Node Route Processor-Service Selection Gateway (NRP-SSG) [Cisco IOS Software Releases 12.0 Special and Early Deployments]

This feature module describes the Node Route Processor-Service Selection Gateway (NRP-SSG) feature. It includes information on the benefits of the new feature, supported platforms, related documents, and so forth.

This document includes the following sections:

Feature Overview

The NRP-SSG is a feature of Cisco IOS Release 12.0(3)DC. It is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using high-speed data circuit equipment (DCE) such as Asymmetric Digital Subscriber Line (ADSL) to allow simultaneous access to network services. The NRP-SSG with Web Selection works in conjunction with the Cisco Service Selection Dashboard (SSD). The Cisco SSD is a customizable web-based application that allows users to select from multiple passthrough and proxy services through a standard web browser.

Figure 1 shows a diagram of a typical network topology including the NRP-SSG. This is an end-to-end, service-oriented DSL deployment consisting of Digital Subscriber Line Access Multiplexers (DSLAMs), ADSL modems, and other internetworking components and servers. The NRP-SSG resides in the Cisco 6400 universal access concentrator, which acts as a central control point for Layer 2 and Layer 3 services. This can include services available through Asynchronous Transfer Mode (ATM) virtual circuits (VCs), virtual private dial-up networks (VPDNs), or normal routing methods.

Figure 1 NRP-SSG Connection Between ADSL Equipment and Network Services

The NRP-SSG communicates with the authentication, authorization, and accounting (AAA) management network where Remote Access Dial-In User Service (RADIUS), Dynamic Host Configuration Protocol (DHCP), and Simple Network Management Protocol (SNMP) servers reside and with the Internet service provider (ISP) network, which may connect to the Internet, corporate networks, and value-added services.

A licensed version of the NRP-SSG works with the Cisco SSD to present to subscribers a menu of network services that can be selected from a single graphical user interface (GUI). This improves flexibility and convenience for subscribers, and enables service providers to bill subscribers based on connect time and services used, rather than charging a flat rate.

The user opens an HTML browser and accesses the URL of the Cisco SSD, a web server application. The Cisco SSD forwards user login information to the NRP-SSG, which forwards the information to the AAA server.

If the user is not valid, the AAA server sends an Access-Reject message.
If the user is valid, the AAA server sends an Access-Accept message with information specific to the user's profile about which services the user is authorized to use. The NRP-SSG logs the user in, creates a host object in memory, and sends the response to the Cisco SSD.

Based on the contents of the Access-Accept response, the Cisco SSD presents a dashboard menu of services that the user is authorized to use, and the user selects one or more of the services. The NRP-SSG then creates an appropriate connection for the user and starts RADIUS accounting for the connection.

Note that when a non-Point-to-Point Protocol (non-PPP) user, such as in a bridged networking environment, disconnects from a service without logging off, the connection remains open and the user will be able to reaccess the service without going through the logon procedure. This is because no direct connection (PPP) exists between the subscribers and the NRP-SSG. To prevent non-PPP users from being logged on to services indefinitely, be sure to configure the Session-Timeout and/or Idle-Timeout RADIUS attributes.

Note that the Cisco SSD functionality discussed throughout this document is available only with the NRP-SSG with Web Selection product.

Benefits

Web-Based Dashboard

The NRP-SSG with Web Selection works in conjunction with the Cisco SSD. The Cisco SSD is a specialized web server that allows users to log on to and disconnect from multiple passthrough and proxy services through a standard web browser.

After the user opens a web browser, the NRP-SSG allows access to a single IP address or subnet, referred to as the "default network." This is typically the IP address of the Cisco SSD. The Cisco SSD prompts the user for a username and password. After the user is authenticated, the Cisco SSD presents a list of available services.

RADIUS Authentication and Accounting

The NRP-SSG is designed to work with RADIUS-based AAA servers that accept vendor-specific attributes (VSAs).

Multiple Traffic-Type Support

The NRP-SSG supports the following types of services:

Passthrough Service

The NRP-SSG can forward traffic through any interface via normal routing or a next hop table. Because Network Address Translation (NAT) is not performed for this type of traffic, overhead is reduced. Passthrough service is ideal for standard Internet access.

Proxy Service

When a subscriber requests access to a proxy service, the NRP-SSG will proxy the Access-Request to the remote AAA server. Upon receiving an Access-Accept from the remote RADIUS server, the NRP-SSG responds to the subscriber with the Access-Accept. To the remote AAA server, the NRP-SSG appears as a client.

During remote authentication, if the RADIUS server assigns an IP address to the subscriber, the NRP-SSG performs NAT between the assigned IP address and the subscriber's real IP address. If the remote RADIUS server does not assign an IP address, NAT is not performed.

When a user selects a proxy service, there is another username and password prompt. After authentication, the service is accessible until the user logs out from the service, logs out from the Cisco SSD, or is timed out.

Transparent Passthrough—Supported only in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC

When enabled, transparent passthrough allows unauthenticated subscriber traffic to be routed through the NRP-SSG in either direction. Filters can be specified to control transparent passthrough traffic. Some of the applications for this feature include:

- Making the NRP-SSG easy to integrate into an existing network by not requiring users who have authenticated with a network access servers (NAS) to authenticate with the NRP-SSG
- To allow management traffic (such as TACACS+, RADIUS, and SNMP) from NASes connected to the host network to pass through to the service provider network
- To allow visitors or guests to access certain parts of the network
Multicast

The NRP-SSG supports multicast traffic, which includes normal multicast packets and Internet Group Management Protocol (IGMP) packets.

In order for the NRP-SSG to forward multicast packets to the IOS routing engine, it must be configured as follows:

The interface on which multicast packets are received must be configured as an uplink or downlink interface, or a service must be bound to the interface. An uplink interface is an interface to services; a downlink interface is an interface to subscribers.
Multicast must be enabled.

If multicast is not enabled, multicast packets received on the interface will be dropped.

PPP Termination Aggregation (PTA) and PTA Multi-Domain (PTA-MD)

PTA can only be used by PPP-type users. AAA is performed exactly as in the proxy service type. A subscriber logs on to a service using a PPP dialer application with a username of the form user@service. The NRP-SSG recognizes the @service as a service profile and loads the service profile from the local configuration or a AAA server. The NRP-SSG forwards the AAA request to the remote RADIUS server as specified by the service profile's RADIUS-Server Attribute. An address is assigned to the subscriber through RADIUS Attribute 8 or Cisco-AVpair "ip:addr-pool." NAT is not performed, and all user traffic is aggregated to the remote network. With PTA, users can only access one service. Users will not have access to the default network or the Cisco SSD.

While PTA terminates the PPP session into a single routing domain, PTA-MD terminates the PPP sessions into multiple IP routing domains, thus supporting a wholesale VPN model where each domain is isolated from the other by an ATM core and has the capability to support overlapping IP addresses.

Packet Filtering

The NRP-SSG uses IOS access control lists (ACLs) to prevent users, services, and passthrough traffic from accessing specific IP addresses and ports.

Services

When an ACL attribute is added to a service profile, all users of that service are prevented from accessing the specified IP address, subnet mask, and port combinations through the service.

Users

When an ACL attribute is added to a user profile, it will apply globally to all of the user's traffic.

Transparent Passthrough—Supported only in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC

Upstream and downstream attributes, including inacl and outacl attributes, can be added to a special pseudo-service profile that can be downloaded to the NRP-SSG from a RADIUS server. Additionally, locally configured ACLs can be used. After the ACLs have been defined, they are applied to all traffic passed by the transparent passthrough feature.

Service Access Order

When users are accessing multiple services, the NRP-SSG must determine the services for which the packets are destined. To do this, the NRP-SSG uses an algorithm to create a service access order list. This list is stored in the user's host object and contains services that are currently open and the order in which they are searched.

The algorithm that creates this list orders the open services based on the size of the network. Network size is determined by the subnet mask of the Service Route RADIUS attribute. A subnet that contains more hosts implies a larger network. In the case of networks that are the same size, the services will be listed in the order in which they were last accessed.

When creating service profiles, be sure to define as small a network as possible. If there is overlapping address space, packets might be forwarded to the wrong service.

Next Hop Gateway

The next hop gateway attribute is used to specify the next hop key for a service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address.

Note that this attribute overrides the IP routing table for packets destined to a service.

DNS Redirection

When the NRP-SSG receives a DNS request, it performs domain name matching using the Domain Name attribute from the service profiles of the currently logged in services.

If a match is found, the request is redirected to the DNS server for the matched service.

If a match is not found and the user is logged on to a service that has Internet connectivity, the request is redirected to the first service in the user's service access order list that has Internet connectivity. Internet connectivity is defined as a service containing a Service Route attribute of 0.0.0.0/0.

If a match is not found and the user is not logged on to a service that has Internet connectivity, the request is forwarded using the normal routing methods specified in the client's Transmission Control Protocol/Internet Protocol (TCP/IP) stack.

Fault Tolerance for DNS

The NRP-SSG can be configured to work with a single DNS server, or two servers in a fault-tolerant configuration. Based on an internal algorithm, DNS requests will be switched to the secondary server if the primary server begins to perform poorly or fails.

Session-Timeout and Idle-Timeout RADIUS Attributes

In a dial-up networking or bridged (non-PPP) network environment, a user might disconnect from the NAS and release the IP address without logging out from the NRP-SSG. If this happens, the NRP-SSG will continue to allow traffic to pass from that IP address and this might be a problem if the IP address is obtained by another user.

The NRP-SSG provides two mechanisms to prevent this problem:

Idle-Timeout attribute—Specifies the maximum time a session or connection can remain idle before it is disconnected.
Session-Timeout attribute—Specifies the maximum amount of time a host or service object can remain active at any one time.

The Session-Timeout and Idle-Timeout attributes can be used in either a user or service profile. In a user profile, the attribute applies to the user's session. In a service profile, the attribute individually applies to each service connection.

Concurrent or Sequential Service Access Mode

NRP-SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log on to this service while simultaneously connected to other services. Sequential access requires that the user log out of all other services before accessing a service configured for sequential access.

Concurrent access is recommended for most services. Sequential access is ideal for services for which security is important, such as corporate intranet access, or for which there is a possibility of overlapping address space.

Extended High System Availability

The NRP-SSG supports extended high system availability (EHSA) redundancy. You can configure this chassis redundancy at the slot level of the Cisco 6400 for adjacent slot or subslot pairs. For example, if you have NRP-SSGs installed in slots 1 and 2, you can set a preferred device between the two. To ensure that configuration is consistent between redundant NRP-SSGs, you can configure automatic synchronization between the two. You can also manually force the primary and secondary devices in a redundant pair to switch roles. See the Cisco 6400 UAC Software Configuration Guide for more information on EHSA redundancy.

Related Features and Technologies

The NRP-SSG works in conjunction with the Cisco SSD. The Cisco SSD is a specialized web server, populated by the service provider, that lists all of the potential networks (or services) a particular customer can access. Customers select and deselect services from a menu through an HTML browser.

Supported Platforms

This feature is supported on these platforms:

Cisco 6400 series

New Supported Standards, MIBs, and RFCs

MIBs

None

RFCs

None

Standards

None

Prerequisites

Cisco Service Selection Dashboard

If you want to perform Layer 3 service selection, you must install and configure the Cisco Service Selection Dashboard as described in the Cisco Service Selection Dashboard User Guide.

Configuration Tasks

Perform the following tasks to configure the NRP-SSG.

Configuring RADIUS Profiles
Configuring Security
Configuring a Default Network
Configuring Interfaces
Configuring Services

The following tasks are optional:

Configuring Local Service Profiles (required for Layer 2 service selection)
Configuring Transparent Passthrough
Configuring Redundancy
Configuring Fastswitching
Configuring Multicast

Configuring RADIUS Profiles

You must set up user and service RADIUS profiles on the AAA server as described in this section. Service profiles can also be defined locally using the local-profile command.You can optionally set up pseudo-service profiles also as described in this section.

This section describes RADIUS attributes that can be used to define specific AAA elements in NRP-SSG user profiles, service profiles, and specialized pseudo-service profiles.

For detailed information on the syntax of these attributes, see "NRP-SSG Vendor-Specific Attributes".

User Profiles

RADIUS user profiles contain a password, a list of subscribed services and/or groups, and access control lists.

Cisco AVPair Attributes

This section specifies Cisco AVPair attributes that appear within user profiles.

Table 1 Cisco AVPair Attributes

Attribute	Usage
Upstream Access Control List (inacl)	Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.
Downstream Access Control List (outacl)	Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.

User Profile Attributes

This section specifies standard and vendor-specific RADIUS attributes that can be used in NRP-SSG user profiles.

Table 2 User Profile Attributes

Attribute	Usage
Password	Specifies the user's password (check attribute).
Session-Timeout	Specifies, in seconds, the maximum length of the user's session (reply attribute).
Idle-Timeout	Specifies, in seconds, the maximum time a connection can remain idle (reply attribute).
Service Name	Subscribes the user to a service. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service to which the user is subscribed (reply attribute).
Service Group	Subscribes the user to a service group. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service group to which the user is subscribed (reply attribute).
Auto Service	Automatically logs a user into a service when the user logs on to the NRP-SSG (reply attribute).

Service Profiles

Service profiles include the password, service type (outbound), type of service (passthrough or proxy), the service access mode (sequential or concurrent), the DNS server IP address, networks that exist in the service domain, access control lists, and other optional attributes.

Cisco AVPair Attributes

This section specifies Cisco AVPair attributes that appear within service profiles.

Table 3 Cisco AVPair Attributes

Attribute	Usage
Upstream Access Control List (inacl)	Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.
Downstream Access Control List (outacl)	Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.

Standard Service Profile Attributes

This section specifies standard RADIUS attributes that can be used in NRP-SSG service profiles.

Table 4 Standard Service Profile Attributes

Attribute	Usage
Password	Specifies the password (check attribute).
Service-Type	Specifies the level of service (check attribute). Must be "outbound."
Session-Timeout	Specifies, in seconds, the maximum length of the session (reply attribute).
Idle-Timeout	Specifies, in seconds, the maximum time a service connection can remain idle (reply attribute).

NRP-SSG Specific Service Profile Attributes

This section specifies VSAs that appear within service profiles.

Table 5 NRP-SSG Service Profile Attributes

Attribute	Usage
Type of Service	(Optional) Indicates whether the service is proxy (requiring remote authentication) or passthrough (does not require authentication). The default is passthrough.
Service Mode	(Optional) Specifies whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential). The default is concurrent.
DNS Server Address	(Optional) Specifies the primary and/or secondary DNS servers for this service.
Service Route	(Required) Specifies networks that exist for the service. There can be multiple instances of this attribute within a single user profile.
RADIUS Server	(Required for proxy services) Specifies the remote RADIUS server that the NRP-SSG will use to authenticate and authorize a service log on for a proxy service type.
Next Hop Gateway	(Optional) Specifies the next hop key for this service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see "Next Hop Gateway Pseudo-Service Profile".
Domain Name	(Optional) Specifies domain names that get DNS resolution from the DNS server(s) specified in DNS Server Address.
Service Description	(Optional) Provides a description of the service that is displayed to the user.

Service Group Profiles

Service group profiles contain a list of services and/or service groups and can be used to create directory structures for locating and logging on to services. When a user is subscribed to a service group, the user automatically is subscribed to all services and groups within that service group. A service group profile includes the password and the service type (outbound) as check attributes and a list of services and/or a list of service groups as reply attributes.

This section specifies vendor-specific attributes that can be used in NRP-SSG service group profiles.

Table 6 Service Group Profile Attributes

Attribute	Usage
Service Name	Lists services that belong to the service group. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service (reply attribute).
Service Group	Lists the service subgroups that belong to this service group. When configured, the service group and service name attributes can define an organized directory structure for accessing services. There can be multiple instances of this attribute within a service group profile. Use one attribute for each service subgroup that belongs to this service group.
Group Description	Provides a description of the service group.
Password	Specifies the password (check attribute).
Service-Type	Specifies the level of service (check attribute). Must be "outbound."

Pseudo-Service Profiles

This section describes pseudo-service profiles. Pseudo-service profiles are used to define variable length tables or lists of information in the form of services. There are currently two types of pseudo-service profiles: Transparent Passthrough Filter and Next Hop Gateway. The following sections describe both types.

Transparent Passthrough Filter Pseudo-Service Profile

Transparent passthrough is designed to allow unauthenticated traffic (users or network devices that have not logged in to the NRP-SSG through the Cisco SSD) to be routed through normal IOS processing.

Note Transparent passthrough is supported only in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC.

Table 7 Transparent Passthrough Filter Pseudo-Service Profile Attributes

Attribute	Usage
Upstream Access Control List (inacl)	Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.
Downstream Access Control List (outacl)	Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.

The Transparent Passthrough Filter pseudo-service profile allows or denies access to IP addresses and ports accessed through the transparent passthrough feature.

To define what traffic can pass through, the NRP-SSG downloads the Transparent Passthrough Filter pseudo-service profile. This profile contains a list of access control list (ACL) attributes. Each item contains an IP address or range of IP addresses, a list of port numbers, and specifies whether traffic is allowed or denied.

To create a filter for transparent passthrough, create a profile that contains ACL attributes that define what can and cannot be accessed.

You can also create ACLs locally. For more information, see the ssg pass-through command in the Command Reference section.

Next Hop Gateway Pseudo-Service Profile

Because multiple NRP-SSGs might access services from different networks, each service profile specifies a next hop key, which is any string identifier, rather than an actual IP address. For each NRP-SSG to determine the IP address of the next hop, each NRP-SSG downloads its own next hop gateway table that associates keys with IP addresses.

Table 8 Next Hop Gateway Pseudo-Service Profile Attributes

Attribute	Usage
Next Hop Gateway Entry	Associates next hop gateway keys with IP addresses.

To create a next hop gateway table, create a profile and give it any name. Use the Next Hop Gateway Entry attribute to associate service keys with their IP addresses. When you have finished, repeat this for each NRP-SSG if the next hop IP addresses are different. For an example next hop gateway pseudo-service profile, see "Sample Pseudo-Service Profiles".

For more information, see the ssg next-hop command in the Command Reference section.

NRP-SSG Vendor-Specific Attributes

The NRP-SSG uses vendor-specific RADIUS attributes. If using the NRP-SSG with Cisco User Control Point (UCP) software, specify settings that allow processing of the NRP-SSG attributes while configuring the CiscoSecure Access Control Server (ACS) component. If using another AAA server, you must customize that server's RADIUS dictionary to incorporate the NRP-SSG vendor-specific attributes.

Table 9 lists vendor-specific attributes used by the NRP-SSG. By sending an Access-Request packet with the vendor-specific attributes shown in the table, the Cisco Service Selection Dashboard (SSD) can send requests to the NRP-SSG to log on and log off an account and disconnect and connect services. The vendor ID for all of the Cisco-specific attributes is 9.

Table 9 Vendor-Specific RADIUS Attributes for the NRP-SSG

AttrID	VendorID	SubAttrID	SubAttrName	SubAttrDataType
26	9	1	Cisco-AVpair	String
26	9	250	Account-Info	String
26	9	251	Service-Info	String
26	9	253	Control-Info	String

The following sections describe the format of each subattribute.

Note All RADIUS attributes are case sensitive.

Cisco-AVpair Attribute

The Cisco-AVpair attributes are used in user and service profiles. The Cisco-AVpair attributes are used to configure ACLs.

Upstream Access Control List

This attribute specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.

Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list | extended-access-control-list}"

Syntax Description

number	Access list identifier.
standard-access-control-list	Standard access control list.
extended-access-control-list	Extended access control list.

 Example Cisco-AVpair="ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
Note      There can be multiple instances of this attribute within profiles. Use one attribute for each access control list statement. Multiple attributes can be used for the same ACL. Multiple attributes will be downloaded according to the number specified and executed in that order.
 Downstream Access Control List This attribute specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.

Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list | extended-access-control-list}"
 Syntax Description

 number

 Access list identifier.

 standard-access-control-list

 Standard access control list.

 extended-access-control-list

 Extended access control list.

 Example Cisco-AVpair="ip:outacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
Note      There can be multiple instances of this attribute within profiles. Use one attribute for each access control list statement. Multiple attributes can be used for the same ACL. Multiple attributes will be downloaded according to the number specified and executed in that order.
 Account-Info Attributes The Account-Info attributes are used in user profiles and service group profiles.
 User profiles define the password and services and/or groups to which the user is subscribed.
 Service group profiles contain a list of services and/or service groups and can be used to create sophisticated directory structures for locating and logging on to services. When a user is subscribed to a service group, the user is automatically subscribed to all services and groups within that service group. A service group profile includes the name of the service group, the password, the service type (outbound), a list of services and/or a list of other service groups.
 Example (RADIUS Freeware Format) Account-Info = "Nservice1.com"
 Example (CiscoSecure ACS for UNIX and UCP Format) 9,250 = "Nservice1.com"
 Service Name In user profiles, this attribute subscribes the user to the specified service. In service group profiles, this attribute lists services that belong to the service group.

Account-Info = "Nname"
 Syntax Description


 name

 Name of the service profile.

 Example Account-Info = "Ncisco.com"
Note      There can be multiple instances of this attribute within a user or service profile. Use one attribute for each service.
 Service Group In user profiles, this attribute subscribes a user to a service group. In service group profiles, this attribute lists the service groups that belong to this service group.

Account-Info = "Gname"
 Syntax Description


 name

 Name of the group profile.

 Example Account-Info = "GServiceGroup1"
Note      There can be multiple instances of this attribute within a user or service group profile. Use one attribute for each service group.
 Auto Service This attribute subscribes the user to a service and automatically logs the user on to the service when the user accesses the Cisco SSD. Each user profile can have more than one auto service attribute.

Account-Info = "Aservicename [;username;password]"
 Syntax Description

 servicename

 Name of the service.

 username

 Username used to access the service. Required for proxy services.

 password

 Password used to access the service. Required for proxy services.

 Example Account-Info = "Agamers.net;jdoe;secret"
Note      The user must be subscribed to this service. See "Service Name".
 Group Description This attribute provides a description of the service group to the Cisco SSD. If this attribute is omitted, the service group profile name is used.

Account-Info = "Idescription"
 Syntax Description


 description

 Description of the service group.

 Example Account-Info = "ICompany Intranet Access"
 Service-Info Attributes The Service-Info attributes are used to define a service. The following attributes define the parameters for a service.
 Service Description This attribute describes the service. This attribute is optional.

Service-Info = "Idescription"
 Syntax Description


 description

 Description of the service.

 Example Service-Info = "ICompany Intranet Access"
 Type of Service This attribute indicates whether the service is proxy or passthrough. This attribute is optional.

Service-Info = "Ttype"
 Syntax Description

 type

 P—Passthrough. Indicates the user's packets are forwarded through the

NRP-SSG. This is the default.

 X—Proxy. Indicates the NRP-SSG performs proxy service.

 Example Service-Info = "TP"
 Service Mode This attribute defines whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential). The default is concurrent. This attribute is optional.

Service-Info = "Mmode"
 Syntax Description


 mode

 S—Sequential mode.
 C—Concurrent mode. This is the default.

 Example Service-Info = "MS"
 DNS Server Address This attribute specifies the primary and secondary DNS servers for this service. If two servers are specified, the NRP-SSG can send DNS requests to the primary DNS server until performance is diminished or it fails (failover). This attribute is optional.

Service-Info = "Dip_address_1[;ip_address_2]"
 Syntax Description

 ip_address_1

 IP address of the primary DNS server.

 ip_address_2

 (Optional) IP address of the secondary DNS server used for fault tolerance.

 Example Service-Info = "D192.168.1.2;192.168.1.3"
 Service Route This attribute specifies networks available to the user for this service. This attribute is required.

Service-Info = "Rip_address;mask"
 Syntax Description

 ip_address

 IP address.

 mask

 Subnet mask.

Usage

Use the Service Route attribute to specify networks that exist for a service. For more information, see "Service Access Order".

Note An Internet service is typically specified as "R0.0.0.0;0.0.0.0" in the service profile.

Example

 Service-Info = "R192.168.1.128;255.255.255.192"

Note There can be multiple instances of this attribute within a single service profile.

RADIUS Server

This attribute specifies the remote RADIUS server that the NRP-SSG will use to authenticate, authorize, and perform accounting for a service log on for a proxy service type. This attribute is only used in proxy service profiles. This attribute is required for proxy service profiles.

Service-Info = "SRadius-server-address;auth-port;acct-port;secret-key"

Syntax Description

Radius-server-address	IP address of the RADIUS server.
auth-port	UDP port number for authentication and authorization requests.
acct-port	UDP port number for accounting requests.
secret-key	Secret key shared with RADIUS clients.

 Example Service-Info = "S192.168.1.1;1645;1646;cisco"
 Service Next Hop Gateway This attribute specifies the next hop key for this service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see "Next Hop Gateway Table Entry". This attribute is optional.

Service-Info = "Gkey"
 Syntax Description


 key

 Name of the next hop.

 Example Service-Info = "Gnexthop1"
 Domain Name This attribute specifies domain names that get DNS resolution from the DNS server(s) specified in DNS server address. This attribute is optional.

Service-Info = "Oname1[;name2]...[;nameX]"
 Syntax Description

 name1

 Domain name that gets DNS resolution from this server.

 name2...X

 (Optional) Additional domain name(s) that gets DNS resolution from this server.

Usage

Use the DNS Resolution attribute to specify domain names that get DNS resolution from this DNS server. For more information, see "Service Access Order".

Example

 Service-Info = "Ocisco.com;cisco-sales.com"

Note There can be multiple instances of this attribute within a single service profile.

Service User

This attribute indicates the username provided by the Cisco SSD user to log on to the service and for authentication with the home gateway.

Service-Info = "Uusername"

Syntax Description

username

The name provided by the user for authentication.

 Example Service-Info = "Ujoe@cisco.com"
Note      This attribute is only used for accounting purposes and does not appear in profiles.
 Service Name This attribute defines the name of the service.

Service-Info = "Nname"
 Syntax Description


 name

 Name of the service profile or service that belongs to a service group.

 Example Service-Info = "Nservice1.com"
Note      This attribute is only used for accounting purposes and does not appear in profiles.
 Control-Info Attributes The Control-Info attributes are used to define lists or tables of information.
 Next Hop Gateway Table Entry Because multiple NRP-SSGs might access services from different networks, each service profile specifies a next hop key rather than an actual IP address. For each NRP-SSG to determine the IP address of the next hop, each NRP-SSG downloads its own next hop gateway table that associates keys with IP addresses. For information on defining next hop keys, see "Service Next Hop Gateway".
Note      This attribute is only used in Next Hop Gateway pseudo-service profiles and should not appear in service profiles or user profiles.

Control-Info = "Gkey;ip_address"
 Syntax Description

 key

 Service name or key specified in the Service Next Hop Gateway service profile.

 ip_address

 IP address of the next hop for this service.

Usage

Use this attribute to create a next hop gateway table for the selected NRP-SSG.

To define the IP address of the next hop for each service, the NRP-SSG downloads a special service profile that associates the next hop gateway key for each service with an IP address.

To create a next hop gateway table, create a service profile and give it any name. Use this attribute to associate service keys with their IP addresses. When you have finished, repeat this for each NRP-SSG.

For more information, see the ssg next-hop command in the Command Reference section.

Example

 Control-Info = "GNHT_for_SSG_1;192.168.1.128"

Octets Output

Current RADIUS standards only support the counting of up to 32 bits of information with the ACCT-Output-Octets attribute. Standards such as ADSL have much higher throughput.

In order for the accounting server to keep track of and bill for this usage, the NRP-SSG uses the Octets attribute.

The Octets Output attribute keeps track of how many times the 32-bit integer rolled over and the value of the integer when it overflowed for outbound data.

Control-Info = "Orollover;value"

Syntax Description

rollover	Number of times the 32-bit integer rolled over to 0.
value	Value in the 32-bit integer when the stop record was generated and the service or user was logged out.

Usage

Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:

rollover * 232 + value

Example

In the following example, the rollover is 2 and the value is 153 (2 * 232 + 153 = 8589934745):

 Control-Info = "O2;153"

Note This attribute is only used for accounting purposes and does not appear in profiles.

Octets Input

Current RADIUS standards only support the counting of up to 32 bits of information with the ACCT-Input-Octets attribute. Standards such as ADSL have much higher throughput.

In order for the accounting server to keep track of and bill for this usage, the NRP-SSG uses the Octets attribute.

The Octets Input attribute keeps track of how many times the 32-bit integer rolled over and the value of the integer when it overflowed for inbound data.

Control-Info = "Irollover;value"

Syntax Description

rollover	Number of times the 32-bit integer rolled over to 0.
value	Value in the 32-bit integer when the stop record was generated and the service or user was logged out.

Usage

Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:

rollover * 232 + value

Example

In the following example, the rollover is 3 and the value is 151 (3 * 232 + 151 = 12884902039):

 Control-Info = "I3;151"

Note This attribute is only used for accounting purposes and does not appear in profiles.

Sample User and Service Profiles

This section provides samples of user profiles and service profiles used with the
NRP-SSG.

Sample User Profile

The following is an example of a user profile. The profile is formatted for use with a freeware RADIUS server:

 bert Password = "ernie"

 Session-Timeout = 21600,

 Account-Info = "GServiceGroup1",

 Account-Info = "Nservice1.com",

 Account-Info = "Ngamers.net"

The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:

 user = bert {

 radius = SSG {

 check_items = {

 2 = "ernie"

}

 reply_attributes = {

 27 = 21600

 9,250 = "GServiceGroup1"

 9,250 = "Nservice1.com"

 9,250 = "Ngamers.net"

}

}

}

Sample Service Group Profile

The following is an example of a service group profile. The profile is formatted for use with a freeware RADIUS server:

 ServiceGroup1 Password = "cisco", Service-Type = outbound,

 Account-Info = "Nservice1.com",

 Account-Info = "Ngamers.net",

 Account-Info = "GServiceGroup3",

 Account-Info = "GServiceGroup4",

 Account-Info = "IStandard User Services"

The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:

 user = ServiceGroup1 {

 radius = SSG {

 check_items = {

 2 = "cisco"

 6 = 5

}

 reply_attributes = {

 9,250 = "Nservice1.com"

 9,250 = "Ngamers.net"

 9,250 = "GServiceGroup3"

 9,250 = "GServiceGroup4"

 9,250 = "IStandard User Services"

}

}

}

Sample Service Profile

The following is an example of a service profile. The profile is formatted for use with a freeware RADIUS server:

 service1.com    Password = "cisco", Service-Type = outbound,

 Idle-Timeout = 1800,

 Service-Info = "R192.168.1.128;255.255.255.192",

 Service-Info = "R192.168.2.0;255.255.255.192",

 Service-Info = "R192.168.3.0;255.255.255.0",

 Service-Info = "Gservice1",

 Service-Info = "D192.168.2.81",

 Service-Info = "MC",

 Service-Info = "TP",

 Service-Info = "ICompany Intranet Access",

 Service-Info = "Oservice1.com"

The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:

 user = service1.com {

 radius = SSG {

 check_items = {

 2 = "cisco"

 6 = 5

}

 reply_attributes = {

 28 = 1800

 9,251 = "R192.168.1.128;255.255.255.192"

 9,251 = "R192.168.2.0;255.255.255.192"

 9,251 = "R192.168.3.0;255.255.255.0"

 9,251 = "Gservice1"

 9,251 = "D192.168.2.81"

 9,251 = "MC"

 9,251 = "TP"

 9,251 = "ICompany Intranet Access"

 9,251 = "Oservice1.com"

}

}

}

Sample Pseudo-Service Profiles

The following is an example of the Transparent Passthrough Filter pseudo-service profile. The profile is formatted for use with a freeware RADIUS server:

 ssg-filter Password = "cisco", Service-Type = outbound,

 Cisco-AVpair="ip:inacl#3=deny tcp 192.168.1.0 0.0.0.255 any eq 21",

 Cisco-AVpair="ip:inacl#7=permit ip any any"

The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:

 user = ssg-filter {

 radius = SSG {

 check_items = {

 2 = "cisco"

 6 = 5

 reply_attributes = {

 9,1 = "ip:inacl#3=deny tcp 192.168.1.0 0.0.0.255 any eq 21",

 9,1 = "ip:inacl#7=permit ip any any"

}

}

}

The following is an example of the Next Hop Gateway pseudo-service profile. The profile is formatted for use with a freeware RADIUS server:

 nht1           Password = "cisco", Service-Type = outbound,

 Account-Info = "Gservice3;192.168.103.3",

 Account-Info = "Gservice2;192.168.103.2",

 Account-Info = "Gservice1;192.168.103.1",

 Account-Info = "GLabservices;192.168.4.2",

 Account-Info = "GWorldwide_Gaming;192.168.4.2"

The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:

 user = nht1{

 radius= SSG {

 check_items= {

 2=cisco

6=5

}

 reply_attributes= {

 9,253="Gservice3;192.168.103.3"

 9,253="Gservice2;192.168.103.2"

 9,253="Gservice1;192.168.103.1"

 9,253="GLabservices;192.168.4.2"

 9,253="GWorldwide_Gaming;192.168.4.2"

}

}

RADIUS Accounting Records

This section describes events that generate RADIUS accounting records and the attributes associated with the accounting records sent from the NRP-SSG to the accounting server.

Account Logon

When a user logs on, the NRP-SSG sends a RADIUS accounting-request on behalf of the user to the accounting server. The attributes associated with this record are:

 Acct-Status-Type = Start

 NAS-IP-Address = ip_address

 User-Name = "username"

 Acct-Session-Id = "session_id"

 Framed-IP-Address = user_ip

 Proxy-State = "n"

ip_address	IP address of the NRP-SSG.
username	Name used to log on to the service provider network.
session_id	Session number.
user_ip	IP address of the user's system.
n	Accounting record queuing information (has no effect on account billing).

Account Logoff

When a user logs off, the NRP-SSG sends a RADIUS accounting-request on behalf of the user to the accounting server. The attributes associated with this record are:

 Acct-Status-Type = Stop

 NAS-IP-Address = ip_address

 User-Name = "username"

 Acct-Session-Time = time

 Acct-Terminate-Cause = cause

 Acct-Session-Id = "session_id"

 Framed-Address = user_ip

 Proxy-State = "n"

ip_address	IP address of the NRP-SSG.
username	Name used to log on to the service provider network.
time	Length of session in seconds.
cause	Cause of account termination. These can include: User-Request. Session-Timeout. Idle-Timeout. Lost-Carrier.
session_id	Session number.
user_ip	IP address of the user's system.
n	Accounting record queuing information (has no effect on account billing).

Connection Start

When a user accesses a service, the NRP-SSG sends a RADIUS accounting-request to the accounting server. The attributes associated with this record are:

 NAS-IP-Address = 172.16.6.1

 NAS-Port = 0

 NAS-Port-Type = Virtual

 User-Name = "username"

 Acct-Status-Type = Start

 Acct-Authentic = RADIUS

 Service-Type = Framed

 Acct-Session-Id = "00000010"

 Framed-Protocol = PPP

 Service-Info = "Nisp-name.com"

 Service-Info = "Uusername"

 Service-Info = "TP"

 Acct-Delay-Time = 0

ip_address	IP address of the NRP-SSG.
username	Name used to log on to the service provider network.
session_id	Session number.
service	Name of the service profile.
hg_username	The username used to authenticate the user with the remote RADIUS server. This attribute is used for proxy services.
type	X—Proxy connection. P—Passthrough connection (usually the Internet).
n	Accounting record queuing information (has no effect on account billing).

Connection Stop

When a user terminates a service, the NRP-SSG sends a RADIUS accounting-request to the accounting server. The attributes associated with this record are:

 NAS-IP-Address = 172.16.6.1

 NAS-Port = 0

 NAS-Port-Type = Virtual

 User-Name = "username"

 Acct-Status-Type = Stop

 Acct-Authentic = RADIUS

 Service-Type = Framed

 Acct-Session-Id = "00000010"

 Acct-Terminate-Cause = Lost-Carrier

 Acct-Session-Time = 71

 Acct-Input-Octets = 0

 Acct-Output-Octets = 0

 Acct-Input-Packets = 0

 Acct-Output-Packets = 0

 Framed-Protocol = PPP

 Control-Info = "I0;0"

 Control-Info = "O0;0"

 Service-Info = "Nisp-name.com"

 Service-Info = "Uusername"

 Service-Info = "TP"

 Acct-Delay-Time = 0

ip_address	IP address of the NRP-SSG.
username	Name used to log on to the service provider network.
in_bytes	Number of inbound bytes.
out_bytes	Number of outbound bytes.
time	Length of session in seconds.
cause	Cause of service termination. These include: User-Request. Lost-Carrier. Lost-Service. Session-Timeout. Idle-Timeout.
session_id	Session number.
service	Name of the service profile.
hg_username	The username used to authenticate the user with the remote RADIUS server. This attribute is used for proxy services.
type	X—Proxy connection. P—Passthrough connection (usually the Internet).
n	Accounting record queuing information (has no effect on account billing).

Configuring Security

Command	Purpose
Router(config)# aaa new-model	Enables AAA.
Router(config)# aaa authentication ppp default radius	Specifies RADIUS as the default authentication method for users that log in to serial interfaces using PPP.
Router(config)# aaa authorization network default radius	Specifies that RADIUS is the default authorization used for all network-related requests.
Router(config)# radius-server host {hostname \| ip-address} [auth-port UDP-port-number] [acct-port UDP-port-number]	Specifies the RADIUS server host.
Router(config)# radius-server key AAAPassword	Sets the RADIUS shared secret between the NRP-SSG and the local AAA server.
Router(config)# radius-server vsa send	(Optional) Send vendor-specific attributes with authentication and accounting requests to the AAA server.
Router(config)# ssg radius-helper key DashboardPassword	Sets the RADIUS shared secret between the NRP-SSG and the Cisco SSD.
Router(config)# ssg radius-helper	Specifies the UDP default port numbers for a RADIUS authentication server (1645) and accounting server (1646).
Router(config)# ssg service-password ServicePassword	Sets the password used to authenticate the NRP-SSG with the local AAA server service profiles. This value must match the value configured for the AAA server service profiles.

Verifying Security

Use the show running-config command to verify that security has been configured correctly.

Configuring a Default Network

Configure the first IP address or subnet that users will be able to access without authentication. This is the address where the Cisco SSD resides.

Command	Purpose
Router(config)# ssg default-network ip-address mask	Sets the IP address or subnet that users will be able to access without authentication. Typically, this is the address where the Cisco SSD resides. A mask provided with the IP address specifies the range of IP addresses that users will be able to access without authentication.

Verifying the Default Network

Use the show running-config command to verify that the default network has been configured correctly.

Configuring Interfaces

If you are going to use PPP to connect subscribers to the NRP-SSG, you do not have to configure any downlink interfaces. If you are using non-PPP connections, such as bridging or LAN, you must configure at least one downlink interface.

Command

Purpose

 Router(config)# ssg bind direction downlink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}

Specifies a downlink interface, that is, the interface to the subscribers.

Configure all interfaces that will be connected to services as uplink interfaces.

Command

Purpose

 Router(config)# ssg bind direction uplink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}

Specifies an uplink interface, that is, the interface to the services.

Verifying Interfaces

Use the show ssg direction command to verify that interfaces have been configured correctly.

Configuring Services

Every service must be bound to an uplink interface.

Command	Purpose
Router(config)# ssg bind service service {ip-address \| ATM atm-interface \| Async async-interface \| BVI bvi-interface \| Dialer dialer-interface \| Ethernet ethernet-interface \| FastEthernet fastethernet-interface \| Group-Async group-async-interface \| Lex lex-interface \| Loopback loopback-interface \| Multilink multilink-interface \| Null null-interface \| Port-channel port-channel-interface \| Tunnel tunnel-interface \| Virtual-Access virtual-access-interface \| Virtual-Template virtual-template-interface \| Virtual-TokenRing virtual-tokenring-interface}	Specifies the interface for a service.
Router(config)# ssg service-search-order local \| remote \| local remote \| remote local	(Optional) Specifies the order in which NRP-SSG searches for a service profile. The default service search order is local remote, that is, the NRP-SSG searches for service profiles in Flash memory first, then on the RADIUS server.
Router(config)# ssg next-hop download [profile-name] [profile-password]	(Optional) Downloads the next-hop table from a RADIUS server.
Router(config)# ssg maxservice number	(Optional) Sets the maximum number of services per user.

Verifying Services

Use the show ssg service command to verify that services have been bound to interfaces correctly. Use the show running-config command to verify that the service search order and maximum services have been configured correctly. Use the show ssg next-hop command to verify all mappings between services and IP addresses.

Configuring Local Service Profiles

This task is required if you want to use Layer 2 service selection; otherwise, it is optional. You can configure local service profiles in addition to the service profiles on the remote RADIUS server.

Command	Purpose
Router(config)# local-profile profilename	Enters profile configuration mode. Configures a local RADIUS service profile.
Router(config-prof)# attr radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value	Configures an attribute in a local RADIUS service profile.

Verifying Local Service Profiles

Use the show running-config command to verify that local service profiles have been configured correctly.

Configuring Transparent Passthrough

This task is optional, and only supported in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC. Enable or disable transparent passthrough by using the appropriate command:

Command	Purpose
Router(config)# ssg pass-through [filter {ip-access-list \| ip-extended-access-list \| access-list-name \| download [profile-name \| profile-name profile-password]} [downlink \| uplink]}]	Enables transparent passthrough, allowing unauthenticated traffic to pass through the NRP-SSG.
Router(config)# no ssg pass-through [filter {ip-access-list [downlink \| uplink] \| ip-extended-access-list [downlink \| uplink] \| access-list-name [downlink \| uplink] \| downlink \| download [profile-name \| profile-name profile-password] \| uplink}}]	Disables transparent passthrough, forcing traffic to be authenticated by the NRP-SSG before passing through it.

Verifying Transparent Passthrough

Use the show running-config command to verify that transparent passthrough has been enabled. Use the show ssg pass-through-filter command to verify that the filter for transparent passthrough has been configured correctly.

Configuring Redundancy

This task is optional. Perform the following tasks on the NSP:

Step	Command	Purpose
1.	Router(config)# redundancy	Selects the redundancy configuration submode.
2.	Router(config-r)# associate slot slot [slot]	Configures two NRPs installed in the specified slots as a redundant pair. You only need to specify the first NRP of the pair; the second NRP is assumed to be in the adjacent slot.
3.	Router(config-r)# prefer slot	Defines which of the redundant NRPs is the preferred one.
4.	Router(config-r-mc)# end	Return to privileged EXEC mode.

This task is optional. Perform the following tasks on the NRP:

Step	Command	Purpose
1.	Router(config)# redundancy	Selects the redundancy configuration submode.
2.	Router(config-r)# main-cpu	Selects the main-cpu configuration submode.
3.	Router(config-r-mc)# auto-sync [startup-config \| bootvar \| config-register \| standard]	Synchronizes the configuration (startup configuration, boot variables, configuration register, or all three configurations) between redundant NSPs.
4.	Router(config-r-mc)# end	Return to privileged EXEC mode.

Verifying Redundancy

Use the show redundancy command to verify that redundancy has been configured correctly.

 RouterA# show redundancy

 User EHSA configuration (by CLI config):

 slave-console = off

 keepalive = off

 config-sync modes:

 standard = on

 start-up = on

 boot-var = on

 config-reg = on

 NSP EHSA configuration (via pam-mbox):

 redundancy = off

 preferred (slot 6) = no

 Debug EHSA Information:

 NRP specific information:

 Backplane resets = 0

 NSP mastership changes = 0

 print_pambox_config_buff: pmb_configG values:

 valid = 1

 magic = 0xEBDDBE1 (expected 0xEBDDBE1)

 Backplane resets = 0

 NSP mastership changes = 0

 print_pambox_config_buff: pmb_configG values:

 valid = 1

 magic = 0xEBDDBE1 (expected 0xEBDDBE1)

 nmacaddrs = 1

 run_redundant = 0x0

 preferred_master = 0x0

 macaddr[0][0] = 0010.7bb9.ca43

 macaddr[1][0] = 0000.0000.0000

 EHSA pins:

 peer present = 1

 peer state = SANTA_EHSA_SECONDARY

 crash status: this-nrp=NO_CRASH(1) peer-nrp=NO_CRASH(1)

 EHSA related MAC addresses:

 peer bpe mac-addr = 0010.7bb9.ca47

 my bpe mac-addr = 0010.7bb9.ca43

Configuring Fastswitching

This task is optional. Fastswitching is enabled by default.

Command	Purpose
Router(config)# ssg fastswitch	Enables fastswitching.
Router(config)# no ssg fastswitch	Disables fastswitching.

Verifying Fastswitching

Use the show running-config command to verify that fastswitching has been enabled. Because fastswitching is enabled by default, it will not be displayed in the running configuration. If fastswitching has been disabled, the following line will appear in the output of the show running-config command:

 no ssg fastswitch

Configuring Multicast

This task is optional. Multicast is disabled by default.

Command	Purpose
Router(config)# ssg multicast	Enables multicast. When multicast is enabled, the NRP-SSG will forward multicast packets, which include normal multicast packets and IGMP packets, received on an uplink or downlink interface that has had a service bound to it to the IOS routing engine.
Router(config)# no ssg multicast	Disables multicast. If multicast is disabled, multicast packets received on an uplink or downlink interface or an interface that has had a service bound to it will be dropped.

Verifying Multicast

Use the show running-config command to verify that multicast has been enabled. If multicast is disabled, which is the default, it will not be displayed in the running configuration. If multicast is enabled, the following line will appear in the output of the show running-config command:

 ssg multicast

Verifying NRP-SSG Configuration

You can perform the following verification tasks after completing all configuration tasks described above.

To verify that the NRP-SSG, Cisco SSD, and RADIUS server have been configured to work together correctly:

From an HTML browser on a client machine on the downlink interface, enter the URL for the Cisco SSD. Enter a valid username and password when prompted. A list of services you are authorized to access should be displayed.

To verify that transparent passthrough has been configured correctly:

From a client machine on the downlink interface that is not logged on to the Cisco SSD, try to access services on a machine that is on the other side of the NRP-SSG. You should only be able to access these services when transparent passthrough is enabled on the NRP-SSG.

To verify that redundancy has been configured correctly:

Remove the NRP that was designated as the preferred NRP. The NRP in the adjacent slot should assume the identity of the preferred NRP.

Monitoring and Maintaining the NRP-SSG

Command	Purpose
Router# show ssg connection ip-address service-name	Displays the connections of a given host and service name.
Router# clear ssg connection ip-address service-name	Removes the connections of a given host and service name.
Router# show ssg pass-through-filter	Displays the downloaded filter for transparent passthrough.
Router# clear ssg pass-through-filter	Removes the downloaded filter for transparent passthrough. To remove the filter from NVRAM, use the no form of the ssg pass-through command.
Router# show ssg host [ip-address] [username]	Displays the information about a subscriber and the current connections of the subscriber.
Router# clear ssg host ip-address	Removes a given host or subscriber.
Router# show ssg direction	Displays the direction of all interfaces for which a direction has been specified.
Router# show ssg next-hop	Displays the next-hop table.
Router# clear ssg next-hop	Removes the next-hop table. To remove the next-hop table from NVRAM, use the no form of the ssg next-hop command.
Router# show ssg binding	Displays service names that have been bound to interfaces and the interfaces to which they have been bound.
Router# show ssg service service-name	Displays the information for a service.
Router# clear ssg service service-name	Removes a service.

Configuration Examples

The configuration examples in this section support the network topology shown in Figure 2.

Figure 2 Example NRP-SSG Network Topology

Security

 aaa new-model

 aaa authentication ppp default radius

 aaa authorization network default radius

 ssg service-password cisco

 ssg radius-helper auth-port 1645 acct-port 1646

 ssg radius-helper key cisco

 radius-server host 192.168.100.28 auth-port 1645 acct-port 1646

 radius-server key cisco

 radius-server vsa send accounting

 radius-server vsa send authentication

Default Network

 ssg default-network 192.168.100.24 255.255.255.255

Interfaces

 ssg bind direction uplink ATM0/0/0.1

 ssg bind direction uplink ATM0/0/0.2

 ssg bind direction uplink ATM0/0/0.3

 ssg bind direction downlink BVI1

Services

 ssg bind service Labservices 192.168.123.1

 ssg bind service Worldwide_Gaming 192.168.113.1

 ssg bind service ACME_ISP 192.168.103.1

 ssg next-hop download nhg1 cisco

 ssg maxservice 10

The following is an example service profile as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX and UCP.

 user = ACME_ISP{

 profile_id = 2026

 profile_cycle = 12

 member = ServicesGroup

 radius=6510-SSG-v1.1a {

 check_items= {

 2=cisco

6=5

}

 reply_attributes= {

 9,251="R192.168.250.0;255.255.255.0"

 9,251="TX"

 9,251="S192.168.250.11;1645;1646;cisco"

}

}

}

Service Search Order

 ssg service-search-order local remote

Next-Hop Table

 ssg next-hop download nht1 cisco

The following is an example next-hop table as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX and UCP.

 ssg next-hop download nht1 cisco

 user = nht1{

 radius= SSG {

 check_items= {

 2=cisco

6=5

}

 reply_attributes= {

 9,253="GACME_ISP;192.168.103.1"

 9,253="GLabservices;192.168.123.1"

 9,253="GWorldwide_Gaming;192.168.113.1"

}

}

}

Max Services

 ssg maxservice 10

Local Service Profile

 local-profile Labservices

 attr 26 9 251 "R192.168.123.1;255.255.255.0"

 attr 26 9 251 "S192.168.252.11;1645;1646;cisco"

 attr 26 9 251 "OAnyProxyService.Com"

 attr 26 9 251 "TX"

 attr 2 "cisco"

 attr 6 5

Transparent Passthrough Filter

 ssg pass-through filter download tptfilter1 cisco

The following is an example transparent passthrough filter as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX and UCP.

 user = tptfilter1{

 radius= SSG {

 check_items= {

 2=cisco

6=5

}

 reply_attributes= {

 9,1="ip:inacl#2=deny tcp 172.16.4.0 0.0.0.255 192.168.250.0 0.0.0.255 eq 23"

 9,1="ip:inacl#5=permit ip any any"

 9,1="ip:inacl#1=permit tcp any any established"

}

}

}

Redundancy

 redundancy

 main-cpu

 auto-sync standard

 no secondary console enable

Fastswitching

There will be nothing in the running configuration for fastswitching when it is enabled.

Multicast

 ssg multicast

Command Reference

This section documents new commands associated with the NRP-SSG. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.

attr
clear ssg connection
clear ssg host
clear ssg next-hop
clear ssg pass-through-filter
clear ssg service
local-profile
show ssg binding
show ssg connection
show ssg direction
show ssg host
show ssg next-hop
show ssg pass-through-filter
show ssg service
ssg bind direction
ssg bind service
ssg default-network
ssg fastswitch
ssg maxservice
ssg multicast
ssg next-hop
ssg pass-through
ssg radius-helper
ssg service-password
ssg service-search-order

attr

To configure an attribute in a local RADIUS service profile, use the attr profile configuration command. Use the no form of this command to delete an attribute from a service profile.

attr radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value
no attr radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value

Syntax Description

radius-attribute-id	RADIUS attribute ID to be configured.
vendor-id	(Optional) Vendor ID. Required if the RADIUS attribute ID is 26, indicating a vendor-specific attribute. Cisco's vendor ID is 9.
cisco-vsa-type	(Optional) Cisco vendor-specific attribute (VSA) type. Required if the vendor ID is 9, indicating a Cisco VSA.
attribute-value	Attribute value.

Defaults

No default behavior or values.

Command Mode

Profile configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to configure attributes in local RADIUS service profiles.

Examples

The following example configures the Cisco-Avpair upstream access control list attribute in the RADIUS profile, cisco.com:

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# local-profile cisco.com

 routerA(config-prof)# attr 26 9 1 "ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"

The following example deletes the Session-Timeout attribute in the RADIUS profile, cisco.com:

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# local-profile cisco.com

 routerA(config-prof)# no attr 27 600

Related Commands

Command	Description
local-profile	Configures a local RADIUS service profile and enters profile configuration mode.

clear ssg connection

To remove the connections of a given host and a service name, use the clear ssg connection privileged EXEC command.

clear ssg connection ip-address service-name

Syntax Description

ip-address	IP address of an active SSG connection.
service-name	Name of an active SSG connection.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to remove the connections for a given host and service name.

Examples

The following example removes the service connection for Perftest to host 192.168.1.1:

 RouterA# clear ssg connection 192.168.1.1 Perftest

Related Commands

Command	Description
show ssg connection	Displays the connections of a given host and a service name.

clear ssg host

To remove or disable a given host or subscriber, use the clear ssg host privileged EXEC command.

clear ssg host ip-address

Syntax Description

ip-address

IP address of the host or subscriber.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to remove a host's connection from the NRP-SSG.

Examples

The following example removes the connection for host 192.168.1.1:

 RouterA# clear ssg host 192.168.1.1

Related Commands

Command	Description
show ssg host	Displays the information about a subscriber and current connections of the subscriber.

clear ssg next-hop

To remove the next-hop table, use the clear ssg next-hop privileged EXEC command.

clear ssg next-hop

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

If you use this command to clear the next-hop table, nothing will be displayed when you use the show ssg next-hop command. However, the next-hop table will still appear in the running configuration. To remove the next-hop table from the running configuration, use the no form of the ssg next-hop command.

Examples

The following example removes the next-hop table:

 RouterA# clear ssg next-hop

Related Commands

Command	Description
ssg next-hop	Downloads the next-hop table from a RADIUS server.
show ssg next-hop	Displays the next-hop table.

clear ssg pass-through-filter

To remove the downloaded filter for transparent passthrough, use the clear ssg pass-through-filter privileged EXEC command.

clear ssg pass-through-filter

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Removing the filter allows unauthenticated traffic to pass through the NRP-SSG in either direction without modification. If you use this command to clear the downloaded transparent passthrough filter, nothing will be displayed when you use the show ssg pass-through-filter command. However, the transparent passthrough filter will still appear in the running configuration. To remove the transparent passthrough filter from the running configuration, use the no form of the ssg pass-through command.

Examples

The following example removes the downloaded transparent passthrough filter:

 RouterA# clear ssg pass-through-filter

Related Commands

Command	Description
ssg pass-through	Enables transparent passthrough.
show ssg pass-through-filter	Displays the downloaded filter for transparent passthrough.

clear ssg service

To remove a service, use the clear ssg service privileged EXEC command.

clear ssg service service-name

Syntax Description

service-name

Name of an active SSG service.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to remove services.

Examples

The following example removes the Perftest service:

 RouterA# clear ssg service Perftest

Related Commands

Command	Description
ssg bind service	Specifies the interface for a service.
show ssg binding	Displays service names that have been bound to interfaces and the interfaces to which they have been bound.
show ssg service	Displays the information for a service.

local-profile

To configure a local RADIUS service profile and enter profile configuration mode, use the local-profile global configuration command. Use the no form of this command to delete the local service profile.

local-profile profilename
no local-profile profilename

Syntax Description

profilename

Name of profile to be configured.

Defaults

No default behavior or values.

Command Mode

Global configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to configure local RADIUS service profiles.

Examples

The following example configures the RADIUS profile called cisco.com, and enters profile configuration mode:

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# local-profile cisco.com

 routerA(config-prof)#

Related Commands

Command	Description
attr	Configures an attribute in a local RADIUS profile.
ssg service-search-order	Specifies the order in which NRP-SSG searches for a service profile.

show ssg binding

To display service names that have been bound to interfaces and the IP addresses to which they have been bound, use the show ssg binding privileged EXEC command.

show ssg binding [| {begin expression | exclude expression | include expression}]

Syntax Description

begin	(Optional) Begin with the line that contains expression.
exclude	(Optional) Exclude lines that contain expression.
include	(Optional) Include lines that contain expression.
expression	(Optional) Word or phrase used to determine what lines will be shown.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to display services and the interfaces to which they have been bound.

Examples

The following example displays all service names that have been bound to interfaces:

 RouterA# show ssg binding

 WhipitNet -> 192.168.1.1 (NHT)

 Service1.com -> 192.168.1.2 (NHT)

 Service2.com -> 192.168.1.3 (NHT)

 Service3.com -> 192.168.1.4 (NHT)

 GoodNet -> 192.168.2.1

 Perftest -> 192.168.1.6

Related Commands

Command	Description
ssg bind service	Specifies the interface for a service.
show ssg service	Displays the information for a service.
clear ssg service	Removes a service.

show ssg connection

To display the connections of a given host and a service name, use the show ssg connection privileged EXEC command.

show ssg connection ip-address service-name [| {begin expression | exclude expression | include expression}]

Syntax Description

ip-address	IP address of an active SSG connection. This is always a subscribed host.
service-name	The name of an active SSG connection.
begin	(Optional) Begin with the line that contains expression.
exclude	(Optional) Exclude lines that contain expression.
include	(Optional) Include lines that contain expression.
expression	(Optional) Word or phrase used to determine what lines will be shown.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to display information about the connections for a given host and service name.

Examples

The following example shows the service connection for the Perftest service to host 192.168.1.1:

 RouterA# show ssg connection 192.168.1.1 Perftest

 ------------------------ ConnectionObject Content -----------------------

 User Name:

 User Password:

 Owner Host: 192.168.1.1

 Associated Service: Perftest

 Connection State: 0

 Connection Started since:

 *11:08:15.000 PST Mon Jan 25 1999

 Connection Traffic Statistics:

 Input Bytes = 0 (HI = 0), Input packets = 0

 Output Bytes = 0 (HI = 0), Output packets = 0

Related Commands

Command	Description
clear ssg connection	Removes the connections of a given host and a service name.

show ssg direction

To display the direction of all interfaces for which a direction has been specified, use the show ssg direction privileged EXEC command.

show ssg direction [| {begin expression | exclude expression | include expression}]

Syntax Description

begin	(Optional) Begin with the line that contains expression.
exclude	(Optional) Exclude lines that contain expression.
include	(Optional) Include lines that contain expression.
expression	(Optional) Word or phrase used to determine what lines will be shown.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to display all interfaces that have been specified as uplinks or downlinks.

Examples

The following example displays the direction of all interfaces that have been specified as uplinks or downlinks.

 RouterA# show ssg direction

 ATM0/0/0.10: Uplink

 BVI1: Downlink

 FastEthernet0/0/0: Uplink

Related Commands

Command	Description
ssg bind direction	Specifies an interface as a downlink or uplink interface.

show ssg host

To display the information about a subscriber and current connections of the subscriber, use the show ssg host privileged EXEC command.

show ssg host [ip-address [| {begin expression | exclude expression | include expression}] | username [| {begin expression | exclude expression | include expression}] | [| {begin expression | exclude expression | include expression}]]

Syntax Description

ip-address	(Optional) IP address of the host.
username	(Optional) Display the usernames logged into the active hosts.
begin	(Optional) Begin with the line that contains expression.
exclude	(Optional) Exclude lines that contain expression.
include	(Optional) Include lines that contain expression.
expression	(Optional) Word or phrase used to determine what lines will be shown.

Defaults

If no arguments are provided, all current connections are displayed.

Command Mode

Privileged EXEC

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to display information about host objects.

Examples

The following example displays all active hosts:

 RouterA# show ssg host

 1:172.16.4.3

 2:172.16.4.21

 3:172.16.61.1

 ### Active HostObject Count:3

The following example displays all active hosts whose IP addresses begin with 172.16.6:

 RouterA# show ssg host | begin 172.16.6

 3:172.16.61.1

 ### Active HostObject Count:3

Note A vertical bar (|) must precede the output modifier (begin, exclude or include).

The following example displays the usernames logged in to the active hosts:

 RouterA# show ssg host username

 1: 172.16.2.11 (active) Host name: user1

 ### Total HostObject Count(including inactive hosts): 1

The following example displays information about host 172.16.6.112:

 RouterA# show ssg host 172.16.6.112

 ------------------------ HostObject Content -----------------------

 Activated:TRUE

 IDB:1625316924

 User Name:user1

 Host IP:172.16.6.112

 Msg IP:0.0.0.0 (0)

 Host DNS IP:0.0.0.0

 Maximum Session Timeout:0 seconds

 Host Idle Timeout:0 seconds

 Class Attr:NONE

 User logged on since:*06:34:42.000 pst Mon May 3 1999

 User last activity at:*06:34:47.000 pst Mon May 3 1999

 Default Service:NONE

 DNS Default Service:NONE

 Active Services:isp-2; isp-name.com; isp-1;

 AutoService:isp-1; isp-2;

 Subscribed Services:isp-2; isp-3; isp-1; isp-4; isp-5;

Related Commands

Command	Description
clear ssg host	Removes or disables a given host or subscriber.

show ssg next-hop

To display the next-hop table, use the show ssg next-hop privileged EXEC command.

show ssg next-hop [| {begin expression | exclude expression | include expression}]

Syntax Description

begin	(Optional) Begin with the line that contains expression.
exclude	(Optional) Exclude lines that contain expression.
include	(Optional) Include lines that contain expression.
expression	(Optional) Word or phrase used to determine what lines will be shown.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to display all next-hop IP addresses.

Examples

The following example displays the next-hop table:

 RouterA# show ssg next-hop

 Next hop table loaded from profile prof-nhg:

 WhipitNet -> 192.168.1.6

 Service1.com -> 192.168.1.3

 Service2.com -> 192.168.1.2

 Service3.com -> 192.168.1.1

 GoodNet -> 192.168.1.2

 Perftest -> 192.168.1.5

 End of next hop table.

Related Commands

Command	Description
ssg next-hop	Downloads the next-hop table from a RADIUS server.
clear ssg next-hop	Removes the next-hop table.

show ssg pass-through-filter

To display the downloaded filter for transparent passthrough, use the show ssg pass-through-filter privileged EXEC command.

show ssg pass-through-filter [| {begin expression | exclude expression | include expression}]

Syntax Description

begin	(Optional) Begin with the line that contains expression.
exclude	(Optional) Exclude lines that contain expression.
include	(Optional) Include lines that contain expression.
expression	(Optional) Word or phrase used to determine what lines will be shown.

Defaults

No default behavior or values.

Command Mode

Privileged EXEC

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to display the downloaded transparent passthrough filter. The filter prevents passthrough traffic from accessing the specified IP address and subnet mask combinations. The filter is set using the ssg pass-through command.

To display a filter defined on the command line, use the show running-config command.

Examples

The following example displays the passthrough filter:

 RouterA# show ssg pass-through-filter

 Service name: filter01

 Password: cisco

 Direction: Uplink

 Extended IP access list (SSG ACL)

 permit tcp 172.16.6.0 0.0.0.255 any eq telnet

 permit tcp 172.16.6.0 0.0.0.255 192.168.250.0 0.0.0.255 eq ftp

Related Commands

Command	Description
ssg pass-through	Enables transparent passthrough.
clear ssg pass-through-filter	Removes the downloaded filter for transparent passthrough.

show ssg service

To display the information for a service, use the show ssg service privileged EXEC command.

show ssg service [service-name [| {begin expression | exclude expression | include expression}]]

Syntax Description

service-name	(Optional) Name of an active SSG service.
begin	(Optional) Begin with the line that contains expression.
exclude	(Optional) Exclude lines that contain expression.
include	(Optional) Include lines that contain expression.
expression	(Optional) Word or phrase used to determine what lines will be shown.

Defaults

If no service name is provided, the command displays information for all services.

Command Mode

Privileged EXEC

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to display connection information for a service.

Examples

The following example displays the information for the service called isp-name.com:

 RouterA# show ssg service isp-name.com

 ------------------------ ServiceInfo Content -----------------------

 Name:isp-name.com

 Type:PASS-THROUGH

 Mode:CONCURRENT

 Service Session Timeout:0 seconds

 Service Idle Timeout:0 seconds

 Class Attr:NONE

 Authentication Type:CHAP

 Max Connections Allowed:10

 Reference Count:1

 DNS Server(s):Primary:192.168.250.11

 Included Network Segments:

 192.168.250.0/255.255.255.0

 Excluded Network Segments:

 Domain List:isp-name.com;

 Active Connections:

 1 :Virtual=172.16.6.112, Subscriber=172.16.6.112

 ------------------------ End of ServiceInfo Content ----------------

Related Commands

Command	Description
ssg bind service	Specifies the interface for a service.
show ssg binding	Displays service names that have been bound to interfaces and the interfaces to which they have been bound.
clear ssg service	Removes a service.

ssg bind direction

To specify an interface as a downlink or uplink interface, use the ssg bind direction global configuration command. Use the no form of this command to disable the directional specification for the interface.

ssg bind direction downlink | uplink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}

no ssg bind direction downlink | uplink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}

Syntax Description

downlink	Specify interface direction as downlink.
uplink	Specify interface direction as uplink.
ATM	Indicates the interface is ATM.
atm-interface	ATM interface.
Async	Indicates the interface is Async.
async-interface	Async interface.
BVI	Indicates the interface is BVI.
bvi-interface	Bridge-Group Virtual Interface.
Dialer	Indicates the interface is Dialer.
dialer-interface	Dialer interface.
Ethernet	Indicates the interface is Ethernet.
ethernet-interface	IEEE 802.3.
FastEthernet	Indicates the interface is FastEthernet.
fastethernet-interface	FastEthernet IEEE 802.3.
Group-Async	Indicates the interface is Group Async.
group-async-interface	Group async interface.
Lex	Indicates the interface is Lex.
lex-interface	Lex interface.
Loopback	Indicates the interface is Loopback.
loopback-interface	Loopback interface.
Multilink	Indicates the interface is Multilink.
multilink-interface	Multilink interface.
Null	Indicates the interface is Null.
null-interface	Null interface.
Port-channel	Indicates the interface is Port Channel.
port-channel-interface	Port channel interface.
Tunnel	Indicates the interface is Tunnel.
tunnel-interface	Tunnel interface.
Virtual-Access	Indicates the interface is Virtual Access.
virtual-access-interface	Virtual access interface.
Virtual-Template	Indicates the interface is Virtual Template.
virtual-template-interface	Virtual template interface.
Virtual-TokenRing	Indicates the interface is Virtual Token Ring.
virtual-tokenring-interface	Virtual token ring interface.

Defaults

All interfaces are configured as uplink interfaces by default.

Command Mode

Global configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to specify an interface as downlink or uplink. An uplink interface is an interface to services; a downlink interface is an interface to subscribers.

Examples

The following example specifies an ATM interface as a downlink interface:

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# ssg bind direction downlink ATM 0/0/0.10

Related Commands

Command	Description
show ssg binding	Displays service names that have been bound to interfaces and the interfaces to which they have been bound.

ssg bind service

To specify the interface for a service, use the ssg bind service global configuration command. Use the no form of this command to unbind the service and the interface.

ssg bind service service-name {ip-address | ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}

no ssg bind service service-name {ip-address | ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}

Syntax Description

service	Service name.
ip-address	IP address of the next hop router.
ATM	Indicates the interface is ATM.
atm-interface	ATM interface.
Async	Indicates the interface is Async.
async-interface	Async interface.
BVI	Indicates the interface is BVI.
bvi-interface	Bridge-Group Virtual Interface.
Dialer	Indicates the interface is Dialer.
dialer-interface	Dialer interface.
Ethernet	Indicates the interface is Ethernet.
ethernet-interface	IEEE 802.3.
FastEthernet	Indicates the interface is FastEthernet.
fastethernet-interface	FastEthernet IEEE 802.3.
Group-Async	Indicates the interface is Group Async.
group-async-interface	Group async interface.
Lex	Indicates the interface is Lex.
lex-interface	Lex interface.
Loopback	Indicates the interface is Loopback.
loopback-interface	Loopback interface.
Multilink	Indicates the interface is Multilink.
multilink-interface	Multilink interface.
Null	Indicates the interface is Null.
null-interface	Null interface.
Port-channel	Indicates the interface is Port Channel.
port-channel-interface	Port channel interface.
Tunnel	Indicates the interface is Tunnel.
tunnel-interface	Tunnel interface.
Virtual-Access	Indicates the interface is Virtual Access.
virtual-access-interface	Virtual access interface.
Virtual-Template	Indicates the interface is Virtual Template.
virtual-template-interface	Virtual template interface.
Virtual-TokenRing	Indicates the interface is Virtual Token Ring.
virtual-tokenring-interface	Virtual token ring interface.

Defaults

No default behavior or values.

Command Mode

Global configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to bind a service to an interface.

Examples

The following example specifies the interface for the service defined as MyService:

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# ssg bind service MyService ATM 0/0/0.10

Related Commands

Command	Description
show ssg service	Displays the information for a service.
show ssg binding	Displays service names that have been bound to interfaces and the interfaces to which they have been bound.
clear ssg service	Removes a service.

ssg default-network

To specify the default network IP address or subnet and mask, use the ssg default-network global configuration command. Use the no form of this command to disable the default network IP address and mask.

ssg default-network ip-address mask
no ssg default-network ip-address mask

Syntax Description

ip-address	SSG default IP address or subnet
mask	SSG default network destination mask

Defaults

No default behavior or values.

Command Mode

Global configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to specify the first IP address or subnet that users will be able to access without authentication. This is the address where the Cisco SSD resides. After users enter the URL for the Cisco SSD, they will be prompted for a username and password. A mask provided with the IP address specifies the range of IP addresses that users will be able to access without authentication.

Examples

The following example specifies a default network IP address, 192.168.1.2., and mask 255.255.255.255.

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# ssg default-network 192.168.1.2 255.255.255.255

Related Commands

None.

ssg fastswitch

To enable fastswitching, use the ssg fastswitch global configuration command. Use the no form of this command to disable fastswitching.

ssg fastswitch
no ssg fastswitch

Syntax Description

This command has no arguments or keywords.

Defaults

Fastswitching is enabled by default.

Command Mode

Global configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Fastswitching must be enabled for the NRP-SSG to function.

Examples

The following example disables fastswitching:

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# no ssg fastswitch

Related Commands

None.

ssg maxservice

To set the maximum number of services per user, use the ssg maxservice global configuration command. Use the no form of the command to remove the maximum number of services per user from the running configuration and return it to the default.

ssg maxservice number
no ssg maxservice

Syntax Description

number

Maximum number of services per user. The minimum value is 0; the maximum is 20.

Defaults

The default maximum number of services per user is 20.

Command Mode

Global configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

Use this command to limit the number of services to which a user can be logged on simultaneously.

Examples

The following example sets the maximum number of services per user to 10.

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# ssg maxservice 10

Related Commands

None.

ssg multicast

To enable the NRP-SSG's handling of multicast, use the ssg multicast global configuration command. Use the no form of this command to disable multicast.

ssg multicast
no ssg multicast

Syntax Description

This command has no arguments or keywords.

Defaults

The NRP-SSG's handling of multicast is disabled by default.

Command Mode

Global configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

When multicast is enabled, the NRP-SSG will forward multicast packets, which include normal multicast packets and IGMP packets, received on an uplink or downlink interface that has had a service bound to it to the IOS routing engine.

Examples

The following example enables multicast:

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# ssg multicast

Related Commands

None.

ssg next-hop

To download the next-hop table from a RADIUS server, use the ssg next-hop global configuration command. Use the no form of this command to remove the command from the configuration.

ssg next-hop download [profile-name] [profile-password]
no ssg next-hop download [profile-name] [profile-password]

Syntax Description

download	Loads the next-hop table profile.
profile-name	(Optional) Profile name.
profile-password	(Optional) Profile password.

Defaults

If no profile name and password are provided, the previous profile specified with this command is downloaded. If no previous profile was specified, an error is generated.

Command Mode

Global configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

When this command is used, an entry is made in the running configuration. When the configuration is reloaded, the next-hop table is automatically downloaded. If the no form of this command is used to remove it from the running configuration, a next-hop table will not be automatically downloaded when the configuration is reloaded.

Examples

The following example downloads the next-hop table called MyProfile from a RADIUS server:

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# ssg next-hop download MyProfile MyProfilePassword

Related Commands

Command	Description
show ssg next-hop	Displays the next-hop table.
clear ssg next-hop	Removes the next-hop table.

ssg pass-through

To enable transparent passthrough, use the ssg pass-through global configuration command. Use the no form of this command to disable transparent passthrough.

ssg pass-through [filter {ip-access-list | ip-extended-access-list | access-list-name | download [profile-name | profile-name profile-password]} [downlink | uplink]}]

no ssg pass-through [filter {ip-access-list [downlink | uplink] | ip-extended-access-list [downlink | uplink] | access-list-name [downlink | uplink] | downlink | download [profile-name | profile-name profile-password] | uplink}}]

Syntax Description

filter	(Optional) Specify access control for packets.
ip-access-list	(Optional) IP access list (standard or extended).
ip-extended-access-list	(Optional) IP extended access list (standard or extended).
access-list-name	(Optional) Access list name.
download	(Optional) Load a service profile and use its filter(s) as default filter(s).
profile-name	(Optional) Service profile name.
profile-password	(Optional) Service profile password.
downlink	(Optional) Apply filter to downlink packets.
uplink	(Optional) Apply filter to uplink packets.

Defaults

Transparent passthrough is disabled by default.

Command Mode

Global configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Note Transparent passthrough is supported only in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC.

Usage Guidelines

Use this command to enable transparent passthrough, if you want to allow unauthenticated traffic to pass through the NRP-SSG in either direction without modification. If you want all traffic to be authenticated by the NRP-SSG, use this command to disable transparent passthrough. You can use the filter option to prevent passthrough traffic from accessing the specified IP address and subnet mask combinations.

Use the no form of this command to remove a transparent passthrough filter that was configured at the command line. This will also remove it from the running configuration.

Examples

The following example downloads a transparent passthrough filter from the filter01 service profile:

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# ssg pass-through filter download filter01 cisco

 Radius reply received:

 Created Upstream acl from it.

 Loading default pass-through filter succeeded.

Related Commands

Command	Description
show ssg pass-through-filter	Displays the downloaded filter for transparent passthrough.
clear ssg pass-through-filter	Removes the downloaded filter for transparent passthrough.

ssg radius-helper

To enable communications with the Cisco Service Selection Dashboard (SSD) and specify port numbers and secret keys for receiving packets, use the ssg radius-helper global configuration command. Use the no form of this command to disable communications with the Cisco SSD.

Syntax Description

acct-port	(Optional) Specifies the UDP destination port for a RADIUS accounting server.
port-number	(Optional) Port number for accounting requests; the host is not used for accounting if set to 0. The default is 1646.
auth-port	(Optional) Specifies the UDP destination port for a RADIUS authentication server.
port-number	(Optional) Port number for authentication requests; the host is not used for authentication if set to 0. The default is 1645.
key	(Optional) Specifies the key shared with the RADIUS clients.
key	(Optional) Key shared with the RADIUS clients.

Defaults

The default port number for acct-port is 1646.
The default port number for auth-port is 1645.

Command Mode

Global configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

You must use this command to specify a key so that the NRP-SSG can communicate with the Cisco SSD.

Examples

The following example enables communication with the Cisco SSD:

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# ssg radius-helper acct-port 1646 auth-port 1645

 routerA(config)# ssg radius-helper key MyKey

Related Commands

None.

ssg service-password

To specify the password for downloading a service profile, use the ssg service-password global configuration command. Use the no form of this command to disable the password.

ssg service-password password
no ssg service-password password

Syntax Description

password

Service profile password.

Defaults

No default behavior or values.

Command Mode

Global configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

This command sets the password required to authenticate with the AAA server and download a service profile.

Examples

The following example sets the password for downloading a service profile:

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# ssg service-password MyPassword

Related Commands

None.

ssg service-search-order

To specify the order in which NRP-SSG searches for a service profile, use the ssg service-search-order global configuration command. Use the no form of this command to disable the search order.

ssg service-search-order {local | remote | local remote | remote local}
no ssg service-search-order {local | remote | local remote | remote local}

Syntax Description

local	Search for service profiles in local Flash memory.
remote	Search for service profiles on a RADIUS server.
local remote	Search for service profiles in local Flash memory, then on a RADIUS server.
remote local	Search for service profiles on a RADIUS server, then in local Flash memory.

Defaults

The default search order is remote, that is, the NRP-SSG searches for service profiles on the RADIUS server.

Command Mode

Global configuration

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

The NRP-SSG can search for service profiles in local Flash memory, on a remote RADIUS server, or both. The possible search orders are:

Local—search only in Flash memory
Remote—search only on the RADIUS server
Local remote—search in Flash memory first, then on the RADIUS server
Remote local—search on the RADIUS server, then in Flash memory

Examples

The following example sets the search order to local remote, so that NRP-SSG will always look for service in Flash memory first, then on the RADIUS server:

 routerA# configure terminal

 Enter configuration commands, one per line. End with CNTL/Z.

 routerA(config)# ssg service-search-order local remote

Related Commands

Command	Description
local-profile	Configures a local RADIUS service profile.

Debug Commands

This section documents new debug commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command references.

debug ssg ctrl-errors
debug ssg ctrl-events
debug ssg ctrl-packets
debug ssg data
debug ssg data-nat
debug ssg errors
debug ssg events

debug ssg ctrl-errors

To display all error messages for control modules, use the debug ssg ctrl-errors privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg ctrl-errors

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

This command displays error messages for the control modules, which includes all modules that manage the user authentication and service log on and log off (RADIUS, PPP, Subblock, and Accounting). An error message is the result of an error detected during normal execution.

Examples

The following output is generated by the debug ssg ctrl-errors command when a host logs on and logs off from a service:

 routerA# debug ssg ctrl-errors

 Mar 29 13:51:30 [192.168.5.1.15.21] 59:00:15:38:%VPDN-6-AUTHORERR:L2F NAS

 LowSlot6 cannot locate a AAA server for Vi6 user User1

 Mar 29 13:51:31 [192.168.5.1.15.21] 60:00:15:39:%LINEPROTO-5-UPDOWN:Line

 protocol on Interface Virtual-Access6, changed state to down

Related Commands

Command	Description
debug ssg ctrl-events	Displays all event messages for control modules.
debug ssg ctrl-packets	Displays packet contents handled by control modules.

debug ssg ctrl-events

To display all event messages for control modules, use the debug ssg ctrl-events privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg ctrl-events

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

This command displays event messages for the control modules, which includes all modules that manage the user authentication and service log on and log off (RADIUS, PPP, Subblock, and Accounting). An event message is an informational message generated during normal execution.

Examples

The following output is generated by the debug ssg ctrl-events command when a host logs on to a service:

 routerA# debug ssg ctrl-events

 Mar 16 16:20:30 [192.168.6.1.7.141] 799:02:26:51:SSG-CTL-EVN:Service logon is accepted.

 Mar 16 16:20:30 [192.168.6.1.7.141] 800:02:26:51:SSG-CTL-EVN:Send cmd 11 to host 172.16.6.13. dst=192.168.100.24:36613

Related Commands

Command	Description
debug ssg ctrl-errors	Displays all error messages for control modules.
debug ssg ctrl-packets	Displays packet contents handled by control modules.

debug ssg ctrl-packets

To display packet contents handled by control modules, use the debug ssg ctrl-packets privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg ctrl-packets

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

This command displays packet messages for the control modules, which includes all modules that manage the user authentication and service log on and log off (RADIUS, PPP, Subblock, and Accounting). A packet message displays the contents of a package.

Examples

The following output is generated by the debug ssg ctl-packets command when a host logs off from a service:

 routerA# debug ssg ctrl-packets

 Mar 16 16:23:38 [192.168.6.1.7.141] 968:02:30:00:SSG-CTL-PAK:Received Packet:

 Mar 16 16:23:38 [192.168.6.1.7.141] 980:02:30:00:SSG-CTL-PAK:Sent packet:

 Mar 16 16:23:39 [192.168.6.1.7.141] 991:02:30:00:SSG-CTL-PAK:

 Mar 16 16:23:39 [192.168.6.1.7.141] 992:Received Packet:

Related Commands

Command	Description
debug ssg ctrl-errors	Displays all error messages for control modules.
debug ssg ctrl-events	Displays all event messages for control modules.

debug ssg data

To display all data path packets, use the debug ssg data privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg data

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

This command displays packets for the data modules, which includes all modules that forward data packets (DHCP, DNS, tunneling, fastswitch, IP stream, and multicast).

Examples

The following output is generated by the debug ssg data command when a host logs on and logs off from a service:

 routerA# debug ssg data

 Mar 29 13:45:16 [192.168.5.1.15.21] 45:00:09:24:

 SSG-DATA:PS-UP-SetPakOutput=1(Vi6:172.16.5.50->199.199.199.199)

 Mar 29 13:45:16 [192.168.5.1.15.21] 46:00:09:24:

 SSG-DATA:PS-DN-SetPakOutput=1(Fa0/0/0:171.69.2.132->172.16.5.50)

 Mar 29 13:45:16 [192.168.5.1.15.21] 47:00:09:24:

 SSG-DATA:FS-UP-SetPakOutput=1(Vi6:172.16.5.50->171.69.43.34)

 Mar 29 13:45:16 [192.168.5.1.15.21] 48:00:09:24:

Related Commands

Command	Description
debug ssg data-nat	Displays all data path packets for NAT processing.

debug ssg data-nat

To display all data path packets for NAT processing, use the debug ssg data-nat privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg data-nat

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

This command displays packets for the data modules, which includes all modules that forward NAT data packets.

Examples

The following output is generated by the debug ssg data-nat command when a host logs on and logs off from a service:

 routerA# debug ssg data-nat

 Mar 29 13:43:14 [192.168.5.1.15.21] 35:00:07:21:SSG-DATA:TranslateIP Dst

 199.199.199.199->171.69.2.132

 Mar 29 13:43:14 [192.168.5.1.15.21] 36:00:07:21:SSG-DATA:TranslateIP

 171.69.2.132->199.199.199.199

 Mar 29 13:43:30 [192.168.5.1.15.21] 39:00:07:38:SSG-DATA:TranslateIP Dst

 199.199.199.199->171.69.2.132

 Mar 29 13:43:30 [192.168.5.1.15.21] 40:00:07:38:SSG-DATA:TranslateIP

 171.69.2.132->199.199.199.199

Related Commands

Command	Description
debug ssg data	Displays all data path packets.

debug ssg errors

To display all error messages for the system modules, use the debug ssg errors privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg errors

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

This command displays error messages for the system modules, which include the basic IOS and other support modules (such as Object Model, Timeout, and Initialization). An error message is the result of an error detected during normal execution.

Examples

The following output is generated by the debug ssg errors command when a PPPoE client logs on with an incorrect password:

 routerA# debug ssg errors

 Mar 16 08:46:20 [192.168.6.1.7.141] 225:00:16:06:SSG:SSGDoAccounting:

 reg_invoke_do_acct returns FALSE

Related Commands

Command	Description
debug ssg events	Displays event messages for system modules.

debug ssg events

To display event messages for system modules, use the debug ssg events privileged EXEC command. Use the no form of this command to disable debugging output.

[no] debug ssg events

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command History

Release	Modification
12.0(3)DC	This command was first introduced.

Usage Guidelines

This command displays event messages for the system modules, which include the basic IOS modules and other support modules (such as Object Model, Timeout, and Initialization). An event message is an informational message during normal execution.

Examples

The following output is generated by the debug ssg events command when a PPPoE client logs in with the username "username" and the password "cisco:"

 routerA# debug ssg events

 Mar 16 08:39:39 [192.168.6.1.7.141] 167:00:09:24:%LINK-3-UPDOWN:

 Interface Virtual-Access3, changed state to up

 Mar 16 08:39:39 [192.168.6.1.7.141] 168:00:09:25:%LINEPROTO-5-UPDOWN:

 Line protocol on Interface Virtual-Access3, changed state to up

 Mar 16 08:39:40 [192.168.6.1.7.141] 169:00:09:26:%VPDN-6-AUTHORERR:L2F

 NAS LowSlot7 cannot locate a AAA server for Vi3 user username

 Mar 16 08:39:40 [192.168.6.1.7.141] 170:HostObject::HostObject:size = 256

Hierarchical Navigation

Cisco IOS Software Releases 12.0 Special and Early Deployments