|
Table Of Contents
New Features in Cisco IOS Software Release 12.2(16)BX
SSG Prepaid and SSG Prepaid Idle Timeout
SSG Full Username RADIUS Attribute
Service Connection and Termination
Mutually Exclusive Service Selection
Service Profiles and Cached Service Profiles
Multicast Protocols on SSG Interfaces
VPI/VCI Static Binding to a Service Profile
RADIUS Virtual Circuit Logging
AAA Server Group Support for Proxy Services
Cisco 10000 Series Router MIB Enhancements
Product Bulletin No. 2260
Cisco IOS Software Release 12.2(16)BX
for Cisco 10000 Series RouterThis product bulletin provides information about Cisco IOS® Software Release 12.2(16)BX, which provides Cisco® Service Selection Gateway features for the Cisco 10000 Series Router.
These product bulletins are updated as needed to describe new features, memory requirements, hardware support, software platform deferrals, and changes to the microcode and related documents.
Cisco IOS Software Release 12.2(16)BX is based on the previous release, Cisco IOS Software Release 12.2(15)BX. Release 12.2(16)BX will run only on Cisco 10000 Series Performance Routing Engine PRE-2. There will be no support for PRE or PRE-1 routing engines.
New Features in Cisco IOS Software Release 12.2(16)BX
The following features and enhancements are newly supported on the Cisco 10000 Series Router in Cisco IOS Release 12.2(16)BX:
•
Service Selection Gateway
•
•
Service Selection Gateway
The Cisco 10000 Series Router supports the following Service Selection Gateway (SSG) features in Cisco IOS Software Release 12.2(16)BX:
Access Protocols
•
•
SSG Logon and Logoff
•
•
•
•
Authentication and Accounting
•
•
•
Service Selection Methods
•
•
•
Service Connection
•
•
•
•
•
Service Profiles
•
Interface Configuration
•
•
Policing
•
Redirection
•
Miscellaneous Features
•
•
•
•
•
•
The following sections describe the Service Selection Gateway features. For more information about configuring these features, refer to the Cisco 10000 Series Router Service Selection Gateway Configuration Guide.
Single Host Logon
The Single Host Logon feature enables Cisco Subscriber Edge Services Manager (SESM) software to authenticate subscribers by using the PPP authenticated information from the SSG; a subscriber does not need to log on to the SESM. To log on to a service through the SESM Web application, a subscriber enters authentication information once for the PPP session and once for the service.
For non-PPP users, when a subscriber authenticates using the SESM application, the subscriber does not have to log on again for the remainder of the non-PPP session. However, the subscriber still has to log on to services.
SSG Autologoff
The SSG Autologoff feature enables SSG to verify connectivity with each host. SSG checks the status of the connection with each host at configured intervals. If SSG finds that a host is not reachable, SSG automatically initiates the logoff of that host. SSG has two methods of checking the connectivity of hosts: ARP ping and ICMP ping.
SSG Prepaid and SSG Prepaid Idle Timeout
The SSG Prepaid feature allows a user to connect to a service if the user has prepaid for the service. The SSG Prepaid feature is time-based only.
When SSG Prepaid is configured, SSG checks a subscriber's available credit to determine whether to connect the subscriber to the service and how long the connection can last. The billing server administers the subscriber's credit as a series of quotas. These quotas are allotments of available credit and represent the duration of use.
The SSG Prepaid Idle Timeout feature enables SSG to return residual quotas (allotments of prepaid credit) to the billing server from services that a user is logged into but not actively using. The SSG can reauthorize a user before the user completely consumes the allocated quota. The SSG Prepaid Idle Timeout feature also enhances the handling of a returned zero quota from the billing server. A user's connection to services can be open even when the billing server returns a zero quota. The SSG can notify the billing server when a connection fails, enabling the billing server to free quota reserved for the failed connection.
SSG Session and Idle Timeout
The Session-Timeout RADIUS attribute and the Idle-Timeout RADIUS attribute are two mechanisms used to prevent the SSG from continuing to allow traffic to pass from the IP address of a user who has disconnected from the network access server without logging out from the SSG. These attributes specify the following:
•
•
SSG Full Username RADIUS Attribute
The Full Username RADIUS attribute allows SSG to include the user's full username and domain (user@service) in the RADIUS authentication and accounting requests.
Account Login and Logout
SSG sends a RADIUS accounting-request record to the local RADIUS server when a user logs in to or out of the SSG. The Acct-Status-Type attribute included in the accounting-request record indicates if the accounting-request marks the start of the user service or the end of the service.
When a user logs in, SSG sends an accounting-start record to RADIUS. When a user logs out, SSG sends an accounting-stop record.
Service Connection and Termination
SSG also sends a RADIUS accounting-request record to the local RADIUS server when a user accesses or terminates a service. The Acct-Status-Type attribute included in the accounting-request record indicates whether the accounting-request marks the start of the user service or the end of the service.
When a user accesses a service, SSG sends an accounting-start record to RADIUS. When a user terminates a service, SSG sends an accounting-stop record.
PPP Terminated Aggregation
PPP Terminated Aggregation (PTA) is a PPP selection method in which service selection is based on a structured domain name (for example, username@service.com). PTA terminates the PPP session into a single routing domain. Users can only access one service and users do not have access to the default network or SESM.
The PTA-MD exclusion list allows you to create a set of domains that you want to exclude from SSG processing.
PTA-Multidomain
PTA-Multidomain (PTA-MD) is a PPP selection method in which service selection is based on a structured domain name (for example, username@service.com). PTA-MD terminates the PPP sessions into multiple IP routing domains. SSG features and processing are applied to the user traffic and users can access one or more services at a time. PTA-MD service selection supports a wholesale VPN model where each domain is isolated from the other and has the capability to support overlapping IP addresses.
Web Service Selection
Web service selection enables users to concurrently access multiple on-demand services from a list of personalized services. The Cisco 10000 Series Router supports the Cisco SESM application for Web service selection.
The SESM application provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with the SESM Web application using a standard Internet browser. They do not need to download any software or plug-ins to use the SESM Web pages. After a subscriber successfully authenticates, the SESM Web application presents a list of services that the subscriber is currently authorized to use. The subscriber can gain access to one or more of those services by selecting them from a Web page. Alternatively, an automatic connection feature might provide automatic connection to services.
SSG AutoDomain
The SSG AutoDomain feature allows users to automatically connect to a service based on the domain part of the structured username specified in an Access-Request. When SSG AutoDomain is configured, user authentication is performed at the service (for example, at the AAA server within a corporate network), instead of at the network access server (NAS).
SSG Open Garden
An Open Garden is a collection of networks or Web sites that subscribers can access as long as they have physical access to the network. Subscribers do not have to provide authentication information before accessing the networks in an Open Garden. The network is not restricted by service selection, subscription, or policing.
SSG Port-Bundle Host Key
The SSG Port-Bundle Host Key feature enhances communication and functions between Cisco SSG and Cisco SESM by introducing a mechanism that uses the host source IP address and source port to identify and monitor subscribers. With the SSG Port-Bundle Host Key feature, SSG performs Port Address Translation (PAT) and Network Address Translation (NAT) on the HTTP traffic between the subscriber and the SESM server.
Exclude Networks
The Exclude Networks feature allows you to specify networks that you do not want users to automatically log on to.
Mutually Exclusive Service Selection
The Mutually Exclusive Service Selection feature restricts a subscriber to accessing only one service at a time in a specified group of services.
Service Profiles and Cached Service Profiles
Service profiles define the services that subscribers can select. Each service that is accessible has a profile that defines the attributes of the service. Service profiles are configured on the RADIUS server or directly on the Cisco 10000 Series Router. The RADIUS server or SESM downloads the service profiles to the router as needed.
The Cached Service Profiles feature enables SSG to use a cached copy of a service profile instead of downloading the profile from RADIUS every time a user logs on to the service.
SSG Hierarchical Policing
The Traffic Policing feature limits the transmission rate of traffic entering or leaving a node. In SSG, traffic policing can be used to allocate bandwidth between subscribers and between services to a particular subscriber to ensure all types of services are allocated a proper amount of bandwidth. SSG uses per-user and per-service policing to ensure bandwidth is distributed properly between subscribers (per-user policing) and between services to a particular subscriber (per-session policing). Because these policing techniques are hierarchical in nature (bandwidth can be first policed between users and then policed again between services to a particular user), the feature is called SSG Hierarchical Policing.
Transparent Passthrough
The Transparent Passthrough feature allows unauthenticated traffic to pass through an interface. Interfaces configured as transparent passthrough are treated as Cisco IOS Software interfaces and not SSG interfaces. The Cisco 10000 Series Router can receive transparent passthrough traffic on both the access side and the network side. When an interface is configured as transparent passthrough, SSG does not process the traffic to and from the interface or apply SSG features. Instead, Cisco IOS Software processes the traffic and applies Cisco IOS features.
Multicast Protocols on SSG Interfaces
SSG supports multicast traffic, which includes normal multicast packets and Internet Group Management Protocol (IGMP) packets. The multicast traffic is separate from the SSG traffic and is routed through normal Cisco IOS Software processing and features; it is not routed through SSG authentication or features such as per-service statistics or hierarchical policing.
SSG TCP Redirect
The SSG TCP Redirect feature redirects certain user packets to an alternative location that can handle the packets in a suitable manner. This feature works in conjunction with the SESM Web interface. SSG TCP Redirect forces subscribers to authenticate before accessing the network or specific services and ensures that subscribers are only allowed to access the services that the service provider wants them to.
The SSG TCP Redirect feature supports the following:
•
•
•
For more information, refer to the "Service Selection Gateway" chapter in the Cisco 10000 Series Router Service Selection Gateway Configuration Guide.
VPI/VCI Static Binding to a Service Profile
The VPI/VCI Static Binding to a Service Profile feature allows users accessing SSG through a VPI/VCI or a range of VPIs/VCIs to access the server. When a user session arrives on a VPI/VCI or a VPI/VCI range and the session specifies the username but does not specify the domain name, SSG maps the user session to the service to which the VPI/VCI or VPI/VCI range is bound.
RADIUS Virtual Circuit Logging
RADIUS Virtual Circuit (VC) Logging extends and modifies the RADIUS network access server (NAS) port field to carry VPI/VCI information. With RADIUS VC Logging enabled, the Cisco 10000 Internet router (the SSG node) can send NAS port information to the RADIUS server, accurately recording the virtual path interface (VPI) and virtual circuit interface (VCI) of an incoming user or subscriber session. The VPI/VCI of the incoming permanent virtual circuit (PVC) is recorded at the point of entry on SSG, which offers the RADIUS client a unique VPI/VCI for each incoming PVC. This information is logged in the RADIUS accounting record that was created at session startup.
AAA Server Group Support for Proxy Services
The AAA Server Group Support for Proxy Services feature allows you to configure multiple AAA servers for redundancy. The RADIUS Server attribute enables AAA server group support for proxy services. Each group is associated with a service that requires proxy RADIUS AAA. You can configure each remote RADIUS server with timeout and retransmission parameters. When necessary, the SSG performs failover among the servers in the predefined group.
Packet Filtering
The Cisco 10000 Series Router supports per-user ACLs to prevent users from accessing specific IP addresses and ports. When an ACL attribute is added to a user profile, the attribute applies globally to all the user's traffic.
SSG accepts Cisco IOS ACLs and SSG ACLs. SSG ACLs take precedence over Cisco IOS ACLs when both Cisco IOS and SSG ACLs are configured on the same SSG interface.
An SSG ACL can have a maximum of eight access-list entries (ACEs). If you use the TCP Redirect feature, TCP Redirect uses one of the eight ACEs; therefore, you can configure only seven ACEs.
SSG Unconfig
The SSG Unconfig feature enhances your ability to disable SSG at any time and releases the data structures and system resources created by SSG when SSG is unconfigured.
SSG Unconfig removes SSG allocated resources when you globally disable SSG after it was enabled. When you enable SSG, the SSG subsystem in the Cisco IOS Software acquires system resources that are never released, even after you disable SSG. The SSG Unconfig feature enables you to release and clean up system resources when SSG is not in use.
Per-Service Statistics
The Cisco 10000 Series Router collects statistics about router interfaces and the connections to them in both the input and output directions. Cisco CLI commands, such as show interface, are used to display information about the interfaces. SSG commands, such as show ssg connection, are used to display information about the connection to the router.
Field Diagnostics
Field Diagnostics provides customers with a method of testing and verifying line card hardware problems.
If you would like to perform a hardware diagnostic test on any line card in your Cisco 10000 Series Router, a Field Diagnostic image can be downloaded free of charge from Cisco Systems® and used to test whether the line card problems are indeed due to faulty hardware. The test results will verify whether or not the hardware is faulty.
For additional information about Field Diagnostic tests, refer to the Field Diagnostics for the Cisco 10000 Series Router at:
http://www.cisco.com/univercd/cc/td/doc/product/aggr/10000/tblshoot/fdiags/index.htm
8-Port DS3/E3 ATM Line Card
The 8-port DS3/E3 ATM line card is a full-height card that provides eight DS3 or E3 connections to ATM networks. The line card function focuses on Layer 2 ATM services and relies on the performance routing engine (PRE, Part Number ESR-PRE2) to provide Layer 3 services. The DS3/E3 ATM line card receives and transmits ATM cells on the physical interfaces while transmitting and receiving packets from the backplane.
The 8-port DS3/E3 ATM line card provides the following hardware features:
•
•
•
–
–
–
–
–
•
–
–
–
–
•
–
–
–
•
Mixing DSX3 modes on a per-port basis is not supported. When you configure the 8-port E3/DS3 ATM line card for a DSX3 mode, all eight ports of the line card operate in the mode you have selected.
The DS3/E3 ATM line card supports the throughput rates and ATM framing for the specified DSX3 modes as shown in Table 1.
For more information, refer to the "Configuring the 8-Port E3/DS3 ATM Line Card" in the Cisco 10000 Series Router Software Configuration Guide.
Cisco 10000 Series Router MIB Enhancements
Cisco IOS Software Release 12.2(16)BX adds support for the CISCO-SSG-MIB. For more information about the MIB capabilities on the router, refer to the Cisco 10000 Series Broadband MIB Specifications Guide. (Chapter 3, "MIB Specifications," lists MIBs constraints.). Or refer to:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Product Numbers
Table 2 provides the product part numbers associated with this product bulletin.
Note:
Download Information
Registered Cisco.com customers with Cisco software support contracts can download Cisco IOS Software Release 12.2(16)BX software at the following URL:
http://www.cisco.com/public/sw-center/sw-ios.shtml
Additional Sources
For more information about Cisco IOS Software Release 12.2(16)BX, please refer to the following sources:
Release Notes for Cisco IOS Release 12.2(16)BX:
http://www.cisco.com/en/US/products/hw/routers/ps133/prod_release_note09186a008019ef2e.html
Cisco 10000 Series MIB Specifications Guide:
Posted: Thu Jan 12 16:39:24 PST 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
