Configuring ISG Port-Bundle Host Key
Intelligent Services Gateway (ISG) is a Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module contains information on how to configure ISG port-bundle host key functionality, which maps TCP packets from subscribers to a local IP address for the ISG gateway and a range of ports. This mapping allows an external portal to identify the ISG gateway from which a session originated.
- Finding Feature Information
- Prerequisites for the ISG Port-Bundle Host Key Feature
- Restrictions for the ISG Port-Bundle Host Key Feature
- Information About ISG Port-Bundle Host Key
- How to Configure ISG Port-Bundle Host Key
- Configuration Examples for ISG Port-Bundle Host Key
- Additional References
- Feature Information for ISG Port-Bundle Host Key
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for the ISG Port-Bundle Host Key Feature
The external portal must support port-bundle host keys and must be configured with the same port-bundle host key parameters.
Restrictions for the ISG Port-Bundle Host Key Feature
The ISG Port-Bundle Host Key feature must be separately enabled at the portal and at all connected ISGs.
All ISG source IP addresses configured with the source command must be routable in the management network where the portal resides.
For each portal server, all connected ISGs must have the same port-bundle length.
The ISG Port-Bundle Host Key feature uses TCP. Packets will not be mapped for a subscriber who is not sending TCP traffic.
Specifying the Port-Bundle Host Key feature in a user profile will work only when the user profile is available prior to the arrival of IP packets; for example, for PPP sessions or for Dynamic Host Configuration Protocol (DHCP)-initiated IP sessions with transparent autologon.
Information About ISG Port-Bundle Host Key
- Overview of ISG Port-Bundle Host Key
- Port-Bundle Host Key Mechanism
- Port-Bundle Length
- Benefits of ISG Port-Bundle Host Key
Overview of ISG Port-Bundle Host Key
The ISG Port-Bundle Host Key feature serves as an in-band signaling mechanism for session identification at external portals. TCP packets from subscribers are mapped to a local IP address for the ISG gateway and a range of ports. This mapping allows the portal to identify the ISG gateway from which the session originated. The mapping also identifies sessions uniquely even when subscribers have overlapping IP addresses. The ISG Port-Bundle Host Key feature enables a single portal to be deployed for multiple Virtual Routing and Forwardings (VRFs) even when there are subscribers with overlapping IP addresses.
Port-Bundle Host Key Mechanism
With the ISG Port-Bundle Host Key feature, an ISG performs Port-Address Translation (PAT) and Network Address Translation (NAT) on the TCP traffic between the subscriber and the portal. When a subscriber TCP connection is set up, the ISG creates a port mapping that changes the source IP address to a configured ISG IP address and changes the source TCP port to a port allocated by the ISG. The ISG assigns a bundle of ports to each subscriber because one subscriber can have several simultaneous TCP sessions when accessing a web page. The assigned port-bundle host key, or combination of the port bundle and ISG source IP address, uniquely identifies each subscriber. The host key is carried in RADIUS packets sent between the portal server and the ISG in the Subscriber IP vendor-specific attribute (VSA). The table below describes the Subscriber IP VSA. When the portal server sends a reply to the subscriber, the ISG uses the translation tables to identify the destination IP address and destination TCP port.
Table 1. Subscriber IP VSA Description

Attribute ID | Vendor ID | Subattribute ID and Type | Attribute Name | Attribute Data |
---|---|---|---|---|
26 | 9 | 250 Account-Info | Subscriber IP | S subscriber-ip-address [:port-bundle-number] |
For each TCP session between a subscriber and the portal, the ISG uses one port from the port bundle as the port map. Individual port mappings are flagged as eligible for reuse on the basis of inactivity timers, but are not explicitly removed once assigned. The number of port bundles is limited per ISG address, but there is no limit to the number of ISG IP addresses that can be configured for port bundle usage.
Port-Bundle Length
The port-bundle length is used to determine the number of ports in one bundle. By default, the port-bundle length is four bits. The maximum port-bundle length is ten bits. See the table below for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. You may want to increase the port-bundle length when you see frequent error messages about running out of ports in a port bundle.
Table 2. Port-Bundle Lengths and Resulting Port-per-Bundle and Bundle-per-Group Values

Port-Bundle Length (in Bits) | Number of Ports per Bundle | Number of Bundles per Group (and per ISG Source IP Address) |
---|---|---|
0 | 1 | 64512 |
1 | 2 | 32256 |
2 | 4 | 16128 |
3 | 8 | 8064 |
4 (default) | 16 | 4032 |
5 | 32 | 2016 |
6 | 64 | 1008 |
7 | 128 | 504 |
8 | 256 | 252 |
9 | 512 | 126 |
10 | 1024 | 63 |
Note: For each portal server, all connected ISGs must have the same port-bundle length, which must correspond to the configured value given in the portal server’s BUNDLE_LENGTH argument. If you change the port-bundle length on an ISG, be sure to make the corresponding change in the configuration on the portal.
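The following Python sketch is an added example, not Cisco code. It reproduces Table 2 from the bundle length and shows how a portal whose BUNDLE_LENGTH differs from the ISG's reads the same translated source port as a different host key. It assumes that ports below 1024 are never bundled, that the bundle number is the source port with its low length bits dropped, and that the address field of the Subscriber IP VSA carries the ISG source IP when a host key is present; the function names and the sample VSA value are constructed for illustration.

```python
import ipaddress

RESERVED_PORTS = 1024  # assumption: 65536 - 1024 = 64512 ports are available for bundling
MAX_LENGTH_BITS = 10   # maximum port-bundle length stated in the text


def bundle_geometry(length_bits):
    """Return (ports per bundle, bundles per ISG source IP), reproducing Table 2."""
    if not 0 <= length_bits <= MAX_LENGTH_BITS:
        raise ValueError("port-bundle length must be 0..10 bits")
    return 1 << length_bits, (65536 - RESERVED_PORTS) >> length_bits


def host_key(src_ip, src_port, length_bits):
    """Portal-side view of a translated TCP source: (ISG source IP, bundle number)."""
    bundle_geometry(length_bits)  # validates the length
    if not RESERVED_PORTS <= src_port <= 65535:
        raise ValueError("source port is outside the bundled range")
    # Assumption: the bundle number is the port with its low length_bits bits dropped.
    return str(ipaddress.IPv4Address(src_ip)), src_port >> length_bits


def parse_subscriber_ip_vsa(data):
    """Parse Account-Info data 'S subscriber-ip-address[:port-bundle-number]'."""
    if not data.startswith("S"):
        raise ValueError("not a Subscriber IP value")
    addr, sep, bundle = data[1:].partition(":")
    ip = str(ipaddress.IPv4Address(addr.strip()))
    return ip, (int(bundle.strip()) if sep else None)


def vsa_matches_connection(data, src_ip, src_port, portal_length_bits):
    """True when the host key in the VSA names the connection the portal sees."""
    return parse_subscriber_ip_vsa(data) == host_key(src_ip, src_port, portal_length_bits)


if __name__ == "__main__":
    vsa = "S10.10.10.10:65"  # constructed sample value
    # ISG configured with "length 5": port 2080 belongs to bundle 65.
    print(vsa_matches_connection(vsa, "10.10.10.10", 2080, 5))
    # Portal left at the default of 4 bits: the same port is read as bundle 130.
    print(vsa_matches_connection(vsa, "10.10.10.10", 2080, 4))
```

A mismatch of this kind does not fail loudly: the portal simply attributes the connection to another bundle, which is why the length must be changed on the ISG and the portal together.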
Benefits of ISG Port-Bundle Host Key
- Support for Overlapped Subscriber IP Addresses Extended to Include External Portal Usage
- Portal Provisioning for Subscriber and ISG IP Addresses No Longer Required
Support for Overlapped Subscriber IP Addresses Extended to Include External Portal Usage
The ISG Port-Bundle Host Key feature enables external portal access regardless of subscriber IP address or VRF membership. Without the use of port-bundle host keys, all subscribers accessing a single external portal must have unique IP addresses. Furthermore, because port-bundle host keys isolate VRF-specific addresses from the domain in which the portal resides, routing considerations are simplified.
Portal Provisioning for Subscriber and ISG IP Addresses No Longer Required
Without the ISG Port-Bundle Host Key feature, a portal must be provisioned for subscriber and ISG IP addresses before the portal is able to send RADIUS packets to the ISG or send HTTP packets to subscribers. The ISG Port-Bundle Host Key feature eliminates the need to provision a portal in order to allow one portal server to serve multiple ISGs and to allow one ISG to be served by multiple portal servers.
How to Configure ISG Port-Bundle Host Key
- Enabling the ISG Port-Bundle Host Key Feature in a Service Policy Map
- Enabling the ISG Port-Bundle Host Key Feature in a User Profile or Service Profile on the AAA Server
- Configuring Port-Bundle Host Key Parameters
- Verifying ISG Port-Bundle Host Key Configuration
Enabling the ISG Port-Bundle Host Key Feature in a Service Policy Map
Perform this task to enable the ISG Port-Bundle Host Key feature in a service policy map. The ISG Port-Bundle Host Key feature will be applied to any subscriber who uses this service policy map.
Note: We recommend that you use a dedicated service policy for the feature. Do not share a policy with other ISG features.
DETAILED STEPS
Command or Action | Purpose |
---|---|
Example: Router> enable | Enables privileged EXEC mode. |
Example: Router# configure terminal | Enters global configuration mode. |
Example: Router(config)# policy-map type service service1 | Creates or defines a service policy map, which is used to define an ISG service. |
Example: Router(config-service-policymap)# ip portbundle | Enables the ISG Port-Bundle Host Key feature for the service. |
Example: Router(config-service-policymap)# end | (Optional) Returns to privileged EXEC mode. |
What to Do Next
You may want to configure a method of activating the service policy map or service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services".
Enabling the ISG Port-Bundle Host Key Feature in a User Profile or Service Profile on the AAA Server
Perform this task to enable the ISG Port-Bundle Host Key feature in a user profile or service profile on the Authentication, Authorization, and Accounting (AAA) server.
DETAILED STEPS
Command or Action | Purpose |
---|---|
Example: 26,9,1 = "ip:portbundle=enable" | Enables the ISG Port-Bundle Host Key feature in the user or service profile. |
What to Do Next
If you enabled the ISG Port Bundle Host Key feature in a service profile, you may want to configure a method of activating the service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the "Configuring ISG Subscriber Services" module.
Configuring Port-Bundle Host Key Parameters
Perform this task to configure ISG Port-Bundle Host Key parameters and specify the interface for which ISG will use translation tables to derive the IP address and port number for downstream traffic.
DETAILED STEPS
Verifying ISG Port-Bundle Host Key Configuration
Perform this task to display information about ISG port-bundle host key configuration.
DETAILED STEPS
Command or Action | Purpose |
---|---|
Example: Router> enable | Enables privileged EXEC mode. |
Example: Router# show ip portbundle status free | Displays information about ISG port-bundle groups. |
Example: Router# show ip portbundle ip 10.10.10.10 bundle 65 | Displays information about a specific ISG port bundle. |
Example: Router# show subscriber session detailed | Displays ISG subscriber session information. |
Configuration Examples for ISG Port-Bundle Host Key
ISG Port-Bundle Host Key Configuration Example
The following example shows how to configure the ISG Port-Bundle Host Key feature to apply to all sessions:
policy-map type service ISGPBHKService
 ip portbundle
!
policy-map type control PBHKRule
 class type control always event session-start
  1 service-policy type service ISGPBHKService
!
service-policy type control PBHKRule
interface gigabitethernet0/0/0
 ip address 10.1.1.1 255.255.255.0
 ip portbundle outside
!
ip portbundle
 match access-list 101
 length 5
 source loopback 0
Additional References
Related Documents
Related Topic | Document Title |
---|---|
ISG commands | |
Technical Assistance
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | |
Feature Information for ISG Port-Bundle Host Key
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 3. Feature Information for ISG Port-Bundle Host Key

Feature Name | Releases | Feature Configuration Information |
---|---|---|
ISG: Session: Auth: PBHK | Cisco IOS XE Release 2.2 | The ISG Port-Bundle Host Key feature serves as an in-band signaling mechanism for session identification at external portals. TCP packets from subscribers are mapped to a local IP address for the ISG gateway and a range of ports. This mapping allows the portal to identify the ISG gateway from which the session originated. This module provides information about how to configure the ISG Port-Bundle Host Key feature. |