A closed user group (CUG) is a collection of DTE devices for which the network controls access between two members and between a member and a nonmember. An X.25 network can support up to 10,000 CUGs (numbered from 0 to 9999), each of which can have any number of member DTE devices. An individual DTE becomes a member of a specific network CUG by subscription. The subscription data includes the local number the DTE will use to identify the network CUG (which may or may not be the same as the network number, as determined by network administration and the requirements of the DTE device), and any restriction that prohibits the DTE from placing a call within the CUG or, conversely, prohibits the network from presenting a call within the CUG to the DTE device.
The X.25 DCE interfaces of the router can be configured to perform the standard CUG access controls normally associated with a direct attachment to an X.25 network POP. The DCE interface of the router acts as the boundary between the DTE and the network, and CUG use ensures that only those incoming and outgoing SVCs consistent with the configured CUG subscriptions are permitted. X.25 CUG configuration commands on the router are specified at every POP, and CUG security decisions are made solely from those commands. However, CUG service is not supported on XOT connections.
CUG security depends on CUG decisions made by the two POPs used to connect an SVC through the network, so CUG security depends on the collective configuration of all POPs that define the network boundary. The standalone interface configuration determines if the POP will permit user access for a given incoming or outgoing call within the authorized CUG.
CUGs are a network service designed to allow various network subscribers (DTE devices) to be segregated into private subnetworks with limited incoming or outgoing access. This means that a DTE must obtain membership from its network service (POP) for the set of CUGs it needs access to. A DTE may subscribe to zero, one, or several CUGs at the same time. A DTE that does not require CUG membership for access is considered to be in the open part of the network. Each CUG typically permits subscribing users to connect to each other, but precludes connections with nonsubscribing DTE devices.
However, CUG behavior is highly configurable. For instance, a CUG configuration may subscribe a DTE to a given CUG, but bar it from originating calls within the CUG or, conversely, bar it from receiving calls identified as being within the CUG. CUG configuration can also selectively permit the DTE to originate calls to a DTE on the open network, or permit the DTE to receive calls from a DTE on the open network.
CUG access control is first applied when the originating DTE places a call to the POP, and again when the POP of the destination DTE device receives the call for presentation. Changes to the POP CUG subscriptions will not affect any SVCs that have already been established.
When a DTE belongs to more than one CUG, it must specify its preferential CUG, unless a call is specifically aimed at devices outside the CUG network. However, the number of CUGs to which a DTE can belong depends on the size of the network. Unsubscribing from one CUG or the overall CUG service will not result in the termination of the SVC connections.
CUG behavior is a cooperative process between two network devices. The DCE offers this service to the connecting subscribers via the DTE device. There is no global database regarding CUG membership; therefore, the Cisco router uses information configured for the various X.25 devices and the encoded CUG information in the outgoing and incoming packets.
X.25 CUGs are used for additional X.25 access protection and security. In a setup where DTE devices are attached to a PDN, you can derive a private subnetwork by subscribing your DTE devices to a set of CUGs, which allows closer control of your DTE devices, such as permitting or restricting which DTE can talk to other DTE devices and for what particular purpose. For example, a distinct CUG can be defined to handle each of the different modes of connectivity, such as the following:
- Datagram encapsulation operation among all company sites
- PAD services for customers seeking public information
- PAD services for system administration internal access to consoles
- QLLC access restricted to the company financial centers
One site could have different CUG subscriptions, depending on connectivity requirements. These sites could all have restrictions regarding which other company devices can be reached (within a CUG), whether a device is permitted to call the open network for a given function, and whether a public terminal can access the device for a given function.
By default, no CUG behavior is implemented. Therefore, in order to observe CUG restrictions, all users attached to the network must be subscribed to CUG behavior (CUG membership) even if they are not subscribed to a specific CUG.
The figure below shows two CUGs (CUG 1 and CUG 2). DTE devices A, B, and C are members of CUG 1. They can initiate calls to, and receive calls from, only the other members of CUG 1. They are therefore members of a private subnet with no access to other DTE devices. DTE A is also a member of CUG 2 with DTE D, but DTE D cannot send calls to or receive calls from DTE B or DTE C. The router checks each received call to determine whether it is intended for the called DTE's CUG. If not, the router rejects the call.
You can subscribe to multiple CUGs per interface, but each CUG that is permitted must be specifically configured. All CUGs are sorted by their local identifier. The main limitation to the number of CUGs configured is the amount of nonvolatile memory to store the configuration. Having subscribed to a CUG, the DTE indicates which CUG is being called. If the DTE does not indicate a CUG, its DCE determines which CUG is used and if the call should be allowed.
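As an added example that is not part of the original page or of Cisco's code, the following Python model applies the checks described above (membership, the outgoing and incoming bars, open-network access, the DCE choosing the preferential CUG when the DTE names none, and the local-to-network CUG number mapping) first at the originating POP and then at the destination POP, using the Figure 5 topology as constructed sample data. Every class, field and function name is an assumption made for this example.

```python
from dataclasses import dataclass, field
# Constructed model of the CUG checks a POP (DCE interface) applies; not Cisco
# code, and every name and field below is an assumption made for this example.
@dataclass
class Cug:
    network_cug: int            # number the network uses for the CUG (0-9999)
    no_outgoing: bool = False   # DTE barred from placing calls within this CUG
    no_incoming: bool = False   # network barred from presenting this CUG's calls
@dataclass
class Dte:
    name: str
    cugs: dict = field(default_factory=dict)  # local CUG index -> Cug subscription
    preferential: "int | None" = None         # local index used when DTE names none
    outgoing_open: bool = False               # may originate calls to the open network
    incoming_open: bool = False               # may receive calls from the open network

def originate(dte, local_cug=None):
    """Originating POP check: returns (accepted, network CUG or None, reason)."""
    if not dte.cugs:                 # no subscriptions: DTE sits in the open network
        return True, None, "open-network caller"
    if local_cug is None:            # DTE named no CUG: the DCE picks the preferential one
        local_cug = dte.preferential
    if local_cug is None:            # still none: only a call to the open network can pass
        return dte.outgoing_open, None, "open call" if dte.outgoing_open else "no CUG selected"
    sub = dte.cugs.get(local_cug)
    if sub is None:
        return False, None, "not a member of local CUG %d" % local_cug
    if sub.no_outgoing:
        return False, None, "outgoing calls barred within the CUG"
    return True, sub.network_cug, "CUG call"  # the network number, not the local index, is carried
def present(dte, network_cug):
    """Destination POP check, made before the call is presented to the DTE."""
    if network_cug is None:          # open-network call
        return not dte.cugs or dte.incoming_open
    sub = next((s for s in dte.cugs.values() if s.network_cug == network_cug), None)
    return sub is not None and not sub.no_incoming

def place_call(caller, callee, local_cug=None):
    """Both checks in order, as the network applies them to one SVC setup."""
    ok, net_cug, reason = originate(caller, local_cug)
    if not ok:
        return False, "cleared at originating POP: " + reason
    if not present(callee, net_cug):
        return False, "cleared at destination POP: callee not reachable in that CUG"
    return True, reason

# Figure 5 topology (constructed): A in CUGs 1 and 2, B in CUG 1, D in CUG 2 by local index 1.
A = Dte("A", {1: Cug(1), 2: Cug(2)}, preferential=1)
B = Dte("B", {1: Cug(1)}, preferential=1)
D = Dte("D", {1: Cug(2)}, preferential=1)
```

The D-to-B case shows why the network CUG number, not the caller's local index, must be compared at the destination POP: D's local index 1 names network CUG 2, of which B is not a member.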
Note: CUG service is implemented at the DCE interface, which means that it specifies a network function. For a summary of DCE operations, refer to ITU-T 1996 Recommendation X.301 tables 7-6 and 7-8.
Figure 5: DTE Devices A, B, C, and D Connecting to CUGs 1 and 2 over a PDN