Redirecting ISA Subscriber Traffic

Available Languages

Download Options

  • PDF     (259.0 KB)
    View with Adobe Reader on a variety of devices
Updated:December 15, 2004

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Redirecting ISA Subscriber Traffic

Table Of Contents

Redirecting ISA Subscriber Traffic

Contents

Prerequisites for Redirecting ISA Subscriber Traffic

Restrictions for Redirecting ISA Subscriber Traffic

Information About Redirecting ISA Subscriber Traffic

Overview of ISA Layer 4 Redirect

Layer 4 Redirect Applications

How to Configure ISA Layer 4 Redirect

Defining a Redirect Server Group

Configuring Layer 4 Redirection on an Interface

Prerequisites

Configuring Layer 4 Redirection in a Service Policy Map

Prerequisites

Configuring Layer 4 Redirection in a Service Profile or User Profile on the AAA Server

What to Do Next

Verifying ISA Traffic Redirection

Examples

Configuration Examples for ISA Layer 4 Redirect

Redirecting Unauthenticated Subscriber Traffic: Example

Redirecting Unauthorized Subscriber Traffic: Example

Initial Redirection: Example

Periodic Redirection: Examples

Redirecting DNS Traffic: Example

Additional References

Related Documents

Technical Assistance

Feature Information for Redirecting ISA Subscriber Traffic


Redirecting ISA Subscriber Traffic

The Intelligent Service Architecture (ISA) is a core set of Cisco IOS components that provide a structured framework in which edge access devices can deliver flexible and scalable services to subscribers. A Cisco device that is running a Cisco IOS image with ISA is called an Intelligent Service Gateway (ISG). This module describes how to configure ISA to redirect subscriber traffic by using the ISA Layer 4 Redirect feature. The ISA Layer 4 Redirect feature enables service providers to better control the user experience by allowing subscriber TCP or User Datagram Protocol (UDP) packets to be redirected to specified servers for appropriate handling. ISA Layer 4 redirection can be used to facilitate subscriber authentication, initial and periodic advertising captivation, redirection of application traffic, and DNS redirection.

Module History

This module was first published on April 28, 2005, and last updated on April 28, 2005.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all features. To find information about feature support and configuration, use the "Feature Information for Redirecting ISA Subscriber Traffic" section.

Contents

Prerequisites for Redirecting ISA Subscriber Traffic

Restrictions for Redirecting ISA Subscriber Traffic

Information About Redirecting ISA Subscriber Traffic

How to Configure ISA Layer 4 Redirect

Configuration Examples for ISA Layer 4 Redirect

Additional References

Feature Information for Redirecting ISA Subscriber Traffic

Prerequisites for Redirecting ISA Subscriber Traffic

The tasks in this document assume you know how to configure access control lists.

Restrictions for Redirecting ISA Subscriber Traffic

The ISA Layer 4 Redirect feature applies only to TCP or UDP traffic.

Information About Redirecting ISA Subscriber Traffic

Before you configure Layer 4 Redirect, you should understand the following concepts:

Overview of ISA Layer 4 Redirect

Layer 4 Redirect Applications

Overview of ISA Layer 4 Redirect

The ISA Layer 4 Redirect feature redirects specified packets to servers that handle the packets in a specified manner. For example, packets sent upstream by unauthorized users can be forwarded to a server that redirects the users to a logon page. Similarly, if users try to access a service to which they have not logged on, the packets can be redirected to a server that provides a service logon screen.

The Layer 4 Redirect feature supports three types of redirection, which can be applied to subscriber sessions or to flows:

Permanent redirection—Specified traffic is redirected to the specified server all the time.

Initial redirection—Specified traffic is redirected for a specific duration of the time only, starting from when the feature is applied.

Periodic redirection—Specified traffic is periodically redirected. The traffic is redirected for a specified duration of time. The redirection is then suspended for another specified duration. This cycle is repeated.

The Layer 4 Redirect feature uses access lists to define which traffic will be redirected. Multiple access lists can be used to redirect packets to different server groups. Only the first packet of a TCP session must match the access list; subsequent packets for the session will be sent to the same server.

A redirect server can be any server that is programmed to respond to the redirected packets. If ISA is used with a web portal, unauthenticated subscribers can be sent automatically to a logon page when they start a browser session. Web portal applications can also redirect to service logon pages, advertising pages, and message pages.

Redirected packets are sent to an individual redirect server or redirect server group that consists of one or more servers. The ISG selects one server from the group in a rotating fashion to receive the redirected packets.

When traffic is redirected, ISG modifies the destination IP address and TCP port of upstream packets to reflect the destination server. For downstream packets, ISG returns the source IP address and port to the original packet's destination.

Layer 4 Redirect Applications

The Layer 4 Redirect feature supports the following applications:

TCP redirection for unauthenticated users and unauthorized services

HTTP traffic from subscribers can be redirected to a web dashboard where the subscribers can log on so that authentication and authorization can be performed.

Initial and periodic redirection for advertising captivation

Subscriber traffic can be redirected to a sponsor's web page for a brief period of time at the start of the session or periodically throughout the session.

Redirection of application traffic

Application traffic from a subscriber can be redirected so as to provide value-added services. For example, a subscriber's SMTP traffic can be redirected to a local mail server that can function as a forwarding agent for the mail.

Domain Name System (DNS) redirection

DNS queries may be redirected to a local DNS server. In some deployments, such as public wireless LAN (PWLAN) hotspots, subscribers may have a static DNS server addresses, which may not be reachable at certain locations. Redirecting DNS queries to a local DNS server allows applications to work properly without requiring reconfiguration.

How to Configure ISA Layer 4 Redirect

There are three ways to apply Layer 4 redirection to sessions. One way is to configure redirection directly on the subscriber interface. A second way is to configure a service profile or service policy map with the Layer 4 redirect attribute in it, and apply that service to the session. A third way is to configure the Layer 4 redirect attribute in the user profile.

The following tasks describe how to configure Layer 4 redirection. The first task is optional. One or more of the next three tasks is required. The last task is optional.

For examples of Layer 4 redirection configuration for specific applications (such as unauthenticated user redirect), see the "Configuration Examples for ISA Layer 4 Redirect" section.

Defining a Redirect Server Group

Configuring Layer 4 Redirection on an Interface

Configuring Layer 4 Redirection in a Service Policy Map

Configuring Layer 4 Redirection in a Service Profile or User Profile on the AAA Server

Verifying ISA Traffic Redirection

Defining a Redirect Server Group

Perform this task to define a group of one or more servers to which traffic will be redirected. Traffic will be forwarded to servers in a rotating fashion.

SUMMARY STEPS

1. enable

2. configure terminal

3. redirect server-group group-name

4. server ip ip-address port port-number

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

redirect server-group group-name

Example:

Router(config)# redirect server-group ADVT-SERVER

Defines a group of servers that make up a named redirection server group.

Step 4 

server ip ip-address port port-number

Example:

Router(config-sg-l4redirect-group)# server ip 10.0.0.1 port 8080

Adds a server to a redirect server group.

You can enter this command more than one time to add multiple servers to the server group.

Configuring Layer 4 Redirection on an Interface

Perform this task to redirect all matching Layer 4 subscriber traffic that arrives on an interface.

Prerequisites

An IP access list must be configured if you choose to use an access list to identify traffic for redirection.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip subscriber

5. identifier interface

6. exit

7. redirect [list access-list-number] to {group server-group-name | ip ip-address [port port-number]} [duration seconds] [frequency seconds]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface fastethernet 0/0.505

Specifies an interface and enters interface configuration mode.

Step 4 

ip subscriber

Example:

Router(config-if)# ip subscriber

Enables ISA IP subscriber configuration mode.

Step 5 

identifier interface

Example:

Router(config-subscriber)# identifier interface

Creates an ISA IP interface session.

Step 6 

exit

Example:

Router(config-subscriber)# exit

Returns to interface configuration mode.

Step 7 

redirect [list access-list-number] to {group server-group-name | ip ip-address [port port-number]} [duration seconds] [frequency seconds]

Example:

Router(config-if)# redirect list 100 to group advt-server duration 30 frequency 3600

Redirects specified traffic to a specified server or server group.

Configuring Layer 4 Redirection in a Service Policy Map

Perform this task to configure ISA layer 4 redirection in a service policy map.

Prerequisites

The ISA Layer 4 Redirect feature is configured under a traffic class within a service policy map. This task assumes that you have defined the traffic class map. See the module "Configuring ISA Subscriber Services" for more information.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map service policy-map-name

4. class type traffic class-name

5. redirect [list access-list-number] to {group server-group-name | ip ip-address [port port-number]} [duration seconds] [frequency seconds]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type service policy-map-name

Example:

Router(config)# policy-map type service service1

Creates or modifies a service policy map, which is used to define an ISA service.

Step 4 

class type traffic class-name

Example:

Router(config-service-policymap)# class type traffic class1

(Optional) Specifies a traffic class map that identifies the traffic to which this service applies.

Step 5 

redirect [list access-list-number] to {group server-group-name | ip ip-address [port port-number]} [duration seconds] [frequency seconds]

Example:

Router(config-service-policymap-class-traffic)# redirect to ip 10.10.10.10

Redirects traffic to a specified server or server group.

What to Do Next

You may want to configure a method of activating the service policy map; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISA Subscriber Services."

Configuring Layer 4 Redirection in a Service Profile or User Profile on the AAA Server

The Layer 4 Redirect feature can be configured as a Cisco vendor-specific attribute (VSA) in a user or service profile on an authentication, authorization, and accounting (AAA) server. This attribute can appear more than once in a profile to define different types of redirections for a session and can be used in both user and service profiles simultaneously.

SUMMARY STEPS

1. Add the Layer 4 Redirect VSA to the user profile or service profile on the AAA server.

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

Add the Layer 4 Redirect VSA to the user profile or subscriber profile on the AAA server.

26,9,1= "ip:l4redirect=redirect [list access-list-number] to {group server-group-name | ip ip-address [port port-number]} [duration seconds] [frequency seconds]"

Redirects traffic to a specified server or server group.

What to Do Next

If you configure ISA Layer 4 redirection in a service profile, you may want to configure a method of activating the service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISA Subscriber Services."

Verifying ISA Traffic Redirection

Perform this task to verify the configuration and operation of ISA Layer 4 traffic redirection.

SUMMARY STEPS

1. enable

2. show redirect translations [ip ip-address]

3. show redirect group [group-name]

4. show subscriber session [detailed] [identifier identifier | uid session-id | username name]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show redirect translations [ip ip-address]

Example:

Router# show redirect translations ip 10.0.0.0

Displays ISA Layer 4 redirect translations for sessions.

Step 3 

show redirect group [group-name]

Example:

Router# show redirect group redirect1

Displays information about ISA redirect server groups.

Step 4 

show subscriber session [detailed] [identifier identifier | uid session-id | username name]

Example:

Router# show subscriber session detailed

Displays ISA subscriber session information.

Examples

The following example shows sample output for the show redirect translations command: 

Router# show redirect translations ip 53.0.0.2


Destination IP/port    Server IP/port         Prot  In Flags  Out Flags  Timestamp

152.0.0.2       23     9.2.36.253      23     TCP   none      none       May 08 2003 
12:37:10

The following example show sample output for the show subscriber session command. This output shows that Layer 4 redirect is being applied from the service profile. 

Router# show subscriber session uid 135


Subscriber session handle: 7C000114, state: connected, service: Local Term

Unique Session ID: 135

Identifier: blind-rdt

SIP subscriber access type(s): IP-Interface

Root SIP Handle: CF000020, PID: 73

Current SIP options: Req Fwding/Req Fwded

Session Up-time: 40 minutes, 30 seconds, Last Changed: 40 minutes, 30 seconds

AAA unique ID: 135

Switch handle: F000086

Interface: ATM2/0.53


Policy information:

  Authentication status: unauthen

  Config downloaded for session policy:

  From Access-Type: IP-Interface, Client: SM, Event: Service Selection Request, Service

    Profile name: blind-rdt, 2 references 

      username             "blind-rdt"

      l4redirect           "redirect list 100 to group sesm-grp"

  Rules, actions and conditions executed:

    subscriber rule-map blind-rdt

      condition always event session-start

        action 1 service-policy type service "blind-rdt"

          

Session inbound features:

 Feature: Layer 4 Redirect

  Rule  Cfg  Definition

  #1    SVC  Redirect list 100 to group sesm-grp  !! applied redirect

Configuration sources associated with this session:

Service: blind-rdt, Active Time = 40 minutes, 32 seconds

Interface: ATM2/0.53, Active Time = 40 minutes, 32 seconds

The following is sample output for the show subscriber session command for a session in which the Layer 4 redirection is applied on the interface: 

Router# show subscriber session uid 133


Subscriber session handle: D7000110, state: connected, service: Local Term

Unique Session ID: 133

Identifier: 

SIP subscriber access type(s): IP-Interface

Root SIP Handle: 1E, PID: 73

Current SIP options: Req Fwding/Req Fwded

Session Up-time: 42 minutes, 54 seconds, Last Changed: 42 minutes, 54 seconds

AAA unique ID: 133

Switch handle: 17000084

Interface: FastEthernet0/0.505


Policy information:

  Authentication status: unauthen


Session inbound features:

 Feature: Layer 4 Redirect

  Rule  Cfg  Definition

  #1    INT  Redirect list 100 to group sesm-grp 

Configuration sources associated with this session:

Interface: FastEthernet0/0.505, Active Time = 42 minutes, 54 seconds

Configuration Examples for ISA Layer 4 Redirect

This section contains the following examples:

Redirecting Unauthenticated Subscriber Traffic: Example

Redirecting Unauthorized Subscriber Traffic: Example

Initial Redirection: Example

Periodic Redirection: Examples

Redirecting DNS Traffic: Example

Redirecting Unauthenticated Subscriber Traffic: Example

The following example shows the configuration of redirection for unauthenticated users. In this case, Layer 4 traffic from unauthenticated subscribers is redirected to the web portal. 

service-policy type control all-rdt

!

class-map type traffic match-any CLASS-ALL

!

policy-map type service blind-rdt

  class type traffic CLASS-ALL

	 redirect to group PORTAL

!

policy-map type control all-rdt

  class type control always event session-start

      1 service-policy type service blind-rdt


  class type control always event account-logon

	 1 authenticate

      2 service-policy type service unapply blind-rdt

!

redirect server-group PORTAL

 server ip 9.2.36.253 port 80

Redirecting Unauthorized Subscriber Traffic: Example

The following example shows the configuration of redirection for unauthorized subscribers. If the subscriber is not logged onto service "svc2", traffic matching the service "SVC" is redirected to the server group "PORTAL". Once the subscriber logs in to the service, the traffic is no longer redirected. When the subscriber logs out of the service, redirection is applied again. 

service-policy type control THE_RULE

!

class-map type traffic match-any CLASS-ALL

!

class-map type traffic match-any CLASS-100_110

 match access-group input 100 

 match access-group output 110

!

policy-map type service blind-rdt

 class type traffic CLASS-ALL

  redirect to group PORTAL

!

policy-map type service svc-rdt

 class type traffic CLASS-ALL

  redirect list 100 to group PORTAL

!

policy-map type service svc

 class type traffic CLASS-100_110

 class type traffic default in-out

  drop

!

policy-map type control THE_RULE

 class type control alwyas event account-logon

  1 authenticate

  2 service-policy type service svc-rdt

 class type control cond-svc-logon event service-start

  1 service-policy type service unapply svc-rdt

  2 service-policy type service identifier service-name

 class type control cond-svc-logon event service-stop

  1 service-policy type service unapply svc

  2 service-policy type service svc-rdt

 !

class-map type control match-all cond-svc-logon

 match identifier service-name svc 

!

redirect server-group PORTAL

 server ip 9.2.36.253 port 80

Initial Redirection: Example

The following example shows ISA configured to redirect user traffic that comes over interface FastEthernet0/0.505 to a server group called "ADVT" for the intial 60 seconds of the session. After the initial 60 seconds, ISA will stop redirecting the traffic for the rest of the lifetime of the session. 

interface FastEthernet0/0.505

 encapsulation dot1Q 505

 ip address 10.0.0.1 255.255.255.0

 ip subscriber 

  identifier interface 

 redirect to group ADVT duration 60 

 no cdp enable

The following example shows ISA configured to redirect the Layer 4 traffic of all subscribers to a server group called "ADVT" for the intial 60 seconds of the session. After the initial 60 seconds, ISA will stop redirecting the traffic for the rest of the lifetime of the session. 

service-policy type control initial-rdt

policy-map type control intial-rdt

 class type control always event session-start

  1 service-policy type service initial-rdt-profile

 !

policy-map type service initial-rdt-profile

 class type traffic CLASS-ALL

  redirect to group ADVT duration 60

Periodic Redirection: Examples

The following example shows how to redirect subscriber traffic coming over FastEthernet interface 0/0.505 for a period of 60 seconds every 3600 seconds. 

interface FastEthernet0/0.505

 encapsulation dot1Q 505

 ip address 50.0.0.1 255.255.255.0

 subscriber session

 redirect to group ADVT duration 60 frequency 3600

 no cdp enable

!

The following example shows how to redirect all subscriber traffic for a period of 60 seconds every 3600 seconds. 

service-policy control periodic-rdt session-start

!

policy-map control periodic-rdt

 class type control always event session-start

  1 service-policy service periodic-rdt-profile

 !

policy-map service periodic-rdt-profile

 redirect to group ADVT duration 60 frequency 3600

Redirecting DNS Traffic: Example

The following example shows how to redirect all subscriber DNS packets to the server group "DNS-server". 

service-policy type control DNS-rdt

policy-map type control DNS-rdt

 class type control event session-start

  1 service-policy type service DNS-rdt-profile

  !

policy-map type service DNS-rdt-profile

 class type traffic CLASS-ALL

  redirect list 120 to group DNS-server

!

access-list 100 permit udp any any eq domain

Additional References

The following sections provide references related to the ISA Layer 4 Redirect feature.

Related Documents

Related Topic
Document Title

ISA commands

Cisco IOS Intelligent Service Architecture Configuration Guide


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Feature Information for Redirecting ISA Subscriber Traffic

Table 16 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Releases 12.2(27)SBA or later appear in the table.

Not all commands may be available in your Cisco IOS software release. For details on when support for specific commands was introduced, see the command reference documents.

If you are looking for information on a feature in this technology that is not documented here, see the "Intelligent Service Architecture Features Roadmap."

Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Table 16 Feature Information for Redirecting ISA Subscriber Traffic 

Feature Name
Software Releases
Feature Configuration Information

ISA: Flow Control: Flow Redirect

12.2(27)SBA

The ISA Layer 4 Redirect feature enables service providers to better control the user experience by allowing subscriber TCP or UDP packets to be redirected to specified servers for appropriate handling. ISA Layer 4 redirection can be applied to individual subscriber sessions or flows.

The following sections provide information about this feature:

Information About Redirecting ISA Subscriber Traffic

How to Configure ISA Layer 4 Redirect


Copyright © 2005 Cisco Systems, Inc. All rights reserved.
This module first published April 28, 2005. Last updated April 28, 2005.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco