This feature module describes the Node Route Processor-Service Selection Gateway (NRP-SSG) feature. It includes information on the benefits of the new feature, supported platforms, related documents, and so forth.
This document includes the following sections:
The NRP-SSG is a feature of Cisco IOS Release 12.0(3)DC. It is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using high-speed data circuit equipment (DCE) such as Asymmetric Digital Subscriber Line (ADSL) to allow simultaneous access to network services. The NRP-SSG with Web Selection works in conjunction with the Cisco Service Selection Dashboard (SSD). The Cisco SSD is a customizable web-based application that allows users to select from multiple passthrough and proxy services through a standard web browser.
Figure 1 shows a diagram of a typical network topology including the NRP-SSG. This is an end-to-end, service-oriented DSL deployment consisting of Digital Subscriber Line Access Multiplexers (DSLAMs), ADSL modems, and other internetworking components and servers. The NRP-SSG resides in the Cisco 6400 universal access concentrator, which acts as a central control point for Layer 2 and Layer 3 services. This can include services available through Asynchronous Transfer Mode (ATM) virtual circuits (VCs), virtual private dial-up networks (VPDNs), or normal routing methods.
The NRP-SSG communicates with the authentication, authorization, and accounting (AAA) management network where Remote Access Dial-In User Service (RADIUS), Dynamic Host Configuration Protocol (DHCP), and Simple Network Management Protocol (SNMP) servers reside and with the Internet service provider (ISP) network, which may connect to the Internet, corporate networks, and value-added services.
A licensed version of the NRP-SSG works with the Cisco SSD to present to subscribers a menu of network services that can be selected from a single graphical user interface (GUI). This improves flexibility and convenience for subscribers, and enables service providers to bill subscribers based on connect time and services used, rather than charging a flat rate.
The user opens an HTML browser and accesses the URL of the Cisco SSD, a web server application. The Cisco SSD forwards user login information to the NRP-SSG, which forwards the information to the AAA server.
Note that when a non-Point-to-Point Protocol (non-PPP) user, such as in a bridged networking environment, disconnects from a service without logging off, the connection remains open and the user will be able to reaccess the service without going through the logon procedure. This is because no direct connection (PPP) exists between the subscribers and the NRP-SSG. To prevent non-PPP users from being logged on to services indefinitely, be sure to configure the Session-Timeout and/or Idle-Timeout RADIUS attributes.
Note that the Cisco SSD functionality discussed throughout this document is available only with the NRP-SSG with Web Selection product.
The NRP-SSG with Web Selection works in conjunction with the Cisco SSD. The Cisco SSD is a specialized web server that allows users to log on to and disconnect from multiple passthrough and proxy services through a standard web browser.
After the user opens a web browser, the NRP-SSG allows access to a single IP address or subnet, referred to as the "default network." This is typically the IP address of the Cisco SSD. The Cisco SSD prompts the user for a username and password. After the user is authenticated, the Cisco SSD presents a list of available services.
The NRP-SSG is designed to work with RADIUS-based AAA servers that accept vendor-specific attributes (VSAs).
The NRP-SSG supports the following types of services:
The NRP-SSG uses IOS access control lists (ACLs) to prevent users, services, and passthrough traffic from accessing specific IP addresses and ports.
When users are accessing multiple services, the NRP-SSG must determine the services for which the packets are destined. To do this, the NRP-SSG uses an algorithm to create a service access order list. This list is stored in the user's host object and contains services that are currently open and the order in which they are searched.
The algorithm that creates this list orders the open services based on the size of the network. Network size is determined by the subnet mask of the Service Route RADIUS attribute. A subnet that contains more hosts implies a larger network. In the case of networks that are the same size, the services will be listed in the order in which they were last accessed.
When creating service profiles, be sure to define as small a network as possible. If there is overlapping address space, packets might be forwarded to the wrong service.
Note that the Service Route attribute overrides the IP routing table for packets destined to a service.
When the NRP-SSG receives a DNS request, it performs domain name matching using the Domain Name attribute from the service profiles of the currently logged in services.
If a match is found, the request is redirected to the DNS server for the matched service.
If a match is not found and the user is logged on to a service that has Internet connectivity, the request is redirected to the first service in the user's service access order list that has Internet connectivity. Internet connectivity is defined as a service containing a Service Route attribute of 0.0.0.0/0.
If a match is not found and the user is not logged on to a service that has Internet connectivity, the request is forwarded using the normal routing methods specified in the client's Transmission Control Protocol/Internet Protocol (TCP/IP) stack.
The NRP-SSG can be configured to work with a single DNS server, or two servers in a fault-tolerant configuration. Based on an internal algorithm, DNS requests will be switched to the secondary server if the primary server begins to perform poorly or fails.
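The service access order list and the DNS redirection rules above are easier to reason about in code. The following is an added example, not code from Cisco or from this document: it parses Service-Info route (R), DNS server (D) and DNS resolution (O) attributes, builds the per-host access order list, classifies a packet by destination, and picks the DNS server a query is redirected to. Two points the text leaves open are taken as assumptions and marked in the comments: smaller networks are searched before larger ones (so 0.0.0.0/0 is tried last, with the most recently accessed service first among equals), and a domain in the O attribute matches itself and its subdomains. The isp-name.com and overlap.example profiles are constructed; overlap.example deliberately reuses a service1.com route to show why the text warns about overlapping address space.

```python
import ipaddress


class Service:
    """One service profile, built from its Service-Info attributes."""

    def __init__(self, name, attrs):
        self.name = name
        self.routes, self.dns, self.domains = [], [], []
        for a in attrs:
            code, body = a[0], a[1:]
            if code == "R":                     # Service Route: "Rip_address;mask"
                ip, mask = body.split(";")
                self.routes.append(ipaddress.IPv4Network((ip, mask), strict=False))
            elif code == "D":                   # DNS servers: "Dprimary[;secondary]"
                self.dns = body.split(";")
            elif code == "O":                   # DNS Resolution domains: "Oname1[;name2]"
                self.domains = [d.lower().rstrip(".") for d in body.split(";")]
        if not self.routes:
            raise ValueError("service %s has no Service Route attribute" % name)

    @property
    def network_size(self):
        # Host count of the largest route; the text sizes networks by subnet mask.
        return max(n.num_addresses for n in self.routes)

    @property
    def has_internet(self):
        # Internet connectivity is defined as a Service Route of 0.0.0.0/0.
        return any(n.prefixlen == 0 for n in self.routes)


def service_access_order(open_services, last_access):
    """Order the host's open services by network size, ties broken by last access.
    Assumption: smaller networks are searched first and, among equal sizes,
    the most recently accessed service comes first."""
    return sorted(open_services,
                  key=lambda s: (s.network_size, -last_access[s.name]))


def select_service(order, dst_ip):
    """Name of the first open service whose route contains dst_ip, or None when
    the packet is left to normal IOS routing."""
    ip = ipaddress.IPv4Address(dst_ip)
    for svc in order:
        if any(ip in net for net in svc.routes):
            return svc.name
    return None


def dns_redirect_target(order, qname):
    """Service whose DNS server receives the query: domain match first, else the
    first open service with Internet connectivity, else None (forward per the
    client's own resolver settings). Assumption: suffix match on the domain."""
    q = qname.lower().rstrip(".")
    for svc in order:
        if any(q == d or q.endswith("." + d) for d in svc.domains):
            return svc.name
    for svc in order:
        if svc.has_internet:
            return svc.name
    return None


# Constructed profiles: service1.com is taken from this document; the other two
# are hypothetical, and overlap.example reuses service1.com's 192.168.3.0/24 route.
PROFILES = {
    "service1.com": ["R192.168.1.128;255.255.255.192", "R192.168.2.0;255.255.255.192",
                     "R192.168.3.0;255.255.255.0", "D192.168.2.81", "Oservice1.com"],
    "isp-name.com": ["R0.0.0.0;0.0.0.0", "D10.1.1.53;10.1.1.54"],
    "overlap.example": ["R192.168.3.0;255.255.255.0", "D10.9.9.53", "Ooverlap.example"],
}
SERVICES = {name: Service(name, attrs) for name, attrs in PROFILES.items()}

if __name__ == "__main__":
    order = service_access_order([SERVICES["service1.com"], SERVICES["isp-name.com"]],
                                 {"service1.com": 100, "isp-name.com": 200})
    print([s.name for s in order], select_service(order, "192.168.3.7"),
          dns_redirect_target(order, "www.service1.com"))
```

With service1.com and overlap.example both open, a packet for 192.168.3.7 goes to whichever of the two was accessed more recently, which is exactly the misdelivery the text warns about; the fix is to keep Service Route networks as small and as disjoint as possible, or to mark such a service sequential.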
In a dial-up networking or bridged (non-PPP) network environment, a user might disconnect from the NAS and release the IP address without logging out from the NRP-SSG. If this happens, the NRP-SSG will continue to allow traffic to pass from that IP address and this might be a problem if the IP address is obtained by another user.
The NRP-SSG provides two mechanisms to prevent this problem: the Session-Timeout and Idle-Timeout RADIUS attributes.
The Session-Timeout and Idle-Timeout attributes can be used in either a user or service profile. In a user profile, the attribute applies to the user's session. In a service profile, the attribute individually applies to each service connection.
NRP-SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log on to this service while simultaneously connected to other services. Sequential access requires that the user log out of all other services before accessing a service configured for sequential access.
Concurrent access is recommended for most services. Sequential access is ideal for services for which security is important, such as corporate intranet access, or for which there is a possibility of overlapping address space.
The NRP-SSG supports extended high system availability (EHSA) redundancy. You can configure this chassis redundancy at the slot level of the Cisco 6400 for adjacent slot or subslot pairs. For example, if you have NRP-SSGs installed in slots 1 and 2, you can set a preferred device between the two. To ensure that configuration is consistent between redundant NRP-SSGs, you can configure automatic synchronization between the two. You can also manually force the primary and secondary devices in a redundant pair to switch roles. See the Cisco 6400 UAC Software Configuration Guide for more information on EHSA redundancy.
The NRP-SSG works in conjunction with the Cisco SSD. The Cisco SSD is a specialized web server, populated by the service provider, that lists all of the potential networks (or services) a particular customer can access. Customers select and deselect services from a menu through an HTML browser.
For related information on this feature, refer to the following documents:
This feature is supported on these platforms:
None
None
None
If you want to perform Layer 3 service selection, you must install and configure the Cisco Service Selection Dashboard as described in the Cisco Service Selection Dashboard User Guide.
Perform the following tasks to configure the NRP-SSG.
The following tasks are optional:
You must set up user and service RADIUS profiles on the AAA server as described in this section. Service profiles can also be defined locally using the local-profile command. You can optionally set up pseudo-service profiles, also as described in this section.
This section describes RADIUS attributes that can be used to define specific AAA elements in NRP-SSG user profiles, service profiles, and specialized pseudo-service profiles.
For detailed information on the syntax of these attributes, see "NRP-SSG Vendor-Specific Attributes".
RADIUS user profiles contain a password, a list of subscribed services and/or groups, and access control lists.
This section specifies Cisco AVPair attributes that appear within user profiles.
| Attribute | Usage |
|---|---|
| Cisco-AVpair "ip:inacl" | Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user. |
| Cisco-AVpair "ip:outacl" | Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user. |
This section specifies standard and vendor-specific RADIUS attributes that can be used in NRP-SSG user profiles.
| Attribute | Usage |
|---|---|
| Password | Specifies the user's password (check attribute). |
| Session-Timeout | Specifies, in seconds, the maximum length of the user's session (reply attribute). |
| Idle-Timeout | Specifies, in seconds, the maximum time a connection can remain idle (reply attribute). |
| Account-Info "Nname" | Subscribes the user to a service. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service to which the user is subscribed (reply attribute). |
| Account-Info "Gname" | Subscribes the user to a service group. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service group to which the user is subscribed (reply attribute). |
| Account-Info "Aservicename[;username;password]" | Automatically logs a user into a service when the user logs on to the NRP-SSG (reply attribute). |
Service profiles include the password, service type (outbound), type of service (passthrough or proxy), the service access mode (sequential or concurrent), the DNS server IP address, networks that exist in the service domain, access control lists, and other optional attributes.
This section specifies Cisco AVPair attributes that appear within service profiles.
| Attribute | Usage |
|---|---|
| Cisco-AVpair "ip:inacl" | Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user. |
| Cisco-AVpair "ip:outacl" | Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user. |
This section specifies standard RADIUS attributes that can be used in NRP-SSG service profiles.
| Attribute | Usage |
|---|---|
| Password | Specifies the password (check attribute). |
| Service-Type | Specifies the level of service (check attribute). Must be "outbound." |
| Session-Timeout | Specifies, in seconds, the maximum length of the session (reply attribute). |
| Idle-Timeout | Specifies, in seconds, the maximum time a service connection can remain idle (reply attribute). |
This section specifies VSAs that appear within service profiles.
| Attribute | Usage |
|---|---|
| Service-Info "Ttype" | (Optional) Indicates whether the service is proxy (requiring remote authentication) or passthrough (does not require authentication). The default is passthrough. |
| Service-Info "Mmode" | (Optional) Specifies whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential). The default is concurrent. |
| Service-Info "Dip_address_1[;ip_address_2]" | (Optional) Specifies the primary and/or secondary DNS servers for this service. |
| Service-Info "Rip_address;mask" | (Required) Specifies networks that exist for the service. There can be multiple instances of this attribute within a single service profile. |
| Service-Info "SRadius-server-address;auth-port;acct-port;secret-key" | (Required for proxy services) Specifies the remote RADIUS server that the NRP-SSG will use to authenticate and authorize a service log on for a proxy service type. |
| Service-Info "Gkey" | (Optional) Specifies the next hop key for this service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see "Next Hop Gateway Pseudo-Service Profile". |
| Service-Info "Oname1[;name2]...[;nameX]" | (Optional) Specifies domain names that get DNS resolution from the DNS server(s) specified in DNS Server Address. |
| Service-Info "Idescription" | (Optional) Provides a description of the service that is displayed to the user. |
Service group profiles contain a list of services and/or service groups and can be used to create directory structures for locating and logging on to services. When a user is subscribed to a service group, the user automatically is subscribed to all services and groups within that service group. A service group profile includes the password and the service type (outbound) as check attributes and a list of services and/or a list of service groups as reply attributes.
This section specifies vendor-specific attributes that can be used in NRP-SSG service group profiles.
| Attribute | Usage |
|---|---|
| Account-Info "Nname" | Lists services that belong to the service group. There can be multiple instances of this attribute within a single service group profile. Use one attribute for each service (reply attribute). |
| Account-Info "Gname" | Lists the service subgroups that belong to this service group. When configured, the service group and service name attributes can define an organized directory structure for accessing services. There can be multiple instances of this attribute within a service group profile. Use one attribute for each service subgroup that belongs to this service group (reply attribute). |
| Account-Info "Idescription" | Provides a description of the service group (reply attribute). |
| Password | Specifies the password (check attribute). |
| Service-Type | Specifies the level of service (check attribute). Must be "outbound." |
This section describes pseudo-service profiles. Pseudo-service profiles are used to define variable length tables or lists of information in the form of services. There are currently two types of pseudo-service profiles: Transparent Passthrough Filter and Next Hop Gateway. The following sections describe both types.
Transparent passthrough is designed to allow unauthenticated traffic (users or network devices that have not logged in to the NRP-SSG through the Cisco SSD) to be routed through normal IOS processing.
| Attribute | Usage |
|---|---|
| Cisco-AVpair "ip:inacl" | Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user. |
| Cisco-AVpair "ip:outacl" | Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user. |
To define what traffic can pass through, the NRP-SSG downloads the Transparent Passthrough Filter pseudo-service profile. This profile contains a list of access control list (ACL) attributes. Each item contains an IP address or range of IP addresses, a list of port numbers, and specifies whether traffic is allowed or denied.
To create a filter for transparent passthrough, create a profile that contains ACL attributes that define what can and cannot be accessed.
You can also create ACLs locally. For more information, see the ssg pass-through command in the Command Reference section.
Because multiple NRP-SSGs might access services from different networks, each service profile specifies a next hop key, which is any string identifier, rather than an actual IP address. For each NRP-SSG to determine the IP address of the next hop, each NRP-SSG downloads its own next hop gateway table that associates keys with IP addresses.
| Attribute | Usage |
|---|---|
| Next Hop Gateway Entry (Control-Info "Gkey;ip_address") | Associates next hop gateway keys with IP addresses. |
To create a next hop gateway table, create a profile and give it any name. Use the Next Hop Gateway Entry attribute to associate service keys with their IP addresses. When you have finished, repeat this for each NRP-SSG if the next hop IP addresses are different. For an example next hop gateway pseudo-service profile, see "Sample Pseudo-Service Profiles".
For more information, see the ssg next-hop command in the Command Reference section.
The NRP-SSG uses vendor-specific RADIUS attributes. If using the NRP-SSG with Cisco User Control Point (UCP) software, specify settings that allow processing of the NRP-SSG attributes while configuring the CiscoSecure Access Control Server (ACS) component. If using another AAA server, you must customize that server's RADIUS dictionary to incorporate the NRP-SSG vendor-specific attributes.
Table 9 lists vendor-specific attributes used by the NRP-SSG. By sending an Access-Request packet with the vendor-specific attributes shown in the table, the Cisco Service Selection Dashboard (SSD) can send requests to the NRP-SSG to log on and log off an account and disconnect and connect services. The vendor ID for all of the Cisco-specific attributes is 9.
| AttrID | VendorID | SubAttrID | SubAttrName | SubAttrDataType |
|---|---|---|---|---|
| 26 | 9 | 1 | Cisco-AVpair | String |
| 26 | 9 | 250 | Account-Info | String |
| 26 | 9 | 251 | Service-Info | String |
| 26 | 9 | 253 | Control-Info | String |
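The table gives the identifiers but not the wire layout. The following is an added example, not Cisco code and not part of the original page: it encodes and decodes the four NRP-SSG sub-attributes in the standard RADIUS Vendor-Specific layout (attribute type 26, one-octet length, four-octet vendor ID 9, then sub-attribute type, sub-attribute length and value). The decoder checks every length field before slicing, which is the check a RADIUS client or server needs so that a truncated or malformed attribute list raises an error instead of being read past its end; non-Cisco VSAs and standard attributes are skipped rather than misparsed. The sample profile lines are constructed from the service1.com and ACL examples elsewhere on this page.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific attribute type
VENDOR_CISCO = 9                # vendor ID from the table above
# Cisco sub-attribute IDs used by the NRP-SSG (from the table above).
SUBATTR_ID = {"Cisco-AVpair": 1, "Account-Info": 250,
              "Service-Info": 251, "Control-Info": 253}
SUBATTR_NAME = {v: k for k, v in SUBATTR_ID.items()}


def encode_vsa(name, value):
    """Encode one Cisco VSA as: Type(26) Length Vendor-Id(4) Vendor-Type
    Vendor-Length Value. Both length octets cover their own field."""
    data = value.encode("utf-8")
    sub_len = 2 + len(data)
    total = 2 + 4 + sub_len
    # Each length field is one octet, so the value is capped at 247 bytes.
    if total > 255:
        raise ValueError("value too long for a single Vendor-Specific attribute")
    return struct.pack("!BBIBB", ATTR_VENDOR_SPECIFIC, total,
                       VENDOR_CISCO, SUBATTR_ID[name], sub_len) + data


def encode_profile(pairs):
    """Concatenate (name, value) pairs into a RADIUS attribute list."""
    return b"".join(encode_vsa(n, v) for n, v in pairs)


def decode_cisco_vsas(buf):
    """Walk a RADIUS attribute list and return the Cisco VSAs as (name, value).
    Every length is validated before slicing so a truncated or malformed list
    raises ValueError instead of yielding garbage."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("attribute length out of range")
        body = buf[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC:
            continue                        # standard attribute: not our concern here
        if len(body) < 6:
            raise ValueError("Vendor-Specific attribute too short")
        if struct.unpack("!I", body[:4])[0] != VENDOR_CISCO:
            continue                        # another vendor's VSA: skip, do not guess
        # One Vendor-Specific attribute may carry several sub-attributes.
        sub, spos = body[4:], 0
        while spos < len(sub):
            if len(sub) - spos < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("vendor sub-attribute length out of range")
            name = SUBATTR_NAME.get(vtype, "Cisco-%d" % vtype)
            out.append((name, sub[spos + 2:spos + vlen].decode("utf-8")))
            spos += vlen
    return out


# Constructed sample: profile lines taken from this document's examples.
SAMPLE_PROFILE = [
    ("Service-Info", "R192.168.1.128;255.255.255.192"),
    ("Service-Info", "D192.168.2.81"),
    ("Cisco-AVpair", "ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"),
]

if __name__ == "__main__":
    wire = encode_profile(SAMPLE_PROFILE)
    for name, value in decode_cisco_vsas(wire):
        print(name, "=", value)
```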
The following sections describe the format of each subattribute.
The Cisco-AVpair attributes are used in user and service profiles. The Cisco-AVpair attributes are used to configure ACLs.
This attribute specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.
Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list | extended-access-control-list}"

| Syntax element | Description |
|---|---|
| number | Access list identifier. |
| standard-access-control-list | Standard access control list. |
| extended-access-control-list | Extended access control list. |

Cisco-AVpair="ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
This attribute specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.
Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list | extended-access-control-list}"

| Syntax element | Description |
|---|---|
| number | Access list identifier. |
| standard-access-control-list | Standard access control list. |
| extended-access-control-list | Extended access control list. |

Cisco-AVpair="ip:outacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
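To check what a Transparent Passthrough Filter or a per-user ACL built from these Cisco-AVpair lines actually lets through, it helps to evaluate the list against sample packets before pushing it to the AAA server. The following is an added example, not Cisco code and not part of the original page: a small evaluator for the extended-ACL subset used on this page (permit/deny, ip/tcp/udp/icmp, any, host, address plus IOS wildcard mask, numeric eq ports). It assumes that the #number fixes the evaluation order, that the first matching entry decides, and that a list which matches nothing denies, which is the IOS implicit deny. The sample profile is the ssg-filter pseudo-service profile from this document.

```python
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
Entry = namedtuple("Entry", "seq action proto src sport dst dport")

_AVPAIR = re.compile(r"^ip:(inacl|outacl)#(\d+)=(.+)$")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((base, wildcard), rest).
    An IOS wildcard mask marks don't-care bits (1 = ignore), so 'any' is 0/255.255.255.255."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]


def _parse_port(tok):
    """Consume an optional 'eq N' (numeric ports only in this example)."""
    if tok and tok[0] == "eq":
        return int(tok[1]), tok[2:]
    return None, tok


def parse_acl(avpairs, direction="inacl"):
    """Parse ip:inacl#/ip:outacl# AVpairs for one direction into entries
    sorted by #number (assumed to be the evaluation order)."""
    entries = []
    for av in avpairs:
        m = _AVPAIR.match(av.strip())
        if not m or m.group(1) != direction:
            continue
        tok = m.group(3).split()
        action, proto, tok = tok[0], tok[1], tok[2:]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError("unsupported entry: " + av)
        src, tok = _parse_addr(tok)
        sport, tok = _parse_port(tok) if proto in ("tcp", "udp") else (None, tok)
        dst, tok = _parse_addr(tok)
        dport, tok = _parse_port(tok) if proto in ("tcp", "udp") else (None, tok)
        if tok:
            raise ValueError("trailing tokens in entry: " + av)
        entries.append(Entry(int(m.group(2)), action, proto, src, sport, dst, dport))
    return sorted(entries, key=lambda e: e.seq)


def _addr_match(spec, ip):
    base, wild = spec
    return ((ip & ~wild) & 0xFFFFFFFF) == ((base & ~wild) & 0xFFFFFFFF)


def evaluate(entries, pkt):
    """First matching entry decides; a list that matches nothing denies."""
    src, dst = _ip(pkt.src), _ip(pkt.dst)
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_match(e.src, src) and _addr_match(e.dst, dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# The Transparent Passthrough Filter pseudo-service profile from this document.
FILTER_PROFILE = [
    "ip:inacl#3=deny tcp 192.168.1.0 0.0.0.255 any eq 21",
    "ip:inacl#7=permit ip any any",
]
FILTER_ACL = parse_acl(FILTER_PROFILE)

if __name__ == "__main__":
    ftp = Packet("tcp", "192.168.1.77", 40000, "10.0.0.5", 21)
    print(evaluate(FILTER_ACL, ftp))
```

The check worth running on every profile is the shadowing case: a permit ip any any with a lower #number than the deny makes the deny unreachable, and the filter then passes the FTP traffic it was written to block.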
The Account-Info attributes are used in user profiles and service group profiles.
User profiles define the password and services and/or groups to which the user is subscribed.
Service group profiles contain a list of services and/or service groups and can be used to create sophisticated directory structures for locating and logging on to services. When a user is subscribed to a service group, the user is automatically subscribed to all services and groups within that service group. A service group profile includes the name of the service group, the password, the service type (outbound), a list of services and/or a list of other service groups.
The same attribute is written as follows for a freeware RADIUS server and for Cisco UCP or CiscoSecure ACS (vendor ID 9, sub-attribute 250):
Account-Info = "Nservice1.com"
9,250 = "Nservice1.com"
In user profiles, this attribute subscribes the user to the specified service. In service group profiles, this attribute lists services that belong to the service group.
Account-Info = "Nname"

| Syntax element | Description |
|---|---|
| name | Name of the service profile. |

Account-Info = "Ncisco.com"
In user profiles, this attribute subscribes a user to a service group. In service group profiles, this attribute lists the service groups that belong to this service group.
Account-Info = "Gname"

| Syntax element | Description |
|---|---|
| name | Name of the group profile. |

Account-Info = "GServiceGroup1"
This attribute subscribes the user to a service and automatically logs the user on to the service when the user accesses the Cisco SSD. Each user profile can have more than one auto service attribute.
Account-Info = "Aservicename[;username;password]"

| Syntax element | Description |
|---|---|
| servicename | Name of the service. |
| username | Username used to access the service. Required for proxy services. |
| password | Password used to access the service. Required for proxy services. |

Because the service username and password are stored in clear text in the user profile and delivered to the NRP-SSG in the RADIUS reply, protect the user profile and the AAA path as credential material.

Account-Info = "Agamers.net;jdoe;secret"
This attribute provides a description of the service group to the Cisco SSD. If this attribute is omitted, the service group profile name is used.
Account-Info = "Idescription"

| Syntax element | Description |
|---|---|
| description | Description of the service group. |

Account-Info = "ICompany Intranet Access"
The Service-Info attributes are used to define a service. The following attributes define the parameters for a service.
This attribute describes the service. This attribute is optional.
Service-Info = "Idescription"

| Syntax element | Description |
|---|---|
| description | Description of the service. |

Service-Info = "ICompany Intranet Access"
This attribute indicates whether the service is proxy or passthrough. This attribute is optional.
Service-Info = "Ttype"

| Syntax element | Description |
|---|---|
| type | P: Passthrough. The user's packets are forwarded without the service requiring authentication. X: Proxy. Indicates the NRP-SSG performs proxy service. |

Service-Info = "TP"
This attribute defines whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential). The default is concurrent. This attribute is optional.
Service-Info = "Mmode"

| Syntax element | Description |
|---|---|
| mode | S: Sequential mode. C: Concurrent mode. This is the default. |

Service-Info = "MS"
This attribute specifies the primary and secondary DNS servers for this service. If two servers are specified, the NRP-SSG can send DNS requests to the primary DNS server until performance is diminished or it fails (failover). This attribute is optional.
Service-Info = "Dip_address_1[;ip_address_2]"

| Syntax element | Description |
|---|---|
| ip_address_1 | IP address of the primary DNS server. |
| ip_address_2 | (Optional) IP address of the secondary DNS server used for fault tolerance. |

Service-Info = "D192.168.1.2;192.168.1.3"
This attribute specifies networks available to the user for this service. This attribute is required.
Service-Info = "Rip_address;mask"

| Syntax element | Description |
|---|---|
| ip_address | IP address. |
| mask | Subnet mask. |

Use the Service Route attribute to specify networks that exist for a service. For more information, see "Service Access Order".
Service-Info = "R192.168.1.128;255.255.255.192"
This attribute specifies the remote RADIUS server that the NRP-SSG will use to authenticate, authorize, and perform accounting for a service log on for a proxy service type. This attribute is only used in proxy service profiles. This attribute is required for proxy service profiles.
Service-Info = "SRadius-server-address;auth-port;acct-port;secret-key"

| Syntax element | Description |
|---|---|
| Radius-server-address | IP address of the RADIUS server. |
| auth-port | UDP port number for authentication and authorization requests. |
| acct-port | UDP port number for accounting requests. |
| secret-key | Shared secret used between the NRP-SSG and the remote RADIUS server. |

The shared secret is stored in clear text in the service profile and delivered to the NRP-SSG in the RADIUS reply from the AAA server, so the AAA server and that path need the same protection as the secret itself.

Service-Info = "S192.168.1.1;1645;1646;cisco"
This attribute specifies the next hop key for this service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see "Next Hop Gateway Table Entry". This attribute is optional.
Service-Info = "Gkey"

| Syntax element | Description |
|---|---|
| key | Name of the next hop. |

Service-Info = "Gnexthop1"
This attribute specifies domain names that get DNS resolution from the DNS server(s) specified in DNS server address. This attribute is optional.
Service-Info = "Oname1[;name2]...[;nameX]"

| Syntax element | Description |
|---|---|
| name1 | Domain name that gets DNS resolution from this server. |
| name2...nameX | (Optional) Additional domain name(s) that get DNS resolution from this server. |

Use the DNS Resolution attribute to specify domain names that get DNS resolution from this DNS server. For more information, see "Service Access Order".
Service-Info = "Ocisco.com;cisco-sales.com"
This attribute indicates the username provided by the Cisco SSD user to log on to the service and for authentication with the home gateway.
Service-Info = "Uusername"

| Syntax element | Description |
|---|---|
| username | The name provided by the user for authentication. |

Service-Info = "Ujoe@cisco.com"
This attribute defines the name of the service.
Service-Info = "Nname"

| Syntax element | Description |
|---|---|
| name | Name of the service profile or service that belongs to a service group. |

Service-Info = "Nservice1.com"
The Control-Info attributes are used to define lists or tables of information.
Because multiple NRP-SSGs might access services from different networks, each service profile specifies a next hop key rather than an actual IP address. For each NRP-SSG to determine the IP address of the next hop, each NRP-SSG downloads its own next hop gateway table that associates keys with IP addresses. For information on defining next hop keys, see "Service Next Hop Gateway".
Control-Info = "Gkey;ip_address"

| Syntax element | Description |
|---|---|
| key | Service name or key specified in the Service Next Hop Gateway service profile. |
| ip_address | IP address of the next hop for this service. |
Use this attribute to create a next hop gateway table for the selected NRP-SSG.
To define the IP address of the next hop for each service, the NRP-SSG downloads a special service profile that associates the next hop gateway key for each service with an IP address.
To create a next hop gateway table, create a service profile and give it any name. Use this attribute to associate service keys with their IP addresses. When you have finished, repeat this for each NRP-SSG.
For more information, see the ssg next-hop command in the Command Reference section.
Control-Info = "GNHT_for_SSG_1;192.168.1.128"
Current RADIUS standards only support counting up to 32 bits of information with the Acct-Output-Octets attribute. Standards such as ADSL have much higher throughput, so the counter can wrap within a single session.
In order for the accounting server to keep track of and bill for this usage, the NRP-SSG uses the Octets Output attribute.
The Octets Output attribute records how many times the 32-bit integer rolled over and the value of the integer when the stop record was generated, for outbound data.
Control-Info = "Orollover;value"

| Syntax element | Description |
|---|---|
| rollover | Number of times the 32-bit integer rolled over to 0. |
| value | Value in the 32-bit integer when the stop record was generated and the service or user was logged out. |

Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:
rollover * 2^32 + value
In the following example, the rollover is 2 and the value is 153 (2 * 2^32 + 153 = 8589934745):
Control-Info = "O2;153"
Current RADIUS standards only support counting up to 32 bits of information with the Acct-Input-Octets attribute. Standards such as ADSL have much higher throughput, so the counter can wrap within a single session.
In order for the accounting server to keep track of and bill for this usage, the NRP-SSG uses the Octets Input attribute.
The Octets Input attribute records how many times the 32-bit integer rolled over and the value of the integer when the stop record was generated, for inbound data.
Control-Info = "Irollover;value"

| Syntax element | Description |
|---|---|
| rollover | Number of times the 32-bit integer rolled over to 0. |
| value | Value in the 32-bit integer when the stop record was generated and the service or user was logged out. |

Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:
rollover * 2^32 + value
In the following example, the rollover is 3 and the value is 151 (3 * 2^32 + 151 = 12884902039):
Control-Info = "I3;151"
This section provides samples of user profiles and service profiles used with the NRP-SSG.
The following is an example of a user profile. The profile is formatted for use with a freeware RADIUS server:
bert Password = "ernie"
    Session-Timeout = 21600,
    Account-Info = "GServiceGroup1",
    Account-Info = "Nservice1.com",
    Account-Info = "Ngamers.net"
The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:
user = bert {
    radius = SSG {
        check_items = {
            2 = "ernie"
        }
        reply_attributes = {
            27 = 21600
            9,250 = "GServiceGroup1"
            9,250 = "Nservice1.com"
            9,250 = "Ngamers.net"
        }
    }
}
The following is an example of a service group profile. The profile is formatted for use with a freeware RADIUS server:
ServiceGroup1 Password = "cisco", Service-Type = outbound
    Account-Info = "Nservice1.com",
    Account-Info = "Ngamers.net",
    Account-Info = "GServiceGroup3",
    Account-Info = "GServiceGroup4",
    Account-Info = "IStandard User Services"
The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:
user = ServiceGroup1 {
    radius = SSG {
        check_items = {
            2 = "cisco"
            6 = 5
        }
        reply_attributes = {
            9,250 = "Nservice1.com"
            9,250 = "Ngamers.net"
            9,250 = "GServiceGroup3"
            9,250 = "GServiceGroup4"
            9,250 = "IStandard User Services"
        }
    }
}
The following is an example of a service profile. The profile is formatted for use with a freeware RADIUS server:
service1.com Password = "cisco", Service-Type = outbound
    Idle-Timeout = 1800,
    Service-Info = "R192.168.1.128;255.255.255.192",
    Service-Info = "R192.168.2.0;255.255.255.192",
    Service-Info = "R192.168.3.0;255.255.255.0",
    Service-Info = "Gservice1",
    Service-Info = "D192.168.2.81",
    Service-Info = "MC",
    Service-Info = "TP",
    Service-Info = "ICompany Intranet Access",
    Service-Info = "Oservice1.com"
The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:
user = service1.com {
    radius = SSG {
        check_items = {
            2 = "cisco"
            6 = 5
        }
        reply_attributes = {
            28 = 1800
            9,251 = "R192.168.1.128;255.255.255.192"
            9,251 = "R192.168.2.0;255.255.255.192"
            9,251 = "R192.168.3.0;255.255.255.0"
            9,251 = "Gservice1"
            9,251 = "D192.168.2.81"
            9,251 = "MC"
            9,251 = "TP"
            9,251 = "ICompany Intranet Access"
            9,251 = "Oservice1.com"
        }
    }
}
The following is an example of the Transparent Passthrough Filter pseudo-service profile. The profile is formatted for use with a freeware RADIUS server:
ssg-filter Password = "cisco", Service-Type = outbound
    Cisco-AVpair = "ip:inacl#3=deny tcp 192.168.1.0 0.0.0.255 any eq 21",
    Cisco-AVpair = "ip:inacl#7=permit ip any any"
The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:
user = ssg-filter {
    radius = SSG {
        check_items = {
            2 = "cisco"
            6 = 5
        }
        reply_attributes = {
            9,1 = "ip:inacl#3=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
            9,1 = "ip:inacl#7=permit ip any any"
        }
    }
}
The following is an example of the Next Hop Gateway pseudo-service profile. The profile is formatted for use with a freeware RADIUS server:
nht1 Password = "cisco", Service-Type = outbound
    Control-Info = "Gservice3;192.168.103.3",
    Control-Info = "Gservice2;192.168.103.2",
    Control-Info = "Gservice1;192.168.103.1",
    Control-Info = "GLabservices;192.168.4.2",
    Control-Info = "GWorldwide_Gaming;192.168.4.2"
The following is the same profile as above, formatted for Cisco UCP or CiscoSecure ACS for UNIX:
user = nht1 {
    radius = SSG {
        check_items = {
            2 = "cisco"
            6 = 5
        }
        reply_attributes = {
            9,253 = "Gservice3;192.168.103.3"
            9,253 = "Gservice2;192.168.103.2"
            9,253 = "Gservice1;192.168.103.1"
            9,253 = "GLabservices;192.168.4.2"
            9,253 = "GWorldwide_Gaming;192.168.4.2"
        }
    }
}
This section describes events that generate RADIUS accounting records and the attributes associated with the accounting records sent from the NRP-SSG to the accounting server.
When a user logs on, the NRP-SSG sends a RADIUS accounting-request on behalf of the user to the accounting server. The attributes associated with this record are:
Acct-Status-Type = Start
NAS-IP-Address = ip_address
User-Name = "username"
Acct-Session-Id = "session_id"
Framed-IP-Address = user_ip
Proxy-State = "n"

| Placeholder | Description |
|---|---|
| ip_address | IP address of the NRP-SSG. |
| username | Name used to log on to the service provider network. |
| session_id | Session number. |
| user_ip | IP address of the user's system. |
| n | Accounting record queuing information (has no effect on account billing). |
When a user logs off, the NRP-SSG sends a RADIUS accounting-request on behalf of the user to the accounting server. The attributes associated with this record are:
Acct-Status-Type = Stop
NAS-IP-Address = ip_address
User-Name = "username"
Acct-Session-Time = time
Acct-Terminate-Cause = cause
Acct-Session-Id = "session_id"
Framed-IP-Address = user_ip
Proxy-State = "n"
| Value | Description |
|---|---|
| ip_address | IP address of the NRP-SSG. |
| username | Name used to log on to the service provider network. |
| time | Length of the session in seconds. |
| cause | Cause of account termination: User-Request, Session-Timeout, Idle-Timeout, or Lost-Carrier. |
| session_id | Session number. |
| user_ip | IP address of the user's system. |
| n | Accounting record queuing information (has no effect on account billing). |
When a user accesses a service, the NRP-SSG sends a RADIUS accounting-request to the accounting server. The attributes associated with this record are:
NAS-IP-Address = 172.16.6.1
NAS-Port = 0
NAS-Port-Type = Virtual
User-Name = "username"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed
Acct-Session-Id = "00000010"
Framed-Protocol = PPP
Service-Info = "Nisp-name.com"
Service-Info = "Uusername"
Service-Info = "TP"
Acct-Delay-Time = 0
This record is shown with example values. The Service-Info attribute is repeated once per item, each value starting with a one-letter prefix (N, U, T) that identifies the item. The values that vary per session are:
| Value | Description |
|---|---|
| ip_address | IP address of the NRP-SSG (NAS-IP-Address; 172.16.6.1 in the example). |
| username | Name used to log on to the service provider network (User-Name). |
| session_id | Session number (Acct-Session-Id; "00000010" in the example). |
| service | Name of the service profile, carried as Service-Info = "Nservice" ("Nisp-name.com" in the example). |
| hg_username | The username used to authenticate the user with the remote RADIUS server, carried as Service-Info = "Uhg_username". This attribute is used for proxy services. |
| type | Connection type, carried as Service-Info = "Ttype": X for a proxy connection, P for a passthrough connection (usually the Internet). |
| n | Accounting record queuing information, carried in Proxy-State (has no effect on account billing). |
When a user terminates a service, the NRP-SSG sends a RADIUS accounting-request to the accounting server. The attributes associated with this record are:
NAS-IP-Address = 172.16.6.1
NAS-Port = 0
NAS-Port-Type = Virtual
User-Name = "username"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed
Acct-Session-Id = "00000010"
Acct-Terminate-Cause = Lost-Carrier
Acct-Session-Time = 71
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Framed-Protocol = PPP
Control-Info = "I0;0"
Control-Info = "O0;0"
Service-Info = "Nisp-name.com"
Service-Info = "Uusername"
Service-Info = "TP"
Acct-Delay-Time = 0
This record is shown with example values. The values that vary per session are:
| Value | Description |
|---|---|
| ip_address | IP address of the NRP-SSG (NAS-IP-Address). |
| username | Name used to log on to the service provider network (User-Name). |
| in_bytes | Number of inbound bytes (Acct-Input-Octets). |
| out_bytes | Number of outbound bytes (Acct-Output-Octets). |
| time | Length of the session in seconds (Acct-Session-Time). |
| cause | Cause of service termination (Acct-Terminate-Cause): User-Request, Lost-Carrier, Lost-Service, Session-Timeout, or Idle-Timeout. |
| session_id | Session number (Acct-Session-Id). |
| service | Name of the service profile, carried as Service-Info = "Nservice". |
| hg_username | The username used to authenticate the user with the remote RADIUS server, carried as Service-Info = "Uhg_username". This attribute is used for proxy services. |
| type | Connection type, carried as Service-Info = "Ttype": X for a proxy connection, P for a passthrough connection (usually the Internet). |
| n | Accounting record queuing information, carried in Proxy-State (has no effect on account billing). |
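To see how the Start and Stop records above fit together, here is an added Python example (not from the Cisco documentation) that pairs records by Acct-Session-Id, decodes the Service-Info prefixes (N, U, T) and flags the anomalies a billing or security reviewer looks for: a Stop with no Start, a Start with no Stop, and Lost-Carrier terminations. The sample log is constructed from the attribute lists in this section, one attribute per line with a blank line between records; that detail-log layout and the function names are assumptions of the example.

```python
import re

# Constructed sample detail log (one attribute per line, blank line between
# records), built from the Start/Stop attribute lists above. The second
# session deliberately has a Stop record but no Start record.
SAMPLE_LOG = """\
User-Name = "user1"
Acct-Status-Type = Start
Acct-Session-Id = "00000010"
Service-Info = "Nisp-name.com"
Service-Info = "Uuser1"
Service-Info = "TP"

User-Name = "user1"
Acct-Status-Type = Stop
Acct-Session-Id = "00000010"
Acct-Terminate-Cause = Lost-Carrier
Acct-Session-Time = 71
Acct-Input-Octets = 1500
Acct-Output-Octets = 64000
Service-Info = "Nisp-name.com"
Service-Info = "Uuser1"
Service-Info = "TP"

User-Name = "user2"
Acct-Status-Type = Stop
Acct-Session-Id = "00000011"
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 10
Acct-Input-Octets = 10
Acct-Output-Octets = 20
Service-Info = "Ncorp.example"
Service-Info = "Uuser2@corp"
Service-Info = "TX"
"""

_LINE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')
SERVICE_INFO = {"N": "service", "U": "hg_username", "T": "type"}
CONN_TYPE = {"X": "proxy", "P": "passthrough"}


def parse_records(text):
    """Split a detail log into records; repeated attributes become lists."""
    records, rec = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if rec:
                records.append(rec)
            rec = {}
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        rec.setdefault(m.group(1), []).append(m.group(2))
    return records


def service_info(rec):
    """Decode the Service-Info prefixes: N service, U proxy username,
    T connection type (X proxy, P passthrough)."""
    info = {}
    for v in rec.get("Service-Info", []):
        field = SERVICE_INFO.get(v[:1])
        if field is None:
            raise ValueError(f"unknown Service-Info prefix in {v!r}")
        info[field] = CONN_TYPE[v[1:]] if field == "type" else v[1:]
    return info


def reconcile(records):
    """Pair Start and Stop records by Acct-Session-Id; return (sessions,
    problems) where problems lists unmatched records and Lost-Carrier stops."""
    sessions, problems = {}, []
    for rec in records:
        sid = rec["Acct-Session-Id"][0]
        status = rec["Acct-Status-Type"][0]
        s = sessions.setdefault(sid, {"user": rec["User-Name"][0],
                                      "start": False, "stop": False})
        s.update(service_info(rec))
        if status == "Start":
            s["start"] = True
        elif status == "Stop":
            s["stop"] = True
            s["seconds"] = int(rec["Acct-Session-Time"][0])
            s["in_bytes"] = int(rec.get("Acct-Input-Octets", ["0"])[0])
            s["out_bytes"] = int(rec.get("Acct-Output-Octets", ["0"])[0])
            s["cause"] = rec["Acct-Terminate-Cause"][0]
        else:
            problems.append(f"{sid}: unexpected Acct-Status-Type {status}")
    for sid, s in sessions.items():
        if s["stop"] and not s["start"]:
            problems.append(f"{sid}: Stop without matching Start (user {s['user']})")
        if s["start"] and not s["stop"]:
            problems.append(f"{sid}: Start without Stop (still open or record lost)")
        if s.get("cause") == "Lost-Carrier":
            problems.append(f"{sid}: terminated by Lost-Carrier after {s['seconds']} s")
    return sessions, problems


if __name__ == "__main__":
    sessions, problems = reconcile(parse_records(SAMPLE_LOG))
    print(sessions)
    print("\n".join(problems))
```

Only the Stop record carries byte and time counters, so a lost Stop means a session that is never billed; the pairing step makes that visible rather than silently summing whatever arrived.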
| Command | Purpose |
|---|---|
| Router(config)# aaa new-model | Enables AAA. |
| Router(config)# aaa authentication ppp default radius | Specifies RADIUS as the default authentication method for users that log in to serial interfaces using PPP. |
| Router(config)# aaa authorization network default radius | Specifies RADIUS as the default authorization method for all network-related requests. |
| Router(config)# radius-server host {hostname | ip-address} [auth-port UDP-port-number] [acct-port UDP-port-number] | Specifies the RADIUS server host. |
| Router(config)# radius-server key AAAPassword | Sets the RADIUS shared secret between the NRP-SSG and the local AAA server. |
| Router(config)# radius-server vsa send [accounting | authentication] | (Optional) Sends vendor-specific attributes with authentication and accounting requests to the AAA server. The configuration example later in this document enables both. |
| Router(config)# ssg radius-helper key DashboardPassword | Sets the RADIUS shared secret between the NRP-SSG and the Cisco SSD. |
| Router(config)# ssg radius-helper [auth-port UDP-port-number] [acct-port UDP-port-number] | Specifies the UDP ports on which the NRP-SSG exchanges RADIUS authentication and accounting packets with the Cisco SSD. The defaults are 1645 (authentication) and 1646 (accounting). |
| Router(config)# ssg service-password ServicePassword | Sets the password used to authenticate the NRP-SSG with the local AAA server service profiles. This value must match the value configured for the AAA server service profiles. |
Use the show running-config command to verify that security has been configured correctly.
Configure the first IP address or subnet that users will be able to access without authentication. This is the address where the Cisco SSD resides.
| Command | Purpose |
|---|---|
| Router(config)# ssg default-network ip-address mask | Sets the IP address or subnet that users will be able to access without authentication. Typically, this is the address where the Cisco SSD resides. The mask specifies the range of IP addresses that users will be able to access without authentication; keep it as narrow as the deployment allows (the configuration example in this document uses a host mask of 255.255.255.255 for the Cisco SSD address), because every address in the default network is reachable by subscribers before they authenticate. |
Use the show running-config command to verify that the default network has been configured correctly.
If you are going to use PPP to connect subscribers to the NRP-SSG, you do not have to configure any downlink interfaces. If you are using non-PPP connections, such as bridging or LAN, you must configure at least one downlink interface.
| Command | Purpose |
|---|---|
Router(config)# ssg bind direction downlink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface} | Specifies a downlink interface, that is, the interface to the subscribers. |
Configure all interfaces that will be connected to services as uplink interfaces.
| Command | Purpose |
|---|---|
Router(config)# ssg bind direction uplink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface} | Specifies an uplink interface, that is, the interface to the services. |
Use the show ssg direction command to verify that interfaces have been configured correctly.
Every service must be bound to an uplink interface.
| Command | Purpose |
|---|---|
Router(config)# ssg bind service service {ip-address | ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface} | Specifies the interface for a service. |
Router(config)# ssg service-search-order {local | remote | local remote | remote local} | (Optional) Specifies the order in which the NRP-SSG searches for a service profile. The default service search order is local remote, that is, the NRP-SSG searches for service profiles in Flash memory first, then on the RADIUS server. |
Router(config)# ssg next-hop download [profile-name] [profile-password] | (Optional) Downloads the next-hop table from a RADIUS server. |
Router(config)# ssg maxservice number | (Optional) Sets the maximum number of services per user. |
Use the show ssg service command to verify that services have been bound to interfaces correctly. Use the show running-config command to verify that the service search order and maximum services have been configured correctly. Use the show ssg next-hop command to verify all mappings between services and IP addresses.
This task is required if you want to use Layer 2 service selection; otherwise, it is optional. You can configure local service profiles in addition to the service profiles on the remote RADIUS server.
| Command | Purpose |
|---|---|
Router(config)# local-profile profilename | Enters profile configuration mode. Configures a local RADIUS service profile. |
Router(config-prof)# attr radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value | Configures an attribute in a local RADIUS service profile. |
Use the show running-config command to verify that local service profiles have been configured correctly.
This task is optional, and only supported in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC. Enable or disable transparent passthrough by using the appropriate command:
| Command | Purpose |
|---|---|
Router(config)# ssg pass-through [filter {ip-access-list | ip-extended-access-list | access-list-name | download [profile-name [profile-password]]} [downlink | uplink]] | Enables transparent passthrough, allowing unauthenticated traffic to pass through the NRP-SSG. Without a filter, all unauthenticated traffic passes in both directions; an access list, or a filter profile downloaded from the RADIUS server, restricts which passthrough traffic is allowed, and the downlink or uplink keyword specifies the direction in which the filter applies. |
Router(config)# no ssg pass-through [filter {ip-access-list [downlink | uplink] | ip-extended-access-list [downlink | uplink] | access-list-name [downlink | uplink] | download [profile-name [profile-password]] | downlink | uplink}] | Disables transparent passthrough, forcing traffic to be authenticated by the NRP-SSG before passing through it. |
Use the show running-config command to verify that transparent passthrough has been enabled. Use the show ssg pass-through-filter command to verify that the filter for transparent passthrough has been configured correctly.
This task is optional. Perform the following steps on the NSP:
| Command | Purpose |
|---|---|
| Router(config)# redundancy | Selects the redundancy configuration submode. |
| Router(config-r)# associate slot slot [slot] | Associates the NRP slots that form a redundant pair. |
| Router(config-r)# prefer slot | Defines which of the redundant NRPs is the preferred one. |
| Router(config-r)# end | Returns to privileged EXEC mode. |
This task is optional. Perform the following steps on the NRP:
| Command | Purpose |
|---|---|
| Router(config)# redundancy | Selects the redundancy configuration submode. |
| Router(config-r)# main-cpu | Selects the main-cpu configuration submode. |
| Router(config-r-mc)# auto-sync {startup-config | bootvar | config-register | standard} | Synchronizes the configuration between the redundant NRPs: the startup configuration, the boot variables, the configuration register, or (standard) all three. The configuration example later in this document uses auto-sync standard. |
| Router(config-r-mc)# end | Returns to privileged EXEC mode. |
Use the show redundancy command to verify that redundancy has been configured correctly.
RouterA# show redundancy
User EHSA configuration (by CLI config):
  slave-console = off
  keepalive = off
  config-sync modes:
    standard = on
    start-up = on
    boot-var = on
    config-reg = on
NSP EHSA configuration (via pam-mbox):
  redundancy = off
  preferred (slot 6) = no
Debug EHSA Information:
  NRP specific information:
    Backplane resets = 0
    NSP mastership changes = 0
  print_pambox_config_buff: pmb_configG values:
    valid = 1
    magic = 0xEBDDBE1 (expected 0xEBDDBE1)
    nmacaddrs = 1
    run_redundant = 0x0
    preferred_master = 0x0
    macaddr[0][0] = 0010.7bb9.ca43
    macaddr[1][0] = 0000.0000.0000
  EHSA pins:
    peer present = 1
    peer state = SANTA_EHSA_SECONDARY
  crash status:
    this-nrp=NO_CRASH(1)
    peer-nrp=NO_CRASH(1)
  EHSA related MAC addresses:
    peer bpe mac-addr = 0010.7bb9.ca47
    my bpe mac-addr = 0010.7bb9.ca43
This task is optional. Fastswitching is enabled by default.
| Command | Purpose |
|---|---|
Router(config)# ssg fastswitch | Enables fastswitching. |
Router(config)# no ssg fastswitch | Disables fastswitching. |
Use the show running-config command to verify that fastswitching has been enabled. Because fastswitching is enabled by default, it will not be displayed in the running configuration. If fastswitching has been disabled, the following line will appear in the output of the show running-config command:
no ssg fastswitch
This task is optional. Multicast is disabled by default.
| Command | Purpose |
|---|---|
Router(config)# ssg multicast | Enables multicast. When multicast is enabled, the NRP-SSG forwards multicast packets (both ordinary multicast data and IGMP packets) that arrive on an uplink or downlink interface, or on an interface that has a service bound to it, to the IOS routing engine. |
Router(config)# no ssg multicast | Disables multicast. When multicast is disabled, multicast packets that arrive on an uplink or downlink interface, or on an interface that has a service bound to it, are dropped. |
Use the show running-config command to verify that multicast has been enabled. If multicast is disabled, which is the default, it will not be displayed in the running configuration. If multicast is enabled, the following line will appear in the output of the show running-config command:
ssg multicast
You can perform the following verification tasks after completing all configuration tasks described above. The commands in the following table verify that the NRP-SSG, Cisco SSD, and RADIUS server have been configured to work together correctly and that transparent passthrough has been configured correctly. To verify that redundancy has been configured correctly, use the show redundancy command described in the redundancy task above.
| Command | Purpose |
|---|---|
Router# show ssg connection ip-address service-name | Displays the connections of a given host and service name. |
Router# clear ssg connection ip-address service-name | Removes the connections of a given host and service name. |
Router# show ssg pass-through-filter | Displays the downloaded filter for transparent passthrough. |
Router# clear ssg pass-through-filter | Removes the downloaded filter for transparent passthrough. To remove the filter from NVRAM, use the no form of the ssg pass-through command. |
Router# show ssg host [ip-address] [username] | Displays the information about a subscriber and the current connections of the subscriber. |
Router# clear ssg host ip-address | Removes a given host or subscriber. |
Router# show ssg direction | Displays the direction of all interfaces for which a direction has been specified. |
Router# show ssg next-hop | Displays the next-hop table. |
Router# clear ssg next-hop | Removes the next-hop table. To remove the next-hop table from NVRAM, use the no form of the ssg next-hop command. |
Router# show ssg binding | Displays service names that have been bound to interfaces and the interfaces to which they have been bound. |
Router# show ssg service service-name | Displays the information for a service. |
Router# clear ssg service service-name | Removes a service. |
The configuration examples in this section support the network topology shown in Figure 2.
aaa new-model
aaa authentication ppp default radius
aaa authorization network default radius
ssg service-password cisco
ssg radius-helper auth-port 1645 acct-port 1646
ssg radius-helper key cisco
radius-server host 192.168.100.28 auth-port 1645 acct-port 1646
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
ssg default-network 192.168.100.24 255.255.255.255
ssg bind direction uplink ATM0/0/0.1
ssg bind direction uplink ATM0/0/0.2
ssg bind direction uplink ATM0/0/0.3
ssg bind direction downlink BVI1
ssg bind service Labservices 192.168.123.1
ssg bind service Worldwide_Gaming 192.168.113.1
ssg bind service ACME_ISP 192.168.103.1
ssg next-hop download nht1 cisco
ssg maxservice 10
The following is an example service profile as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX and UCP.
user = ACME_ISP{
profile_id = 2026
profile_cycle = 12
member = ServicesGroup
radius=6510-SSG-v1.1a {
check_items= {
2=cisco
6=5
}
reply_attributes= {
9,251="R192.168.250.0;255.255.255.0"
9,251="TX"
9,251="S192.168.250.11;1645;1646;cisco"
}
}
}
ssg service-search-order local remote
ssg next-hop download nht1 cisco
The following is an example next-hop table as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX and UCP.
user = nht1{
radius= SSG {
check_items= {
2=cisco
6=5
}
reply_attributes= {
9,253="GACME_ISP;192.168.103.1"
9,253="GLabservices;192.168.123.1"
9,253="GWorldwide_Gaming;192.168.113.1"
}
}
}
ssg maxservice 10
local-profile Labservices
 attr 26 9 251 "R192.168.123.1;255.255.255.0"
 attr 26 9 251 "S192.168.252.11;1645;1646;cisco"
 attr 26 9 251 "OAnyProxyService.Com"
 attr 26 9 251 "TX"
 attr 2 "cisco"
 attr 6 5
ssg pass-through filter download tptfilter1 cisco
The following is an example transparent passthrough filter as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX and UCP.
user = tptfilter1{
radius= SSG {
check_items= {
2=cisco
6=5
}
reply_attributes= {
9,1="ip:inacl#2=deny tcp 172.16.4.0 0.0.0.255 192.168.250.0 0.0.0.255 eq 23"
9,1="ip:inacl#5=permit ip any any"
9,1="ip:inacl#1=permit tcp any any established"
}
}
}
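The three inacl entries above are listed out of order on the RADIUS server but take effect by sequence number: entry 1 permits established TCP, entry 2 denies Telnet from 172.16.4.0/24 to 192.168.250.0/24, and entry 5 permits everything else. The following Python script is an added example, not part of the Cisco documentation: it parses such Cisco-AVpair entries, sorts them by sequence number and evaluates sample flows against them, including the implicit deny at the end of every extended IP access list. It handles only the access-list forms that appear on this page (ip or tcp, any or address plus wildcard, eq port, established); the function names are the example's own.

```python
import ipaddress
import re

# The tptfilter1 reply attributes from the text, in the order the RADIUS
# server lists them (deliberately not sorted).
TPT_FILTER = [
    "ip:inacl#2=deny tcp 172.16.4.0 0.0.0.255 192.168.250.0 0.0.0.255 eq 23",
    "ip:inacl#5=permit ip any any",
    "ip:inacl#1=permit tcp any any established",
]

_ENTRY = re.compile(r"^ip:inacl#(\d+)=(.+)$")
PORT_NAMES = {"telnet": 23, "ftp": 21}   # port names as IOS prints them


def _address_matcher(tokens):
    """Consume 'any' or '<address> <wildcard>' and return a predicate.
    Wildcard bits set to 1 are "don't care"; the other bits must match."""
    if tokens[0] == "any":
        tokens.pop(0)
        return lambda ip: True
    base = int(ipaddress.IPv4Address(tokens.pop(0)))
    mask = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF
    return lambda ip: (int(ipaddress.IPv4Address(ip)) & mask) == (base & mask)


def parse_acl(avpairs):
    """Return the entries sorted by sequence number as tuples of
    (seq, action, proto, src_match, dst_match, dst_port, established)."""
    aces = []
    for av in avpairs:
        m = _ENTRY.match(av)
        if not m:
            raise ValueError(f"not an inbound ACL entry: {av!r}")
        seq, tok = int(m.group(1)), m.group(2).split()
        action, proto = tok.pop(0), tok.pop(0)
        if action not in ("permit", "deny") or proto not in ("ip", "tcp"):
            raise ValueError(f"unsupported entry: {av!r}")
        src, dst = _address_matcher(tok), _address_matcher(tok)
        port = None
        if tok and tok[0] == "eq":
            tok.pop(0)
            name = tok.pop(0)
            port = int(PORT_NAMES.get(name, name))
        established = False
        if tok and tok[0] == "established":
            tok.pop(0)
            established = True
        if tok:
            raise ValueError(f"unexpected tokens {tok} in {av!r}")
        aces.append((seq, action, proto, src, dst, port, established))
    return sorted(aces, key=lambda a: a[0])


def evaluate(aces, proto, src_ip, dst_ip, dst_port=None, established=False):
    """Return (action, seq) of the first matching entry, or ("deny", None)
    for the implicit deny that ends every extended IP access list."""
    for seq, action, ace_proto, src, dst, port, est in aces:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if not (src(src_ip) and dst(dst_ip)):
            continue
        if port is not None and port != dst_port:
            continue
        if est and not established:
            continue
        return action, seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(TPT_FILTER)
    # A new Telnet connection from the subscriber subnet is denied by entry 2...
    print(evaluate(acl, "tcp", "172.16.4.5", "192.168.250.9", 23))
    # ...but packets of an established TCP session are permitted by entry 1.
    print(evaluate(acl, "tcp", "172.16.4.5", "192.168.250.9", 23, established=True))
```

The established check is the point worth noticing: because entry 1 sorts first, a TCP segment with ACK set from the same subnet to the same Telnet port is permitted before the deny is ever consulted, which is the intended behaviour for return traffic but also the reason an inbound filter of this shape does not stop a peer that sends ACK-flagged probes.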
redundancy
 main-cpu
  auto-sync standard
 no secondary console enable
There will be nothing in the running configuration for fastswitching when it is enabled.
ssg multicast
This section documents new commands associated with the NRP-SSG. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.
To configure an attribute in a local RADIUS service profile, use the attr profile configuration command. Use the no form of this command to delete an attribute from a service profile.
attr radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value
radius-attribute-id | RADIUS attribute ID to be configured. |
vendor-id | (Optional) Vendor ID. Required if the RADIUS attribute ID is 26, indicating a vendor-specific attribute. Cisco's vendor ID is 9. |
cisco-vsa-type | (Optional) Cisco vendor-specific attribute (VSA) type. Required if the vendor ID is 9, indicating a Cisco VSA. |
attribute-value | Attribute value. |
No default behavior or values.
Profile configuration
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
Use this command to configure attributes in local RADIUS service profiles.
The following example configures the Cisco-Avpair upstream access control list attribute in the RADIUS profile, cisco.com:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# local-profile cisco.com
routerA(config-prof)# attr 26 9 1 "ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
The following example deletes the Session-Timeout attribute in the RADIUS profile, cisco.com:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# local-profile cisco.com
routerA(config-prof)# no attr 27 600
| Command | Description |
|---|---|
| local-profile | Configures a local RADIUS service profile and enters profile configuration mode. |
To remove the connections of a given host and a service name, use the clear ssg connection privileged EXEC command.
clear ssg connection ip-address service-name
ip-address | IP address of an active SSG connection. |
service-name | Name of an active SSG connection. |
No default behavior or values.
Privileged EXEC
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
Use this command to remove the connections for a given host and service name.
The following example removes the service connection for Perftest to host 192.168.1.1:
RouterA# clear ssg connection 192.168.1.1 Perftest
| Command | Description |
|---|---|
| show ssg connection | Displays the connections of a given host and a service name. |
To remove or disable a given host or subscriber, use the clear ssg host privileged EXEC command.
clear ssg host ip-address
ip-address | IP address of the host or subscriber. |
No default behavior or values.
Privileged EXEC
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
Use this command to remove a host's connection from the NRP-SSG.
The following example removes the connection for host 192.168.1.1:
RouterA# clear ssg host 192.168.1.1
| Command | Description |
|---|---|
| show ssg host | Displays the information about a subscriber and current connections of the subscriber. |
To remove the next-hop table, use the clear ssg next-hop privileged EXEC command.
clear ssg next-hop
This command has no arguments or keywords.
No default behavior or values.
Privileged EXEC
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
If you use this command to clear the next-hop table, nothing will be displayed when you use the show ssg next-hop command. However, the next-hop table will still appear in the running configuration. To remove the next-hop table from the running configuration, use the no form of the ssg next-hop command.
The following example removes the next-hop table:
RouterA# clear ssg next-hop
| Command | Description |
|---|---|
| ssg next-hop download | Downloads the next-hop table from a RADIUS server. |
| show ssg next-hop | Displays the next-hop table. |
To remove the downloaded filter for transparent passthrough, use the clear ssg pass-through-filter privileged EXEC command.
clear ssg pass-through-filter
This command has no arguments or keywords.
No default behavior or values.
Privileged EXEC
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
Removing the filter allows unauthenticated traffic to pass through the NRP-SSG in either direction without modification. If you use this command to clear the downloaded transparent passthrough filter, nothing will be displayed when you use the show ssg pass-through-filter command. However, the transparent passthrough filter will still appear in the running configuration. To remove the transparent passthrough filter from the running configuration, use the no form of the ssg pass-through command.
The following example removes the downloaded transparent passthrough filter:
RouterA# clear ssg pass-through-filter
| Command | Description |
|---|---|
| ssg pass-through | Enables transparent passthrough. |
| show ssg pass-through-filter | Displays the downloaded filter for transparent passthrough. |
To remove a service, use the clear ssg service privileged EXEC command.
clear ssg service service-name
service-name | Name of an active SSG service. |
No default behavior or values.
Privileged EXEC
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
Use this command to remove services.
The following example removes the Perftest service:
RouterA# clear ssg service Perftest
| Command | Description |
|---|---|
| ssg bind service | Specifies the interface for a service. |
| show ssg binding | Displays service names that have been bound to interfaces and the interfaces to which they have been bound. |
| show ssg service | Displays the information for a service. |
To configure a local RADIUS service profile and enter profile configuration mode, use the local-profile global configuration command. Use the no form of this command to delete the local service profile.
local-profile profilename
profilename | Name of profile to be configured. |
No default behavior or values.
Global configuration
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
Use this command to configure local RADIUS service profiles.
The following example configures the RADIUS profile called cisco.com, and enters profile configuration mode:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# local-profile cisco.com
routerA(config-prof)#
| Command | Description |
|---|---|
| attr | Configures an attribute in a local RADIUS profile. |
| ssg service-search-order | Specifies the order in which the NRP-SSG searches for a service profile. |
To display service names that have been bound to interfaces and the IP addresses to which they have been bound, use the show ssg binding privileged EXEC command.
show ssg binding [| {begin expression | exclude expression | include expression}]
begin | (Optional) Begin with the line that contains expression. |
exclude | (Optional) Exclude lines that contain expression. |
include | (Optional) Include lines that contain expression. |
expression | (Optional) Word or phrase used to determine what lines will be shown. |
No default behavior or values.
Privileged EXEC
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
Use this command to display services and the interfaces to which they have been bound.
The following example displays all service names that have been bound to interfaces:
RouterA# show ssg binding
WhipitNet -> 192.168.1.1 (NHT)
Service1.com -> 192.168.1.2 (NHT)
Service2.com -> 192.168.1.3 (NHT)
Service3.com -> 192.168.1.4 (NHT)
GoodNet -> 192.168.2.1
Perftest -> 192.168.1.6
| Command | Description |
|---|---|
| ssg bind service | Specifies the interface for a service. |
| show ssg service | Displays the information for a service. |
| clear ssg service | Removes a service. |
To display the connections of a given host and a service name, use the show ssg connection privileged EXEC command.
show ssg connection ip-address service-name [| {begin expression | exclude expression | include expression}]
ip-address | IP address of an active SSG connection. This is always a subscribed host. |
service-name | The name of an active SSG connection. |
begin | (Optional) Begin with the line that contains expression. |
exclude | (Optional) Exclude lines that contain expression. |
include | (Optional) Include lines that contain expression. |
expression | (Optional) Word or phrase used to determine what lines will be shown. |
No default behavior or values.
Privileged EXEC
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
Use this command to display information about the connections for a given host and service name.
The following example shows the service connection for the Perftest service to host 192.168.1.1:
RouterA# show ssg connection 192.168.1.1 Perftest
------------------------ ConnectionObject Content -----------------------
User Name:
User Password:
Owner Host: 192.168.1.1
Associated Service: Perftest
Connection State: 0
Connection Started since:
*11:08:15.000 PST Mon Jan 25 1999
Connection Traffic Statistics:
Input Bytes = 0 (HI = 0), Input packets = 0
Output Bytes = 0 (HI = 0), Output packets = 0
| Command | Description |
|---|---|
| clear ssg connection | Removes the connections of a given host and a service name. |
To display the direction of all interfaces for which a direction has been specified, use the show ssg direction privileged EXEC command.
show ssg direction [| {begin expression | exclude expression | include expression}]
begin | (Optional) Begin with the line that contains expression. |
exclude | (Optional) Exclude lines that contain expression. |
include | (Optional) Include lines that contain expression. |
expression | (Optional) Word or phrase used to determine what lines will be shown. |
No default behavior or values.
Privileged EXEC
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
Use this command to display all interfaces that have been specified as uplinks or downlinks.
The following example displays the direction of all interfaces that have been specified as uplinks or downlinks.
RouterA# show ssg direction
ATM0/0/0.10: Uplink
BVI1: Downlink
FastEthernet0/0/0: Uplink
| Command | Description |
|---|---|
| ssg bind direction | Specifies an interface as a downlink or uplink interface. |
To display the information about a subscriber and current connections of the subscriber, use the show ssg host privileged EXEC command.
show ssg host [ip-address | username] [| {begin expression | exclude expression | include expression}]
ip-address | (Optional) IP address of the host. |
username | (Optional) Display the usernames logged into the active hosts. |
begin | (Optional) Begin with the line that contains expression. |
exclude | (Optional) Exclude lines that contain expression. |
include | (Optional) Include lines that contain expression. |
expression | (Optional) Word or phrase used to determine what lines will be shown. |
If no arguments are provided, all active hosts are displayed.
Privileged EXEC
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
Use this command to display information about host objects.
The following example displays all active hosts:
RouterA# show ssg host
1:172.16.4.3
2:172.16.4.21
3:172.16.61.1
### Active HostObject Count:3
The following example displays all active hosts whose IP addresses begin with 172.16.6:
RouterA# show ssg host | begin 172.16.6
3:172.16.61.1
### Active HostObject Count:3
The following example displays the usernames logged in to the active hosts:
RouterA# show ssg host username
1: 172.16.2.11 (active) Host name: user1
### Total HostObject Count(including inactive hosts): 1
The following example displays information about host 172.16.6.112:
RouterA# show ssg host 172.16.6.112
------------------------ HostObject Content -----------------------
Activated:TRUE
IDB:1625316924
User Name:user1
Host IP:172.16.6.112
Msg IP:0.0.0.0 (0)
Host DNS IP:0.0.0.0
Maximum Session Timeout:0 seconds
Host Idle Timeout:0 seconds
Class Attr:NONE
User logged on since:*06:34:42.000 pst Mon May 3 1999
User last activity at:*06:34:47.000 pst Mon May 3 1999
Default Service:NONE
DNS Default Service:NONE
Active Services:isp-2; isp-name.com; isp-1;
AutoService:isp-1; isp-2;
Subscribed Services:isp-2; isp-3; isp-1; isp-4; isp-5;
| Command | Description |
|---|---|
| clear ssg host | Removes or disables a given host or subscriber. |
To display the next-hop table, use the show ssg next-hop privileged EXEC command.
show ssg next-hop [| {begin expression | exclude expression | include expression}]
begin | (Optional) Begin with the line that contains expression. |
exclude | (Optional) Exclude lines that contain expression. |
include | (Optional) Include lines that contain expression. |
expression | (Optional) Word or phrase used to determine what lines will be shown. |
No default behavior or values.
Privileged EXEC
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
Use this command to display all next-hop IP addresses.
The following example displays the next-hop table:
RouterA# show ssg next-hop
Next hop table loaded from profile prof-nhg:
WhipitNet -> 192.168.1.6
Service1.com -> 192.168.1.3
Service2.com -> 192.168.1.2
Service3.com -> 192.168.1.1
GoodNet -> 192.168.1.2
Perftest -> 192.168.1.5
End of next hop table.
| Command | Description |
|---|---|
| ssg next-hop download | Downloads the next-hop table from a RADIUS server. |
| clear ssg next-hop | Removes the next-hop table. |
To display the downloaded filter for transparent passthrough, use the show ssg pass-through-filter privileged EXEC command.
show ssg pass-through-filter [| {begin expression | exclude expression | include expression}]
begin | (Optional) Begin with the line that contains expression. |
exclude | (Optional) Exclude lines that contain expression. |
include | (Optional) Include lines that contain expression. |
expression | (Optional) Word or phrase used to determine what lines will be shown. |
No default behavior or values.
Privileged EXEC
| Release | Modification |
|---|---|
12.0(3)DC | This command was first introduced. |
Use this command to display the downloaded transparent passthrough filter. The filter prevents passthrough traffic from reaching the specified IP address and subnet mask combinations. The filter is set using the ssg pass-through command. Note that the output includes the password of the filter profile in cleartext, as the example below shows, so treat captured output of this command as sensitive.
To display a filter defined on the command line, use the show running-config command.
The following example displays the passthrough filter:
RouterA# show ssg pass-through-filter
Service name: filter01
Password: cisco
Direction: Uplink
Extended IP access list (SSG ACL)
permit tcp 172.16.6.0 0.0.0.255 any eq telnet
permit tcp 172.16.6.0 0.0.0.255 192.168.250.0 0.0.0.255 eq ftp
| Command | Description |
|---|---|
| ssg pass-through | Enables transparent passthrough. |
| clear ssg pass-through-filter | Removes the downloaded filter for transparent passthrough. |
To display the information for a service, use the show ssg service privileged EXEC command.
show ssg service [service-name [| {begin expression | exclude expression | include expression}]]
| Keyword/Argument | Description |
|---|---|
| service-name | (Optional) Name of an active SSG service. |
| begin | (Optional) Begin with the line that contains expression. |
| exclude | (Optional) Exclude lines that contain expression. |
| include | (Optional) Include lines that contain expression. |
| expression | (Optional) Word or phrase used to determine what lines will be shown. |
If no service name is provided, the command displays information for all services.
Privileged EXEC
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
Use this command to display connection information for a service.
The following example displays the information for the service called isp-name.com:
RouterA# show ssg service isp-name.com
------------------------ ServiceInfo Content -----------------------
Name:isp-name.com
Type:PASS-THROUGH
Mode:CONCURRENT
Service Session Timeout:0 seconds
Service Idle Timeout:0 seconds
Class Attr:NONE
Authentication Type:CHAP
Max Connections Allowed:10
Reference Count:1
DNS Server(s):Primary:192.168.250.11
Included Network Segments:
192.168.250.0/255.255.255.0
Excluded Network Segments:
Domain List:isp-name.com;
Active Connections:
1 :Virtual=172.16.6.112, Subscriber=172.16.6.112
------------------------ End of ServiceInfo Content ----------------
| Command | Description |
|---|---|
| ssg bind service | Specifies the interface for a service. |
| show ssg binding | Displays service names that have been bound to interfaces and the interfaces to which they have been bound. |
| clear ssg service | Removes a service. |
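Transparent passthrough forwards traffic from subscribers who have not yet authenticated, so the downloaded filter deserves a review against what it can reach. The following script is an added example and is not part of the Cisco document: it parses the show ssg pass-through-filter and show ssg service output in the form shown above, then reports every permit entry whose destination overlaps a service's Included Network Segments or the SSG default network (assumed here to be 192.168.1.2/32, from the ssg default-network example). The sample output embedded in the script is constructed from the document's examples; the parsing of IOS wildcard masks and the overlap logic are the example's own.

```python
"""Added example (not from the Cisco document): audit a transparent-passthrough
filter against a service definition.

Any 'permit' in the downloaded filter whose destination overlaps a service's
Included Network Segments, or the SSG default network where the Cisco SSD lives,
lets unauthenticated hosts reach those addresses directly. This script parses
the text of 'show ssg pass-through-filter' and 'show ssg service' and reports
such entries.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, copied from the document's example output.
PASS_THROUGH_FILTER = """\
Service name: filter01
Password: cisco
Direction: Uplink
Extended IP access list (SSG ACL)
    permit tcp 172.16.6.0 0.0.0.255 any eq telnet
    permit tcp 172.16.6.0 0.0.0.255 192.168.250.0 0.0.0.255 eq ftp
"""

SERVICE_INFO = """\
Name:isp-name.com
Type:PASS-THROUGH
Included Network Segments:
    192.168.250.0/255.255.255.0
Excluded Network Segments:
Domain List:isp-name.com;
"""

# Assumption: default network as in the 'ssg default-network 192.168.1.2 255.255.255.255' example.
DEFAULT_NETWORK = ipaddress.IPv4Network("192.168.1.2/32")

PORT_OPS = ("eq", "gt", "lt", "neq", "range")
SEGMENT_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)\s*$")


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]  # destination port test, e.g. 'eq telnet'


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair to a network.

    Wildcard bits set to 1 are 'don't care', so the netmask is the complement.
    A non-contiguous wildcard (e.g. 0.0.255.0) has no CIDR form; ipaddress raises.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_address(tokens, i):
    """Consume one ACL address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def _skip_port(tokens, i):
    """Consume an optional port test ('eq 23', 'range 20 21'); return its text."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = 3 if tokens[i] == "range" else 2
        return " ".join(tokens[i:i + n]), i + n
    return None, i


def parse_ssg_acl(text: str) -> list:
    """Parse the permit/deny lines of the SSG ACL shown by 'show ssg pass-through-filter'."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        src, i = _take_address(tokens, 2)
        _, i = _skip_port(tokens, i)        # optional source-port test
        dst, i = _take_address(tokens, i)
        port, _ = _skip_port(tokens, i)     # optional destination-port test
        entries.append(AclEntry(tokens[0], tokens[1], src, dst, port))
    return entries


def parse_service_segments(text: str) -> dict:
    """Collect Included/Excluded Network Segments from 'show ssg service' output."""
    segments = {"included": [], "excluded": []}
    current = None
    for line in text.splitlines():
        if line.startswith("Included Network Segments:"):
            current = "included"
        elif line.startswith("Excluded Network Segments:"):
            current = "excluded"
        elif current is not None:
            m = SEGMENT_RE.match(line)
            if m:
                segments[current].append(
                    ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False))
            elif line.strip():
                current = None          # any other field ends the segment list
    return segments


def audit_passthrough(acl, segments, default_network) -> list:
    """Return (acl_index, target_label, network) for each permit whose destination
    overlaps protected address space; a destination lying wholly inside one of the
    service's Excluded Network Segments is not reported against that service."""
    targets = [("default-network", default_network)]
    targets += [("service", seg) for seg in segments["included"]]
    findings = []
    for idx, entry in enumerate(acl):
        if entry.action != "permit":
            continue
        for label, net in targets:
            if not entry.dst.overlaps(net):
                continue
            if label == "service" and any(entry.dst.subnet_of(x) for x in segments["excluded"]):
                continue
            findings.append((idx, label, str(net)))
    return findings


def run_audit() -> list:
    acl = parse_ssg_acl(PASS_THROUGH_FILTER)
    segs = parse_service_segments(SERVICE_INFO)
    return audit_passthrough(acl, segs, DEFAULT_NETWORK)


if __name__ == "__main__":
    for idx, label, net in run_audit():
        print(f"ACL entry {idx}: unauthenticated passthrough can reach {label} {net}")
```

On the document's own sample the telnet entry (destination any) is flagged against both the default network and the service segment, and the ftp entry is flagged against the service segment 192.168.250.0/24; whether that is acceptable depends on whether those hosts are meant to be reachable before logon, which is exactly the question the filter's owner should answer.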
To specify an interface as a downlink or uplink interface, use the ssg bind direction global configuration command. Use the no form of this command to disable the directional specification for the interface.
ssg bind direction downlink | uplink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
| Keyword/Argument | Description |
|---|---|
| downlink | Specify interface direction as downlink. |
| uplink | Specify interface direction as uplink. |
| ATM | Indicates the interface is ATM. |
| atm-interface | ATM interface. |
| Async | Indicates the interface is Async. |
| async-interface | Async interface. |
| BVI | Indicates the interface is BVI. |
| bvi-interface | Bridge-Group Virtual Interface. |
| Dialer | Indicates the interface is Dialer. |
| dialer-interface | Dialer interface. |
| Ethernet | Indicates the interface is Ethernet. |
| ethernet-interface | IEEE 802.3. |
| FastEthernet | Indicates the interface is FastEthernet. |
| fastethernet-interface | FastEthernet IEEE 802.3. |
| Group-Async | Indicates the interface is Group Async. |
| group-async-interface | Group async interface. |
| Lex | Indicates the interface is Lex. |
| lex-interface | Lex interface. |
| Loopback | Indicates the interface is Loopback. |
| loopback-interface | Loopback interface. |
| Multilink | Indicates the interface is Multilink. |
| multilink-interface | Multilink interface. |
| Null | Indicates the interface is Null. |
| null-interface | Null interface. |
| Port-channel | Indicates the interface is Port Channel. |
| port-channel-interface | Port channel interface. |
| Tunnel | Indicates the interface is Tunnel. |
| tunnel-interface | Tunnel interface. |
| Virtual-Access | Indicates the interface is Virtual Access. |
| virtual-access-interface | Virtual access interface. |
| Virtual-Template | Indicates the interface is Virtual Template. |
| virtual-template-interface | Virtual template interface. |
| Virtual-TokenRing | Indicates the interface is Virtual Token Ring. |
| virtual-tokenring-interface | Virtual token ring interface. |
All interfaces are configured as uplink interfaces by default.
Global configuration
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
Use this command to specify an interface as downlink or uplink. An uplink interface is an interface to services; a downlink interface is an interface to subscribers.
The following example specifies an ATM interface as a downlink interface:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg bind direction downlink ATM 0/0/0.10
| Command | Description |
|---|---|
| show ssg binding | Displays service names that have been bound to interfaces and the interfaces to which they have been bound. |
To specify the interface for a service, use the ssg bind service global configuration command. Use the no form of this command to unbind the service and the interface.
ssg bind service service-name {ip-address | ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
| Keyword/Argument | Description |
|---|---|
| service-name | Service name. |
| ip-address | IP address of the next hop router. |
| ATM | Indicates the interface is ATM. |
| atm-interface | ATM interface. |
| Async | Indicates the interface is Async. |
| async-interface | Async interface. |
| BVI | Indicates the interface is BVI. |
| bvi-interface | Bridge-Group Virtual Interface. |
| Dialer | Indicates the interface is Dialer. |
| dialer-interface | Dialer interface. |
| Ethernet | Indicates the interface is Ethernet. |
| ethernet-interface | IEEE 802.3. |
| FastEthernet | Indicates the interface is FastEthernet. |
| fastethernet-interface | FastEthernet IEEE 802.3. |
| Group-Async | Indicates the interface is Group Async. |
| group-async-interface | Group async interface. |
| Lex | Indicates the interface is Lex. |
| lex-interface | Lex interface. |
| Loopback | Indicates the interface is Loopback. |
| loopback-interface | Loopback interface. |
| Multilink | Indicates the interface is Multilink. |
| multilink-interface | Multilink interface. |
| Null | Indicates the interface is Null. |
| null-interface | Null interface. |
| Port-channel | Indicates the interface is Port Channel. |
| port-channel-interface | Port channel interface. |
| Tunnel | Indicates the interface is Tunnel. |
| tunnel-interface | Tunnel interface. |
| Virtual-Access | Indicates the interface is Virtual Access. |
| virtual-access-interface | Virtual access interface. |
| Virtual-Template | Indicates the interface is Virtual Template. |
| virtual-template-interface | Virtual template interface. |
| Virtual-TokenRing | Indicates the interface is Virtual Token Ring. |
| virtual-tokenring-interface | Virtual token ring interface. |
No default behavior or values.
Global configuration
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
Use this command to bind a service to an interface.
The following example specifies the interface for the service defined as MyService:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg bind service MyService ATM 0/0/0.10
| Command | Description |
|---|---|
| show ssg service | Displays the information for a service. |
| show ssg binding | Displays service names that have been bound to interfaces and the interfaces to which they have been bound. |
| clear ssg service | Removes a service. |
To specify the default network IP address or subnet and mask, use the ssg default-network global configuration command. Use the no form of this command to disable the default network IP address and mask.
ssg default-network ip-address mask
| Argument | Description |
|---|---|
| ip-address | SSG default IP address or subnet. |
| mask | SSG default network destination mask. |
No default behavior or values.
Global configuration
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
Use this command to specify the IP address or subnet that users can reach before they authenticate. This is the address where the Cisco SSD resides: after users enter the URL for the Cisco SSD, they are prompted for a username and password. The mask given with the IP address specifies the range of addresses reachable without authentication. Because everything in that range is exposed to unauthenticated subscribers, keep it as small as the SSD deployment allows; a host mask of 255.255.255.255 covers a single SSD server.
The following example specifies a default network IP address of 192.168.1.2 and a mask of 255.255.255.255:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg default-network 192.168.1.2 255.255.255.255
None.
To enable fastswitching, use the ssg fastswitch global configuration command. Use the no form of this command to disable fastswitching.
ssg fastswitch
This command has no arguments or keywords.
Fastswitching is enabled by default.
Global configuration
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
Fastswitching must be enabled for the NRP-SSG to function.
The following example disables fastswitching:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# no ssg fastswitch
None.
To set the maximum number of services per user, use the ssg maxservice global configuration command. Use the no form of the command to remove the maximum number of services per user from the running configuration and return it to the default.
ssg maxservice number
| Argument | Description |
|---|---|
| number | Maximum number of services per user. The minimum value is 0; the maximum is 20. |
The default maximum number of services per user is 20.
Global configuration
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
Use this command to limit the number of services to which a user can be logged on simultaneously.
The following example sets the maximum number of services per user to 10.
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg maxservice 10
None.
To enable the NRP-SSG's handling of multicast, use the ssg multicast global configuration command. Use the no form of this command to disable multicast.
ssg multicast
This command has no arguments or keywords.
The NRP-SSG's handling of multicast is disabled by default.
Global configuration
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
When multicast is enabled, the NRP-SSG forwards multicast packets (both normal multicast data packets and IGMP packets) that arrive on an uplink or downlink interface with a service bound to it to the Cisco IOS routing engine.
The following example enables multicast:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg multicast
None.
To download the next-hop table from a RADIUS server, use the ssg next-hop global configuration command. Use the no form of this command to remove the command from the configuration.
ssg next-hop download [profile-name] [profile-password]
| Keyword/Argument | Description |
|---|---|
| download | Loads the next-hop table profile. |
| profile-name | (Optional) Profile name. |
| profile-password | (Optional) Profile password. |
If no profile name and password are provided, the previous profile specified with this command is downloaded. If no previous profile was specified, an error is generated.
Global configuration
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
When this command is used, an entry is made in the running configuration. When the configuration is reloaded, the next-hop table is automatically downloaded. If the no form of this command is used to remove it from the running configuration, a next-hop table will not be automatically downloaded when the configuration is reloaded.
The following example downloads the next-hop table called MyProfile from a RADIUS server:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg next-hop download MyProfile MyProfilePassword
| Command | Description |
|---|---|
| show ssg next-hop | Displays the next-hop table. |
| clear ssg next-hop | Removes the next-hop table. |
To enable transparent passthrough, use the ssg pass-through global configuration command. Use the no form of this command to disable transparent passthrough.
ssg pass-through [filter {ip-access-list | ip-extended-access-list | access-list-name | download [profile-name [profile-password]]} [downlink | uplink]]
| Keyword/Argument | Description |
|---|---|
| filter | (Optional) Specify access control for packets. |
| ip-access-list | (Optional) Number of a standard IP access list. |
| ip-extended-access-list | (Optional) Number of an extended IP access list. |
| access-list-name | (Optional) Name of a named IP access list. |
| download | (Optional) Load a service profile and use its filter(s) as default filter(s). |
| profile-name | (Optional) Service profile name. |
| profile-password | (Optional) Service profile password. |
| downlink | (Optional) Apply filter to downlink packets. |
| uplink | (Optional) Apply filter to uplink packets. |
Transparent passthrough is disabled by default.
Global configuration
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
Use this command to enable transparent passthrough if you want to allow unauthenticated traffic to pass through the NRP-SSG in either direction without modification. If you want all traffic to be authenticated by the NRP-SSG, leave transparent passthrough disabled, or use the no form of this command to disable it. Use the filter option to prevent passthrough traffic from reaching the specified IP address and subnet mask combinations; without a filter, any unauthenticated subscriber can reach any address the NRP-SSG routes to.
Use the no form of this command to remove a transparent passthrough filter that was configured at the command line. This will also remove it from the running configuration.
The following example downloads a transparent passthrough filter from the filter01 service profile:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg pass-through filter download filter01 cisco
Radius reply received:
Created Upstream acl from it.
Loading default pass-through filter succeeded.
| Command | Description |
|---|---|
| show ssg pass-through-filter | Displays the downloaded filter for transparent passthrough. |
| clear ssg pass-through-filter | Removes the downloaded filter for transparent passthrough. |
To enable communications with the Cisco Service Selection Dashboard (SSD) and specify port numbers and secret keys for receiving packets, use the ssg radius-helper global configuration command. Use the no form of this command to disable communications with the Cisco SSD.
ssg radius-helper [acct-port port-number | auth-port port-number | acct-port port-number auth-port port-number | key key]
| Keyword/Argument | Description |
|---|---|
| acct-port | (Optional) Specifies the UDP destination port for a RADIUS accounting server. |
| port-number | (Optional) Port number for accounting requests; the host is not used for accounting if set to 0. The default is 1646. |
| auth-port | (Optional) Specifies the UDP destination port for a RADIUS authentication server. |
| port-number | (Optional) Port number for authentication requests; the host is not used for authentication if set to 0. The default is 1645. |
| key | (Optional) Specifies the key shared with the RADIUS clients. |
| key | (Optional) Key shared with the RADIUS clients. |
The default port number for acct-port is 1646.
The default port number for auth-port is 1645.
Global configuration
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
You must use this command to specify a key so that the NRP-SSG can communicate with the Cisco SSD. The key is the RADIUS shared secret with which the NRP-SSG validates the packets it receives from the Cisco SSD, so choose a strong value and configure the same key and port numbers on the SSD. The defaults, 1645 and 1646, are the legacy RADIUS port numbers; if the SSD is configured to send to the IANA-assigned ports 1812 and 1813, set auth-port and acct-port to match.
The following example enables communication with the Cisco SSD:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg radius-helper acct-port 1646 auth-port 1645
routerA(config)# ssg radius-helper key MyKey
None.
To specify the password for downloading a service profile, use the ssg service-password global configuration command. Use the no form of this command to disable the password.
ssg service-password password
| Argument | Description |
|---|---|
| password | Service profile password. |
No default behavior or values.
Global configuration
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
This command sets the password required to authenticate with the AAA server and download a service profile.
The following example sets the password for downloading a service profile:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg service-password MyPassword
None.
To specify the order in which NRP-SSG searches for a service profile, use the ssg service-search-order global configuration command. Use the no form of this command to disable the search order.
ssg service-search-order {local | remote | local remote | remote local}
| Keyword | Description |
|---|---|
| local | Search for service profiles in local Flash memory. |
| remote | Search for service profiles on a RADIUS server. |
| local remote | Search for service profiles in local Flash memory, then on a RADIUS server. |
| remote local | Search for service profiles on a RADIUS server, then in local Flash memory. |
The default search order is remote, that is, the NRP-SSG searches for service profiles on the RADIUS server.
Global configuration
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
The NRP-SSG can search for service profiles in local Flash memory, on a remote RADIUS server, or both. The possible search orders are local, remote, local remote, and remote local.
The following example sets the search order to local remote, so that the NRP-SSG always looks for service profiles in Flash memory first, then on the RADIUS server:
routerA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerA(config)# ssg service-search-order local remote
| Command | Description |
|---|---|
| local-profile | Configures a local RADIUS service profile. |
This section documents new debug commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command references.
To display all error messages for control modules, use the debug ssg ctrl-errors privileged EXEC command. Use the no form of this command to disable debugging output.
[no] debug ssg ctrl-errors
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
This command displays error messages for the control modules, which include all modules that manage user authentication and service logon and logoff (RADIUS, PPP, Subblock, and Accounting). An error message is the result of an error detected during normal execution.
The following output is generated by the debug ssg ctrl-errors command when a host logs on and logs off from a service:
routerA# debug ssg ctrl-errors
Mar 29 13:51:30 [192.168.5.1.15.21] 59:00:15:38:%VPDN-6-AUTHORERR:L2F NAS LowSlot6 cannot locate a AAA server for Vi6 user User1
Mar 29 13:51:31 [192.168.5.1.15.21] 60:00:15:39:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access6, changed state to down
| Command | Description |
|---|---|
| debug ssg ctrl-events | Displays all event messages for control modules. |
| debug ssg ctrl-packets | Displays packet contents handled by control modules. |
To display all event messages for control modules, use the debug ssg ctrl-events privileged EXEC command. Use the no form of this command to disable debugging output.
[no] debug ssg ctrl-events
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
This command displays event messages for the control modules, which include all modules that manage user authentication and service logon and logoff (RADIUS, PPP, Subblock, and Accounting). An event message is an informational message generated during normal execution.
The following output is generated by the debug ssg ctrl-events command when a host logs on to a service:
routerA# debug ssg ctrl-events
Mar 16 16:20:30 [192.168.6.1.7.141] 799:02:26:51:SSG-CTL-EVN:Service logon is accepted.
Mar 16 16:20:30 [192.168.6.1.7.141] 800:02:26:51:SSG-CTL-EVN:Send cmd 11 to host 172.16.6.13. dst=192.168.100.24:36613
| Command | Description |
|---|---|
| debug ssg ctrl-errors | Displays all error messages for control modules. |
| debug ssg ctrl-packets | Displays packet contents handled by control modules. |
To display packet contents handled by control modules, use the debug ssg ctrl-packets privileged EXEC command. Use the no form of this command to disable debugging output.
[no] debug ssg ctrl-packets
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
This command displays packet messages for the control modules, which include all modules that manage user authentication and service logon and logoff (RADIUS, PPP, Subblock, and Accounting). A packet message displays the contents of a packet.
The following output is generated by the debug ssg ctrl-packets command when a host logs off from a service:
routerA# debug ssg ctrl-packets
Mar 16 16:23:38 [192.168.6.1.7.141] 968:02:30:00:SSG-CTL-PAK:Received Packet:
Mar 16 16:23:38 [192.168.6.1.7.141] 980:02:30:00:SSG-CTL-PAK:Sent packet:
Mar 16 16:23:39 [192.168.6.1.7.141] 991:02:30:00:SSG-CTL-PAK:
Mar 16 16:23:39 [192.168.6.1.7.141] 992:Received Packet:
| Command | Description |
|---|---|
| debug ssg ctrl-errors | Displays all error messages for control modules. |
| debug ssg ctrl-events | Displays all event messages for control modules. |
To display all data path packets, use the debug ssg data privileged EXEC command. Use the no form of this command to disable debugging output.
[no] debug ssg data
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
This command displays packets for the data modules, which include all modules that forward data packets (DHCP, DNS, tunneling, fastswitch, IP stream, and multicast).
The following output is generated by the debug ssg data command when a host logs on and logs off from a service:
routerA# debug ssg data
Mar 29 13:45:16 [192.168.5.1.15.21] 45:00:09:24: SSG-DATA:PS-UP-SetPakOutput=1(Vi6:172.16.5.50->199.199.199.199)
Mar 29 13:45:16 [192.168.5.1.15.21] 46:00:09:24: SSG-DATA:PS-DN-SetPakOutput=1(Fa0/0/0:171.69.2.132->172.16.5.50)
Mar 29 13:45:16 [192.168.5.1.15.21] 47:00:09:24: SSG-DATA:FS-UP-SetPakOutput=1(Vi6:172.16.5.50->171.69.43.34)
Mar 29 13:45:16 [192.168.5.1.15.21] 48:00:09:24:
| Command | Description |
|---|---|
| debug ssg data-nat | Displays all data path packets for NAT processing. |
To display all data path packets for NAT processing, use the debug ssg data-nat privileged EXEC command. Use the no form of this command to disable debugging output.
[no] debug ssg data-nat
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
This command displays packets for the data modules that forward NAT data packets.
The following output is generated by the debug ssg data-nat command when a host logs on and logs off from a service:
routerA# debug ssg data-nat
Mar 29 13:43:14 [192.168.5.1.15.21] 35:00:07:21:SSG-DATA:TranslateIP Dst 199.199.199.199->171.69.2.132
Mar 29 13:43:14 [192.168.5.1.15.21] 36:00:07:21:SSG-DATA:TranslateIP Src 171.69.2.132->199.199.199.199
Mar 29 13:43:30 [192.168.5.1.15.21] 39:00:07:38:SSG-DATA:TranslateIP Dst 199.199.199.199->171.69.2.132
Mar 29 13:43:30 [192.168.5.1.15.21] 40:00:07:38:SSG-DATA:TranslateIP Src 171.69.2.132->199.199.199.199
| Command | Description |
|---|---|
| debug ssg data | Displays all data path packets. |
To display all error messages for the system modules, use the debug ssg errors privileged EXEC command. Use the no form of this command to disable debugging output.
[no] debug ssg errors
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
This command displays error messages for the system modules, which include the basic IOS and other support modules (such as Object Model, Timeout, and Initialization). An error message is the result of an error detected during normal execution.
The following output is generated by the debug ssg errors command when a PPPoE client logs on with an incorrect password:
routerA# debug ssg errors
Mar 16 08:46:20 [192.168.6.1.7.141] 225:00:16:06:SSG:SSGDoAccounting: reg_invoke_do_acct returns FALSE
| Command | Description |
|---|---|
| debug ssg events | Displays event messages for system modules. |
To display event messages for system modules, use the debug ssg events privileged EXEC command. Use the no form of this command to disable debugging output.
[no] debug ssg events
This command has no arguments or keywords.
No default behavior or values.
| Release | Modification |
|---|---|
| 12.0(3)DC | This command was first introduced. |
This command displays event messages for the system modules, which include the basic IOS modules and other support modules (such as Object Model, Timeout, and Initialization). An event message is an informational message generated during normal execution.
The following output is generated by the debug ssg events command when a PPPoE client logs in with the username "username" and the password "cisco":
routerA# debug ssg events
Mar 16 08:39:39 [192.168.6.1.7.141] 167:00:09:24:%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Mar 16 08:39:39 [192.168.6.1.7.141] 168:00:09:25:%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Mar 16 08:39:40 [192.168.6.1.7.141] 169:00:09:26:%VPDN-6-AUTHORERR:L2F NAS LowSlot7 cannot locate a AAA server for Vi3 user username
Mar 16 08:39:40 [192.168.6.1.7.141] 170:HostObject::HostObject:size = 256
Mar 16 08:39:40 [192.168.6.1.7.141] 171:HostObject::Reset
Mar 16 08:39:40 [192.168.6.1.7.141] 172:Service List:
Mar 16 08:39:40 [192.168.6.1.7.141] 175:Service = isp-1
| Command | Description |
|---|---|
| debug ssg errors | Displays all error messages for the system modules. |
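The debug ssg ctrl-errors, ctrl-events, errors and events outputs above all arrive through the same relay format: a timestamp, a bracketed relay identifier, a sequence number, usually an uptime field, and the message, where IOS syslog mnemonics (such as %VPDN-6-AUTHORERR) and SSG module tags (such as SSG-CTL-EVN) lead the message. The following script is an added example, not part of the Cisco document: it parses lines of that shape and summarises the conditions an operator should act on first, namely the "cannot locate a AAA server" authorization error (subscribers cannot be authenticated) and the SSGDoAccounting failure (service usage is not being recorded). The sample capture is constructed by combining lines from the document's examples, so the sequence-number gaps it reports are expected; the field names and the triage rules are the example's own.

```python
"""Added example (not from the Cisco document): triage relayed 'debug ssg'
output of the form '<Mon dd hh:mm:ss> [<relay-id>] <seq>:<uptime>:<message>'.
The uptime field is absent on some continuation lines, as in the document's
'debug ssg events' example, so the parser treats it as optional.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample capture, assembled from the document's example outputs.
SAMPLE_DEBUG = """\
Mar 16 08:39:40 [192.168.6.1.7.141] 169:00:09:26:%VPDN-6-AUTHORERR:L2F NAS LowSlot7 cannot locate a AAA server for Vi3 user username
Mar 16 08:39:40 [192.168.6.1.7.141] 170:HostObject::HostObject:size = 256
Mar 16 08:46:20 [192.168.6.1.7.141] 225:00:16:06:SSG:SSGDoAccounting: reg_invoke_do_acct returns FALSE
Mar 16 16:20:30 [192.168.6.1.7.141] 799:02:26:51:SSG-CTL-EVN:Service logon is accepted.
Mar 16 16:20:30 [192.168.6.1.7.141] 800:02:26:51:SSG-CTL-EVN:Send cmd 11 to host 172.16.6.13. dst=192.168.100.24:36613
Mar 29 13:51:30 [192.168.5.1.15.21] 59:00:15:38:%VPDN-6-AUTHORERR:L2F NAS LowSlot6 cannot locate a AAA server for Vi6 user User1
"""

LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\[(?P<relay>[\d.]+)\] "
    r"(?P<seq>\d+):(?:(?P<uptime>\d\d:\d\d:\d\d):)?\s*(?P<msg>.*)$"
)
# IOS mnemonics such as %VPDN-6-AUTHORERR and SSG module tags such as SSG-CTL-EVN
FACILITY_RE = re.compile(r"^(%?[A-Z][A-Z0-9_-]*):")
AAA_RE = re.compile(r"cannot locate a AAA server for (?P<intf>\S+) user (?P<user>\S+)")


@dataclass(frozen=True)
class DebugRecord:
    stamp: str
    relay: str
    seq: int
    uptime: Optional[str]
    facility: Optional[str]
    msg: str


def parse_debug_line(line: str) -> Optional[DebugRecord]:
    """Parse one relayed debug line; return None for anything that does not fit."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    msg = m.group("msg")
    f = FACILITY_RE.match(msg)
    return DebugRecord(m.group("stamp"), m.group("relay"), int(m.group("seq")),
                       m.group("uptime"), f.group(1) if f else None, msg)


def triage(text: str) -> dict:
    """Summarise a capture: facility counts, AAA-server failures per (interface, user),
    accounting failures, accepted service logons, and sequence gaps per relay
    (a gap means lines were dropped between the router and the collector)."""
    facilities = Counter()
    aaa_failures, last_seq, gaps = [], {}, []
    accounting_failures = logons_accepted = 0
    for line in text.splitlines():
        rec = parse_debug_line(line)
        if rec is None:
            continue
        facilities[rec.facility or "(unlabelled)"] += 1
        prev = last_seq.get(rec.relay)
        if prev is not None and rec.seq != prev + 1:
            gaps.append((rec.relay, prev, rec.seq))
        last_seq[rec.relay] = rec.seq
        a = AAA_RE.search(rec.msg)
        if a:
            aaa_failures.append((a.group("intf"), a.group("user")))
        if "reg_invoke_do_acct returns FALSE" in rec.msg:
            accounting_failures += 1
        if rec.msg.startswith("SSG-CTL-EVN:Service logon is accepted"):
            logons_accepted += 1
    return {"facilities": dict(facilities), "aaa_failures": aaa_failures,
            "accounting_failures": accounting_failures,
            "logons_accepted": logons_accepted, "gaps": gaps}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Feed it a file captured from the syslog collector rather than the console; the sequence numbers are what make dropped lines visible, and the per-relay tracking keeps captures from several NRPs from being confused with each other.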
AAA: Authentication, authorization, and accounting (pronounced "triple a").
DHCP: Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.
NRP: Node Route Processor. Cisco IOS software routing engine derived from the Cisco 7200 series technology. These router blades are part of the Cisco 6400 universal access concentrator. They enable the service provider to offer scalable Layer 3 services.
PPP: Point-to-Point Protocol. Successor to SLIP that provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. Whereas SLIP was designed to work with IP, PPP was designed to work with several network layer protocols, such as IP, IPX, and ARA. PPP also has built-in security mechanisms, such as CHAP and PAP. PPP relies on two protocols: LCP and NCP.
RADIUS: Remote Authentication Dial-In User Service. Database for authenticating modem and ISDN connections and for tracking connection time.
SNMP: Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP networks. SNMP provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.
SSD: Service Selection Dashboard. The SSD server is a customizable Web-based application that works with the Cisco SSG to allow end customers to log on to and disconnect from proxy and passthrough services through a standard Web browser. After the customer logs in to the service provider's network, an HTML Dashboard is populated with the services authorized for that user.
SSG: Service Selection Gateway. The Cisco SSG offers service providers a means for menu-based service selection. End users can select services from the Dashboard menu, and the Cisco SSG will set up and tear down proxy and passthrough network connections based on a user's selection. The Cisco SSG will account for the services selected so that service providers can bill for individual services.
TACACS+: Terminal Access Controller Access Control System Plus. Proprietary Cisco enhancement to Terminal Access Controller Access Control System (TACACS). Provides additional support for authentication, authorization, and accounting. TACACS is an authentication protocol, developed by the Defense Data Network (DDN) community, that provides remote access authentication and related services, such as event logging. User passwords are administered in a central database rather than in individual routers, providing an easily scalable network security solution.
UAC: Universal Access Concentrator. The Cisco 6400 UAC is a broadband concentrator that supports Cisco Systems' end-to-end ATM transmission services, PPP termination services, and tunneling services. The Cisco 6400 UAC is a new system consisting of an Asynchronous Transfer Mode (ATM) switching core and redundant routing engines.
UCP: User Control Point. Cisco UCP is a carrier-class service policy administration system that enables personalized IP services. Cisco UCP's distributed, fault-tolerant architecture integrates authentication, authorization, and accounting (AAA); roaming; and address management services into a service provider's operations support systems.
Posted: Tue Sep 19 15:44:10 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.