The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Feature History
|
|
12.2(4)B |
This feature was introduced. |
This document describes the SSG Autologoff feature in Cisco IOS Release 12.2(4)B. It includes the following sections:
•Supported Standards, MIBs, and RFCs
•Monitoring and Maintaining SSG Autologoff
The SSG Autologoff feature enables the Cisco Service Selection Gateway (SSG) to verify connectivity with each host at configured intervals. If SSG detects that the host is not reachable from SSG, then it automatically initiates the logoff for that host.
SSG is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as digital subscriber lines, cable modems, or wireless to allow simultaneous access to network services.
SSG works in conjunction with the Cisco Service Selection Dashboard (SSD) or its successor product, the Cisco Subscriber Edge Services Manager (SESM). Together with the SESM or SSD, SSG provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with an SESM or SSD web application using a standard Internet browser.
SSG acts as a central control point for Layer 2 and Layer 3 services. These can include services available through ATM virtual circuits (VCs), virtual private dial-up networks (VPDNs), or normal routing methods.
SSG communicates with the authentication, authorization, and accounting (AAA) management network where RADIUS, Dynamic Host Configuration Protocol (DHCP), and Simple Network Management Protocol (SNMP) servers reside and with the Internet service provider (ISP) network, which may connect to the Internet, corporate networks, and value-added services.
A licensed version of SSG works with SESM or SSD to present to subscribers a menu of network services that can be selected from a single graphical user interface (GUI). This functionality improves flexibility and convenience for subscribers and enables service providers to bill subscribers for connect time and services used, rather than charging a flat rate.
For more information about SSG, refer to the Service Selection Gateway feature module in the "New SSG Features in Release 12.2(4)B" area of Cisco.com.
When SSG automatic logoff (autologoff) is configured, the SSG checks the status of the connection with each host at configured intervals. If SSG finds that a host is not reachable, SSG automatically initiates the logoff of that host. SSG has two methods of checking the connectivity of hosts: ARP ping and ICMP ping.
The ARP is an Internet protocol used to map IP addresses to MAC addresses in directly connected devices. A router that uses ARP will broadcast ARP requests for IP address information. When an IP address is successfully associated with a MAC address, the router stores the information in the ARP cache.
When SSG autologoff is configured to use ARP ping, SSG periodically checks the ARP cache tables. If a table entry for a host is found, SSG forces ARP to refresh the entry and checks the entry again after a configured interval. If a table entry is not found, SSG initiates autologoff for the host. However, if any data traffic to or from the host occurred during the interval, SSG does not ping the host because the reachability of the host during that interval was established by the data traffic.
Note ARP ping should be used only in deployment scenarios in which all hosts are directly connected to the SSG through a broadcast interface such as an Ethernet interface or a bridged interface such as a routed bridge encapsulation (RBE) or integrated routing and bridging (IRB) interface.
ARP request packets are smaller than ICMP ping packets, so it is recommended that you configure SSG autologoff to use ARP ping in scenarios where hosts are directly connected.
The ICMP is a network-layer Internet protocol that reports errors and provides other information relevant to IP packet processing. An ICMP ping is the echo message and echo-reply message used to check for connectivity between devices.
When SSG autologoff is configured to use the ICMP ping mechanism, SSG pings the host to check connectivity until an ICMP response (successful ping) is obtained or the allowable number of tries is used up. If all the tries are used up and the ping was unsuccessful, then SSG initiates logoff for that host. This pinging is done once every configured interval. As with ARP ping, if there was found to be any data traffic to or from the host was found during the interval, SSG will not ping the host because reachability was established by the data traffic.
ICMP ping will work in all types of deployment scenarios and supports overlapping IP users.
The SSG Autologoff feature enables service providers that use SSG to offer subscribers per-minute billing plans for services. SSG autologoff also prevents subscribers from being charged for services that they are not able to access.
The following restrictions apply to the SSG Autologoff feature:
•ARP ping should be used only in deployment scenarios in which all hosts are directly connected to the SSG through a broadcast interface such as an Ethernet interface or a bridged interface such as a routed bridge encapsulation or integrated routing and bridging interface. ICMP ping can be used in all types of deployment scenarios.
•ARP ping will work only on hosts that have a MAC address. So, for example, ARP ping will not work for PPP users because they do not have a MAC table entry.
•ARP ping does not support overlapping IP addresses.
•SSG autologoff that uses the ARP ping mechanism will not work for hosts with static ARP entries.
•You can use only one method of SSG autologoff at a time: ARP ping or ICMP ping.
•Address Resolution Protocol (ARP)
•Internet Control Message Protocol (ICMP)
For more information about SSG, see the following document:
•Service Selection Gateway, Cisco IOS Release 12.2(4)B feature module
For information about other supported SSG features, see the following documents:
•Hierarchical Policing for Service Selection Gateway, Cisco IOS Release 12.2(4)B feature module
•SSG Autodomain, Cisco IOS Release 12.2(4)B feature module
•SSG AutoLogin Using Proxy Radius, Cisco IOS Release 12.2(4)B feature module
•Service Selection Gateway Accounting Update Interval per Service, Cisco IOS Release 12.2(4)B feature module
•SSG Open Garden, Cisco IOS Release 12.2(4)B feature module
•SSG Port-Bundle Host Key, Cisco IOS Release 12.2(4)B feature module
•SSG Prepaid, Cisco IOS Release 12.2(4)B feature module
•SSG TCP Redirect for Services, Cisco IOS Release 12.2(4)B feature module
For information on configuring SSD and SESM, see the following documents:
•Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide
•Cisco Service Selection Dashboard Installation and Configuration Guide
•Cisco Service Selection Dashboard Web Developer Guide
•Cisco 6400 series
•Cisco 7200 series
•Cisco 7401 ASR
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or Cisco Feature Navigator.
Standards
No new standards are supported by this feature.
MIBs
No new MIBs are supported by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new RFCs are supported by this feature.
The tasks in this feature assume that you know how to configure SSG, ARP, and ICMP.
See the following sections for configuration tasks for the SSG Autologoff feature. Each task in the list is identified as either required or optional.
•Configuring SSG Autologoff (required)
•Verifying SSG Autologoff (optional)
To configure SSG autologoff, use one of the following commands in global configuration mode:
Use the show running-config command to verify the configuration of SSG autologoff.
To monitor SSG autologoff, use the following command in EXEC mode:
|
|
---|---|
Router# debug ssg ctrl-events |
Displays all event messages for control modules, including autologoff events. |
This section provides the following configuration examples:
•SSG Autologoff Using ARP Ping
•SSG Autologoff Using ICMP Ping
The following example shows how to enable SSG autologoff. SSG will use ARP ping to detect connectivity to hosts.
ssg auto-logoff arp interval 60
The following example shows how to enable SSG autologoff. SSG will use ICMP ping to detect connectivity to hosts.
ssg auto-logoff icmp interval 60 timeout 300 packets 3
This section documents new commands. All other commands used with this feature are documented in the Service Selection Gateway feature module for Cisco IOS Release 12.2(4)B or the Cisco IOS Release12.2 command reference publications.
To configure Service Selection Gateway (SSG) to automatically log off hosts that have lost connectivity with SSG and to use the Address Resolution Protocol (ARP) ping mechanism to detect connectivity, use the ssg auto-logoff arp command in global configuration mode. To disable SSG autologoff, use the no form of this command.
ssg auto-logoff arp [interval seconds]
no auto-logoff arp
SSG autologoff is not enabled.
Default interval = 30 seconds.
Global configuration
|
|
---|---|
12.2(4)B |
This command was introduced. |
When the ssg auto-logoff arp command is configured, SSG will use the ARP ping mechanism to detect connectivity to hosts.
Note ARP ping should be used only in deployment scenarios in which all hosts are directly connected to the SSG through a broadcast interface such as an Ethernet interface or a bridged interface such as a routed bridge encapsulation (RBE) or an integrated routing and bridging (IRB) interface.
ARP request packets are smaller than Internet Control Message Protocol (ICMP) ping packets, so it is recommended that you configure SSG autologoff to use ARP ping in scenarios in which hosts are directly connected.
ICMP ping can be used in all types of deployment scenarios. See the ssg auto-logoff icmp command reference page for more information about SSG autologoff using ICMP ping.
ARP ping will work only on hosts that have a MAC address. So, for example, ARP ping will not work for PPP users because they do not have a MAC table entry.
ARP ping does not support overlapping IP addresses.
SSG autologoff that uses the ARP ping mechanism will not work for hosts with static ARP entries.
You can use only one method of SSG autologoff at a time: ARP ping or ICMP ping. If you configure SSG to use ARP ping after ICMP ping has been configured, the ICMP ping function will become disabled.
The following example shows how to enable SSG autologoff. SSG will use ARP ping to detect connectivity to hosts.
Router(config)# ssg auto-logoff arp interval 60
|
|
---|---|
Configures the SSG to automatically log off hosts that have lost connectivity with SSG and to use the ICMP ping mechanism to detect connectivity. |
To configure Service Selection Gateway (SSG) to automatically log off hosts that have lost connectivity with SSG and to use the Internet Control Message Protocol (ICMP) ping mechanism to detect connectivity, use the ssg auto-logoff icmp command in global configuration mode. To disable SSG autologoff, use the no form of this command.
ssg auto-logoff icmp [timeout milliseconds] [packets number] [interval seconds]
no auto-logoff icmp
SSG autologoff is not enabled.
Default interval = 30 seconds.
Default timeout = 500 milliseconds.
Default packets = 2 packets.
Global configuration
|
|
---|---|
12.2(4)B |
This command was introduced. |
When the ssg auto-logoff icmp command is specified, SSG will use the ICMP ping mechanism to detect connectivity to hosts.
Note ICMP ping may be used in all types of deployment scenarios.
ICMP ping supports overlapping IP addresses.
If a user is not reachable, a configured number of packets (p) will be sent, and each packet will be timed out (t). The user will be logged off in p*t milliseconds after the first pinging attempt. If p*t milliseconds is greater than the configured pinging interval, then the time taken to log off the host after connectivity is lost will be greater than the configured autologoff interval. If parameters are configured this way, the following warning will be issued: "Hosts will be auto-logged off (p*t) msecs after connectivity is lost." When the pinging interval is less than p*t, the timeout process for a host that has become unreachable will be invoked when the pinging to that host is still in place. However, because the timeout process will check the status of the host object and find that it is in a pinging state, the host will not be pinned again.
You can use only one method of SSG autologoff at a time: Address Resolution Protocol (ARP) ping or ICMP ping. If you configure SSG to use ARP ping after ICMP ping has been configured, the ICMP ping function will become disabled.
Default values will be applied if a value of zero is configured for any parameters.
The ssg auto-logoff arp command will configure SSG to use the ARP ping mechanism to detect connectivity to hosts. ARP ping should be used only in deployment scenarios in which all hosts are directly connected to the SSG through a broadcast interface such as an Ethernet interface or a bridged interface such as a routed bridge encapsulation or an integrated routing and bridging interface.
ARP request packets are smaller than ICMP ping packets, so it is recommended that you configure SSG autologoff to use ARP ping in scenarios in which hosts are directly connected. For more information about SSG autologoff that uses ARP ping, see the ssg auto-logoff arp command reference page.
The following example shows how to enable SSG autologoff. SSG will use ICMP ping to detect connectivity to hosts.
Router(config)# ssg auto-logoff icmp interval 60 timeout 300 packets 3
|
|
---|---|
Configures the SSG to automatically log off hosts that have lost connectivity with SSG and to use the ARP ping mechanism to detect connectivity. |
ARP—Address Resolution Protocol. Internet protocol used to map an IP address to a MAC address.
DHCP—Dynamic Host Configuration Protocol. Protocol that provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.
ICMP—Internet Control Message Protocol. Network-layer Internet protocol that reports errors and provides other information relevant to IP packet processing.
SESM—Subscriber Edge Services Manager. Successor product to the Cisco SSD. SESM is part of a Cisco solution that allows subscribers of digital subscriber lines (DSL), cable, wireless, and dial-up to simultaneously access multiple services.
SNMP—Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP networks. SNMP provides a means of monitoring and controlling network devices and managing configurations, statistics collection, performance, and security.
SSD—Service Selection Dashboard. The SSD server is a customizable web-based application that works with the Cisco SSG to allow end customers to log in to and disconnect from proxy and pass-through services through a standard Web browser.
SSG—Service Selection Gateway.
VPDN—virtual private dial-up network. A VPDN is a network that extends remote access to a private network using a shared infrastructure.