SSG Port-Bundle Host Key


Feature History

Release      Modification
12.2(2)B     This feature was introduced on the Cisco 6400 series.
12.2(4)B     This feature was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T    This feature was integrated into Cisco IOS Release 12.2(13)T.



Note This document describes the SSG Port-Bundle Host Key feature in Cisco IOS Releases 12.2(4)B and 12.2(13)T. If you are running Cisco IOS Releases 12.2(16)B or 12.3(4)T or a later release, refer to the SSG Port-Bundle Host Key new-feature document specific to your release.


This document includes the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Monitoring and Maintaining SSG Port-Bundle Host Key

Configuration Example

Command Reference

Glossary

Feature Overview

The SSG Port-Bundle Host Key feature enhances communication and functionality between the Service Selection Gateway (SSG) and the Cisco Subscriber Edge Services Manager (SESM) by introducing a mechanism that uses the host source IP address and source port to identify and monitor subscribers.

SSG

Service Selection Gateway (SSG) is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as digital subscriber lines, cable modems, or wireless to allow simultaneous access to network services.

SSG works in conjunction with the Cisco Service Selection Dashboard (SSD) or its successor product, the Cisco SESM. Together with the SESM or SSD, SSG provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with an SESM or SSD web application using a standard Internet browser.

SSG acts as a central control point for Layer 2 and Layer 3 services. These can include services available through ATM virtual circuits (VCs), virtual private dial-up networks (VPDNs), or normal routing methods.

SSG communicates with the AAA management network where RADIUS, Dynamic Host Configuration Protocol (DHCP), and Simple Network Management Protocol (SNMP) servers reside and with the Internet service provider (ISP) network, which may connect to the Internet, corporate networks, and value-added services.

A licensed version of SSG works with SESM or SSD to present to subscribers a menu of network services that can be selected from a single graphical user interface (GUI). This functionality improves flexibility and convenience for subscribers and enables service providers to bill subscribers for connect time and services used, rather than charging a flat rate.

For more information about SSG, refer to the Service Selection Gateway feature module in the "New Features in Release 12.2(8)T" area of Cisco.com.

Host Key Mechanism


Note All references to SESM also apply to SSD unless a clear distinction is made.


With the SSG Port-Bundle Host Key feature, SSG performs port-address translation (PAT) and network-address translation (NAT) on the HTTP traffic between the subscriber and the SESM server. When a subscriber sends an HTTP packet to the SESM server, SSG creates a port map that changes the source IP address to a configured SSG source IP address and changes the source TCP port to a port allocated by SSG. SSG assigns a bundle of ports to each subscriber because one subscriber can have several simultaneous TCP sessions when accessing a web page. The assigned host key, or combination of port bundle and SSG source IP address, uniquely identifies each subscriber. The host key is carried in RADIUS packets sent between the SESM server and SSG in the Subscriber IP vendor-specific attribute (VSA). Table 1 describes the Subscriber IP VSA. When the SESM server sends a reply to the subscriber, SSG translates the destination IP address and destination TCP port according to the port map.

Table 1 Subscriber IP VSA Description

Attr ID: 26
Vendor ID: 9
Sub Attr ID and Type: 250 Account-Info
Attr Name: Subscriber IP
Sub Attr Data:

S—Account-Info code for subscriber IP.

<subscriber IP address>:<port-bundle number>—The port-bundle number is used if the SSG Port-Bundle Host Key feature is configured.


For each TCP session between a subscriber and the SESM server, SSG uses one port from the port bundle as the port map. Port mappings are flagged as eligible for reuse on the basis of inactivity timers, but are not explicitly removed once assigned. The number of port bundles is limited, but you can assign multiple SSG source IP addresses to accommodate more subscribers.

SSG assigns the base port of the port bundle to a port map only if SSG has no state information for the subscriber or if the state of the subscriber has changed. When the SESM server sees the base port of a port bundle in the host key, SESM queries SSG for new subscriber state information.

Local Forwarding

When the SSG Port-Bundle Host Key feature is not configured, SSG local forwarding enables SSG to forward packets locally between any SSG hosts. When the SSG Port-Bundle Host Key feature is configured, local forwarding works only for SSG hosts that are connected to at least one common service. The hosts need to be connected to a common service because, if the destination host has an overlapping IP address, SSG will not know to which of the overlapping hosts to forward the traffic. For SSG to forward packets from one SSG host to another SSG host that has an overlapping IP address, the overlapping hosts cannot share any common services with the source host; otherwise, it is not guaranteed that traffic will go to the required host.

Benefits

Support for Overlapped Subscriber IP Addresses Extended to Include SESM Usage

Without the SSG Port-Bundle Host Key feature, PPP users are allowed to have overlapped subscriber IP addresses, but they cannot use SSG to conduct service selection through the web-based SESM user interface.

With the SSG Port-Bundle Host Key feature, PPP users can have overlapped IP addresses while using SSG with SESM or SSD. The subscriber IP addresses are also not required to be routable within the service management network where the SESM server resides, because the host key enables support for private addressing schemes.

Cisco SESM Provisioning for Subscriber and SSG IP Addresses No Longer Required

Without the SSG Port-Bundle Host Key feature, SESM must be provisioned for subscriber and SSG IP addresses before SESM is able to send RADIUS packets to SSG or send HTTP packets to subscribers.

The SSG Port-Bundle Host Key feature eliminates the need to provision SESM in order to allow one SESM server to serve multiple SSGs and to allow one SSG to be served by multiple SESM servers.

Reliable and Just-in-Time Notification to Cisco SSD of Subscriber State Changes

Without the SSG Port-Bundle Host Key feature, SSG uses an asynchronous messaging mechanism to immediately notify the SESM server of subscriber state changes in SSG (such as session timeouts or idle timeout events).

The SSG Port-Bundle Host Key feature replaces the asynchronous messaging mechanism with an implicit and reliable notification mechanism that uses the base port of a port bundle to alert the SESM server of a state change. The SESM server can then query SSG for the true state of the subscriber and update the cached object or send the information back to the subscriber.

Support for Multiple Accounts for One Subscriber IP Address

To accommodate multiple users sharing a single PC, the SSG Port-Bundle Host Key feature supports multiple subaccounts, each with a different username under one subscriber. When the SESM server contacts SSG to log a new user in to an already logged-in account, SSG logs out the existing account and logs in the new user. In account switching, the port bundle and host object remain the same, but the content of the host object is changed according to the profile of the subaccount user.

Restrictions

The SSG Port-Bundle Host Key feature must be separately enabled at the SESM and at all connected SSGs.

Enabling the SSG Port-Bundle Host Key feature requires an SSG reload and an SESM restart to take effect.

Changing the port-bundle length will not take effect until after the router has reloaded.

All SSG source IP addresses configured with the ssg port-map source ip command must be routable in the management network where the SESM resides.

Overlapping subscriber IP addresses are supported only for hosts connected to SSG through routed point-to-point interfaces.

Overlapping IP users cannot come in on the same SSG downlink interface.

Overlapping IP users cannot be connected to the same service or to different services that are bound to the same uplink interface.

For each SESM server, all connected SSGs must have the same port-bundle length.

RFC1483 or local bridged or routed clients cannot have overlapping IP addresses, even across different interfaces.

Related Documents

For information about SSG, refer to the following documents:

Service Selection Gateway, Cisco IOS Release 12.2(8)T feature module

For information about other supported SSG features, refer to the following documents:

SSG Open Garden, Cisco IOS Release 12.2(13)T feature module

SSG TCP Redirect for Services, Cisco IOS Release 12.2(13)T feature module

For information on configuring SSD and SESM, see the following documents:

Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide

Cisco Service Selection Dashboard Installation and Configuration Guide

Cisco Service Selection Dashboard Web Developer Guide

Supported Platforms

Cisco 3660

Cisco 6400 series

Cisco 7200 series

Determining Platform Support Through Cisco Feature Navigator

Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.

Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.

To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:

http://www.cisco.com/go/fn

Availability of Cisco IOS Software Images

Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or Cisco Feature Navigator.

Supported Standards, MIBs, and RFCs

Standards

No new or modified standards are supported by this feature.

MIBs

No new or modified MIBs are supported by this feature.

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

No new or modified RFCs are supported by this feature.

Prerequisites

The SSG Port-Bundle Host Key feature requires Cisco SSD Release 3.0(1) or Cisco SESM Release 3.1(1). If you are using an earlier release of SSD, disable the SSG Port-Bundle Host Key feature using the no ssg port-map enable global configuration command.

A default network must be configured and routable from SSG in order for the following commands to be effective:

ssg port-map destination access-list

ssg port-map destination range (without an IP address specified)

Configuration Tasks

See the following sections for configuration tasks for the SSG Port-Bundle Host Key feature. Each task in the list is identified as either required or optional.


Note The SSG Port-Bundle Host Key feature requires Cisco SSD Release 3.0(1) or Cisco SESM Release 3.1(1). If you are using an earlier release of SSD, disable the SSG Port-Bundle Host Key feature using the no ssg port-map enable global configuration command.


To configure the SSG Port-Bundle Host Key feature, complete the following tasks:

Enabling the Host Key (required)

Specifying the Subscriber Traffic to Be Port-Mapped (required)

Specifying the SSG Source IP Addresses (required)

Specifying the Port-Bundle Length (optional)

Verifying the Host Key (optional)


Note All references to SESM also apply to SSD unless a clear distinction is made.


Enabling the Host Key

The port-bundle host key is disabled by default. To enable the port-bundle host key, use the following command in global configuration mode:

Command
Purpose

Router(config)# ssg port-map enable

Enables the port-bundle host key.

Note This command will not take effect until after the router has been reloaded.


Specifying the Subscriber Traffic to Be Port-Mapped

The port-bundle host key requires that you specify the subscriber traffic to be port-mapped. SSG can compare the subscriber traffic against a configured TCP port range or an access list. To specify which subscriber traffic SSG should port-map, use one or both of the following commands in global configuration mode:

Command
Purpose

Router(config)# ssg port-map destination range from port-number-1 to port-number-2 [ip ip-address]

Identifies packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic. Optionally specifies the destination IP address in the packets.

If the destination IP address is not specified, a default network must be configured and routable from SSG in order for this command to be effective.

If the destination IP address is not configured, any traffic going to the default network with the destination port will fall into the destination port range and will be port-mapped.

You can use multiple entries of the ssg port-map destination commands. The port ranges and access lists are checked in the order in which they are defined.

Router(config)# ssg port-map destination access-list access-list-number

Identifies packets for port-mapping by specifying an access list to compare against the subscriber traffic.

A default network must be configured and routable from SSG in order for this command to be effective.

You can use multiple entries of the ssg port-map destination commands. The port ranges and access lists are checked in the order in which they are defined.


Specifying the SSG Source IP Addresses

The SSG Port-Bundle Host Key feature requires that one or more SSG source IP addresses be specified for host key usage. One source IP address will permit the allocation of 4032 unique host keys, assuming a bundle length of 4 bits. For higher subscriber counts, configure additional addresses.


Note All SSG source IP addresses configured using the ssg port-map source ip command must be routable in the management network where the SESM resides.


To specify SSG source IP addresses, use the following command in global configuration mode:

Command
Purpose

Router(config)# ssg port-map source ip {ip-address | interface}

Specifies an SSG source IP address. If you specify an interface instead of an IP address, SSG uses the main IP address of the specified interface.

Note You can use multiple entries of the ssg port-map source ip command.


Specifying the Port-Bundle Length

The port-bundle length is used to determine the number of bundles in one group and the number of ports in one bundle. By default, the port-bundle length is 4 bits. The maximum port-bundle length is 10 bits. See Table 2 for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. Increasing the port-bundle length can be useful when you see frequent error messages about running out of ports in a port bundle; but note that the new value does not take effect until the SSG next reloads and SESM restarts.

Table 2 Port-Bundle Lengths and Resulting Port-per-Bundle and Bundle-per-Group Values

Port-Bundle Length   Number of Ports   Number of Bundles per Group
(in bits)            per Bundle        (and per SSG Source IP Address)
0                    1                 64512
1                    2                 32256
2                    4                 16128
3                    8                 8064
4 (default)          16                4032
5                    32                2016
6                    64                1008
7                    128               504
8                    256               252
9                    512               126
10                   1024              63



Note For each SESM server, all connected SSGs must have the same port-bundle length, which must correspond to the configured value given in the SESM server's BUNDLE_LENGTH argument. If you change the port-bundle length on an SSG, be sure to make the corresponding change in the SESM configuration.
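The arithmetic behind Table 2, generalized so that a translated source port seen on the SESM side can be resolved to its host key. This is an added example, not Cisco code: the function names are hypothetical, and the rules that ports below 1024 are never mapped and that the bundle number equals the mapped port shifted right by the bundle length are assumptions inferred from Table 2 and the sample show output on this page.

```python
"""Port-bundle arithmetic for the SSG Port-Bundle Host Key feature (added example)."""
from math import ceil

PORT_SPACE = 65536          # TCP ports 0..65535
RESERVED_LOW_PORTS = 1024   # assumption: 64512 in Table 2 is 65536 - 1024
MAX_BUNDLE_LENGTH = 10      # maximum port-bundle length stated on the page


def bundle_geometry(length_bits):
    """Return (ports_per_bundle, bundles_per_group) for a port-bundle length."""
    if not isinstance(length_bits, int) or not 0 <= length_bits <= MAX_BUNDLE_LENGTH:
        raise ValueError("port-bundle length must be an integer from 0 to 10")
    ports_per_bundle = 1 << length_bits
    bundles_per_group = (PORT_SPACE - RESERVED_LOW_PORTS) >> length_bits
    return ports_per_bundle, bundles_per_group


def host_key_for(ssg_source_ip, mapped_port, length_bits):
    """Resolve a translated source port to the host key it belongs to.

    Assumption (inferred from the page's samples, where bundle 64 holds mapped
    ports 1024-1028 at length 4): bundle number = mapped port >> length.
    """
    ports_per_bundle, _ = bundle_geometry(length_bits)
    if not RESERVED_LOW_PORTS <= mapped_port < PORT_SPACE:
        raise ValueError("mapped port outside the range 1024-65535")
    bundle = mapped_port >> length_bits
    base_port = bundle << length_bits
    return {
        "host_key": f"{ssg_source_ip}:{bundle}",
        "bundle": bundle,
        "port_range": (base_port, base_port + ports_per_bundle - 1),
        # The base port signals "no state or state changed" to the SESM server.
        "is_base_port": mapped_port == base_port,
    }


def source_ips_needed(subscribers, length_bits):
    """Number of SSG source IP addresses needed for a subscriber count."""
    _, bundles_per_ip = bundle_geometry(length_bits)
    return ceil(subscribers / bundles_per_ip)


if __name__ == "__main__":
    for bits in range(MAX_BUNDLE_LENGTH + 1):
        print(bits, *bundle_geometry(bits))
    # Same port, different assumed lengths: the bundle number changes, which is
    # why SSG and the SESM BUNDLE_LENGTH argument must agree.
    print(host_key_for("70.13.60.3", 1040, 4))
    print(host_key_for("70.13.60.3", 1040, 6))
```
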


To modify the port-bundle length upon the next SSG reload, enter the following command in global configuration mode:

Command
Purpose

Router(config)# ssg port-map length bits

Modifies the port-bundle length, which is used to determine the number of ports per bundle and the number of bundles per group, as detailed in Table 2.

Note This command will not take effect until after the router has been reloaded.


Verifying the Host Key


Step 1 To verify the SSG Port-Bundle Host Key configuration, use the show running-config command in privileged EXEC mode.

Step 2 To display a summary of all port-bundle groups, use the show ssg port-map status command with no keywords:

Router# show ssg port-map status

Bundle-length = 4

Bundle-groups:-

IP Address              Free Bundles            Reserved Bundles         In-use Bundles
70.13.60.2                      4032                    0                      0

Step 3 Use the show ssg port-map status command with the free, reserved, or inuse keyword to display port bundles with the specified status:

Router# show ssg port-map status inuse

Bundle-group 70.13.60.2 has the following in-use port-bundles:-

Port-bundle             Subscriber Address              Interface

64                      10.10.3.1                       Virtual-Access2

Step 4 To display information about a specific port bundle, use the show ssg port-map ip command:

Router# show ssg port-map ip 70.13.60.2 port 64

State = IN-USE
Subscriber Address = 10.10.3.1
Downlink Interface = Virtual-Access2

Port-mappings:-

Subscriber Port:   3271                Mapped Port:   1024
Subscriber Port:   3272                Mapped Port:   1025
Subscriber Port:   3273                Mapped Port:   1026
Subscriber Port:   3274                Mapped Port:   1027
Subscriber Port:   3275                Mapped Port:   1028


Monitoring and Maintaining SSG Port-Bundle Host Key

To monitor and maintain the SSG Port-Bundle Host Key feature, use the following commands in privileged EXEC mode:

Command
Purpose

Router# debug ssg port-map events

Displays port mapping event messages.

Router# debug ssg port-map packets

Displays port mapping packet contents.

Router# clear ssg connection ip-address service-name interface

Removes the connections of a given host and a service name.

Router# clear ssg host ip-address interface

Removes or disables a given host or subscriber.

Router# show ssg connection ip-address service-name interface

Displays the connections of a given host and a service name.

Router# show ssg host ip-address interface

Displays the information about a subscriber and current connections of the subscriber.

Router# show ssg port-map ip ip-address port port-number

Displays the following information about a port bundle:

Port maps in the port bundle

Subscriber's IP address

Interface through which the subscriber is connected

Router# show ssg port-map status [free | reserved | inuse]

Displays information on port-bundle groups, including the following:

List of port-bundle groups

Port-bundle length

Number of free, reserved, and in-use port bundles in each group


Configuration Example

This section provides the following configuration example:

SSG Port-Bundle Host Key Example

SSG Port-Bundle Host Key Example

In the following example, packets that match the specified TCP port range or that are permitted by access list 100 will be port-mapped. Loopback1 is specified as the SSG source IP address.

ssg port-map enable
ssg port-map destination range 8080 to 10100 ip 70.13.6.100
ssg port-map destination access-list 100
ssg port-map source ip Loopback1

Command Reference

This section documents modified commands. All other commands used with this feature are documented in the Service Selection Gateway feature module for Cisco IOS Release 12.2(8)T or the Cisco IOS Release 12.2 command reference publications.

debug ssg port-map

show ssg port-map ip

show ssg port-map status

ssg port-map destination access-list

ssg port-map destination range

ssg port-map enable

ssg port-map length

ssg port-map source ip

debug ssg port-map

To display debug messages for port-mapping, use the debug ssg port-map command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug ssg port-map {events | packets}

no debug ssg port-map {events | packets}

Syntax Description

events

Displays messages for port-map events: create and remove.

packets

Displays port-map packet contents and port address translations.


Defaults

Disabled

Command Modes

Privileged EXEC

Command History

Release      Modification
12.2(2)B     This command was introduced on the Cisco 6400 series.
12.2(4)B     This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

This command displays debug messages for the creation of port maps.

Examples

Using the debug ssg port-map command generates the following output when a subscriber logs in to a service:

Router# debug ssg port-map event
SSG port-map events debugging is on

Router# show debug

SSG:
  SSG port-map events debugging is on
Router#
00:46:09:SSG-PMAP:Changing state of port-bundle 70.13.60.3:65 from FREE to RESERVED
00:46:09:SSG-PMAP:Changing state of port-bundle 70.13.60.3:65 from RESERVED to INUSE
00:46:10:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access2, changed state to up
Router#
00:46:25:SSG-PMAP:Allocating new port-mapping:[4148<->1040] for port-bundle 70.13.60.3:65
00:46:29:SSG-PMAP:Allocating new port-mapping:[4149<->1041] for port-bundle 70.13.60.3:65
00:46:31:SSG-PMAP:Allocating new port-mapping:[4150<->1042] for port-bundle 70.13.60.3:65
00:46:31:SSG-PMAP:Allocating new port-mapping:[4151<->1043] for port-bundle 70.13.60.3:65
00:46:31:SSG-PMAP:Allocating new port-mapping:[4152<->1044] for port-bundle 70.13.60.3:65


Router# debug ssg port-map packets

SSG port-map packets debugging is on
Router#
00:51:55:SSG-PMAP:forwarding non-TCP packet
00:51:55:SSG-PMAP:forwarding packet
00:51:55:SSG-PMAP:forwarding non-TCP packet
00:51:55:SSG-PMAP:forwarding packet
00:51:55:SSG-PMAP:forwarding non-TCP packet
00:52:06:SSG-PMAP:srcip:70.13.6.100 srcport:8080  dstip:70.13.60.3 dstport:1044
00:52:06:SSG-PMAP:TCP flags:5011  Seq no:1162897784 Ack no:-1232234715
00:52:06:SSG-PMAP:received TCP-FIN packet
00:52:10:SSG-PMAP:cef:packet bound for default n/w
00:52:10:SSG-PMAP:Checking port-map ACLs
00:52:10:SSG-PMAP:Port-map ACL check passed
00:52:10:SSG-PMAP:cef:punting TCP-SYN packet to process
00:52:10:SSG-PMAP:packet bound for default n/w
00:52:10:SSG-PMAP:fast:punting TCP-SYN packet to process
00:52:10:SSG-PMAP:packet bound for default n/w
00:52:10:SSG-PMAP:translating source address from 10.3.6.1 to 70.13.60.3
00:52:10:SSG-PMAP:translating source port from 4158 to 1040
00:52:10:SSG-PMAP:srcip:70.13.6.100 srcport:8080  dstip:70.13.60.3 dstport:1040
00:52:10:SSG-PMAP:TCP flags:6012  Seq no:1186352744 Ack no:-1232047701
00:52:10:SSG-PMAP:translating destination address from 70.13.60.3 to 10.3.6.1
00:52:10:SSG-PMAP:translating destination port from 1040 to 4158
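A parser for the debug output above that rebuilds the port-map table and attributes a flow seen at the SESM server (SSG source IP and source port) back to a subscriber. This is an added example, not Cisco code: the function names are hypothetical, the sample lines are copied from the output on this page, and the check that a mapped port belongs to its bundle assumes bundle number = mapped port shifted right by the bundle length, as inferred from the page's samples.

```python
import re

# Lines copied from the two debug examples on this page (port-bundle length 4).
SAMPLE_DEBUG = """\
00:46:09:SSG-PMAP:Changing state of port-bundle 70.13.60.3:65 from FREE to RESERVED
00:46:09:SSG-PMAP:Changing state of port-bundle 70.13.60.3:65 from RESERVED to INUSE
00:46:10:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access2, changed state to up
Router#
00:46:25:SSG-PMAP:Allocating new port-mapping:[4148<->1040] for port-bundle 70.13.60.3:65
00:46:29:SSG-PMAP:Allocating new port-mapping:[4149<->1041] for port-bundle 70.13.60.3:65
00:46:31:SSG-PMAP:Allocating new port-mapping:[4150<->1042] for port-bundle 70.13.60.3:65
00:46:31:SSG-PMAP:Allocating new port-mapping:[4151<->1043] for port-bundle 70.13.60.3:65
00:46:31:SSG-PMAP:Allocating new port-mapping:[4152<->1044] for port-bundle 70.13.60.3:65
00:52:10:SSG-PMAP:translating source address from 10.3.6.1 to 70.13.60.3
00:52:10:SSG-PMAP:translating source port from 4158 to 1040
"""

PMAP_RE = re.compile(r"^\d\d:\d\d:\d\d:SSG-PMAP:(.*)$")
STATE_RE = re.compile(r"Changing state of port-bundle ([\d.]+):(\d+) from (\w+) to (\w+)$")
ALLOC_RE = re.compile(
    r"Allocating new port-mapping:\[(\d+)<->(\d+)\] for port-bundle ([\d.]+):(\d+)$")
SRC_ADDR_RE = re.compile(r"translating source address from ([\d.]+) to ([\d.]+)$")
SRC_PORT_RE = re.compile(r"translating source port from (\d+) to (\d+)$")


def rebuild_port_maps(debug_text, length_bits=4):
    """Rebuild per-host-key state from SSG-PMAP debug lines.

    Returns {"<SSG source IP>:<bundle>": {state, subscriber_ip, mappings, anomalies}}
    where mappings is {mapped port: subscriber port}.
    """
    bundles = {}
    pending_addr = None  # (subscriber IP, SSG source IP) awaiting its port line

    def entry(ssg_ip, bundle):
        return bundles.setdefault(
            f"{ssg_ip}:{bundle}",
            {"state": None, "subscriber_ip": None, "mappings": {}, "anomalies": []},
        )

    for raw in debug_text.splitlines():
        line = PMAP_RE.match(raw.strip())
        if not line:
            continue  # prompts and non-SSG messages such as %LINEPROTO
        msg = line.group(1)
        if m := STATE_RE.match(msg):
            e = entry(m.group(1), int(m.group(2)))
            old, new = m.group(3), m.group(4)
            if e["state"] not in (None, old):
                e["anomalies"].append(f"tracked state {e['state']}, log says {old}")
            e["state"] = new
        elif m := ALLOC_RE.match(msg):
            sub_port, mapped = int(m.group(1)), int(m.group(2))
            ssg_ip, bundle = m.group(3), int(m.group(4))
            e = entry(ssg_ip, bundle)
            # Assumption inferred from the page's samples: bundle = mapped >> length.
            if mapped >> length_bits != bundle:
                e["anomalies"].append(
                    f"mapped port {mapped} not in bundle {bundle} at length {length_bits}")
            e["mappings"][mapped] = sub_port
        elif m := SRC_ADDR_RE.match(msg):
            pending_addr = (m.group(1), m.group(2))
        elif (m := SRC_PORT_RE.match(msg)) and pending_addr:
            sub_ip, ssg_ip = pending_addr
            sub_port, mapped = int(m.group(1)), int(m.group(2))
            e = entry(ssg_ip, mapped >> length_bits)
            e["subscriber_ip"] = sub_ip
            e["mappings"][mapped] = sub_port  # mapped ports are reused; newest wins
            pending_addr = None
    return bundles


def attribute_flow(bundles, ssg_ip, mapped_port, length_bits=4):
    """Resolve an (SSG source IP, source port) pair to (subscriber IP, subscriber port)."""
    e = bundles.get(f"{ssg_ip}:{mapped_port >> length_bits}")
    if e is None or mapped_port not in e["mappings"]:
        return None
    return e["subscriber_ip"], e["mappings"][mapped_port]


if __name__ == "__main__":
    maps = rebuild_port_maps(SAMPLE_DEBUG)
    print(maps)
    print(attribute_flow(maps, "70.13.60.3", 1044))
```

Running the parser with a length other than the one configured on SSG reports every allocation as an anomaly, which is a quick way to spot a bundle-length mismatch in collected logs.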

Related Commands

Command
Description

show ssg port-map ip

Displays information on a particular port bundle.

show ssg port-map status

Displays information on port bundles.


show ssg port-map ip

To display information on a particular port bundle, use the show ssg port-map ip command in privileged EXEC mode.

show ssg port-map ip ip-address port port-number

Syntax Description

ip-address

IP address used to identify the port bundle.

port-number

TCP port number used to identify the port bundle.


Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release      Modification
12.2(2)B     This command was introduced on the Cisco 6400 series.
12.2(4)B     This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

This command displays the following information about a port bundle:

Port maps in the port bundle

Subscriber's IP address

Interface through which the subscriber is connected

Examples

The following output shows the Virtual-Access2 interface connected to the subscriber.

Router# show ssg port-map ip 70.13.60.2 port 64

State = IN-USE
Subscriber Address = 10.10.3.1
Downlink Interface = Virtual-Access2

Port-mappings:-

Subscriber Port:   3271                Mapped Port:   1024
Subscriber Port:   3272                Mapped Port:   1025
Subscriber Port:   3273                Mapped Port:   1026
Subscriber Port:   3274                Mapped Port:   1027
Subscriber Port:   3275                Mapped Port:   1028

Table 3 describes the significant fields shown in the display.

Table 3 show ssg port-map ip Field Descriptions 

Field
Description

State

Port bundle status.

Subscriber Address

Subscriber IP address.

Downlink Interface

Interface through which the subscriber is connected.

Port Mappings

Port maps in the port bundle.

Subscriber Port

Subscriber port number.

Mapped Port

Port assigned by SSG.


Related Commands

Command
Description

show ssg port-map status

Displays information on port bundles.


show ssg port-map status

To display information on port bundles, use the show ssg port-map status command in privileged EXEC mode.

show ssg port-map status [free | reserved | inuse]

Syntax Description

free

(Optional) Lists the port bundles in "free" state for each bundle group.

reserved

(Optional) Lists the port bundles in "reserved" state for each bundle group. Also displays the associated subscriber IP address and interface for each port bundle.

inuse

(Optional) Lists the port bundles in "inuse" state for each bundle group. Also displays the associated subscriber IP address and interface for each port bundle.


Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release      Modification
12.2(2)B     This command was introduced on the Cisco 6400 series.
12.2(4)B     This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

Entered without any keywords, the command displays a summary of all port-bundle groups, including the following information:

A list of port-bundle groups

Port-bundle length

Number of free, reserved, and in-use port bundles in each group

Examples

Display All Bundles Example

The following example shows output for the show ssg port-map status command with no keywords:

Router# show ssg port-map status

Bundle-length = 4

Bundle-groups:-

IP Address              Free Bundles            Reserved Bundles         In-use Bundles
70.13.60.2                      4032                    0                      0

Table 4 describes the significant fields shown in the display.

Table 4 show ssg port-map status Field Descriptions 

Field
Description

Bundle-length

The bundle-length value indicates the number of ports per bundle and the number of bundles per bundle group.

Bundle-groups

List of bundle groups.

IP Address

IP address of a bundle group.

Free Bundles

Number of free bundles in the specified bundle group.

Reserved Bundles

Number of reserved bundles in the specified bundle group.

In-use Bundles

Number of in-use bundles in the specified bundle group.


Display Inuse Bundles Example

The following example shows output for the show ssg port-map status command with the inuse keyword:

Router# show ssg port-map status inuse

Bundle-group 70.13.60.2 has the following in-use port-bundles:-

Port-bundle             Subscriber Address              Interface

64                      10.10.3.1                       Virtual-Access2

Table 5 describes the significant fields shown in the display.

Table 5 show ssg port-map status inuse Field Descriptions 

Field
Description

Port-bundle

Port-bundle number.

Subscriber Address

Subscriber's IP address.

Interface

Interface through which the subscriber is connected.


Related Commands

Command
Description

show ssg port-map ip

Displays information on a particular port bundle.


ssg port-map destination access-list

To identify packets for port-mapping by specifying an access list to compare against the subscriber traffic, use the ssg port-map destination access-list command in global configuration mode. To remove this specification, use the no form of this command.

ssg port-map destination access-list access-list-number

no ssg port-map destination access-list access-list-number

Syntax Description

access-list-number

Integer from 100 to 199 that is the number or name of an extended access list.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release      Modification
12.2(2)B     This command was introduced on the Cisco 6400 series.
12.2(4)B     This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

When the ssg port-map destination access-list command is configured, any traffic going to the default network and matching the access list will be port-mapped.


Note A default network must be configured and routable from SSG in order for this command to be effective.


You can use multiple entries of the ssg port-map destination access-list command. The access lists are checked against the subscriber traffic in the order in which they are defined.

Examples

In the following example, packets permitted by access list 100 will be port-mapped.

ssg port-map enable
ssg port-map destination access-list 100
ssg port-map source ip Ethernet0/0/0
!
....
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 host 70.13.6.100
access-list 100 deny   ip any any

Related Commands

Command
Description

ssg port-map destination range

Identifies packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic.


ssg port-map destination range

To identify packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic, use the ssg port-map destination range command in global configuration mode. To remove this specification, use the no form of this command.

ssg port-map destination range from port-number-1 to port-number-2 [ip ip-address]

no ssg port-map destination range from port-number-1 to port-number-2 [ip ip-address]

Syntax Description

from

Specifies lower end of TCP port range.

port-number-1

Port number at lower end of TCP port range.

to

Specifies higher end of TCP port range.

port-number-2

Port number at higher end of TCP port range.

ip ip-address

(Optional) Destination IP address in the packets.


Defaults

If an IP address is not specified, Service Selection Gateway (SSG) will allow any destination IP address in the subscriber traffic to be port-mapped, as long as the packets match the specified port ranges.

Command Modes

Global configuration

Command History

Release      Modification
12.2(2)B     This command was introduced on the Cisco 6400 series.
12.2(4)B     This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

If the destination IP address is not configured, a default network must be configured and routable from SSG in order for this command to be effective.

If the destination IP address is not configured, any traffic going to the default network whose destination port falls within the destination port range will be port-mapped.

You can use multiple entries of the ssg port-map destination range command. The port ranges are checked against the subscriber traffic in the order in which they were defined.

Examples

In the following example, packets that are going to the default network and have a destination port within the range 8080 to 8081 will be port-mapped:

Router(config)# ssg port-map destination range from 8080 to 8081

Related Commands

Command
Description

ssg port-map destination access-list

Identifies packets for port-mapping by specifying an access list to compare against the subscriber traffic.


ssg port-map enable

To enable the Service Selection Gateway (SSG) port-bundle host key, use the ssg port-map enable command in global configuration mode. To disable the SSG port-bundle host key, use the no form of this command.

ssg port-map enable

no ssg port-map enable

Syntax Description

This command has no arguments or keywords.

Defaults

SSG port-bundle host key is disabled by default.

Command Modes

Global configuration

Command History

Release      Modification
12.2(2)B     This command was introduced on the Cisco 6400 series.
12.2(4)B     This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

This command will not take effect until the router has been reloaded.

The SSG Port-Bundle Host Key feature requires Cisco Service Selection Dashboard (SSD) Release 3.0(1) or Cisco Subscriber Edge Services Manager (SESM) Release 3.1(1). If you are using an earlier release of SSD, use the no ssg port-map enable command to disable the SSG Port-Bundle Host Key feature.

Examples

The following example shows how to enable the SSG port-bundle host key:

Router(config)# ssg port-map enable

Related Commands

Command
Description

ssg port-map destination access-list

Identifies packets for port-mapping by specifying an access list to compare against the subscriber traffic.

ssg port-map destination range

Identifies packets for port-mapping by specifying the TCP port range to compare against the subscriber traffic.

ssg port-map source ip

Specifies SSG source IP addresses to which to map the destination IP addresses in subscriber traffic.


ssg port-map length

To modify the port-bundle length upon the next Service Selection Gateway (SSG) reload, use the ssg port-map length command in global configuration mode. To return the port-bundle length to the default value, use the no form of this command.

ssg port-map length bits

no ssg port-map length bits

Syntax Description

bits

Port-bundle length, in bits. The maximum port-bundle length is 10 bits.


Defaults

4 bits

Command Modes

Global configuration

Command History

Release      Modification
12.2(2)B     This command was introduced on the Cisco 6400 series.
12.2(4)B     This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

The port-bundle length is used to determine the number of bundles in one group and the number of ports in one bundle. By default, the port-bundle length is 4 bits. The maximum port-bundle length is 10 bits. See Table 6 for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. Increasing the port-bundle length can be useful when you see frequent error messages about running out of ports in a port bundle, but note that the new value does not take effect until SSG next reloads and Cisco Service Selection Dashboard (SSD) restarts.


Note For each Cisco SSD server, all connected SSGs must have the same port-bundle length.


Table 6 Port-Bundle Lengths and Resulting Port-per-Bundle and Bundle-per-Group Values

Port-Bundle Length   Number of Ports   Number of Bundles per Group
(in Bits)            per Bundle        (and per SSG Source IP Address)
0                    1                 64512
1                    2                 32256
2                    4                 16128
3                    8                 8064
4 (default)          16                4032
5                    32                2016
6                    64                1008
7                    128               504
8                    256               252
9                    512               126
10                   1024              63


Examples

The following example results in 64 ports per bundle and 1008 bundles per group:

Router(config)# ssg port-map length 6

Related Commands

Command
Description

show ssg port-map status

Displays information on port bundles, including the port-bundle length.


ssg port-map source ip

To specify Service Selection Gateway (SSG) source IP addresses to which to map the destination IP addresses in subscriber traffic, use the ssg port-map source ip command in global configuration mode. To remove this specification, use the no form of this command.

ssg port-map source ip {ip-address | interface}

no ssg port-map source ip {ip-address | interface}

Syntax Description

ip-address

SSG source IP address.

interface

Interface whose main IP address is used as the SSG source IP address.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release      Modification
12.2(2)B     This command was introduced on the Cisco 6400 series.
12.2(4)B     This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

With the SSG Port-Bundle Host Key feature, SSG maps the destination IP addresses in subscriber traffic to specified SSG source IP addresses.

All SSG source IP addresses configured with the ssg port-map source ip command must be routable in the management network where the Cisco SSD resides.

If the interface for the source IP address is deleted, the port-map translations will not work correctly.

Because a subscriber can have several simultaneous TCP sessions when accessing a web page, SSG assigns a bundle of ports to each subscriber. Because the number of available port bundles is limited, you can assign multiple SSG source IP addresses (one for each group of port bundles). By default, each group has 4032 bundles, and each bundle has 16 ports. To modify the number of bundles per group and the number of ports per bundle, use the ssg port-map length global configuration command.

Examples

The following example shows the SSG source IP address specified with an IP address and with specific interfaces:

Router(config)# ssg port-map source ip 10.0.50.1
Router(config)# ssg port-map source ip Ethernet0/0/0
Router(config)# ssg port-map source ip Loopback 1
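
The sizing rules from Table 6 and the one-group-per-source-IP rule above can be checked against saved configurations. The following is an added example, not Cisco code: the function names, the two sample configurations, and the sessions-per-subscriber planning figure are all constructed for illustration.

```python
import re

PORT_POOL = 64512                    # bundles per group at length 0 in Table 6
DEFAULT_LENGTH, MAX_LENGTH = 4, 10   # documented default and maximum, in bits

def bundle_geometry(bits):
    """Return (ports per bundle, bundles per group) for a port-bundle length."""
    if not 0 <= bits <= MAX_LENGTH:
        raise ValueError(f"port-bundle length {bits} outside 0..{MAX_LENGTH}")
    return 1 << bits, PORT_POOL >> bits

def parse_ssg(config):
    """Extract the port-map settings from one SSG's configuration text."""
    state = {"enabled": False, "length": DEFAULT_LENGTH, "sources": []}
    for line in config.splitlines():
        line = line.strip()
        if line == "ssg port-map enable":
            state["enabled"] = True
        elif m := re.fullmatch(r"ssg port-map length (\d+)", line):
            state["length"] = int(m.group(1))
        elif m := re.fullmatch(r"ssg port-map source ip (.+)", line):
            state["sources"].append(m.group(1))
    return state

def audit(ssgs, sessions_per_subscriber):
    """Audit SSGs that share one SSD server; return (parsed, findings)."""
    parsed = {name: parse_ssg(cfg) for name, cfg in ssgs.items()}
    findings = []
    if len({p["length"] for p in parsed.values()}) > 1:
        findings.append("port-bundle length differs between SSGs on one SSD")
    for name, p in parsed.items():
        ports, bundles = bundle_geometry(p["length"])
        # One bundle per subscriber, one group of bundles per source IP.
        p["capacity"] = bundles * len(p["sources"])
        if not p["enabled"]:
            findings.append(f"{name}: ssg port-map enable is missing")
        if ports < sessions_per_subscriber:
            findings.append(f"{name}: {ports} ports per bundle is below "
                            f"{sessions_per_subscriber} expected sessions")
    return parsed, findings

# Constructed sample configurations (not taken from real devices).
SSG_A = ("ssg port-map enable\nssg port-map length 6\n"
         "ssg port-map source ip 10.0.50.1\nssg port-map source ip Loopback 1\n")
SSG_B = "ssg port-map enable\nssg port-map source ip Ethernet0/0/0\n"

if __name__ == "__main__":
    parsed, findings = audit({"ssg-a": SSG_A, "ssg-b": SSG_B}, 24)
    print(parsed, findings, sep="\n")
```

The audit reads only the stored configuration, so it cannot tell whether a changed length is already active; that still requires the reload described under ssg port-map length.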

Related Commands

Command
Description

ssg port-map length

Modifies the port-bundle length upon the next SSG reload.


Glossary

DHCP—Dynamic Host Configuration Protocol. Protocol that provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.

host key—Combination of port bundle and SSG source IP address that uniquely identifies a subscriber.

NAT—network address translation. A mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space.

PAT—port address translation. A subset of NAT functionality that allows the router to forward packets between a private IP network and the Internet.

RADIUS—Remote Authentication Dial-In User Service. A client/server security protocol created by Livingston Enterprises. Security information is stored in a central location, known as the RADIUS server.

SESM—Subscriber Edge Services Manager. Successor product to the Cisco SSD. SESM is part of a Cisco solution that allows subscribers of digital subscriber line (DSL), cable, wireless, and dial-up to simultaneously access multiple services provided by different Internet service providers, application service providers, and Corporate Access Servers.

SNMP—Simple Network Management Protocol. Network management protocol used almost exclusively in TCP/IP networks. SNMP provides a means to monitor and control network devices and to manage configurations, statistics collection, performance, and security.

SSD—Service Selection Dashboard. The SSD server is a customizable web-based application that works with the Cisco SSG to allow end customers to log in to and disconnect from proxy and pass-through services through a standard web browser. After the customer logs in to the service provider's network, an HTML dashboard is populated with the services authorized for that user.

SSG—Service Selection Gateway.

VPDN—virtual private dial-up network. A VPDN is a network that extends remote access to a private network using a shared infrastructure. VPDNs use Layer 2 tunnel technologies (L2F, L2TP, and PPTP) to extend the Layer 2 and higher parts of the network connection from a remote user across an ISP network to a private network.