Configuring ISG Port-Bundle Host Key
Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module contains information on how to configure ISG port-bundle host key functionality, which maps TCP packets from subscribers to a local IP address for the ISG gateway and a range of ports. This mapping allows an external portal to identify the ISG gateway from which a session originated.
Finding Feature Information
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for ISG Port-Bundle Host Key" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for the ISG Port-Bundle Host Key Feature
• Restrictions for the ISG Port-Bundle Host Key Feature
• Information About ISG Port-Bundle Host Key
• How to Configure ISG Port-Bundle Host Key
• Configuration Examples for ISG Port-Bundle Host Key
• Feature Information for ISG Port-Bundle Host Key
Prerequisites for the ISG Port-Bundle Host Key Feature
For information about release and platform requirements, see the "Feature Information for ISG Port-Bundle Host Key" section.
The external portal must support port-bundle host keys and must be configured with the same port-bundle host key parameters.
Restrictions for the ISG Port-Bundle Host Key Feature
The following restrictions apply to the ISG Port-Bundle Host Key feature:
• The ISG Port-Bundle Host Key feature must be separately enabled at the portal and at all connected ISGs.
• All ISG source IP addresses configured with the source command must be routable in the management network where the portal resides.
• For each portal server, all connected ISGs must have the same port-bundle length.
• The ISG Port-Bundle Host Key feature uses TCP. Packets will not be mapped for a subscriber who is not sending TCP traffic.
• Specifying the Port-Bundle Host Key feature in a user profile will work only when the user profile is available prior to the arrival of IP packets; for example, for PPP sessions or for DHCP-initiated IP sessions with transparent autologon.
Information About ISG Port-Bundle Host Key
Before you configure the ISG Port-Bundle Host Key feature, you should understand the following concepts:
• Overview of ISG Port-Bundle Host Key
• Port-Bundle Host Key Mechanism
• Benefits of ISG Port-Bundle Host Key
Overview of ISG Port-Bundle Host Key
The ISG Port-Bundle Host Key feature serves as an in-band signaling mechanism for session identification at external portals. TCP packets from subscribers are mapped to a local IP address for the ISG gateway and a range of ports. This mapping allows the portal to identify the ISG gateway from which the session originated. The mapping also identifies sessions uniquely even when subscribers have overlapping IP addresses. The ISG Port-Bundle Host Key feature enables a single portal to be deployed for multiple VRFs even when there are subscribers with overlapping IP addresses.
Port-Bundle Host Key Mechanism
With the ISG Port-Bundle Host Key feature, an ISG performs Port-Address Translation (PAT) and Network Address Translation (NAT) on the TCP traffic between the subscriber and the portal. When a subscriber TCP connection is set up, the ISG creates a port mapping that changes the source IP address to a configured ISG IP address and changes the source TCP port to a port allocated by the ISG. The ISG assigns a bundle of ports to each subscriber because one subscriber can have several simultaneous TCP sessions when accessing a web page. The assigned port-bundle host key, or combination of port bundle and ISG source IP address, uniquely identifies each subscriber. The host key is carried in RADIUS packets sent between the portal server and the ISG in the Subscriber IP vendor-specific attribute (VSA). Table 1 describes the Subscriber IP VSA. When the portal server sends a reply to the subscriber, the ISG uses the translation tables to identify the destination IP address and destination TCP port.
For each TCP session between a subscriber and the portal, the ISG uses one port from the port bundle as the port map. Individual port mappings are flagged as eligible for reuse on the basis of inactivity timers, but are not explicitly removed once assigned. The number of port bundles is limited per ISG address, but there is no limit to the number of ISG IP addresses that can be configured for port bundle usage.
Port-Bundle Length
The port-bundle length is used to determine the number of ports in one bundle. By default, the port-bundle length is four bits. The maximum port-bundle length is ten bits. See Table 2 for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. You may want to increase the port-bundle length when you see frequent error messages about running out of ports in a port bundle.
Note: For each portal server, all connected ISGs must have the same port-bundle length, which must correspond to the configured value given in the portal server's BUNDLE_LENGTH argument. If you change the port-bundle length on an ISG, be sure to make the corresponding change in the configuration on the portal.
Note: The Cisco ASR 1000 series routers support a maximum port-bundle length of 7.
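The host-key mapping described under Port-Bundle Host Key Mechanism, and the reason the portal and every ISG must agree on the port-bundle length, worked through as an added Python example (not Cisco IOS or portal-server code). It assumes a bundle is an aligned block of 2^length ports, so the bundle number is the translated source port with its low bits dropped; the ISG address 192.0.2.1, the port values and all function names are constructed for illustration.

```python
# Added illustration; not Cisco IOS or portal-server code.
# ASSUMPTION: a bundle is an aligned block of 2**length TCP ports, so the
# bundle number is the translated source port with its low `length` bits dropped.
from ipaddress import ip_address

MAX_BUNDLE_LENGTH = 10  # from the page: maximum is ten bits (lower bound 0 assumed)


def ports_per_bundle(length):
    """Number of TCP ports in one bundle for a given port-bundle length (bits)."""
    if not 0 <= length <= MAX_BUNDLE_LENGTH:
        raise ValueError(f"port-bundle length {length} is outside 0..{MAX_BUNDLE_LENGTH}")
    return 1 << length


def host_key(isg_ip, src_port, length):
    """Host key (ISG source IP, bundle number) for one inbound TCP connection."""
    if not 0 < src_port <= 65535:
        raise ValueError(f"{src_port} is not a valid TCP port")
    return (str(ip_address(isg_ip)), src_port // ports_per_bundle(length))


def sessions_seen(connections, length):
    """Group (isg_ip, src_port) pairs by the host key derived with `length`."""
    groups = {}
    for isg_ip, src_port in connections:
        groups.setdefault(host_key(isg_ip, src_port, length), []).append(src_port)
    return groups


# Constructed sample: the ISG uses "length 5" (32 ports per bundle) and source
# address 192.0.2.1. Subscriber A holds ports 2048-2079, subscriber B 2080-2111.
ISG_LENGTH = 5
SAMPLE = [("192.0.2.1", p) for p in (2048, 2055, 2079, 2080, 2100)]

if __name__ == "__main__":
    for portal_length in (5, 6, 4):  # matching, too long, too short
        groups = sessions_seen(SAMPLE, portal_length)
        verdict = "match" if portal_length == ISG_LENGTH else "MISMATCH"
        print(f"portal length {portal_length} ({verdict}): {len(groups)} host keys")
        for key, ports in groups.items():
            print(f"  {key[0]}:{key[1]} <- ports {ports}")
```

With the matching length the portal sees two host keys, one per subscriber. A portal length of 6 folds both subscribers into a single key, and a portal length of 4 splits subscriber A across two keys, so a mismatch misattributes sessions rather than failing visibly.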
Benefits of ISG Port-Bundle Host Key
Support for Overlapped Subscriber IP Addresses Extended to Include External Portal Usage
The ISG Port-Bundle Host Key feature enables external portal access regardless of subscriber IP address or VRF membership. Without the use of port-bundle host keys, all subscribers accessing a single external portal must have unique IP addresses. Furthermore, since port-bundle host keys isolate VRF-specific addresses from the domain in which the portal resides, routing considerations are simplified.
Portal Provisioning for Subscriber and ISG IP Addresses No Longer Required
Without the ISG Port-Bundle Host Key feature, a portal must be provisioned for subscriber and ISG IP addresses before the portal is able to send RADIUS packets to the ISG or send HTTP packets to subscribers. The ISG Port-Bundle Host Key feature eliminates the need to provision a portal in order to allow one portal server to serve multiple ISGs and to allow one ISG to be served by multiple portal servers.
How to Configure ISG Port-Bundle Host Key
Perform the following tasks to configure the ISG Port-Bundle Host Key feature:
• Enabling the ISG Port-Bundle Host Key Feature in a Service Policy Map
• Enabling the ISG Port-Bundle Host Key Feature in a User Profile or Service Profile on the AAA Server
• Configuring Port-Bundle Host Key Parameters
• Verifying ISG Port-Bundle Host Key Configuration
Enabling the ISG Port-Bundle Host Key Feature in a Service Policy Map
Perform this task to enable the ISG Port-Bundle Host Key feature in a service policy map. The ISG Port-Bundle Host Key feature will be applied to any subscriber who uses this service policy map.
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map type service policy-name
4. ip portbundle
5. end
DETAILED STEPS
What to Do Next
You may want to configure a method of activating the service policy map or service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services."
Enabling the ISG Port-Bundle Host Key Feature in a User Profile or Service Profile on the AAA Server
Perform this task to enable the ISG Port-Bundle Host Key feature in a user profile or service profile on the AAA server.
SUMMARY STEPS
1. Add the Port-Bundle Host Key attribute to the user or service profile.
DETAILED STEPS
What to Do Next
If you enabled the ISG Port Bundle Host Key feature in a service profile, you may want to configure a method of activating the service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services."
Configuring Port-Bundle Host Key Parameters
Perform this task to configure ISG Port-Bundle Host Key parameters and specify the interface for which ISG will use translation tables to derive the IP address and port number for downstream traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip portbundle
4. match access-list access-list-number
5. length bits
6. source interface-type interface-number
7. exit
8. interface type number
9. ip portbundle outside
DETAILED STEPS
| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | enable | Router> enable | Enables privileged EXEC mode. • Enter your password if prompted. |
| Step 2 | configure terminal | Router# configure terminal | Enters global configuration mode. |
| Step 3 | ip portbundle | Router(config)# ip portbundle | Enters IP portbundle configuration mode. |
| Step 4 | match access-list access-list-number | Router(config-portbundle)# match access-list 101 | Specifies packets for port-mapping by specifying an access list to compare against the subscriber traffic. |
| Step 5 | length bits | Router(config-portbundle)# length 5 | Specifies the ISG port-bundle length, which determines the number of ports per bundle and bundles per group. See the section "Port-Bundle Length" for more information. • The default is 4. • The Cisco ASR 1000 series routers support a maximum port-bundle length of 7. |
| Step 6 | source interface-type interface-number | Router(config-portbundle)# source loopback 0 | Specifies the interface for which the main IP address will be mapped by ISG to the destination IP addresses in subscriber traffic. • It is recommended that you use a loopback interface as the source interface. |
| Step 7 | exit | Router(config-portbundle)# exit | Returns to privileged EXEC mode. |
| Step 8 | interface type number | Router(config)# interface gigabitethernet 0/0/0 | Specifies an interface for configuration. |
| Step 9 | ip portbundle outside | Router(config-if)# ip portbundle outside | Configures ISG to reverse translate the destination IP address and TCP port to the actual subscriber IP address and TCP port for traffic going from the portal to the subscriber for the interface being configured. |
Verifying ISG Port-Bundle Host Key Configuration
Perform this task to display information about ISG port-bundle host key configuration.
SUMMARY STEPS
1. enable
2. show ip portbundle status [free | inuse]
3. show ip portbundle ip portbundle-ip-address bundle port-bundle-number
4. show subscriber session [detailed] [identifier identifier | uid session-id | username name]
DETAILED STEPS
Configuration Examples for ISG Port-Bundle Host Key
This section contains the following example:
• ISG Port-Bundle Host Key Configuration: Example
ISG Port-Bundle Host Key Configuration: Example
The following example shows how to configure the ISG Port-Bundle Host Key feature to apply to all sessions:
policy-map type service ISGPBHKService
 ip portbundle
!
policy-map type control PBHKRule
 class type control always event session-start
  1 service-policy type service ISGPBHKService
!
service-policy type control PBHKRule
interface gigabitethernet0/0/0
 ip address 10.1.1.1 255.255.255.0
 ip portbundle outside
!
ip portbundle
 match access-list 101
 length 5
 source loopback 0
Additional References
The following sections provide references related to the ISG Port-Bundle Host Key feature.
Related Documents
| Related Topic | Document Title |
|---|---|
| ISG commands | Cisco IOS Intelligent Services Gateway Command Reference |
Feature Information for ISG Port-Bundle Host Key
Table 3 lists the features in this module and provides links to specific configuration information. For information about a feature in this technology that is not documented here, see the "Intelligent Services Gateway Features Roadmap."
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 3 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.