BRKSPG-3304
2011, 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
The Next Wave of Broadband
User Centric Network
Identity and Services
Access Technology Abstraction
Intelligent Services Gateway (ISG)
ISG Overview
What is ISG?
Northbound Interfaces
ISG Sessions
ISG Services
Cisco Policy Language
Converged
All in One
Networks
Converged
User Centric
Networks
Increased revenue by
decreasing cost of managing
and maintaining multiple
networks
Log in
Add Services
Pay As You
Go!
Pay What
You Use!
Broadband
Light
Broadband
Basic
Broadband
Premium
Buy credit
Buy
Buy: $19.99
Buy: $29.99
Buy: $39.99
Add Value
Branded
VoD
($4.99/movie)
Branded
Phone
Branded
TV
($15.99 + LD)
($29.99)
Identity
Subscriber
Sessions
Differentiated
Services
Dynamic Service
Management
Who subscriber is
Where he is
What he requires
Session creation/
authentication
Intelligent
Services
Gateway
Dynamic Policy
Push and Pull
Subscriber
Services
ISG
Identities
Services
Subscriber Authentication(*)
[Figure: a Subscriber Session shown at times T0, T1, T2 ... TN. IP Addr: 10.1.1.211. Username: ? in the earlier snapshots, Username: Brian in the later ones. Services shown on the session: DEFAULT_SRV, PPU_SRV, PREMIUM_FR_SRV.]
DEFAULT_SRV: Only permits management traffic through the session
PPU_SRV, Pay Per Use Service:
- Permits all traffic
- 512K/1Mbps US/DS
- Accounting enabled on session
PREMIUM_FR_SRV, Flat Rate Premium Data Service:
- Permits all traffic
- 1M/8Mbps US/DS
DSL
DSLAM
Cable
Walled Garden
ATM/Ethernet
Switch
CMTS
BRAS/BNG
Open Garden
Access
Ethernet
Distribution
Access Technology:
Legacy DSL/ATM
Metro Ethernet, Wireless LAN, Cable
802.11 or
802.16
Access Protocol:
IP
PPP
What Is ISG?
Subscriber Policy Layer
Policy
Server
AAA
Server
Web
Portal
DHCP
Server
Open
Northbound
Interfaces
Subscriber
Identity
Management
ISG
Policy
Management
and
Enforcement
ISG
Platforms
Different Products for Different Solution Segments
ASR 5000
Fixed Mobile Convergence
ASR 1000
Current Primary BNG
Platform
ASR 9000
Emerging Large Scale BNG
Platform
ISG Overview
Policy
Server
Web
Portal
DHCP
Server
Internet/Core
Guest
Portal
Open Garden
Video
Audio
Servers
Walled Garden
Deployed at access or
service edge
Subscriber Identification
Subscriber Services
Determination and Enforcement
Subscriber Authentication
Network
Layer
Event
Guest
Portal
Open Garden
Guest
Portal
Walled Garden
Open Garden
Walled Garden
Policy
Server
Web
Portal
DHCP
Server
Subscriber 1
Subscriber 1
session
Subscriber 2
Internet/Core
Guest
Portal
Subscriber 3
Open Garden
Walled Garden
Video
Audio
Servers
Subscriber 2
session
Subscriber 3
session
Authentication
Session
Termination
Ethernet sessions
Statically Created Sessions:
Interface sessions (IP-based)
Service
Activation
Ethernet sessions
PPP Sessions (Virtual Template w/ Virtual Access (sub)Interfaces)
- PPPoA: IP / PPP / 1483 / AAL5 / ATM / Phy
- PPPoEoA: IP / PPP / PPPoE / Eth / 1483 / AAL5 / ATM / Phy
- PPPoEoE / PPPoEoVLAN / PPPoEoQnQ: IP / PPP / PPPoE / .1Q QnQ / Eth / Phy
- PPPoL2TP: IP / PPP / L2TP / IP/UDP / ATM, Eth, .. / Phy
IP Sessions
- IP, Layer2 Connected: IP / Eth / Phy; native IP capable transport technologies (Ethernet, 802.11, 802.16)
- IP, Routed: IP / Eth / Phy; any access technology
IP Sessions - FSOL
DHCP
DHCP discover
RADIUS
RADIUS
Access Request OR
Accounting Start
Wireless
Client
AP
Session Authentication
ISG Session
Web Logon
Authentication Is Not Mandatory on a Session,
but Used in Most Situations
Session Authentication: IP
ISG Session
IP common scenarios
+
Web Logon
Web
Portal
AAA
Server
RADIUS
Username: WebLogon
Username
Data Traffic
redirection
DHCP exchange
AAA
Server
RADIUS
Username:
MAC:RemoteID:CircuitID
EAP Auth
(EAP based auth)
EAP
Wireless
Client
AAA
Server
RADIUS
RADIUS
Username:
EAP username
AP
TAL:IP/MAC
Data Traffic
AAA
Server
RADIUS
Username:
MAC or IP
DHCP
Client
AAA
Server
L3 cloud
DHCP Address Assignment exchange
Data Traffic
DHCP LeaseQuery
(Client IP)
DHCP LeaseActive
(Client IP->MAC)
RADIUS Access Request
username: Client MAC
RADIUS Access Accept
username: Client MAC
- Client MAC address not directly available to ISG in routed scenarios with external DHCP server
- DHCP Leasequery can be used to retrieve Client MAC address from DHCP Server
- Retrieved MAC address can be used:
  - for MAC based authentication
  - as Calling-Station-ID in Accounting Records
Session Termination
ISG Session
Web
Portal
RADIUS CoA
Account-Logoff
IP Sessions Exclusively
ICMP/ARP keepalive failure
Keepalive failure
DHCP
DHCP Release
Policy
Manager
RADIUS PoD
EAP
Wireless
Client
OR DHCP
lease expiry
DHCP
initiated
sessions
only
RADIUS
RADIUS
Accounting Stop
AP
ISG Services
ISG services
Features
Portbundle (PBHK)
Keepalives: ICMP and ARP based
Timeouts:
Idle, Absolute
Traffic
Conditioning
QoS:
Security:
Traffic
Forwarding
Control
Traffic
Accounting
PostPaid
Prepaid: Time/Volume based
Tariff Switching
Interim
Broadcast
Policing, MQC
Per User ACLs
ISG services
ACL
TC1
ACL
TC2
ACL
SubscriberX
Data
Classification
Subscriber Session
TC3
Flow
Features
Session
Features
grouped in
Session
Services
Subscriber Data
Internet/Core
Guest
Portal
Open Garden
Web DHCP
Portal Server
Video
Audio
Servers
Walled Garden
ISG services
Session
Portbundle (PBHK)
Session
Administration
Absolute/Idle Timeouts
ICMP and ARP keepalives
Policing
Traffic
Conditioning
MQC
Per User ACLs
Traffic
Forwarding
Control
Traffic
Accounting
Redirection
VRF assignment
L2TP assignment
Postpaid Accounting
x
x
x
x
x
x
x
x
x
x
Prepaid Accounting
Traffic Class
(TC)
x
x
x
x
Note: Restrictions apply; verify feature availability on your platform with the feature navigator
No limit in number of
services per session
Standalone features
Subscriber Session
Feature 1
Feature 2
FeatureN
Feature
Session
Service
ISG services
Once activated, a
standalone feature can be
modified, but not removed
TC Service
TC ACL
Feature 1
No limit in number of
features per session
FeatureN
Service3
ServiceM
TC Services
No limit in number of features per service
No limit in number of services per session
Only a single service at the time applied to traffic
Priority based
ISG services
[Figure: Data entering a Subscriber Session is classified by ACLs into traffic classes TC1 and TC2 and a DefaultClass. Session Service, TC1Service (priority 10) and TC2Service (priority 20) each group features (Feature 1, Feature 2, Feature 3); a Traffic Forwarding Service is also shown.]
- Session Features: apply to the entire session (e.g. per-user ACL, Policing, MQC, Accounting)
- Traffic Classification: using traffic classes (class-map type traffic)
- Flow-Features: apply to the classified flow (a portion of entire session traffic)
- Forwarding Service: Forwarding (at L2, e.g. L2TP) or Routing (at L3, e.g. VRF); mutually exclusive
ISG services
[Figure: the same diagram with added labels: permit / deny on the TC1 and TC2 ACLs, and DefaultClass: Allow traffic or drop traffic.]
Defining Services
ISG services: Location and Download

AAA Server
- Services defined in Service Profiles
- Standard and Vendor Specific RADIUS attributes used
- On demand download on a need basis
- RADIUS Access-request: Username: Premium_HSI, Password: <service pwd>
- RADIUS Access-accept: Features associated w/ service

Policy Manager (supporting the SGI Interface)
- Services defined in XML
- Pre-download of all existing services
- Definition of all existing Services typically pre-downloaded on Box
- SGI Request; SGI Response: Premium, Standard, Basic HSI service definitions

ISG
- Services pre-configured using CLI
- Services defined on Service Policies: policy-map type service <name>
Manager/Web Portal
from
external PM
Administrator
Subscriber Policy Layer
Subscriber
from
data
plane
Control Policy
plane plane
RADIUS
CoA or SGI
Request
RADIUS
Acc-accept
actions
Data
plane
events
RADIUS
Acc-req
ISG services
Subscriber
Subscriber is successfully
authenticated
RADIUS Response includes
Services and Features to activate
on Session (from UserProfile)
Session
Authentication
Session
Service
Activation
Session
Life Cycle
Termination
described using
Cisco
Policy
Language
policy-map type control <name>
- Typically applied on interface
- Defines all aspects of session processing
- Structure: an event followed by its actions (action1, action2, more actions for event ...), then event 2 ..., more events
Events:
- Session-start
- Account-logon
- Service-start
- ...
Actions:
- apply/unapply a service
- authenticate (Web Logon)
- authorize (TAL)
- ...
Condition:
- Qualify in what cases the event is valid
- Configured as a control class: class-map type control <name>
- always: The event is always valid
Example (Event 1 with Action 1 and Action 2):
class type control always event session-start
 10 service-policy type service name <service name>
 20 authorize aaa password lab identifier mac
Session
Condition
Event
Condition
Control Class:
List of Actions
1. Disable Service B
2. Enable Service A
Control Class:
List of Actions
1. Enable Service X
2. Enable Service Y
3. Take Action R
Event
Condition
Event
Event
Control Class:
List of Actions
1. Enable Service PBHK
2. Take action AAA
3. Enable Service L4R
4. Take action: Set Timer
.12
.10
192.168.110.0/24
f1/0 .2
g0/0.1
Internet
Lo0 = 10.0.0.1
Address Assmt.: DHCP (ISG is DHCP Relay)
Session Initiator: DHCP
Interf.: GE (.1Q)
Authentication: TAL (mac address) w/ Web Logon fall back for Self Subscription
1a
DHCP Discover
Session-start
event posted
4a username = mac
Access-Reject
<snip>
4b
DHCP Discover
1c DHCP Exchange
(*) assumes that the definition
of PBHK, L4R and
OpenGarden are already
available on the ISG
Call Flows
http://www.cisco.com
8
9
L4Redirect to Portal
AccountLogon
event
10b
posted
11a
10a
Access-Accept
service: BASIC_HSI_SRV
Service-start
11c event
posted
12a
<snip>
Access-Request
username, password
11b
Access-Request
BASIC_HSI_SRV, srvpwd
Access-Accept
BASIC_HSI_SRV definition
13 BASIC_HSI_SRV is applied
12b
10c
http://www.cisco.com
16
Simplified call flow
class type control always event account-logon
 10 authenticate aaa list IP_AUTHEN_LIST
 20 service-policy type service unapply name L4R_SRV
 30 service-policy type service unapply name OG_SRV
!
class type control BASIC_HSI_SRV_CM event service-start
 10 service-policy type service identifier servicename
Call-flow steps marked on this configuration: 10b, 11a, 15, 11c, 12a, 12b
Service-Name: BASIC_HSI_SRV
Service-Password: servicecisco
Attr 28: idle-timeout = 600
AVPair: subscriber:accounting-list=IP_ACCNT_LIST
ServiceInfo: QU;256000;D;768000;
I. RADIUS interface configuration
aaa new-model
aaa group server radius SERVER_GRP1
server 192.168.110.10 auth-port 1812 acct-port 1813
!
aaa authorization network default group SERVER_GRP1
aaa authorization subscriber-service default group SERVER_GRP1
subscriber service password servicecisco
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
ip radius source-interface Loopback0
radius-server attribute 4 10.0.0.1
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 access-request include
radius-server attribute 55 include-in-acct-req
radius-server attribute 44 include-in-access-req
radius-server host 192.168.110.10 auth-port 1812 acct-port 1813 key aaacisco
radius-server vsa send authentication
radius-server vsa send accounting
Attribute 6 - Service-Type
Attribute 8 - Framed-IP-Address
Attribute 32 - NAS-Identifier
Attribute 44 - Acct-Session-Id
Attribute 55 - Event-Timestamp
II.
Service profiles:

Service-Name = OG_SRV
Service Password = servicecisco
AVPair: ip:traffic-class=input access-group name OG_ACL_IN priority 10
AVPair: ip:traffic-class=output access-group name OG_ACL_OUT priority 10
AVPair: ip:traffic-class=in default drop
AVPair: ip:traffic-class=out default drop

Service-Name = L4R_SRV
Service Password = servicecisco
AVPair: ip:traffic-class=input access-group name L4R_ACL_IN priority 20
AVPair: ip:l4redirect=redirect to group REDIR_GRP

Service-Name = PBHK_SRV
Service Password = servicecisco
AVPair: ip:portbundle=enable

Service-Name: BASIC_HSI_SRV
Service-Password: servicecisco
Attr 28: idle-timeout = 600
AVPair: subscriber:accounting-list=IP_ACCNT_LIST
ServiceInfo: QU;256000;D;768000;

Associated configurations on the ISG (labels on the slide: OpenGarden service, L4R service, PBHK service):

interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet1/0
 description To WebPortal
 ip address 192.168.110.1 255.255.255.0
 ip portbundle outside
!
ip portbundle
 match access-list 198
 source Loopback0
!
access-list 198 permit ip any host 192.168.110.10
PBHK
PBHK intf = Lo0 (Lo0 = 10.0.0.1)
[Figure: HTTP from subscriber 192.168.30.10 to the portal 192.168.110.10 through the ISG.]
Subscriber side: IP SA: 192.168.30.10, IP DA: 192.168.110.10, TCP: <SSAP>:80
Portal side: IP SA: 10.0.0.1, IP DA: 192.168.110.10, TCP: <pbhk l4 sport>:80
Portal: Activate Service GOLD_DATA; Apply service to 10.0.0.1:<pbhk_id>
PBHK Benefits:
- Support for overlapping host IP addresses
- Subscribers needn't be routable from Portal
- Single Portal can serve multiple ISGs
Basic HSI service associated configurations:
aaa accounting network IP_ACCNT_LIST group SERVER_GROUP1
L4 Redirect
- Subscriber's traffic, matching a flow description, is redirected to a destination and a L4 port defined on the ISG
- Any TCP and UDP traffic can be redirected
- The target server is responsible to handle the redirected traffic
[Figure: HTTP from subscriber 192.168.30.10 to www.cisco.com (198.133.219.25), redirected to 192.168.110.10.]
Before redirect: IP SA: 192.168.30.10, IP DA: 198.133.219.25, TCP: <SSAP>:80
After redirect: IP SA: 192.168.30.10, IP DA: 192.168.110.10, TCP: <SSAP>:<redirect port>
TC Priority
- Defines order in which TC ACLs are matched against incoming traffic
- Lower numerical value -> Higher Priority
- First Match honored
[Figure labels: permit / deny on the L4R_SRV traffic class (L4R_ACL_IN, priority 20).]
Traffic Classification
[Figure: Data entering the Subscriber Session is checked against ACL1 (Traffic Class1, TC1, priority 10) and ACL2 (Traffic Class2, TC2, priority 20), each with permit / deny ("TC1 or TC2 ?"); a Default Class either allows or drops traffic; a Traffic Forwarding Service follows.]
- TC priority is important (order of ACL evaluation)
- Traffic goes to next TC only if not matched by previous
- Lower numerical value -> Higher Priority
- First Match honored
- Flow-Features: Apply to the classified flow (a portion of the entire session data)
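The priority-ordered, first-match traffic-class selection described above, modelled as an added example (not code from the Cisco slides). The AVPairs are the OG_SRV and L4R_SRV profiles from the page; the ACL entries, the helper names and the rule that unmatched traffic is forwarded when no "default drop" is present are assumptions.

```python
import ipaddress
import re

# Service profiles from the page (wrapped AVPair lines joined).
PROFILES = {
    "OG_SRV": [
        "ip:traffic-class=input access-group name OG_ACL_IN priority 10",
        "ip:traffic-class=output access-group name OG_ACL_OUT priority 10",
        "ip:traffic-class=in default drop",
        "ip:traffic-class=out default drop",
    ],
    "L4R_SRV": [
        "ip:traffic-class=input access-group name L4R_ACL_IN priority 20",
        "ip:l4redirect=redirect to group REDIR_GRP",
    ],
}

# Constructed ACL contents: the page names these ACLs but does not show them.
# Each entry is (protocol, destination network, destination port or None).
ACLS = {
    "OG_ACL_IN": [("ip", "192.168.110.10/32", None)],   # open garden: the portal
    "L4R_ACL_IN": [("tcp", "0.0.0.0/0", 80)],           # redirect any HTTP
}

TC_RE = re.compile(
    r"^ip:traffic-class=(input|output) access-group name (\S+) priority (\d+)$")
DEFAULT_RE = re.compile(r"^ip:traffic-class=(in|out) default drop$")


def parse_profiles(profiles):
    """Return (input traffic classes sorted by priority, default action)."""
    classes, default = [], "forward"  # assumption: forward unless 'default drop'
    for service, avpairs in profiles.items():
        for av in avpairs:
            m = TC_RE.match(av)
            if m and m.group(1) == "input":
                classes.append((int(m.group(3)), service, m.group(2)))
            m = DEFAULT_RE.match(av)
            if m and m.group(1) == "in":
                default = "drop"
    # Lower numerical value -> higher priority, so ascending sort is match order.
    return sorted(classes), default


def acl_permits(acl_name, proto, dst, dport):
    """True if any entry of the (constructed) ACL permits this packet."""
    for acl_proto, net, port in ACLS[acl_name]:
        if acl_proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(net):
            continue
        if port is not None and port != dport:
            continue
        return True
    return False


def classify(profiles, proto, dst, dport):
    """First match honored: return the service whose TC ACL matches first."""
    classes, default = parse_profiles(profiles)
    for _priority, service, acl in classes:
        if acl_permits(acl, proto, dst, dport):
            return service
    return "default-" + default


def reprioritize(profiles, service, priority):
    """Copy of the profiles with one service's traffic-class priority changed."""
    out = {name: list(avpairs) for name, avpairs in profiles.items()}
    out[service] = [re.sub(r"priority \d+$", f"priority {priority}", av)
                    for av in out[service]]
    return out


if __name__ == "__main__":
    print(classify(PROFILES, "tcp", "192.168.110.10", 80))   # portal traffic
    print(classify(PROFILES, "tcp", "198.133.219.25", 80))   # other HTTP
    print(classify(PROFILES, "udp", "198.133.219.25", 53))   # everything else
    # Review check: if L4R_SRV were given a lower number than OG_SRV, traffic
    # to the portal itself would land in the redirect class.
    misordered = reprioritize(PROFILES, "L4R_SRV", 5)
    print(classify(misordered, "tcp", "192.168.110.10", 80))
```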
III. Method Lists:
Summary
Summary Slide
The Next Wave of Broadband
User Centric Network
Access Technology Abstraction
ISG Overview
What is ISG?
ISG Sessions
ISG Services
Cisco Policy Language
Key Takeaways
- ISG is a Subscriber Aggregation device that provides Subscriber and Service Management functions
- Can be deployed in several architectures to support wired and wireless subscribers and for both PPP and IP-based subscriber access
- Offers a wide choice of subscriber authentication options, e.g. PPP CHAP/PAP, EAP, TAL, Web Auth, DHCP Authentication
- Multiple, open and standard based northbound interfaces simplify inter-working with existing BackOffice appliances
- Configuration model based on predefined events and user defined actions allows for flexible and fully customizable session and service management
Glossary
Acronyms
AAA
IPoE: IP over Ethernet
SGI
AAL5
ISG
TAL
ACL
ISP
TC: Traffic Class
ATM
L2TP
US: Upstream
BNG
LAC
VC: Virtual Circuit
BRAS
LAN
VLAN: Virtual LAN
CoA: Change of Authorization
LNS
VoIP: Voice over IP
CHAP: Challenge-Handshake Authentication Protocol
MPLS
VoD: Video on Demand
MQC
VPN
CLI
NAS
VRF
CMTS
PAP
VSA
CPE
PBHK
WiMAX
CPL
PON
DHCP
XML
Phy: Physical
DS: Down Stream
PM: Policy Manager
DSL
PPP
DSLAM
PPPoA
EAP
PPPoE
FSOL
PPPoX
GE: Gigabit Ethernet
PTA
PWLAN
IPTV: IP Television
QoS: Quality of Service
HSI
RADIUS
IOS
IP: Internet Protocol
RFC
Q&A