© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public. BRKSPG-3304: Subscriber Aware Ethernet: Traditional Broadband Functions over Next-Gen Carrier Ethernet Networks. Brian Cox, Technical Marketing Engineer.
Transcript
Page 1

Subscriber Aware Ethernet: Traditional Broadband Functions over Next-Gen Carrier Ethernet Networks
Brian Cox, Technical Marketing Engineer

Page 2

Agenda

• The Next Wave of Broadband
  ‒ User Centric Network
  ‒ Identity and Services
  ‒ Access Technology Abstraction
  ‒ Intelligent Services Gateway (ISG)
• ISG Overview
  ‒ What is ISG?
  ‒ Northbound Interfaces
  ‒ ISG Sessions
  ‒ ISG Services
  ‒ Cisco Policy Language
• ISG Configuration Example

Page 3

The Next Wave of Broadband

Page 4

Evolution in Service Provider Network Architectures

Diverged “per Service” Networks → Converged “All in One” Networks → Converged “User Centric” Networks

Converging the networks increases revenue by decreasing the cost of managing and maintaining multiple networks.

Making the converged network user centric increases overall revenue by increasing revenue per user:
• Customized services
• Rapid deployment of new services based on market trends
• Subscriber self-subscription and self-care

Page 5

The New User Experience Enabling the Next Wave of Broadband

Portal mock-up (Register / Log in) with three steps: Add Subscribers, Add Value, Add Services. Offers shown:
• Pay As You Go! (buy credit); Pay What You Use!
• Broadband Light (Buy: $19.99); Broadband Basic (Buy: $29.99); Broadband Premium (Buy: $39.99)
• Branded VoD ($4.99/movie); Branded TV ($29.99); Branded Phone ($15.99 + LD)

Page 6

The Elements of Customization

Identity: the subscriber is identified using multiple dimensions. Identity is gathered:
• From multiple sources and events
• Over the session lifecycle

Differentiated Services: different services and rules are applied based on:
• Who the subscriber is
• Where he is
• What he requires

Dynamic Service Management: services and rules are updated based on:
• How the subscriber behaves
• What he requires NOW

Intelligent Services Gateway: subscriber sessions (session creation/authentication), subscriber services, dynamic policy push and pull.

Page 7

Building the Identity and Assigning Services

Subscriber session on the ISG over time:

T0, DHCP exchange starts:         MAC Addr: 00:DE:34:F1:C0:28  IP Addr: ?           Username: ?      Service: DEFAULT_SRV
T1, DHCP exchange completes (*):  MAC Addr: 00:DE:34:F1:C0:28  IP Addr: 10.1.1.211  Username: ?      Service: DEFAULT_SRV
T2, Subscriber authentication (*): MAC Addr: 00:DE:34:F1:C0:28  IP Addr: 10.1.1.211  Username: Brian  Service: PPU_SRV (Brian subscriber session)
TN, Dynamic service update:       MAC Addr: 00:DE:34:F1:C0:28  IP Addr: 10.1.1.211  Username: Brian  Service: PREMIUM_FR_SRV (Brian subscriber session)

Services:
• DEFAULT_SRV: only permits management traffic through the session
• PPU_SRV, Pay Per Use service: permits all traffic; 512K/1Mbps US/DS; accounting enabled on the session
• PREMIUM_FR_SRV, Flat Rate Premium Data service: permits all traffic; 1M/8Mbps US/DS

(*) Order of operations not representative of a real call flow

Page 8

Access Technology Abstraction

Figure: subscribers on DSL (DSLAM, ATM/Ethernet switch), 802.11 or 802.16 wireless, and cable (CMTS) reach the BRAS/BNG over the access/distribution Ethernet; the Walled Garden and Open Garden sit behind the BNG.

• Subscriber-centric services regardless of access technology and access protocol
• Access technology: legacy DSL/ATM, Metro Ethernet, Wireless LAN, Cable
• Access protocol: IP, PPP

Page 9

What Is ISG?

Cisco Intelligent Services Gateway (ISG) is a licensed feature set on Cisco IOS that provides session management and policy management services to a variety of access networks. It addresses the PPPoE-to-IPoE migration while maintaining all subscriber management functions.

• Subscriber identity management
• Policy management and enforcement
• Open northbound interfaces to the subscriber policy layer: DHCP server, AAA server, policy server, web portal

So focal that the entire device is often referred to as an Intelligent Services Gateway router, or simply “the ISG”.

Page 10

Platforms: Different Products for Different Solution Segments

• ASR 1000: current primary BNG platform
• ASR 9000: emerging large-scale BNG platform
• ASR 5000: fixed mobile convergence

Page 11

ISG Overview

Page 12

ISG’s Place in the Network

• Subscriber identification
• Subscriber authentication
• Subscriber services determination and enforcement
• Dynamic service update
• Deployed at the access or service edge
• Communicates with other devices to control all aspects of subscriber access in the network
• Single point of contact

Figure: the ISG sits between the subscribers and the Internet/Core, the Walled Garden, the Open Garden, the Guest Portal and the Video/Audio servers, and talks to the Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server).

Page 13

ISG’s Dynamic Policy Activation

• Dynamic Policy Push (e.g. “Turbo Button”): triggered by an application/service layer event; the policy is pushed to the ISG from the Policy Server or Web Portal.
• Dynamic Policy Pull (e.g. automatic service-profile download on session establishment): triggered by a network layer event; the ISG pulls the policy from the AAA Server.

Figure: Subscriber Policy Layer (Guest Portal, DHCP Server, AAA Server, Policy Server, Web Portal), Walled Garden and Open Garden around the ISG.

Page 14

The Subscriber Session in ISG

• Construct within Cisco IOS that represents a subscriber
  ‒ subscriber: billable entity and/or an entity that should be authenticated/authorized
• Common context on which services are activated
• Created at the first sign of peer activity (FSOL = First Sign Of Life)

Figure: Subscriber 1, 2 and 3 each get their own ISG session (Subscriber 1 session, Subscriber 2 session, Subscriber 3 session) on the ISG, which fronts the Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server), the Walled Garden, the Guest Portal, the Video/Audio servers, the Open Garden and the Internet/Core.

Page 15

ISG Session Types

• Based on the subscriber access protocol
• Sessions supported:
  ‒ Dynamically created sessions: PPP sessions; IP sessions; IP “subnet” sessions; Ethernet sessions
  ‒ Statically created sessions: interface sessions (IP-based); Ethernet sessions

Session lifecycle: initiation, authentication, service activation, termination

Page 16

Subscriber Dynamic Sessions

PPP sessions (ATM or Ethernet access/distribution):
• PPPoA: Phy / ATM / AAL5 / RFC 1483 / PPP / IP
• PPPoEoA: Phy / ATM / AAL5 / RFC 1483 / Eth / PPPoE / PPP / IP
• PPPoEoE, PPPoEoVLAN, PPPoEoQnQ: Phy / Eth / (.1Q, QnQ) / PPPoE / PPP / IP
• PPPoL2TP: Phy / (ATM or Eth) / IP / UDP / L2TP / PPP / IP
Terminated on a Virtual Template with Virtual Access (sub)interfaces (ATM, Eth, ...)

IP sessions (native IP-capable transport technologies: Ethernet, 802.11, 802.16; any access technology):
• IP, Layer 2 connected: Phy / Eth / IP
• IP, routed: Phy / Eth / IP
Terminated on 802.3-based main interfaces and subinterfaces (.1Q, QnQ)

Page 17

Dynamic Session Initiation

• ISG sessions are initiated at the First Sign of Life (FSOL)
• FSOL depends on the session type

PPP sessions, FSOL: PPP call request (LCP)

IP sessions, FSOL (there are options):
• DHCP: DHCP Discover message; the ISG must be DHCP relay or server
• Data traffic, unclassified MAC or IP: IP packet with unknown MAC or IP source address; use MAC for L2-connected IP sessions, IP for routed IP sessions
• RADIUS: RADIUS Access-Request or Accounting Start from the AP serving the wireless client; the ISG must be a RADIUS proxy; typically used in PWLAN and WiMAX environments

Page 18

Session Authentication

Authentication: allow access to network resources only to recognized users.

Authentication models supported:
• Access protocol native authentication:
  ‒ PPP: CHAP/PAP
  ‒ IP: EAP for wireless client
  ‒ DHCP authentication
• Transparent Auto Logon (TAL):
  ‒ Authenticates using subscriber-related network identifiers
  ‒ e.g. MAC/IP address, DHCP Option 82, PPPoE tags...
• Web Logon

Authentication is not mandatory on a session, but it is used in most situations.

Page 19

Session Authentication: IP

IP, common scenarios (the slide ranks them by deployment likelihood):

TAL: Option 82 auth (RADIUS username: MAC:RemoteID:CircuitID)
• The access switch inserts Option 82 Circuit-ID and Remote-ID in DHCP requests
• The ISG performs authentication using a combination of Circuit-ID and Remote-ID as username
• The ISG session must be DHCP initiated

TAL: IP/MAC (RADIUS username: MAC or IP)
• The ISG performs authentication using identifiers from subscriber traffic (source IP/MAC)
• MAC is typically used in IP L2-connected topologies, IP in IP-routed topologies

Web Logon, alone or combined with TAL (RADIUS username: Web Logon username)
• User traffic is redirected to the Web Portal to enter credentials
• User credentials are propagated to the ISG
• The ISG uses the credentials to authenticate the user with the AAA server
• Applicable to all session types

EAP auth (RADIUS username: EAP username)
• The user starts EAP authentication with the Access Point (AP)
• The ISG impersonates the RADIUS server toward the AP and the RADIUS client toward the real server
• The ISG learns the session authentication status by proxying RADIUS messages between the real RADIUS client and server
• The ISG session must be RADIUS initiated
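As an added example (not code from the slides or from Cisco), the following Python parses a DHCP message the way a relay or server has to before it can build the TAL username the slide gives as MAC:RemoteID:CircuitID: it walks the option TLVs, pulls the RFC 3046 Option 82 sub-options (1 = Circuit-ID, 2 = Remote-ID) and the client hardware address, and refuses Option 82 that arrives with giaddr 0.0.0.0 unless the Layer 2 relay that inserted it is explicitly trusted. The “:” separator, the lower-case hex MAC, the interface names and the DHCPDISCOVER itself are constructed for the example.

```python
"""Added example: DHCP option parsing for Option 82 based TAL."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-option codes


def build_discover(mac: bytes, circuit_id: bytes, remote_id: bytes,
                   giaddr: bytes = b"\0\0\0\0") -> bytes:
    """Constructed DHCPDISCOVER (not a capture): BOOTP header plus options,
    with Option 82 already inserted by the access switch."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, len(mac), 0,            # op=BOOTREQUEST, htype=Ethernet, hlen, hops
                         0x3903F326, 0, 0x8000,        # xid, secs, flags (broadcast)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    relay_info = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
                  + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    options = (DHCP_MAGIC
               + bytes([OPT_MSG_TYPE, 1, 1])                       # DHCPDISCOVER
               + bytes([OPT_RELAY_AGENT, len(relay_info)]) + relay_info
               + bytes([OPT_END]))
    return header + options


def parse_tlv(buf: bytes, end_code=None) -> dict:
    """TLV walk used for the option area and for the Option 82 payload.
    A truncated TLV raises instead of being silently accepted."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD and end_code is not None:   # pad only exists in the option area
            i += 1
            continue
        if code == end_code:
            break
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option %d" % code)
        length = buf[i + 1]
        out[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_dhcp(msg: bytes) -> dict:
    """Return the fields TAL needs: client MAC, giaddr, message type, Option 82 sub-options."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = msg[2]
    opts = parse_tlv(msg[240:], end_code=OPT_END)
    relay = parse_tlv(opts[OPT_RELAY_AGENT]) if OPT_RELAY_AGENT in opts else {}
    return {
        "mac": ":".join("%02x" % b for b in msg[28:28 + hlen]),
        "giaddr": ".".join(str(b) for b in msg[24:28]),
        "msg_type": opts.get(OPT_MSG_TYPE, b"")[:1],
        "circuit_id": relay.get(SUB_CIRCUIT_ID),
        "remote_id": relay.get(SUB_REMOTE_ID),
    }


def tal_username(msg: bytes, trust_l2_relay: bool = False) -> str:
    """Username for the TAL Access-Request. The field order MAC:RemoteID:CircuitID is
    from the slide; the ':' separator and lower-case hex are assumptions of this example.
    Option 82 together with giaddr 0.0.0.0 means a Layer 2 relay (DHCP snooping switch)
    inserted it; refuse it unless that relay is explicitly trusted."""
    f = parse_dhcp(msg)
    if f["circuit_id"] is None or f["remote_id"] is None:
        raise ValueError("no Option 82: cannot build a TAL username")
    if f["giaddr"] == "0.0.0.0" and not trust_l2_relay:
        raise ValueError("Option 82 with giaddr 0.0.0.0 from an untrusted relay")
    return "%s:%s:%s" % (f["mac"],
                         f["remote_id"].decode("ascii", "replace"),
                         f["circuit_id"].decode("ascii", "replace"))
```

The trust check mirrors what the ISG as a DHCP relay does in IOS: packets that carry Option 82 with giaddr 0.0.0.0 are dropped unless `ip dhcp relay information trust-all` or a per-interface `ip dhcp relay information trusted` is configured, so in the L2-connected design on these slides that trust has to be granted deliberately, and only toward access switches that themselves overwrite or drop any client-supplied Option 82. Without that, a subscriber can forge Circuit-ID/Remote-ID and, with MAC spoofing, the entire TAL identity.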

Page 20

MAC Authentication for Routed IP Sessions

• The client MAC address is not directly available to the ISG in routed scenarios (an L3 cloud between the DHCP client and the ISG) with an external DHCP server
• DHCP Leasequery can be used to retrieve the client MAC address from the DHCP server
• The retrieved MAC address can be used:
  ‒ for MAC-based authentication
  ‒ as Calling-Station-Id in accounting records

Call flow: DHCP address assignment exchange between the client and the DHCP server (through the L3 cloud); data traffic from the client reaches the ISG; the ISG sends a DHCP LeaseQuery (client IP) to the DHCP server and receives a DHCP LeaseActive (client IP -> MAC); the ISG sends a RADIUS Access-Request with username = client MAC to the AAA server and receives an Access-Accept.

Page 21

Session Termination

• Keepalive failure (IP sessions exclusively): ICMP keepalives are used for routed sessions, ARP keepalives for L2-connected sessions
• PPP and PPPoX protocol events (PPP sessions exclusively): PPP disconnect; PPP keepalive or L2TP hello failure
• RADIUS PoD (Packet of Disconnect) from the Policy Manager
• DHCP: DHCP Release or DHCP lease expiry (DHCP-initiated sessions only)
• Web Logoff from the Web Portal: RADIUS CoA Account-Logoff
• Idle and absolute timeouts / timer expiry (IP and PPP sessions)
• RADIUS Accounting Stop from the AP (EAP / wireless client scenario)

Page 22

ISG Services

• Service: a collection of features that are applicable on a subscriber session. Service = {feat.1, feat.2, ..., feat.n}
• Primary service: contains one “traffic forwarding” feature and optionally other features; only one primary service can be active on a session

Features:
• Session administration: Portbundle (PBHK); keepalives: ICMP and ARP based; timeouts: idle, absolute
• Traffic conditioning: QoS: policing, MQC; security: per-user ACLs
• Traffic forwarding control (associated to primary services): subscriber address assignment control; redirection: initial, permanent, periodic; VRF assignment: initial, transfer; L2TP assignment
• Traffic accounting: postpaid; prepaid: time/volume based, tariff switching; interim; broadcast

Page 23

ISG Feature Granularity: Per Session or Per Traffic Class (TC)?

• ISG classification resembles Modular QoS CLI (MQC)
• IP ACLs (standard or extended) are used to create differential flows (traffic classes)
• Each traffic class can have a different set of features applied
• A traffic class and its associated features are also referred to as a TC service
• A default TC can be used to drop traffic that could not be classified

Figure: SubscriberX data is classified by ACLs into TC1, TC2 and TC3, each with its own flow features; session features apply to the whole subscriber session; ISG services are grouped in session services.

Page 24

When Should I Use TC Services?

• To identify what traffic should be redirected to an external appliance (Web Logon, periodic advertisement)
• To offer different QoS levels to different flows
• For differentiated billing based on application usage
• To permit Open Garden traffic over an unauthenticated session while dropping all other traffic (default drop)

Figure: subscriber data through the ISG toward the Walled Garden, Guest Portal, Video/Audio servers, Open Garden and Internet/Core, with the Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server).

Page 25

What Goes Where... Applying Features to Session or TC

Feature                          Session   Traffic Class (TC)
Session administration
  Portbundle (PBHK)                x
  Absolute/idle timeouts           x         x
  ICMP and ARP keepalives          x
Traffic conditioning
  Policing                         x         x
  MQC                              x
  Per-user ACLs                    x
Traffic forwarding control
  Redirection                      x         x
  VRF assignment                   x
  L2TP assignment                  x
Traffic accounting
  Postpaid accounting              x         x
  Prepaid accounting               (a single x in the original; the column is not recoverable from the extracted slide)

Note: restrictions apply; verify feature availability on your platform with the Feature Navigator

Page 26

How Many Features in a Service? How Many Services on a Session?

Session services
• No limit in the number of features per service
• A service is the smallest atomic configuration unit that can be activated and deactivated
• Deactivating a service implies deactivating all associated features
• No limit in the number of services per session
• Good practice: different services have different sets of features

TC services
• No limit in the number of features per service
• No limit in the number of services per session
• Only a single service at a time is applied to a given traffic, selected by priority

Standalone features
• Features can be directly enabled on a session without using a service
• Once activated, a standalone feature can be modified, but not removed
• No limit in the number of features per session
• Good practice: standalone features and session service features do not overlap

Figure: a subscriber session carrying session services (Feature 1 ... Feature N per service; Service 3 ... Service M) and TC services (TC ACL plus Feature 1 ... Feature N).

Page 27

ISG Subscriber Session: Building the Data Plane

• Traffic classification uses traffic classes (class-map type traffic): TC ACLs split the subscriber data into TC1, TC2 and the default class
• Flow features apply to the classified flow (a portion of the entire session traffic); each TC service has a priority, e.g. TC1Service: priority 10, TC2Service: priority 20
• Session features apply to the entire session, e.g. per-user ACL, policing, MQC, accounting
• Traffic forwarding service: forwarding (at L2, e.g. L2TP) or routing (at L3, e.g. VRF); the two are mutually exclusive

Page 28

ISG Subscriber Session: Traffic Forwarding

Same data-plane picture as the previous slide (session service with Feature 1..3, TC1Service priority 10 and TC2Service priority 20 over their TC ACLs, default class, traffic forwarding service), with the ACL outcome annotated: permit/deny on each TC ACL, and the default class shown as either allowing or dropping the traffic that no TC classified.

Page 29

Defining Services

Services can be defined in three locations:

• AAA Server (download)
  ‒ Services defined in service profiles; standard and vendor-specific RADIUS attributes used
  ‒ On-demand download on a need basis
  ‒ Call flow: (1) the Premium HSI service should be activated on the session, but no definition is available yet; (2) RADIUS Access-Request, Username: Premium_HSI, Password: <service pwd>; (3) RADIUS Access-Accept with the features associated with the service; (4) service activated on the session and stored in the local cache while in use by at least one session

• Policy Manager supporting the SGI interface (download)
  ‒ Services defined in XML
  ‒ Pre-download of all existing services
  ‒ Call flow: (1) SGI Request for the Premium, Standard and Basic HSI service definitions; (2) SGI Response; (3) the definitions of all existing services are typically pre-downloaded on the box and permanently stored in the local database

• ISG (local)
  ‒ Services pre-configured using CLI
  ‒ Services defined as service policies: policy-map type service <name>
  ‒ Services permanently stored in the local database

Page 30

How Are Services Activated on a Session?

During subscriber authentication/authorization (RADIUS Access-Request / Access-Accept with the AAA Server):
• The subscriber is successfully authenticated
• The RADIUS response includes the services and features to activate on the session (from the user profile)

Via an external Policy Manager / Web Portal:
• A service activation request is sent by the external policy manager via a RADIUS CoA or an SGI Request message

Via the on-box Policy Manager:
• The policy plane determines what actions to take on the session based on events (from the external PM, from the data plane)
• Actions *include* applying a service
• The control plane ensures the actions are taken, i.e. it provisions the data plane
• The data plane enforces traffic conditioning policies on the session

Page 31

ISG Control Policy

Page 32

The On-Box Policy Manager (PM)

Handles all aspects of the subscriber session lifecycle, not just service activation!

Session lifecycle (initiation, authentication, service activation, termination) described using Cisco Policy Language (CPL).

Through CPL and the on-box PM, ISG is not only a Policy Enforcement Point (PEP); it is also a Policy Decision Point (PDP).

Page 33

Cisco Policy Language CLI

policy-map type control <name>
 class type control <conditions> event <event type>
  action1
  .......
 class type control <conditions> event <event type>
  action2
  .......

Control policy-map: typically applied on an interface; defines all aspects of session processing. Each event, qualified by a conditional class of events, maps to an ordered list of actions (more events; more actions per event).

Events are identified by their event type. Common event types:
• Session-start: new session detected
• Account-logon: Account-Logon message received from an external source
• Service-start: new service start request from an external source
• Service-stop: service termination request from an external source
• Timed-policy-expiry: a set timer expired

Event actions are executed only if <conditions> are met for the event:
• Multiple instances of the same event with a unique condition each
• Different set of actions for the same event type
• Conditions account for other aspects surrounding the event

Actions are in an ordered list; a different set of actions per {event, condition}. Common action types:
• Service: used to start a new service
• Service unapply: used to terminate an active service
• Authenticate: used to authenticate a session using the subscriber’s credentials
• Authorize: used to authenticate a session using one or more network identifiers (TAL)
• Set-timer: used to generate an event after a configured amount of time

Page 34

Control Policy Structure

• Configuring ISG mostly implies configuring the control policy
• The control policy determines the operations to be executed on a session upon different events

policy-map type control <map name>
 class type control always event session-start
  10 service-policy type service name <service name>
  20 authorize aaa password lab identifier mac-address
 class type control <condition> event service-start
  ....

Events: session-start, account-logon, service-start, ...
Actions: apply/unapply a service, authenticate (Web Logon), authorize (TAL), ...
Condition: qualifies in what cases the event is valid; configured as a control class: class-map type control <name>. The built-in class “always” means the event is always valid.

Page 35

Defining a Control Policy: policy-map type control

A control policy associates each {condition, event} pair with a control class, i.e. an ordered list of actions (for example: 1. Enable Service X, 2. Enable Service Y, 3. Take Action R; or 1. Disable Service B, 2. Enable Service A).

policy-map type control SUBSCRIBER_RULE
 class type control always event session-start
  10 service-policy type service name PBHK
  20 authorize aaa password lab identifier mac-address
  30 service-policy type service name L4R
  40 set-timer IP_UNAUTH_TIMER 15
 !
 class type control always event account-logon
  10 authenticate aaa list IP_AUTH_LIST
  20 service-policy type service unapply name L4R
 !
 class type control CND_U event timed-policy-expiry
  10 service disconnect
!

The session-start control class reads: 1. Enable service PBHK, 2. Take action AAA (authorize), 3. Enable service L4R, 4. Take action: set timer.

Page 36

ISG as IP Session Aggregator

Page 37

ISG as IP Session Aggregator (L2)

Once authenticated, the subscriber will be assigned a Pay Per Use Standard High Speed service:
• 256 Kbps upstream / 768 Kbps downstream via ISG policing
• Accounting
• Idle timeout (10 min)

Address assignment: DHCP (the ISG is DHCP relay). Session initiator: DHCP. Interface: GE (.1Q). Authentication: TAL (MAC address) with Web Logon fallback for self-subscription.

Topology: subscribers on g0/0.1; ISG Lo0 = 10.0.0.1; f1/0 on 192.168.110.0/24 with the servers at .2, .10 and .12; Internet upstream.

Page 38

Call Flows: L2 IP Session

1a DHCP Discover from the subscriber; session-start event posted; 1b/1c DHCP Discover relayed and the DHCP exchange completes with the DHCP server
2  ISG session creation
3  PBHK service applied (*)
4a Access-Request, username = MAC (TAL)
4b Access-Reject (the MAC is not yet known to the AAA server: the subscriber has not self-registered)
5  OpenGarden and L4R services applied (*)
6  Authentication timer started

(*) assumes that the definitions of PBHK, L4R and OpenGarden are already available on the ISG

interface GigabitEthernet 0/0.1
 encapsulation dot1Q 10
 ip address ...
 service-policy type control IP_SESSION_RULE1
 ip subscriber l2-connected
  initiator dhcp class-aware

policy-map type control IP_SESSION_RULE1
 <snip>
 class type control always event session-start
  10 service-policy type service name PBHK_SRV
  20 authorize aaa list IP_AUTHOR_LIST password cisco123 identifier mac-address
  30 service-policy type service name OG_SRV
  40 service-policy type service name L4R_SRV
  50 set-timer AUTHEN_TMR 10

Page 39

Call Flows: L2 IP Session (continued; simplified call flow)

7   Subscriber browses to http://www.cisco.com; L4 redirect to the portal
8   HTTP redirect; the user self-registers on the portal
9   Portal sends CoA Request Account-Logon (username, password) to the ISG
10a Account-Logon event posted; 10b the account-logon control class runs; 10c CoA Ack Account-Logon
11a Access-Request (username, password) to the AAA server; 11b Access-Accept, service: BASIC_HSI_SRV; 11c service-start event posted
12a Access-Request BASIC_HSI_SRV, srvpwd (service definition download); 12b Access-Accept with the BASIC_HSI_SRV definition
13  BASIC_HSI_SRV is applied
14  Accounting-Request (Start) and response
15  L4R and OpenGarden services are unapplied
16  Subscriber reaches http://www.cisco.com

policy-map type control IP_SESSION_RULE1
 <snip>
 class type control always event account-logon
  10 authenticate aaa list IP_AUTHEN_LIST
  20 service-policy type service unapply name L4R_SRV
  30 service-policy type service unapply name OG_SRV
 !
 class type control BASIC_HSI_SRV_CM event service-start
  10 service-policy type service identifier service-name

aaa authorization subscriber-service default group SERVER_GRP1
subscriber service password servicecisco

Service profile returned by the AAA server (12b):
Service-Name: “BASIC_HSI_SRV”; Service-Password: “servicecisco”; Attr 28: Idle-Timeout = 600; AVPair: “subscriber:accounting-list=IP_ACCNT_LIST”; ServiceInfo: QU;256000;D;768000;

Page 40

Use Case Full Configurations I: Northbound Interfaces

RADIUS interface configuration:

aaa new-model
aaa group server radius SERVER_GRP1
 server 192.168.110.10 auth-port 1812 acct-port 1813
!
aaa authorization network default group SERVER_GRP1
aaa authorization subscriber-service default group SERVER_GRP1
subscriber service password servicecisco
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
ip radius source-interface Loopback0
radius-server attribute 4 10.0.0.1
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 access-request include
radius-server attribute 55 include-in-acct-req
radius-server attribute 44 include-in-access-req
radius-server host 192.168.110.10 auth-port 1812 acct-port 1813 key aaacisco
radius-server vsa send authentication
radius-server vsa send accounting

Attribute 4 - NAS-IP-Address; Attribute 6 - Service-Type; Attribute 8 - Framed-IP-Address; Attribute 32 - NAS-Identifier; Attribute 44 - Acct-Session-Id; Attribute 55 - Event-Timestamp

RADIUS extensions (CoA) interface configuration:

aaa server radius dynamic-author
 client 192.168.110.10 server-key cisco
 auth-type any
 port 1700
! 1700 is the default CoA port

Page 41: CISCOLIVE_IPOE


Use Case Full Configurations: Services (II.)

For each service: the service definition on the AAA server, then the configuration required on the ISG.

PBHK service associated configurations

AAA Server configuration:
 Service-Name = "PBHK_SRV"
 Service-Password = "servicecisco"
 AVPair: ip:portbundle=enable

Cfg required on ISG:
 interface Loopback0
  ip address 10.0.0.1 255.255.255.255
 !
 interface FastEthernet1/0
  description To WebPortal
  ip address 192.168.110.1 255.255.255.0
  ip portbundle outside
 !
 ip portbundle
  match access-list 198
  source Loopback0
 !
 access-list 198 permit ip any host 192.168.110.10

Basic HSI service associated configurations

AAA Server configuration:
 Service-Name = "BASIC_HSI_SRV"
 Service-Password = "servicecisco"
 Attr 28: idle-timeout = 600
 AVPair: "subscriber:accounting-list=IP_ACCNT_LIST"
 ServiceInfo: QU;256000;D;768000;

Cfg required on ISG:
 aaa accounting network IP_ACCNT_LIST group SERVER_GRP1

OpenGarden service associated configurations

AAA Server configuration:
 Service-Name = "OG_SRV"
 Service-Password = "servicecisco"
 AVPair: ip:traffic-class=input access-group name OG_ACL_IN priority 10
 AVPair: ip:traffic-class=output access-group name OG_ACL_OUT priority 10
 AVPair: ip:traffic-class=in default drop
 AVPair: ip:traffic-class=out default drop

Cfg required on ISG:
 ip access-list extended OG_ACL_IN
  permit ip any 192.168.110.0 0.0.0.255
 ip access-list extended OG_ACL_OUT
  permit ip 192.168.110.0 0.0.0.255 any

L4R service associated configurations

AAA Server configuration:
 Service-Name = "L4R_SRV"
 Service-Password = "servicecisco"
 AVPair: ip:traffic-class=input access-group name L4R_ACL_IN priority 20
 AVPair: ip:l4redirect=redirect to group REDIR_GRP

Cfg required on ISG:
 redirect server-group REDIR_GRP
  server ip 192.168.110.10 port <TCP port #>
 !
 ip access-list extended L4R_ACL_IN
  permit tcp any any

Page 42: CISCOLIVE_IPOE


PBHK - Port Bundle Host Key

* Used to generate a host key: a common identifier that the ISG and the Portal can use to reference a subscriber session.
  - Extracted by the Portal from packets sourced by the subscriber.
  - PBHK disabled: host key = IP source address (subscriber IP address).
  - PBHK enabled: the ISG performs a port NAT (PAT)-like operation on subscriber packets destined to the portal; host key = ISG IP address + PBHK ID (the 12 MSBs of the L4 source port).

* PBHK benefits:
  - Support for overlapping host IP addresses
  - Subscribers need not be routable from the Portal
  - A single Portal can serve multiple ISGs

Diagram (subscriber 192.168.30.10, ISG Lo0 = 10.0.0.1, PBHK interface = Lo0, portal 192.168.110.10):
 Subscriber -> ISG: HTTP, IP SA 192.168.30.10, IP DA 192.168.110.10, TCP <SSAP>:80
 ISG -> Portal: HTTP, IP SA 10.0.0.1, IP DA 192.168.110.10, TCP <pbhk l4 sport>:80
 Portal -> ISG: Apply service to 10.0.0.1:<pbhk_id> (Activate Service GOLD_DATA)
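The PBHK operation above, worked through as an added example (not Cisco code): the ISG rewrites portal-bound subscriber packets to its Loopback0 address and a bundled source port, and the portal recovers the session from the ISG address plus the upper 12 bits of that port. It assumes the default bundle length of 4 bits (16 ports per bundle); the session ids, bundle numbering and the second ISG at 10.0.0.2 are constructed.

```python
# Added example, not Cisco code. Assumption: default bundle length of 4 bits (16 ports
# per bundle), so PBHK id = translated L4 source port >> 4; ids and numbering are constructed.
from dataclasses import dataclass, field
from typing import Optional

BUNDLE_BITS = 4                      # assumed default bundle length: 16 ports per bundle
FIRST_BUNDLE = 1024 >> BUNDLE_BITS   # constructed: translated ports start above the well-known range


@dataclass
class Isg:
    """ISG with 'ip portbundle' (match access-list 198, source Loopback0) towards one portal."""
    isg_ip: str                       # Loopback0 address, 10.0.0.1 on the slide
    portal_ip: str                    # the host matched by access-list 198
    bundles: dict[str, int] = field(default_factory=dict)           # session id -> bundle id
    used: dict[int, int] = field(default_factory=dict)              # bundle id -> ports handed out
    flows: dict[tuple[str, int], int] = field(default_factory=dict) # (session, sport) -> new sport

    def translate(self, session_id: str, src_ip: str, src_port: int, dst_ip: str) -> tuple[str, int]:
        """Source address/port the portal sees; only portal-bound packets get the PAT-like rewrite."""
        if dst_ip != self.portal_ip:
            return src_ip, src_port                     # not matched by access-list 198: untouched
        bundle = self.bundles.get(session_id)
        if bundle is None:                              # first portal-bound flow of this session
            bundle = FIRST_BUNDLE + len(self.bundles)   # allocate the next free bundle
            self.bundles[session_id] = bundle
            self.used[bundle] = 0
        flow = (session_id, src_port)
        if flow not in self.flows:                      # each subscriber flow takes one port of the bundle
            if self.used[bundle] >= 1 << BUNDLE_BITS:
                raise RuntimeError(f"port bundle {bundle} exhausted for {session_id}")
            self.flows[flow] = (bundle << BUNDLE_BITS) | self.used[bundle]
            self.used[bundle] += 1
        return self.isg_ip, self.flows[flow]

    def session_for(self, pbhk_id: int) -> Optional[str]:
        """Resolve the portal's 'apply service to <isg_ip>:<pbhk_id>' back to a session."""
        return next((s for s, b in self.bundles.items() if b == pbhk_id), None)


def host_key(src_ip: str, src_port: int) -> tuple[str, int]:
    """What the portal extracts from a packet: ISG address plus the 12 MSBs of the L4 source port."""
    return src_ip, src_port >> BUNDLE_BITS


class Portal:
    """One portal serving several ISGs; it only ever sees ISG addresses, never subscriber ones."""
    def __init__(self, *isgs: Isg) -> None:
        self.isgs = {isg.isg_ip: isg for isg in isgs}

    def identify(self, src_ip: str, src_port: int) -> Optional[tuple[str, str]]:
        isg_ip, pbhk_id = host_key(src_ip, src_port)
        isg = self.isgs.get(isg_ip)
        session = isg.session_for(pbhk_id) if isg else None
        return None if session is None else (isg_ip, session)


def demo() -> dict:
    """Constructed scenario: two ISGs whose subscribers use the same (overlapping) private address."""
    portal_ip = "192.168.110.10"
    isg_a, isg_b = Isg("10.0.0.1", portal_ip), Isg("10.0.0.2", portal_ip)
    portal = Portal(isg_a, isg_b)
    seen_a = isg_a.translate("sess-A", "192.168.30.10", 40001, portal_ip)
    seen_a2 = isg_a.translate("sess-A", "192.168.30.10", 40002, portal_ip)
    seen_b = isg_b.translate("sess-B", "192.168.30.10", 40001, portal_ip)
    internet = isg_a.translate("sess-A", "192.168.30.10", 40003, "198.133.219.25")
    return {"a": seen_a, "a2": seen_a2, "b": seen_b, "internet": internet,
            "who_a": portal.identify(*seen_a), "who_a2": portal.identify(*seen_a2),
            "who_b": portal.identify(*seen_b)}
```

Both subscribers share 192.168.30.10, yet the portal tells them apart because the host keys (10.0.0.1, 64) and (10.0.0.2, 64) differ; a second flow from the same session lands in the same bundle and resolves to the same session.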

Page 43: CISCOLIVE_IPOE

Use Case Full Configurations: Services (II.) (build of the page 41 slide; the PBHK, L4R, OpenGarden and Basic HSI configurations are repeated unchanged)

Page 44: CISCOLIVE_IPOE


L4 Redirect

• Subscriber traffic matching a flow description is redirected to a destination and an L4 port defined on the ISG
• Any TCP and UDP traffic can be redirected
• The target server is responsible for handling the redirected traffic

Diagram (subscriber 192.168.30.10, portal 192.168.110.10, www.cisco.com = 198.133.219.25):
 Subscriber -> ISG: HTTP, IP SA 192.168.30.10, IP DA 198.133.219.25, TCP <SSAP>:80
 ISG -> Portal: HTTP, IP SA 192.168.30.10, IP DA 192.168.110.10, TCP <SSAP>:<redirect port>

Page 45: CISCOLIVE_IPOE


TC Priority
• Defines the order in which TC ACLs are matched against incoming traffic
• Lower numerical value -> higher priority
• First match honored
(Diagram labels on the default class: permit / deny.)

Page 46: CISCOLIVE_IPOE


Traffic Classification

• Flow features apply to the classified flow (a portion of the entire session data)
• TC priority is important (order of ACL evaluation): traffic goes to the next TC only if not matched by the previous one
• TC Priority defines the order in which TC ACLs are matched against incoming traffic
• Lower numerical value -> higher priority
• First match honored

Diagram (Subscriber Session, Traffic Forwarding): data entering the session is tested against Traffic Class 1 (ACL1, TC1 priority 10), then Traffic Class 2 (ACL2, TC2 priority 20), then the Default Class. Each traffic class carries its own service features; the default class is either permit (allow traffic) or deny (drop traffic).
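The first-match evaluation described here, together with the L4 Redirect and OpenGarden services from the Services slides, as an added example (not Cisco code): the OG_SRV and L4R_SRV traffic classes are evaluated in priority order before logon, everything unmatched hits OG_SRV's default drop, and after account-logon no traffic class remains. It assumes IOS wildcard masks rewritten as CIDR prefixes; the packets and the 192.168.110.53 garden server are constructed.

```python
# Added example, not Cisco code: first-match traffic-class evaluation for the pre-logon
# OG_SRV (priority 10) and L4R_SRV (priority 20) services. Assumption: IOS wildcard masks
# are written as CIDR prefixes; all packets and the 192.168.110.53 server are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    """One 'permit' line of an IOS extended ACL; src/dst are 'any' or a CIDR prefix."""
    proto: str          # "ip", "tcp" or "udp"
    src: str
    dst: str

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, spec: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return self.proto in ("ip", p.proto) and in_net(p.src, self.src) and in_net(p.dst, self.dst)


@dataclass(frozen=True)
class TrafficClass:
    """ip:traffic-class=input access-group name <acl> priority <n>, plus the feature bound to it."""
    acl_name: str
    priority: int
    acl: tuple[Ace, ...]
    feature: str


def classify(p: Packet, classes: list[TrafficClass], default: str) -> tuple[str, str]:
    """Lower priority value is evaluated first; first match honored; no match -> default class."""
    for tc in sorted(classes, key=lambda c: c.priority):
        if any(ace.matches(p) for ace in tc.acl):
            return tc.acl_name, tc.feature
    return "default", default


# Pre-logon state: OG_SRV opens the portal subnet, L4R_SRV redirects all remaining TCP,
# and OG_SRV's 'ip:traffic-class=in default drop' discards everything else.
OG_TC = TrafficClass("OG_ACL_IN", 10, (Ace("ip", "any", "192.168.110.0/24"),), "permit")
L4R_TC = TrafficClass("L4R_ACL_IN", 20, (Ace("tcp", "any", "any"),), "redirect to REDIR_GRP")
PRE_LOGON = [OG_TC, L4R_TC]

PACKETS = {  # constructed traffic from subscriber 192.168.30.10
    "portal_http": Packet("tcp", "192.168.30.10", "192.168.110.10"),
    "garden_udp": Packet("udp", "192.168.30.10", "192.168.110.53"),
    "internet_http": Packet("tcp", "192.168.30.10", "198.133.219.25"),
    "internet_dns": Packet("udp", "192.168.30.10", "198.51.100.53"),
}


def pre_logon() -> dict:
    return {name: classify(p, PRE_LOGON, "drop") for name, p in PACKETS.items()}


def post_logon() -> dict:
    """After account-logon both services are unapplied: no traffic classes, BASIC_HSI_SRV forwards all."""
    return {name: classify(p, [], "permit (BASIC_HSI_SRV)") for name, p in PACKETS.items()}


def swapped_priorities() -> dict:
    """Why the priority values matter: with L4R ahead of OG even portal-bound HTTP is redirected."""
    swapped = [TrafficClass(OG_TC.acl_name, 20, OG_TC.acl, OG_TC.feature),
               TrafficClass(L4R_TC.acl_name, 10, L4R_TC.acl, L4R_TC.feature)]
    return {name: classify(p, swapped, "drop") for name, p in PACKETS.items()}
```

Before logon, HTTP to the portal matches OG_ACL_IN (priority 10) even though L4R_ACL_IN would match it too; with the priorities swapped the portal traffic itself would be redirected, which is the failure mode the slide warns about.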

Page 47: CISCOLIVE_IPOE


Use Case Full Configurations: Control Policy

Control policy:

policy-map type control IP_SESSION_RULE1
 class type control AUTH_TMR_CM event timed-policy-expiry
  1 service disconnect
 !
 class type control BASIC_HSI_SRV_CM event service-start
  10 service-policy type service identifier service-name
 !
 class type control BASIC_HSI_SRV_CM event service-stop
  1 service-policy type service unapply identifier service-name
  10 service-policy type service name L4R_SRV
  20 service-policy type service name OG_SRV
 !
 class type control always event session-start
  10 service-policy type service name PBHK_SRV
  20 service-policy type service name OG_SRV
  30 authorize aaa list IP_AUTHOR_LIST password cisco123 identifier mac-address
  40 service-policy type service name L4R_SRV
  50 set-timer AUTH_TMR 10
 !
 class type control always event account-logon
  10 authenticate aaa list IP_AUTHEN_LIST
  20 service-policy type service unapply name L4R_SRV
  30 service-policy type service unapply name OG_SRV
 !
 class type control always event account-logoff
  1 service disconnect delay 5
!

Method Lists:

aaa authorization network IP_AUTHOR_LIST group SERVER_GRP1
aaa authentication login IP_AUTHEN_LIST group SERVER_GRP1

Control Classes:

class-map type control match-any BASIC_HSI_SRV_CM
 match service-name BASIC_HSI_SRV
class-map type control match-all AUTH_TMR_CM
 match timer AUTH_TMR
 match authen-status unauthenticated

Interface:

interface GigabitEthernet0/0.1
 encapsulation dot1Q 10
 ip address 192.168.30.1 255.255.255.0
 service-policy type control IP_SESSION_RULE1
 ip subscriber l2-connected
  initiator dhcp

DHCP Relay cfg (DHCP server address 192.168.110.12):

ip dhcp pool POOL_VLAN10
 relay source 192.168.30.0 255.255.255.0
 relay destination 192.168.110.12

Page 48: CISCOLIVE_IPOE


Summary

Page 49: CISCOLIVE_IPOE


Summary Slide

• The Next Wave of Broadband
  ‒ User Centric Network
  ‒ Access Technology Abstraction
• ISG Overview
  ‒ What is ISG?
  ‒ ISG Sessions
  ‒ ISG Services
  ‒ Cisco Policy Language

Page 50: CISCOLIVE_IPOE


Key Takeaways

• ISG is a Subscriber Aggregation device that provides Subscriber and Service Management functions
• Can be deployed in several architectures to support wired and wireless subscribers and for both PPP and IP-based subscriber access
• Offers a wide choice of subscriber authentication options, e.g. PPP CHAP/PAP, EAP, TAL, Web Auth, DHCP Authentication
• Multiple, open and standards-based northbound interfaces simplify inter-working with existing BackOffice appliances
• Configuration model based on predefined events and user-defined actions allows for flexible and fully customizable session and service management

Page 51: CISCOLIVE_IPOE


Glossary Acronyms

AAA Accounting Authentication Authorization

AAL5 ATM Adaptation Layer 5

ACL Access Control List

ATM Asynchronous Transfer Mode

BNG Broadband Network Gateway

BRAS Broadband Remote Access Server

CoA Change of Authorization

CHAP Challenge-Handshake Authentication Protocol

CLI Command Line Interface

CMTS Cable Modem Termination System

CPE Customer Premises Equipment

CPL Cisco Policy Language

DHCP Dynamic Host Configuration Protocol

DS Down Stream

DSL Digital Subscriber Line

DSLAM Digital Subscriber Line Access Multiplexer

EAP Extensible Authentication Protocol

FSOL First Sign Of Life

GE Gigabit Ethernet

IPoE IP over Ethernet

IPTV IP Television

HSI High Speed Internet

IOS Internetwork Operating System

IP Internet Protocol


ISG Intelligent Services Gateway

ISP Internet Service Provider

L2TP Layer 2 Tunneling Protocol

LAC L2TP Access Concentrator

LAN Local Area Network

LNS L2TP Network Server

MPLS Multi Protocol Label Switching

MQC Modular QoS CLI

NAS Network Access Server

PAP Password Authentication Protocol

PBHK Port Bundle Host Key

PON Passive Optical Network

Phy Physical

PM Policy Manager

PPP Point to Point Protocol

PPPoA PPP over ATM

PPPoE PPP over Ethernet

PPPoX PPP over X X=Ethernet, ATM,

PTA PPP Aggregation and Termination

PWLAN Public Wireless LAN

QoS Quality of Service

RADIUS Remote Authentication Dial In User Service

RFC Request For Comments


SGI Services Gateway Interface

TAL Transparent Auto Logon

TC Traffic Class

US Upstream

VC Virtual Circuit

VLAN Virtual LAN

VoIP Voice over IP

VoD Video on Demand

VPN Virtual Private Network

VRF Virtual Routing Forwarding

VSA Vendor Specific Attribute

WiMAX Worldwide Inter-operability for Microwave Access

XML Extensible Markup Language

Page 52: CISCOLIVE_IPOE


Q&A

Page 53: CISCOLIVE_IPOE


Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Receive 20 Passport points for each session evaluation you complete.
• Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.


Page 54: CISCOLIVE_IPOE
