Cisco Systems OL-4387-02 Network Router User Manual


 
Cisco 10000 Series Router Service Selection Gateway Configuration Guide
OL-4387-02
Chapter 1 Service Selection Gateway Overview
Supported SSG Features
The Cisco 10000 series router supports the following SSG features and functionality:
SSG Logon and Logoff, page 3-1
Authentication and Accounting, page 4-1
Service Selection Methods, page 5-1
Service Connection, page 6-1
Service Profiles and Cached Service Profiles, page 7-1
SSG Hierarchical Policing, page 8-1
Interface Configuration, page 9-1
SSG TCP Redirect, page 10-1
VPI/VCI Static Binding to a Service Profile, page 11-1
RADIUS Virtual Circuit Logging, page 11-2
AAA Server Group Support for Proxy Services, page 11-2
Packet Filtering, page 11-3
SSG Unconfig, page 11-5
For more information about the SSG features, refer to the Service Selection Gateway, Release 12.2(15)B
feature module.
For information about SSG features supported in a specific Cisco IOS release, refer to the
Cisco 10000 Series Router Feature Map.
SSG Restrictions
The SSG feature has the following restrictions:
When using SSG hierarchical policing on Cisco 10000 Series routers, a maximum of 8 policing rates
can be used per uplink interface and R attribute combination. Of these 8 rates, 1 is reserved for “no
policing”, leaving 7 different police rates available per uplink interface and R attribute combination.
For example, if eight SSG services are bound to the same SSG next-hop and all eight services carry
an R attribute of “R0.0.0.0;0.0.0.0”, the ninth service will fail to acquire correct policing rates and
this error message may appear:
%GENERAL-3-EREVENT: C10KSSG: Vi2.8 svc_bitmap 0x2 Unable to set connection rate
Network address translation (NAT) functionality is not supported. This means that the router does
not support concurrent access to multiple services for which the services, not the access provider,
must assign the user’s IP address. For example, this restriction applies to concurrent access to a
private service and SESM or the Open Garden network, or concurrent access to a tunnel service and
SESM or the Open Garden network.
The Cisco 10000 series router adds reachability information to the Open Garden and default
networks for all services, both public and private. Because NAT is not supported, the addresses for
the Open Garden and default networks cannot overlap addresses defined within the service
definition.
To restrict access to the Open Garden network by private services, you must specifically bind the
Open Garden to the uplink interfaces. Do not bind the Open Garden to the interface used by the
private service.
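The hierarchical policing restriction above can be checked before service profiles are deployed. The following is an added example, not part of the Cisco guide: it groups services by uplink interface and R attribute and reports any combination that needs more than 7 distinct police rates. The record layout, the service and uplink names, and the `rate_kbps` field are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# 8 rates per uplink interface + R attribute combination, 1 reserved for "no policing".
MAX_POLICE_RATES = 7

def parse_r_attribute(attr):
    """Parse an R attribute such as 'R0.0.0.0;0.0.0.0' into an IPv4 network."""
    if not attr.startswith("R") or ";" not in attr:
        raise ValueError(f"not an R attribute: {attr!r}")
    addr, mask = attr[1:].split(";", 1)
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def audit_policing(services):
    """Return {(uplink, network): sorted rates} for every combination that
    needs more than MAX_POLICE_RATES distinct police rates."""
    rates = defaultdict(set)
    for svc in services:
        key = (svc["uplink"], parse_r_attribute(svc["r_attr"]))
        # rate_kbps of None means "no policing", which uses the reserved slot.
        if svc["rate_kbps"] is not None:
            rates[key].add(svc["rate_kbps"])
    return {k: sorted(v) for k, v in rates.items() if len(v) > MAX_POLICE_RATES}

# Constructed sample data: names, uplinks and rates are hypothetical.
SAMPLE_SERVICES = [
    {"name": f"svc{i}", "uplink": "uplink-A",
     "r_attr": "R0.0.0.0;0.0.0.0", "rate_kbps": 128 * i}
    for i in range(1, 9)            # eight services, eight distinct rates
] + [
    {"name": "svc-open", "uplink": "uplink-A",
     "r_attr": "R0.0.0.0;0.0.0.0", "rate_kbps": None},
    {"name": "svc-b", "uplink": "uplink-B",
     "r_attr": "R10.1.0.0;255.255.0.0", "rate_kbps": 512},
]

if __name__ == "__main__":
    for (uplink, net), used in audit_policing(SAMPLE_SERVICES).items():
        print(f"{uplink} / {net}: {len(used)} police rates requested, "
              f"limit is {MAX_POLICE_RATES}: {used}")
```

Services that share a rate count once, so consolidating profiles onto a common set of rates is one way to bring a flagged combination back under the limit.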