Cisco Systems OL-4387-02 Network Router User Manual


 
Cisco 10000 Series Router Service Selection Gateway Configuration Guide
OL-4387-02
Chapter 10 SSG TCP Redirect
Figure 10-1 Restricting Access to Networks within Authorized Services
The following describes the behavior of redirection for unauthorized services:
- If a packet arrives from an unauthorized SSG user or it is destined to an unauthorized service,
  SSG redirects the packet if the packet matches the protocol and ports configured as the redirection
  filter. If the packet does not match the filter, SSG drops the packet.
- If a packet arrives from an unauthorized service or is destined to an unauthorized SSG user,
  SSG drops the packet.
- If a user’s connection is subject to redirection or captivation, SSG redirects to SESM any packets
  from the connection that match the protocol and ports for redirection and captivation.
  If packets from the connection do not match the protocol and ports configured as a filter, SSG drops
  the packets.
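The drop-or-redirect rules above can be modeled as a small decision function. This Python sketch is an added example, not Cisco code: the service networks come from the labels of Figure 10-1, while the filter ports, the longest-prefix service lookup, and the forwarding of fully authorized traffic are assumptions.

```python
from ipaddress import ip_address, ip_network

# Service networks as labelled in Figure 10-1.
SERVICES = {
    "ServiceA": ip_network("10.0.0.0/8"),
    "IPTVService": ip_network("10.1.1.1/32"),
}
# Assumed redirection filter: (protocol, destination port) pairs.
REDIRECT_FILTER = {("tcp", 80), ("tcp", 8080)}


def service_for(addr):
    """Name of the most specific service network containing addr, or None.

    Longest-prefix selection is an assumption of this sketch; it is what
    lets IPTVService be carved out of the enclosing ServiceA network.
    """
    hits = [(net.prefixlen, name) for name, net in SERVICES.items()
            if ip_address(addr) in net]
    return max(hits)[1] if hits else None


def decide(authenticated, logged_on, direction, proto, dst_port, service_ip):
    """Return 'forward', 'redirect' or 'drop' for one packet.

    authenticated: the subscriber is an authorized SSG user
    logged_on:     set of service names the subscriber is authorized for
    direction:     'upstream' (user to service) or 'downstream' (service to user)
    service_ip:    service-side address (destination upstream, source downstream)
    """
    authorized = authenticated and service_for(service_ip) in logged_on
    if authorized:
        return "forward"    # assumption: authorized traffic passes untouched
    if direction == "downstream":
        return "drop"       # from unauthorized service or to unauthorized user
    if (proto, dst_port) in REDIRECT_FILTER:
        return "redirect"   # matches the filter: sent to the redirect server
    return "drop"           # unauthorized and outside the filter


if __name__ == "__main__":
    # Constructed packets for a user logged on to ServiceA only.
    for pkt in [("upstream", "tcp", 80, "10.2.3.4"),
                ("upstream", "tcp", 80, "10.1.1.1"),
                ("upstream", "udp", 53, "10.1.1.1"),
                ("downstream", "tcp", 40000, "10.1.1.1")]:
        print(pkt, "->", decide(True, {"ServiceA"}, *pkt))
```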
Initial Captivation
Initial captivation redirects certain packets from users for a specific period of time. After a user logs on,
packets to certain TCP ports are redirected to a server for advertisements and branding. SSG captivates
the user by redirecting all user packets to those TCP ports regardless of the destination address.
Captivation is active for a specified duration, starting from the first redirected session.
If you configure initial captivation globally by using the CLI, captivation applies to all authenticated
users. You can also enable initial captivation in the RADIUS user profile as an Account-Info attribute to
override the CLI setting.
The user profile contains the following information for initial captivation:
- Server group name
  Note: Use the CLI to configure the server group and associate a port or port list to the server group.
- Duration of captivation
- Service name (optional)
  Note: If you specify the optional service name, captivation activates only when logon to that
  service occurs.
[Figure 10-1 labels: IPTVService 10.1.1.1/32; ServiceA 10.0.0.0/8]