Cisco Systems OL-4387-02 Network Router User Manual


 
Cisco 10000 Series Router Service Selection Gateway Configuration Guide
OL-4387-02
Chapter 11 Miscellaneous SSG Features
Configuration of Packet Filtering
To configure SSG ACLs, use the following Cisco-AV pair attributes:
Downstream Access Control List (outacl)
Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list | extended-access-control-list}"
Upstream Access Control List (inacl)
Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list | extended-access-control-list}"
For more information, refer to the Service Selection Gateway, Release 12.2(15)B feature module.
Configuration Example for Packet Filtering
The following is an example of a downstream ACL (outacl):
Cisco-AVpair = "ip:outacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
The following is an example of an upstream ACL (inacl):
Cisco-AVpair = "ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
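The following Python example is added here and is not part of the Cisco guide. It parses ip:inacl and ip:outacl attributes in the syntax shown above so that a RADIUS profile can be reviewed for the direction, addresses and ports each filter covers. The function names are hypothetical, and the ACL grammar is an assumed subset: permit or deny, the protocols ip, tcp, udp and icmp, and contiguous wildcard masks.

```python
import ipaddress
import re

# Attribute syntax from the guide: ip:{inacl|outacl}[#number]={ACL entry}
AVPAIR_RE = re.compile(
    r'^Cisco-AVpair\s*=\s*"ip:(?P<dir>inacl|outacl)(?:#(?P<num>\d+))?=(?P<rule>.+)"$')
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}  # assumption: subset handled by this example

def wildcard_to_network(addr, wildcard):
    """Turn an address and contiguous IOS wildcard mask into an IPv4Network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # wildcard bits must be one contiguous run of low-order 1s
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - wc.bit_length()))

def take_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A wildcard'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if head == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(head, tokens.pop(0))

def parse_avpair(line):
    """Parse one ip:inacl / ip:outacl attribute into a dict for review."""
    m = AVPAIR_RE.match(line.strip())
    if not m:
        raise ValueError("not an ip:inacl/ip:outacl AV pair: " + line)
    tokens = m.group("rule").split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: " + action)
    extended = bool(tokens) and tokens[0] in PROTOCOLS  # standard entries name no protocol
    proto = tokens.pop(0) if extended else "ip"
    try:
        src = take_addr(tokens)
        dst = take_addr(tokens) if extended else None
    except IndexError:
        raise ValueError("truncated ACL entry: " + line)
    return {"direction": "upstream" if m.group("dir") == "inacl" else "downstream",
            "number": int(m.group("num")) if m.group("num") else None,
            "action": action, "protocol": proto, "source": src,
            "destination": dst, "port_match": " ".join(tokens) or None}

if __name__ == "__main__":
    # The two attribute lines from the configuration example above
    for sample in ('Cisco-AVpair = "ip:outacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"',
                   'Cisco-AVpair = "ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"'):
        print(parse_avpair(sample))
```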
SSG Unconfig
The SSG Unconfig feature enhances your ability to disable SSG at any time and releases the data
structures and system resources created by SSG when SSG is unconfigured.
SSG Unconfig removes SSG allocated resources when you globally disable SSG after it was enabled.
When you enable SSG, the SSG subsystem in the Cisco IOS software acquires system resources that are
never released, even after you disable SSG. The SSG Unconfig feature enables you to release and clean
up system resources when SSG is not in use by entering the no ssg enable force-cleanup command.
The SSG Unconfig feature also enhances several IOS commands to allow you to delete all host objects,
a range of host objects, or all service objects (connection objects). Enhancements to the show ssg host
command allow you to display information about an interface and its IP address when you enable
host-key mode on that interface. For more information about the SSG commands, refer to the
Cisco 10000 Series Routers Command Quick Reference Guide.
For more information about the SSG Unconfig feature, refer to the SSG Unconfig, Release 12.2(15)B
feature module and the Service Selection Gateway, Release 12.2(15)B feature module.
Restrictions for SSG Unconfig
SSG Unconfig clears all SSG resources on the system. Therefore, if you no longer need to run SSG
features on the router, instead of using SSG Unconfig, enter the no ssg enable force-cleanup command
after all users are logged out.