Intelligent Services Gateway (ISG) -- WiMAX Service Provider Network Configuration Example
This example provides a sample configuration of Cisco Intelligent Services Gateway (ISG) deployed in a service provider's broadband network that is delivering triple-play services to subscribers through DSL, Ethernet, and WiMAX access.
DSL, Ethernet and Fixed WiMAX Access
- DSL Forum TR-101 functions
- Metro Ethernet Forum (MEF) 6/10 Ethernet services models
- N:1 and 1:1 VLAN multiplexing models
- Multi-VC, trunk and non-trunk user network interface (UNI) options
- Ethernet to the home and business (ETTx) Spanning-Tree Protocol (STP) access rings and hub and spoke
- WiMAX nodes integrated in the ETTx access
- DSL access nodes with redundant connectivity
Transport Functions between Access and Edge
- Intelligent access multiplexing
- MPLS/IP Layer 2 and Layer 3 transport services
- Transparent virtualized Ethernet point-to-point (P2P) and multipoint (MP) transport (EoMPLS and H-VPLS) for services with IP/L3VPN/L2VPN Edge in broadband network gateway (BNG) and multiservice edge (MSE)
- Service-aware IP transport for triple-play services (IPTV, VoD, Voice)
- L2/L3 MPLS/IP transport layer provides flexibility, scalability, transparency, virtualization and service awareness when required
- Aggregation network provides the option for implementing L2/L3 business VPN services
Subscriber and Service Edge
- Residential H.323 signaling interface (HSI) in BNG
- Business L2/3 VPNs in MSE
Transparent Auto-Logon (TAL) Postpaid
The following example shows the configuration of a routed subscriber network using the Port-Bundle Host Key (PBHK) and Layer 4 Redirect features. The basic behavior of the ISG is summarized in the control policy that is used when a First Sign of Life (FSOL) is detected. In this example, the FSOL is an unclassified source IP address.
The key to understanding an individual ISG configuration is generally the control policy, which maps out the actions taken by the ISG when different ISG events occur. The following example shows a control policy that allows some source IP address traffic to pass through the ISG without authentication, performing Transparent Auto Logon (TAL) for a set of predefined IP addresses, and performing web (portal) authentication for all other subscribers.
```
policy-map type control isg-control
```

Control policy definition.

Session Start Events

```
 class type control PASSTHROUGH event session-start
  10 service local-passthrough
 !
```

FSOL traffic that matches the class map PASSTHROUGH does not go through any authentication or redirection. It simply has a service applied to it.

```
 class type control TAL_IP_SUBSCRIBERS event session-start
  10 authorize aaa list AUTHOR_LIST1 password svcisco identifier source-ip-address
  20 service-policy type service name DEFAULT_NETWORK_SERVICE
  30 set-timer IP-UNAUTH-timer 5
 !
```

FSOL traffic that matches this class map is sent for authorization, using the source IP address as the subscriber identifier (transparent auto-logon). If authorization fails, the service DEFAULT_NETWORK_SERVICE is applied, and an authentication timer is set.

```
 class type control always event session-start
  10 service-policy type service name DEFAULT_NETWORK_SERVICE
  20 service-policy type service name PBHK_SERVICE
  30 service-policy type service name L4_REDIRECT_SERVICE
  40 service-policy type service name OPENGARDEN_SERVICE
  50 set-timer IP-UNAUTH-timer 5
 !
```

Any FSOL traffic that does not match the previous class maps is handled here: the default network, PBHK, Layer 4 redirect and open garden services are applied, and the unauthenticated-session timer is started.

Account Logon Events

```
 class type control always event account-logon
  10 authenticate aaa list AUTHEN_LIST1
  20 service-policy type service unapply name L4_REDIRECT_SERVICE
 !
```

On an account-logon event, authenticate the subscriber. Upon successful authentication, unapply the L4_REDIRECT_SERVICE.

Account Logoff Events

```
 class type control always event account-logoff
  10 service disconnect delay 5
 !
```

Upon an account-logoff event, disconnect after a 5 second delay. This should ensure that the client TCP sessions close before disconnection.

Service Start Event

```
 class type control always event service-start
  10 service-policy type service identifier service-name
```

Upon a service-start event, apply the service named in the message.

Service Stop Event

```
 class type control always event service-stop
  10 service-policy type service unapply identifier service-name
```

Upon a service-stop event, unapply the service named in the message.

Timed Policy Expiry Event

```
 class type control UNAUTHEN_COND event timed-policy-expiry
  10 service disconnect
```

Upon a timed-policy-expiry event, if the class map UNAUTHEN_COND is true (the session is still unauthenticated), disconnect the session.

Quota Depleted Event

```
 class type control always event quota-depleted
  10 set-param drop-traffic TRUE
```

Upon a quota-depleted event, drop the session traffic.

Credit Exhausted Event

```
 class type control always event credit-exhausted
  10 service-policy type service name PREPAID_REDIRECT_SERVICE
```

Upon a credit-exhausted event, apply the service PREPAID_REDIRECT_SERVICE.
In the control policy above, class maps select which actions occur for a given event. The following example shows those class maps; each matches a subscriber by source IP address and subnet mask (the PASSTHROUGH list is truncated here).

```
class-map type control match-any PASSTHROUGH
 match source-ip-address 10.10.62.0 255.255.254.0
 match source-ip-address 10.10.28.1 255.255.255.255
 match source-ip-address 10.10.0.111 255.255.255.255
 …
class-map type control match-any TAL_IP_SUBSCRIBERS
 match source-ip-address 10.10.52.163 255.255.255.255
```
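As an added illustration (not part of the Cisco document) of how the control policy and class maps above fit together, the following Python model evaluates an ISG event against the policy: the classes for an event are tried in the order they appear, the first class whose class map matches the session's source address wins, and `always` matches everything. The class maps are the ones printed on the page (the truncated PASSTHROUGH list only has its visible entries); `UNAUTHEN_COND` is not shown on the page and is modelled as never matching, which is an assumption. The authorize action's password is deliberately left out.

```python
# Added example, not from the Cisco document: a model of how policy-map
# isg-control selects actions for an event. Classes for an event are tried in
# order; the first matching class map wins; "always" matches everything.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Control class maps as printed on the page (match-any; address + subnet mask).
# The PASSTHROUGH list is truncated on the page, so only visible entries appear.
CLASS_MAPS: Dict[str, List[Tuple[str, str]]] = {
    "PASSTHROUGH": [
        ("10.10.62.0", "255.255.254.0"),
        ("10.10.28.1", "255.255.255.255"),
        ("10.10.0.111", "255.255.255.255"),
    ],
    "TAL_IP_SUBSCRIBERS": [
        ("10.10.52.163", "255.255.255.255"),
    ],
    # Assumption: UNAUTHEN_COND is not shown on the page; modelled as never matching.
    "UNAUTHEN_COND": [],
}

# (event, class map, numbered actions) in the order they appear in the policy map.
# The password on the authorize line is intentionally omitted.
CONTROL_POLICY: List[Tuple[str, str, List[str]]] = [
    ("session-start", "PASSTHROUGH", ["service local-passthrough"]),
    ("session-start", "TAL_IP_SUBSCRIBERS", [
        "authorize aaa list AUTHOR_LIST1 identifier source-ip-address",
        "service-policy type service name DEFAULT_NETWORK_SERVICE",
        "set-timer IP-UNAUTH-timer 5",
    ]),
    ("session-start", "always", [
        "service-policy type service name DEFAULT_NETWORK_SERVICE",
        "service-policy type service name PBHK_SERVICE",
        "service-policy type service name L4_REDIRECT_SERVICE",
        "service-policy type service name OPENGARDEN_SERVICE",
        "set-timer IP-UNAUTH-timer 5",
    ]),
    ("account-logon", "always", [
        "authenticate aaa list AUTHEN_LIST1",
        "service-policy type service unapply name L4_REDIRECT_SERVICE",
    ]),
    ("account-logoff", "always", ["service disconnect delay 5"]),
    ("timed-policy-expiry", "UNAUTHEN_COND", ["service disconnect"]),
    ("quota-depleted", "always", ["set-param drop-traffic TRUE"]),
    ("credit-exhausted", "always",
     ["service-policy type service name PREPAID_REDIRECT_SERVICE"]),
]


def class_matches(class_name: str, source_ip: str) -> bool:
    """match-any semantics: true if the source address falls in any listed entry."""
    if class_name == "always":
        return True
    addr = ipaddress.ip_address(source_ip)
    for network, mask in CLASS_MAPS.get(class_name, []):
        # IOS writes these entries as address + subnet mask; strict=False accepts host entries.
        if addr in ipaddress.ip_network(f"{network}/{mask}", strict=False):
            return True
    return False


def select_actions(event: str, source_ip: str) -> Optional[Tuple[str, List[str]]]:
    """Return (class map name, actions) of the first class matching this event, or None."""
    for ev, class_name, actions in CONTROL_POLICY:
        if ev == event and class_matches(class_name, source_ip):
            return class_name, actions
    return None


def services_applied_at_start(source_ip: str) -> List[str]:
    """Service names applied by the session-start actions chosen for this FSOL address."""
    chosen = select_actions("session-start", source_ip)
    if chosen is None:
        return []
    return [a.rsplit(" ", 1)[1] for a in chosen[1]
            if a.startswith("service-policy type service name ")]


if __name__ == "__main__":
    # Constructed FSOL source addresses for demonstration, not taken from the page.
    for ip in ("10.10.62.5", "10.10.52.163", "10.10.52.164"):
        print(ip, select_actions("session-start", ip))
```

Because the `always` class is listed last for `session-start`, the order of the classes in the policy map matters: a pass-through or TAL subscriber never reaches the portal-redirect bundle, while any other address gets the full unauthenticated service set and the timer that eventually disconnects it.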
Authentication, authorization, and accounting (AAA) is a key part of ISG; ISG cannot operate without at least a minimum AAA configuration.

```
aaa new-model
!
aaa group server radius AAA_GROUP
 server 10.10.6.13 auth-port 1812 acct-port 1813
```

The aaa new-model command is required.

```
aaa authentication login AUTHEN_LIST group AAA_GROUP
aaa authorization network AUTHOR_LIST group AAA_GROUP
aaa authorization subscriber-service default local group AAA_GROUP
aaa accounting update periodic 30
aaa accounting network ACCNT_LIST start-stop group AAA_GROUP
```

The method-list names referenced by the control policy must match the names defined here. As printed, the control policy refers to AUTHEN_LIST1 and AUTHOR_LIST1 while the lists are defined as AUTHEN_LIST and AUTHOR_LIST, so one side has to be aligned before the configuration is deployed.
ISG RADIUS Server

```
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server host 10.10.7.14 auth-port 1812 acct-port 1813 retransmit 3 key 7 <removed>
radius-server retransmit 2
radius-server timeout 3
radius-server vsa send accounting
radius-server vsa send authentication
```
Change of Authorization (CoA) Portal

```
aaa server radius dynamic-author
 client 10.10.80.130
 client 10.10.33.166
 server-key 7 <removed>
 auth-type any
 ignore session-key
 ignore server-key
```

Change of Authorization (CoA) server. Only the listed clients (the portal and policy servers) are accepted as sources of CoA requests, and they must present the configured shared key.
Open Garden Service
The Open Garden service is a traffic class that is defined to only allow limited services prior to authentication. These services are typically Domain Name System (DNS), web portal, and any other services that are necessary to get the subscriber to a level where they can authenticate themselves. Examples of the service configuration are shown below.
```
ip access-list extended ACL_IN_OPENGARDEN
 permit ip any host 192.168.200.78
 permit ip any host 192.168.200.8
 permit ip any host 192.168.200.19
 …
ip access-list extended ACL_OUT_OPENGARDEN
 permit ip host 192.168.200.78 any
 permit ip host 192.168.200.8 any
 permit ip host 192.168.200.19 any
 …
class-map type traffic match-any TC_OPENGARDEN
 match access-group input name ACL_IN_OPENGARDEN
 match access-group output name ACL_OUT_OPENGARDEN
policy-map type service OPENGARDEN_SERVICE
 10 class type traffic TC_OPENGARDEN
 !
 class type traffic default in-out
  drop
```

Define the hosts reachable by unauthenticated subscribers: the input list matches upstream traffic from the subscriber to those hosts, and the output list matches the return traffic from them. Create the traffic class map from the two host ACLs. The default class drops everything else in both directions, so traffic that is neither in the open garden nor claimed by another traffic class is discarded until the subscriber authenticates.
Layer 4 Redirect Service
The L4 Redirect service is typically used to force subscribers to a web portal for authentication purposes.
```
ip access-list extended ACL_REDIRECT
 deny tcp any host 10.10.6.16 eq www
 deny tcp any host 10.10.6.16 eq 8080
 permit tcp any any eq www
 permit tcp any any eq 8080
class-map type traffic match-any TC_L4_REDIRECT
 match access-group input name ACL_REDIRECT
policy-map type service L4_REDIRECT_SERVICE
 20 class type traffic TC_L4_REDIRECT
  redirect to group REDIRECT_GROUP
redirect server-group REDIRECT_GROUP
 server ip 10.16.6.16 port 8090
```

Define the traffic to be diverted: HTTP from the subscriber on ports 80 and 8080. Traffic already addressed to the portal host is excluded with the deny entries so that a redirected session is not redirected a second time. Define the redirect group, which names the portal server and port that matching flows are sent to.
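As an added example (not from the Cisco document), the following Python code parses the open garden and redirect access lists exactly as printed above and shows what happens to an upstream packet from a subscriber who has not yet authenticated. It models only the ACL syntax the page uses (permit/deny, ip or tcp, `any` or `host X`, optional `eq port`), evaluates the open garden class (priority 10) before the redirect class (priority 20), and lets the open garden default class drop the rest; that ordering is the assumption the model rests on. The open garden list is truncated on the page, so only its visible hosts are included, and the test packets' addresses are constructed.

```python
# Added example, not from the Cisco document: evaluate the page's open-garden
# and ACL_REDIRECT lists against constructed upstream packets.
from typing import List, NamedTuple, Optional, Tuple

PORT_NAMES = {"www": 80}  # IOS port keyword used in ACL_REDIRECT


class Packet(NamedTuple):
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


class Ace(NamedTuple):
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol
    dst_host: Optional[str]  # None means "any"
    dst_port: Optional[int]  # None means any port


def _parse_address(tokens: List[str]) -> Tuple[Optional[str], List[str]]:
    """Consume "any" or "host X" from the front of the token list."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("unsupported address form: " + " ".join(tokens))


def parse_acl(text: str) -> List[Ace]:
    """Parse extended-ACL entries of the forms that appear on the page."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip the "ip access-list ..." header line
        action, proto = tokens[0], tokens[1]
        _src, rest = _parse_address(tokens[2:])  # source is "any" in every entry shown
        dst, rest = _parse_address(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, proto, dst, port))
    return aces


def acl_result(aces: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.dst_host is not None and ace.dst_host != pkt.dst_ip:
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action
    return "deny"


# Lists as printed on the page (open garden truncated there; visible hosts only).
ACL_IN_OPENGARDEN = parse_acl("""
ip access-list extended ACL_IN_OPENGARDEN
 permit ip any host 192.168.200.78
 permit ip any host 192.168.200.8
 permit ip any host 192.168.200.19
""")

ACL_REDIRECT = parse_acl("""
ip access-list extended ACL_REDIRECT
 deny tcp any host 10.10.6.16 eq www
 deny tcp any host 10.10.6.16 eq 8080
 permit tcp any any eq www
 permit tcp any any eq 8080
""")

REDIRECT_TARGET = ("10.16.6.16", 8090)  # redirect server-group REDIRECT_GROUP on the page


def classify(pkt: Packet) -> str:
    """Disposition of an upstream packet while OPENGARDEN_SERVICE (class 10) and
    L4_REDIRECT_SERVICE (class 20) are applied: assumed lower number first, then the
    open-garden default class drops whatever remains."""
    if acl_result(ACL_IN_OPENGARDEN, pkt) == "permit":
        return "pass"
    if acl_result(ACL_REDIRECT, pkt) == "permit":
        return "redirect to %s:%d" % REDIRECT_TARGET
    return "drop"


if __name__ == "__main__":
    # Constructed packets (203.0.113.0/24 is documentation space), not from the page.
    for pkt in (Packet("tcp", "192.168.200.8", 80), Packet("tcp", "203.0.113.5", 80),
                Packet("udp", "203.0.113.5", 53), Packet("tcp", "10.10.6.16", 80)):
        print(pkt, "->", classify(pkt))
```

The last constructed packet shows the check worth making when this pair of services is deployed: HTTP to the portal host 10.10.6.16 is excluded from redirection by the deny entries, so unless the portal also appears in the open garden list (which may be among the entries elided on the page) the open garden default class drops it and the subscriber never reaches the login page.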
Port-Bundle Host Key (PBHK)

```
access-list 110 permit ip any host 10.10.6.16
access-list 110 permit ip any host 10.10.6.28
ip portbundle
 match access-list 110
 source Loopback100
 source Loopback101
interface GigabitEthernet1/0/0.123
 encapsulation dot1Q 123
 <snip>
 ip portbundle outside
policy-map type service PBHK_SERVICE
 ip portbundle
```

Apply PBHK to traffic to the web portals (the hosts in access-list 110). Define the port bundle: the loopback addresses used as the source of translated subscriber connections. Mark the outgoing interface towards the web portal with ip portbundle outside. With PBHK each subscriber session is mapped to a distinct source address and port range on the loopbacks, so the portal can identify the session from the source of the connection even when subscribers use private or overlapping addresses.