
Subscriber Aware Ethernet: Traditional Broadband Functions over Next-Gen Carrier Ethernet Networks
Brian Cox
Technical Marketing Engineer

BRKSPG-3304
2011 Cisco and/or its affiliates. All rights reserved.
2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public

Agenda
The Next Wave of Broadband
User Centric Network
Identity and Services
Access Technology Abstraction
Intelligent Services Gateway (ISG)

ISG Overview
What is ISG?
Northbound Interfaces
ISG Sessions
ISG Services
Cisco Policy Language

ISG Configuration Example


The Next Wave of Broadband


Evolution in Service Provider Network Architectures

- Diverged per Service Networks
- Converged All in One Networks
- Converged User Centric Networks

Increased revenue by decreasing cost of managing and maintaining multiple networks

Increased overall revenue by increasing revenue per user:
- Customized services
- Rapid deployment of new services based on market trends
- Subscriber Self Subscription and Self Care

The New User Experience
Enabling the Next Wave of Broadband

[Portal mock-up]
Add Subscribers: Register; Log in
Add Services:
- Pay As You Go! (Buy credit)
- Pay What You Use! (Buy)
- Broadband Light (Buy: $19.99)
- Broadband Basic (Buy: $29.99)
- Broadband Premium (Buy: $39.99)
Add Value:
- Branded VoD ($4.99/movie)
- Branded Phone ($15.99 + LD)
- Branded TV ($29.99)

The Elements of Customization

Identity
Subscriber identified using multiple dimensions. Identity gathered:
- From multiple sources and events
- Over session lifecycle

Differentiated Services
Different Services and Rules applied based on:
- Who subscriber is
- Where he is
- What he requires

Dynamic Service Management
Services and Rules updated based on:
- How subscriber behaves
- What he requires NOW

[Diagram labels: Subscriber Sessions; Subscriber Services; Session creation/authentication; Intelligent Services Gateway; Dynamic Policy Push and Pull]

Building the Identity and Assigning Services
Subscriber Services

[Diagram: Subscriber and ISG; Identities and Services accumulate on the Subscriber Session over time]

Time  Event                           Session owner  MAC Addr           IP Addr     Username  Service
T0    DHCP Exchange Starts            -              00:DE:34:F1:C0:28  -           ?         DEFAULT_SRV
T1    DHCP Exchange Completes (*)     -              00:DE:34:F1:C0:28  10.1.1.211  ?         DEFAULT_SRV
T2    Subscriber Authentication (*)   Brian          00:DE:34:F1:C0:28  10.1.1.211  Brian     PPU_SRV
TN    Dynamic Service Update          Brian          00:DE:34:F1:C0:28  10.1.1.211  Brian     PREMIUM_FR_SRV

DEFAULT_SRV
Only permits management traffic through the session

PPU_SRV
Pay Per Use Service:
- Permits all traffic
- 512K/1Mbps US/DS
- Accounting enabled on session

PREMIUM_FR_SRV
Flat Rate Premium Data Service:
- Permits all traffic
- 1M/8Mbps US/DS

(*) Order of operations not representative of a real call flow

Access Technology Abstraction

Subscriber-centric services regardless of:
- Access Technology: Legacy DSL/ATM; Metro Ethernet, Wireless LAN, Cable
- Access Protocol: IP, PPP

[Diagram labels: DSL; DSLAM; ATM/Ethernet Switch; Cable; CMTS; Ethernet; 802.11 or 802.16; Access; Distribution; BRAS/BNG; Walled Garden; Open Garden]

What Is ISG?

- Cisco Intelligent Services Gateway (ISG) is a licensed feature set on Cisco IOS that provides Session Management and Policy Management services to a variety of access networks
- Addresses PPPoE to IPoE migration while maintaining all subscriber management functions
- So focal that the entire device is often referred to as an Intelligent Services Gateway router, or simply "The ISG"

[Diagram labels: Subscriber Policy Layer (Policy Server, AAA Server, Web Portal, DHCP Server); Open Northbound Interfaces; ISG: Subscriber Identity Management, Policy Management and Enforcement]

Platforms
Different Products for Different Solution Segments
- ASR 5000: Fixed Mobile Convergence
- ASR 1000: Current Primary BNG Platform
- ASR 9000: Emerging Large Scale BNG Platform

ISG Overview


ISG's Place in the Network

- Deployed at access or service edge
- Communicates with other devices to control all aspects of subscriber access in the network
- Single point of contact
- Subscriber Identification
- Subscriber Authentication
- Subscriber Services Determination and Enforcement
- Dynamic Service update

[Diagram labels: Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server); Internet/Core; Guest Portal (Open Garden); Video/Audio Servers (Walled Garden)]

ISG's Dynamic Policy Activation

- Dynamic Policy Pull (e.g. Automatic Service-Profile Download on Session Establishment)
- Dynamic Policy Push (e.g. Turbo Button)

[Diagram labels: Subscriber Policy Layer (DHCP Server, Web Portal, Policy Server, AAA Server); Application/Service Layer event; Network Layer Event; Guest Portal; Open Garden; Walled Garden]

The Subscriber Session in ISG
ISG Session

- Construct within Cisco IOS that represents a subscriber
  - subscriber: billable entity and/or an entity that should be authenticated/authorized
- Common context on which services are activated
- Created at first sign of peer activity (FSOL = First Sign Of Life)

[Diagram labels: Subscriber 1, Subscriber 2 and Subscriber 3, each with its own session on the ISG; Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server); Internet/Core; Guest Portal (Open Garden); Video/Audio Servers (Walled Garden)]

ISG Session Types
ISG Session

Based on Subscriber Access Protocol

Sessions Supported:
- Dynamically Created Sessions:
  - PPP sessions
  - IP sessions
  - IP Subnet sessions
  - Ethernet sessions
- Statically Created Sessions:
  - Interface sessions (IP-based)
  - Ethernet sessions

[Diagram labels: Session lifecycle: Initiation; Authentication; Service Activation; Termination]

Subscriber Dynamic Sessions
ISG Session

PPP Sessions
Virtual Template w/ Virtual Access (sub)Interfaces
Protocol stacks (top to bottom):
- PPPoA (ATM access): IP / PPP / 1483 / AAL5 / ATM / Phy
- PPPoEoA (ATM access): IP / PPP / PPPoE / Eth / 1483 / AAL5 / ATM / Phy
- PPPoEoE / PPPoEoVLAN / PPPoEoQnQ (Eth access): IP / PPP / PPPoE / .1Q, QnQ / Eth / Phy
- PPPoL2TP (ATM, Eth): IP / PPP / L2TP / IP/UDP / ATM, Eth, ... / Phy

IP Sessions
- IP, Layer 2 Connected (stack: IP / Eth / Phy)
  - 802.3 based main interfaces
  - Subinterfaces: .1q, QnQ
  - Native IP capable transport technologies: 802.11, 802.16
- IP, Routed (stack: IP / Eth / Phy)
  - Any access technology

[Diagram labels: Access; Distribution; Ethernet]

Dynamic Session Initiation
ISG Session

ISG sessions are initiated at the First Sign of Life (FSOL)
FSOL depends on the Session Type

PPP Sessions - FSOL
- PPP Call Request (LCP)

IP Sessions - FSOL (... there are options ...)
- Unclassified MAC or IP Data Traffic
  - IP packet with unknown MAC or IP source address
  - Use MAC for L2-connected IP sessions
  - Use IP for routed IP sessions
- DHCP: DHCP Discover message
  - ISG must be DHCP Relay or Server
- RADIUS: RADIUS Access Request OR Accounting Start
  - ISG must be a Radius Proxy
  - Typically used in PWLAN and WiMAX environments

[Diagram labels: Wireless Client; AP]

Session Authentication
ISG Session

Authentication: Allow Access to Network Resources Only to Recognized Users

Authentication models supported:
- Access Protocol Native Authentication:
  - PPP: CHAP/PAP
  - IP: EAP for wireless client
  - DHCP Authentication
- Transparent Auto Logon (TAL):
  - Authenticates using subscriber related network identifiers, e.g. MAC/IP address, DHCP Option 82, PPPoE Tags...
- Web Logon

Authentication Is Not Mandatory on a Session, but Used in Most Situations

Session Authentication: IP
ISG Session

IP common scenarios
[Diagram axis: Deployment likelihood (+)]

Web Logon
[Diagram labels: Data Traffic redirection; Web Portal; AAA Server; RADIUS Username: WebLogon Username]
- User traffic redirected to Web Portal to enter credentials
- User Credentials propagated to the ISG
- ISG uses credentials to authenticate user with AAA server
- Applicable to all session types

TAL: Option82 Auth
[Diagram labels: DHCP exchange; Access SW inserts Option 82 CircuitID/RemoteID; AAA Server; RADIUS Username: MAC:RemoteID:CircuitID]
- Access Switch inserts Option82 Circuit and Remote ID in DHCP Requests
- ISG performs authentication using a combination of Circuit and RemoteID as username
- ISG session must be DHCP initiated

EAP Auth (EAP based auth)
[Diagram labels: EAP; Wireless Client; AP; RADIUS; AAA Server; RADIUS Username: EAP username]
- User starts EAP authentication with Access Point (AP)
- ISG impersonates RADIUS server toward AP and RADIUS client toward real server
- ISG learns session authentication status by proxying RADIUS messages between real RADIUS client and Server
- ISG session must be RADIUS initiated

TAL: IP/MAC
[Diagram labels: Data Traffic; AAA Server; RADIUS Username: MAC or IP]
- ISG performs authentication using identifiers from subscriber traffic (source IP/MAC)
- MAC typically used in L2-connected IP topologies, IP used in routed IP topologies

MAC Authentication for Routed IP Sessions

[Call flow between DHCP Client, L3 cloud, DHCP Server and AAA Server, in order:]
- DHCP Address Assignment exchange
- Data Traffic
- DHCP LeaseQuery (Client IP)
- DHCP LeaseActive (Client IP->MAC)
- RADIUS Access Request, username: Client MAC
- RADIUS Access Accept, username: Client MAC

- Client MAC address not directly available to ISG in routed scenarios with external DHCP server
- DHCP Leasequery can be used to retrieve Client MAC address from DHCP Server
- Retrieved MAC address can be used:
  - for MAC based authentication
  - as Calling-Station-ID in Accounting Records

Session Termination
ISG Session

IP and PPP Sessions
- Web Logoff (Web Portal: RADIUS CoA Account-Logoff)
- Idle and Absolute Timeouts/Timer Expiry
- RADIUS PoD (Packet Of Disconnect) (Policy Manager: RADIUS PoD)

PPP Sessions Exclusively
- PPP and PPPoX protocol events
  - ppp disconnect; ppp keepalives or L2TP hellos failure

IP Sessions Exclusively
- ICMP/ARP keepalive failure
  - ICMP Keepalives used for routed sessions
  - ARP keepalives used for l2-connected sessions
- DHCP Release OR DHCP lease expiry (DHCP initiated sessions only)
- RADIUS Accounting Stop

[Diagram labels: Keepalive failure; EAP; Wireless Client; AP]

ISG Services
ISG services

Service: A collection of features that are applicable on a subscriber session
Service = {feat.1, feat.2, ..., feat.n}

Features
- Session Administration
  - Portbundle (PBHK)
  - Keepalives: ICMP and ARP based
  - Timeouts: Idle, Absolute
- Traffic Conditioning
  - QoS: Policing, MQC
  - Security: Per User ACLs
- Traffic Forwarding Control
  - Subscriber Address Assignment Control
  - Redirection: Initial, Permanent, Periodic
  - VRF assignment: Initial, Transfer
  - L2TP assignment
  - [Callout next to VRF assignment and L2TP assignment: Associated to Primary Services]
- Traffic Accounting
  - PostPaid
  - Prepaid: Time/Volume based
  - Tariff Switching
  - Interim
  - Broadcast

Primary Service: Contains one traffic forwarding feature and optionally other features; only one primary service can be active on a session

ISG Feature Granularity
Per Session or Per Traffic Class (TC)?
ISG services

- ISG Classification resembles Modular QoS CLI (MQC)
- Each Traffic Class can have a different set of features applied
- IP ACLs (standard or extended) are used to create differential flows (Traffic Classes)
- A Traffic Class and its associated features are also referred to as a TC service
- A Default TC can be used to drop traffic that could not be classified

[Diagram labels: SubscriberX Data; Subscriber Session; Classification; ACL -> TC1, ACL -> TC2, ACL -> TC3; Flow Features; Session Features grouped in Session Services]

When Should I Use TC Services?
ISG services

- To permit Open Garden traffic over an unauthenticated session while dropping all other traffic (default drop)
- To identify what traffic should be redirected to an external appliance (Web Logon, Periodic Advertisement)
- For differentiated billing based on application usage
- To offer different QoS levels to different flows

[Diagram labels: Subscriber Data; Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server); Internet/Core; Guest Portal (Open Garden); Video/Audio Servers (Walled Garden)]

What Goes Where...
Applying Features to Session or TC
ISG services

[Table: features (rows) marked "x" under the columns Session and Traffic Class (TC); the Session column carries 10 marks and the Traffic Class (TC) column 4 marks, but their row positions did not survive extraction]

Rows:
- Session Administration: Portbundle (PBHK); Absolute/Idle Timeouts; ICMP and ARP keepalives
- Traffic Conditioning: Policing; MQC; Per User ACLs
- Traffic Forwarding Control: Redirection; VRF assignment; L2TP assignment
- Traffic Accounting: Postpaid Accounting; Prepaid Accounting

Note: Restrictions apply; verify feature availability on your platform with the feature navigator

How Many Features in a Service? How Many Services on a Session?
ISG services

Session Services
- No limit in number of features per service
- A service is smallest atomic configuration unit that can be activated and deactivated
- Deactivating a service implies deactivating all associated features
- No limit in number of services per session
- Good Practice: Different services have different set of features

Standalone features
- Features can be directly enabled on a session without using a service
- Once activated, a standalone feature can be modified, but not removed
- No limit in number of features per session
- Good Practice: standalone features and session service features do not overlap

TC Services
- No limit in number of features per service
- No limit in number of services per session
- Only a single service at the time applied to traffic (Priority based)

[Diagram labels: Subscriber Session; Feature 1, Feature 2 ... FeatureN; Session Service; Service3 ... ServiceM; TC Service; TC ACL]

ISG Subscriber Session
Building the Data Plane
ISG services

[Diagram labels: Data; Subscriber Session; Session Service (Feature 1, 2, 3); ACL -> TC1 (TC1Service: priority 10); ACL -> TC2 (TC2Service: priority 20); DefaultClass; Traffic Forwarding Service]

- Session Features: apply to the entire session (e.g. per-user ACL, Policing, MQC, Accounting)
- Traffic Classification: using traffic classes (class-map type traffic)
- Flow-Features: apply to the classified flow (a portion of entire session traffic)
- Forwarding Service: Forwarding (at L2, e.g. L2TP) or Routing (at L3, e.g. VRF); mutually exclusive

ISG Subscriber Session
Traffic Forwarding
ISG services

[Diagram labels: Data; Subscriber Session; Session Service (Feature 1, 2, 3); ACL (permit / deny) -> TC1 (TC1Service: priority 10); ACL (permit / deny) -> TC2 (TC2Service: priority 20); DefaultClass: Allow traffic / drop traffic; Traffic Forwarding Service]

- Session Features: apply to the entire session (e.g. per-user ACL, Policing, MQC, Accounting)
- Traffic Classification: using traffic classes (class-map type traffic)
- Flow-Features: apply to the classified flow (a portion of entire session traffic)
- Forwarding Service: Forwarding (at L2, e.g. L2TP) or Routing (at L3, e.g. VRF); mutually exclusive

Defining Services
ISG services

Location: AAA Server
- Services defined in Service Profiles
- Standard and Vendor Specific RADIUS attributes used
- On demand download on a need basis
Download:
- Premium HSI service should be activated on the session; no definition yet available
- RADIUS Access-request, Username: Premium_HSI, Password: <service pwd>
- RADIUS Access-accept: Features associated w/ service
- Service Activated on session
- Service Stored in local cache while in use by at least 1 session

Location: Policy Manager (supporting the SGI Interface)
- Services defined in XML
- Pre-download of all existing services
Download:
- Definition of all existing Services typically pre-downloaded on Box
- SGI Request
- SGI Response: Premium, Standard, Basic HSI service definitions
- Services permanently stored in local database

Location: ISG
- Services pre-configured using CLI
- Services defined on Service Policies: policy-map type service <name>
- Services permanently stored in local database

How Services Are Activated on a Session?
ISG services

During Subscriber Authentication/Authorization
- Subscriber is successfully authenticated
- RADIUS Response includes Services and Features to activate on Session (from UserProfile)
- [Diagram labels: RADIUS Acc-req; RADIUS Acc-accept]

Via an External Policy Manager/Web Portal
- Service Activation request sent by External Policy Managers via a RADIUS CoA or a SGI Request message
- [Diagram labels: RADIUS CoA or SGI Request]

Via the On-Box Policy Manager
- Policy Plane determines what actions to take on session based on events
  - actions *include* applying a service
- Control Plane ensures actions are taken, i.e. provisions the data plane
- Data Plane enforces traffic conditioning policies to the session
- [Diagram labels: events (from external PM, Administrator, Subscriber, from data plane); Policy plane; Control plane; actions; Data plane]

[Diagram labels on each panel: Subscriber; Subscriber Policy Layer (DHCP Server, Web Portal / Policy Server, AAA Server)]

ISG Control Policy


The On-Box Policy Manager (PM)

Handles All Aspects of Subscriber Session Lifecycle, Not Just Service Activation!

Session Life Cycle (Initiation, Authentication, Service Activation, Termination) described using Cisco Policy Language

Through CPL and the On-Box PM, ISG Is Not Only a Policy Enforcement Point (PEP); It Is Also a Policy Decision Point (PDP)

Cisco Policy Language CLI

Control policy-map
- Typically applied on interface
- Defines all aspects of session processing

policy-map type control <name>
 ! event 1
 class type control <conditions> event <event type>
  action1
  action2
  ....... (more actions for event)
 ! event 2
 .......
 ! more events

Conditional class of events
- Events are identified by their event type
- Common event types:
  - Session-start: New session detected
  - Account-logon: Account-Logon msg. received from external source
  - Service-start: new service start req. from external source
  - Service-stop: Service termination req. from external source
  - Timed-policy-expiry: Set Timer expired
- Event actions are executed only if <conditions> are met for the event
- Multiple instances of same event w/ unique condition
  - Different set of actions for same event type
- Conditions account for other aspects surrounding the event

Actions
- Actions are in an ordered list
- Different set of actions per {event, condition}
- Common action types:
  - Service: Used to start a new service
  - Authenticate: Used to authenticate a session using subscriber's credentials
  - Authorize: Used to authenticate a session using one or more network identifiers (TAL)
  - Service Unapply: Used to terminate an active service
  - Set-Timer: Used to generate an event after a configured amount of time

Control Policy Structure

Configuring ISG mostly implies configuring the control policy
Control policy determines the operations to be executed on a session upon different events

policy-map type control <map name>
 ! Event 1 ("always": the event is always valid)
 class type control always event session-start
  ! Action 1
  10 service-policy type service name <service name>
  ! Action 2
  20 authorize aaa password lab identifier mac
  ...
 ! Event 2
 class type control <condition> event service-start
  ....

Events:
- Session-start
- Account-logon
- Service-start
- ...

Actions:
- apply/unapply a service
- authenticate (Web Logon)
- authorize (TAL)
- ...

Condition:
- Qualify in what cases the event is valid
- Configured as a control class: class-map type control <name>

Defining a Control Policy
Policy-Map Type Control

Control Policy: Associate Events and Conditions to an ordered list of Actions

[Diagram: each Event and Condition pair leads to a Control Class with a List of Actions:]
- Control Class: 1. Disable Service B; 2. Enable Service A
- Control Class: 1. Enable Service X; 2. Enable Service Y; 3. Take Action R
- Control Class: 1. Enable Service PBHK; 2. Take action AAA; 3. Enable Service L4R; 4. Take action: Set Timer

policy-map type control SUBSCRIBER_RULE
 class type control always event session-start
  10 service-policy type service name PBHK
  20 authorize aaa password lab identifier mac-addr
  30 service-policy type service name L4R
  40 set-timer IP_UNAUTH_TIMER 15
 !
 class type control always event account-logon
  10 authenticate aaa list IP_AUTH_LIST
  20 service-policy type service unapply name L4R
 !
 class type control CND_U event timed-policy-expiry
  10 service disconnect
 !
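The SUBSCRIBER_RULE policy above, parsed and dispatched in Python, as an added example that is not part of the original slides or of Cisco's code. It shows the ordered action list per {event, condition} and a review check that unauthenticated sessions are timed out. Assumptions: classes are evaluated top to bottom with the first matching class winning, and actions_for and unauth_sessions_expire are hypothetical helper names.

```python
import re

# The SUBSCRIBER_RULE control policy as shown on the slide.
POLICY_TEXT = """\
policy-map type control SUBSCRIBER_RULE
 class type control always event session-start
  10 service-policy type service name PBHK
  20 authorize aaa password lab identifier mac-addr
  30 service-policy type service name L4R
  40 set-timer IP_UNAUTH_TIMER 15
 !
 class type control always event account-logon
  10 authenticate aaa list IP_AUTH_LIST
  20 service-policy type service unapply name L4R
 !
 class type control CND_U event timed-policy-expiry
  10 service disconnect
 !
"""

CLASS_RE = re.compile(r"class type control (\S+) event (\S+)")
ACTION_RE = re.compile(r"(\d+)\s+(.+)")


def parse_control_policy(text):
    """Return (policy name, [(condition, event, [(seq, action), ...]), ...])."""
    name, classes = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("policy-map type control "):
            name = line.split()[-1]
        elif (m := CLASS_RE.fullmatch(line)):
            classes.append((m.group(1), m.group(2), []))
        elif (m := ACTION_RE.fullmatch(line)):
            if not classes:
                raise ValueError(f"action outside a control class: {line!r}")
            classes[-1][2].append((int(m.group(1)), m.group(2)))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return name, classes


def actions_for(classes, event, true_conditions=frozenset()):
    """Actions run for an event, in sequence-number order.

    A class contributes only if its condition is 'always' or is listed in
    true_conditions. Assumption: the first matching class wins.
    """
    for condition, class_event, actions in classes:
        if class_event != event:
            continue
        if condition == "always" or condition in true_conditions:
            return [action for _, action in sorted(actions)]
    return []


def unauth_sessions_expire(classes):
    """Review check: session-start arms a timer and a timer-expiry class disconnects."""
    arms_timer = any(a.startswith("set-timer ")
                     for a in actions_for(classes, "session-start"))
    disconnects = any(
        event == "timed-policy-expiry"
        and any(action == "service disconnect" for _, action in actions)
        for _, event, actions in classes
    )
    return arms_timer and disconnects


if __name__ == "__main__":
    policy_name, policy_classes = parse_control_policy(POLICY_TEXT)
    print(policy_name)
    for ev in ("session-start", "account-logon", "timed-policy-expiry"):
        print(ev, "->", actions_for(policy_classes, ev, {"CND_U"}))
    print("unauthenticated sessions expire:", unauth_sessions_expire(policy_classes))
```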

ISG as IP Session Aggregator


ISG as IP Session Aggregator (L2)

[Topology labels: g0/0.1; Lo0 = 10.0.0.1; f1/0 .2; 192.168.110.0/24 with hosts .10 and .12; Internet]

Interf.:            GE (.1Q)
Address Assmt.:     DHCP (ISG is DHCP Relay)
Session Initiator:  DHCP
Authentication:     TAL (mac address) w/ Web Logon fall back for Self Subscription

Once authenticated subscriber will be assigned a Pay Per Use Standard High Speed service:
- 256Kbps upstream / 768Kbps downstream via ISG policing
- Accounting
- Idle timeout (10 min)

Call Flows L2 IP Session

Call flow:
- 1a: DHCP Discover; Session-start event posted
- 2: ISG session creation
- 3: PBHK service applied (*)
- 4a: Access-Request, username = mac
- 4b: Access-Reject
- 5: OpenGarden and L4R services applied (*)
- 6: Authentication Timer started
- 1b: DHCP Discover
- 1c: DHCP Exchange

(*) assumes that the definition of PBHK, L4R and OpenGarden are already available on the ISG

Configuration (step numbers annotated on the slide: 2 = "initiator dhcp class-aware" and the session-start class; 3 = action 10; 4a = action 20; 5 = actions 30 and 40; 6 = action 50):

interface GigabitEthernet 0/0.1
 encapsulation dot1Q 10
 ip address ...
 service-policy type control IP_SESSION_RULE1
 ip subscriber l2-connected
  initiator dhcp class-aware

policy-map type control IP_SESSION_RULE1
 class type control always event session-start
  10 service-policy type service name PBHK_SRV
  20 authorize aaa list IP_AUTHOR_LIST password cisco123 identifier mac-addr
  30 service-policy type service name OG_SRV
  40 service-policy type service name L4R_SRV
  50 set-timer AUTHEN_TMR 10
 <snip>

Call Flows

Simplified call flow:
- 8, 9: http://www.cisco.com; L4Redirect to Portal; HTTP Redirect. User self-registers
- 10a: CoA Req. Account Logon (username, password)
- 10b: AccountLogon event posted
- 11a: Access-Request (username, password)
- 11b: Access-Accept (service: BASIC_HSI_SRV)
- 11c: Service-start event posted
- 12a: Access-Request (BASIC_HSI_SRV, srvpwd)
- 12b: Access-Accept (BASIC_HSI_SRV definition)
- 13: BASIC_HSI_SRV is applied
- 14: Accounting-Request (Start) and Response
- 15: L4R and OpenGarden services are unapplied
- 10c: CoA Ack. Account Logon
- 16: http://www.cisco.com

Configuration (step numbers annotated on the slide: 10b = the account-logon class; 11a = action 10; 15 = actions 20 and 30; 11c = the service-start class; 12a = its action 10):

aaa authorization subscriber-service default group SERVER_GRP1
subscriber service password servicecisco
policy-map type control IP_SESSION_RULE1
 <snip>
 class type control always event account-logon
  10 authenticate aaa list IP_AUTHEN_LIST
  20 service-policy type service unapply name L4R_SRV
  30 service-policy type service unapply name OG_SRV
 !
 class type control BASIC_HSI_SRV_CM event service-start
  10 service-policy type service identifier servicename

Service definition returned in step 12b:

Service-Name: BASIC_HSI_SRV
Service-Password: servicecisco
Attr 28: idle-timeout = 600
AVPair: subscriber:accounting-list=IP_ACCNT_LIST
ServiceInfo: QU;256000;D;768000;

Use Case Full Configurations
Northbound Interfaces (I.)

! RADIUS interface configuration
aaa new-model
aaa group server radius SERVER_GRP1
 server 192.168.110.10 auth-port 1812 acct-port 1813
!
aaa authorization network default group SERVER_GRP1
aaa authorization subscriber-service default group SERVER_GRP1
subscriber service password servicecisco
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
ip radius source-interface Loopback0
radius-server attribute 4 10.0.0.1
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 access-request include
radius-server attribute 55 include-in-acct-req
radius-server attribute 44 include-in-access-req
radius-server host 192.168.110.10 auth-port 1812 acct-port 1813 key aaacisco
radius-server vsa send authentication
radius-server vsa send accounting

! RADIUS Extensions interface configuration
aaa server radius dynamic-author
 client 192.168.110.10
 server-key cisco
 auth-type any
 port (1700)

Attribute 6 - Service-Type
Attribute 8 - Framed-IP-Address
Attribute 32 - NAS-Identifier
Attribute 44 - Acct-Session-Id
Attribute 55 - Event-Timestamp

Use Case Full Configurations
Services (II.)

AAA Server configuration

Service-Name = OG_SRV
Service Password = servicecisco
AVPair: ip:traffic-class=input access-group name OG_ACL_IN priority 10
AVPair: ip:traffic-class=output access-group name OG_ACL_OUT priority 10
AVPair: ip:traffic-class=in default drop
AVPair: ip:traffic-class=out default drop

Service-Name = L4R_SRV
Service Password = servicecisco
AVPair: ip:traffic-class=input access-group name L4R_ACL_IN priority 20
AVPair: ip:l4redirect=redirect to group REDIR_GRP

Service-Name = PBHK_SRV
Service Password = servicecisco
AVPair: ip:portbundle=enable

Service-Name: BASIC_HSI_SRV
Service-Password: servicecisco
Attr 28: idle-timeout = 600
AVPair: subscriber:accounting-list=IP_ACCNT_LIST
ServiceInfo: QU;256000;D;768000;

Cfg required on ISG

! OpenGarden service associated configurations
ip access-list extended OG_ACL_IN
 permit ip any 192.168.110.0 0.0.0.255
ip access-list extended OG_ACL_OUT
 permit ip 192.168.110.0 0.0.0.255 any

! L4R service associated configurations
redirect server-group REDIR_GRP
 server ip 192.168.110.10 port <TCP port #>
!
ip access-list extended L4R_ACL_IN
 permit tcp any any

! PBHK service associated configurations
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet1/0
 description To WebPortal
 ip address 192.168.110.1 255.255.255.0
 ip portbundle outside
!
ip portbundle
 match access-list 198
 source Loopback0
!
access-list 198 permit ip any host 192.168.110.10

! Basic HSI service associated configurations
aaa accounting network IP_ACCNT_LIST group SERVER_GRP1


Use Case Full Configurations

PBHK: Port Bundle Host Key

* Used to generate a host key -> common identifier that ISG & Portal can use to reference a subs. session
- Extracted by the Portal from packets sourced by subscriber
- If PBHK
  - disabled: host key: IP Source Address (Subscriber IP Address)
  - enabled: ISG performs a port NAT (PAT) like operation to subscriber packets destined to portal
    host key: ISG IP address + PBHK ID (L4 Source Port (12 MSBs)): 10.0.0.1:<pbhk_id>

[Figure: subscriber 192.168.30.10, ISG (Lo0 = 10.0.0.1, PBHK intf = Lo0), portal 192.168.110.10]
Subscriber side of the ISG: HTTP, IP SA: 192.168.30.10, IP DA: 192.168.110.10, TCP: <SSAP>:80
Portal side of the ISG: HTTP, IP SA: 10.0.0.1, IP DA: 192.168.110.10, TCP: <pbhk l4 sport>:80
Other figure labels: Activate Service GOLD_DATA; Apply service to 10.0.0.1:<pbhk_id>

* PBHK Benefits:
Support for overlapping host IP addresses
Subscribers needn't be routable from Portal
Single Portal can serve multiple ISGs
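The host-key derivation described on the PBHK slide, as an added Python model (not Cisco code and not part of the deck). Only the "12 MSBs of the L4 source port" rule comes from the slide; the `IsgModel` class, its bundle allocation scheme, the starting bundle number and the second ISG address 10.0.0.2 are assumptions made for illustration.

```python
"""Simplified model of Port-Bundle Host-Key (PBHK) mapping; not Cisco code."""
from itertools import count

BUNDLE_BITS = 12                  # from the slide: PBHK ID = 12 MSBs of the L4 source port
PORT_BITS = 16 - BUNDLE_BITS      # low bits left for ports inside one bundle (assumption)


class IsgModel:
    """Hypothetical ISG that gives every subscriber session its own port bundle."""

    def __init__(self, pbhk_source_ip, first_bundle=64):
        self.source_ip = pbhk_source_ip          # address of the "source Loopback0" interface
        self._bundle_ids = count(first_bundle)   # constructed starting value
        self._sessions = {}                      # subscriber IP -> (bundle id, {sport: slot})

    def translate(self, subscriber_ip, subscriber_sport):
        """PAT-like rewrite of a subscriber packet destined to the portal."""
        if subscriber_ip not in self._sessions:
            bundle = next(self._bundle_ids)
            if bundle >= 1 << BUNDLE_BITS:
                raise RuntimeError("no free port bundle")
            self._sessions[subscriber_ip] = (bundle, {})
        bundle, slots = self._sessions[subscriber_ip]
        if subscriber_sport not in slots:
            if len(slots) >= 1 << PORT_BITS:
                raise RuntimeError("bundle full: too many flows for this session")
            slots[subscriber_sport] = len(slots)
        return self.source_ip, (bundle << PORT_BITS) | slots[subscriber_sport]


def host_key(src_ip, src_port):
    """Portal side: derive the host key from the packet it receives."""
    if not 0 <= src_port < 1 << 16:
        raise ValueError("L4 port must fit in 16 bits")
    return f"{src_ip}:{src_port >> PORT_BITS}"


def demo():
    """Two ISGs serve subscribers that share the same (overlapping) IP address."""
    isg_a = IsgModel("10.0.0.1")
    isg_b = IsgModel("10.0.0.2")                 # second ISG address is constructed
    sub = "192.168.30.10"
    return {
        "a_flow1": host_key(*isg_a.translate(sub, 50001)),
        "a_flow2": host_key(*isg_a.translate(sub, 50002)),
        "a_other": host_key(*isg_a.translate("192.168.30.11", 50001)),
        "b_flow1": host_key(*isg_b.translate(sub, 50001)),
    }
```

Because the portal identifies a session purely from the source address and port it sees, the host key is only as trustworthy as the path between the ISG's `ip portbundle outside` interface and the portal.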

Use Case Full Configurations

L4 Redirect

Subscriber's traffic, matching a flow description, is redirected to a destination and a L4 port defined on the ISG
Any TCP and UDP traffic can be redirected
The target server is responsible for handling the redirected traffic

[Figure: subscriber 192.168.30.10, portal 192.168.110.10, www.cisco.com 198.133.219.25]
Before redirect: HTTP, IP SA: 192.168.30.10, IP DA: 198.133.219.25, TCP: <SSAP>:80
After redirect: HTTP, IP SA: 192.168.30.10, IP DA: 192.168.110.10, TCP: <SSAP>:<redirect port>

Use Case Full Configurations

TC Priority

Defines order in which TC ACLs are matched against incoming traffic
Lower numerical value -> Higher Priority
First Match honored



Use Case Full Configurations

Traffic Classification

TC priority is important (order of ACL evaluation)
Traffic goes to next TC only if not matched by previous

[Figure: Subscriber Session. Data (TC1 or TC2?) is checked against Traffic Class1 (ACL1, priority 10) and then Traffic Class2 (ACL2, priority 20), each with a permit and a deny branch. A permit applies that class's Feature(s) before Traffic Forwarding; traffic matching no class reaches the Default Class (Allow traffic / drop traffic).]

Flow-Features
Apply to the classified flow (a portion of the entire session data)
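The matching order described on the TC Priority and Traffic Classification slides, as an added Python model of the input direction (not Cisco code and not part of the deck). The ACL entries, priorities and default action are taken from the OG_SRV and L4R_SRV profiles above; the class and function names are hypothetical, and the wildcard mask 0.0.0.255 is written as a /24 prefix.

```python
"""Model of ISG traffic-class matching for upstream (input) traffic; illustrative only."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    proto: str   # "ip" matches every protocol, as in an IOS extended ACL
    dst: str     # destination network in CIDR form; "0.0.0.0/0" means "any"

    def matches(self, proto, dst_ip):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


@dataclass(frozen=True)
class TrafficClass:
    service: str
    priority: int
    permits: tuple   # permit entries; no match is an implicit deny -> try next TC
    feature: str


# OG_ACL_IN: permit ip any 192.168.110.0 0.0.0.255, priority 10
OG_IN = TrafficClass("OG_SRV", 10, (AclEntry("ip", "192.168.110.0/24"),), "forward")
# L4R_ACL_IN: permit tcp any any, priority 20, feature ip:l4redirect
L4R_IN = TrafficClass("L4R_SRV", 20, (AclEntry("tcp", "0.0.0.0/0"),),
                      "redirect to group REDIR_GRP")
DEFAULT_IN = "drop"  # ip:traffic-class=in default drop


def classify(proto, dst_ip, classes=(OG_IN, L4R_IN), default=DEFAULT_IN):
    """Return (service, action) for one upstream packet of an unauthenticated session."""
    for tc in sorted(classes, key=lambda c: c.priority):   # lower number = higher priority
        if any(entry.matches(proto, dst_ip) for entry in tc.permits):
            return tc.service, tc.feature                   # first match honored
    return "default", default


def misordered():
    """Same ACLs with priorities swapped: traffic to the portal itself is redirected."""
    swapped = (TrafficClass("OG_SRV", 20, OG_IN.permits, OG_IN.feature),
               TrafficClass("L4R_SRV", 10, L4R_IN.permits, L4R_IN.feature))
    return classify("tcp", "192.168.110.10", swapped)
```

With the priorities from the slides, open-garden destinations are forwarded, any other TCP flow is redirected, and everything else (for example UDP to an outside host) is dropped by the default class.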


Use Case Full Configurations

Control Policy

policy-map type control IP_SESSION_RULE1
 ! IV.
 class type control AUTH_TMR_CM event timed-policy-expiry
  1 service disconnect
 !
 ! V.
 class type control BASIC_HSI_SRV_CM event service-start
  10 service-policy type service identifier service-name
 !
 ! V.
 class type control BASIC_HSI_SRV_CM event service-stop
  1 service-policy type service unapply service-name
  10 service-policy type service name L4R_SRV
  20 service-policy type service name OG_SRV
 !
 ! IV.
 class type control always event session-start
  10 service-policy type service name PBHK_SRV
  20 service-policy type service name OPENGARDEN_SRV
  30 authorize aaa list IP_AUTHOR_LIST password cisco123 identifier mac-address
  40 service-policy type service name L4R_SRV
  50 set-timer AUTH_TMR 10
 !
 ! IV.
 class type control always event account-logon
  10 authenticate aaa list IP_AUTHEN_LIST
  20 service-policy type service unapply name L4R_SRV
  30 service-policy type service unapply name OG_SRV
 !
 class type control always event account-logoff
  1 service disconnect delay 5
 !

Method Lists (IV.):

aaa authorization network IP_AUTHOR_LIST group SERVER_GRP1
aaa authentication login IP_AUTHEN_LIST group SERVER_GRP1

Control Classes:

! V.
class-map type control match-any BASIC_HSI_SRV_CM
 match service-name BASIC_HSI_SRV
! IV.
class-map type control match-all AUTH_TMR_CM
 match timer AUTH_TMR
 match authen-status unauthenticated

Interface (III.)

interface GigabitEthernet 0/0.1
 encapsulation dot1Q 10
 ip address 192.168.30.1 255.255.255.0
 service-policy type control IP_SESSION_RULE1
 ip subscriber l2-connected
  initiator DHCP

DHCP Relay cfg (III.)

ip dhcp pool POOL_VLAN10
 relay source 192.168.30.0 255.255.255.0
 relay destination 192.168.110.12

(192.168.110.12: DHCP server address)

Summary


Summary Slide
The Next Wave of Broadband
User Centric Network
Access Technology Abstraction

ISG Overview
What is ISG?
ISG Sessions
ISG Services
Cisco Policy Language


Key Takeaways

ISG is a Subscriber Aggregation device that provides Subscriber and Service Management functions

Can be deployed in several architectures to support wired and wireless subscribers and for both PPP and IP-based subscriber access

Offers a wide choice of subscriber authentication options, e.g. PPP CHAP/PAP, EAP, TAL, Web Auth, DHCP Authentication

Multiple, open and standard based northbound interfaces simplify inter-working with existing BackOffice appliances

Configuration model based on predefined events and user defined actions allows for flexible and fully customizable session and service management

Glossary

Acronyms

AAA - Accounting Authentication Authorization
AAL5 - ATM Adaptation Layer 5
ACL - Access Control List
ATM - Asynchronous Transfer Mode
BNG - Broadband Network Gateway
BRAS - Broadband Remote Access Server
CoA - Change of Authorization
CHAP - Challenge-Handshake Authentication Protocol
CLI - Command Line Interface
CMTS - Cable Modem Termination System
CPE - Customer Premises Equipment
CPL - Cisco Policy Language
DHCP - Dynamic Host Configuration Protocol
DS - Down Stream
DSL - Digital Subscriber Line
DSLAM - Digital Subscriber Line Access Multiplexer
EAP - Extensible Authentication Protocol
FSOL - First Sign Of Life
GE - Gigabit Ethernet
IPoE - IP over Ethernet
IPTV - IP Television
HSI - High Speed Internet
IOS - Internetwork Operating System
IP - Internet Protocol
ISG - Intelligent Services Gateway
ISP - Internet Service Provider
L2TP - Layer 2 Tunneling Protocol
LAC - L2TP Access Concentrator
LAN - Local Area Network
LNS - L2TP Network Server
MPLS - Multi Protocol Label Switching
MQC - Modular QoS CLI
NAS - Network Access Server
PAP - Password Authentication Protocol
PBHK - Port Bundle Host Key
PON - Passive Optical Network
Phy - Physical
PM - Policy Manager
PPP - Point to Point Protocol
PPPoA - PPP over ATM
PPPoE - PPP over Ethernet
PPPoX - PPP over X X=Ethernet, ATM,
PTA - PPP Aggregation and Termination
PWLAN - Public Wireless LAN
QoS - Quality of Service
RADIUS - Remote Authentication Dial In User Service
RFC - Request For Comments
SGI - Services Gateway Interface
TAL - Transparent Auto Logon
TC - Traffic Class
US - Upstream
VC - Virtual Circuit
VLAN - Virtual LAN
VoIP - Voice over IP
VoD - Video on Demand
VPN - Virtual Private Network
VRF - Virtual Routing Forwarding
VSA - Vendor Specific Attribute
WiMAX - Worldwide Inter-operability for Microwave Access
XML - Extensible Markup Language


Q&A
