Supported Ssg Features; Ssg Restrictions - Cisco OL-4387-02 Configuration Manual

Supported SSG Features

Supported SSG Features
The Cisco 10000 series router supports the following SSG features and functionality:
•
•
•
•
•
•
•
•
•
•
•
•
•
For more information about the SSG features, refer to the
feature
For information about SSG features supported in a specific Cisco IOS release, refer to the
Cisco 10000 Series Router Feature

SSG Restrictions

The SSG feature has the following restrictions:
•
•
•
•
Cisco 10000 Series Router Service Selection Gateway Configuration Guide
1-4
SSG Logon and Logoff, page 3-1
Authentication and Accounting, page 4-1
Service Selection Methods, page 5-1
Service Connection, page 6-1
Service Profiles and Cached Service Profiles, page 7-1
SSG Hierarchical Policing, page 8-1
Interface Configuration, page 9-1
SSG TCP Redirect, page 10-1
VPI/VCI Static Binding to a Service Profile, page 11-1
RADIUS Virtual Circuit Logging, page 11-2
AAA Server Group Support for Proxy Services, page 11-2
Packet Filtering, page 11-3
SSG Unconfig, page 11-5
module.
When using SSG hierarchical policing on Cisco 10000 Series routers, a maximum of 8 policing rates
can be used per uplink interface and R attribute combination. Of these 8 rates, 1 is reserved for "no
policing", leaving 7 different police rates available per uplink interface and R attribute combination
For example, if eight SSG services are bound to the same SSG next-hop and all eight services carry
an R attribute of "R0.0.0.0;0.0.0.0", the ninth service will fail to acquire correct policing rates and
this error message may appear:
%GENERAL-3-EREVENT: C10KSSG: Vi2.8 svc_bitmap 0x2 Unable to set connection rate
Network address translation (NAT) functionality is not supported. This means that the router does
not support concurrent access to multiple services for which the services, not the access provider,
must assign the user's IP address. For example, this restriction applies to concurrent access to a
private service and SESM or the Open Garden network, or concurrent access to a tunnel service and
SESM or the Open Garden network.
The Cisco 10000 series router adds reachability information to the Open Garden and default
networks for all services, both public and private. Because NAT is not supported, the addresses for
the Open Garden and default networks cannot overlap addresses defined within the service
definition.
To restrict access to the Open Garden network by private services, you must specifically bind the
Open Garden to the uplink interfaces. Do not bind the Open Garden to the interface used by the
private service.
Service Selection Gateway, Release 12.2(15)B
Map.
Chapter 1 Service Selection Gateway Overview
OL-4387-02