Cisco Packet Data Gateway (PDG)
SecGW Service Creation
WSG Service Configuration
SecGW Administration Guide, StarOS Release 18
Characteristics and Limitations
The following factors characterize WSG service configuration:
A WSG service configuration has precedence over the equivalent configuration in subscriber mode or in the template payload.
Any change made to a WSG service requires that the service be restarted before the changed parameters take effect. You restart the service by unbinding and then rebinding the IP address to the service context.
Up to 16 named IPv4 pools can be configured. The list is sorted, and addresses are allocated from the first pool in the list that still has available addresses.
Multiple IPv6 pools can be configured.
Multiple IPv4 and IPv6 ACLs can be configured.
IPv4 pools are used only for IPv4 calls; IPv6 pools are used only for IPv6 calls.
Lookup Priority
The Wireless Security Gateway Lookup Priority List Configuration Mode is used to set the priority (1–6) of subnet combinations for site-to-site tunnels.
The following command sequence sets the lookup priority:
config
  wsg-lookup
    priority priority_level source-netmask subnet_size destination-netmask subnet_size
For the packet lookup to work optimally, the top bits of the negotiated TSi for all the tunnels should be unique. The number of top bits that must be unique is equal to the lowest destination-netmask configured under all lookup priorities.
For example, if the lowest destination-netmask configured under any priority is 16:
priority 1 source-netmask 20 destination-netmask 18
priority 2 source-netmask 22 destination-netmask 16
A valid set of traffic selectors for the configured set of lookup priorities would be:
IPSec Tunnel 1: 10.11.1.0(tsi) - 20.20.1.0(tsr)
IPSec Tunnel 2: 10.10.2.0(tsi) - 20.20.2.0(tsr)
An invalid set of traffic selectors would be:
IPSec Tunnel 1: 10.10.1.0(tsi) - 20.20.1.0(tsr)
IPSec Tunnel 2: 10.10.2.0(tsi) - 20.20.2.0(tsr)
The above set is invalid because the top 16 bits of the TSi for these two tunnels are not unique: both are 10.10.
The network should be designed to accommodate this requirement.
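The uniqueness rule above is easy to get wrong by hand once more than a handful of tunnels and priorities are involved, so the following added example (not StarOS code, and not from the guide) parses lookup-priority lines in the CLI form shown on this page, derives the number of leading TSi bits that must be unique (the lowest destination-netmask), and flags tunnels whose TSi share that prefix. The priority lines and the two tunnel sets are constructed from the page's valid and invalid examples; the check is IPv4-only, and it treats each TSi as the leading address of the selector, as the page does.

```python
"""Check IPsec traffic selectors against the WSG lookup-priority rule:
the top N bits of every tunnel's TSi must be unique, where N is the lowest
destination-netmask configured under any lookup priority.

Added stand-alone checker, not StarOS code. Inputs below are constructed
from the example on this page.
"""
import ipaddress
import re

# Constructed input: the lookup-priority lines from the page's example.
PRIORITY_CONFIG = """
priority 1 source-netmask 20 destination-netmask 18
priority 2 source-netmask 22 destination-netmask 16
"""

_PRIORITY_RE = re.compile(
    r"priority\s+(\d+)\s+source-netmask\s+(\d+)\s+destination-netmask\s+(\d+)"
)


def parse_priorities(config):
    """Return a list of (priority, source_netmask, destination_netmask)
    tuples, validating the ranges the page states (priority 1-6)."""
    entries = []
    for line in config.splitlines():
        m = _PRIORITY_RE.search(line)
        if not m:
            continue
        prio, src, dst = (int(x) for x in m.groups())
        if not 1 <= prio <= 6:
            raise ValueError(f"priority {prio} outside 1-6")
        for mask in (src, dst):
            if not 0 <= mask <= 32:
                raise ValueError(f"netmask {mask} outside 0-32")
        entries.append((prio, src, dst))
    if not entries:
        raise ValueError("no lookup-priority entries found")
    return entries


def required_unique_bits(entries):
    """Number of leading TSi bits that must differ between tunnels:
    the lowest destination-netmask across all configured priorities."""
    return min(dst for _, _, dst in entries)


def tsi_prefix(tsi, bits):
    """Return the top `bits` bits of an IPv4 TSi as a network object.
    strict=False masks the host bits, so 10.10.1.0/16 -> 10.10.0.0/16."""
    return ipaddress.ip_network(f"{tsi}/{bits}", strict=False)


def check_traffic_selectors(tunnels, entries):
    """tunnels: list of (name, tsi, tsr). Returns (ok, conflicts), where
    conflicts lists (prefix, [tunnel names]) for every prefix shared by
    more than one tunnel's TSi."""
    bits = required_unique_bits(entries)
    seen = {}
    for name, tsi, _tsr in tunnels:
        seen.setdefault(tsi_prefix(tsi, bits), []).append(name)
    conflicts = [(str(p), names) for p, names in seen.items() if len(names) > 1]
    return (not conflicts, conflicts)


# Constructed tunnel sets, taken from the page's valid and invalid examples.
VALID_TUNNELS = [
    ("IPSec Tunnel 1", "10.11.1.0", "20.20.1.0"),
    ("IPSec Tunnel 2", "10.10.2.0", "20.20.2.0"),
]
INVALID_TUNNELS = [
    ("IPSec Tunnel 1", "10.10.1.0", "20.20.1.0"),
    ("IPSec Tunnel 2", "10.10.2.0", "20.20.2.0"),
]

if __name__ == "__main__":
    entries = parse_priorities(PRIORITY_CONFIG)
    print("leading TSi bits that must be unique:", required_unique_bits(entries))
    for label, tunnels in (("valid", VALID_TUNNELS), ("invalid", INVALID_TUNNELS)):
        ok, conflicts = check_traffic_selectors(tunnels, entries)
        print(label, "->", "OK" if ok else f"CONFLICT {conflicts}")
```

Running the script reports 16 as the required number of unique bits, accepts the valid pair, and reports the invalid pair as colliding on 10.10.0.0/16. Because the required width is the minimum over all priorities, adding a new priority with a smaller destination-netmask widens the prefix that every existing tunnel must keep unique, so rerun the check after any lookup-priority change, not only when tunnels are added.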
For additional information, see the WSG Lookup Priority List Configuration Mode chapter of the Command Line Interface Reference.