For Cisco IOS Software Release 12.4(15)T
SSG Mobile Wireless Enhancements
Information About SSG Mobile Wireless Enhancements
SSG always proxies accounting-on-off packets received from client GGSNs. These packets are used to
signal that the client GGSN has just rebooted (or is about to be rebooted). When SSG receives the
packets, SSG destroys all host objects associated with the specified client GGSN before forwarding the
packet. SSG uses the NAS IP address in the accounting-on-off packets to determine the affected GGSN.
Determining the affected GGSN enables multiple tunnel interfaces to exist between the GGSN and SSG.
Although there are multiple RADIUS clients configured at SSG, only a single accounting-on-off packet
is generated by the GGSN. As part of the normal SSG functionality, SSG sends accounting-start-stop
records for both the active host objects and for any services to which they are connected.
Consider the following scenario in a load-balancing environment. Assume that there are 10 GGSNs and
10 SSGs in the system. In this case, when the GGSN fails, there will be 10 accounting-off packets sent
to the RADIUS load balancing (RLB) server farm. The RLB server farm replicates each accounting-off
packet to the 10 SSGs. Each SSG in turn forwards these accounting-off packets to the AAA server. So
there is a total of 100 accounting-off packets in a short period of time. For some customers the AAA
server often has problems handling this high rate of accounting on and off packets, which increases the
possibility of a system failure.
In a Cisco Mobile Exchange (CMX) solution, you can enable a server to stop forwarding the
accounting-off packets in all the routers except for two or three routers. Enabling the server in this way
ensures that the AAA server will not receive the accounting-off packets from every SSG in the system.
Accounting-Start Packet Discards to Retain a Host with Varying IP Addresses
Before Cisco IOS Release 12.4(15)T, the default behavior of the session-identifier msid command for
SSG is to disconnect a host object if a second accounting-start packet is received for a Mobile Station
Identifier (MSID) address with a different IP address. However, this behavior can cause a problem
especially in the Public Wireless Local Area Network (PWLAN) space for clients with multiple
interfaces (that is, wireless and Ethernet interfaces), which can result in packets sent from a single
interface with multiple source IP addresses.
This enhancement to the session-identifier msid unique ip command instructs SSG to discard the
subsequent accounting-start records with the same MSID but a different IP address.
PoD to NAS Forwarding
When SSG, acting as a RADIUS proxy, receives the Packet of Disconnect (PoD) from a RADIUS server,
it cleans up the corresponding host object but does not forward the PoD to NAS. As a result, the NAS is
not informed about the RADIUS server’s decision to disconnect the user session.
This enhancement disconnects the host object when the PoD is received from the AAA server and also
forwards it to a downstream device. When SSG forwards the PoD to the downstream NAS, the NAS will
send a PoD-ACK/NAK back to SSG. Previously, SSG would have deleted the host object for that
particular user at this point. Therefore, this enhancement ensures that SSG ignores the PoD-ACK/NAKs
and accounting-stop packets sent by the NAS in response to the forwarded PoD.
On receiving the PoD request with RADIUS code 40, SSG disconnects the user by deleting all host-related
information maintained by SSG. The following points summarize the PoD support by SSG:
• The host is identified by the following properties:
  – Attribute 8: framed IP address
  – SSG account-info VSA: port bundle information present with S subattribute
• On finding the host, SSG deletes the host and connections made by the host.
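
The host lookup summarized above, as an added Python example (not Cisco's code): it parses a RADIUS packet with code 40 and returns the framed IP address (attribute 8) and the S subattribute of the SSG account-info VSA. Assumptions not taken from this page: Cisco vendor ID 9 with VSA type 250 for account-info, the format of the S value, the constructed sample packet and secret, and the request-authenticator check, which follows RFC 5176.

```python
import hashlib
import hmac
import ipaddress
import struct

POD_REQUEST, FRAMED_IP, VENDOR_SPECIFIC = 40, 8, 26
CISCO_SSG_ACCOUNT_INFO = (9, 250)  # assumption: Cisco vendor ID 9, VSA type 250


def _digest(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    # RFC 5176: MD5(header with zeroed authenticator + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_pod(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a constructed PoD request for the sample below."""
    head = struct.pack("!BBH", POD_REQUEST, ident, 20 + len(attrs))
    return head + _digest(head, attrs, secret) + attrs


def pod_host_key(packet: bytes, secret: bytes) -> dict:
    """Validate a PoD request and return its host-identifying properties."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != POD_REQUEST or length != len(packet):
        raise ValueError("not a well-formed PoD request")
    if not hmac.compare_digest(_digest(packet[:4], packet[20:], secret), packet[4:20]):
        raise ValueError("bad request authenticator")
    key, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        atype, value = packet[pos], packet[pos + 2:pos + alen]
        if atype == FRAMED_IP and len(value) == 4:
            key["framed_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            data = value[6:4 + vlen]  # vlen counts the type and length octets
            if (vendor, vtype) == CISCO_SSG_ACCOUNT_INFO and data[:1] == b"S":
                key["account_info_s"] = data[1:].decode("ascii", "replace")
        pos += alen
    return key

# Constructed sample: attribute 8 = 10.0.0.7 plus an account-info VSA "S10.0.0.7:5".
SAMPLE_ATTRS = (bytes([8, 6, 10, 0, 0, 7])
                + bytes([26, 19]) + struct.pack("!IBB", 9, 250, 13) + b"S10.0.0.7:5")
SAMPLE = build_pod(1, SAMPLE_ATTRS, b"constructed-secret")
```

Because a PoD that matches a host deletes the host and its connections, the parser rejects a packet whose authenticator does not verify before it reads any attribute.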