Configuring ISG Access for IP Subscriber Sessions
Information About ISG Access for IP Subscriber Sessions
Dynamic VPN selection can be initiated through automatic service logon, where the VRF is
downloaded and applied to the subscriber session at session start, or through subscriber service
selection at a web portal, in which case the subscriber is transferred to the VRF that corresponds to
the selected service.
VPN Addressing
When a subscriber session is transferred from one VPN domain to another, it is effectively entering a
new addressing domain that may or may not overlap the subscriber’s previous domain. The subscriber’s
network-facing address must be altered accordingly so that packets can be correctly routed back from
within the service domain.
A VRF transfer is necessary when a subscriber’s identity and subscribed services cannot be determined
without interaction with a web portal. A local routing context is required, at least initially, so that IP
packets may be routed to and from the portal server. Following portal-based service selection, the
subscriber would typically have to be transferred into the VRF associated with the selected service
domain. Following a VRF transfer, the subscriber must also receive an address that is routable in this
new domain.
If ISG is adjacent to the subscriber device and serves as a DHCP relay or server, DHCP can be used to
assign domain-specific addresses to subscribers.
In order for VRF transfers to be supported, it is strongly recommended that DHCP be configured with
short initial leases, because existing subscriber addresses can be altered only once the current
lease has expired. Subscribers will not have access to the selected domain before the next DHCP renew
request is received. Using short initial lease times minimizes the interval between a VRF change and a
DHCP renewal. If long lease times are used, an out-of-band method of initiating IP address change
should be implemented.
When DHCP can be used to assign a new address at the subscriber device, subnet-based VRF selection
can be used to bring about the transfer. Subnet-based VRF selection (also known as VRF autoclassify)
is a feature that selects the VRF at the ingress port on the basis of the source IP subnet address.
Service providers and organizations are allocated public IP address blocks that by nature do not
overlap. Therefore, VPN IP subscribers that are assigned public IP addresses have no overlapping
IP addresses. When VPN IP subscribers of different VPN domains are assigned private IP addresses,
they are likely to have overlapping addresses in the access network.
An access network is a single IP address space when there is no Layer 2 encapsulation separating VPN
IP subscribers of different VPN domains. Therefore, ISG must be able to handle overlapping IP
addresses when deploying VPN IP subscribers. IP connectivity for VPN IP subscribers with overlapping
IP addresses is possible only when they are connected to ISG through a Layer 2 connected access
network.
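The following added example (not part of the Cisco documentation and not ISG's implementation) models subnet-based VRF selection as a lookup keyed on ingress port and source subnet, and audits the table for overlapping subnets that point at different VRFs, the case in which the source address alone cannot place a subscriber in the right VPN domain. The table contents, port names, VRF names and function names are all assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample table (all names hypothetical): ingress port, source subnet, VRF.
SUBNET_VRF_TABLE = [
    ("Gi0/0/1", "10.1.0.0/16", "VPN_A"),
    ("Gi0/0/1", "10.1.8.0/24", "VPN_B"),    # private range nested inside VPN_A's
    ("Gi0/0/1", "192.0.2.0/24", "PORTAL"),
    ("Gi0/0/2", "10.1.0.0/16", "VPN_C"),    # same subnet, but a different ingress port
]

def _parsed(table):
    return [(port, ipaddress.ip_network(net), vrf) for port, net, vrf in table]

def candidate_vrfs(table, port, src_ip):
    """VRFs whose subnet on this ingress port contains src_ip (sorted, unique)."""
    addr = ipaddress.ip_address(src_ip)
    return sorted({vrf for p, net, vrf in _parsed(table) if p == port and addr in net})

def classify(table, port, src_ip):
    """Return the VRF only when the source subnet identifies exactly one."""
    vrfs = candidate_vrfs(table, port, src_ip)
    if not vrfs:
        return None                      # no subnet rule matches this source
    if len(vrfs) > 1:
        raise ValueError(f"{src_ip} on {port} is ambiguous between {vrfs}")
    return vrfs[0]

def find_overlaps(table):
    """Rule pairs on one port whose subnets overlap but point at different VRFs."""
    return [
        (p1, str(n1), v1, str(n2), v2)
        for (p1, n1, v1), (p2, n2, v2) in combinations(_parsed(table), 2)
        if p1 == p2 and v1 != v2 and n1.overlaps(n2)
    ]

if __name__ == "__main__":
    for finding in find_overlaps(SUBNET_VRF_TABLE):
        print("overlap:", finding)
    print(classify(SUBNET_VRF_TABLE, "Gi0/0/2", "10.1.8.20"))
```

Running the audit before deploying an address plan flags subnet pairs that would let a subscriber of one VPN domain be classified into another.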
VPN IP Subscriber Identity
ISG identifies VPN IP subscribers in the same way that it identifies non-VPN IP subscribers. Upstream
IP traffic is defined as the subscriber IP traffic traveling from the access network to the VPN (overlaid
on top of the service provider core network). Downstream IP traffic is defined as the subscriber IP traffic
traveling from the VPN to the access network.