Has anyone used (or is knowledgeable on) ISG feature? (Intelligent Services Gateway)

Unanswered Question
Mar 12th, 2010


I am trying to obtain more information about the ISG feature on 7200 and 7600 platforms and finding it very difficult to obtain answers from distributors or even Cisco representatives.

The main questions are:

- How many subscribers does the 7200 license include, provided that my subscribers would be of IP type (not tunnelled)?

FR-ISG72   ISG Feature License for 7200
FR-ISG72=  ISG Feature License for 7200

- What other licenses are needed in a 7200 platform?

I believe, maybe:

FR-BUS72   Cisco IOS 7200/7300/7400 Series Broadband 8000 User License
FR-BUS72=  Cisco IOS 7200 Series Broadband User Services License

- On Cisco 7600, ISG is licensed in steps of 8000 subscribers. If I have a redundant system (two routing engines), do I need to buy the license twice?

76-ES+ISG-LIC   ES+ Intelligent Services Gateway SW License, 8K subs, 8 VRF
76-ES+ISG-LIC=  ES+ Internet Services Gateway (ISG) Software License


b.julin Fri, 05/21/2010 - 13:17

I'm just starting to read up on it myself and all I can say is "me too" as to the horrible state of runaway PR (and no real substance) about this feature.

The trade rag people who are writing solely for the sake of advising people as to which tech stocks to buy sure seem to pretend they understand it.

I guess it's probably one of those things you can only get a half-straight answer about from your sales rep, assuming you are a big enough customer to merit their attention.

So far I haven't even been able to come up with a full list of policy servers compatible with ISG, unless that list has only two items: Cisco's own SCE and Broadhop's SME.

There's no technical overview that assures me that there's actually a technical advantage over a stand-alone inline packet swatter -- one would hope there'd be tighter queue integration, but the publicly available materials can't do much more than say "this is some amorphous thing providers use to manage their DPI rules and their subscribers and oh yeah it uses RADIUS and you have to buy handfuls of licenses and here's how to put grandma in her own subscriber class."

We aren't a provider, but that doesn't mean we don't need to shape -- it seems most of these companies are shooting for million dollar contracts with CLECs and couldn't care less about our ilk, though.

The entire value of such a system to us is all in receiving robustly QA'd service signature updates -- our "subscriber" system is nothing like a big ISP's, so we'd be happy to hand code that, but we just do not have the staff to be beta testing DPI signatures from volunteer security mailing lists, much less writing our own.  I suspect it's probably the opposite in the provider space -- at least one tech dedicated to traffic analysis but an overwhelming deluge of bureaucratic subscriber contracts drawn up by law school washouts to keep apace of.

There's no Cisco material touting how they have a lab full of techs testing all the updated SCE-BB signatures before they ship them out, or even how often they promise to ship them out.  For all we know they could strand us with stale signatures until they get around to updating them a year later.

Best of luck.  We won't be needing a new traffic shaper for a couple of years, so I guess I'm kinda happy we don't need to try to buy into this mess quite yet.  If things don't improve by then I guess this Quantum Flow Processor will just lie fallow at 1% utilization and we'll buy an inline swatter from a company small enough to care.

MCentrick2010 Thu, 05/27/2010 - 07:25

Thanks indeed for your response.

In fact I could not obtain any support at all from Cisco (Spain) even if I explained we were a small software company that required ISG to complement an existing solution for a BIG mobile operator. The question was supposed to be escalated to the US more than 1 month ago.

Myself, I was actually able to better understand the configuration and licenses required for the feature, with a final question about the capacity (maximum number of sessions). My conclusions and questions are at the end of this email, in case you or anyone else is interested.

Anyway, our main requirement is not traffic shaping, but providing a captive portal (redirect unauthorized traffic to some node, and be able to let the box know when an IP is "authorized"/"unauthorized"). Cisco used to have a smaller feature to do this called SSG (Service Selection Gateway), which is end-of-lifed, I believe.

If you know a box that does this, please advise! And it would be nice if you could recommend an "inline packet swatter".

For demo, I have done it myself with linux and iptables, but the time to make it business-class may be more costly than buying some product.

The issues I have had trying to find out information from Juniper ("subscriber management" feature) are similar!!

Final Question about ISG capacity


We wish to use the Intelligent Services Gateway (ISG) functionality, which seems supported only on Cisco 10000, 7600, 7300 and 7200 routers.

Our traffic requirements are not too high (500Mbps), but due to the following number of sessions limitation in 7200/7300, the right platform for us seems the 7600:

"The Cisco 7200 Series and Cisco 7301 scale from 4000 to 8000 sessions"

We would actually need 50000-100000 concurrent sessions.

On Cisco 7600, the feature seems supported by default on Cisco IOS 12.2SR without the need for an extra license, even with the plain "IP Services" flavour of IOS.

However, we have the following fundamental questions that we could not completely resolve with the documentation or software configurator tool.

Maximum number of concurrent sessions supported

Our sessions would be of the "IP session" kind, meaning:

"An IP session includes all the traffic that is associated with a single subscriber IP address".

In the documentation, this is the applicable information that we find regarding the number of sessions:

Beginning in Cisco IOS Release 12.2(33)SRE, the Cisco 7600 router supports IP subscriber sessions only on the SIP400 and ES+ line cards
The Cisco 7600 router enforces limits on the number of IP subscriber sessions per line card and router chassis. If the number of active sessions exceeds the following limits, an error message displays:
- Cisco 7600 chassis—32,000 subscriber sessions (supported in Cisco IOS Release 12.2(33)SRE1 and later releases)
- ES+ line card—4000 subscriber sessions per port group; 16,000 sessions per line card (supported in Cisco IOS Release 12.2(33)SRE and later releases)
- SIP400 line card—8000 subscriber sessions (supported in Cisco IOS Release 12.2(33)SRD4 and later releases)

Let us suppose that we use the SIP400 line card, since ES+ is far from our networking requirements.

Please confirm/answer the following:

  • No special license is required to use ISG with SIP400.
  • Is the 8000 session limitation per SIP400 module or per SPA attached to it?
  • I read in the documentation, that the SAMI card enhances the maximum number of ISG sessions:

The ISG Support for SAMI Blade feature combines the subscriber management features and functions of the Cisco Intelligent Services Gateway (ISG) with the processing power of the Cisco Service Application Module for IP (SAMI). The Cisco SAMI blade has six PowerPC (PPC) processors and occupies just one slot in the Cisco 7600 series router. This means that you can support many ISG features for up to 600,000 subscribers on a single router. 

  • We then assume that the SAMI blade overcomes the limitations noted above: 32,000 session/chassis and 8,000 sessions/SIP400. Correct?
  • No extra license is required to use ISG with SAMI.

Based on these assumptions, an example configuration for a single node could be:

Product                       Description                                                 Quantity

CISCO7604                     Cisco 7604 Chassis                                          1         
FAN-MOD-4HS                   High-Speed Fan Module for 7604/6504-E                       1         
7604-RSP720C-P                Cisco 7604 Chassis,4-slot,RSP720-3C,PS                      1         
2700W-AC                      Dummy PID 2700 W AC Power Supply for 7604                   1         
CAB-C19-CBN                   Cabinet Jumper Power Cord, 250 VAC 16A, C20-C19 Connectors  1         
S764ISK9-12233SRE             Cisco 7600-RSP720 IOS IP SERVICES SSH                       1         
7600-SIP-400                  Cisco 7600 Series SPA Interface Processor-400               1         
SPA-2X1GE                     Cisco 2-port Gigabit Ethernet Shared Port Adapter           2         

WS-SVC-SAMI-BB-K9             Service Application Module for IP ( 6 x PPC w/ 1GB) (Cryto) 1      

