Re: Has anyone used (or is knowledgeable on) ISG feature? (Intel
I'm just starting to read up on it myself and all I can say is "me too" as to the horrible state of runaway PR (and no real substance) about this feature.
The trade rag people who are writing solely for the sake of advising people as to which tech stocks to buy sure seem to pretend they understand it.
I guess it's probably one of those things you can only get a half-straight answer about from your sales rep, assuming you are a big enough customer to merit their attention.
So far I haven't even been able to come up with a full list of policy servers compatible with ISG, unless that list has only two items: Cisco's own SCE and Broadhop's SME.
There's no technical overview that assures me that there's actually a technical advantage over a stand-alone inline packet swatter -- one would hope there'd be tighter queue integration, but the publicly available materials can't do much more than say "this is some amorphous thing providers use to manage their DPI rules and their subscribers and oh yeah it uses RADIUS and you have to buy handfuls of licenses and here's how to put grandma in her own subscriber class."
We aren't a provider, but that doesn't mean we don't need to shape -- it seems most of these companies are shooting for million dollar contracts with CLECs and couldn't care less about our ilk, though.
The entire value of such a system to us is all in receiving robustly QA'd service signature updates -- our "subscriber" system is nothing like a big ISP's so we'd be happy to hand code that, but we just do not have the staff to be beta testing DPI signatures from volunteer security mailing lists, much less writing our own. I suspect it's probably the opposite in the provider space -- at least one tech dedicated to traffic analysis but an overwhelming deluge of bureaucratic subscriber contracts drawn up by law school washouts to keep apace of.
There's no Cisco material touting how they have a lab full of techs testing all the updated SCE-BB signatures before they ship them out, or even how often they promise to ship them out. For all we know they could strand us with stale signatures until they get around to updating them a year later.
Best of luck. We won't be needing a new traffic shaper for a couple of years, so I guess I'm kinda happy we don't need to try to buy into this mess quite yet. If things don't improve by then I guess this Quantum Flow Processor will just lie fallow at 1% utilization and we'll buy an inline swatter from a company small enough to care.
Re: Has anyone used (or is knowledgeable on) ISG feature? (Intel
Thanks indeed for your response.
In fact I could not obtain any support at all from Cisco (Spain) even if I explained we were a small software company that required ISG to complement an existing solution for a BIG mobile operator. The question was supposed to be escalated to the US more than 1 month ago.
Myself, I was actually able to better understand the configuration and licenses required for the feature, with a final question about the capacity (maximum number of sessions). My conclusions and questions are at the end of this email, in case you or anyone else is interested.
Anyway, our main requirement is not traffic shaping, but providing a captive portal (redirect unauthorized traffic to some node, and be able to let the box know when an IP is "authorized"/"unauthorized"). Cisco used to have a smaller feature to do this called SSG (Service Selection Gateway), which is end-of-lifed, I believe.
If you know a box that does this, please advise! And it would be nice if you could recommend an "inline packet swatter".
For demo, I have done it myself with Linux and iptables, but the time to make it business-class may be more costly than buying some product.
The issues I have had trying to find out information from Juniper ("subscriber management" feature) are similar!!
Final Question about ISG capacity
We wish to use the Intelligent Services Gateway (ISG) functionality, which seems supported only on Cisco 10000, 7600, 7300 and 7200 routers.
Our traffic requirements are not too high (500Mbps), but due to the following number of sessions limitation in 7200/7300, the right platform for us seems the 7600:
We would actually need 50000-100000 concurrent sessions.
On Cisco 7600, the feature seems supported by default on Cisco IOS 12.2SR without the need for an extra license, even with the plain "IP Services" flavour of IOS.
However, we have the following fundamental questions that we could not completely resolve with the documentation or software configurator tool.

Maximum number of concurrent sessions supported
Our sessions would be of the "IP session" kind, meaning:
"An IP session includes all the traffic that is associated with a single subscriber IP address".

In the documentation, this is the applicable information that we find regarding the number of sessions:

http://www9.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_acess_sub_sessns_ps6922_TSD_Products_Configuration_Guide_Chapter.html

[...] Beginning in Cisco IOS Release 12.2(33)SRE, the Cisco 7600 router supports IP subscriber sessions only on the SIP400 and ES+ line cards [...] The Cisco 7600 router enforces limits on the number of IP subscriber sessions per line card and router chassis. If the number of active sessions exceeds the following limits, an error message displays:
- Cisco 7600 chassis—32,000 subscriber sessions (supported in Cisco IOS Release 12.2(33)SRE1 and later releases)
- ES+ line card—4000 subscriber sessions per port group; 16,000 sessions per line card (supported in Cisco IOS Release 12.2(33)SRE and later releases)
- SIP400 line card—8000 subscriber sessions (supported in Cisco IOS Release 12.2(33)SRD4 and later releases)

Let us suppose that we use the SIP400 line card, since ES+ is far from our networking requirements.
Please confirm/answer the following:
No special license is required to use ISG with SIP400.
Is the 8000 session limitation per SIP400 module or per SPA attached to it?
I read in the documentation, that the SAMI card enhances the maximum number of ISG sessions:
http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_sup_sami_blade.html

The ISG Support for SAMI Blade feature combines the subscriber management features and functions of the Cisco Intelligent Services Gateway (ISG) with the processing power of the Cisco Service Application Module for IP (SAMI). The Cisco SAMI blade has six PowerPC (PPC) processors and occupies just one slot in the Cisco 7600 series router. This means that you can support many ISG features for up to 600,000 subscribers on a single router.
We then assume that the SAMI blade overcomes the limitations noted above: 32,000 session/chassis and 8,000 sessions/SIP400. Correct?
No extra license is required to use ISG with SAMI.
Based on these assumptions, an example configuration for a single node could be:

| Product | Description | Quantity |
|---|---|---|
| CISCO7604 | Cisco 7604 Chassis | 1 |
| FAN-MOD-4HS | High-Speed Fan Module for 7604/6504-E | 1 |
| 7604-RSP720C-P | Cisco 7604 Chassis,4-slot,RSP720-3C,PS | 1 |
| 2700W-AC | Dummy PID 2700 W AC Power Supply for 7604 | 1 |
| CAB-C19-CBN | Cabinet Jumper Power Cord, 250 VAC 16A, C20-C19 Connectors | 1 |
| S764ISK9-12233SRE | Cisco 7600-RSP720 IOS IP SERVICES SSH | 1 |
| 7600-SIP-400 | Cisco 7600 Series SPA Interface Processor-400 | 1 |
| SPA-2X1GE | Cisco 2-port Gigabit Ethernet Shared Port Adapter | 2 |
| WS-SVC-SAMI-BB-K9 | Service Application Module for IP ( 6 x PPC w/ 1GB) (Crypto) | 1 |