Tuesday, August 4, 2009

ISG - SCE Integration using SCMP

ISG (Intelligent Service Gateway) is a broadband aggregation router that delivers services from the service provider to the broadband subscriber. Using ISG we can control and apply dynamic policy to the subscriber, such as a turbo button (upgrade or downgrade speed), parental control, subscriber self-control using a captive portal / redirect walled garden service, and external policy control using CoA. A more advanced implementation is to run ISG together with SCE as a DPI (deep packet inspection) service control. Using SCE we can create different service levels for subscribers. We can control subscriber traffic at the application layer (layer 7) or we can use its traffic shaping capabilities.

To integrate SCE and ISG we can use SCMP. It allows the ISG and SCE to manage subscriber sessions and assign a subscriber to a particular service / profile dynamically instead of using the subscriber manager (SM) using the SCABB application. An external portal / walled garden can send a CoA packet (CoA, RFC 3576) to the ISG to change the user's service. In the ISG policy we can define any package that will be sent using CoA to the SCE, including the GUID / user identity. When the SCE accepts the CoA, it assigns the package to this GUID.

I set up a lab to implement this integration, using ISG and an SCE 2020. Here is the diagram:

DIAGRAM: (image not preserved)

ISG configuration :

ISGD2#
!
aaa attribute list coa
 attribute type nas-ip-address 172.16.0.29
!
!
!
aaa server radius policy-device
 key peditea
 message-authenticator ignore
 client 192.168.50.77 vrf vpn_internet key peditea
!


Verify the SCMP peer in the ISG:

ISGD2#sh subscriber policy peer all
EXTERNAL POLICY PEER Details:
=============================

Peer IP: 192.168.50.77
Conn ID: 11
Mode : PUSH
State : ACTIVE
Version: 2.0
Conn up time: 00:08:55
Conf keepalive: 100
Negotiated keepalive: 100
Time since last keepalive: 00:00:34
Inform owner on pull: TRUE
Total number of associated sessions: 1


CoA from ISG to SCE :

*Aug 4 06:16:27.582: RADIUS(00000000): Send CoA Request to 192.168.50.77:3799 id 1645/53, len 211
*Aug 4 06:16:27.582: RADIUS: authenticator C7 E2 B1 A2 F5 7B 13 65 - 98 05 83 9B A5 DF 5E CE
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 37
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 31 "session-guid=CA9B591E0000003C"
*Aug 4 06:16:27.582: RADIUS: NAS-Port [5] 6 60000
*Aug 4 06:16:27.582: RADIUS: NAS-Port-Id [87] 21 "nas-port:0/0/0/86/0"
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 37
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 31 "subscriber:command=updateSess"
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 32
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 26 "subscriber:policy-name=6"
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 36
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 30 "subscriber:service-monitor=1"
*Aug 4 06:16:27.582: RADIUS: NAS-IP-Address [4] 6 172.16.0.29
*Aug 4 06:16:27.582: RADIUS: User-Name [1] 10 "fadlytea"
*Aug 4 06:16:27.582: RADIUS: Framed-IP-Address [8] 6 172.16.94.2
*Aug 4 06:16:27.586: RADIUS: Received from id 1645/53 192.168.50.77:3799, CoA Ack Response, len 63
*Aug 4 06:16:27.586: RADIUS: authenticator B8 00 27 53 E2 DF 79 28 - 82 30 38 3F 76 A9 85 06
*Aug 4 06:16:27.586: RADIUS: NAS-IP-Address [4] 6 192.168.50.77
*Aug 4 06:16:27.586: RADIUS: Vendor, Cisco [26] 37
*Aug 4 06:16:27.586: RADIUS: Cisco AVpair [1] 31 "session-guid=CA9B591E0000003C"

Verify the user session GUID:

ISGD2#sh subscriber policy peer all detail
EXTERNAL POLICY PEER Details:
=============================

Peer IP: 192.168.50.77
Conn ID: 11
Mode : PUSH
State : ACTIVE
Version: 2.0
Conn up time: 00:08:57
Conf keepalive: 100
Negotiated keepalive: 100
Time since last keepalive: 00:00:36
Inform owner on pull: TRUE
Total number of associated sessions: 1
Associated session details:
CA9B591E0000003C

ISGD2#


Verify SCMP peer in the SCE :




SCE2020-2#sh scmp all
SCMP Connection 'isg-dev2' status:
172.16.0.29 auth-port 1645 acct-port 1646
Connection state: Connected
Peer protocol-version: 2.0
Keep-alive interval: 100 seconds
Force single SCE: Yes
Send session start: Yes
Time connected: 9 minutes, 18 seconds




Verify subscriber session GUID mapping package in SCE :

SCE2020-2#SH interface LineCard 0 subscriber name CA9B591E0000003C
Subscriber 'CA9B591E0000003C' manager: isg-dev2
Subscriber 'CA9B591E0000003C' properties:
downVlinkId=0
monitor=1
new_classification_policy=0
packageId=6
QpLimit[0..17]=0*17,8
QpSet[0..17]=0*17,1
upVlinkId=0
Subscriber 'CA9B591E0000003C' read-only properties:
concurrentAttacksNumber=0
PV_QP_QuotaSetCounter[0..17]=0*18
PV_QP_QuotaUsageCounter[0..17]=0*18
PV_REP_nonReportedSessionsInTUR=0
P_aggPeriodType=5
P_blockReportCounter=0
P_endOfAggPeriodTimestamp=0
P_firstTimeParty=TRUE
P_localEndOfAggPeriodTimestamp=0
P_MibSubCounters16[0..31][0..1]=0*64
P_MibSubCounters32[0..31][0..1]=0*64
P_newParty=TRUE
p_numOfRedirections=0
P_partyCurrentDownVLink=0
P_partyCurrentPackage=6
P_partyCurrentUpVLink=0
P_partyGoOnlineTime=0
P_partyMonth=0
P_serviceReportedBitMap=0
Subscriber 'CA9B591E0000003C' mappings:
IP 172.16.94.2 - Expiration (sec): Unlimited
Subscriber 'CA9B591E0000003C' has 0 active sessions.
Aging disabled
SCE2020-2#
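
The manual cross-check above (CoA Request from the ISG, CoA Ack from the SCE, then packageId on the SCE) can be scripted. This is an added example, not part of the original post: the function names are hypothetical, the sample input is trimmed from the output shown on this page, and any reply word other than "Ack" is treated as a failure because the page shows only the Ack form.

```python
import re

# Constructed sample: lines trimmed from the debug and show output on this page.
ISG_DEBUG = '''\
*Aug 4 06:16:27.582: RADIUS(00000000): Send CoA Request to 192.168.50.77:3799 id 1645/53, len 211
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 31 "session-guid=CA9B591E0000003C"
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 26 "subscriber:policy-name=6"
*Aug 4 06:16:27.586: RADIUS: Received from id 1645/53 192.168.50.77:3799, CoA Ack Response, len 63
*Aug 4 06:16:27.586: RADIUS: Cisco AVpair [1] 31 "session-guid=CA9B591E0000003C"
'''
SCE_SHOW = "Subscriber 'CA9B591E0000003C' manager: isg-dev2\npackageId=6\n"

SEND = re.compile(r"Send CoA Request to (\S+):\d+ id (\S+),")
RECV = re.compile(r"Received from id (\S+) (\S+):\d+, CoA (\w+) Response")
AVPAIR = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^=]+)=([^"]*)"')

def parse_coa(debug_text):
    """Group debug lines into CoA exchanges keyed by (peer IP, RADIUS id)."""
    exchanges, current = {}, None
    for line in debug_text.splitlines():
        if m := SEND.search(line):
            ex = exchanges[(m.group(1), m.group(2))] = {"req": {}, "reply": None, "reply_avp": {}}
            current = ex["req"]
        elif m := RECV.search(line):
            ex = exchanges.get((m.group(2), m.group(1)))
            # A reply that matches no request is not trusted: drop its attributes.
            current = ex["reply_avp"] if ex else None
            if ex:
                ex["reply"] = m.group(3)
        elif current is not None and (m := AVPAIR.search(line)):
            current[m.group(1)] = m.group(2)
    return exchanges

def check(debug_text, sce_text):
    """Return a list of mismatches; an empty list means ISG and SCE agree."""
    problems = []
    sub = re.search(r"Subscriber '(\w+)' manager", sce_text)
    pkg = re.search(r"^\s*packageId=(\d+)", sce_text, re.M)
    for (peer, rid), ex in parse_coa(debug_text).items():
        guid, sent = ex["req"].get("session-guid"), ex["req"].get("subscriber:policy-name")
        if ex["reply"] != "Ack":
            problems.append(f"{peer} id {rid}: no CoA Ack (got {ex['reply']})")
        elif ex["reply_avp"].get("session-guid") != guid:
            problems.append(f"{peer} id {rid}: Ack echoes a different session-guid")
        if sub and pkg and sub.group(1) == guid and pkg.group(1) != sent:
            problems.append(f"{guid}: SCE packageId={pkg.group(1)}, ISG sent {sent}")
    return problems

if __name__ == "__main__":
    print(check(ISG_DEBUG, SCE_SHOW) or "ISG CoA and SCE package agree")
```
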

