Document Number EDCS- 599439

Based on Template EDCS-228142 Rev 11

Created By Calvin Person

Cisco Content Service Gateway

CSG1 to CSG2 Migration

Modification History
Revision Date Originator Comments
1 05-29-07 Calvin Person First Revision

Copyright 2007 Cisco Systems Company Confidential 1

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
Cisco Content Service Gateway...................................................................................................... 1

CSG1 to CSG2 Migration ............................................................................................................... 1

Modification History....................................................................................................................... 1

1 Purpose ..................................................................................................................................... 3

2 Chassis and Supervisor Support ............................................................................................... 3

3 CSG2 Upgrade Procedure ........................................................................................................ 3

4 Supervisor Configuration ......................................................................................................... 4

5 CSG2 Configuration ................................................................................................................. 6

6 CSG1 to CSG2 Configuration Migration ................................................................................. 9

7 CSG2 HA Changes................................................................................................................. 11

8 CSG1 to CSG2 Variable Changes & Deletions ..................................................................... 15

Copyright 2007 Cisco Systems Company Confidential 2

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
1 Purpose
The purpose of this document is to provide install and migration details when converting from
CSG1 to CSG2; covering configuration changes required to route traffic to CSG2 module as well
as command line changes from first generation to second generation modules. Although this
document is for internal audiences, we expect this information to be used by the documentation
and field teams to communicate with customers as appropriate.

2 Chassis and Supervisor Support

The CSG2 module is supported in 7600 chassis with Sup720-3BXL (future - RSP720 / SUP32).
Supported minimum IOS is 12.2(18)SRB.
As the Cisco 7600 and 6500 platforms diverge, the 6500 platform will not be supported. For
those accounts that currently have a 6500 chassis, there will be a special release available based
on approval from the 7600 team.

3 CSG2 Upgrade Procedure

Feature CSG2 CSG1 CSG2 Benefit

Software Upgrade SAMI blade only Blade SW No supervisor
upgrade and upgrade needed
Supervisor IOS for CSG2 feature
upgrade for new enhancements
features CSG2 can be
upgraded
independently of
the supervisor

1) Software Upgrade on CSG2 is done from SUP:

a. To upload an image:
upgrade hw-module slot {slot} software file {file}
b. For the new image to take effect you must:
hw module {slot} reset

Copyright 2007 Cisco Systems Company Confidential 3

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
 DemoPod2#show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 Service and Application module for IP WS-SVC-SAMI-BB
2 Supervisor Engine 720 (Active) WS-SUP720-3BXL

DemoPod2#upgrade hw-module slot 1 software file disk0:c6svcsami-csg-

mz.bouncer_csg.070116
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
DemoPod2#

DemoPod2#hw-module mod 1 reset

c. To show upgrade status

show upgrade software progress

4 Supervisor Configuration
Feature CSG2
Supervisors Sup720-3BXL at FCS
Sup32, newer Sups as released.
Supervisor IOS Trains 12.2(18)SRB (7600 native)

With the introduction of CSG2, there is a change in the configuration process for the Supervisor as well
as the CSG2 module. This section will detail the changes for the Supervisor.

2) Supervisor Configurations for CSG2:

a. Define the SVCLC commands in order to route the traffic to the CSG2 module
svclc multiple-vlan-interfaces
svclc module x vlan-group
svclc vlan-group

Copyright 2007 Cisco Systems Company Confidential 4

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
 Supervisor Configurations
The CSG2 module is in slot 2 and is being defined to be a part of vlan-group 1 & 6 (Note: You can
define only on vlan-group if desired)

DemoPod2(config)#svclc multiple-vlan-interfaces
DemoPod2(config)#svclc module 2 vlan-group 1,6
DemoPod2(config)#svclc vlan-group 1 5,30,43,765
DemoPod2(config)#svclc vlan-group 6 6

b. Define RCMD commands to allow CSG2 to copy files to and from the Supervisor
no ip rcmd domain-lookup
ip rcmd rcp-enable
ip rcmd remote-host

Supervisor Configurations
DemoPod2(config)#no ip rcmd domain-lookup
DemoPod2(config)#ip rcmd rcp-enable
DemoPod2(config)#ip rcmd remote-host * 99 * enable
!
DemoPod2(config)#access-list 99 permit 127.0.0.0 0.255.255.255
!

c. Define the Supervisor to be NTP Master to CSG2 (If the Supervisor is already configured to be a
NTP client, there is no need to change that option).
ntp master
ntp update-calendar

Supervisor Configurations
DemoPod2(config)#ntp master
DemoPod2(config)#ntp update-calendar
DemoPod2# sh ntp status
Clock is synchronized, stratum 8, reference is 127.127.7.1

Copyright 2007 Cisco Systems Company Confidential 5

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
5 CSG2 Configuration
With the introduction of CSG2, there is a change in the configuration process for the Supervisor as well
as the CSG2 module. This section will detail the changes for the CSG2. One key difference - unlike
CSG1 configuration, which is modified and stored along with the Supervisor configuration,
CSG2 is configured by either a session or telnet to the Control Processor (CP), processor 3, from
the Supervisor.

1) CSG2 configuration is saved on SUP bootflash (and slave supervisor bootflash):

Note: This allows easy hardware replacement as the configuration will be preserved if we replace a CSG2
module in the same slot.

dir bootflash:
dir slavebootflash:

Supervisor Bootflash:

19 -rw- 42 Dec 21 2006 21:22:31 +00:00 SLOT5SAMIC4.cfg

20 -rw- 42 Dec 21 2006 21:22:31 +00:00 SLOT5SAMIC5.cfg
21 -rw- 42 Dec 21 2006 21:22:31 +00:00 SLOT5SAMIC6.cfg
22 -rw- 42 Dec 21 2006 21:22:31 +00:00 SLOT5SAMIC7.cfg
23 -rw- 42 Dec 21 2006 21:22:31 +00:00 SLOT5SAMIC8.cfg
34 -rw- 1373 May 9 2007 14:02:53 +00:00 SLOT5SAMIC3.cfg

2) To configure CSG2, session into module from SUP:

a. Always session into the CP/Processor 3 to configure or monitor CSG2:
session slot #mod processor 3 or
telnet 127.0.0.x3 (x=CSG2 slot number)

3. CSG2 Configuration Commands

a) Define GigabitEthernet sub-interfaces for vlan traffic (Client and Server)
interface GigabitEthernet0/0.3
encapsulation dot1Q 3
ip address x.x.x.x 255.255.255.0

Copyright 2007 Cisco Systems Company Confidential 6

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
 b) Define the subscriber vlan (faces the client)
(If you do not define subscriber vlan, traffic will not route.)
Any vlan that is not defined as subscriber is inherently network (server) vlans.

ip csg subscriber

c) Define Standby (HSRP feature – With CSG1 this was referred to as Fault-Tolerance)

standby ip x.x.x.x secondary

d) Define Radius endpoint, proxy features

If only one CSG2 is configured, you must define a secondary IP address under the GigEthernet
interface that will be used as the Radius (proxy, endpoint) IP address.
If a redundant pair of CSGs is deployed, use the standby IP secondary address as the Radius (proxy,
endpoint) address.

ip address x.x.x.x secondary

standby ip x.x.x.x secondary

ip csg radius endpoint x.x.x.x key cisco

e) Define NTP to point to Supervisor

ntp server 127.0.0.x1 (x = Supervisor Slot)

f) Define IP route statements

ip route 0.0.0.0 0.0.0.0 x.x.x.x

ip route 10.2.4.0 255.255.255.0 10.2.5.1

CSG2 Configuration:

Copyright 2007 Cisco Systems Company Confidential 7

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
 This configuration shows the deployment of one CSG2 with no HSRP configuration. A secondary
IP address is used for Radius endpont. Notice, the same IP address is used for secondary IP add and
Radius endpoint.

interface GigabitEthernet0/0.3
encapsulation dot1Q 3
ip csg subscriber
ip address 10.2.3.10 255.255.255.0 secondary
ip address 10.2.3.1 255.255.255.0
!
interface GigabitEthernet0/0.5
encapsulation dot1Q 5
ip address 10.2.5.6 255.255.255.0
ip address 10.2.5.7 255.255.255.0
!
ip csg radius endpoint 10.2.3.10 key cisco
!
ip route 0.0.0.0 0.0.0.0 10.2.13.20
ip route 10.2.4.0 255.255.255.0 10.2.5.2
!
no ip http server
!
!
ntp server 127.0.0.61 ** The Supervisor is in slot 6 **
end

This configuration shows the deployment of dual CSG2 in HSRP pair. The standby IP secondary
address is used for Radius endpoint. Notice, the same IP address is used for standby IP secondary
address and Radius endpoint.

interface GigabitEthernet0/0.3
encapsulation dot1Q 3
ip csg subscriber
ip address 10.2.3.1 255.255.255.0
standby ip 10.2.3.10 secondary
!
interface GigabitEthernet0/0.5
encapsulation dot1Q 5
ip address 10.2.5.6 255.255.255.0 secondary

Copyright 2007 Cisco Systems Company Confidential 8

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
 standby ip 10.2.5.7 secondary
!
ip csg radius endpoint 10.2.3.10 key cisco
ip csg radius endpoint 10.2.5.7 key cisco

6 CSG1 to CSG2 Configuration Migration

Refer to CSG2 Installation and Configuration Guide (EDCS-590235) & CSG2 Command History (EDCS-
590235) for all configuration changes. CCO URL will be provided upon FCS.
There are a number of command line changes from CSG1 to CSG2. This document will not cover all
changes but does make note of some of the most important.

1) User-Group and Accounting commands are removed with CSG2. The sub-commands that normally
appear under these two are now global commands on CSG2.
2) CSG1 Fault Tolerance has now changed to CSG2 HSRP
3) CSG1 variable commands are removed, replaced with CSG2 global commands
4) Additional command changes

This section shows a CSG1 configuration compared to CSG2

CSG1 CSG2
ip csg user-group CSG ip csg user-group is removed.
entries max 300000 ip csg entries kut maximum 300000
entries idle 3610 pod ip csg entries kut idle 3610 pod
radius userid Calling-Station-Id ip csg radius userid Calling-Station-Id
radius stop purge vsa 3gpp 11 ip csg radius stop purge vsa 3gpp 11
radius pod attribute 44 ip csg radius pod attribute 44
radius pod nas 1700 key <xxx> ip csg radius pod nas 1700 key <xxx>
user-profile server radius pass ip csg entries kut profile radius pass
quota local-port 7000 ip csg quota-server local-port 7000
quota activate 2 ip csg quota-server activate 2
no quota server reassign no ip csg quota-server reassign
quota server 10.0.250.151 3386 1 ip csg quota-server 10.0.250.151 3386 1
quota server 10.0.250.152 3386 2 ip csg quota-server 10.0.250.152 3386 2
(CSG allows QS IP address and VRF to be defined. This was
not possible in CSG1)
ip csg accounting TEST ip csg accounting is removed

Copyright 2007 Cisco Systems Company Confidential 9

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
 user-group TEST user-group is removed
records max 1000 ip csg bma messages 1000
keepalive 300 ip csg bma keepalive 300
agent activate 3 sticky 30 ip csg bma activate 3 sticky 30
records format variable single-cdr ip csg records format variable combined http (or wap)
record-storage local-port 2000 ip csg psd local-port 2000
record-storage 10.7.55.1 ip csg psd 10.7.55.1
agent local-port 3392 ipcsg bma local-port 3392
agent 10.10.1.20 3386 1 ip csg bma 10.10.1.20 3386 1
agent 172.18.7.9 3386 2 ip csg bma 172.18.7.9 3386 2
report http header all ip csg report header WORD (HTTP header name)
report radius attribute 23 ip csg report radius attribute 23
inservice inservice is removed
ip csg policy HTTP ip csg policy HTTP
accounting type http customer-string http accounting customer-string http
(type command is removed from Policy)
ip csg content HTTP ip csg content HTTP
ip any tcp 80 ip any tcp 80
idle 30 idle 30
replicate replicate
policy HTTP policy HTTP
inservice parse protocol http (You must add this command for
! Layer 7 inspection of protocols)
inservice
!
ip csg ruleset R1 ruleset command is removed

ip csg weight ZERO 0 ip csg weight (name) is removed

! !
ip csg service FREE ip csg service FREE
content WAP_CONN policy WAP- content WAP_CONN policy WAP- REDIR weight
REDIR weight ZERO 0
ip csg service SEARCH ip csg service SEARCH
basis fixed basis fixed
idle 30 idle 30
authorize content aoc enable
content SEARCH policy content SEARCH policy GOOGLEIMAGE weight 2
GOOGLEIMAGE weight TWO

module ContentServicesGateway 2 module ContentServicesGateway command & sub-

vlan 137 server commands have been removed

Copyright 2007 Cisco Systems Company Confidential10

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
 ip address 10.7.13.50 255.255.255.0
gateway 10.7.13.20
alias 10.7.13.10 255.255.255.0

7 CSG2 HA Changes

Feature CSG2 CSG1 CSG2 Benefits

State detection HSRP CSM "FT" L3 virtualization
using HSRP
messaging on HA
interfaces rather
than ft vlan.
Hello messages on
non-dedicated
VLANs
Note: CSG2
cannot be paired
with a CSG1 for
HA purposes
State Sync CSG UDP State FT (Broadcast) Routable unicast
Sync State Sync IP HA messages
remove
requirements of
dedicated FT
VLAN.
Configuration Interdevice/IPC FT configuration Alternate
and Monitoring config monitoring
commands, and
config.

1) CSG2 uses standard HSRP and Redundancy Inter-device for high-availability.

2) CSG2 Replication:
To configure state replication between redundant CSG systems, the top level “ip csg
replicate” command is added to the configuration. This command specifies the local and
remote communication addresses and ports for state sync messages between the CSG
systems. This command enables stateful replication of CSG state data structures
including the user and radius tables:

Copyright 2007 Cisco Systems Company Confidential11

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
 ip csg replicate [vrf vrfname]local-ip remote-ip base-port
no ip csg replicate

Note that session/flow level replication is controlled with a separate command in content
submode, to allow for user/quota state sync independent of per-flow replication:

replicate delay { delay seconds}

3) Configure HSRP and Redundancy Interdevice/IPC:

a. Enable Inter-Device Redundancy:
redundancy inter-device
scheme standby SB

b. Configure the Inter-Device Communication Transport:

ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 10.10.24.14
remote-port 5000
remote-ip 10.10.24.13

c. Enable HSRP:
interface gig 0/0.10
standby 5 name SB

d. Monitoring or debugging CSG2 HA:

debug ip csg replicate
debug redundancy progression
debug redundancy inter-dev
debug standby

show redundancy state

show redundancy Interdev
show ipc sctp statistics
show ip csg stats

4) External restrictions and configurations:

a. The CSG2 will be reloaded every time it moves out of active state.
b. No preemption is allowed, the current active unit needs to be shutdown and reloaded for the
standby unit to become active.
c. Recommended procedure for HSRP/Redundancy related configuration changes in an active-
standby CSG2 topology:

 Take the unit out of redundancy state:

Copyright 2007 Cisco Systems Company Confidential12

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
 “no scheme standby” under “redundancy inter-device”
 Save the configuration and reload the device
 Change the configuration and put the device back to redundancy group
 Save the configuration and reload

d. When CSG2s’ are load balanced with a firewall load balancer (FWLB), standby use-bia must
be configured under HSRP configuration to ensure that the MAC address of the active CSG2
device changes (from FWLB’s perspective) when a switchover occurs.

5) Sample Configuration:

Vlan: 20
Standby IP: 10.10.25.1

10.10.25.14 10.10.25.13

Active Standby

10.10.24.14 10.10.24.13

Vlan: 10
Standby IP: 10.10.24.1
Standby Name: “SB”

Active Configuration:

redundancy inter-device
scheme standby SB
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 10.10.24.14
remote-port 5000
remote-ip 10.10.24.13
!
interface gig 0/0
!
interface gig 0/0.10

Copyright 2007 Cisco Systems Company Confidential13

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
 ip csg subscriber
encaps dot1q 10  vlan 10
ip address 10.10.24.14 255.255.255.0
standby use-bia
standby 5 ip 10.10.24.1
standby 5 ip 10.10.24.100 secondary
standby 5 name SB
!
interface gig 0/0.20
encaps dot1q 20  vlan 20
ip address 10.10.25.14 255.255.255.0
standby use-bia
standby 5 ip 10.10.25.1
standby 5 follow SB
!
ip csg replicate 10.10.24.14 10.10.14.13 2000
ip csg radius endpoint 10.10.24.100 key cisco

Standby Configuration:

redundancy inter-device
scheme standby SB
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 10.10.24.13
remote-port 5000
remote-ip 10.10.24.14
!
interface gig 0/0
!
interface gig 0/0.10
ip csg subscriber
encaps dot1q 10
ip address 10.10.24.13 255.255.255.0
standby use-bia
standby 5 ip 10.10.24.1
standby 5 ip 10.10.24.100 secondary
standby 5 priority 95
standby 5 name SB
!
interface gig 0/0.20
encaps dot1q 20
ip address 10.10.25.13 255.255.255.0
standby use-bia
standby 5 ip 10.10.25.1
standby 5 priority 95
standby 5 follow SB
!
ip csg replicate 10.10.24.13 10.10.24.14 2000
ip csg radius endpoint 10.10.24.100 key cisco

Copyright 2007 Cisco Systems Company Confidential14

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
8 CSG1 to CSG2 Variable Changes & Deletions
 Migrate environment variables:

CSG_BASIS_BYTE_LOW_QUOTA_MAX 10000000
CSG_BASIS_FIXED_LOW_QUOTA_MAX 10000000
CSG_BASIS_SEC_LOW_QUOTA 10
-> ip csg service submode: reauthorization threshold

CSG_FRAG_BUFFER_MAX 10240
CSG_FRAG_LIFETIME 5
CSG_FRAG_POOL_MAX 16384
-> ip csg entries fragment max <n> [lifetime <n>]

CSG_GTP_MAX_RETRIES 3
CSG_GTP_RETRY_TIME 4
CSG_GTP_TX_WINDOW 128
-> ip csg gtp { keepalive | retries | retransmit | window }

CSG_HTTP_STATS_DELAY 0
-> ip csg service submode: records delay

CSG_OBSCURE_X_FORWARDED_FOR 1
-> ip csg content submode: subscriber-ip http-header x-forwarded-for [obscure]

CSG_REDIRECTS_INTERVAL 8
CSG_REDIRECTS_MAX 15
-> ip csg redirects { interval | max }

CSG_SESSION_MAX 1000000
-> ip csg entries session user max

CSG_SMTP_CDR_HEADER_REDUCTION 0
-> ip csg report smtp rfc2822

CSG_WAP_APPEND_AOC_URL 0
-> ip csg service submode: aoc append url

CSG_WAP_DROP_UKNOWN_PACKETS 0
-> ip csg block

CSG_WAP_REPORT_ACTUAL_PDU_TYPE 0
-> ip csg report wap actual-pdu

CSG_ZERO_QUOTA_TIMEOUT_INIT 4
CSG_ZERO_QUOTA_TIMEOUT_MAX 60
-> ip csg service submode: reauthorization timeout

HTTP_CASE_SENSITIVE_MATCHING 1
-> ip csg policy submode: case-sensitive

Copyright 2007 Cisco Systems Company Confidential15

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
  Environment variables Deletions:

ARP_INTERVAL 300
ARP_LEARNED_INTERVAL 14400
ARP_GRATUITOUS_INTERVAL 15
ARP_RATE 10
ARP_RETRIES 3
ARP_LEARN_MODE 1

CSG_BASIS_BYTE_RESERVED_MAX 10000000
CSG_BILL_Q_HI_THRESHOLD 5000
CSG_BILL_Q_LO_THRESHOLD 3000
CSG_EXTRA_DEBUG
CSG_FAST_FIN_TIMEOUT 10
CSG_FAILOVER_DELAY 180
CSG_FTP_HA_WAIT_DELAY 20
CSG_FTP_PWD 0
CSG_FT_CONTENT 0
CSG_FT_SESSION_DELAY 0
CSG_FREE_CONTENT_ACCESS_PERMIT 0
CSG_HTTP_FIXED_INTERM_CDRS 0
CSG_IXP_FPGA_TRAP_ENABLED 0
CSG_IXP_POLL 720
CSG_IXP_WATCHDOG_ENABLED 0
CSG_IXP_WATCHDOG_TIMEOUT 60
CSG_MAX_BPLANS 128
CSG_MEM_FAILOVER_THRESHOLD
CSG_MEM_MAX_FREQUENCY
CSG_MEM_MAX_THRESHOLD
CSG_MEM_WARN_FREQUENCY
CSG_MEM_WARN_THRESHOLD
CSG_QUOTA_BLOCK 1
CSG_RADIUS_PROXY_CLIENT_REUSE 7200
CSG_REGEX_PLUS
CSG_RPR_PLUS_DELAY 90
CSG_SVC_CDR_MODE_QGRANT 65535

Copyright 2007 Cisco Systems Company Confidential16

A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.