Feedback
Contents
M through Z
- match (radius-filter)
- match access-group (ISG)
- match access-list
- match authen-status
- match authenticated-domain
- match authenticated-username
- match dnis
- match media
- match mlp-negotiated
- match nas-port
- match no-username
- match protocol (ISG)
- match service-name
- match source-ip-address
- match timer
- match tunnel-name
- match unauthenticated-domain
- match unauthenticated-username
- match vrf
- matchnot (radius-filter)
- message-authenticator ignore
- method-list
- passthru downstream ipv6
- password (ISG)
- police (ISG)
- policy-map
- policy-map type control
- policy-map type service
- policy-name
- policy-peer
- port
- prepaid config
- proxy (ISG RADIUS proxy)
- radius filter
- radius-server attribute 31
- radius-server attribute nas-port-id include
- re-authenticate do-not-apply
- redirect log translations
- redirect server-group
- redirect session-limit
- redirect to (ISG)
- server ip
- server-key
- service (ISG)
- service deny (ISG)
- service local (ISG)
- service relay (ISG)
- service vpdn group (ISG)
- service-monitor
- service-policy
- service-policy type control
- service-policy type service
- session-identifier (ISG)
- set-timer
- sgi beep listener
- sg-service-group
- sg-service-type
- sg-service-type external policy
- show class-map type control
- show class-map type traffic
- show database data
- show dwnld_mgr
- show idmgr
- show interface monitor
- show ip portbundle ip
- show ip portbundle status
- show ip subscriber
- show ipv6 nd ra session
- show platform isg session
- show platform isg session-count
- show policy-map type control
- show policy-map type service
- show processes cpu monitor
- show pxf cpu iedge
- show pxf cpu isg
- show radius-proxy client
- show radius-proxy session
- show redirect group
- show redirect translations
- show sgi
- show ssm
- show subscriber default-session
- show subscriber policy dpm statistics
- show subscriber policy peer
- show subscriber service
- show subscriber session
- show subscriber statistics
- show subscriber trace statistics
- show subscriber trace history
- show subscriber trace statistics
- show tech-support subscriber
- source
- subscriber accounting accuracy
- subscriber accounting ssg
- subscriber feature prepaid
- subscriber policy recording
- subscriber redundancy
- subscriber trace event
- subscriber trace history
- test sgi xml
- threshold (ISG)
- timeout absolute (ISG)
- timeout idle
- timer (ISG RADIUS proxy)
- trust
match (radius-filter)
To configure a condition to check for filter match criteria, use the match command in RADIUS filter configuration mode. To remove filter match criteria, use the no form of this command.
match { attribute att-type-number | vendor-type ven-type-number [ attribute att-type-number ] }
no match { attribute att-type-number | vendor-type ven-type-number [ attribute att-type-number ] }
Usage Guidelines
Use the match command to check for the attribute to be present in the packet. The vendor-type and ven-type-number keyword-argument pair specifies the attributes associated with a specific vendor. If no attribute is specified, the condition matches the filter for any attribute of the specific vendor:
match access-group (ISG)
To configure the match criteria for an Intelligent Services Gateway (ISG) traffic class map on the basis of the specified access control list (ACL), use the match access-group command in traffic class-map configuration mode. To remove the ACL from a class map, use the no form of this command.
match access-group { input | output } { access-list-number | name access-list-name }
no match access-group { input | output } { access-list-number | name access-list-name }
Syntax Description
input
Specifies match criteria for input traffic.
output
Specifies match criteria for output traffic.
access-list-number
A numbered ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to this class. Range is 1 to 2799.
name access-list-name
A named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to this class. The name can be a maximum of 40 alphanumeric characters
Usage Guidelines
The match access-group command specifies a numbered or named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the class. Packets satisfying the match criteria for a class constitute the traffic for that class.
The ACL must be defined using the ip access-list command.
After a traffic class map has been defined, use the class type traffic command to associate the traffic class map with a service policy map. A service can contain one traffic class and the default class.
ISG traffic classes allow subscriber session traffic to be subclassified so that ISG features can be applied to constituent flows. Traffic policies, which define the handling of data packets, contain a traffic class and one or more features.
Examples
The following example shows a class map named “acl144” that is configured to use ACL 144 as the input match criterion for this class:
class-map type traffic match-any acl144 match access-group input 144Related Commands
Command
Description
class-map type traffic
Creates or modifies a traffic class map, which is used for matching packets to a specified ISG traffic class.
class type traffic
Associates a traffic class map with a service policy map.
ip access-list
Defines an IP access list or object group access control list (OGACL).
match access-list
To specify packets for port-mapping by specifying an access list to compare against the subscriber traffic, use the destination access-list command in portbundle configuration mode. To remove this specification, use the no form of this command.
Syntax Description
access-list-number
Integer from 100 to 199 that is the number or name of an extended access list.
Usage Guidelines
You can use multiple entries of the match access-list command. The access lists are checked against the subscriber traffic in the order in which they are defined.
match authen-status
To create a condition that will evaluate true if a subscriber’s authentication status matches the specified authentication status, use the match authen-status command in control class-map configuration mode. To remove the condition, use the no form of this command.
match authen-status { authenticated | unauthenticated }
no match authen-status { authenticated | unauthenticated }
Syntax Description
authenticated
Subscriber has been authenticated.
unauthenticated
Subscriber has not been authenticated.
Command Default
A condition that will evaluate true if a subscriber’s authentication status matches the specified authentication status is not created.
Usage Guidelines
The match authen-statuscommand is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.
class-map type type control match-all CONDA match authen-status unauthenticated match timer TIMERA policy-map type control RULEA class type control always event session-start 1 set-timer TIMERA 1 [minutes] ! class type control CONDA event timed-policy-expiry 1 service disconnectRelated Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match authenticated-domain
To create a condition that will evaluate true if a subscriber’s authenticated domain matches the specified domain, use the match authenticated-domain command in control class-map configuration mode. To remove the condition, use the no form of this command.
match authenticated-domain { domain-name | regexp regular-expression }
no match authenticated-domain
Syntax Description
domain-name
Domain name.
regexp regular-expression
Regular expression to be matched against subscriber’s authenticated domain name.
Command Default
A condition that will evaluate true if a subscriber’s authenticated domain matches the specified domain is not created.
Usage Guidelines
The match authenticated-domaincommand is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example creates a control class map that will evaluate true if a subscriber’s domain matches the regular expression “.*com”.
class-map type control match-all MY-CONDITION1 match authenticated-domain regexp ".*com"Related Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match authenticated-username
To create a condition that will evaluate true if a subscriber’s authenticated username matches the specified username, use the match authenticated-username command in control class-map configuration mode. To remove the condition, use the no form of this command.
match authenticated-username { username | regexp regular-expression }
no match authenticated-username { username | regexp regular-expression }
Syntax Description
username
Username
regexp regular-expression
Matches the regular expression against the subscriber’s authenticated username.
Usage Guidelines
The match authenticated-usernamecommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which evaluates to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true for the class as a whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates “class3” with the control policy map called “rule4”.
class-map type control match-all class3 match authenticated-username regexp "user@.*com" match authenticated-domain regexp ".*com" ! policy-map type control rule4 class type control class3 event session-start 1 authorize identifier authenticated-usernameRelated Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match dnis
To create a condition that will evaluate true if a subscriber’s Dialed Number Identification Service number (DNIS number, also referred to as called-party number ) matches the specified DNIS, use the match dnis command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
dnis
DNIS number.
regexp regular-expression
Matches the regular expression against the subscriber’s DNIS number.
Command Default
A condition that will evaluate true if a subscriber’s DNIS number matches the specified DNIS is not created.
Usage Guidelines
The match dniscommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates “class3” with the control policy map called “rule4”.
class-map type control match-all class3 match dnis reg-exp 5550100 ! policy-map type control rule4 class type control class3 event session-start 1 authorize identifier dnis!Related Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match media
To create a condition that will evaluate true if a subscriber’s access media type matches the specified media type, use the match media command in control class-map configuration mode. To remove the condition, use the no form of this command.
match media { async | atm | ether | ip | isdn | mpls | serial }
no match media { async | atm | ether | ip | isdn | mpls | serial }
Command Default
A condition that will evaluate true if a subscriber’s access media type matches the specified media type is not created.
Usage Guidelines
The match media command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example configures a control class map that evaluates true for subscribers that enter the router through Ethernet interface slot 3.
class-map type control match-all MATCHING-USERS match media ether match nas-port type ether slot 3match mlp-negotiated
To create a condition that will evaluate true depending on whether or not a subscriber’s session was established using multilink PPP negotiation, use the match mlp-negotiated command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
no
The subscriber’s session was not multilink PPP negotiated.
yes
The subscriber’s session was multilink PPP negotiated.
Usage Guidelines
The match mlp-negotiatedcommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map configured with the match mlp-negotiated command:
class-map type control match-all class3 match mlp-negotiated yes ! policy-map type control rule4 class type control class3 event session-start 1 authorize authenticated-usernameRelated Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match nas-port
To create a condition that will evaluate true if a subscriber’s network access server (NAS) port identifier matches the specified value, use the match nas-port command in control class-map configuration mode. To remove the condition, use the no form of this command.
match nas-port { adapter adapter-number | channel channel-number | circuit-id name | ipaddr ip-address | port port-number | remote-id name | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number }
no match nas-port { adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number }
Syntax Description
adapter adapter-number
Interface adapter number.
channel channel-number
Interface channel number.
circuit-id name
Circuit ID
ipaddr ip-address
IP address.
port port-number
Port number.
remote-id name
Remote ID.
shelf shelf-number
Interface shelf number.
slot slot-number
Slot number.
sub-interface sub-interface-number
Subinterface number.
type interface-type
Interface type.
vci vci-number
Virtual channel identifier.
vlan vlan-id
VLAN ID.
vpi vpi-number
Virtual path identifier.
Command Default
A condition that will evaluate true if a subscriber’s NAS port identifier matches the specified value is not created.
Usage Guidelines
The match nas-portcommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example configures a control class map that evaluates true on PPPoE subscribers that enter the router through Ethernet interface slot 3.
class-map type control match-all MATCHING-USERS class type control name NOT-ATM match media ether match nas-port type ether slot 3Related Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match no-username
To create a condition that will evaluate true if a subscriber’s username is available, use the match no-username command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
no
The subscriber’s username is available.
yes
The subscriber’s username is not available.
Command Default
A condition that will evaluate true if a subscriber’s username is available is not created.
Usage Guidelines
The match no-username command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map configured with the match no-username command:
class-map type control match-all class3 match no-username yes ! policy-map type control rule4 class type control class3 event session-start 1 service localRelated Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match protocol (ISG)
To create a condition that will evaluate true if a subscriber’s access protocol type matches the specified protocol type, use the match protocol command in control class-map configuration mode. To remove the condition, use the no form of this command.
match protocol { atom | ip | pdsn | ppp | vpdn }
no match protocol { atom | ip | pdsn | ppp | vpdn }
Syntax Description
atom
Any Transport over MPLS (AToM).
ip
IP.
pdsn
Packet Data Serving Node (PDSN).
ppp
Point-to-Point Protocol (PPP).
vpdn
Virtual Private Dialup Network (VPDN).
Command Default
A condition that will evaluate true if a subscriber’s access protocol type matches the specified protocol type is not created.
Usage Guidelines
The match protocolcommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example creates a control class map that evaluates true if subscribers arrive from a VPDN tunnel:
class-map type control match-any MY-CONDITION match protocol vpdnRelated Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match service-name
To create a condition that will evaluate true if the service name associated with a subscriber matches the specified service name, use the match service-name command in control class-map configuration mode. To remove the condition, use the no form of this command.
match service-name { service-name | regexp regular-expression }
no service-name { service-name | regexp regular-expression }
Syntax Description
service-name
Service name.
regexp regular-expression
Regular expression to be matched against subscriber’s service name.
Command Default
A condition that will evaluate true if the service name associated with a subscriber matches the specified service name is not created.
Usage Guidelines
The match service-namecommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example configures ISG to authenticate subscribers associated with the service before downloading the service:
aaa authentication login AUTHEN local aaa authorization network SERVICE group radius ! class-map type control match-any MY-CONDITION2 match service-name "gold" match service-name "bronze" match service-name "silver" ! policy-map type control MY-RULE2 class type control MY-CONDITION2 event service-start 1 authenticate aaa list AUTHEN 2 service-policy type service aaa list SERVICE identifier service-name ! service-policy type control MY-RULE2Related Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match source-ip-address
To create a condition that will evaluate true if a subscriber’s source IP address matches the specified IP address, use the match source-ip-addresscommand in control class-map configuration mode. To remove the condition, use the no form of this command.
Command Default
A condition that will evaluate true if a subscriber’s source IP address matches the specified IP address is not created.
Usage Guidelines
The match source-ip-addresscommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates “class3” with the control policy map called “rule4”.
class-map type control match-all class3 match source-ip-address 10.0.0.0 255.255.255.0 ! policy-map type control rule4 class type control class3 event session-start 1 authorize identifier source-ip-address !Related Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match timer
To create a condition that will evaluate true when the specified timer expires, use the match timer command in control class-map configuration mode. To remove the condition, use the no form of this command.
match timer { timer-name | regexp regular-expression }
no match timer { timer-name | regexp regular-expression }
Syntax Description
timer-name
Name of the policy timer.
regexp regular-expression
Regular expression to be matched against the timer name.
Command Default
A condition that will evaluate true when the specified timer expires is not created.
Usage Guidelines
The match timercommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.
class-map type control match-all CONDA match authen-status unauthenticated match timer TIMERA policy-map type control RULEA class type control always event session-start 1 set-timer TIMERA 1 ! class type control CONDA event timed-policy-expiry 1 service disconnectRelated Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match tunnel-name
To create a condition that will evaluate true if a subscriber’s Virtual Private Dialup Network (VPDN) tunnel name matches the specified tunnel name, use the match tunnel-name command in control class-map configuration mode. To remove the condition, use the no form of this command.
match tunnel-name { tunnel-name | regexp regular-expression }
no match tunnel-name { tunnel-name | regexp regular-expression }
Command Default
A condition that will evaluate true if a subscriber’s VPDN tunnel name matches the specified tunnel name is not created.
Usage Guidelines
The match tunnel-name command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates “class3” with the control policy map called “rule4”.
class-map type control match-all class3 match tunnel-name LAC ! policy-map type control rule4 class type control class3 event session-start 1 authorize identifier tunnel-name !match unauthenticated-domain
To create a condition that will evaluate true if a subscriber’s unauthenticated domain name matches the specified domain name, use the match unauthenticated-domaincommand in control class-map configuration mode. To remove the condition, use the no form of this command.
match unauthenticated-domain { domain-name | regexp regular-expression }
no match unauthenticated-domain { domain-name | regexp regular-expression }
Syntax Description
domain-name
Domain name.
regexp regular-expression
Regular expression to be matched against subscriber’s domain name.
Command Default
A condition that will evaluate true if a subscriber’s unauthenticated domain name matches the specified domain name is not created.
Usage Guidelines
The match unauthenticated-domaincommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example configures a control class map that evaluates true for subscribers with the unauthenticated domain “abc.com”:
class-map type control match-all MY-FORWARDED-USERS match unauthenticated-domain "xyz.com"Related Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match unauthenticated-username
To create a condition that will evaluate true if a subscriber’s unauthenticated username matches the specified username, use the match unauthenticated-usernamecommand in control class-map configuration mode. To remove the condition, use the no form of this command.
match unauthenticated-username { username | regexp regular-expression }
no match unauthenticated-username { username | regexp regular-expression }
Syntax Description
username
Username.
regexp regular-expression
Regular expression to be matched against the subscriber’s username.
Command Default
A condition that will evaluate true if a subscriber’s unauthenticated username matches the specified username is not created.
Usage Guidelines
The match unauthenticated-usernamecommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates “class3” with the control policy map called “rule4”.
class-map type control match-all class3 match identifier unauthenticated-username regexp "user@.*com" ! policy-map type control rule4 class type control class3 event session-start 1 authorize identifier unauthenticated-username!Related Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
match vrf
To create a condition that evaluates true if a subscriber’s VPN routing and forwarding instance (VRF) matches the specified VRF, use the match vrf command in control class-map configuration mode. To remove this condition, use the no form of this command.
match vrf { vrf-name | regexp regular-expression }
no match vrf { vrf-name | regexp regular-expression }
Syntax Description
vrf-name
Name of the VRF.
regexp regular-expression
Regular expression to be matched against the subscriber’s VRF.
Command Default
A condition that will evaluate true if a subscriber’s VRF matches the specified VRF is not created.
Usage Guidelines
The match vrf command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
matchnot (radius-filter)
To configure a condition to check for a filter criteria that do not match, use the matchnot command in RADIUS filter configuration mode. To remove a filter match criteria for an unsuccessful match, use the no form of this command.
matchnot { attribute att-type-number | vendor-type ven-type-number [ attribute att-type-number ] }
no matchnot { attribute att-type-number | vendor-type ven-type-number [ attribute att-type-number ] }
Usage Guidelines
Use the matchnot command to check whether an attribute is absent from the packet. The vendor-type and ven-type-number keyword/argument pair specifies the attribute that is associated with a specific vendor. If no attribute option is specified, the condition matches the filter for any attribute of the specific vendor.
message-authenticator ignore
To disable message-authenticator validation of packets from RADIUS clients, use the message-authenticator ignorecommand in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To reenable message-authenticator validation, use the no form of this command.
Usage Guidelines
Use the message-authenticator ignore command when validation of the source of RADIUS packets is not required or in situations in which a RADIUS client is not capable of filling the message-authenticator field in the RADIUS packet.
method-list
To specify the authentication, authorization, and accounting (AAA) method list to which the Intelligent Services Gateway (ISG) will send prepaid accounting updates or prepaid authorization requests, use the method-list command in ISG prepaid configuration mode. To reset to the default value, use the no form of this command.
method-list { accounting | authorization } name-of-method-list
no method-list { accounting | authorization } name-of-method-list
Usage Guidelines
The AAA method list that is specified by the method-list command must be configured by using the aaa accounting command. See the Cisco IOS Security Configuration Guide for information about configuring AAA method lists, server groups, and servers.
Examples
The following example shows an ISG prepaid feature configuration in which a method list called “ap-mlist” is specified for prepaid accounting and the default method list is specified for prepaid authorization:
subscriber feature prepaid conf-prepaid interim-interval 5 threshold time 20 threshold volume 0 method-list accounting ap-mlist method-list authorization default password ciscoRelated Commands
Command
Description
aaa accounting
Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.
prepaid config
Enables prepaid billing for an ISG service and references a configuration of prepaid billing parameters.
subscriber feature prepaid
Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile
passthru downstream ipv6
To allow IPv6 downstream traffic from an Intelligent Services Gateway (ISG) interface to pass through to a subscriber without an established subscriber session, use the passthru downstream ipv6 command in IP subscriber configuration mode. To prevent downstream traffic from passing through without a subscriber session, use the no form of this command.
Usage Guidelines
The passthru downstream ipv6 command enables pass through of IPv6 downstream traffic if an IPv6-specific initiator is configured with the initiator unclassified ip-address or initiator unclassified ip-address ipv6 command.
This command enables subscribers to receive services, such as support and security updates, even if a subscriber session is not present.
If an IPv4-specific initiator is configured on the interface with the initiator unclassified ip-address ipv4 command, IPv6 downstream traffic is allowed without the pass through feature but IPv4 downstream traffic is blocked.
Examples
The following example shows that Ethernet interface 0/0 has been configured to allow IPv6 downstream traffic to be forwarded to subscribers even if a subscriber session is not present.
interface GigabitEthernet0/0/0 ip address 192.0.2.1 255.255.255.0 ipv6 address 2001:DB8::1/64 ipv6 enable no cdp enable service-policy type control my-policy2 ip subscriber routed initiator unclassified ip-address passthru downstream ipv6password (ISG)
To specify the password that the Intelligent Services Gateway (ISG) will use in authorization and reauthorization requests, use the password command in prepaid configuration mode. To reset the password to the default, use the no form of this command.
Syntax Description
password
Password that the ISG will use in authorization and reauthorization requests. The default password is cisco.
Examples
The following example shows an ISG prepaid feature configuration in which the password is “pword” :
subscriber feature prepaid conf-prepaid interim-interval 5 threshold time 20 threshold volume 0 method-list accounting ap-mlist method-list authorization default password pwordRelated Commands
Command
Description
prepaid config
Enables prepaid billing for an ISG service and references a configuration of prepaid billing parameters.
subscriber feature prepaid
Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile.
police (ISG)
To configure Intelligent Services Gateway (ISG) policing, use the police command in service policy-map class configuration mode. To disable upstream policing, use the no form of this command.
police { input | output } committed-rate [ normal-burst excess-burst ]
no police { input | output } committed-rate [ normal-burst excess-burst ]
Syntax Description
input
Specifies policing of upstream traffic, which is traffic flowing from the subscriber toward the network.
output
Specifies policing of upstream traffic, which is traffic flowing from the network toward the subscriber.
committed-rate
Amount of bandwidth, in bits per second, to which a subscriber is entitled. Range is from 8000 to 128000000000 (or 128 Gbps).
normal-burst
(Optional) Normal burst size, in bytes. Range is from 1000 to 2000000000 (2 Gb). If the normal burst size is not specified, it is calculated from the committed rate using the following formula:
Normal burst = 1.5 * committed rate (scaled and converted to byte per msec)
excess-burst
(Optional) Excess burst size, in bytes. Range is from 1000 to 2000000000 (2 Gb). If the excess burst is not specified, it is calculated from the normal burst value using the following formula:
Excess burst = 2 * normal burst
Usage Guidelines
ISG policing supports policing of upstream and downstream traffic and can be applied to a session or a flow.
Session-based policing applies to the aggregate of subscriber traffic for a session.
Session-based policing parameters can be configured on a AAA server in either a user profile or a service profile that does not specify a traffic class. It can also be configured on the router in a service policy map by using the police command. Session-based policing parameters that are configured in a user profile take precedence over session-based policing parameters configured in a service profile or service policy map.
Flow-based policing applies only to the destination-based traffic flows that are specified by a traffic class.
Flow-based policing can be configured on a AAA server in a service profile that specifies a traffic class. It can also be configured on the router under a traffic class in a service policy map by using the police command. Flow-based policing and session-based policing can coexist and operate simultaneously on subscriber traffic.
Examples
The following example shows the configuration of flow-based ISG policing in a service policy map:
class-map type traffic match-any C3 match access-group in 103 match access-group out 203 policy-map type service P3 class type traffic C3 police input 20000 30000 60000 police output 21000 31500 63000policy-map
To enter policy-map configuration mode and create or modify a policy map that can be attached to one or more interfaces to specify a service policy, use the policy-mapcommand in global configuration mode. To delete a policy map, use the no form of this command.
Supported Platforms Other Than Cisco 10000 and Cisco 7600 Series Routers
policy-map [ type { stack | access-control | port-filter | queue-threshold | logging log-policy } ] policy-map-name
no policy-map [ type { stack | access-control | port-filter | queue-threshold | logging log-policy } ] policy-map-name
Cisco 10000 Series Router
policy-map [ type { control | service } ] policy-map-name
no policy-map [ type { control | service } ] policy-map-name
Cisco CMTS and 7600 Series Router
policy-map [ type { class-routing ipv4 unicast unicast-name | control control-name | service service-name } ] policy-map-name
no policy-map [ type { class-routing ipv4 unicast unicast-name | control control-name | service service-name } ] policy-map-name
Syntax Description
type
(Optional) Specifies the policy-map type.
stack
(Optional) Determines the exact pattern to look for in the protocol stack of interest.
access-control
(Optional) Enables the policy map for the flexible packet matching feature.
port-filter
(Optional) Enables the policy map for the port-filter feature.
queue-threshold
(Optional) Enables the policy map for the queue-threshold feature.
logging
(Optional) Enables the policy map for the control-plane packet logging feature.
log-policy
(Optional) Type of log policy for control-plane logging.
policy-map-name
Name of the policy map.
control
(Optional) Creates a control policy map.
control-name
Name of the control policy map.
service
(Optional) Creates a service policy map.
service-name
Name of the policy-map service.
class-routing
Configures the class-routing policy map.
ipv4
Configures the class-routing IPv4 policy map.
unicast
Configures the class-routing IPv4 unicast policy map.
unicast-name
Unicast policy-map name.
Command History
Usage Guidelines
Use the policy-map command to specify the name of the policy map to be created, added, or modified before you configure policies for classes whose match criteria are defined in a class map. The policy-map command enters policy-map configuration mode, in which you can configure or modify the class policies for a policy map.
You can configure class policies in a policy map only if the classes have match criteria defined for them. Use the class-map and match commands to configure match criteria for a class. Because you can configure a maximum of 64 class maps, a policy map cannot contain more than 64 class policies, except as noted for quality of service (QoS) class maps on Cisco 7600 systems.
NoteFor QoS class maps on Cisco 7600 series routers, the limits are 1024 class maps and 256 classes in a policy map.
A policy map containing ATM set cell loss priority (CLP) bit QoS cannot be attached to PPP over X (PPPoX) sessions. The policy map is accepted only if you do not specify the set atm-clp command.
A single policy map can be attached to more than one interface concurrently. Except as noted, when you attempt to attach a policy map to an interface, the attempt is denied if the available bandwidth on the interface cannot accommodate the total bandwidth requested by class policies that make up the policy map. In such cases, if the policy map is already attached to other interfaces, the map is removed from those interfaces.
NoteThis limitation does not apply on Cisco 7600 series routers that have session initiation protocol (SIP)-400 access-facing line cards.
Whenever you modify a class policy in an attached policy map, class-based weighted fair queuing (CBWFQ) is notified and the new classes are installed as part of the policy map in the CBWFQ system.
NotePolicy-map installation via subscriber-profile is not supported. If you configure an unsupported policy map and there are a large number of sessions, an equally large number of messages print on the console. For example, if there are 32,000 sessions, then 32,000 messages print on the console at 9,600 baud.
Class Queues (Cisco 10000 Series Routers Only)
The Performance Routing Engine (PRE)2 allows you to configure 31 class queues in a policy map.
In a policy map, the PRE3 allows you to configure one priority level 1 queue, one priority level 2 queue, 12 class queues, and one default queue.
Control Policies (Cisco 10000 Series Routers Only)
Control policies define the actions that your system will take in response to the specified events and conditions.
A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions are executed.
There are three steps involved in defining a control policy:
- Using the class-map type control command, create one or more control class maps.
- Using the policy-map type control command, create a control policy map.
A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.
Service Policies (Cisco 10000 Series Routers Only)
Service policy maps and service profiles contain a collection of traffic policies and other functions. Traffic policies determine which function is applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, which is a specific type of traffic policy that determines how session data packets will be forwarded to the network.
Policy Map Restrictions (Catalyst 6500 Series Switches Only)
Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. This release and platform has the following restrictions for using policy maps and match commands:
Examples
The following example shows how to create a policy map called “policy1” and configure two class policies included in that policy map. The class policy called “class1” specifies a policy for traffic that matches access control list (ACL) 136. The second class is the default class to which packets that do not satisfy the configured match criteria are directed.
! The following commands create class-map class1 and define its match criteria: class-map class1 match access-group 136 ! The following commands create the policy map, which is defined to contain policy ! specification for class1 and the default class: policy-map policy1 class class1 bandwidth 2000 queue-limit 40 class class-default fair-queue 16 queue-limit 20The following example shows how to create a policy map called “policy9” and configure three class policies to belong to that map. Of these classes, two specify the policy for classes with class maps that specify match criteria based on either a numbered ACL or an interface name, and one specifies a policy for the default class called “class-default” to which packets that do not satisfy the configured match criteria are directed.
policy-map policy9 class acl136 bandwidth 2000 queue-limit 40 class ethernet101 bandwidth 3000 random-detect exponential-weighting-constant 10 class class-default fair-queue 10 queue-limit 20The following is an example of a modular QoS command-line interface (MQC) policy map configured to initiate the QoS service at the start of a session.
Router> enable Router# configure terminal Router(config)# policy-map type control TEST Router(config-control-policymap)# class type control always event session-start Router(config-control-policymap-class-control)# 1 service-policy type service name QoS_Service Router(config-control-policymap-class-control)# endExamples
The following example shows the configuration of a control policy map named “rule4”. Control policy map rule4 contains one policy rule, which is the association of the control class named “class3” with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.
class-map type control match-all class3 match access-type pppoe match domain cisco.com available nas-port-id ! policy-map type control rule4 class type control class3 authorize nas-port-id ! service-policy type control rule4The following example shows the configuration of a service policy map named “redirect-profile”:
policy-map type service redirect-profile class type traffic CLASS-ALL redirect to group redirect-sgExamples
The following example shows how to define a policy map for the 802.1p domain:
enable configure terminal policy-map cos7 class cos7 set cos 2 endThe following example shows how to define a policy map for the MPLS domain:
enable configure terminal policy-map exp7 class exp7 set mpls experimental topmost 2 endRelated Commands
Command
Description
bandwidth (policy-map class)
Specifies or modifies the bandwidth allocated for a class belonging to a policy map.
class (policy-map)
Specifies the name of the class whose policy you want to create or change, and its default class before you configure its policy.
class class-default
Specifies the default class whose bandwidth is to be configured or modified.
class-map
Creates a class map to be used for matching packets to a specified class.
fair-queue (class-default)
Specifies the number of dynamic queues to be reserved for use by the class-default class as part of the default class policy.
match access-group
Configures the match criteria for a class map on the basis of the specified ACL.
queue-limit
Specifies or modifies the maximum number of packets that the queue can hold for a class policy configured in a policy map.
random-detect (interface)
Enables WRED or DWRED.
random-detect exponential-weighting-constant
Configures the WRED and DWRED exponential weight factor for the average queue size calculation.
random-detectservice-policy precedence
Configures WRED and DWRED parameters for a particular IP precedence.
service-policy
Attaches a policy map to an input interface or VC or an output interface or VC to be used as the service policy for that interface or VC.
set atm-clp precedence
Sets the ATM CLP bit when a policy map is configured.
policy-map type control
To create or modify a control policy map, which defines an Intelligent Services Gateway (ISG) control policy, use the policy-map type controlcommand in global configuration mode. To delete the control policy map, use the no form of this command.
Syntax Description
tag
Network Admission Control (NAC) specific policy type.
policy-map-name
Name of the control policy map.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
12.2(33)SXI
This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SXI.
Cisco IOS XE 2.3
This command was integrated into a release earlier than Cisco IOS XE Release 2.3.
15.0(1)M
This command was modified in a release earlier than 15.0(1)M. The tag keyword and policy-map-name argument were added.
Usage Guidelines
Control policies define the actions that your system will take in response to specified events and conditions.
A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed.
There are three steps involved in defining a control policy:
- Create one or more control class, maps by using the class-map type control command.
- Create a control policy, map by using the policy-map type control command.
A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.
- Apply the control policy map to a context by using the service-policy type control command.
Examples
The following example shows the configuration of a control policy map called “rule4.” Control policy map “rule4” contains one policy rule, which is the association of the control class “class3” with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.
class-map type control match-all class3 match access-type pppoe match domain cisco.com available nas-port-id ! policy-map type control tag rule4 class type control class3 authorize nas-port-id ! service-policy type control rule4policy-map type service
To create or modify a service policy map, which is used to define an Intelligent Services Gateway (ISG) subscriber service, use the policy-map type servicecommand in global configuration mode. To delete a service policy map, use the no form of this command.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
Cisco IOS XE Release 2.4
This command was integrated into Cisco IOS Release XE 2.4.
Usage Guidelines
Use the policy-map type service command to create or modify an ISG service policy map. Service policy maps define ISG subscriber services.
An ISG service is a collection of policies that may be applied to a subscriber session. Services can be defined in service policy maps and service profiles. Service policy maps and service profiles serve the same purpose; the only difference between them is that a service policy map is defined on the local device using the policy-map type servicecommand, and a service profile is configured on an external device, such as an authentication, authorization, and accounting (AAA) server.
Service policy maps and service profiles contain a collection of traffic policies and other functionality. Traffic policies determine which functionality will be applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, a specific type of traffic policy that determines how session data packets will be forwarded to the network.
policy-name
To configure a subscriber policy name, use the policy-name command in service policy map configuration mode. To remove a subscriber policy name, use the no form of this command.
Command History
Release
Modification
12.2(33)SRC
This command was introduced.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Usage Guidelines
The policy-name command is used with the policy-map type service command and must be configured together with the sg-service-type external-policy command. The policy name configured on the Intelligent Services Gateway (ISG) device must be the name of an existing policy that has already been configured on the SCE device.
policy-peer
To configure a subscriber policy peer connection, use the policy-peercommand in global configuration mode. To remove a subscriber policy peer connection, use the no form of this command.
policy-peer [ address ip-address ] keepalive seconds
no policy-peer [ address ip-address ] keepalive seconds
Syntax Description
address
(Optional) Configures the IP address of the peer that is to be connected.
ip-address
Specifies the IP address of the peer to be connected.
keepalive
Configures the keepalive value to be used to monitor the peering relationship.
seconds
Keepalive value, in seconds. Range: 5 to 3600. Default: 0.
Command History
Release
Modification
12.2(33)SRC
This command was introduced.
12.2(33)SB
This command was integrated into Cisco Release 12.2(33)SB.
Usage Guidelines
Use the keepalive keyword with the policy-peer command to monitor the peering relationship between the Intelligent Services Gateway (ISG) device and the Service Control Engine (SCE). When the ISG and SCE establish a peering relationship, they negotiate the lowest keepalive value between them. If the ISG keepalive value is set to zero (0), the ISG accepts the value proposed by the SCE. The SCE sends keepalive packets at specified intervals. If twice the time specified by the seconds argument goes by without the ISG receiving a keepalive packet from the SCE, the peering relationship is ended. The ISG ignores any messages from the SCE unless they are messages to establish peering.
port
To specify the port on which a device listens for RADIUS requests from configured RADIUS clients, use the port command in dynamic authorization local server configuration mode. To restore the default, use the no form of this command.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
Cisco IOS XE Release 2.6
This command was integrated into Cisco IOS XE Release 2.6.
Usage Guidelines
A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the port command to specify the ports on which the router will listen for requests from RADIUS clients.
prepaid config
To enable prepaid billing for an Intelligent Services Gateway (ISG) service and to reference a configuration of prepaid billing parameters, use the prepaid config command in service policy traffic class configuration mode. To disable prepaid billing for a service, use the no form of this command.
prepaid config { name-of-configuration | default }
no prepaid config { name-of-configuration | default }
Syntax Description
name-of-configuration
A named configuration of prepaid billing parameters.
default
The default configuration of prepaid billing parameters.
Usage Guidelines
ISG prepaid billing is enabled in a service policy map on the router by entering the prepaid config command, or in a service profile on the authentication, authorization, and accounting (AAA) server by using the prepaid vendor-specific attribute (VSA). The prepaid config command and prepaid VSA reference a configuration that contains specific prepaid billing parameters.
To create or modify a prepaid billing parameter configuration, use the subscriber feature prepaid command to enter prepaid configuration mode. A default prepaid configuration exists with the following parameters:
subscriber feature prepaid default threshold time 0 seconds threshold volume 0 bytes method-list authorization default method-list accounting default password ciscoThe default configuration will not show up in the output of the show running-config command unless you change any one of the parameters.
The parameters of named prepaid configurations are inherited from the default configuration, so if you create a named prepaid configuration and want only one parameter to be different from the default configuration, you have to configure only that parameter.
Examples
The following example shows prepaid billing enabled in a service called “mp3”. The prepaid billing parameters in the configuration “conf-prepaid” will be used for “mp3” prepaid sessions.
policy-map type service mp3 class type traffic CLASS-ACL-101 authentication method-list cp-mlist accounting method-list cp-mlist prepaid config conf-prepaid subscriber feature prepaid conf-prepaid threshold time 20 threshold volume 0 method-list accounting ap-mlist method-list authorization default password ciscoproxy (ISG RADIUS proxy)
To configure an Intelligent Services Gateway (ISG) device to send RADIUS packets to a method list, use the proxy command in control policy-map class configuration mode. To remove this action from the control policy, use the no form of this command.
action-number proxy [ aaa list { list-name | default } ] [ accounting aaa list acc-list-name ]
no action-number proxy [ aaa list { list-name | default } ] [ accounting aaa list acc-list-name ]
Syntax Description
action-number
Number of the action. Actions are executed sequentially within the policy rule.
aaa list
(Optional) Specifies that RADIUS packets will be sent to an authentication, authorization, and accounting (AAA) method list.
list-name
Name of the AAA method list to which RADIUS packets are sent.
default
Specifies that RADIUS packets will be sent to the default RADIUS server.
accounting aaa list
Defines a method list to which accounting is sent.
acc-list-name
Name of the accounting AAA method list to which RADIUS packets are sent.
Usage Guidelines
The proxy command is used to configure a control policy that causes ISG to forward RADIUS packets to a specified AAA method list. The method list must be configured with the aaa accountingcommand.
Control policies define the actions that the system takes in response to specified events and conditions. A control policy is made up of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
The accounting aaa list keyword is used configure the ISG device to forward incoming accounting requests from the SCE device to the AAA server.
Examples
The following example configures an accounting method list called “LIST-LOCAL”. The server group called “AAA-GROUP1” is the method specified in the method list. A control policy called “POLICY-LOCAL” is configured with a policy rule that causes ISG to forward SCE accounting packets to the server group defined in method list “LIST-LOCAL”.
Router(config)# aaa accounting network LIST-LOCAL start-stop group AAA-GROUP1 Router(config)# policy-map type control POLICY-LOCAL Router(config-control-policymap)# class type control always event acct-notification Router(config-control-policymap-class)# 1 proxy accounting aaa list LIST-LOCALradius filter
To filter RADIUS packets that are received by the Intelligent Services Gateway (ISG), use the radius filter command in global configuration mode. To remove the RADIUS packet filter configuration, use the no form of this command.
Usage Guidelines
Use the radius filter command to enable ISG to filter RADIUS packets based on the filter criteria. Use this command along with match , matchnot , and filter commands.Examples
The following example shows how to configure a RADIUS packet filter with the match-all keyword.
Device(config)# radius filter match-all filter1Related Commands
Command
Description
filter (ISG RADIUS proxy)
Applies ISG RADIUS packet filters to the RADIUS proxy server or client.
match (radius-filter)
Configures a condition to check for a filter match criterion.
matchnot (radius-filter)
Configures a condition to check for a filter criterion that does not match.
radius-server attribute 31
To enable Calling-Station-ID (attribute 31) options, use the radius-server attribute 31 command in global configuration mode. To disable Calling-Station-ID (attribute 31) options, use the no form of this command.
radius-server attribute 31 { append-circuit-id | mac format { default | ietf | { one-byte | three-byte | two-byte } delimiter { colon | dot | hyphen } | unformatted } [ lower-case | upper-case ] | remote-id | send nas-port-detail [mac-only] }
no radius-server attribute 31 { append-circuit-id | mac format | remote-id | send nas-port-detail [mac-only] }
Syntax Description
append-circuit-id
Appends the PPP over Ethernet (PPPoE) tag circuit ID and the Network Access Server (NAS) port ID to the Calling-Station-ID (attribute 31).
mac format
Specifies the format used to display the MAC address in the calling station ID.
default
Specifies the MAC address in the default format (0000.4096.3e4a).
ietf
Specifies the MAC address in the IETF format (00-00-40-96-3E-4A).
one-byte
Specifies the MAC address in a one-byte format (00.00.40.96.3e.4a).
three-byte
Specifies the MAC address in a three-byte format (000040.963e4a).
two-byte
Specifies the MAC address in a two-byte format (0000.4096.3e4a).
delimiter
Specifies the delimiter used in the MAC address.
colon
Specifies colon (:) as the delimiter in the MAC address (00:00:40:96:3e:4a).
dot
Specifies dot (.) as the delimiter in the MAC address (00.00.40.96.3e.4a).
hyphen
Specifies hyphen (-) as the delimiter in the MAC address (00-00-40-96-3e-4a).
unformatted
Specifies an unformatted MAC address (000040963e4a).
lower-case
(Optional) Specifies the MAC address in lower case.
upper-case
(Optional) Specifies the MAC address in upper case.
remote-id
Specifies the remote ID as the calling station ID in accounting records and access requests.
send nas-port-detail
Includes all NAS port details in the calling station ID.
mac-only
(Optional) Includes only the MAC address, if available, in the calling station ID.
Command Default
The Calling-Station-ID (attribute 31) information is not sent to the authentication, authorization, and accounting (AAA) server.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
12.2(31)SB2
This command was modified. The mac format, default, ietf, unformatted, send nas-port-detail, and mac-only keywords were added.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC.
15.0(1)M
This command was integrated into Cisco IOS Release 15.0(1)M.
Cisco IOS XE Release 3.7S
This command was integrated into Cisco IOS XE Release 3.7S. The one-byte, three-byte, two-byte, delimiter, colon, dot, hyphen, lower-case, and upper-case keywords were added.
Usage Guidelines
- Intelligent Services Gateway (ISG) RADIUS Proxy Sessions When the DHCP lease query is used, ISG RADIUS proxy receives both the MAC address and the Mobile Station Integrated Services Digital Network Number (MSISDN) as the Calling-Station-ID (attribute 31) option from the downstream device. Therefore, ISG RADIUS proxy must be configured to choose either the MAC address or the MSISDN as the calling station ID and send the ID to ISG accounting records. The following example shows how to specify the MAC address to be displayed in the IETF format:
Device(config)# radius-server attribute 31 mac format ietfThe following example shows how to allow the remote ID to be sent as the Calling-Station-ID:Device(config)# radius-server attribute 31 remote-idThe following example shows how to include NAS port details in the Calling-Station-ID:Device(config)# radius-server attribute 31 send nas-port-detailThe following example shows how to include only the MAC address, if available, in the Calling-Station-ID:Device(config)# radius-server attribute 31 send nas-port-detail mac-only
- PPP over ATM Sessions When you use the send nas-port-detail mac-only keyword, the calling station ID information is sent through access and accounting requests in the following format:
host.domain:vp_descr:vpi:vci
- PPP over Ethernet over ATM (PPPoEoA) Sessions When you use the send nas-port-detail mac-only keyword, the calling station ID information is sent through access and accounting requests in the following format:
host.domain:vp_descr:vpi:vciradius-server attribute nas-port-id include
To include DHCP option 60 and option 82 (that is, any combination of circuit ID, remote ID, and vendor-class ID) in the NAS-Port-ID to authenticate a user, use the radius-server attribute nas-port-id include command in global configuration mode. To return to the default behavior, use the no form of this command.
radius-server attribute nas-port-id include identifier1 [ plus identifier2 ] [ plus identifier3 ] [ separator separator ]
no radius-server attribute nas-port-id include
Syntax Description
identifier1,2,3
Identifier for authorization. Valid keywords are:
- circuit-id
- remote-id
- vendor-class-id
plus
(Optional) Separates identifiers if more than one is specified.
separator separator
(Optional) Symbol to be used for separating identifiers in accounting records and authentication requests. The symbol can be any alphanumeric character. The colon (:) is the default separator.
Command Default
The NAS-Port-ID is populated with the Intelligent Services Gateway (ISG) interface that received the DHCP relay agent information packet; for example, Ethernet1/0.
Command History
Release
Modification
12.2(33)SRD
This command was introduced.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
Usage Guidelines
When you use the radius-server attribute nas-port-id include command, you must specify at least one ID. You can use a single ID or any combination of the three, in any order. If you use more than one ID, use the pluskeyword between each pair as a separator.
The NAS-Port-ID is shown in the accounting records as it is specified in this command, with the plus keyword replaced by a separator. The colon (:) is the default separator.
When the NAS-Port-ID is selected as the identifier for authorization, the NAS-Port-ID is sent as part of the username in the authentication request. It is sent as specified in this command, preceded by the string “nas-port:”.
Examples
The following example shows an authentication request that specifies a circuit ID, a remote ID, and a vendor-class ID:
Router(config)# radius-server attribute nas-port-id include circuit-id plus remote-id plus vendor-class-idIf the circuit ID is “xyz”, the remote ID is “abc”, and the vendor-class ID is “123”, the NAS-Port-ID will be sent to the accounting records as “abc:xyz:123” and the username will be sent as “nas-port:abc:xyz:123” in the authentication request.
The following example shows an authentication request that specifies a circuit ID and a vendor-class ID and also specifies a separator, “#”:
Router(config)# radius-server attribute nas-port-id include circuit-id plus vendor-class-id separator #If the circuit ID is “xyz” and the vendor-class ID is “123”, the NAS-Port-ID will be sent to the accounting records as “xyz#123” and the username will be sent as “nas-port:xyz#123” in the authentication request.
re-authenticate do-not-apply
To prevent Intelligent Services Gateway (ISG) from applying data from reauthentication profiles to subscriber sessions, use the re-authenticate do-not-applycommand in RADIUS proxy server configuration or RADIUS proxy client configuration mode. To return to the default value, use the no form of this command.
Command Modes
RADIUS proxy server configuration (config-locsvr-proxy-radius)
RADIUS proxy client configuration (config-locsvr-radius-client)Usage Guidelines
The re-authenticate do-not-apply command prevents ISG from updating the subscriber session with data from a reauthentication profile. During the Extensible Authentication Protocol (EAP) authentication process, for example, ISG will not update the subscriber session with the user-name from the reauthentication profile if this command is configured.
This command can be configured globally for all RADIUS proxy clients, or it can be configured for specific clients. The client-specific configuration of this command overrides the global configuration.
Examples
The following example shows how to prevent ISG from applying reauthentication data to subscriber sessions, for all RADIUS proxy clients:
aaa server radius proxy re-authenticate do-not-applyredirect log translations
To enable the Layer 4 Redirect Logging feature for Intelligent Services Gateway (ISG), use the redirect log translations command in global configuration mode. To disable Layer 4 redirect logging, use the no form of this command.
Syntax Description
basic
Exports Layer 4 redirect translation event information using the basic template format.
extended
Exports Layer 4 translation event information using the extended template format, which includes additional debugging information.
exporter-name
Name of the flow exporter to use for exporting the logging information, as defined by the flow exporter command.
Usage Guidelines
The redirect log translations command allows ISG to export records for Layer 4 redirect translation events to an external collector. These records can be used to identify users with applications that do not react to HTTP redirect.
The name of the flow exporter specified for the exporter-name argument must be configured with the flow exporter command before using the redirect log translations command.
For a description of the fields included in the basic and extended template formats, see the “Configuring Layer 4 Redirect Logging” chapter in the Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S.
Examples
The following example shows that the flow exporter named L4R-EXPORTER is assigned as the exporter to use for logging redirect translations. There are two types of export templates for Layer 4 redirect logging: IPv4 and IPv6.
flow exporter L4R-EXPORTER destination 172.16.10.3 transport udp 90 ! ! redirect log translations basic exporter L4R-EXPORTERredirect server-group
To define a group of one or more servers that make up a named Intelligent Services Gateway (ISG) Layer 4 redirect server group, use the redirect server-group command in global configuration mode. To remove a redirect server group and any servers configured within that group, use the no form of this command.
Usage Guidelines
Use the redirect server-group command to define and name an ISG Layer 4 redirect server group. Packets sent upstream from an unauthenticated subscriber can be forwarded to the server group, which will deal with the packets in a suitable manner, such as routing them to a logon page. You can also use server groups to handle requests from authorized subscribers who request access to services to which they are not logged in and for advertising captivation.
After defining a redirect server group with the redirect server-group command, add individual servers to the server group by using the server ip command. The server group must contain at least one redirect server before it can be configured under a traffic class service.
The IP addresses of all the servers configured under a redirect group must be either IPv4 or IPv6. A mix of IPv4 and IPv6 redirect server addresses within the same server group is not supported.
Examples
The following example shows the configuration of a server group named PORTAL that contains two servers, both with an IPv4 address:
redirect server-group PORTAL server ip 10.2.36.253 port 80 server ip 10.76.86.83 port 81The following example shows the configuration of a server group named PORTAL2 that contains two servers, both with an IPv6 address:
redirect server-group PORTAL2 server ip 2001:DB8:C003:12::2918 port 8080 server ip 2001:DB8:1:1::26/64 port 8081Related Commands
Command
Description
redirect to (ISG)
Redirects ISG Layer 4 traffic to a specified server or server group.
server ip
Adds a server to an ISG Layer 4 redirect server group.
show redirect group
Displays information about ISG Layer 4 redirect server groups.
show redirect translations
Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.
redirect session-limit
To set the maximum number of Layer 4 redirects allowed for each Intelligent Services Gateway (ISG) subscriber session, use the redirect session-limitcommand in global configuration mode. To restore the default value, use the no form of this command.
Command History
Release
Modification
12.2(33)SB8
This command was introduced.
12.2(33)XNE1
This command was integrated into Cisco IOS Release 12.2(33)XNE1.
12.2(33)SRD4
This command was integrated into Cisco IOS Release 12.2(33)SRD4.
12.2(33)SRE1
This command was integrated into Cisco IOS Release 12.2(33)SRE1.
Cisco IOS XE Release 3.5S
This command was modified. Support for IPv6 sessions was added.
Cisco IOS XE Release 3.8S
This command was modified. The maximum-number argument was modified to support a maximum of 512 Layer 4 redirects.
Usage Guidelines
The redirect session-limit command limits the number of redirect translations that can be created by unauthenticated subscribers that are redirected to the server group.
The maximum number applies to both IPv4 and IPv6 single-stack sessions. For dual-stack sessions, this command limits the total translations per subscriber; IPv4 and IPv6 translations are added together.
Examples
The following example limits the number of L4 redirects to five for a single session:
Router(config)# redirect session-limit 5Related Commands
Command
Description
redirect server-group
Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.
redirect to (ISG)
Redirects ISG Layer 4 traffic to a specified server or server group.
show redirect translations
Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.
redirect to (ISG)
To redirect Intelligent Services Gateway (ISG) Layer 4 traffic to a specified server or server group, use the redirect to command in service policy-map class configuration mode. To disable redirection, use the no form of this command.
redirect to { group server-group-name | ip server-ip-address [ port port-number ] } [ duration seconds [ frequency seconds ] ]
no redirect to { group server-group-name | ip server-ip-address [ port port-number ] } [ duration seconds [ frequency seconds ] ]
Syntax Description
group server-group-name
Server group to which traffic will be redirected.
ip server-ip-address
IP address of the server to which traffic will be redirected.
port port-number
(Optional) Port number on the server to which traffic will be redirected.
duration seconds
(Optional) Amount of time, in seconds, for which traffic will be redirected, beginning with the first packet that gets redirected.
frequency seconds
(Optional) Period of time, in seconds, between redirect activations.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
12.2(33)SRE
This command was modified. It was removed from interface configuration mode.
Cisco IOS XE Release 2.5
This command was modified. It was removed from interface configuration mode.
Cisco IOS XE Release 3.5S
This command was modified. The server-ip-address argument accepts IPv6 addresses.
Usage Guidelines
The redirect to command redirects specified Layer 4 subscriber packets to servers that handle the packets in a specified manner.
A redirect server group is defined with the redirect server-group command. The server group must contain at least one redirect server, defined with the server ip command, before it can be configured under a traffic class service.
The ISG Layer 4 Redirect feature supports three types of redirection, which can be applied to subscriber sessions or to flows:
- Permanent redirection—Specified traffic is redirected to the specified server all the time.
- Initial redirection—Specified traffic is redirected for a specific duration of time only, starting from when the feature is applied.
- Periodic redirection—Specified traffic is periodically redirected. The traffic is redirected for a specified duration of time. The redirection is then suspended for another specified duration. This cycle is repeated.
This command can be configured only once under any traffic class service on the Cisco ASR 1000 Series Router.
Examples
The following example redirects Layer 4 traffic to the servers specified in server group “ADVT-SERVER”:
policy-map type service L4R-SERVICE class type traffic L4R-TC redirect to group ADVT-SERVERExamples
The following example configures ISG to redirect all traffic coming from the subscriber interface to 10.2.36.253. The destination port is left unchanged, so traffic to 10.10.10.10 port 23 is redirected to 10.2.36.253 port 23, and traffic to 10.4.4.4 port 80 is redirected to 10.2.36.253 port 80.
redirect to ip 10.2.36.253The following example configures ISG to redirect all traffic coming from the subscriber interface to 2001:DB8:C003:12::2918 port 80:
redirect to ip 2001:DB8:C003:12::2918 port 80Examples
The following example redirects all traffic to the servers configured in the server group “ADVT-SERVER” for the first 60 seconds of the session and then stops redirection for the rest of the lifetime of the session:
redirect to group ADVT-SERVER duration 60Examples
The following example redirects all traffic to server group “ADVT-SERVER” for 60 seconds, every 3600 seconds. That is, the traffic will be redirected for 60 seconds, and subsequently the redirection is suspended for 3600 seconds, after which redirection resumes again for 60 seconds, and so on.
redirect to group ADVT-SERVER duration 60 frequency 3600Related Commands
Command
Description
redirect server-group
Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.
server ip
Adds a server to an ISG Layer 4 redirect server group.
show redirect group
Displays information about ISG Layer 4 redirect server groups.
show redirect translations
Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.
server ip
To add a server to an Intelligent Services Gateway (ISG) Layer 4 redirect server group, use the server ip command in Layer 4 redirect server group configuration mode. To remove a server from a redirect server group, use the no form of this command.
Usage Guidelines
Use the server ip command in Layer 4 redirect server group configuration mode to add a server, defined by its IP address and TCP port, to a redirect server group. The server ip command can be entered more than once to add multiple servers to the server group.
ISG Layer 4 redirection provides nonauthorized users with access to controlled services. Packets sent upstream from an unauthenticated user are forwarded to the server group, which deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services to which they are not logged in.
Examples
The following example adds a server at IP address 10.0.0.0 and TCP port 8080 and a server at IP address 10.1.2.3 and TCP port 8081 to a redirect server group named “ADVT-SERVER”:
redirect server-group ADVT-SERVER server ip 10.0.0.0 port 8080 server ip 10.1.2.3 port 8081Related Commands
Command
Description
redirect server-group
Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.
redirect to (ISG)
Redirects ISG Layer 4 traffic to a specified server or server group.
show redirect group
Displays information about ISG Layer 4 redirect server groups.
show redirect translations
Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.
server-key
To configure the RADIUS key to be shared between a device and RADIUS clients, use the server-key command in dynamic authorization local server configuration mode. To remove this configuration, use the no form of this command.
Syntax Description
0
(Optional) An unencrypted key will follow.
7
(Optional) A hidden key will follow.
word
Unencrypted server key.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
Cisco IOS XE Release 2.6
This command was integrated into Cisco IOS XE Release 2.6.
Usage Guidelines
A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the server-key command to configure the key to be shared between the Intelligent Services Gateway (ISG) and RADIUS clients.
service (ISG)
To specify a network service type for PPP sessions, use the service command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.
action-number service { disconnect | local | vpdn }
no action-number service { disconnect | local | vpdn }
Syntax Description
action-number
Number of the action. Actions are executed sequentially within the policy rule.
disconnect
Disconnect the session.
local
Locally terminate the session.
VPDN
Virtual Private Dialup Network (VPDN) tunnel service.
Usage Guidelines
The servicecommand configures an action in a control policy map.
Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
service deny (ISG)
To deny network service to the Intelligent Services Gateway (ISG) subscriber session, use the service deny command in service policy-map configuration mode. To remove the configuration, use the no form of this command.
Usage Guidelines
The service deny command denies network service to subscriber sessions that use the service policy map.
service local (ISG)
To specify local termination service in an Intelligent Services Gateway (ISG) service policy map, use the service local command in service policy-map configuration mode. To remove the service, use the no form of this command.
Usage Guidelines
The service local command is used to configure local termination service in a service policy map defined with the policy-map type service command.
When you configure the service local command in a service policy map, you can also use the ip vrf forwarding command to specify the routing domain in which to terminate the session. If you do not specify the routing domain, the global virtual routing and forwarding instance (VRF) will be used.
Examples
The following example provides local termination service to subscriber sessions for which the “my_service” service policy map is activated:
! policy-map type service my_service service localRelated Commands
Command
Description
ip vrf forwarding (service policy map)
Associates the service with a VRF.
policy-map type service
Creates or modifies a service policy map, which is used to define an ISG service.
service vpdn group
Provides VPDN service.
vpdn-group
Associates a VPDN group with a customer or VPDN profile.
service relay (ISG)
To enable relay of PPPoE Active Discovery (PAD) messages over a Layer 2 Tunnel Protocol (L2TP) tunnel for an Intelligent Services Gateway (ISG) subscriber session, use the service relaycommand in service policy-map configuration mode. To disable message relay, use the no form of this command.
Syntax Description
pppoe
Provides relay service using PPP over Ethernet (PPPoE) using a virtual private dialup network (VPDN) L2TP tunnel for the relay.
vpdn group vpdn-group-name
Provides VPDN service by obtaining the configuration from a predefined VPDN group.
service vpdn group (ISG)
To provide virtual private dialup network (VPDN) service for Intelligent Services Gateway (ISG) subscriber sessions, use the service vpdn groupcommand in service policy-map configuration mode. To remove VPDN service, use the no form of this command.
Syntax Description
vpdn-group-name
Provides the VPDN service by obtaining the configuration from a predefined VPDN group.
Usage Guidelines
The service vpdn group command provides VPDN service by obtaining the configuration from a predefined VPDN group.
A service configured with the service vpdn group command (or corresponding RADIUS attribute) is a primary service.
service-monitor
To configure service monitoring for sessions on the Service Control Engine (SCE) that use the configured Intelligent Services Gateway (ISG) service, use the service-monitorcommand in service policy map configuration mode. To remove service monitoring, use the no form of this command.
Usage Guidelines
The service-monitor command is used with the policy-map type service command and must be configured together with the sg-service-type external-policy command.
service-policy
To attach a policy map to an input interface, a virtual circuit (VC), an output interface, or a VC that will be used as the service policy for the interface or VC, use the service-policy command in the appropriate configuration mode. To remove a service policy from an input or output interface or from an input or output VC, use the no form of this command.
service-policy [ type access-control ] { input | output } policy-map-name
no service-policy [ type access-control ] { input | output } policy-map-name
Cisco 10000 Series and Cisco 7600 Series Routers
service-policy [ history | { input | output } policy-map-name | type control control-policy-name ]
no service-policy [ history | { input | output } policy-map-name | type control control-policy-name ]
Syntax Description
type access-control
(Optional) Determines the exact pattern to look for in the protocol stack of interest.
input
Attaches the specified policy map to the input interface or input VC.
output
Attaches the specified policy map to the output interface or output VC.
policy-map-name
The name of a service policy map (created using the policy-map command) to be attached. The name can be a maximum of 40 alphanumeric characters in length.
history
(Optional) Maintains a history of quality of service (QoS) metrics.
type control control-policy-name
(Optional) Creates a Class-Based Policy Language (CPL) control policy map that is applied to a context.
Command Default
No service policy is specified. A control policy is not applied to a context. No policy map is attached.
Command Modes
ATM VC bundle configuration (config-atm-bundle)
ATM PVP configuration (config-if-atm-l2trans-pvp)
ATM VC configuration mode (config-if-atm-vc)
Ethernet service configuration (config-if-srv)
Global configuration (config)
Interface configuration (config-if)
Static maps class configuration (config-map-class)
ATM PVC-in-range configuration (cfg-if-atm-range-pvc)
Subinterface configuration (config-subif)
Command History
Release
Modification
12.0(5)T
This command was introduced.
12.0(5)XE
This command was integrated into Cisco IOS Release 12.0(5)XE.
12.0(7)S
This command was integrated into Cisco IOS Release 12.0(7)S.
12.0(17)SL
This command was implemented on the Cisco 10000 series routers.
12.1(1)E
This command was integrated into Cisco IOS Release 12.1(1)E.
12.1(2)T
This command was modified to enable low latency queueing (LLQ) on Frame Relay VCs.
12.2(14)SX
Support for this command was implemented on Cisco 7600 series routers. Support was added for output policy maps.
12.2(15)BX
This command was implemented on the ESR-PRE2.
12.2(17d)SXB
This command was implemented on the Supervisor Engine 2 and integrated into Cisco IOS Release 12.2(17d)SXB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(2)T
This command was modified. Support was added for subinterface configuration mode and for ATM PVC-in-range configuration mode to extend policy map functionality on an ATM VC to the ATM VC range.
12.4(4)T
The type stack and type control keywords were added to support flexible packet matching (FPM).
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB and implemented on the Cisco 10000 series router.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.3(7)XI2
This command was modified to support subinterface configuration mode and ATM PVC-in-range configuration mode for ATM VCs on the Cisco 10000 series router and the Cisco 7200 series router.
12.2(18)ZY
The type stack and type control keywords were integrated into Cisco IOS Release 12.2(18)ZY on the Catalyst 6500 series of switches equipped with the Programmable Intelligent Services Accelerator (PISA).
12.2(33)SRC
Support for this command was enhanced on Cisco 7600 series routers.
12.2(33)SB
This command was modified. The command was implemented on the Cisco 10000 series router for the PRE3 and PRE4.
Cisco IOS XE Release 2.3
This command was modified to support ATM PVP configuration mode.
12.4(18e)
This command was modified to prevent simultaneous configuration of legacy traffic-shaping and Cisco Modular QoS CLI (MQC) shaping on the same interface.
Cisco IOS XE Release 3.3S
This command was modified to support Ethernet service configuration mode.
Cisco IOS XE Release 3.5S
This command was modified. An error displays if you try to configure the service-policy input or service-policy output command when the ip subscriber interface command is already configured on the interface.
15.2(1)S
This command was modified to allow simultaneous nonqueueing policies to be enabled on subinterfaces.
Usage Guidelines
The table below shows which configuration mode to choose based on the intended use of the command.
Table 1 Configuration Modes Based on Command Application Application
Mode
Standalone VC
ATM VC submode
ATM VC bundle members
ATM VC Bundle configuration
A range of ATM PVCs
Subinterface configuration
Individual PVC within a PVC range
ATM PVC-in-range configuration
Frame Relay VC
Static maps class configuration
Ethernet services, Ethernet VCs (EVCs)
Ethernet service configuration
You can attach a single policy map to one or more interfaces or to one or more VCs to specify the service policy for those interfaces or VCs.
A service policy specifies class-based weighted fair queueing (CBWFQ). The class policies that make up the policy map are then applied to packets that satisfy the class map match criteria for the class.
Before you can attach a policy map to an interface or ATM VC, the aggregate of the configured minimum bandwidths of the classes that make up the policy map must be less than or equal to 75 percent (99 percent on the Cisco 10008 router) of the interface bandwidth or the bandwidth allocated to the VC.
Before you can enable low latency queueing (LLQ) for Frame Relay (priority queueing [PQ]/CBWFQ), you must first enable Frame Relay traffic shaping (FRTS) on the interface using the frame-relay traffic-shaping command in interface configuration mode. You then attach an output service policy to the Frame Relay VC using the service-policy command in Static maps class configuration mode.
To attach a policy map to an interface or ATM VC, the aggregate of the configured minimum bandwidths of the classes that make up the policy map must be less than or equal to 75 percent of the interface bandwidth or the bandwidth allocated to the VC. For a Frame Relay VC, the total amount of bandwidth allocated must not exceed the minimum committed information rate (CIR) configured for the VC less any bandwidth reserved by the frame-relay voice bandwidth or frame-relay ip rtp priority Static maps class configuration mode commands. If these values are not configured, the minimum CIR defaults to half of the CIR.
Configuring CBWFQ on a physical interface is possible only if the interface is in the default queueing mode. Serial interfaces at E1 (2.048 Mbps) and below use weighted fair queueing (WFQ) by default. Other interfaces use first-in first-out (FIFO) by default. Enabling CBWFQ on a physical interface overrides the default interface queueing method. Enabling CBWFQ on an ATM permanent virtual circuit (PVC) does not override the default queueing method.
When you attach a service policy with CBWFQ enabled to an interface, commands related to fancy queueing such as those pertaining to fair queueing, custom queueing, priority queueing, and Weighted Random Early Detection (WRED) are available using the modular quality of service CLI (MQC). However, you cannot configure these features directly on the interface until you remove the policy map from the interface.
NoteYou can modify a policy map attached to an interface or VC, changing the bandwidth of any of the classes that make up the map. Bandwidth changes that you make to an attached policy map are effective only if the aggregate of the bandwidth amount for all classes that make up the policy map, including the modified class bandwidth, is less than or equal to 75 percent of the interface bandwidth or the VC bandwidth. If the new aggregate bandwidth amount exceeds 75 percent of the interface bandwidth or VC bandwidth, the policy map is not modified.
After you apply the service-policy command to set a class of service (CoS) bit to an Ethernet interface, the policy remains active as long as there is a subinterface that is performing 8021.Q or Inter-Switch Link (ISL) trunking. Upon reload, however, the service policy is removed from the configuration with the following error message:
Process "set" action associated with class-map voip failed: Set cos supported only with IEEE 802.1Q/ISL interfaces.Simultaneous Nonqueueing QoS Policies
Beginning in Cisco IOS Release 15.2(1)S, you can configure simultaneous nonqueueing QoS policies on an ATM subinterface and ATM PVC, or on a Frame Relay (FR) subinterface and data-link connection identifier (DLCI). However, simultaneous queueing policies are still not allowed, because they create hierarchical queueing framework layer contention. If you try to configure simultaneous queueing policies, the policies are rejected and the router displays an error message.
NoteIf both the PVC or DLCI and subinterface policies are applied under the same subinterface, the policy under the PVC or DLCI takes precedence and the subinterface policy has no effect.
Cisco 10000 Series Router Usage Guidelines
The Cisco 10000 series router does not support applying CBWFQ policies to unspecified bit rate (UBR) VCs.
To attach a policy map to an interface or a VC, the aggregate of the configured minimum bandwidth of the classes that make up the policy map must be less than or equal to 99 percent of the interface bandwidth or the bandwidth allocated to the VC. If you attempt to attach a policy map to an interface when the sum of the bandwidth assigned to classes is greater than 99 percent of the available bandwidth, the router logs a warning message and does not allocate the requested bandwidth to all of the classes. If the policy map is already attached to other interfaces, it is removed from them.
The total bandwidth is the speed (rate) of the ATM layer of the physical interface. The router converts the minimum bandwidth that you specify to the nearest multiple of 1/255 (ESR-PRE1) or 1/65,535 (ESR-PRE2) of the interface speed. When you request a value that is not a multiple of 1/255 or 1/65,535, the router chooses the nearest multiple.
The bandwidth percentage is based on the interface bandwidth. In a hierarchical policy, the bandwidth percentage is based on the nearest parent shape rate.
By default, a minimum bandwidth guaranteed queue has buffers for up to 50 milliseconds of 256-byte packets at line rate, but not less than 32 packets.
For Cisco IOS Release 12.0(22)S and later releases, to enable LLQ for Frame Relay (priority queueing (PQ)/CBWFQ) on the Cisco 10000 series router, first create a policy map and then assign priority to a defined traffic class using the priority command. For example, the following sample configuration shows how to configure a priority queue with a guaranteed bandwidth of 8000 kb/s. In the example, the Business class in the policy map named “map1” is configured as the priority queue. The map1 policy also includes the Non-Business class with a minimum bandwidth guarantee of 48 kb/s. The map1 policy is attached to serial interface 2/0/0 in the outbound direction.
class-map Business match ip precedence 3 policy-map map1 class Business priority police 8000 class Non-Business bandwidth 48 interface serial 2/0/0 frame-relay encapsulation service-policy output map1On the PRE2, you can use the service-policy command to attach a QoS policy to an ATM subinterface or to a PVC. However, on the PRE3, you can attach a QoS policy only to a PVC.
Cisco 7600 Series Routers
The output keyword is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Do not attach a service policy to a port that is a member of an EtherChannel.
Although the CLI allows you to configure QoS based on policy feature cards (PFCs) on the WAN ports on the OC-12 ATM optical services modules (OSM) and on the WAN ports on the channelized OSMs, PFC-based QoS is not supported on the WAN ports on these OSMs. OSMs are not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 32.
PFC QoS supports the optional output keyword only on VLAN interfaces. You can attach both an input policy map and an output-policy map to a VLAN interface.
Cisco 10000 Series Routers Control Policy Maps
Activate a control policy map by applying it to a context. A control policy map can be applied to one or more of the following types of contexts, which are listed in order of precedence:
In general, control policy maps that are applied to more specific contexts take precedence over policy maps applied to more general contexts. In the list, the context types are numbered in order of precedence. For example, a control policy map that is applied to a permanent virtual circuit (PVC) takes precedence over a control policy map that is applied to an interface.
Control policies apply to all sessions hosted on the context. Only one control policy map can be applied to a given context.
Abbreviated Form of the service-policy Command
In Cisco IOS Release 12.2(33)SB and later releases, the router does not accept the abbreviated form (ser) of the service-policy command. Instead, you must spell out the command name service- before the router accepts the command. For example, the following error message displays when you attempt to use the abbreviated form of the service-policy command:
interface GigabitEthernet1/1/0 ser out ? % Unrecognized command ser ? % Unrecognized commandAs shown in the following example, when you enter the command as service- followed by a space, the router parses the command as service-policy. Entering the question mark causes the router to display the command options for the service-policy command.
service- ? input Assign policy-map to the input of an interface output Assign policy-map to the output of an interface type Configure CPL Service PolicyIn releases prior to Cisco IOS Release 12.2(33)SB, the router accepts the abbreviated form of the service-policy command. For example, the router accepts the following commands:
interface GigabitEthernet1/1/0 ser out testExamples
The following example shows how to attach a policy map to a Fast Ethernet interface:
interface fastethernet 5/20 service-policy input pmap1The following example shows how to attach the service policy map named “policy9” to DLCI 100 on output serial interface 1 and enables LLQ for Frame Relay:
interface Serial1/0.1 point-to-point frame-relay interface-dlci 100 class fragment map-class frame-relay fragment service-policy output policy9The following example shows how to attach the service policy map named “policy9” to input serial interface 1:
interface Serial1 service-policy input policy9The following example attaches the service policy map named “policy9” to the input PVC named “cisco”:
pvc cisco 0/34 service-policy input policy9 vbr-nt 5000 3000 500 precedence 4-7The following example shows how to attach the policy named “policy9” to output serial interface 1 to specify the service policy for the interface and enable CBWFQ on it:
interface serial1 service-policy output policy9The following example attaches the service policy map named “policy9” to the output PVC named "cisco":
pvc cisco 0/5 service-policy output policy9 vbr-nt 4000 2000 500 precedence 2-3Examples
The following example shows how to attach the service policy named “userpolicy” to DLCI 100 on serial subinterface 1/0/0.1 for outbound packets:
interface serial 1/0/0.1 point-to-point frame-relay interface-dlci 100 service-policy output userpolicy
NoteYou must be running Cisco IOS Release 12.0(22)S or a later release to attach a policy to a DLCI in this way. If you are running a release prior to Cisco IOS Release 12.0(22)S, attach the service policy as described in the previous configuration examples using the legacy Frame Relay commands, as shown in the example “how to attach the service policy map named “policy9” to DLCI 100 on output serial interface 1 and enable LLQ for Frame Relay”.
The following example shows how to attach a QoS service policy named “map2” to PVC 0/101 on the ATM subinterface 3/0/0.1 for inbound traffic:
interface atm 3/0/0 atm pxf queueing interface atm 3/0/0.1 pvc 0/101 service-policy input map2
NoteThe atm pxf queueing command is not supported on the PRE3 or PRE4.
The following example shows how to attach a service policy named “myQoS” to physical Gigabit Ethernet interface 1/0/0 for inbound traffic. VLAN 4, configured on Gigabit Ethernet subinterface 1/0/0.3, inherits the service policy of physical Gigabit Ethernet interface 1/0/0.
interface GigabitEthernet 1/0/0 service-policy input myQoS interface GigabitEthernet 1/0/0.3 encapsulation dot1q 4The following example shows how to apply the policy map named “policy1” to the virtual template named “virtual-template1” for all inbound traffic. In this example, the virtual template configuration also includes Challenge Handshake Authentication Protocol (CHAP) authentication and PPP authorization and accounting.
interface virtual-template1 ip unnumbered Loopback1 no peer default ip address ppp authentication chap vpn1 ppp authorization vpn1 ppp accounting vpn1 service-policy input policy1The following example shows how to attach the service policy map named “voice” to ATM VC 2/0/0 within a PVC range of a total of three PVCs and enable subinterface configuration mode where a point-to-point subinterface is created for each PVC in the range. Each PVC created as part of the range has the voice service policy attached to it.
configure terminal interface atm 2/0/0 range pvc 1/50 1/52 service-policy input voiceThe following example shows how to attach the service policy map named “voice” to ATM VC 2/0/0 within a PVC range, where every VC created as part of the range has the voice service policy attached to it. The exception is PVC 1/51, which is configured as an individual PVC within the range and has a different service policy named “data” attached to it in ATM PVC-in-range configuration mode.
configure terminal interface atm 2/0/0 range pvc 1/50 1/52 service-policy input voice pvc-in-range 1/51 service-policy input dataThe following example shows how to configure a service group named “PREMIUM-SERVICE” and apply the input policy named “PREMIUM-MARK-IN” and the output policy named “PREMIUM-OUT” to the service group:
policy-map type service PREMIUM-SERVICE service-policy input PREMIUM-MARK-IN service-policy output PREMIUM-OUTThe following example shows a policy map and interface configuration that supported simultaneous nonqueueing policies:
Policy-map p-map class c-map set mpls experimental imposition 4 interface ATM1/0/0.1 multipoint no atm enable-ilmi-trap xconnect 10.1.1.1 100001 encapsulation mpls service-policy input p-map pvc 1/41 l2transport no epd ! pvc 1/42 l2transport no epd ! pvc 1/43 l2transport no epd interface ATM1/0/0.101 multipoint no atm enable-ilmi-trap pvc 9/41 l2transport xconnect 10.1.1.1 1001011 encapsulation mpls service-policy input p-map ! pvc 10/41 l2transport xconnect 10.1.1.1 1001012 encapsulation mpls !The following example shows how to attach simultaneous nonqueueing QoS policies on an ATM subinterface and ATM PVC:
interface atm 1/0/0.101 pvc 9/41 service-policy input p-mapRelated Commands
Command
Description
class-map
Accesses QoS class-map configuration mode to configure QoS class maps.
frame-relay ip rtp priority
Reserves a strict priority queue on a Frame Relay PVC for a set of RTP packet flows belonging to a range of UDP destination ports,
frame-relay traffic-shaping
Enables both traffic shaping and per-virtual-circuit queueing for all PVCs and SVCs on a Frame Relay interface.
frame-relay voice bandwidth
Specifies the amount of bandwidth to be reserved for voice traffic on a specific DLCI.
ip subscriber interface
Creates an ISG IP interface session.
policy-map
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
priority
Gives priority to a class of traffic belonging to a policy map.
show policy-map
Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps.
show policy-map interface
Displays the configuration of all classes configured for all service policies on the specified interface or displays the classes for the service policy for a specific PVC on the interface.
traffic-shape rate
Enables traffic shaping for outbound traffic on an interface.
service-policy type control
To apply a control policy to a context, use the service-policy type control command in the appropriate configuration mode. To remove a control policy, use the no form of this command.
service-policy type control { policy-map-name | default [ def-policy-map-name ] }
no service-policy type control [ policy-map-name | default [ def-policy-map-name ] ]
Command Modes
Global configuration (config)
Interface configuration (config-if)
Subinterface configuration (config-subif)
Virtual template configuration (config-if)
ATM VC class configuration (config-vc-class)
ATM VC configuration (config-if-atm-vc)
Usage Guidelines
A control policy map must be activated by applying it to a context. A control policy map can be applied to one or more of the following types of contexts:
- Global
- Interface
- Subinterface
- Virtual template
- Virtual circuit (VC) class
- Permanent virtual circuit (PVC)
In the list above, the context types are numbered in the order of increasing precedence. Control policy maps that are applied to higher priority contexts take precedence over policy maps applied to more general contexts. For example, a control policy map that is applied to a PVC takes precedence over a control policy map that is applied to an interface.
Control policies apply to all sessions hosted in a context.
Only one control policy map can be applied to a given context.
service-policy type service
To activate an Intelligent Services Gateway (ISG) service, use the service-policy type service command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.
action-number service-policy type service [unapply] [ aaa list list-name ] { name service-name | identifier { authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username } }
no action-number service-policy type service [unapply] [ aaa list list-name ] { name service-name | identifier { authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username } }
Syntax Description
action-number
Number of the action. Actions are executed sequentially within the policy rule.
unapply
(Optional) Deactivates the specified service.
aaa
(Optional) Specifies that a AAA method list will be used to activate the service.
list list-name
(Optional) Activates the service using the specified authentication, authorization, and accounting (AAA) method list.
name service-name
Name of the service.
identifier
Activates a service that has the same name as the specified identifier.
authenticated-domain
Authenticated domain name.
authenticated-username
Authenticated username.
dnis
Dialed Number Identification Service number (also referred to as the called-party number ).
nas-port
Network access server (NAS) port identifier.
tunnel-name
VPDN tunnel name.
unauthenticated-domain
Unauthenticated domain name.
unauthenticated-username
Unauthenticated username.
Usage Guidelines
The service-policy type servicecommand configures an action in a control policy map. If you do not specify the AAA method list, the default method list will be used.
Note that if you use the default method list, the default list will not appear in the output of the show running-config command. For example, if you configure the following command:
Router(config-control-policymap-class-control)# 1 service-policy type service aaa list default identifier authenticated-domainthe following will display in the output for the show running-config command:
1 service-policy type service identifier authenticated-domainNamed method lists will display in the show running-config command output.
Services are configured in service profiles on the AAA server or in service policy maps on the router.
Examples
The following example configures an ISG control policy that will initiate authentication of the subscriber and then apply a service that has a name matching the subscriber’s authenticated domain name:
policy-map type control MY-RULE2 class type control MY-CONDITION2 event service-start 1 authenticate aaa list AUTHEN 2 service-policy type service aaa list SERVICE identifier authenticated-domainRelated Commands
Command
Description
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
policy-map type service
Creates or modifies a service policy map, which is used to define an ISG subscriber service.
session-identifier (ISG)
To correlate RADIUS server requests and identify a session in the Intelligent Services Gateway (ISG) RADIUS proxy, use the session-identifier command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To disable this function, use the no form of this command.
session-identifier { attribute number | vsa vendor id type number }
no session-identifier { attribute number | vsa vendor id type number }
Syntax Description
attribute
Specifies the calling station attribute of the session to be identified.
number
The attribute number. For example, attribute 1 denotes username.
vsa
Specifies the vendor-specific attribute (VSA) of the session to be identified.
vendor id
Specifies the vendor type and ID.
type number
Specifies the VSA type and number.
Command Modes
RADIUS proxy server configuration (config-locsvr-proxy-radius)
RADIUS proxy client configuration (config-locsvr-radius-client)Usage Guidelines
The ISG RADIUS proxy identifies a new session based on the calling station attributes. Usually, attribute 31 is used to identify the session for requests. However, it is possible that attribute 31 may not always be unique to identify the session. There are attributes such as username (RADIUS attribute 1), circuit-ID (RADIUS VSA), and so on, that could be used to identify the session and correlate RADIUS requests. By using the session-identifier command, you can configure the RADIUS proxy to accept other attributes or VSAs to identify the session in the RADIUS proxy and correlate requests from the downstream device. A downstream device is a device whose data is logged by a data recorder on a different node.
Examples
The following example shows how to configure the ISG to identify the session using the RADIUS VSA vendor type and correlate the requests for a RADIUS proxy client with IP address 10.0.0.16:
Router(config-locsvr-proxy-radius)# client 10.0.0.l6 255.255.255.0 Router(config-locsvr-radius-client)# session-identifier vsa vendor 12 type 123Related Commands
Command
Description
aaa server radius proxy
Enables ISG RADIUS proxy configuration mode, in which ISG RADIUS proxy parameters can be configured.
calling-station-id format
Specifies the format if the attribute of the calling station is attribute 31.
client ( ISG RADIUS proxy )
Enters ISG RADIUS proxy client configuration mode, in which client-specific RADIUS proxy parameters can be specified.
set-timer
To start a named policy timer, use the set-timer command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.
Syntax Description
action-number
Number of the action. Actions are executed sequentially within the policy rule.
name-of-timer
Name of the policy timer.
minutes
Timer interval, in minutes. Range is from 1 to 10100.
Usage Guidelines
The set-timercommand configures an action in a control policy map.
Expiration of a named policy timer generates the timed-policy-expiry event.
Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
Examples
The following example configures a policy timer called “TIMERA”. When TIMERA expires the service will be disconnected.
class-map type control match-all CONDE match timer TIMERA policy-map type type control RULEA class type control <some_cond> event session-start 1 set-timer TIMERA 1 class type control CONDE event timed-policy-expiry 1 service disconnectsgi beep listener
To enable Service Gateway Interface (SGI), use the sgi beep listener command in global configuration mode. To disable SGI, use the no form of this command.
Syntax Description
port
(Optional) TCP port on which to listen. The default is assigned by Internet Assigned Numbers Authority (IANA).
acl
(Optional) Applies an access control list (ACL) to restrict incoming client connections.
access-list
Name of the access list that is to be applied.
sasl
(Optional) Configures a Simple Authentication Security Layer (SASL) profile to use during the session establishment.
sasl-profile
Name of SASL profile being used during session establishment.
encrypt
(Optional) Configures transport layer security (TLS) for SGI.
trustpoint
Name of trustpoint being used by the TLS connection.
sg-service-group
To associate an Intelligent Services Gateway (ISG) service with a service group, use the sg-service-group command in service policy-map configuration mode. To remove the association, use the no form of this command.
Usage Guidelines
A service group is a grouping of services that may be active simultaneously for a given session. Typically, a service group includes one primary service and one or more secondary services.
Secondary services in a service group are dependent on the primary service and should not be activated unless the primary service is already active. Once a primary service has been activated, any other services that reference the same group may also be activated. Services that belong to other groups, however, can be activated only if they are primary. If a primary service from another service group is activated, all services in the current service-group will also be deactivated because they have a dependency on the previous primary service.
sg-service-type
To identify an Intelligent Services Gateway (ISG) service as primary or secondary, use the sg-service-type command in service policy-map configuration mode. To remove this specification, use the no form of this command.
Syntax Description
primary
Identifies the service as a primary service, which is a service that contains a network-forwarding policy.
secondary
Identifies the service as a secondary service, which is a service that does not contain a network-forwarding policy. This is the default.
Usage Guidelines
An ISG primary service is a service that contains a network-forwarding policy, such as a virtual routing or forwarding instance (VRF) or tunnel specification. A service must be identified as a primary service by using the sg-service-type primary command. Any service that is not a primary service is identified as a secondary service by default. In other words, the service policy map for a primary service must include a network-forwarding policy and the sg-service-type primary command. A secondary service must not include a network-forwarding policy, and inclusion of the sg-service-type secondary command is optional.
sg-service-type external policy
To identify an Intelligent Services Gateway (ISG) service as an external policy, use the sg-service-type external policycommand in service policy-map configuration mode. To remove this specification, use the no form of this command.
Command History
Release
Modification
12.2(33)SRC
This command was introduced.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Usage Guidelines
An external policy service type identifies a service as being provided by an external device. The external device is configured in a peering relationship with the ISG device via the aaa server radius policy-device command. The external device handles policies for user sessions that use the service.
show class-map type control
To display information about Intelligent Services Gateway (ISG) control class maps, use the show class-map type control command in privileged EXEC mode.
Usage Guidelines
Use the show class-map type control command to display information about ISG control class maps, including statistics on the number of times a particular class has been evaluated and what the results were.
Examples
The following example shows sample output for the show class-map type controlcommand:
Router# show class-map type control Condition Action Exec Hit Miss Comp --------- ------ ---- --- ---- ----The table below describes the significant fields shown in the display.
Table 2 show class-map type control Field Descriptions Field
Description
Exec
Number of times this line was executed.
Hit
Number of times this line evaluated to true.
Miss
Number of times this line evaluated to false.
Comp
Number of times this line completed the execution of its condition without a need to continue on to the end.
Related Commands
Command
Description
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
clear class-map type control
Clears the ISG control class map counters.
show policy-map type control
Displays information about ISG control policy maps.
show class-map type traffic
To display Intelligent Services Gateway (ISG) traffic class maps and their matching criteria, use the show class-map type traffic command in privileged EXEC mode.
Examples
The following example shows configuration of a traffic class-map and corresponding sample output for the show class-map type traffic command. The output is self-explanatory.
! access-list 101 permit ip any any access-list 102 permit ip any any ! class-map type traffic match-any PEER_TRAFFIC match access-group output 102 match access-group input 101 ! Router# show class-map type traffic Class-map: match-any PEER_TRAFFIC ------------------------------------------------------ Output: Extended IP access list 102 10 permit ip any any Input: Extended IP access list 101 10 permit ip any anyshow database data
To display information about an identity manager (IDMGR) database, use the show database datacommand in privileged EXEC mode.
Usage Guidelines
You can use the show database namescommand to get a list of database names. The show database data command displays information about the IDMGR for the specified database name.
Examples
The following are sample output from the show database data command:
Router# show database data IDMGR-Session-DB 2 Total records = 1 ------------------------------ Record 0 (key 1) session-handle = 88000002 aaa-unique-id = 0000000C composite-key = 00174574302F303A313A656E63617020646F74317120313030 authen-status = unauthen Router# show database data IDMGR-Service-DB 2 Total records = 1 ------------------------------ Record 0 (key 5) session-handle = 2E000004 service-name = PBHK idmgr-svc-key = 2E00000402000001 authen-status = unauthenThe table below describes the significant fields shown in the display.
show dwnld_mgr
To display information about the download manager, use the show dwnld_mgrcommand in privileged EXEC mode.
Syntax Description
AAA Unique ID
Specifies the Accounting, Authentication, and Authorization (AAA) unique ID from where the profiles are downloaded.
unique-ID
Unique ID of the AAA server.
all
Specifies all the profiles.
profiles
Specifies the global configuration profile.
name profile-name
Specifies the name of the global configuration profile.
Usage Guidelines
You can use the show dwnld_mgr command to view information about the download manager. The download manager is used to download global configuration profiles such as connectivity fault management (CFM) maintenance association (MA) profile for Programmable Ethernet. These profiles contain configuration information that is consumed by the client and then applied at the global level. These profiles are shared, that is, they are applied to multiple sessions. The download manager downloads and adds the shared profiles to the cache.
The download manager serves two primary functions:
Examples
The following is sample output from the show dwnld_mgr profiles all command:
Router# show dwnld_mgr profiles all ******************************************************* Name: itag:3000 Reference: 1 Notification Type: DM_NOTIFICATION_PER_REQUEST_NOT_CACHED Clients Waiting: F1000003, 0A6AD658, 0000000C ********************************************************The following is sample output from the show dwnld_mgr profiles namecommand:
Router# show dwnld_mgr profiles name itag:300 ******************************************************* Name: itag:3000 Reference: 1 Notification Type: DM_NOTIFICATION_PER_REQUEST_NOT_CACHED Clients Waiting: F1000003, 0A6AD658, 0000000C ********************************************************The table below describes the significant fields shown in the displays.
show idmgr
To display information related to the Intelligent Services Gateway (ISG) session identity, use the show idmgr command in privileged EXEC mode.
show idmgr { [ memory detailed component substring ] | service key session-handle session-handle service-key key-value | session key | aaa-unique-id aaa-unique-id-string | domainip-vrf ip-address ip-address vrf-id vrf-id | nativeip-vrf ip-address ip-address vrf-id vrf-id | portbundle ip ip-address bundle bundle-number | session-guid session-guid | session-handle session-handle-string | session-id session-id-string | circuit-id circuit-id | pppoe-unique-id pppoe-id | statistics }
Syntax Description
memory
Displays memory-usage information related to ID management.
detailed
(Optional) Displays detailed memory-usage information related to ID management.
component
(Optional) Displays information for the specified ID management component.
substring
(Optional) Substring to match the component name.
service key
Displays ID information for a specific service.
session-handle session-handle-string
Displays the unique identifier for a session.
service-key key-value
Displays ID information for a specific service.
session key
Displays ID information for a specific session and its related services.
aaa-unique-id aaa-unique-id-string
Displays the authentication, authorization, and accounting (AAA) unique ID for a specific session.
domainip-vrf ip-address ip-address
Displays the service-facing IP address for a specific session.
vrf-id vrf-id
Displays the VPN routing and forwarding (VRF) ID for the specific session.
nativeip-vrf ip-address ip-address
Displays the subscriber-facing IP address for a specific session.
portbundle ip ip-address
Displays the port bundle IP address for a specific session.
bundle bundle-number
Displays the bundle number for a specific session.
session-guid session-guid
Displays the global unique identifier for a session.
session-handle session-handle-string
Displays the session identifier for a specific session.
session-id session-id-string
Displays the session identifier used to construct the value for RADIUS attribute 44 (Acct-Session-ID).
circuit-id circuit-id
Displays the user session information in the ID Manager (IDMGR) database when you specify the unique circuit ID tag.
pppoe-unique-id pppoe-id
Displays the PPPoE unique key information in the ID Manager (IDMGR) database when you specify the unique PPPoE unique ID tag
statistics
Displays statistics related to storing and retrieving ID information.
Examples
The following sample output for the show idmgr command displays information about the service called “service”:
Router# show idmgr service key session-handle 48000002 service-key service session-handle = 48000002 service-name = service idmgr-svc-key = 4800000273657276696365 authen-status = authenThe following sample output for the show idmgr command displays information about a session and the service that is related to the session:
Router# show idmgr session key session-handle 48000002 session-handle = 48000002 aaa-unique-id = 00000002 authen-status = authen username = user1 Service 1 information: session-handle = 48000002 service-name = service idmgr-svc-key = 4800000273657276696365The following sample output for the show idmgr command displays information about the global unique identifier of a session:
Router# show idmgr session key session-guid 020202010000000C session-handle = 18000003 aaa-unique-id = 0000000C authen-status = authen interface = nas-port:0.0.0.0:2/0/0/42 authen-status = authen username = FortyTwo addr = 100.42.1.1 session-guid = 020202010000000C The following sample output for the show idmgr command displays information about the user session information in the ID Manager (IDMGR) database by specifying the unique circuit ID tag: Router# show idmgr session key circuit-id Ethernet4/0.100:PPPoE-Tag-1 session-handle = AA000007 aaa-unique-id = 0000000E circuit-id-tag = Ethernet4/0.100:PPPoE-Tag-1 interface = nas-port:0.0.0.0:0/1/1/100 authen-status = authen username = user1@cisco.com addr = 106.1.1.3 session-guid = 650101020000000E The session hdl AA000007 in the record is valid The session hdl AA000007 in the record is valid No service record foundThe table below describes the significant fields shown in the display.
Table 5 show idmgr Field Descriptions Field
Description
session-handle
Unique identifier of the session.
service-name
Service name for this session.
idmgr-svc-key
The ID manager service key of this session.
authen-status
Indicates whether the session has been authenticated or unauthenticated.
aaa-unique-id
AAA unique ID of the session.
username
The username associated with this session.
interface
The interface details of this session.
addr
The IP address of this session.
session-guid
Global unique identifier of this session.
show interface monitor
To display interface statistics that will be updated at specified intervals, use the show interface monitor command in user EXEC or privileged EXEC mode.
Usage Guidelines
The show interface monitor command allows you to monitor an interface by displaying interface statistics and updating those statistics at regular intervals. While the statistics are being displayed, the command-line interface will prompt you to enter “E” to end the display, “C” to clear the counters, or “F” to freeze the display.
Examples
The following example shows sample output for the show interface monitor command. The display will be updated every 10 seconds.
Router# show interface ethernet 0/0 monitor interval 10 Router Name: Scale3-Router8 Update Secs: 10 Interface Name: Ethernet 0/0 Interface Status: UP, line is up Line Statistics: Total: Rate(/s) Delta Input Bytes: 123456 123 7890 Input Packets: 3456 56 560 Broadcast: 1333 6 60 OutputBytes: 75717 123 1230 Output Packets: 733 44 440 Error Statistics: Total: Delta: Input Errors: 0 0 CRC Errors: 0 0 Frame Errors: 0 0 Ignored: 0 0 Output Errors: 0 0 Collisions: 0 0 No. Interface Resets: 2 End = e Clear = c Freeze = f Enter Command:The table below describes the significant fields shown in the display.
Table 6 show interface monitor Field Descriptions Field
Description
Line Statistics
Information about the physical line. The delta column indicates the difference between the current display and the display before the last update.
Input Bytes
Total number of bytes, including data and MAC encapsulation, in the error-free packets received by the system.
Input Packets
Total number of error-free packets received by the system.
Broadcast
Total number of broadcast or multicast packets received by the interface.
OutputBytes
Total number of bytes sent by the system.
Output Packets
Total number of packets sent by the system.
Error Statistics
Displays statistics about errors. The delta column indicates the difference between the current display and the display before the last update.
Input Errors
Includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts. Other input-related errors can also cause the input errors count to be increased, and some datagrams may have more than one error; therefore, this sum may not balance with the sum of enumerated input error counts.
CRC Errors
Cyclic redundancy checksum generated by the originating LAN station or far-end device does not match the checksum calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or the LAN bus itself. A high number of CRCs is usually the result of collisions or a station transmitting bad data.
Frame Errors
Number of packets received incorrectly having a CRC error and a noninteger number of octets. On a LAN, this is usually the result of collisions or a malfunctioning Ethernet device.
Ignored
Number of received packets ignored by the interface because the interface hardware ran low on internal buffers. Broadcast storms and bursts of noise can cause the ignored count to be increased.
Output Errors
Sum of all errors that prevented the final transmission of datagrams out of the interface from being examined. Note that this may not balance with the sum of the enumerated output errors, as some datagrams may have more than one error, and others may have errors that do not fall into any of the specifically tabulated categories.
Collisions
Number of messages transmitted because of an Ethernet collision. A packet that collides is counted only once in output packets.
No. Interface Resets
Number of times an interface has been completely reset. This can happen if packets queued for transmission were not sent within several seconds. On a serial line, this can be caused by a malfunctioning modem that is not supplying the transmit clock signal, or by a cable problem. If the system notices that the carrier detect line of a serial interface is up, but the line protocol is down, it periodically resets the interface in an effort to restart it. Interface resets can also occur when an interface is looped back or shut down.
show ip portbundle ip
To display information about a particular Intelligent Services Gateway (ISG) port bundle, use the show ip portbundle ip command in privileged EXEC mode.
Usage Guidelines
Use the show ip portbundle ip command to display the port mappings in a port bundle.
Examples
The following example is sample output for the show ip portbundle ip command:
Router# show ip portbundle ip 10.2.81.13 bundle 65 Portbundle IP address: 10.2.81.13 Bundlenumber: 65 Subscriber VRF: VRF2 Subscriber Portmappings: Subscriber IP: 10.0.0.2 Subscriber Port: 11019 Mapped Port: 1040The table below describes the significant fields shown in the display.
show ip portbundle status
To display a information about Intelligent Services Gateway (ISG) port-bundle groups, use the show ip portbundle status command in privileged EXEC mode.
Usage Guidelines
Use the show ip portbundle status command to display a list of port-bundle groups, port-bundle length, and the number of free and in-use port bundles in each group.
Examples
The following example is sample output for the show ip portbundle status command when issued with no keywords:
Router# show ip portbundle status Bundle-length = 4 Bundle-groups: - IP Address Free Bundles In-use Bundles 10.2.81.13 4031 1The table below describes the significant fields shown in the display.
Table 8 show ip portbundle status Field Descriptions Field
Description
Bundle-length
Number of ports per bundle and number of bundles per bundle group.
Bundle-groups
List of bundle groups.
IP Address
IP address of a bundle group.
Free Bundles
Number of free bundles in the specified bundle group.
In-use Bundles
Number of in-use bundles in the specified bundle group.
show ip subscriber
To display information about Intelligent Services Gateway (ISG) IP subscriber sessions, use the show ip subscriber command in user EXEC or privileged EXEC mode.
show ip subscriber [ interface interface-name [ detail | statistics ] | ip ip-address | mac mac-address | redundancy | static list list-name | statistics { arp | dangling } | [ vrf vrf-name ] [ dangling seconds ] [detail] ]
Syntax Description
Command History
Release
Modification
12.2(31)SB2
This command was introduced.
12.2(33)SRC
Support for this command was added on the Cisco 7600 series router.
Cisco IOS XE Release 2.2
This command was integrated into Cisco IOS XE Release 2.2.
12.2(33)SRE
This command was modified. The static and list keywords were added.
12.2(33)SRE1
This command was modified. The statistics and arp keywords were added.
Cisco IOS XE Release 3.4S
This command was modified. The output was enhanced to include information about IPv6 sessions.
Usage Guidelines
A session that is not fully established within a specified period of time is referred to as a dangling session. The show ip subscriber command can be used with the dangling keyword to display dangling sessions. The seconds argument allows you to specify how long the session can remain unestablished before it is considered dangling.
Examples
The following is sample output from the show ip subscriber command without any keywords:
Router# show ip subscriber Displaying subscribers in the default service vrf: Type Subscriber Identifier Display UID Status --------- ---------------------- ------------ ------ connected aaaa.1111.cccc [1] upThe following is sample output from the show ip subscriber command using the detail keyword. Detailed information is displayed about all the IP subscriber sessions associated with vrf1.
Router# show ip subscriber vrf vrf1 detail IP subscriber: 0000.0000.0002, type connected, status up display uid: 6, aaa uid: 17 segment hdl: 0x100A, session hdl: 0x96000005, shdb: 0xBC000005 session initiator: dhcp discovery access address: 10.0.0.3 service address: vrf1, 10.0.0.3 conditional debug flag: 0x0 control plane state: connected, start time: 1d06h data plane state: connected, start time: 1d06h arp entry: [vrf1] 10.0.0.3, Ethernet0/0 midchain adj: 10.0.0.3 on multiservice1 forwarding statistics: packets total: received 3542, sent 3538 bytes total: received 2184420, sent 1158510 packets dropped: 0, bytes dropped: 0The following is sample output from the show ip subscriber command using the list keyword. Detailed information is displayed about all the IP subscriber static sessions associated with the server list group called l1 on the 7600 series router.
Router# show ip subscriber static list l1 Total static sessions for list l1: 1, Total IF attached: 1 Interface: GigabitEthernet0/3, VRF: 0, 1The following is sample output from the show ip subscribercommand using the statistics arpkeywords:
Router# show ip subscriber statistics arp Current IP Subscriber ARP Statistics Total number of ARP reqs received : 27 ARP reqs received on ISG interfaces : 25 IP subscriber ARP reqs replied to : 1 Dst on ISG : 0 Src/Dst in same subnet : 0 IP subscriber ARP reqs ignored : 2 For route back to CPE : 2 For no routes to dest. : 0 Gratuitous : 0 Due to invalid src IP : 0 Due to other errors : 0 IP sub ARP reqs with default action : 24The table below describes the significant fields shown in the displays, in alphabetical order.
Table 9 show ip subscriber Field Descriptions Field
Description
Dst on ISG
Number of ARP requests that ISG replied to for a destination on ISG.
For route back to CPE
Number of ARP requests that ISG ignored because the destination IP address is on the same VLAN as the customer premises equipment (CPE).
For no routes to dest.
Number of ARP requests ignored by ISG because there was no route to the destination.
Gratuitous
Number of ARP requests ignored by ISG because they are gratuitous. A gratuitous ARP request is issued by a device for the sole purpose of keeping other devices informed of its presence on the network.
IP sub ARP reqs with default action
Number of ARP requests for which ISG performed no special action.
Src/Dst in same subnet
Number of ARP requests that ISG replied to that had a source and destination IP address in the same subnet.
Session initiator
Type of packet that initiated the subscriber session.
show ipv6 nd ra session
To display information about unicast IPv6 router advertisement (RA) sessions, use the show ipv6 nd ra session command in privileged EXEC mode.
Syntax Description
Command History
Usage Guidelines
Use the show ipv6 nd ra session command to display information about all unicast IPv6 RA sessions configured on a specific interface.
Examples
Device# show ipv6 nd ra session ethernet 0/0 Interface Ethernet0/0, owner 2A, sessions 4, started 4 * Session 1 3001::/64, flags C0, valid 1800, preferred 1800 * Session 2 3001:0:0:1::/64, flags C0, valid 1800, preferred 1800 * Session 3 3001:0:0:2::/64, flags C0, valid 1800, preferred 1800 * Session 4 3001:0:0:3::/64, flags C0, valid 1800, preferred 1800show platform isg session
To display the number of active Intelligent Services Gateway (ISG) subscriber sessions for a line card and the features applied on a session, use the show platform isg session command in privileged EXEC mode.
Usage Guidelines
The show platform isg session command displays the total number of active subscriber sessions on the line card and information about the features that are configured on a session. For example, QoS or SACL.
Examples
This example shows the output for all installed line cards:
Router# show platform isg session 15 0 detail if_num 14 va_if_num 0 pid 15 type IPSIP flags 0x0 state BOUND hvlan v1(vc) 1014 v2 1200 0 dbg off STATS(pkts, bytes) RX(0, 0) ctrl(0, 0) drop(0, 0) TX(0, 0) ctrl(0, 0) drop(0, 0) --------------------------------------------------======================================== TenGigabitEthernet4/2.1 - if_number 14 15 policymap pmap-brr1-parent dir Output np 1 port 0 pm_num 4 lookuptype 1 flowid 256 --------------------------------------------------- policymap pmap-brr1-parent classid 0 dfs classid 2 classmap config: cmap flags 0x6 feature flags 0x9 queue config: gqid/pgqid 4/2 police config: N/A marking config: N/A WRED config: N/A classmap instance: cfn statid 0 node handle: B,4,128 queue: fid0/fid1/sel/spl 128/128/0/0 statid: commit/excess/drop 1294464/1327232/1360000 policy pmap-brr1-parent classid 0 dfs classid 2 level 0 --------------------------------------------------------------- Statistics type Packet count Byte count queue: commit 0 0 excess 0 0 drop 0 0 cur depth 0 --------------------------------------------------- policymap pmap-brr-child1 classid 1 dfs classid 0 classmap config: cmap flags 0x4 feature flags 0x100 police config:cir/cbs: 50000000/1562500 pir/pbs: 0/1562500 clr/mef/algo: 0/0/1 0:XMIT, Mark , cosi_cos 0 cos_cosi 0 dscp 0/0 cos 0/0 cosi 0/0 exp_top 0/0 exp_imp 0/0 1:DROP, Mark , cosi_cos 0 cos_cosi 0 dscp 0/0 cos 0/0 cosi 0/0 exp_top 0/0 exp_imp 0/0 2:DROP, Mark , cosi_cos 0 cos_cosi 0 dscp 0/0 cos 0/0 cosi 0/0 exp_top 0/0 exp_imp 0/0 marking config: N/A WRED config: N/A classmap instance: cfn statid 508327 node handle: B,4,128 queue: fid0/fid1/sel/spl 128/128/0/0 statid: commit/excess/drop 1294464/1327232/1360000 police handle: np/index/type 1/1/fast tb 65697 statid: conform/exceed/violate 115116/115117/115118 POLICE profile[0] inuse 1 cir/cbs 50000000/1562500 pir/pbs 0/1562500 clr/mef/algo 0/0x0/1 [D]POLICE - index 0 cir/cbs: 6250000/1559756 pir/pbs: 0/0 clr/mef/algo: 0/0/1 policy pmap-brr-child1 classid 1 dfs classid 0 level 1 --------------------------------------------------------------- Statistics type Packet count Byte count classification 0 0 police: conform 0 0 exceed 0 0 violate 0 0 -- tcam index table result: 0x30000C001 0x0 0x0 0x0 flow hash table result: 0x7C1A70301000080 0x100000003 FLW-07C1A703 01000080 00000001 00000003 TM - Concat:NO, TMc:NO, Special_Q:NO, FID1:128, FID2:128 Flow Stat:508327, Plcr1 TB/Stat-1/3, Plcr2 TB/Stat-0/0 ---------------------------------------------- Level: 4 Index: 128 Child Index/Inuse: 65535/0 Flags: VHC PDL Wf M.WFQ 1020 QL 2/5-131072 norm WFQ level 4 index 0 weight 10 inuse 3 [D]WFQ - level:4, index:0 Weight Commit/Excess: 10/10 [D]Entity Param - level:4 index:128 Mode/Priority: Enabled/Normal Shape mode/factor: Unshaped/One Profiles- WRED/Scale:2/5 Shape:0 WFQ:0 -- Level: 3 Index: 16 Child Index/Inuse: 128/1 Flags: RHC PDL WfSh ServProf:1/flags/oh:---/0 SHAPE level 3 index 1 inuse 1 cir 800000000 cbs 80216064 pir 800000000 pbs 3211264 [D]SHAPE - level:3 index:1 bFS:0 cir:100000000 cbs:10027008 pir:100000000 pbs:401408 WFQ level 3 index 1 weight 81 inuse 1 [D]WFQ - level:4, index:33 Weight Commit/Excess: 81/1 [D]Entity Param - level:3 index:16 Mode/Priority: Enabled/Normal Shape mode/factor: Explicit/One Profiles- WRED/Scale:0/0 Shape:1 WFQ:33 -- Level: 2 Index: 0 Child Index/Inuse: 0/2 Flags: RHC I Wf SHAPE level 2 index 0 inuse 1 cir 9920000 cbs 1007616 pir 9920000 pbs 1007616 [D]SHAPE - level:2 index:0 bFS:0 cir:1240000 cbs:125952 pir:1240000 pbs:125952 WFQ level 2 index 0 weight 2 inuse 1 [D]WFQ - level:2, index:0 Weight Commit/Excess: 2/2 [D]Entity Topology - level:2 index:0Child First/Total:0/32 L34 mode:0 ServProf:0 [D]Entity Param - level:2 index:0 Mode/Priority: Enabled/Propagated Shape mode/factor: Unshaped/Half Profiles- WRED/Scale:0/0 Shape:0 WFQ:0 -- Level: 1 Index: 0 Child Index/Inuse: 0/1 Flags: RNC I Wf *** --------------------------------------------------- policymap pmap-brr-child1 classid 0 dfs classid 1 classmap config: cmap flags 0x4 feature flags 0x1000 police config: N/A marking config: on coso 1 WRED config: N/A classmap instance: cfn statid 508328 node handle: B,4,128 queue: fid0/fid1/sel/spl 128/128/0/0 statid: commit/excess/drop 1294464/1327232/1360000 policy pmap-brr-child1 classid 0 dfs classid 1 level 1 --------------------------------------------------------------- Statistics type Packet count Byte count classification 0 0 -- tcam index table result: 0x101300000000 0x400500000000 0x0 0x0 flow hash table result: 0x7C1A80301000080 0x0 FLW-07C1A803 01000080 00000000 00000000 TM - Concat:NO, TMc:NO, Special_Q:NO, FID1:128, FID2:128 Flow Stat:508328, Plcr1 TB/Stat-0/0, Plcr2 TB/Stat-0/0 ---------------------------------------------- Level: 4 Index: 128 Child Index/Inuse: 65535/0 Flags: VHC PDL Wf M.WFQ 1020 QL 2/5-131072 norm WFQ level 4 index 0 weight 10 inuse 3 [D]WFQ - level:4, index:0 Weight Commit/Excess: 10/10 [D]Entity Param - level:4 index:128 Mode/Priority: Enabled/Normal Shape mode/factor: Unshaped/One Profiles- WRED/Scale:2/5 Shape:0 WFQ:0 -- Level: 3 Index: 16 Child Index/Inuse: 128/1 Flags: RHC PDL WfSh ServProf:1/flags/oh:---/0 SHAPE level 3 index 1 inuse 1 cir 800000000 cbs 80216064 pir 800000000 pbs 3211264 [D]SHAPE - level:3 index:1 bFS:0 cir:100000000 cbs:10027008 pir:100000000 pbs:401408 WFQ level 3 index 1 weight 81 inuse 1 [D]WFQ - level:4, index:33 Weight Commit/Excess: 81/1 [D]Entity Param - level:3 index:16 Mode/Priority: Enabled/Normal Shape mode/factor: Explicit/One Profiles- WRED/Scale:0/0 Shape:1 WFQ:33 -- Level: 2 Index: 0 Child Index/Inuse: 0/2 Flags: RHC I Wf SHAPE level 2 index 0 inuse 1 cir 9920000 cbs 1007616 pir 9920000 pbs 1007616 [D]SHAPE - level:2 index:0 bFS:0 cir:1240000 cbs:125952 pir:1240000 pbs:125952 WFQ level 2 index 0 weight 2 inuse 1 [D]WFQ - level:2, index:0 Weight Commit/Excess: 2/2 [D]Entity Topology - level:2 index:0Child First/Total:0/32 L34 mode:0 ServProf:0 [D]Entity Param - level:2 index:0 Mode/Priority: Enabled/Propagated Shape mode/factor: Unshaped/Half Profiles- WRED/Scale:0/0 Shape:0 WFQ:0 -- Level: 1 Index: 0 Child Index/Inuse: 0/1 Flags: RNC I Wfshow platform isg session-count
To display the number of active Intelligent Services Gateway (ISG) subscriber sessions by line card, use the show platform isg session-count command in privileged EXEC mode.
Usage Guidelines
The show platform isg session-count command displays either the total number of active subscriber sessions on the router, with individual totals by line card, or it displays the details for an individual line card in a specific slot.
The Cisco 7600 router limits the number of supported subscriber sessions per line card and per router chassis. Use this command to monitor the number of currently active sessions to ensure that the following limits are not exceeded:
Examples
The following example shows the output for all installed line cards:
Router# show platform isg session-count all Total sessions per chassis : 8000 Slot Sess-count Max Sess-count ---- ---------- -------------- 5 8000 16000The following example shows the output for the ES+ line card in slot 5:
Router# show platform isg session-count 5 ES+ line card Sessions on a port-channel are instantiated on all member ports Port-group Sess-instance Max Sess-instance ---------- ------------- ----------------- Gig5/1-Gig5/5 4000 4000 Gig5/16-Gig5/20 4000 4000The table below describes the significant fields shown in the display, in alphabetical order.
Table 10 show platform isg session-count Field Descriptions Field
Description
Max Sess-count
Maximum number of sessions allowed per line card.
Max Sess-instance
Maximum number of session instances allowed per port group.
Port-group
Port numbers included in each port group.
Sess-count
Total number of active sessions per line card.
Sess-instance
Total number of session instances per port group.
Slot
Number of the router slot in which the card is installed.
Total sessions per chassis
Total number of sessions for all line cards on the router.
show policy-map type control
To display information about Intelligent Services Gateway (ISG) control policy maps, use the show policy-map type control command in privileged EXEC mode.
Usage Guidelines
Use the show policy-map type control command to display information about ISG control policies, including statistics on the number of times each policy-rule within the policy map has been executed
Examples
The following example shows sample output for the show policy-map type control command:
Router# show policy-map type control Rule: internal-rule-acct-logon Class-map: always event account-logon Action: 1 authenticate aaa list default Executed0 Key: "Exec" - The number of times this rule action line was executedshow policy-map type service
To displays the contents of Intelligent Services Gateway (ISG) service policy maps and service profiles and session-related attributes, use the show policy-map type service command in privileged EXEC mode.
Examples
The following example shows the configuration of a service profile called “prep_service” on a AAA server and the corresponding sample output for the show policy-map type service command.
Examples
Configuration of prep_service on simulator radius subscriber 8 authentication prep_service pap cisco idle-timeout 600 vsa cisco generic 1 string "traffic-class=input access-group 102"show processes cpu monitor
To display CPU utilization statistics that will be updated at specified intervals, use the show processes cpu monitor command in user EXEC or privileged EXEC mode.
Usage Guidelines
The show processes cpu monitor command allows you to monitor CPU utilization statistics by displaying updated statistics at regular intervals. While the statistics are being displayed, the command-line interface will prompt you to enter “E” to end the display or “F” to freeze the display.
Examples
The following example shows sample output for the show processes cpu monitor command:
Router# show processes cpu monitor CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 3 772 712 1084 0.08% 0.04% 0.02% 0 Exec 67 276 4151 66 0.08% 0.03% 0.01% 0 L2TP mgmt daemon 116 604 2263 266 0.16% 0.05% 0.01% 0 IDMGR CORE End = e Freeze = f Enter Command:The table below describes the significant fields shown in the display.
Table 12 show processes cpu monitor Field Descriptions Field
Description
CPU utilization for five seconds
CPU utilization for the last 5 seconds and the percentage of CPU time spent at the interrupt level.
one minute
CPU utilization for the last minute and the percentage of CPU time spent at the interrupt level.
five minutes
CPU utilization for the last 5 minutes and the percentage of CPU time spent at the interrupt level.
PID
Process ID.
Runtime(ms)
CPU time the process has used (in milliseconds).
Invoked
Number of times the process has been invoked.
uSecs
Microseconds of CPU time for each process invocation.
5Sec
CPU utilization by task in the last 5 seconds.
1Min
CPU utilization by task in the last minute.
5Min
CPU utilization by task in the last 5 minutes.
TTY
Terminal that controls the process.
Process
Name of the process.
show pxf cpu iedge
To display Parallel eXpress Forwarding (PXF) policy and template information, use the show pxf cpu iedgecommand in privileged EXEC mode.
show pxf cpu iedge [detail | policy policy-name | template]
Syntax Description
detail
(Optional) Displays detailed information about policies and templates.
policy policy-name
(Optional) Displays summary policy information.
template
(Optional) Displays summary template information.
show pxf cpu isg
To display Parallel eXpress Forwarding (PXF) Intelligent Services Gateway (ISG) policy and template information, use the show pxf cpu isgcommand in privileged EXEC mode.
show radius-proxy client
To display information about Intelligent Services Gateway (ISG) RADIUS proxy client devices, use the show radius-proxy client command in privileged EXEC mode.
Examples
The following is sample output from the show radius-proxy client ip-address command:
Device# show radius-proxy client 192.0.2.1 Configuration details for client 192.0.2.1 Shared secret: password1 Msg Auth Ignore: No Local auth port: 1812 Local acct port: 1813 Acct method list: SVC_ACCT Session Summary: RP ID IP Address 1. 3707764753 203.0.113.1 2. 4110417938 203.0.113.2The table below describes the significant fields shown in the display:
Table 13 show radius-proxy client ip-address Field Descriptions Field
Description
Shared secret
Shared secret between the ISG RADIUS proxy server and the client device.
Msg Auth Ignore
Indicates whether message-authenticator validation is performed for RADIUS packets coming from this client.
Local auth port
Port on which ISG listens for authentication packets from this client.
Local acct port
Port on which ISG listens for accounting packets from this client.
Acct method list
Method list to which the ISG RADIUS proxy client forwards accounting packets.
Session Summary
Summary of ISG sessions that are associated with the specified client device.
RP ID
ISG RADIUS proxy identifier for the session.
IP Address
IP address associated with the session.
show radius-proxy session
To display information about specific Intelligent Services Gateway (ISG) RADIUS proxy sessions, use the show radius-proxy session command in privileged EXEC mode.
show radius-proxy session { clid calling-line-ID | id radius-proxy-ID | ip ip-address [ vrf vrf-name ] }
Syntax Description
clid calling-line-ID
Displays information about the RADIUS proxy session associated with the specified calling line identifier (CLID).
id radius-proxy-ID
Displays information about a session associated with the specified RADIUS proxy ID.
ip ip-address
Displays information about the RADIUS proxy session associated with the specified IP address.
vrf vrf-name
(Optional) Displays information about the RADIUS proxy session associated with the specified virtual routing and forwarding (VRF) instance.
Note The vrf vrf-name keyword-argument is not supported in Cisco IOS Release 12.2(31)SB2.
Command History
Release
Modification
12.2(31)SB2
This command was introduced.
Cisco IOS XE Release 3.6S
This command was integrated into Cisco IOS XE Release 3.6S. The clid keyword was added.
Cisco IOS XE Release 3.7S
This command was modified. The output was enhanced to display information about disconnect timers for accounting stop and reauthentication failure.
Examples
The following is sample output from the show radius-proxy session id radius-proxy-ID command. The fields in the output are self-explanatory.
Device# show radius-proxy session id 1234567890 Session Keys: Caller ID: aaaa.bbbb.cccc Other Attributes: Username: username1 User IP: unassigned Called ID: Client Information: NAS IP: 192.0.2.1 NAS ID: localhost State Details: State: authenticated Timer: ip-address (timeout: 240s, remaining: 166s)The following sample output from the show radius-proxy session ip ip-address command displays details of the disconnect timer for accounting stop. The fields in the output are self-explanatory:
Device# show radius-proxy session ip 203.0.113.1 Session Keys: Calling-Station-Id:aaaa.bbbb.cccc Other Attributes: Caller ID: aaaa.bbbb.cccc Username: username1 User IP: 203.0.113.1 Called ID: Client Information: NAS IP: 192.0.2.1 NAS ID: localhost AP1 IP: 192.0.2.1 AP2 IP: 192.0.2.2 HOTSPOT IP: 192.0.2.1 State Details: State: activated Timer: none disconnect acct-stop (timeout: 150s, remaining: 143s)The following sample output from the show radius-proxy session ip ip-address command displays details of the disconnect timer for reauthentication failure. The fields in the output are self-explanatory:
Device# show radius-proxy session ip 203.0.113.1 Session Keys: Calling-Station-Id:aaaa.bbbb.cccc Other Attributes: Caller ID: aaaa.bbbb.cccc Username: username1 User IP: 203.0.113.1 Called ID: Client Information: NAS IP: 192.0.2.1 NAS ID: localhost AP1 IP: 192.0.2.1 AP2 IP: 192.0.2.2 HOTSPOT IP: 192.0.2.1 State Details: State: activated Timer: none disconnect reauth-fail (timeout: 150s, remaining: 143s)show redirect group
To display information about Intelligent Services Gateway (ISG) Layer 4 redirect server groups, use the show redirect group command in privileged EXEC mode.
Usage Guidelines
Use the show redirect translations command without the group-name argument to display information about all Layer 4 redirect server groups.
Examples
The following example shows sample output for the show redirect group command:
Router# show redirect group redirect-group-default Showing all servers of the group redirect-group-default Server created : using cli Server Port 10.30.81.22 8090Related Commands
Command
Description
redirect server-group
Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.
redirect to (ISG)
Redirects ISG Layer 4 traffic to a specified server or server group.
server (ISG)
Adds a server to an ISG Layer 4 redirect server group.
show redirect translations
Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.
show redirect translations
To display information about the Intelligent Services Gateway (ISG) Layer 4 redirect mappings for subscriber sessions, use the show redirect translations command in privileged EXEC mode.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
12.2(33)SB8
This command was modified. Information about the number of redirect translations was added to the output.
12.2(33)XNE1
This command was integrated into Cisco IOS Release 12.2(33)XNE1.
12.2(33)SRD4
This command was integrated into Cisco IOS Release 12.2(33)SRD4.
12.2(33)SRE1
This command was integrated into Cisco IOS Release 12.2(33)SRE1.
Cisco IOS XE Release 3.5S
This command was modified. The ipv4, ipv6, and verbose keywords were added.
Usage Guidelines
Use the show redirect translations command without the ip ip-address keyword and argument to display Layer 4 redirect mappings for all subscriber sessions.
Examples
The following is sample output from the show redirect translations command displaying information about each active redirect translation:
Router# show redirect translations Prot Destination IP/Port Server IP/Port TCP 10.0.1.2 23 10.0.2.2 23 TCP 10.0.1.2 23 10.0.2.2 23 TCP 10.0.1.2 23 10.0.2.2 23 Total Number of Translations: 3The following is sample output from the show redirect translations ipv6 command displaying information about each active IPv6 redirect translation:
Router# show redirect translations ipv6 Prot Destination IP/Port Server IP/Port TCP 2001:DB8:2222:1044::72 80 2001:DB8:C003:12::2918 8080 TCP 2001:DB8:2222:1044::73 80 2001:DB8:C003:12::2918 8080 Total Number of Translations: 5The following is sample output from the show redirect translations verbose command displaying additional information about each active redirect translation:
Router# show redirect translations verbose Prot Destination IP/Port Server IP/Port Source IP/Port InFlags OutFlags Timestamp TCP 10.1.0.1 80 10.10.0.1 8080 10.0.0.1 3881 - - 02/28/11 11:48:01 TCP 10.1.0.2 80 10.10.0.1 8080 10.0.0.1 3882 FIN - 02/28/11 11:50:01 TCP 10.1.0.4 80 10.10.0.1 8080 10.0.0.2 4002 - - 02/28/11 11:55:08 TCP 2001:DB8:2222:1044::72 80 2001:DB8:C003:12::2918 8080 2001:DB8:C003:13::2928 5001 SYN - 02/28/11 10:25:12 TCP 2001:DB8:2222:1044::73 80 2001:DB8:C003:12::2918 8080 2001:DB8:C003:13::2928 8002 - FIN 02/28/11 10:22:15 Total Number of Translations: 5The table below describes the significant fields shown in the display, in alphabetical order.
Table 14 show redirect translations Field Descriptions Field
Description
Destination IP/port
IP address and port number of the connection destination.
In Flags, Out Flags
TCP flags. For example, ACK, FIN, SYN, or Null.
Prot
Protocol used, either TCP or User Data Protocol (UDP).
Server IP/port
IP address and port number of the redirect server.
Total Number of Translations
Total number of active translations.
Related Commands
Command
Description
redirect server-group
Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.
redirect session-limit
Sets the maximum number of Layer 4 redirects allowed for each ISG subscriber session.
redirect to (ISG)
Redirects ISG Layer 4 traffic to a specified server or server group.
server ip (ISG)
Adds a server to an ISG Layer 4 redirect server group.
show redirect group
Displays information about ISG Layer 4 redirect server groups.
show sgi
To display information about current Service Gateway Interface (SGI) sessions or statistics, use the show sgi command in privileged EXEC mode.
Syntax Description
session
Displays information about the current SGI session.
statistics
Displays information about the current SGI statistics
Examples
The following example shows information about SGI sessions started and currently running, including the running state:
Router# show sgi session sgi sessions: open 1(max 10, started 15 session id:1;started at 9:08:05; state OPENThe following example shows statistical information about SGI and the SGI processes that have been started:
Router# show sgi statistics sgi statistics total messages received 45 current active messages 5; maximum active messages 7 total isg service requests 4 current active services 2; maximum active services 2 sgi process statistics process sgi handler 1 pid 95, cpu percent (last minute) 1, cpu runtime 10(msec), memory accocated 4200 (bytes)show ssm
To display Segment Switching Manager (SSM) information for switched Layer 2 segments, use the show ssmcommand in privileged EXEC mode.
show ssm { cdb | feature id [feature-id] | id | memory [ chunk variable { feature | queue | segment } | detail ] | segment id [segment-id] | switch id [switch-id] }
Syntax Description
cdb
Displays information about the SSM capabilities database.
feature id
Displays information about SSM feature settings.
feature-id
(Optional) Displays information for a specific feature ID.
id
Displays information for all SSM IDs.
memory
Displays memory usage information.
chunk variable
(Optional) Displays memory usage information for memory consumed by variable chunks.
feature
Displays information about memory consumed by the feature.
queue
Displays information about memory consumed by the queue.
segment
Displays information about memory consumed by the segment.
detail
(Optional) Displays detailed memory usage information.
segment id
Displays information about SSM segment settings.
segment-id
(Optional) Displays information for a specific SSM segment.
switch id
Displays information about SSM switch settings.
switch-id
(Optional) Displays information for a specific SSM switch ID.
Command History
Release
Modification
12.2(22)S
This command was introduced.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
Use the show ssm command to determine the segment ID for an active switched Layer 2 segment. The segment ID can be used with the debug condition xconnect command to filter debug messages by segment.
Examples
The following example shows sample output for the show ssm cdb command. The output for this command varies depending on the type of hardware being used.
Router# show ssm cdb Switching paths active for class SSS: ------------------------------------- |FR |Eth|Vlan|ATM|HDLC|PPP/AC|L2TP|L2TPv3|L2F|PPTP|ATM/AAL5|ATM/VCC| --------+---+---+----+---+----+------+----+------+---+----+--------+-------+ FR | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | Eth | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | Vlan | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | ATM |-/E|-/E|-/E |-/-|-/E | -/E |-/E | -/E |-/-|-/- | -/E | -/E | HDLC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | PPP/AC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | L2TP | E | E | E |E/-| E | E | E | -/- | E | E | E | E | L2TPv3 | E | E | E |E/-| E | E |-/- | E |-/-|-/- | E | E | L2F |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- | PPTP |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- | ATM/AAL5| E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | ATM/VCC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | ATM/VPC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | ATM/Cell| E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | AToM |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E | PPP |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- | PPPoE |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- | PPPoA |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- | Lterm |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- | TC |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- | IP-If |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- | IP-SIP |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- | VFI |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E | |ATM/Cell|AToM|PPP|PPPoE|PPPoA|Lterm|TC |IP-If|IP-SIP|VFI| --------+--------+----+---+-----+-----+-----+---+-----+------+---+ FR | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| Eth | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| Vlan | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| ATM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| HDLC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| PPP/AC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| L2TP | E |-/- | E | E | E | E |-/-| -/- | -/- |-/-| L2TPv3 | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| L2F | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-| PPTP | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-| ATM/AAL5| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| ATM/VCC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| ATM/VPC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| ATM/Cell| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| AToM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| PPP | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-| PPPoE | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-| PPPoA | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-| Lterm | -/- |-/- | E | E | E | E | E | E | E |-/-| TC | -/- |-/- |-/-| -/- | -/- | E | E | E | E |-/-| IP-If | -/- |-/- |-/-| -/- | -/- | E | E | E | -/- |-/-| IP-SIP | -/- |-/- |-/-| -/- | -/- | E | E | -/- | E |-/-| VFI | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| Switching paths active for class ADJ: ------------------------------------- |FR |Eth|Vlan|ATM|HDLC|PPP/AC|L2TP|L2TPv3|L2F|PPTP|ATM/AAL5|ATM/VCC| --------+---+---+----+---+----+------+----+------+---+----+--------+-------+ FR | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | Eth | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | Vlan | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | ATM |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E | HDLC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | PPP/AC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | L2TP |-/E|-/E|-/E |-/-|-/E | -/E | E | -/- |E/-|E/- | -/E | -/E | L2TPv3 | E | E | E |E/-| E | E |-/- | E |-/-|-/- | E | E | L2F |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- | PPTP |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- | ATM/AAL5| E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | ATM/VCC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | ATM/VPC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | ATM/Cell| E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | AToM |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E | PPP |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- | PPPoE |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- | PPPoA |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- | Lterm |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- | TC |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- | IP-If |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- | IP-SIP |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- | VFI |E/-| E | E |E/-|E/- | E/- |-/- | -/E |-/-|-/- | E | E | |ATM/Cell|AToM|PPP|PPPoE|PPPoA|Lterm|TC |IP-If|IP-SIP|VFI| --------+--------+----+---+-----+-----+-----+---+-----+------+---+ FR | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E| Eth | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E | Vlan | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E | ATM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E| HDLC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E| PPP/AC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E| L2TP | -/E |-/- |E/-| E/- | E/- | E/- |-/-| -/- | -/- |-/-| L2TPv3 | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| L2F | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| PPTP | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| ATM/AAL5| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E | ATM/VCC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E | ATM/VPC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E | ATM/Cell| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E | AToM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E| PPP | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| PPPoE | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| PPPoA | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| Lterm | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| TC | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| IP-If | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| IP-SIP | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| VFI | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| Key: '-' - switching type is not available 'R' - switching type is available but not enabled 'E' - switching type is enabled 'D' - switching type is disabledThe following example displays SSM output of the show ssm id command on a device with one active Layer 2 Tunnel Protocol Version 3 (L2TPv3) segment and one active Frame Relay segment. The segment ID field is shown in bold.
Router# show ssm id SSM Status: 1 switch Switch-ID 4096 State: Open Segment-ID: 8193 Type: L2TPv3[8] Switch-ID: 4096 Physical intf: Remote Allocated By: This CPU Class: SSS State: Active L2X switching context: Session ID Local 16666 Remote 54742 TxSeq 0 RxSeq 0 Tunnel end-point addr Local 10.1.1.2 Remote 10.1.1.1 SSS Info Switch Handle 0x98000000 Ciruit 0x1B19510 L2X Encap [24 bytes] 45 00 00 00 00 00 00 00 FF 73 B7 86 01 01 01 02 01 01 01 01 00 00 D5 D6 Class: ADJ State: Active L2X H/W Switching Context: Session Id Local 16666 Remote 54742 Tunnel Endpoint Addr Local 10.1.1.2 Remote 10.1.1.1 Adjacency 0x1513348 [complete] PW IP, Virtual3:16666 L2X Encap [24 bytes] 45 00 00 00 00 00 00 00 FF 73 B7 86 01 01 01 02 01 01 01 01 00 00 D5 D6 Segment-ID: 4096 Type: FR[1] Switch-ID: 4096 Physical intf: Local Allocated By: This CPU Class: SSS State: Active AC Switching Context: Se2/0:200 SSS Info - Switch Handle=0x98000000 Ckt=0x1B194B0 Interworking 0 Encap Len 0 Boardencap Len 0 MTU 1584 Class: ADJ State: Active AC Adjacency context: adjacency = 0x1513618 [complete] RAW Serial2/0:200Additional output displayed by this command is either self-explanatory or used only by Cisco engineers for internal debugging of SSM processes.
The following example shows sample output for the show ssm memory command:
Router# show ssm memory Allocator-Name In-use/Allocated Count ---------------------------------------------------------------------------- SSM CM API large segment : 208/33600 ( 0%) [ 1] Chunk SSM CM API medium segment : 144/20760 ( 0%) [ 1] Chunk SSM CM API segment info c : 104/160 ( 65%) [ 1] SSM CM API small segment : 0/19040 ( 0%) [ 0] Chunk SSM CM inQ interrupt msgs : 0/20760 ( 0%) [ 0] Chunk SSM CM inQ large chunk ms : 0/33792 ( 0%) [ 0] Chunk SSM CM inQ msgs : 104/160 ( 65%) [ 1] SSM CM inQ small chunk ms : 0/20760 ( 0%) [ 0] Chunk SSM DP inQ msg chunks : 0/10448 ( 0%) [ 0] Chunk SSM Generic CM Message : 0/3952 ( 0%) [ 0] Chunk SSM HW Class Context : 64/10832 ( 0%) [ 1] Chunk SSM ID entries : 144/11040 ( 1%) [ 3] Chunk SSM ID tree : 24/80 ( 30%) [ 1] SSM INFOTYPE freelist DB : 1848/2016 ( 91%) [ 3] SSM SEG Base : 240/34064 ( 0%) [ 2] Chunk SSM SEG freelist DB : 5424/5592 ( 96%) [ 3] SSM SH inQ chunk msgs : 0/5472 ( 0%) [ 0] Chunk SSM SH inQ interrupt chun : 0/5472 ( 0%) [ 0] Chunk SSM SW Base : 56/10920 ( 0%) [ 1] Chunk SSM SW freelist DB : 5424/5592 ( 96%) [ 3] SSM connection manager : 816/1320 ( 61%) [ 9] SSM seg upd info : 0/2464 ( 0%) [ 0] Chunk Total allocated: 0.246 Mb, 252 Kb, 258296 bytesshow subscriber default-session
To display information about Intelligent Services Gateway (ISG) subscriber default sessions, use the show subscriber default-session command in privileged EXEC mode.show subscriber policy dpm statistics
To display statistics for DHCP policy module (DPM) session contexts, use the show subscriber policy dpm statisticscommand in privileged EXEC mode.
Usage Guidelines
The show subscriber policy dpm statistics command displays cumulative information about the event traces that are captured for DPM session contexts. To clear the statistics, use the clear s ubscriber policy dpm statistics command.
Examples
The following is sample output from the show subscriber policy dpm statisticscommand.
Router# show subscriber policy dpm statistics Message Received Duplicate Ignored Total Discover Notification : 284 0 291 Offer Notification : 0 0 2 Address Assignment Notif : 2 0 2 DHCP Classname request : 0 290 290 Input Intf Override : 0 10 293 Lease Termination Notif : 0 0 2 Session Restart Request : 0 0 0 Response to DHCP request for classname Average Time : Max Time : MAC address for Max Time : Response to DHCP Offer Notification Average Time : 30ms Max Time : 36ms MAC address for Max Time : aaaa.2222.cccc Overall since last clear Total Discover Init Sessions : 2 Total Restarted Sessions : 0 Average set up time for Discover initiated sessions : 2s26ms Min set up time among Discover initiated sessions : 2s20ms Max set up time among Discover initiated sessions : 2s32ms Current active Sessions Total Discover Init Sessions : 0 Total Restarted Sessions : 0 Average set up time for Discover initiated sessions : Min set up time among Discover initiated sessions: 2s20ms Max set up time among Discover initiated sessions : MAC of session with Max DHCP Setup Time : aaaa.2222.cccc Total number of DPM contexts allocated : 7 Total number of DPM contexts freed : 6 Total number of DPM contexts currently without session : 1 Elapsed time since counters last cleared : 2h15m20sThe table below describes some of the fields shown in the sample output, in alphabetical order.
Table 15 show subscriber policy dpm statistics Field Descriptions Field
Description
Average set up time for Discover initiated sessions
Average amount of time that it took to set up a Discover initiated session, for overall sessions and currently active sessions.
Elapsed time since counters last cleared
Amount of time that has passed since the clear subscriber policy dpm statistics command was last used.
MAC of session with Max DHCP Setup Time
MAC address of the session with the longest DHCP setup time.
Max set up time among Discover initiated sessions
Amount of time that it took to set up the Discover initiated session with the longest setup time, for overall sessions and currently active sessions.
Message Received
Total number of messages that were received, by message type, and the number of messages that were duplicated or ignored.
Min set up time among Discover initiated sessions
Amount of time that it took to set up the Discover initiated session with the shortest setup time, for overall sessions and currently active sessions.
Overall since last clear
Cumulative statistics for all of the sessions that occurred since the last time the counters were cleared with the clear subscriber policy dpm statistics command.
Total Discover Init Sessions
Total number of Discover initiated sessions, for overall sessions and currently active sessions.
Total Restarted Sessions
Total number of sessions that were restarted, for overall sessions and currently active sessions.
show subscriber policy peer
To display the details of a subscriber policy peer, use the show subscriber policy peer command in user EXEC or privileged EXEC mode.
Usage Guidelines
PUSH mode or PULL mode is established when the peering relationship between the Intelligent Services Gateway (ISG) and Service Control Engine (SCE) devices is initiated. PUSH mode refers to the ISG device pushing out information to the SCE device about a new session. PULL mode refers to the SCE device requesting session identity when it first notices new unidentified traffic.
Only one SCE device in PUSH mode can be integrated with the ISG device. If another SCE device in PUSH mode requests a connection with the ISG device, a disconnect message is sent to the first SCE device that is in PUSH mode.
Examples
The following is sample output from the show subscriber policy peercommand.
Router# show subscriber policy peer all Peer IP: 10.1.1.3 Conn ID: 105 Mode: PULL State: ACTIVE Version: 1.0 Conn up time: 00:01:01 Conf keepalive: 0 Negotiated keepalive: 25 Time since last keepalive: 00:00:11 Inform owner on pull: TRUE Total number of associated sessions: 2 Associated session details: 1E010101000000A0 1E010101000000A1The table below describes some of the fields shown in the sample output.
show subscriber service
To display information about Intelligent Services Gateway (ISG) subscriber services, use the show subscriber service command in user EXEC or privileged EXEC mode.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7600 series router.
15.1(2)S
This command was modified. The name keyword and service-name argument were added.
Cisco IOS XE Release 3.3
This command was modified. The name keyword and service-name argument were added.
Usage Guidelines
If you enter the show subscriber service command without any keywords or arguments, information is displayed for all services on the ISG router.
Examples
The following example shows output from the show subscriber service command for a service named platinum:
Router# show subscriber service name platinum Service "Platinum": Profile name: Platinum, 4 references traffic-class "input access-group 102" policy-directive "authenticate aaa list PPP1" Class Id In: 00000002 Class Id Out: 00000003 Current Subscriber Information using service "Platinum": Total sessions: 1 Codes: lterm - Local Term, fwd - forwarded, unauth - unathenticated, authen - authenticated, TC Ct. - Number of Traffic Classes on the main session Uniq ID Interface State Service Up-time TC Ct. Identifier 1 IP auth lterm 19:32:05 2 jsmithThe following example shows output from the show subscriber service command using the name and detailed keywords:
Router# show subscriber service name platinum detailed Service "Platinum": Version 1: SVM ID : DC000001 Class Id In: 00000000 Class Id Out: 00000001 Locked by : SVM-Printer [1] Locked by : PM-Service [1] Locked by : PM-Info [1] Locked by : FM-Bind [1] Locked by : Accounting-Feature [1] Profile : 07703430 Profile name: Platinum, 3 references password <hidden> username "Platinum" accounting-list "default" Feature : Accounting Feature IDB type : Sub-if or not required Feature Data : 24 bytes: : 000000 00 00 DC 00 00 01 07 6F .......o : 000008 CB C8 00 00 04 0F 00 00 ........ : 000010 00 03 00 00 00 00 00 00 ........ Current Subscriber Information using service "Platinum" Total sessions: 1 Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen - authenticated, TC Ct. - Number of Traffic Classes on the main session Uniq ID Interface State Service Up-time TC Ct. Identifier 1 IP authen Lterm 00:26:02 1 jsmithThe table below describes the significant fields shown in the displays, in alphabetical order.
Table 17 show subscriber service Field Descriptions Field
Description
accounting-list
AAA method list to which accounting updates are sent.
Child ID
Identifier of the parent session.
Class Id In
Class identifier of the class used by the service in the input direction.
Class Id Out
Class identifier of the class used by the service in the output direction.
Parent ID
Identifier of the parent session.
policy-directive
Directive defined in the service profile to authenticate the service at the specified server.
SVM ID
Service manager identifier.
State
Indicates whether the session has been authenticated or is unauthenticated.
Total sessions
Number of main sessions on the ISG.
traffic-class
Traffic class used by the service.
Uniq ID
Unique session identifier.
show subscriber session
To display information about Intelligent Services Gateway (ISG) subscriber sessions, use the show subscriber session command in privileged EXEC mode.
show subscriber session [ identifier identifier | uid session-identifier | username username ] [ detailed | feature name | flow service service-name ]
Syntax Description
identifier identifier
(Optional) Displays information about subscriber sessions that match the specified identifier. Valid keywords and arguments are as follows:
- authenticated-domain domain-name—Displays information about sessions with the specified authenticated domain name.
- authenticated-username username—Displays information about sessions with the specified authenticated username.
- auto-detect—Displays information about sessions that use autodetect. (Authorization is performed on the basis of the circuit ID or remote ID.)
- dnis number—Displays information about sessions with the specified dialed number identification service (DNIS) number.
- mac-address mac-address—Displays information about sessions with the specified MAC address.
- source-ip-address ip-address subnet-mask—Displays information about sessions that are associated with the specified source IP address.
- timer name—Displays information about sessions that use the specified timer.
- tunnel-name name—Displays information about sessions that are associated with the specified VPDN tunnel.
- unauthenticated-domain domain-name—Displays information about sessions with the specified unauthenticated domain name.
- unauthenticated-username username—Displays information about sessions with the specified unauthenticated username.
- vrf vrf-name—Displays information about sessions with the specified VPN routing and forwarding (VRF) identifier.
uid session-identifier
(Optional) Displays information about sessions with the specified unique identifier.
username username
(Optional) Displays information about sessions that are associated with the specified username.
detailed
(Optional) Displays detailed information about sessions.
feature name
(Optional) Displays information about specific Layer 2 features installed on the parent session. To display feature names, use the question mark (?) online help function.
Valid keywords and arguments are as follows:
- access-list—Per-user access control list (ACL) feature
- accounting—Accounting feature
- compression—Compression feature
- filter—Per-user filter feature
- idle-timer—Idle timeout feature
- ip-config—IP configuration feature
- keepalive—Keepalive feature
- l4redirect—Layer 4 redirect (L4R) feature
- modem-on-hold—Modem-on-hold feature
- policing—Policing feature
- portbundle—Portbundle hostkey feature
- prepaid-absolute—Prepaid absolute timeout feature
- prepaid-idle—Prepaid idle timeout feature
- qos-peruser—Quality of service (QoS) policy map feature
- session-timer—Absolute timeout feature
- tariff-switching—Tariff switching feature
- time-monitor—Prepaid time monitor feature
- volume-monitor—Prepaid volume monitor feature
flow service service-name
(Optional) Displays detailed information about the specified flow service installed on the parent session.
Command Default
If you enter the command without any keywords or arguments, the output displays information about all sessions on the ISG device.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7600 series routers.
15.0(1)S
This command replaced the show sss session command.
15.1(2)S
This command was modified. The feature name and flow service service-name keyword-argument pairs were added. The output of the identifier, uid, and username keywords was enhanced to include classifier information.
Cisco IOS XE Release 3.3S
This command was modified. The feature name and flow service service-name keyword-argument pairs were added. The output of the identifier, uid, and username keywords was enhanced to include classifier information.
Cisco IOS XE Release 3.4S
This command was modified. The output was enhanced to include information about IPv6 sessions, and the tariff-switching keyword was added for the name argument in the feature keyword.
Cisco IOS XE Release 3.5S
This command was modified. The output of the detailed keyword was enhanced to include the IP address of sessions.
15.2(1)S
This command was modified. The output of the detailed and uid keywords was enhanced to indicate that the active L4R rules are unavailable when no policy rules exist in a subscriber session.
Cisco IOS XE Release 3.7S
This command was modified. The output of the detailed keyword was enhanced to include the RADIUS proxy ID of sessions.
Usage Guidelines
When an identifier is specified, the output displays only those sessions that match the identifier.
You must configure the policy-map type control policy-map-name command to display the following fields in the show subscriber session detailed command output:
Examples
The following is sample output from the show subscriber session command:
Device# show subscriber session Current Subscriber Information: Total sessions 1 Uniq ID Interface State Service Up-time TC Ct. Identifier 1 IP authen lterm 00:27:18 1 10.10.10.10 2 Vi3 authen lterm 00:09:04 1 rouble-pppoeThe following is sample output from the show subscriber session command with the uid and flow service keywords specifying the service named Service1:
Device# show subscriber session uid 1 flow service Service1 Codes: Class-id - Classification Identifier, Pri. - Priority -------------------------------------------------- Type: IP, UID: 1, Identity: user1, State: authen Session Up-time: 00:05:20, Last Changed: 00:04:56 Switch-ID: 4096 Service Name: Service1, Active Time = 00:05:20 Classifiers: Class-id Dir Packets Bytes Pri. Definition 3 Out 0 0 0 Match ACL 101 2 In 0 0 0 Match ACL 101 Features: L4 Redirect: Class-id Rule cfg Definition Source 2 #1 SVC to ip 10.0.2.2 Service1 Policing: Class-id Dir Avg. Rate Normal Burst Excess Burst Source 2 In 8000 1000 1000 Service1 3 Out 8000 1000 1000 Service1The following is sample output from the show subscriber session command with the uid and feature keywords specifying the accounting feature:
Device# show subscriber session uid 1 feature accounting Type: IP, UID: 1, Identity: user1, State: authen Session Up-time: 00:05:50, Last Changed: 00:05:26 Switch-ID: 4096 Features: Accounting: Class-id Dir Packets Bytes Source 0 In 1 100 Service3 1 Out 0 0 Service3The following is sample output from the show subscriber session command with the detailed keyword:
NoteThe Classifiers section is not displayed when the detailed keyword is used in the Cisco 7600 series routers.
Device# show subscriber session detailed Current Subscriber Information: Total sessions 1 -------------------------------------------------- Type: IP, UID: 1, Identity: user1, State: authen IPv4 Address: 192.168.2.1 Session Up-time: 00:04:51, Last Changed: 00:04:27 Switch-ID: 4096 Radius-Proxy ID: 4227858433 Policy information: Context 076B8F48: Handle 50000001 AAA_id 0000000C: Flow_handle 0 Authentication status: authen Downloaded User profile, excluding services: sub-qos-policy-in "QoSService1" sub-qos-policy-out "QoSService2" prepaid-config "default" Downloaded User profile, including services: accounting-list "default" username "Service1" traffic-class "output access-group 101" traffic-class "input access-group 101" l4redirect "redirect to ip 10.0.2.2" ssg-service-info "QU;8000;1000;1000;D;8000;1000;1000" sub-qos-policy-in "QoSService1" sub-qos-policy-out "QoSService2" prepaid-config "default" Config history for session (recent to oldest): Access-type: Web-service-logon Client: SM Policy event: Apply Config Success (Unapplied) (Service) Profile name: prep_service, 9 references traffic-class "input access-group 102" traffic-class "output access-group 102" Access-type: Web-user-logon Client: Account Command-Handler Policy event: Got More Keys Profile name: user1, 2 references sub-qos-policy-in "QoSService1" sub-qos-policy-out "QoSService2" prepaid-config "default" Access-type: Web-service-logon Client: SM Policy event: Apply Config Success (Unapplied) (Service) Profile name: prep_service, 9 references traffic-class "input access-group 102" traffic-class "output access-group 102" Access-type: Web-service-logon Client: SM Policy event: Apply Config Success (Unapplied) (Service) Profile name: prep_service, 9 references traffic-class "input access-group 102" traffic-class "output access-group 102" Access-type: IP Client: SM Policy event: Service Selection Request (Service) Profile name: prep_service, 9 references traffic-class "input access-group 102" traffic-class "output access-group 102" Access-type: IP Client: SM Policy event: Service Selection Request (Service) Profile name: Service1, 3 references password <hidden> username "Service1" traffic-class "output access-group 101" traffic-class "input access-group 101" l4redirect "redirect to ip 10.0.2.2" ssg-service-info "QU;8000;1000;1000;D;8000;1000;1000" Access-type: IP Client: SM Policy event: Service Selection Request (Service) Profile name: Service3, 3 references password <hidden> username "Service3" accounting-list "default" Active services associated with session: name "Service1", applied before account logon name "Service3", applied before account logon Rules, actions and conditions executed: subscriber rule-map RULEB condition always event session-start 1 service-policy type service name Service3 2 service-policy type service name Service1 3 service-policy type service name prep_service subscriber rule-map RULEB condition always event account-logon 1 authenticate aaa list PPP1 Classifiers: Class-id Dir Packets Bytes Pri. Definition 0 In 1 100 0 Match Any 1 Out 0 0 0 Match Any 2 In 0 0 0 Match ACL 101 3 Out 0 0 0 Match ACL 101 Features: IP Config: M=Mandatory, T=Tag, Mp=Mandatory pool Flags Peer IP Address Pool Name Interface 172.16.0.0 pool2 Lo0 :: pppv6_1 Lo0 QoS Policy Map: Class-id Dir Policy Name Source 0 In QoSService1 Peruser 1 Out QoSService2 Peruser Accounting: Class-id Dir Packets Bytes Source 0 In 1 100 Service3 1 Out 0 0 Service3 L4 Redirect: Class-id Rule cfg Definition Source 2 #1 SVC to ip 10.0.2.2 Service1 Policing: Class-id Dir Avg. Rate Normal Burst Excess Burst Source 2 In 8000 1000 1000 Service1 3 Out 8000 1000 1000 Service1 Configuration Sources: Type Active Time AAA Service ID Name SVC 00:04:51 - Service1 USR 00:04:27 - Peruser SVC 00:04:51 570425346 Service3 INT 00:04:51 - Ethernet0/0The following is sample output from the show subscriber session command with the detailed keyword when no policy rules exist in a subscriber session.
NoteThe message “No Active Installed Rules” under the L4 Redirect field header of the output is displayed only when no policy rules of the L4R feature exist in a subscriber session. If any L4R rules exist in any of the flow services of the session, the output displays the existing L4R rules.
Device# show subscriber session detailed Current Subscriber Information: Total sessions 1 -------------------------------------------------- Type: IP, UID: 1, Identity: user1, State: authen IPv4 Address: 192.68.2.1 Session Up-time: 00:04:51, Last Changed: 00:04:27 Switch-ID: 4096 Radius-Proxy ID: 4227858433 Policy information: Context 076B8F48: Handle 50000001 AAA_id 0000000C: Flow_handle 0 Authentication status: authen Downloaded User profile, excluding services: sub-qos-policy-in "QoSService1" sub-qos-policy-out "QoSService2" prepaid-config "default" Downloaded User profile, including services: accounting-list "default" username "Service1" traffic-class "output access-group 101" traffic-class "input access-group 101" l4redirect "redirect to ip 10.0.2.2" ssg-service-info "QU;8000;1000;1000;D;8000;1000;1000" sub-qos-policy-in "QoSService1" sub-qos-policy-out "QoSService2" prepaid-config "default" Config history for session (recent to oldest): Access-type: Web-service-logon Client: SM Policy event: Apply Config Success (Unapplied) (Service) Profile name: prep_service, 9 references traffic-class "input access-group 102" traffic-class "output access-group 102" Access-type: Web-user-logon Client: Account Command-Handler Policy event: Got More Keys Profile name: user1, 2 references sub-qos-policy-in "QoSService1" sub-qos-policy-out "QoSService2" prepaid-config "default" Access-type: Web-service-logon Client: SM Policy event: Apply Config Success (Unapplied) (Service) Profile name: prep_service, 9 references traffic-class "input access-group 102" traffic-class "output access-group 102" Access-type: Web-service-logon Client: SM Policy event: Apply Config Success (Unapplied) (Service) Profile name: prep_service, 9 references traffic-class "input access-group 102" traffic-class "output access-group 102" Access-type: IP Client: SM Policy event: Service Selection Request (Service) Profile name: prep_service, 9 references traffic-class "input access-group 102" traffic-class "output access-group 102" Access-type: IP Client: SM Policy event: Service Selection Request (Service) Profile name: Service1, 3 references password <hidden> username "Service1" traffic-class "output access-group 101" traffic-class "input access-group 101" l4redirect "redirect to ip 10.0.2.2" ssg-service-info "QU;8000;1000;1000;D;8000;1000;1000" Access-type: IP Client: SM Policy event: Service Selection Request (Service) Profile name: Service3, 3 references password <hidden> username "Service3" accounting-list "default" Active services associated with session: name "Service1", applied before account logon name "Service3", applied before account logon Rules, actions and conditions executed: subscriber rule-map RULEB condition always event session-start 1 service-policy type service name Service3 2 service-policy type service name Service1 3 service-policy type service name prep_service subscriber rule-map RULEB condition always event account-logon 1 authenticate aaa list PPP1 Classifiers: Class-id Dir Packets Bytes Pri. Definition 0 In 1 100 0 Match Any 1 Out 0 0 0 Match Any 2 In 0 0 0 Match ACL 101 3 Out 0 0 0 Match ACL 101 Features: L4 Redirect: Class-id Rule cfg Definition Source No Active Installed Rules. Portbundle Hostkey: Class-id IP address Bundle Number Source 0 10.5.1.1 65 service-pbhk Configuration Sources: Type Active Time AAA Service ID Name SVC 00:01:20 - l4redirect SVC 00:01:20 - service-pbhk INT 00:01:20 - GigabitEthernet0/1/0The following table describes the significant fields in alphabetical order, shown in the displays.
Table 18 show subscriber session Field Descriptions Field
Description
Class-id
Classification identifier in inbound and outbound directions.
Definition
Class definition for the match criteria.
Dir
Direction of the class, either in or out.
Identifier
Username that is used for authorization.
Interface
Interface displayed for main sessions. For traffic flows, the value “Traffic-Cl” is displayed.
Packets
Number of packets that are classified to a particular class.
Pri.
Configured priority of the class.
Rules, actions and conditions executed
Control policy rules, actions, and control class maps (conditions) that have been executed for the session.
Service
Signifies the network plumbing service. Possible values are:
State
Indicates whether the session is authenticated or unauthenticated.
Total sessions
Number of main sessions on the ISG.
Up-time
Duration (in hh:mm:ss format) for which the session is running.
Uniq ID
Unique session identifier.
show subscriber statistics
To display statistics about Intelligent Services Gateway (ISG) subscriber sessions, use the show subscriber statistics command in privileged EXEC mode.
Syntax Description
identifier identifier
(Optional) Displays information about subscriber sessions that match the specified identifier. Valid keywords and arguments are:
- authenticated-domain domain-name—Displays information about sessions with the specified authenticated domain name.
- authenticated-username username—Displays information about sessions with the specified authenticated username.
- auto-detect—Displays information about sessions that use auto-detect. (Authorization is performed on the basis of circuit ID or remote ID.)
- dnis number—Displays information about sessions with the specified Dialed Number Identification Service (DNIS) number.
- mac-address mac-address—Displays information about sessions with the specified MAC address.
- adapter adapter-number
- channel channel-number
- circuit-id circuit-identifier
- ipaddr ip-address
- port port-number
- remote-id shelf-number
- shelf shelf-number
- slot slot number
- sub-interface sub-interface-number
- type interface type
- vci virtual-channel-identifier
- vendor-class-id vendor-class-identifier
- vlan virtual-lan-id
- vpi virtual-path-identifier
- source-ip-address ip-address subnet-mask—Displays information about sessions associated with the specified source IP address.
- timer timer-name—Displays information about sessions that use the specified timer.
- tunnel-name tunnel-name—Displays information about sessions associated with the specified VPDN tunnel.
- unauthenticated-domain domain-name—Displays information about sessions with the specified unauthenticated domain name.
- unauthenticated-username username—Displays information about sessions with the specified unauthenticated username.
- vrf vrf-name—Displays information about sessions with the specified virtual routing and forwarding (VRF) identifier.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
12.2(33)SRC
This command was modified. Support for this command was implemented on the Cisco 7600 series router.
15.1(2)S
This command was integrated into Cisco IOS Release 15.1(2)S. The output was enhanced to display statistics onf flows and features.
Cisco IOS XE Release 3.3S
This command was integrated into Cisco IOS XE Release 3.3S. The output was enhanced to display statistics of flows and features.
Cisco IOS XE Release 3.7S
This command was modified. The output was enhanced to display statistics of lite sessions.
Usage Guidelines
If you enter the show subscriber statistics command without any keywords or arguments, statistics are displayed for all sessions on the ISG device.
Examples
The following is sample output from the show subscriber statistics command:
Device# show subscriber statistics Current Subscriber Statistics: Number of sessions currently up: 1 Number of sessions currently pending: 0 Number of sessions currently authenticated: 0 Number of sessions currently unauthenticated: 1 Highest number of sessions ever up at one time: 1 Mean up-time duration of sessions: 00:20:30 Total number of sessions up so far: 1 Mean call rate per minute: 0, per hour: 1 Number of sessions failed to come up: 0 Current Lite Session Statistics: Number of lite sessions currently up: 1 Number of lite sessions up so far: 2 Number of lite sessions converted to full session: 0 Number of lite sessions failed to convert to dedicated sessions: 0 Number of account logons failed to find lite sessions: 0 Mean call rate per minute: 0, per hour: 2 Number of lite session failed to come up: 0 PBHK zero: 0 Default Session not in Connected State 0 Current Flow Statistics: Number of flows currently up: 3 Highest number of flows ever up at one time: 3 Mean up-time duration of flows: 00:20:30 Number of flows failed to come up: 0 Total number of flows up so far: 3 Access type based session count: IP-Interface sessions = 1 Feature Installation Count: Direction Feature Name None Inbound Outbound Accounting 0 1 1 L4 Redirect 0 2 1 Policing 0 1 1 Portbundle Hostkey 0 1 0 SHDBs in use : 1 SHDBs allocated : 1 SHDBs freed : 0 SHDB handles associated with each client type Client Name Count =========== ======= LTerm 1 AAA 1 CCM 1 SSS FM 1 IP_IF 1 ISG Classifier 1 CCM Group 1 PM 1 PM cluster 0The table below describes the significant fields shown in the display:
Table 19 show subscriber statistics Field Descriptions Field
Description
Mean call rate per minute, per hour
Total number of sessions that have come up per minute and per hour since the device has been up or since the last statistics were cleared.
Current Flow Statistics
Statistics about flows installed on parent sessions.
Mean up-time duration of sessions
Mean amount of time for which a session is up across sessions.
Access type based session count
Number of PPP over Ethernet (PPPoE) and IP sessions.
Feature Installation Count
Names of features installed on parent sessions and the number of instances of each feature in the inbound, outbound, and non-data path direction.
show subscriber trace statistics
To display statistics about the event traces for Intelligent Services Gateway (ISG) subscriber sessions that were saved to the history log, use the show subscriber trace statisticscommand in user EXEC or privileged EXEC mode.
Usage Guidelines
The show subscriber trace statisticscommand displays cumulative statistics about the event traces that were saved to the history log when the subscriber trace history command is enabled. Individual statistics display for each of the modules. To clear the trace history logs, use the clear subscriber trace history command.
Examples
The following is sample output from the show subscriber trace statisticscommand, showing information for both the DPM and the PM.
Router# show subscriber trace statistics Event Trace History Statistics: DPM Logging enabled All time max records: 5 Max records: 5 Current records: 5 Current log size: 200 Proposed log size 200 Oldest, newest index: 0 : 4 Event Trace History Statistics: Policy Manager Logging enabled All time max records: 4 Max records: 4 Current records: 4 Current log size: 64 Proposed log size 64 Oldest, newest index: 0 : 3The table below describes some of the fields shown in the sample output, in the order in which they display.
Table 20 show subscriber trace statistics Field Descriptions Field
Description
Logging enabled/disabled
Displays whether history logging is enabled with the subscriber trace history command.
All time max records
Maximum number of trace records that were ever saved in this history log.
Max records
Number of trace records that were saved in this history log before it was last cleared.
Current records
Number of trace records that are currently saved in this history log.
Current log size
Number of trace records that can be saved in this history log.
Proposed log size
Number of records that can be saved to the history log as defined by the subscriber trace history command. This value becomes the current log size when the log is cleared with the clear subscriber trace historycommand.
Oldest, newest index
Oldest and newest indexes of the array that is used to store the records saved to the history log.
Related Commands
Command
Description
clear subscriber trace history
Clears the trace history log for ISG subscriber sessions.
show subscriber trace history
Displays the event traces for ISG subscriber sessions that are saved in the trace history log.
subscriber trace event
Enables event tracing for software components involved in ISG subscriber sessions.
subscriber trace history
Enables saving the event traces for ISG subscriber sessions to a history log.
show subscriber trace history
To display the event traces for Intelligent Services Gateway (ISG) subscriber sessions that are saved in the trace history log, use the show subscriber trace historycommand in user EXEC or privileged EXEC mode.
show subscriber trace history { all | dpm | pm } [ all | client-ip-address ip-address | mac-address mac-address | reason number | uid session-id ]
Syntax Description
all
Displays trace information for both the DHCP policy module (DPM) and the policy manager (PM).
dpm
Displays trace information for the DPM.
pm
Displays trace information for the PM.
all
(Optional) Displays all trace information. Output is not filtered based on the specific IP address, MAC address, reason, or unique ID.
client-ip-address ip-address
(Optional) Displays trace information for sessions that match the specified client IP address.
mac-address mac-address
(Optional) Displays trace information for sessions that match the specified client MAC address.
reason number
(Optional) Displays trace information for sessions that match the specified logging reason. Range: 1 to 6.
uid session-id
(Optional) Displays trace information for sessions that match the specified unique ID of the subscriber session. Range: 1 to 4294967295.
Usage Guidelines
Use the show subscriber trace history command, without any optional keywords, to display all session traces that are saved in the respective history log. To display the trace data for specific sessions, use one of the optional keywords for the IP address, MAC address, logging reason, or unique ID (UID). The router filters the output based on the keyword and displays only those traces that match the selected keyword.
Sessions that are marked as interesting, either because of an error or because the session failed, are saved to the trace history buffer if the subscriber trace history command is enabled. To clear the trace history logs, use the clear subscriber trace history command.
Examples
The following is sample output from the show subscriber trace historycommand with the client-ip-address keyword.
Router# show subscriber trace history dpm client-ip-address 10.0.0.2 DPM session info: 5CC14D0 MAC: aaaa.2222.cccc IP: 10.0.0.2 UID: 2 reason: PM callback to clear ========================= ET 11:46:03.959 PST Mon Aug 30 2010 PM invoke rc OK, Session-Start ET 11:46:03.959 PST Mon Aug 30 2010 dhcp discover rc OK,No Sess,sess alloc,sess-start OK ET 11:46:03.959 PST Mon Aug 30 2010 dhcp discover rc OK,proc prev req ET 11:46:03.959 PST Mon Aug 30 2010 dhcp get class rc no c-aware cfg ET 11:46:03.975 PST Mon Aug 30 2010 PM callback Got Keys, rc dhcp wait no cb,upd msi vrf=0,Case: GOT_KEYS ET 11:46:05.959 PST Mon Aug 30 2010 PM invoke rc OK, Session-Update ET 11:46:05.959 PST Mon Aug 30 2010 dhcp offer rc OK w delay,acc.if ret ET 11:46:05.983 PST Mon Aug 30 2010 PM callback Session Update Succes, rc offer cb no-err,notify stdby,Case: \ UPDATE_SUCCESS ET 11:46:05.987 PST Mon Aug 30 2010 dhcp discover rc OK,proc prev req ET 11:46:05.991 PST Mon Aug 30 2010 i-if change ,MAC ok,ignore: same i/f ET 11:46:05.995 PST Mon Aug 30 2010 dhcp assign OK rc same IP ET 11:56:52.743 PST Mon Aug 30 2010 PM invoke rc OK, Session-Stop ET 11:56:52.743 PST Mon Aug 30 2010 dhcp lease term rsn 4, rc OK ET 11:56:52.759 PST Mon Aug 30 2010 PM callback Terminate, rc end sess,Case: REQ_TERMINATEThe following is sample output from the show subscriber trace historycommand with the reason keyword.
Router# show subscriber trace history dpm reason 2 DPM session info: 5CC14D0 MAC: aaaa.2222.cccc IP: 10.0.0.2 UID: 2 reason: PM callback to clear ========================= ET 11:46:03.959 PST Mon Aug 30 2010 PM invoke rc OK, Session-Start ET 11:46:03.959 PST Mon Aug 30 2010 dhcp discover rc OK,No Sess,sess alloc,sess-start OK ET 11:46:03.959 PST Mon Aug 30 2010 dhcp discover rc OK,proc prev req ET 11:46:03.959 PST Mon Aug 30 2010 dhcp get class rc no c-aware cfg ET 11:46:03.975 PST Mon Aug 30 2010 PM callback Got Keys, rc dhcp wait no cb,upd msi vrf=0,Case: GOT_KEYS ET 11:46:05.959 PST Mon Aug 30 2010 PM invoke rc OK, Session-Update ET 11:46:05.959 PST Mon Aug 30 2010 dhcp offer rc OK w delay,acc.if ret ET 11:46:05.983 PST Mon Aug 30 2010 PM callback Session Update Succes, rc offer cb no-err,notify stdby,Case: \ UPDATE_SUCCESS ET 11:46:05.987 PST Mon Aug 30 2010 dhcp discover rc OK,proc prev req ET 11:46:05.991 PST Mon Aug 30 2010 i-if change ,MAC ok,ignore: same i/f ET 11:46:05.995 PST Mon Aug 30 2010 dhcp assign OK rc same IP ET 11:56:52.743 PST Mon Aug 30 2010 PM invoke rc OK, Session-Stop ET 11:56:52.743 PST Mon Aug 30 2010 dhcp lease term rsn 4, rc OK ET 11:56:52.759 PST Mon Aug 30 2010 PM callback Terminate, rc end sess,Case: REQ_TERMINATEThe following is sample output from the show subscriber trace history command with the all keyword. Note that this is the same output that displays if you use the show subscriber trace history dpm command, without any of the optional keywords.
Router# show subscriber trace history dpm all DPM session info: 5CC14D0 MAC: aaaa.2222.cccc IP: 10.0.0.2 UID: 2 reason: PM callback to clear ========================= ET 11:46:03.959 PST Mon Aug 30 2010 PM invoke rc OK, Session-Start ET 11:46:03.959 PST Mon Aug 30 2010 dhcp discover rc OK,No Sess,sess alloc,sess-start OK ET 11:46:03.959 PST Mon Aug 30 2010 dhcp discover rc OK,proc prev req ET 11:46:03.959 PST Mon Aug 30 2010 dhcp get class rc no c-aware cfg ET 11:46:03.975 PST Mon Aug 30 2010 PM callback Got Keys, rc dhcp wait no cb,upd msi vrf=0,Case: GOT_KEYS ET 11:46:05.959 PST Mon Aug 30 2010 PM invoke rc OK, Session-Update ET 11:46:05.959 PST Mon Aug 30 2010 dhcp offer rc OK w delay,acc.if ret ET 11:46:05.983 PST Mon Aug 30 2010 PM callback Session Update Succes, rc offer cb no-err,notify stdby,Case: \ UPDATE_SUCCESS ET 11:46:05.987 PST Mon Aug 30 2010 dhcp discover rc OK,proc prev req ET 11:46:05.991 PST Mon Aug 30 2010 i-if change ,MAC ok,ignore: same i/f ET 11:46:05.995 PST Mon Aug 30 2010 dhcp assign OK rc same IP ET 11:56:52.743 PST Mon Aug 30 2010 PM invoke rc OK, Session-Stop ET 11:56:52.743 PST Mon Aug 30 2010 dhcp lease term rsn 4, rc OK ET 11:56:52.759 PST Mon Aug 30 2010 PM callback Terminate, rc end sess,Case: REQ_TERMINATE DPM session info: 5CC1708 MAC: aaaa.2222.cccc IP: 0.0.0.0 UID: 3 reason: PM callback to clear ========================= ET 12:11:04.279 PST Mon Aug 30 2010 dhcp get class rc no c-aware cfg ET 12:12:17.351 PST Mon Aug 30 2010 i-if change ,MAC ok,ignore: same i/f ET 12:12:17.351 PST Mon Aug 30 2010 dhcp discover rc OK,proc prev req ET 12:12:17.351 PST Mon Aug 30 2010 dhcp get class rc no c-aware cfg ET 12:12:20.487 PST Mon Aug 30 2010 i-if change ,MAC ok,ignore: same i/f ET 12:12:20.487 PST Mon Aug 30 2010 dhcp discover rc OK,proc prev req ET 12:12:20.487 PST Mon Aug 30 2010 dhcp get class rc no c-aware cfg ET 12:12:24.503 PST Mon Aug 30 2010 i-if change ,MAC ok,ignore: same i/f ET 12:12:24.503 PST Mon Aug 30 2010 dhcp discover rc OK,proc prev req ET 12:12:24.503 PST Mon Aug 30 2010 dhcp get class rc no c-aware cfg ET 12:13:38.383 PST Mon Aug 30 2010 i-if change ,MAC ok,ignore: same i/f ET 12:13:38.383 PST Mon Aug 30 2010 dhcp discover rc OK,proc prev req ET 12:13:38.383 PST Mon Aug 30 2010 dhcp get class rc no c-aware cfg ET 12:13:41.719 PST Mon Aug 30 2010 i-if change ,MAC ok,ignore: same i/f ET 12:13:41.719 PST Mon Aug 30 2010 dhcp discover rc OK,proc prev req ET 12:13:41.719 PST Mon Aug 30 2010 dhcp get class rc no c-aware cfg ET 12:13:45.727 PST Mon Aug 30 2010 i-if change ,MAC ok,ignore: same i/f ET 12:13:45.727 PST Mon Aug 30 2010 dhcp discover rc OK,proc prev req ET 12:13:45.727 PST Mon Aug 30 2010 dhcp get class rc no c-aware cfg ET 12:13:59.475 PST Mon Aug 30 2010 PM callback Terminate, rc end sess,Case: REQ_TERMINATE DPM session info: 5CC1940 MAC: aaaa.2222.cccc IP: 0.0.0.0 UID: 4 reason: PM callback to clear ========================= . . . DPM session info: 5CC1B78 MAC: aaaa.2222.cccc IP: 0.0.0.0 UID: 5 reason: PM callback to clear ========================= . . . DPM session info: 5CC1DB0 MAC: aaaa.2222.cccc IP: 0.0.0.0 UID: 6 reason: PM callback to clear ========================= . . . PM session info: 5CBCE98 MAC: aaaa.2222.cccc IP: 0.0.0.0 UID: 3 reason: dangling session cleared ========================= ET 11:57:31.531 PST Mon Aug 30 2010 init request OLDST[0]:initial-req NEWST[0]:initial-req fxn[0]:sss_policy_invoke_service_sel FLAGS:0 ET 11:57:31.535 PST Mon Aug 30 2010 got apply config success OLDST[8]:wait-for-events NEWST[8]:wait-for-events fxn[3]:sss_pm_action_sm_req_apply_config_success FLAGS:2B7 PM session info: 5CBCFB0 MAC: aaaa.2222.cccc IP: 0.0.0.0 UID: 4 reason: dangling session cleared ========================= ET 12:14:59.467 PST Mon Aug 30 2010 init request OLDST[0]:initial-req NEWST[0]:initial-req fxn[0]:sss_policy_invoke_service_sel FLAGS:0 ET 12:14:59.475 PST Mon Aug 30 2010 got apply config success OLDST[8]:wait-for-events NEWST[8]:wait-for-events fxn[3]:sss_pm_action_sm_req_apply_config_success FLAGS:2B7 PM session info: 5CBD0C8 MAC: aaaa.2222.cccc IP: 0.0.0.0 UID: 5 reason: dangling session cleared ========================= ET 12:44:42.127 PST Mon Aug 30 2010 init request OLDST[0]:initial-req NEWST[0]:initial-req fxn[0]:sss_policy_invoke_service_sel FLAGS:0 ET 12:44:42.135 PST Mon Aug 30 2010 got apply config success OLDST[8]:wait-for-events NEWST[8]:wait-for-events fxn[3]:sss_pm_action_sm_req_apply_config_success FLAGS:2B7 PM session info: 5CBD1E0 MAC: aaaa.2222.cccc IP: 0.0.0.0 UID: 6 reason: dangling session cleared ========================= ET 13:14:24.983 PST Mon Aug 30 2010 init request OLDST[0]:initial-req NEWST[0]:initial-req fxn[0]:sss_policy_invoke_service_sel FLAGS:0 ET 13:14:24.991 PST Mon Aug 30 2010 got apply config success OLDST[8]:wait-for-events NEWST[8]:wait-for-events fxn[3]:sss_pm_action_sm_req_apply_config_success FLAGS:2B7The table below describes some of the significant fields shown in the sample output.
Table 21 show subscriber trace history Field Descriptions Field
Description
DPM session info
Unique identifier for the DPM context.
PM session info
Unique identifier for the PM context.
MAC
MAC address of the subscriber session.
IP
IP address of the subscriber session.
UID
Unique ID of the subscriber session.
reason
Reason that the event trace was logged to the history buffer.
Related Commands
Command
Description
clear subscriber trace history
Clears the trace history log for ISG subscriber sessions.
show subscriber trace statistics
Displays statistics about the event traces for ISG subscriber sessions that were saved to the history log.
subscriber trace history
Enables saving the event traces for ISG subscriber sessions to a history log.
show subscriber trace statistics
To display statistics about the event traces for Intelligent Services Gateway (ISG) subscriber sessions that were saved to the history log, use the show subscriber trace statisticscommand in user EXEC or privileged EXEC mode.
Usage Guidelines
The show subscriber trace statisticscommand displays cumulative statistics about the event traces that were saved to the history log when the subscriber trace history command is enabled. Individual statistics display for each of the modules. To clear the trace history logs, use the clear subscriber trace history command.
Examples
The following is sample output from the show subscriber trace statisticscommand, showing information for both the DPM and the PM.
Router# show subscriber trace statistics Event Trace History Statistics: DPM Logging enabled All time max records: 5 Max records: 5 Current records: 5 Current log size: 200 Proposed log size 200 Oldest, newest index: 0 : 4 Event Trace History Statistics: Policy Manager Logging enabled All time max records: 4 Max records: 4 Current records: 4 Current log size: 64 Proposed log size 64 Oldest, newest index: 0 : 3The table below describes some of the fields shown in the sample output, in the order in which they display.
Table 22 show subscriber trace statistics Field Descriptions Field
Description
Logging enabled/disabled
Displays whether history logging is enabled with the subscriber trace history command.
All time max records
Maximum number of trace records that were ever saved in this history log.
Max records
Number of trace records that were saved in this history log before it was last cleared.
Current records
Number of trace records that are currently saved in this history log.
Current log size
Number of trace records that can be saved in this history log.
Proposed log size
Number of records that can be saved to the history log as defined by the subscriber trace history command. This value becomes the current log size when the log is cleared with the clear subscriber trace historycommand.
Oldest, newest index
Oldest and newest indexes of the array that is used to store the records saved to the history log.
Related Commands
Command
Description
clear subscriber trace history
Clears the trace history log for ISG subscriber sessions.
show subscriber trace history
Displays the event traces for ISG subscriber sessions that are saved in the trace history log.
subscriber trace event
Enables event tracing for software components involved in ISG subscriber sessions.
subscriber trace history
Enables saving the event traces for ISG subscriber sessions to a history log.
show tech-support subscriber
To display device-state information for an Intelligent Services Gateway (ISG) subscriber to assist in troubleshooting, use the show tech-support subscriber command in privileged EXEC mode.
Command History
Usage Guidelines
The show tech-support subscriber command displays a large amount of configuration information about a Cisco device. The output can be used to troubleshoot an issue or be provided to a technical support representative when reporting a problem.
Tip
This command can generate a large amount of output. You may want to redirect the output to a file using the show <command> | redirect command syntax extension. Redirecting the output to a file also makes sending the output to your Cisco Technical Support representative easier.The output of the show tech-support subscriber command contains output from the following show commands, as listed in the order below:
- show clock
- show version
- show running-config
- show subscriber statistics
- show pppoe statistics
- show pppoe summary
- show ppp statistics
- show ppp summary
- show processes memory | include SSS
- show processes cpu | include SSS
The output of the show tech-support subscriber platform command contains output from the above show commands as well as the following show commands, as listed in the order below:
- show platform software status control-process brief
- show platform software subscriber counters
- show platform software subscriber template state
- show platform software subscriber template
- show platform software subscriber rp active counters
- show platform software subscriber rp active data-base summary
- show platform software subscriber rp active data-base template
- show platform software subscriber fp active counters
- show platform software subscriber fp active accounting
- show platform software subscriber fp active policing
- show platform software subscriber fp active l4redirect
- show platform software subscriber fp active portbundle
- show platform software subscriber fp active ffr
- show platform software subscriber fp active ipv6-accounting
- show platform software subscriber fp active template state
- show platform software subscriber fp active template
- show platform software object fp active stat
- show platform software object fp active object-type-count | exc _0_
- show platform software object fp active error-object
- show platform hardware qfp active feature subscriber state
- show platform hardware qfp active feature subscriber state ac
- show platform hardware qfp active feature subscriber state ipsub
- show platform hardware qfp active feature subscriber state ipsub template
- show platform hardware qfp active feature subscriber state l2tp
- show platform hardware qfp active feature subscriber state l2tpv3
- show platform hardware qfp active feature subscriber state pppoe
- show platform hardware qfp active feature subscriber state pppoa
- show platform hardware qfp active feature subscriber state feature
- show platform hardware qfp active feature subscriber state feature accounting
- show platform hardware qfp active feature subscriber state feature policing
- show platform hardware qfp active feature subscriber state feature l4redirect
- show platform hardware qfp active feature subscriber state feature portbundle
- show platform hardware qfp active feature subscriber state feature ffr
- show platform hardware qfp active feature subscriber state feature tc
- show platform hardware qfp active class class statistics | exc _0_
- show platform hardware qfp active class class class client tc all
- show platform hardware qfp active tcam resource-manager usage
- show platform hardware qfp active infra shared-memory all
- show platform hardware qfp act infra exmem statistics
- show platform hardware qfp act infra exmem statistics user
- show platform hardware qfp act infra punt stat type per-cause | exc _0_
- show platform hardware qfp act infra punt stat type global-drop | exc _0_
- show platform hardware qfp act infra punt stat type inject-drop | exc _0_
- show platform hardware qfp act infra punt stat type punt-drop | exc _0_
- show platform hardware qfp act stat drop
- show platform hardware qfp act datapath util summary
Examples
The following is sample output from the show tech-support subscriber command:
Device# show tech-support subscriber | inc show ------------------ show clock ------------------ *17:35:23.481 EDT Thu Feb 21 2013 ------------------ show version ------------------ ------------------ show running-config ------------------ . . . aaa authentication login default none aaa authentication ppp default local aaa authorization network default local aaa authorization network AAA_METHOD group AUTH_SG local aaa authorization subscriber-service default local aaa accounting network AAA_METHOD start-stop group FREERAD ! ! aaa server radius proxy key <removed> session-identifier attribute 31 accounting port 6618 client 10.0.0.1 ! ! ! . . . subscriber service multiple-accept subscriber authorization enable service-policy type control LOGON_RULE_PASS ! . . . interface GigabitEthernet0/0/2.44 encapsulation dot1Q 44 ip address 10.0.0.2 255.0.0.0 service-policy type control LOG_TC_4 ip subscriber routed initiator unclassified ip-address ! . . . ------------------ show sss tech-support ------------------ ------------------ show subscriber statistics ------------------ . . . Current Subscriber Statistics: Number of sessions currently up: 1 Number of sessions currently pending: 0 Number of sessions currently authenticated: 0 Number of sessions currently unauthenticated: 1 Highest number of sessions ever up at one time: 1 Mean up-time duration of sessions: 1d20h Total number of sessions up so far: 1 Mean call rate per minute: 0, per hour: 0 Number of sessions failed to come up: 0 . . . ------------------ show pppoe statistics ------------------ ------------------ show pppoe summary ------------------ ------------------ show ppp statistics ------------------ ------------------ show ppp summary ------------------ ------------------ show processes memory | include SSS ------------------ ------------------ show processes cpu | include SSS ------------------The following is sample output from the show tech-support subscriber platform command:
Device# show tech-support subscriber platform | inc show ------------------ show clock ------------------ ------------------ show version ------------------ ------------------ show running-config ------------------ ------------------ show sss tech-support ------------------ ------------------ show subscriber statistics ------------------ ------------------ show pppoe statistics ------------------ ------------------ show pppoe summary ------------------ ------------------ show ppp statistics ------------------ ------------------ show ppp summary ------------------ ------------------ show processes memory | include SSS ------------------ ------------------ show processes cpu | include SSS ------------------ -------- show platform software status control-process brief -------- -------- show platform software subscriber counters -------- -------- show platform software subscriber template state -------- Templating is turned OFF, 0 templates, 0 sessions -------- show platform software subscriber template -------- Templating is turned OFF, 0 templates, 0 sessions -------- show platform software subscriber rp active counters -------- -------- show platform software subscriber rp active data-base summary -------- -------- show platform software subscriber rp active data-base template -------- -------- show platform software subscriber fp active counters -------- -------- show platform software subscriber fp active accounting -------- Subscriber Accounting records: Total : 3 Segment Class Id In/Out EVSI QFP Hdl AOM State ------------------------------------------------------------------------ 0x0102001000001004 2/3 16908305 148 created 0x0102001000001004 4/5 16908306 149 created 0x0102001000001004 6/7 16908307 150 created -------- show platform software subscriber fp active policing -------- -------- show platform software subscriber fp active l4redirect -------- -------- show platform software subscriber fp active portbundle -------- -------- show platform software subscriber fp active ffr -------- -------- show platform software subscriber fp active ipv6-accounting -------- -------- show platform software subscriber fp active template state -------- -------- show platform software subscriber fp active template -------- -------- show platform software object fp active stat -------- -------- show platform software object fp active object-type-count | exc _0_ -------- -------- show platform software object fp active error-object -------- -------- show platform hardware qfp active feature subscriber state -------- -------- show platform hardware qfp active feature subscriber state ac -------- -------- show platform hardware qfp active feature subscriber state ipsub -------- Subscriber IPSUB State: Current number of IP L2/Routed session: 1 Current number of IP Interface session: 0 IPSUB L2 Session Lookup Depth: Distribution: 100% QFP Number 0: ipsub_dbg_cfg: 0x00000000 -------- show platform hardware qfp active feature subscriber state ipsub template -------- -------- show platform hardware qfp active feature subscriber state l2tp -------- -------- show platform hardware qfp active feature subscriber state l2tpv3 -------- -------- show platform hardware qfp active feature subscriber state pppoe -------- -------- show platform hardware qfp active feature subscriber state pppoa -------- -------- show platform hardware qfp active feature subscriber state feature -------- -------- show platform hardware qfp active feature subscriber state feature accounting -------- -------- show platform hardware qfp active feature subscriber state feature policing -------- -------- show platform hardware qfp active feature subscriber state feature l4redirect -------- -------- show platform hardware qfp active feature subscriber state feature portbundle -------- -------- show platform hardware qfp active feature subscriber state feature ffr -------- -------- show platform hardware qfp active feature subscriber state feature tc class-group -------- -------- show platform hardware qfp active feature subscriber state feature tc transaction -------- -------- show platform hardware qfp active class class statistics | exc _0_ -------- -------- show platform hardware qfp active class class class client tc all -------- -------- show platform hardware qfp active tcam resource-manager usage -------- -------- show platform hardware qfp active infra shared-memory all -------- QFP shared-memory info shm_win_name max_win_size curr_win_size alloc_space free_space allocs frees ----------------------------------------------------------------------------------------------------- CGM 301989888 8785920 6868784 1917136 2206 231 CPP_EXMEM 67108864 4206592 3751824 454768 588 0 CPP_FM_STAT 4194304 2101248 32 2101216 1 0 CPP_HA 4194304 2101248 32 2101216 1 0 DRV_CPP0 4194304 2363392 278784 2084608 261 0 DRV_HAL 4194304 2101248 64 2101184 1 0 IFM 134217728 55197696 53147040 2050656 1098 0 TCAM_RM_IPC 5767336 2101248 32 2101216 1 0 TCAM_RM_REGINFO 4194304 2101248 160 2101088 2 0 . . . -------- show platform hardware qfp act infra exmem statistics -------- -------- show platform hardware qfp act infra exmem statistics user -------- -------- show platform hardware qfp act infra punt stat type per-cause | exc _0_ -------- -------- show platform hardware qfp act infra punt stat type global-drop | exc _0_ -------- -------- show platform hardware qfp act infra punt stat type inject-drop | exc _0_ -------- -------- show platform hardware qfp act infra punt stat type punt-drop | exc _0_ -------- -------- show platform hardware qfp act stat drop -------- ------------------------------------------------------------------------- Global Drop Stats Packets Octets ------------------------------------------------------------------------- BadUidbIdx 15238 2285862 BadUidbSubIdx 8 1168 Disabled 15 1698 EsfL4rBadConfig 10 1460 EssIpsubFsolDrop 63 9198 InjectErr 61 8070 Ipv4NoAdj 3 168 Ipv4NoRoute 159700908 23316332568 -------- show platform hardware qfp act datapath util summary -------- CPP 0: 5 secs 1 min 5 min 60 min Input: Total (pps) 1004 1005 1005 1005 (bps) 1203776 1204440 1204424 1204432 Output: Total (pps) 3 4 4 4 (bps) 13240 9088 8488 8384 Processing: Load (pct) 0 0 0 0source
To specify the interface for which the main IP address will be mapped by the Intelligent Services Gateway (ISG) to the destination IP addresses in subscriber traffic, use the sourcecommand in IP portbundle configuration mode. To remove this specification, use the no form of this command.
Syntax Description
interface-type interface-number
Interface whose main IP address is used as the ISG source IP address.
Usage Guidelines
The ISG Port-Bundle Host Key feature enables an ISG to map the destination IP addresses in subscriber traffic to the IP address of a specified ISG interface.
All ISG source IP addresses specified with the sourcecommand must be routable in the management network in which the portal resides.
If the interface for the source IP address is deleted, the port-map translations will not work correctly.
Because a subscriber can have several simultaneous TCP sessions when accessing a web page, ISG assigns a bundle of ports to each subscriber. Because the number of available port bundles is limited, you can assign multiple ISG source IP addresses (one for each group of port bundles). By default, each group has 4032 bundles, and each bundle has 16 ports. To modify the number of bundles per group and the number of ports per bundle, use the length command.
Examples
In the following example, the ISG will map the destination IP addresses in subscriber traffic to the main IP address of Ethernet interface 0/0/0:
ip portbundle source ethernet 0/0/0Related Commands
Command
Description
ip portbundle (service)
Enables the ISG Port-Bundle Host Key feature for a service.
length
Specifies the ISG port-bundle length.
show ip portbundle ip
Displays information about a particular ISG port bundle.
show ip portbundle status
Displays information about ISG port-bundle groups.
subscriber accounting accuracy
subscriber accounting ssg
To display the subscriber inbound and outbound data in accounting records in Service Selection Gateway (SSG) format, use the subscriber accounting ssgcommand in global configuration mode. To disable the SSG accounting format, use the no form of this command.
Usage Guidelines
The subscriber accounting ssgcommand allows Intelligent Services Gateway (ISG) to use the same format as SSG for the subscriber inbound and outbound byte counts in the ssg-control-info accounting attribute. By default, ISG reverses the inbound and outbound values in the ssg-control-info attribute. This command makes ISG compatible with SSG accounting.
subscriber feature prepaid
To create or modify a configuration of Intelligent Services Gateway (ISG) prepaid billing parameters that can be referenced from a service policy map or service profile, use the subscriber feature prepaid command in global configuration mode. To delete the configuration, use the no form of this command.
subscriber feature prepaid { name-of-configuration | default }
no subscriber feature prepaid { name-of-configuration | default }
Usage Guidelines
Use the subscriber feature prepaid command to create or modify a prepaid billing parameter configuration.
ISG prepaid billing is enabled in a service policy map on the router by entering the prepaid config command, or in a service profile on the AAA server by using the prepaid vendor-specific attribute (VSA). The prepaid config command and prepaid VSA reference a configuration that contains specific prepaid billing parameters.
A default prepaid configuration exists with the following parameters:
subscriber feature prepaid default threshold time 0 seconds threshold volume 0 bytes method-list authorization default method-list accounting default password ciscoThe default configuration will not show up in the output of the show running-config command unless you change any one of the parameters.
You can also use the subscriber feature prepaidcommand to create a named prepaid configuration. Named prepaid configurations are inherited from the default configuration, so if you create a named prepaid configuration and want only one parameter to be different from the default configuration, you have to configure only that parameter.
Examples
The following example shows prepaid billing enabled in a service called “mp3”. The prepaid billing parameters in the configuration “conf-prepaid” will be used for “mp3” prepaid sessions.
policy-map type service mp3 class type traffic CLASS-ACL-101 authentication method-list cp-mlist accounting method-list cp-mlist prepaid config conf-prepaid subscriber feature prepaid conf-prepaid threshold time 20 threshold volume 0 method-list accounting ap-mlist method-list authorization default password ciscosubscriber policy recording
To enable iEdge policy subscriber recording use the subscriber policy recording command in global configuration mode. To disable the iEdge subscriber recording settings, use the no form of this command.
Syntax Description
profile
Records subscriber policy profiles as they download.
service
Records subscriber service profiles as they download.
user
Records subscriber user profiles as they download.
rules
Records subscriber rules, condition, and actions as they execute.
limit number
Limits the number of rule events that get recorded. The range is from 0 to 4294967294
subscriber redundancy
To configure the broadband subscriber session redundancy policy for synchronization between High Availability (HA) active and standby processors, use the subscriber redundancy command in global configuration mode. To delete the policy, use the no form of this command.
subscriber redundancy { bulk limit { cpu percent delay seconds [ allow sessions ] | time seconds } | dynamic limit { cpu percent delay seconds | [ allow sessions ] | periodic-update interval [minutes] } | delay seconds | rate sessions seconds | disable }
no subscriber redundancy { bulk limit { cpu | time } | dynamic limit { cpu | periodic-update interval [minutes] } | delay | rate | disable }
Syntax Description
bulk
Configures a bulk synchronization redundancy policy.
limit
Specifies the synchronization limit.
dynamic
Configures a dynamic synchronization redundancy policy.
cpu percent
Specifies, in percent, the CPU busy threshold value. Range: 1 to 100. Default: 90.
delay seconds
Specifies the minimum time, in seconds, for a session to be ready before bulk or dynamic synchronization occurs. Range: 1 to 33550.
allow sessions
(Optional) Specifies the minimum number of sessions to synchronize when the CPU busy threshold is exceeded and the specified delay is met. Range: 1 to 2147483637. Default: 25.
time seconds
Specifies the maximum time, in seconds, for bulk synchronization to finish. Range: 1 to 3000.
periodic-update interval
Enables the periodic update of accounting statistics for subscriber sessions.
minutes
(Optional) Interval, in minutes, for the periodic update. Range: 10 to 1044. Default: 15.
rate sessions seconds
Specifies the number of sessions per time period for bulk and dynamic synchronization.
disable
Disables stateful switchover (SSO) for all subscriber sessions.
Command History
Release
Modification
12.2(31)SB2
This command was introduced.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC.
Cisco IOS XE Release 3.3S
This command was integrated into Cisco IOS XE Release 3.3S.
Cisco IOS XE Release 3.5S
This command was modified. The periodic-update interval keyword and minutes argument were added.
15.2(1)S
This command was modified. The disable keyword was added.
Usage Guidelines
Cisco IOS HA functionality for broadband protocols and applications allows for SSO and In-Service Software Upgrade (ISSU) features that minimize planned and unplanned downtime and failures. HA uses the cluster control manager (CCM) to manage the capability to synchronize subscriber session initiation on the standby processor of a redundant processor system.
- Use the bulk keyword to create and modify the redundancy policy used during bulk (startup) synchronization.
- Use the dynamic keyword with the limit keyword to tune subscriber redundancy policies that throttle dynamic synchronization by monitoring CPU usage and synchronization rates.
- Use the delay keyword to establish the minimum session duration for synchronization and to manage dynamic synchronization of short-duration calls.
- Use the rate keyword to throttle the number of sessions to be synchronized per period.
- Use the dynamic keyword with the periodic-update interval keyword to enable subscriber sessions to periodically synchronize their dynamic accounting statistics (counters) on the standby processor. The periodic update applies to new and existing subscriber sessions. All subscriber sessions do not synchronize their data at exactly the same time. Session synchronization is spread out based on the session creation time and other factors. This command is rejected if a previous instance of the command has not finished processing.
- Use the disable keyword to disable SSO for all subscriber sessions.
Examples
The following example shows how to configure a 10-second delay when CPU usage exceeds 90 percent during bulk synchronization, after which 25 sessions will be synchronized before the CCM again checks the CPU usage:
Router(config)# subscriber redundancy bulk limit cpu 90 delay 10 allow 25The following example shows how to configure a maximum time of 90 seconds for bulk synchronization to be completed:
Router(config)# subscriber redundancy bulk limit time 90The following example shows how to configure a 15-second delay when CPU usage exceeds 90 percent during dynamic synchronization, after which 25 sessions will be synchronized before the CCM again checks the CPU usage:
Router(config)# subscriber redundancy dynamic limit cpu 90 delay 15 allow 25The following example shows how to configure 2000 sessions to be synchronized per second during bulk and dynamic synchronization:
Router(config)# subscriber redundancy rate 2000 1The following example shows how to configure a periodic update so that subscriber sessions synchronize their accounting statistics every 30 minutes:
Router(config)# subscriber redundancy dynamic periodic-update interval 30The following example shows how to disable SSO for all subscriber sessions:
Router(config)# subscriber redundancy disablesubscriber trace event
To enable event tracing for software modules that are involved in Intelligent Services Gateway (ISG) subscriber sessions, use the subscriber trace eventcommand in global configuration mode. To disable event tracing, use the no form of this command.
Syntax Description
dpm
Enables event tracing for the DHCP policy module (DPM).
pm
Enables event tracing for the policy manager (PM) module.
retain
(Optional) Saves event traces for existing subscriber sessions until the DPM context is destroyed.
Usage Guidelines
The subscriber trace eventcommand enables event traces to be collected for existing subscriber sessions. It allows you to capture the trace of an event immediately as it occurs, before the session ends and the data is lost. Cisco Technical Assistance Center (TAC) personnel may request this event trace information when resolving issues with ISG subscriber sessions.
Sessions that are marked as interesting, because the session became stuck in a state, entered an error state, or failed due to an error, can be saved to a trace history buffer if the subscriber trace history command is enabled.
The system deletes (prunes) the event traces for sessions that are not considered interesting. Traces for existing sessions are maintained until the session is removed or pruned.
Event traces are retained until the corresponding IP session reaches the up state. If the retain keyword is configured, the trace data is retained until the DPM context is destroyed.
There is a limit of 20 event traces for each DPM session and eight for each PM session.
Examples
The following example shows how to enable event tracing for the DPM component:
Router(config)# subscriber trace event dpm retainRelated Commands
Command
Description
show subscriber policy dpm context
Displays event traces for DPM session contexts.
show subscriber trace history
Displays the event traces for ISG subscriber sessions that are saved in the history log.
subscriber trace history
Enables the event traces for ISG subscriber sessions to be saved to a history log.
subscriber trace history
To enable saving event traces for Intelligent Services Gateway (ISG) subscriber sessions to a history log, use the subscriber trace historycommand in global configuration mode. To disable saving the event trace history, use the no form of this command.
subscriber trace history { dpm | pm } [ size max-records ]
no subscriber trace history { dpm | pm } [ size max-records ]
Syntax Description
dpm
Saves DHCP policy module (DPM) event traces to the history log.
pm
Saves policy manager (PM) event traces to the history log.
size max-records
(Optional) Maximum number of subscriber session traces that can be stored in the history log buffer. Range: 10 to 1000. Default: 100.
Command Default
DPM and PM history logs are disabled; maximum size of history log buffers is 100 sessions.
Usage Guidelines
The subscriber trace historycommand allows event traces to be saved to a history log and optionally modifies the size of the history log buffer. Sessions that are marked as interesting, because the session became stuck in a state, entered an error state, or failed due to an error, are saved to the trace history log. Event tracing must be enabled for the module using the subscriber trace event command.
Each software module has its own history log buffer. When the history log buffer reaches its configured capacity, the oldest event trace is written over by the newest event trace until you increase the size of the history log with this command or you clear the history log using the clear subscriber trace history command.
Modifying the size of the buffer with this command does not change the number of sessions that are currently saved to the history buffer. The no subscriber trace history command prevents any new sessions from being saved to the history log; it does not clear the current history log.
Examples
The following example shows how to set the DPM history log size to 200 sessions.
Router(config)# subscriber trace history dpm size 200Related Commands
Command
Description
clear subscriber trace history
Clears the trace history log for ISG subscriber sessions.
show subscriber trace history
Displays the event traces for ISG subscriber sessions that are saved in the trace history log.
show subscriber trace statistics
Displays statistics about the event traces for ISG subscriber sessions that were saved to the history log.
subscriber trace event
Enables event tracing for software modules involved in ISG subscriber sessions.
test sgi xml
To feed a file into the Service Gateway Interface (SGI) process for testing of SGI XML files when an external client is not available, use the test sgi xml command in privileged EXEC configuration mode.
Usage Guidelines
This command is used to verify the format of an SGI XML request. The XML file must be copied onto the router before it can be used by the test sgi xml command.
The external client is currently under development. In the absence of an external client, the test command can be used to verify the XML for specific SGI operations.
threshold (ISG)
To configure the threshold at which the Intelligent Services Gateway (ISG) will send a reauthorization request to the prepaid billing server, use the threshold command in ISG prepaid configuration mode. To reset the threshold to the default value, use the no form of this command.
threshold { time number-of-seconds | volume number-of-bytes }
no threshold { time number-of-seconds | volume number-of-bytes }
Syntax Description
time
Specifies the threshold for time-based prepaid sessions.
number-of-seconds
When a quota, in seconds, has been depleted to this number, ISG will send a reauthorization request. Default = 0.
volume
Specifies the threshold for volume-based prepaid sessions.
number-of-bytes
When a quota, in bytes, has been depleted to this number, ISG will send a reauthorization request. Default = 0.
Command Default
ISG sends reauthorization requests when the subscriber runs out of quota, which is equivalent to a prepaid threshold of 0 seconds or 0 bytes.
Usage Guidelines
By default, an ISG sends reauthorization requests to the billing server when a subscriber has run out of quota. ISG prepaid thresholds allows an ISG to send reauthorization requests before subscribers completely run out of quota. When a prepaid threshold is configured, the ISG sends a reauthorization request to the billing server when the amount of quota remaining is equal to the value of the threshold.
Examples
The following example shows an ISG prepaid feature configuration in which the threshold for time-based sessions is 20 seconds and the threshold for volume-based sessions is 0 bytes. When a time-based prepaid session has 20 seconds of quota remaining, the ISG will send a reauthorization request to the prepaid billing server. For volume-based prepaid sessions, the ISG will send a reauthorization request when the entire quota has been used up.
subscriber feature prepaid conf-prepaid interim-interval 5 threshold time 20 threshold volume 0 method-list accounting ap-mlist method-list authorization default password ciscoRelated Commands
Command
Description
prepaid config
Enables prepaid billing for an ISG service and references a configuration of prepaid billing parameters.
subscriber feature prepaid
Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile.
timeout absolute (ISG)
To specify the maximum Intelligent Services Gateway (ISG) subscriber session lifetime, use the timeout absolute command in service policy map class configuration mode. To return to the default value, use the no form of this command.
Usage Guidelines
The timeout absolute command controls how long an ISG subscriber session can be connected before it is terminated.
Examples
The following example sets the subscriber session limit to 300 seconds:
class-map type traffic match-any traffic-class match access-group input 101 match access-group output 102 policy-map type service video-service class type traffic traffic-class police input 20000 30000 60000 police output 21000 31500 63000 timeout absolute 300 class type traffic default droptimeout idle
To specify how long an Intelligent Services Gateway (ISG) subscriber session can be idle before it is terminated, use the timeout idle command in service policy map class configuration mode. To return to the default value, use the no form of this command.
Syntax Description
duration-in-seconds
Number of seconds a subscriber session can be idle before it is terminated. Range: n to 15552000. The minimum value is platform and release-specific. For more information, use the question mark (?) online help function.
both
(Optional) Applies the idle timer to traffic in both the inbound and outbound directions.
inbound
(Optional) Applies the idle timer to traffic in the inbound direction only.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
12.2(33)SRC
This command was modified. The minimum value of the duration-in-seconds argument was changed from 1 to a platform-specific number.
Cisco IOS XE Release 3.5S
This command was modified. The maximum value of the duration-in-seconds argument was increased from 4294967 seconds to 15552000 seconds.
Cisco IOS XE Release 3.6S
This command was modified. The both and inbound keywords were added.
Usage Guidelines
The timeout idle command controls how long a connection can be idle before it is terminated. If this command is not configured, the connection is not terminated regardless of how long it is idle.
If the timeout idle command is configured under a traffic class, and it is configured without any keywords, the timer applies in the direction of the traffic class.
The table below shows the keywords that are available based on the direction of the traffic class where the timeout idle command is configured. It also shows the default behavior if the command is configured without a keyword.
Idle Timer Is Configured Here
Keywords Available
Default Behavior if No Keyword
Inbound and outbound IP sessions
both, inbound
Timer is applied to the configured direction. If no timer direction is specified, the timer is applied in the outbound direction.
Inbound and outbound traffic class, or classless service
both, inbound
Timer is applied to the configured direction for an inbound and outbound traffic class. If no direction is specified, the timer is applied in the outbound direction.
Note In releases before Cisco IOS XE Release 3.6S, the idle timer is always applied in the inbound direction for classless services.
Inbound traffic class only
inbound
Timer is applied in the inbound direction.
Outbound traffic class only
—
Timer is applied in the outbound direction.
Examples
The following example shows that the idle connection time is limited to 30 seconds in the inbound direction:
class-map type traffic match-any traffic-class match access-group input 101 match access-group output 102 policy-map type service video-service class type traffic traffic-class police input 20000 30000 60000 police output 21000 31500 63000 timeout idle 30 inbound class type traffic default droptimer (ISG RADIUS proxy)
To configure the maximum amount of time for which an Intelligent Services Gateway (ISG) session waits for an event before terminating the session, use the timer command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To disable the timer, use the no form of this command.
timer { disconnect { acct-stop | reauth-fail } | ip-address | reconnect | request | roaming } seconds
no timer { disconnect { acct-stop | reauth-fail } | ip-address | reconnect | request | roaming }
Syntax Description
disconnect
Specifies a timer for disconnecting the session.
acct-stop
Specifies a timer for disconnecting the session after an accounting-stop request is received by ISG.
reauth-fail
Specifies a timer for disconnecting the session during an Extensible Authentication Protocol-Subscriber Identity Module (EAP-SIM) reauthentication failure.
ip-address
Specifies a timer for the IP address assigned to the session.
reconnect
Specifies a timer for reconnecting the session.
request
Specifies a timer for receiving an access request from a client device.
roaming
Specifies a timer for hotspot roaming.
seconds
Duration (in seconds) for which ISG waits before terminating a RADIUS proxy session. The range is from 0 to 43200. The default is 0.
Command Modes
RADIUS proxy server configuration (config-locsvr-proxy-radius)
RADIUS proxy client configuration (config-locsvr-radius-client)
Command History
Release
Modification
12.2(31)SB2
This command was introduced.
15.0(1)S
This command was integrated into Cisco IOS Release 15.0(1)S. The reconnect keyword was added.
Cisco IOS XE Release 3.5S
This command was integrated into Cisco IOS XE Release 3.5S. The roaming keyword was added.
Cisco IOS XE Release 3.7S
This command was modified. The disconnect keyword was added.
Usage Guidelines
Use the timer command to adjust your network to accommodate slow-responding devices.
ISG RADIUS proxy timers can be specified per client or globally for all RADIUS proxy clients. The per-client configuration overrides the global configuration. The timer is set by the RADIUS proxy in response to the termination of a subscriber IP session that is associated with the RADIUS proxy session. While the timer is running, the RADIUS proxy session is maintained regardless of whether the subscriber IP session (that was created after the timer was started) exists or not. If a subscriber IP session does not exist when the timer expires, the RADIUS proxy session is deleted. The timer is available only for open authenticated RADIUS proxy sessions.
Examples
The following example shows how to configure ISG to wait for 20 seconds for an access request packet before terminating the RADIUS proxy session:
Device(config)# aaa server radius proxy Device(config-locsvr-proxy-radius)# timer request 20The following example shows how to configure the RADIUS proxy session roaming timer:
Device(config)# aaa server radius proxy Device(config-locsvr-proxy-radius)# timer roaming 60The following example shows how to configure the RADIUS proxy session disconnect delay timer for accounting stop in RADIUS proxy client mode:
Device(config)# aaa server radius proxy Device(config-locsvr-proxy-radius)# client 192.0.2.1 Device(config-locsvr-radius-client)# timer disconnect acct-stop 30The following example shows how to configure the RADIUS proxy session disconnect delay timer for reauthentication failure in RADIUS proxy client mode:
Device(config)# aaa server radius proxy Device(config-locsvr-proxy-radius)# client 192.0.2.1 Device(config-locsvr-radius-client)# timer disconnect reauth-failure 20Related Commands
Command
Description
aaa server radius proxy
Enables ISG RADIUS proxy server configuration mode, in which global ISG RADIUS proxy parameters can be configured.
client (ISG RADIUS proxy)
Enters ISG RADIUS proxy client configuration mode, in which client-specific RADIUS proxy parameters can be specified.
trust
To define a trust state for traffic that is classified through the class policy-map configuration command, use the trust command in policy-map class configuration mode. To return to the default setting, use the no form of this command.
Syntax Description
cos
(Optional) Classifies an ingress packet by using the packet class of service (CoS) value. For an untagged packet, the port default CoS value is used.
dscp
(Optional) Classifies an ingress packet by using the packet differentiated services code point (DSCP) values (most significant 6 bits of the 8-bit service-type field). For a non-IP packet, the packet CoS value is used if the packet is tagged. If the packet is untagged, the default port CoS value is used to map CoS to DSCP.
precedence
(Optional) Classifies the precedence of the ingress packet.
Command History
Release
Modification
12.2(14)SX
This command was introduced on the Catalyst 6500 series.
12.2(33)SRA
This command was implemented on the Catalyst 7600 series.
Usage Guidelines
Use this command to distinguish the quality of service (QoS) trust behavior for certain traffic from other traffic. For example, inbound traffic with certain DSCP values can be trusted. You can configure a class map to match and trust the DSCP values in the inbound traffic.
Trust values set with this command supersede trust values set with the qos trust interface configuration command.
If you specify the trust cos command, QoS uses the received or default port CoS value and the CoS-to-DSCP map to generate a DSCP value for the packet.
If you specify the trust dscp command, QoS uses the DSCP value from the ingress packet. For non-IP packets that are tagged, QoS uses the received CoS value; for non-IP packets that are untagged, QoS uses the default port CoS value. In either case, the DSCP value for the packet is derived from the CoS-to-DSCP map.
Examples
The following example shows how to define a port trust state to trust inbound DSCP values for traffic classified with “class1” :
Router# configure terminal Router(config)# policy-map policy1 Router(config-pmap)# class class1 Router(config-pmap-c)# trust dscp Router(config-pmap-c)# police 1000000 20000 exceed-action policed-dscp-transmit Router(config-pmap-c)# end Router#You can verify your settings by entering the show policy-map privileged EXEC command.
Related Commands
Command
Description
class
Specifies the name of the class whose traffic policy you want to create or change.
police
Configures the Traffic Policing feature.
policy-map
Creates a policy map that can be attached to multiple ports to specify a service policy and enters policy-map configuration mode.
set
Marks IP traffic by setting a CoS, DSCP, or IP-precedence in the packet.
show policy-map
Displays information about the policy map.
