Tag and Template
First Published: February 27, 2006
Last Updated: February 27, 2006

The Tag and Template feature allows network administrators to define enforcement policies on a local device and have a RADIUS server specify the policy selector to be enforced. This feature can be applied to a Network Admission Control (NAC) architecture.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Tag and Template" section.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Tag and Template
• Requirements for Tag and Template
• Information About Tag and Template
• How to Configure Tag and Template
• Configuration Examples for Tag and Template
• Feature Information for Tag and Template
Prerequisites for Tag and Template
• You must have a Cisco IOS image that supports the Modular Quality of Service (QoS) command-line interface (CLI).
Requirements for Tag and Template
• Before Tag and Template can apply the enforcement policies, the identity policy and the access groups (ACLs) that the identity policy refers to must already be configured on the device.
Information About Tag and Template
Before configuring Tag and Template, you should understand the following concepts:
Tag and Template Overview
In a typical Network Admission Control deployment, an access control server (ACS) or a RADIUS server is used for validating the user posture information and for applying the policies on the network access device (NAD). A centralized ACS can be used to support multiple NADs. This solution has inherent problems associated with it, namely:
• Version control of policies. A NAD running one Cisco IOS image may support a certain set of ACLs while another NAD supports a different version, and managing the different versions centrally on the ACS is a problem.
• Users connect to the NAD on different interfaces, and the policies that can be applied to a user change with the interface type; the NAD is the device that can determine which policies apply. In the current architecture, the ACS sends the same set of policies to all the NADs when a profile is matched, which does not give the administrator enough control to configure the policies on the basis of the NAD configuration.
To overcome these problems, the Tag and Template concept has been introduced. The ACS maps users to specific groups and associates a tag with each group. For example, the Usergroup1 user group may have a tag named "usergroup1." When the NAD queries the ACS for the policies, the ACS returns the tag that is associated with the user group. When this tag is received at the NAD, the NAD maps the tag to a specific template that holds the set of policies associated with that user group. This mapping gives administrators the flexibility to configure the template on a per-NAD basis, so the policies can differ from NAD to NAD even though the tag is the same.
In summary, a template must be configured on the NAD, and the template must be associated with a tag. When the ACS sends the policies back to the NAD, the template that matches the tag received from the ACS is used.
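The following Python model makes the lookup concrete. It is an added illustration, not Cisco IOS code or configuration from this document: the ACS returns the tag in the Cisco AV pair tag-name={tag string}, and the NAD resolves that tag, together with the port type the host connected on, against its locally configured tag-type class maps and applies the identity policy (the template) bound to the first matching class. The identity policy names (hq_lan_policy, branch_healthy_policy and so on), the two NAD configurations, and the first-match evaluation order are assumptions made for the example.

```python
"""Model of the tag-to-template lookup (added example, not Cisco IOS code).
The ACS returns tag-name=<string> as a Cisco AV pair; the NAD maps the tag,
together with the port type the host is on, to a locally defined template.
Policy names, the two NAD configurations and first-match ordering are
assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def tag_from_av_pairs(av_pairs: List[str]) -> Optional[str]:
    """Pull the tag out of the Cisco AV pairs carried by a RADIUS reply.
    Only the documented pair, tag-name=<string>, is recognised."""
    for pair in av_pairs:
        key, sep, value = pair.partition("=")
        if sep and key.strip() == "tag-name" and value.strip():
            return value.strip()
    return None


@dataclass
class TagClassMap:
    """class-map type tag [match-all | match-any] <name> plus its match lines,
    each ("tag", <tag-name>) or ("port-type", "routed" | "switched")."""
    name: str
    match_all: bool = True
    criteria: List[Tuple[str, str]] = field(default_factory=list)

    def matches(self, tag: str, port_type: str) -> bool:
        results = [value == (tag if kind == "tag" else port_type)
                   for kind, value in self.criteria]
        if not results:              # a class with no match lines never matches
            return False
        return all(results) if self.match_all else any(results)


@dataclass
class TagPolicyMap:
    """policy-map type control tag <name>: an ordered list of classes, each
    bound to an identity policy. Assumption: classes are evaluated in order
    and the first match wins, which is what insert-before exists for."""
    name: str
    classes: List[Tuple[TagClassMap, str]] = field(default_factory=list)

    def add_class(self, cmap: TagClassMap, identity_policy: str,
                  insert_before: Optional[str] = None) -> None:
        entry = (cmap, identity_policy)
        if insert_before is None:
            self.classes.append(entry)
            return
        for i, (existing, _) in enumerate(self.classes):
            if existing.name == insert_before:
                self.classes.insert(i, entry)
                return
        raise ValueError(f"% class map {insert_before} not configured")

    def resolve(self, tag: str, port_type: str) -> Optional[str]:
        for cmap, identity_policy in self.classes:
            if cmap.matches(tag, port_type):
                return identity_policy
        return None                   # no template for this tag on this NAD


def build_hq_nad() -> TagPolicyMap:
    """HQ router (assumed): the same tag maps to different templates by port type."""
    pmap = TagPolicyMap("global_class")
    pmap.add_class(TagClassMap("healthy_class", criteria=[("tag", "healthy")]),
                   "hq_healthy_policy")
    pmap.add_class(TagClassMap("non_healthy_class", criteria=[("tag", "non_healthy")]),
                   "hq_quarantine_policy")
    # Added later, so insert-before is needed to get it evaluated first.
    pmap.add_class(TagClassMap("healthy_switched_class", match_all=True,
                               criteria=[("tag", "healthy"), ("port-type", "switched")]),
                   "hq_lan_policy", insert_before="healthy_class")
    return pmap


def build_branch_nad() -> TagPolicyMap:
    """Branch router (assumed): same tag vocabulary, its own templates."""
    pmap = TagPolicyMap("global_class")
    pmap.add_class(TagClassMap("healthy_class", criteria=[("tag", "healthy")]),
                   "branch_healthy_policy")
    pmap.add_class(TagClassMap("non_healthy_class", criteria=[("tag", "non_healthy")]),
                   "branch_quarantine_policy")
    return pmap


def enforce(pmap: TagPolicyMap, av_pairs: List[str], port_type: str) -> Optional[str]:
    """What the NAD applies for one host: the template name, or None when no
    tag arrived or no class matched."""
    tag = tag_from_av_pairs(av_pairs)
    return None if tag is None else pmap.resolve(tag, port_type)


if __name__ == "__main__":
    reply = ["priv-lvl=15", "tag-name=healthy"]   # constructed RADIUS reply
    print("hq/switched :", enforce(build_hq_nad(), reply, "switched"))
    print("hq/routed   :", enforce(build_hq_nad(), reply, "routed"))
    print("branch      :", enforce(build_branch_nad(), reply, "switched"))
```

The same reply, tag-name=healthy, yields three different templates depending on which NAD receives it and on which port type, which is exactly the per-NAD flexibility the text describes; a tag that no class matches yields None, so an unexpected tag from the ACS selects nothing locally rather than silently selecting the wrong template.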
How to Configure Tag and Template
This section includes the following procedures:
• Defining a Class Map for a Specific Type and Associating Match Conditions with It
• Associating the Class Map with the Policy Map and Applying Actions for Classes That Match
• Associating the Service Policy with a Specific IP Admission Rule
• Monitoring the Template Configuration
• Verifying the Template Configuration
Defining a Class Map for a Specific Type and Associating Match Conditions with It
To define a class map and associate match conditions with it, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type tag [match-all | match-any] class-map-name
4. match port-type {routed | switched}
5. match tag tag-name
DETAILED STEPS
What to Do Next
Associate the class map with the policy map and apply actions for classes that match.
Associating the Class Map with the Policy Map and Applying Actions for Classes That Match
To associate the class map with the policy map and apply actions for classes that match, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map type control tag policy-map-name
4. class type tag {class-name} [insert-before {class-name}]
5. identity policy policy-name
DETAILED STEPS
What to Do Next
Associate the service policy with a specific IP admission rule.
Associating the Service Policy with a Specific IP Admission Rule
The policy map defined above can be associated with an IP authentication proxy rule or an IP admission rule. To associate the map with the IP authentication proxy or IP admission rule, perform the following steps.
Note
There can be multiple policy maps, and each one can be associated with a different IP admission rule, but an IP admission rule can reference only one policy map.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip admission name admission-name [eapoudp | proxy {ftp | http | telnet} | service-policy type tag {service-policy-name}] [list {acl | acl-name}]
or
ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-timer min] [absolute-timer min] [list {acl | acl-name}] [service-policy type tag {service-policy-name}]
DETAILED STEPS
Monitoring the Template Configuration
To monitor the template configuration, perform the following steps.
SUMMARY STEPS
1. enable
2. debug tag-template event
DETAILED STEPS
Verifying the Template Configuration
To verify the template configuration, perform the following steps. The show commands can be used individually or together.
SUMMARY STEPS
1. enable
2. show class-map type tag class-map-name
3. show epm session ip {ip-address | summary}
4. show policy-map type control tag type-name
DETAILED STEPS
Configuration Examples for Tag and Template
This section provides the following configuration example.
• Typical Tag and Template Configuration: Example
Typical Tag and Template Configuration: Example
In the following service policy (Tag and Template) example, tags named "healthy" and "non_healthy" can be received from an AAA server, the policy map is defined on the NAD, and the tag policy type is associated with the IP admission name "greentree." The access-group names referenced by the identity policies must match the names of the ACLs that are defined; if a class map refers to an identity policy that does not exist on the device, an error is generated when the policy is applied.

Class Map Definition for the "healthy_class" Type Tag

Router(config)# class-map type tag healthy_class
Router(config-cmap)# match tag healthy
Router(config-cmap)# end

Class Map Definition for the "non_healthy_class" Type Tag

Router(config)# class-map type tag non_healthy_class
Router(config-cmap)# match tag non_healthy
Router(config-cmap)# end

Policy Map Is Defined

! The following line will be associated with the IP admission name.
Router(config)# policy-map type control tag global_class
! The following line refers to the class map that was defined above.
Router(config-pmap)# class healthy_class
Router(config-pmap-c)# identity policy healthy_policy
Router(config-pmap-c)# exit
! The following line refers to the non_healthy class that was defined above.
Router(config-pmap)# class non_healthy_class
Router(config-pmap-c)# identity policy non_healthy_policy
Router(config-pmap-c)# end

Identity Policy Can Be Defined As Follows

Router(config)# identity policy healthy_policy
! The following line is the IP access list for healthy users.
Router(config-identity-policy)# access-group healthy_acl
Router(config-identity-policy)# end
Router(config)# identity policy non_healthy_policy
Router(config-identity-policy)# access-group non_healthy_acl
Router(config-identity-policy)# end

Access Lists Can Be Defined As Follows

Router(config)# ip access-list extended healthy_acl
! The following line can be anything, but as an example, traffic is being allowed.
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# end
Router(config)# ip access-list extended non_healthy_acl
! The following line is only an example. In practical cases, you could prevent a user from accessing specific networks.
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# end

Policy Map That Was Defined Above Is Associated with the IP Admission Name

Router(config)# ip admission name greentree service-policy type tag global_class
! In the next line, the admission name can be associated with the interface.
Router(config)# interface fastethernet 1/0
Router(config-if)# ip admission greentree

In the above configuration, if the AAA server sends a tag named "healthy" or "non_healthy" for any host, the policies that are associated with the appropriate identity policy will be applied on the host.
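The configuration above ties five objects together purely by name (class map, policy map, identity policy, access list, admission rule), and the device only reports a missing identity policy when the policy is actually applied to a host. The following Python script is an added example, not Cisco IOS code or a tool from this document: it parses a running-config excerpt in the form shown above (the excerpt is constructed for the example, with the ACL names healthy_acl and non_healthy_acl assumed) and reports every name that is referenced but never defined, which is the check a reviewer would run before binding the admission rule to a production interface.

```python
"""Cross-reference check for a Tag and Template configuration (added example,
not Cisco IOS code). Parses the running-config form of the objects above and
lists every dangling reference: class maps named in the policy map, identity
policies named under each class, access groups named in each identity policy,
the policy map named by the ip admission rule, and the rule applied to an
interface. The sample configuration is constructed; ACL names are assumed."""
import re
from typing import Dict, List

# Constructed running-config excerpt mirroring the example above.
GOOD_CONFIG = """\
class-map type tag match-all healthy_class
 match tag healthy
class-map type tag match-all non_healthy_class
 match tag non_healthy
!
policy-map type control tag global_class
 class healthy_class
  identity policy healthy_policy
 class non_healthy_class
  identity policy non_healthy_policy
!
identity policy healthy_policy
 access-group healthy_acl
identity policy non_healthy_policy
 access-group non_healthy_acl
!
ip access-list extended healthy_acl
 permit ip any any
ip access-list extended non_healthy_acl
 deny ip any any
!
ip admission name greentree service-policy type tag global_class
!
interface FastEthernet1/0
 ip admission greentree
"""

# A common slip: the identity policy names an ACL that was never created.
BROKEN_CONFIG = GOOD_CONFIG.replace("access-group healthy_acl", "access-group healthy")


def parse_config(text: str) -> Dict[str, dict]:
    """Collect the named objects and the names each of them references."""
    cfg = {"class_maps": {}, "policy_maps": {}, "identity_policies": {},
           "acls": set(), "admission_rules": {}, "interfaces": {}}
    block = None          # (kind, name) of the enclosing top-level command
    current_class = None  # class currently open inside a policy map
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        words = line.split()
        if not line.startswith(" "):                 # top-level command
            block, current_class = None, None
            if line.startswith("class-map type tag"):
                block = ("class_map", words[-1])
                cfg["class_maps"][words[-1]] = []
            elif line.startswith("policy-map type control tag"):
                block = ("policy_map", words[-1])
                cfg["policy_maps"][words[-1]] = []
            elif line.startswith("identity policy "):
                block = ("identity", words[2])
                cfg["identity_policies"][words[2]] = []
            elif line.startswith("ip access-list ") or line.startswith("access-list "):
                cfg["acls"].add(words[-1] if line.startswith("ip ") else words[1])
            elif line.startswith("ip admission name "):
                m = re.search(r"service-policy type tag (\S+)", line)
                cfg["admission_rules"][words[3]] = m.group(1) if m else None
            elif line.startswith("interface "):
                block = ("interface", words[1])
                cfg["interfaces"][words[1]] = None
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "class_map" and words[:2] == ["match", "tag"]:
            cfg["class_maps"][name].append(words[2])
        elif kind == "policy_map" and words[0] == "class":
            current_class = words[-1]                # "class X" or "class type tag X"
            cfg["policy_maps"][name].append({"class": current_class, "identity_policy": None})
        elif kind == "policy_map" and words[:2] == ["identity", "policy"] and current_class:
            cfg["policy_maps"][name][-1]["identity_policy"] = words[2]
        elif kind == "identity" and words[0] == "access-group":
            cfg["identity_policies"][name].append(words[1])
        elif kind == "interface" and words[:2] == ["ip", "admission"]:
            cfg["interfaces"][name] = words[2]
    return cfg


def check_references(cfg: Dict[str, dict]) -> List[str]:
    """Return one message per dangling reference; an empty list means consistent."""
    problems = []
    for pmap, classes in cfg["policy_maps"].items():
        for entry in classes:
            if entry["class"] not in cfg["class_maps"]:
                problems.append(f"policy-map {pmap}: class map {entry['class']} not configured")
            ipol = entry["identity_policy"]
            if ipol is None:
                problems.append(f"policy-map {pmap}: class {entry['class']} has no identity policy")
            elif ipol not in cfg["identity_policies"]:
                problems.append(f"policy-map {pmap}: identity policy {ipol} not defined")
    for ipol, groups in cfg["identity_policies"].items():
        for acl in groups:
            if acl not in cfg["acls"]:
                problems.append(f"identity policy {ipol}: access-group {acl} has no matching ACL")
    for rule, pmap in cfg["admission_rules"].items():
        if pmap is not None and pmap not in cfg["policy_maps"]:
            problems.append(f"ip admission {rule}: service policy {pmap} not defined")
    for intf, rule in cfg["interfaces"].items():
        if rule is not None and rule not in cfg["admission_rules"]:
            problems.append(f"interface {intf}: ip admission {rule} not defined")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_references(parse_config(text)) or "OK")
```

The script accepts both `class X` and `class type tag X` under the policy map, and both numbered and named ACLs, because either form can appear in a running configuration. A tag that arrives for which no class map exists is not flagged here; that case shows up at runtime in show epm session ip rather than in the configuration.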
Where to Go Next
The tag attribute must be configured in the RADIUS profile using the following Cisco attribute-value (AV) pair: tag-name={tag string}.
For information about configuring RADIUS AV pairs, see the subsection "Configuring Cisco AV Pairs" in the section "Related Documents."
Additional References
The following sections provide references related to Tag and Template.
Related Documents
Related Topic | Document Title
Cisco IOS commands | Cisco IOS Master Command List, Release 12.4T
Configuring Cisco RADIUS AV pairs | The section "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.4
Standards
MIBs
RFCs
Technical Assistance
Command Reference
This section documents new and modified commands only.
New Commands
Modified Commands
class-map
To create a class map to be used for matching packets to a specified class, use the class-map command in global configuration mode. To remove an existing class map from the router, use the no form of this command.
class-map [type {stack | access-control | port-filter | queue-threshold | tag}] [match-all | match-any] class-map-name
no class-map [type {stack | access-control | port-filter | queue-threshold | tag}] [match-all | match-any] class-map-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify the name of the class for which you want to create or modify class-map match criteria. Use of the class-map command enables class-map configuration mode in which you can enter one of the match commands to configure the match criteria for this class. Packets arriving at either the input or output interface (determined by how the service-policy command is configured) are checked against the match criteria configured for a class map to determine if the packet belongs to that class.
When configuring a class map, you can use one or more match commands to specify match criteria. For example, you can use the match access-group command, the match protocol command, or the match input-interface command. The match commands vary according to the Cisco IOS release. For more information about match criteria and match commands, see the "Modular Quality of Service Command-Line Interface (CLI)" chapter of the Cisco IOS Quality of Service Solutions Configuration Guide.
Examples
The following example specifies class101 as the name of a class, and it defines a class map for this class. The class called class101 specifies policy for traffic that matches access control list 101.

class-map class101
 match access-group 101

The following example shows how to define FPM traffic classes for slammer and UDP packets. The match criteria defined within the class maps is for slammer and UDP packets with an IP length of 404 bytes (0x194), UDP destination port 1434 (0x59A), and the pattern 0x4011010 at offset 224 bytes from the start of the IP header.

load protocol disk2:ip.phdf
load protocol disk2:udp.phdf
class-map type stack match-all ip-udp
 description "match UDP over IP packets"
 match field ip protocol eq 0x11 next udp
class-map type access-control match-all slammer
 description "match on slammer packets"
 match field udp dest-port eq 0x59A
 match field ip length eq 0x194
 match start l3-start offset 224 size 4 eq 0x4011010

The following example shows how to configure a port-filter policy to drop all traffic destined to closed or "nonlistened" ports except UDP port 123.

Router(config)# class-map type port-filter pf-class
Router(config-cmap)# match not port udp 123
Router(config-cmap)# match closed-ports
Router(config-cmap)# exit
Router(config)# policy-map type port-filter pf-policy
Router(config-pmap)# class pf-class
Router(config-pmap-c)# drop
Router(config-pmap-c)# end

The following example shows how to configure a class map for the type tag "healthy_class" and how to attach the class map "healthy_class" to the policy map.

Router(config)# class-map type tag healthy_class
Router(config-cmap)# match tag healthy
Router(config-cmap)# end
...
! The following line will be associated with the IP admission name.
Router(config)# policy-map type control tag global_class
! The following line refers to the class map that was defined above.
Router(config-pmap)# class healthy_class
Router(config-pmap-c)# identity policy healthy_policy
Router(config-pmap-c)# end

Related Commands
class type tag
To associate a class map with a policy map, use the class type tag command in policy map configuration mode. To disassociate the command, use the no form of this command.
class type tag {class-name} [insert-before {class-name}]
no class type tag {class-name} [insert-before {class-name}]
Syntax Description
Command Default
A class map is not associated with a policy map.
Command Modes
Policy map configuration
Command History
Usage Guidelines
If this command is used and the class is not configured, an error is generated to the user. The error may be something such as "% class map {name} not configured." If the class needs to be inserted before a specific class map, the insert-before keyword can be used. The insert-before keyword is typically needed if the administrator is configuring any per-host class maps and would like it inserted before a specific class map. The class type tag command creates the policy map class configuration mode. There can be multiple classes under the policy map.
Examples
The following example shows that the class map "usergroup1_class" is to be associated with a policy map:

class type tag usergroup1_class

Related Commands
Command | Description
policy-map | Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
debug tag-template event
To display the tag application on a session (an Authentication Proxy or Extensible Authentication Protocol over UDP session), use the debug tag-template event command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug tag-template event
no debug tag-template event
Syntax Description
This command has no arguments or keywords.
Command Default
Debugging is turned off.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows that the tag application on a session is to be displayed:

Router# debug tag-template event

Related Commands
identity policy (policy-map)
To reference a global identity policy from a class of a tag-type policy map, use the identity policy command in policy map class configuration mode. To remove the reference, use the no form of this command.
identity policy {policy-name}
no identity policy {policy-name}
Syntax Description
Command Default
An identity policy is not created.
Command Modes
Policy map class configuration
Command History
Usage Guidelines
This command refers to the global identity policy that is configured on the device that contains the access policies that are to be applied. Only a single identity policy can be configured under the policy class configuration submode. If the identity policy is not defined on the device, an error is generated during the application of the policy.
Examples
The following example shows the identity policy "healthy_identity" being referenced from the class "healthy_class" of a tag-type policy map:

Router(config)# policy-map type control tag healthy_pmap
Router(config-pmap)# class healthy_class
Router(config-pmap-c)# identity policy healthy_identity
Router(config-pmap-c)# end

In the following example, the global identity policy named "healthy_identity" that the policy map refers to is defined:

Router(config)# identity policy healthy_identity
Router(config-identity-policy)# access-group healthy_acl
Router(config-identity-policy)# end

Related Commands
Command | Description
class type tag | Associates a class map with a policy map.
policy-map | Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
ip admission name
To create an IP network admission control rule, use the ip admission name command in global configuration mode. To remove the network admission control rule, use the no form of this command.
ip admission name admission-name [eapoudp [bypass] | proxy {ftp | http | telnet} | service-policy type tag {service-policy-name}] [list {acl | acl-name}]
no ip admission name admission-name [eapoudp [bypass] | proxy {ftp | http | telnet} | service-policy type tag {service-policy-name}] [list {acl | acl-name}]
Syntax Description
Defaults
An IP network admission control rule is not created.
Command Modes
Global configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
12.4(6)T | The bypass and service-policy type tag keywords and the service-policy-name argument were added.
Usage Guidelines
The admission rule defines how you apply admission control.
You can associate the named rule with an ACL, providing control over which hosts use the admission control feature. If no standard access list is defined, the named admission rule intercepts IP traffic from all hosts whose connection-initiating packets are received at the configured interface.
The list keyword option allows you to apply a standard, extended (1 through 199) or named access list to a named admission control rule. IP connections that are initiated by hosts in the access list are intercepted by the admission control feature.
The bypass keyword allows an administrator to skip EAPoUDP-based posture validation for the hosts that are trying to connect on the port. The bypass can be used if an administrator knows that the hosts that are connected on the port do not have the Cisco Trust Agent client installed.
The service policy type tag {service-policy-name} keywords and argument allow you to associate the service policy of the type tag with the IP admission rule. On the network access device (NAD), a set of policies can be associated with an arbitrary tag string, and if the AAA server sends the same tag in response to the posture validation or authentication response, the policies that are associated with the tag can be applied on the host. The service policy keyword is an optional keyword, and if the service policy is not associated with the IP admission name, the policies that are received from the AAA server are applied on the host.
Examples
The following example shows that an IP admission control rule is named "greentree" and that it is associated with ACL "101." IP traffic from hosts that match ACL 101 (configured with the access-list command) is subjected to posture (antivirus state) validation using EAPoUDP.

Router(config)# ip admission name greentree eapoudp list 101

The following example shows that EAPoUDP bypass has been configured:

Router(config)# ip admission name greentree eapoudp bypass list 101

In the following service policy example, tags named "healthy" and "non_healthy" can be received from an AAA server, the policy map is defined on the NAD, and the tag policy type is associated with the IP admission name "greentree." The access-group names referenced by the identity policies must match the names of the ACLs that are defined.

Class Map Definition for the "healthy_class" Type Tag

Router(config)# class-map type tag healthy_class
Router(config-cmap)# match tag healthy
Router(config-cmap)# end

Class Map Definition for the "non_healthy_class" Type Tag

Router(config)# class-map type tag non_healthy_class
Router(config-cmap)# match tag non_healthy
Router(config-cmap)# end

Policy Map Is Defined

! The following line will be associated with the IP admission name.
Router(config)# policy-map type control tag global_class
! The following line refers to the class map that was defined above.
Router(config-pmap)# class healthy_class
Router(config-pmap-c)# identity policy healthy_policy
Router(config-pmap-c)# exit
! The following line refers to the non_healthy class that was defined above.
Router(config-pmap)# class non_healthy_class
Router(config-pmap-c)# identity policy non_healthy_policy
Router(config-pmap-c)# end

Identity Policy Can Be Defined As Follows

Router(config)# identity policy healthy_policy
! The following line is the IP access list for healthy users.
Router(config-identity-policy)# access-group healthy_acl
Router(config-identity-policy)# end
Router(config)# identity policy non_healthy_policy
Router(config-identity-policy)# access-group non_healthy_acl
Router(config-identity-policy)# end

Access Lists Can Be Defined As Follows

Router(config)# ip access-list extended healthy_acl
! The following line can be anything, but as an example, traffic is being allowed.
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# end
Router(config)# ip access-list extended non_healthy_acl
! The following line is only an example. In practical cases, you could prevent a user from accessing specific networks.
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# end

Policy Map That Was Defined Above Is Associated with the IP Admission Name

Router(config)# ip admission name greentree service-policy type tag global_class
! In the next line, the admission name can be associated with the interface.
Router(config)# interface fastethernet 1/0
Router(config-if)# ip admission greentree

In the above configuration, if the AAA server sends a tag named "healthy" or "non_healthy" for any host, the policies that are associated with the appropriate identity policy will be applied on the host.
Related Commands
ip auth-proxy name
To create an authentication proxy rule, use the ip auth-proxy name command in global configuration mode. To remove the authentication proxy rules, use the no form of this command.
ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-timer min] [absolute-timer min] [list {acl | acl-name}] [service-policy type tag {service-policy-name}]
no ip auth-proxy name auth-proxy-name
Syntax Description
Defaults
If inactivity-timer is not specified, the timeout for the rule is the value set with the ip auth-proxy auth-cache-time command.
Command Modes
Global configuration
Command History
Usage Guidelines
This command creates a named authentication proxy rule, and it allows you to associate that rule with an access control list (ACL), providing control over which hosts use the authentication proxy. The rule is applied to an interface on a router using the ip auth-proxy command.
Use the inactivity-timer min option to override the global authentication proxy cache timer. This option provides control over timeout values for specific authentication proxy rules. The authentication proxy cache timer monitors the length of time (in minutes) that an authentication cache entry, along with its associated dynamic user access control list, is retained after a period of inactivity. When that period of inactivity (idle time) expires, the authentication entry and the associated dynamic access lists are deleted.
Use the list option to associate a set of specific IP addresses or a named ACL with the ip auth-proxy name command.
Use the no form of this command with a rule name to remove the authentication proxy rules. If no rule is specified, the no form of this command removes all the authentication rules on the router, and disables the proxy at all interfaces.
Note
You must use the aaa authorization auth-proxy command together with the ip auth-proxy name command. Together these commands set up the authorization policy to be retrieved by the firewall. Refer to the aaa authorization auth-proxy command for more information.
Examples
The following example creates the HQ_users authentication proxy rule. Because an access list is not specified in the rule, all connection-initiating HTTP traffic is subjected to authentication.

ip auth-proxy name HQ_users http

The following example creates the Mfg_users authentication proxy rule and applies it to hosts specified in ACL 10:

access-list 10 permit 192.168.7.0 0.0.0.255
ip auth-proxy name Mfg_users http list 10

The following example sets the inactivity timeout value for Mfg_users to 30 minutes:

access-list 15 permit any
ip auth-proxy name Mfg_users http inactivity-timer 30 list 15

The following example disables the Mfg_users rule:

no ip auth-proxy name Mfg_users

The following example disables the authentication proxy at all interfaces and removes all the rules from the router configuration:

no ip auth-proxy

Related Commands
match port-type
To match the access policy on the basis of the port for a class map, use the match port-type command in class map configuration mode. To delete the port type, use the no form of this command.
match port-type {routed | switched}
no match port-type {routed | switched}
Syntax Description
Command Default
Access policy is not matched.
Command Modes
Class map configuration
Command History
Usage Guidelines
This command is used because, on the basis of the port on which a user is connecting, the access policies that are applied to it can be different.
Examples
The following example shows a class map that matches on the port type (routed) of the port the user connected on:

Router(config-cmap)# match port-type routed
Related Commands
Command | Description
class-map | Creates a class map to be used for matching packets to a specified class.
match tag (class-map) | Specifies the tag to be matched for a tag type of class map.
match tag (class-map)
To specify the tag to be matched for a tag type of class map, use the match tag command in class map configuration mode. To delete the tag, use the no form of this command.
match tag {tag-name}
no match tag {tag-name}
Syntax Description
Command Default
No match tags are defined.
Command Modes
Class map configuration
Command History
Usage Guidelines
The access control server (ACS) sends the tag attribute to the network access device (NAD) using the Cisco attribute-value (AV) pair tag-name={tag string}. (The tag attribute can also be sent to the NAD using IETF attribute 88.)
Examples
The following example shows that the tag to be matched is named "healthy":

Router(config)# class-map type tag healthy_class
Router(config-cmap)# match tag healthy
Router(config-cmap)# end

Related Commands
Command | Description
class-map | Creates a class map to be used for matching packets to a specified class.
policy-map
To create or modify a policy map that can be attached to one or more interfaces to specify a service policy, use the policy-map command in global configuration mode. To delete a policy map, use the no form of this command.
policy-map [type access-control | type control tag] policy-map-name
no policy-map [type access-control | type control tag] policy-map-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release | Modification
12.0(5)T | This command was introduced.
12.4(4)T | The type access-control keywords were added to support flexible packet matching.
12.4(6)T | The type control tag keywords were added.
Usage Guidelines
Use the policy-map command to specify the name of the policy map to be created, added to, or modified before you can configure policies for classes whose match criteria are defined in a class map. Entering the policy-map command enables QoS policy-map configuration mode in which you can configure or modify the class policies for that policy map.
You can configure class policies in a policy map only if the classes have match criteria defined for them. You use the class-map and match commands to configure the match criteria for a class. Because you can configure a maximum of 64 class maps, no policy map can contain more than 64 class policies.
A single policy map can be attached to multiple interfaces concurrently. When you attempt to attach a policy map to an interface, the attempt is denied if the available bandwidth on the interface cannot accommodate the total bandwidth requested by class policies comprising the policy map. In this case, if the policy map is already attached to other interfaces, it is removed from them.
Whenever you modify class policy in an attached policy map, CBWFQ is notified and the new classes are installed as part of the policy map in the CBWFQ system.
Examples
The following example creates a policy map called policy1 and configures two class policies included in that policy map. The class policy called class1 specifies policy for traffic that matches access control list (ACL) 136. The second class is the default class to which packets that do not satisfy configured match criteria are directed.

! The following commands create class-map class1 and define its match criteria:
class-map class1
 match access-group 136
! The following commands create the policy map, which is defined to contain policy
! specification for class1 and the default class:
policy-map policy1
 class class1
  bandwidth 2000
  queue-limit 40
 class class-default
  fair-queue 16
  queue-limit 20

The following example creates a policy map called policy9 and configures three class policies to belong to that map. Of these classes, two specify policy for classes with class maps that specify match criteria based on either a numbered ACL or an interface name, and one specifies policy for the default class called class-default to which packets that do not satisfy configured match criteria are directed.

policy-map policy9
 class acl136
  bandwidth 2000
  queue-limit 40
 class ethernet101
  bandwidth 3000
  random-detect exponential-weighting-constant 10
 class class-default
  fair-queue 10
  queue-limit 20

The following example shows that a policy map of type control tag has been created:

! The following line will be associated with the IP admission name.
Router(config)# policy-map type control tag global_class
! The following line refers to the class map that was defined above.
Router(config-pmap)# class healthy_class
Router(config-pmap-c)# identity policy healthy_policy
Router(config-pmap-c)# exit
! The following line refers to the non_healthy class that was defined above.
Router(config-pmap)# class non_healthy_class
Router(config-pmap-c)# identity policy non_healthy_policy
Router(config-pmap-c)# end

Related Commands
show class-map
To display all class maps and their matching criteria, use the show class-map command in privileged EXEC mode.
show class-map [type {stack | access-control | tag}] [class-map-name]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can use the show class-map command to display all class maps and their matching criteria. If you enter the optional class-map-name argument, the specified class map and its matching criteria will be displayed.
Examples
In the following example, three class maps are defined. Packets that match access list 103 belong to class c3, IP packets belong to class c2, and packets that come through input Ethernet interface 1/0 belong to class c1. The output from the show class-map command shows the three defined class maps.
Router# show class-map

 Class Map c3
   Match access-group 103

 Class Map c2
   Match protocol ip

 Class Map c1
   Match input-interface Ethernet1/0

In the following example, a class map called "c1" has been defined, and the Frame Relay DLCI number of 500 has been specified as a match criterion:

Router# show class-map

 class map match-all c1
  match fr-dlci 500

The following example shows the output when the type tag keyword is used, so that only class maps of type tag are displayed:

Router# show class-map type tag

 class map type tag match-all temp (id 1)
  match tag healthy

Table 1 describes the significant fields shown in the display.
Table 1 show class-map Field Descriptions (1)

Field       Description
Class-map   Class of traffic being displayed. Output is displayed for each configured class map in the policy. The choice for implementing class matches (for example, match-all or match-any) can also appear next to the traffic class.
Match       Match criteria specified for the class map. Choices include criteria such as the Frame Relay DLCI number, Layer 3 packet length, IP precedence, IP differentiated services code point (DSCP) value, Multiprotocol Label Switching (MPLS) experimental value, access groups, and quality of service (QoS) groups.

(1) A number in parentheses may appear next to the class-map name and the match criteria information. The number is for Cisco internal use only and can be disregarded.
Related Commands
show epm session ip
To display whether tag policies have been applied, use the show epm session ip command in privileged EXEC mode.
show epm session ip {ip-address | summary}
Syntax Description
ip-address
Information is displayed for a specific IP address.
summary
Information is displayed for all sessions.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows information for all sessions:
Router# show epm session ip summary

Total sessions seen so far : 1
Total active sessions : 1
Session IP Address : 10.9.0.1

The following output shows information specifically for IP address 10.9.0.1:

Router# show epm session ip 10.9.0.1

Admission feature : Eapoudp
Tag Received : healthy
Policy map used : temp
Class map matched : temp

Table 2 describes significant fields shown in the displays.
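The policy map type tag example earlier in this section and the show epm session ip display above are the two places where a tag configuration can fail silently: a class that names an identity policy which was never defined, a class map type tag with no match tag line, a policy map that no IP admission rule references, or a session whose reported class map cannot actually match the tag the RADIUS server sent. The following Python script is an added example, not Cisco code and not part of the original page. It parses a constructed running-config fragment and constructed show epm session ip displays and reports every broken link in the chain. The names (healthy_class, global_class, nac_rule, quarantine_policy, the 10.9.0.x addresses) are invented, and the exact forms of the identity policy and ip admission name ... service-policy type tag commands in the constructed input are assumed from the IOS command reference rather than taken from this page.

```python
"""Consistency check for a Cisco IOS Tag and Template configuration. Added
example, not Cisco's code; all names, addresses and the identity-policy and
ip admission command forms used in the constructed input are assumptions."""
import re

# Constructed config (invented names). Deliberate defect: quarantine_policy is never defined.
CONFIG = """\
class-map type tag match-all healthy_class
 match tag healthy
class-map type tag match-all non_healthy_class
 match tag non_healthy
identity policy healthy_policy
policy-map type control tag global_class
 class healthy_class
  identity policy healthy_policy
 class non_healthy_class
  identity policy quarantine_policy
ip admission name nac_rule eapoudp
ip admission name nac_rule service-policy type tag global_class
"""

# Constructed displays. The second is deliberately inconsistent: no class-map matches 'checkup'.
SHOW_EPM = """\
Router# show epm session ip 10.9.0.1
Admission feature : Eapoudp
Tag Received : healthy
Policy map used : global_class
Class map matched : healthy_class
Router# show epm session ip 10.9.0.2
Tag Received : checkup
Class map matched : healthy_class
"""


def parse_blocks(config):
    """Group an IOS config into {header line: [indented child lines]}."""
    blocks, header = {}, None
    for raw in config.splitlines():
        if raw.strip() and not raw.startswith("!"):
            if not raw.startswith(" "):
                header = raw.strip()
                blocks.setdefault(header, [])
            elif header is not None:
                blocks[header].append(raw.strip())
    return blocks


def parse_tag_config(config):
    """Extract the objects that form the tag enforcement chain."""
    cfg = {"tag_classes": {}, "id_policies": set(), "tag_pmaps": {}, "admission": {}}
    for hdr, body in parse_blocks(config).items():
        if m := re.match(r"class-map type tag (?:match-\w+ )?(\S+)$", hdr):
            cfg["tag_classes"][m[1]] = {l.split()[-1] for l in body if l.startswith("match tag ")}
        elif m := re.match(r"identity policy (\S+)$", hdr):
            cfg["id_policies"].add(m[1])
        elif m := re.match(r"policy-map type control tag (\S+)$", hdr):
            classes, cur = {}, None
            for l in body:  # 'class X' opens a class; 'identity policy Y' is its action
                if l.startswith("class "):
                    cur = l.split()[1]
                    classes[cur] = None
                elif l.startswith("identity policy ") and cur:
                    classes[cur] = l.split()[-1]
            cfg["tag_pmaps"][m[1]] = classes
        elif m := re.match(r"ip admission name (\S+) service-policy type tag (\S+)$", hdr):
            cfg["admission"][m[1]] = m[2]
    return cfg


def check_config(config):
    """Return the broken links in the enforcement chain (empty list = consistent)."""
    cfg, out = parse_tag_config(config), []
    for rule, pmap in cfg["admission"].items():
        if pmap not in cfg["tag_pmaps"]:
            out.append(f"ip admission {rule}: policy-map {pmap} is not defined")
    for pmap, classes in cfg["tag_pmaps"].items():
        for cls, pol in classes.items():
            if not cfg["tag_classes"].get(cls):  # no class-map, or no 'match tag' in it
                out.append(f"{pmap}: class {cls} has no class-map type tag with a match tag")
            if pol not in cfg["id_policies"]:  # None (no action) or an undefined name
                out.append(f"{pmap}: class {cls} applies identity policy {pol}, which is not defined")
    return out


def parse_epm(show_output):
    """Parse one or more 'show epm session ip <address>' displays into dicts."""
    sessions, cur = [], None
    for line in show_output.splitlines():
        if m := re.search(r"show epm session ip (\d[\d.]*)$", line):
            sessions.append(cur := {"ip": m[1]})
        elif cur is not None and " : " in line:
            key, val = (p.strip() for p in line.split(" : ", 1))
            cur[key] = val
    return sessions


def check_sessions(config, show_output):
    """Flag sessions whose reported class-map cannot match the tag they received."""
    tag_classes, out = parse_tag_config(config)["tag_classes"], []
    for s in parse_epm(show_output):
        tag, cls = s.get("Tag Received"), s.get("Class map matched")
        if tag not in tag_classes.get(cls, set()):
            out.append(f"{s['ip']}: class-map {cls} does not match tag '{tag}'")
    return out
```

Feed it the text of show running-config and of show epm session ip for each active session. An empty list from check_config means every class in the tag policy map is backed by a class map with a match tag line and by a defined identity policy, and that the IP admission rule points at a policy map that exists; an empty list from check_sessions means the class the device reports for each session is one that really matches the tag it received. A tag that the RADIUS server can return but that no class map type tag matches is a separate gap, which this script cannot see from the device side alone; extending check_sessions with the list of tags the server is configured to send would catch that as well.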
show policy-map
To display the configuration of all classes for a specified service policy map or all classes for all existing policy maps, use the show policy-map command in privileged EXEC mode.
show policy-map [policy-map] [type control tag]
Syntax Description
policy-map
(Optional) Name of the service policy map whose complete configuration is to be displayed.
type control tag
(Optional) Displays information about the policy map type tag.
Defaults
All existing policy map configurations are displayed.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The show policy-map command displays the configuration of a service policy map created using the policy-map command. You can use the show policy-map command to display all class configurations comprising any existing service policy map, whether or not that service policy map has been attached to an interface.
Examples
The following is sample output from the show policy-map command. This sample output displays the contents of a policy map called "policy1." In policy1, traffic policing on the basis of a committed information rate (CIR) of 20 percent and a peak information rate (PIR) of 40 percent has been configured, and the bc and be have been specified in milliseconds. As part of the traffic policing configuration, optional conform, exceed, and violate actions have been specified.

Router# show policy-map policy1

  Policy Map policy1
    Class class1
     police cir percent 20 bc 300 ms pir percent 40 be 400 ms
       conform-action transmit
       exceed-action drop
       violate-action drop

The following example shows the output when the type control tag keywords are used, so that only policy maps of type tag are displayed:

Router# show policy-map type control tag

  Policy Map type tag temp
    Class temp

Table 3 describes the significant fields shown in the display.
Related Commands
Feature Information for Tag and Template
Table 4 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Note
Table 4 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006 Cisco Systems, Inc. All rights reserved.