Feedback
Table Of Contents
match unauthenticated-username
radius-server attribute nas-port-id include
sg-service-type external policy
show platform isg session-count
debug subscriber policy dpm timestamps
show subscriber policy dpm statistics
show subscriber trace statistics
match access-group (ISG)
To configure the match criteria for an Intelligent Services Gateway (ISG) traffic class map on the basis of the specified access control list (ACL), use the match access-group command in traffic class-map configuration mode. To remove ACL match criteria from a class map, use the no form of this command.
match access-group {input | output} {access-group | name access-group-name}
no match access-group {input | output} {access-group | name access-group-name}
Syntax Description
Command Default
No match criteria are configured.
Command Modes
Traffic class-map configuration
Command History
Usage Guidelines
The match access-group command specifies a numbered or named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the class. Packets satisfying the match criteria for a class constitute the traffic for that class.
To use the match access-group command for traffic classes, you must first enter the class-map type traffic command to specify the name of the traffic class whose match criteria you want to establish.
Once a traffic class map has been defined, use the class type traffic command to associate the traffic class map with a service policy map. A service can contain one traffic class, and the default class.
ISG traffic classes allow subscriber session traffic to be subclassified so that ISG features can be applied to constituent flows. Traffic policies, which define the handling of data packets, contain a traffic class and one or more features.
Examples
The following example configures a class map called "acl144" and specifies the ACL numbered 144 to be used as the input match criterion for this class:
class-map type traffic match-any acl144match access-group input 144Related Commands
match access-list
To specify packets for port-mapping by specifying an access list to compare against the subscriber traffic, use the destination access-list command in portbundle configuration mode. To remove this specification, use the no form of this command.
match access-list access-list-number
no match access-list access-list-number
Syntax Description
Command Default
The Intelligent Services Gateway (ISG) port-maps all TCP traffic.
Command Modes
IP portbundle configuration
Command History
Usage Guidelines
You can use multiple entries of the match access-list command. The access lists are checked against the subscriber traffic in the order in which they are defined.
Examples
In the following example, the ISG will port-map packets that are permitted by access list 100:
ip portbundlematch access-list 100source ip Ethernet0/0/0!...!access-list 100 permit ip 10.0.0.0 0.255.255.255 host 10.13.6.100access-list 100 deny ip any anyRelated Commands
match authen-status
To create a condition that will evaluate true if a subscriber's authentication status matches the specified authentication status, use the match authen-status command in control class-map configuration mode. To remove the condition, use the no form of this command.
match authen-status {authenticated | unauthenticated}
no match authen-status {authenticated | unauthenticated}
Syntax Description
authenticated
Subscriber has been authenticated.
unauthenticated
Subscriber has not been authenticated.
Command Default
A condition that will evaluate true if a subscriber's authentication status matches the specified authentication status is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match authen-status command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.
class-map type type control match-all CONDAmatch authen-status unauthenticatedmatch timer TIMERApolicy-map type control RULEAclass type control always event session-start1 set-timer TIMERA 1 [minutes]!class type control CONDA event timed-policy-expiry1 service disconnectRelated Commands
match authenticated-domain
To create a condition that will evaluate true if a subscriber's authenticated domain matches the specified domain, use the match authenticated-domain command in control class-map configuration mode. To remove the condition, use the no form of this command.
match authenticated-domain {domain-name | regexp regular-expression}
no match authenticated-domain
Syntax Description
domain-name
Domain name.
regexp regular-expression
Regular expression to be matched against subscriber's authenticated domain name.
Command Default
A condition that will evaluate true if a subscriber's authenticated domain matches the specified domain is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match authenticated-domain command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example creates a control class map that will evaluate true if a subscriber's domain matches the regular expression ".*com".
class-map type control match-all MY-CONDITION1match authenticated-domain regexp ".*com"Related Commands
match authenticated-username
To create a condition that will evaluate true if a subscriber's authenticated username matches the specified username, use the match authenticated-username command in control class-map configuration mode. To remove the condition, use the no form of this command.
match authenticated-username {username | regexp regular-expression}
no match authenticated-username {username | regexp regular-expression}
Syntax Description
username
Username
regexp regular-expression
Matches the regular expression against the subscriber's authenticated username.
Command Default
A condition is not created.
Command Modes
Control class-map configuration (config-control-classmap)
Command History
Usage Guidelines
The match authenticated-username command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which evaluates to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true for the class as a whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".
class-map type control match-all class3match authenticated-username regexp "user@.*com"match authenticated-domain regexp ".*com"!policy-map type control rule4class type control class3 event session-start1 authorize identifier authenticated-usernameRelated Commands
match dnis
To create a condition that will evaluate true if a subscriber's Dialed Number Identification Service number (DNIS number, also referred to as called-party number) matches the specified DNIS, use the match dnis command in control class-map configuration mode. To remove the condition, use the no form of this command.
match dnis {dnis | regexp regular-expression}
no match dnis {dnis | regexp regular-expression}
Syntax Description
dnis
DNIS number.
regexp regular-expression
Matches the regular expression against the subscriber's DNIS number.
Command Default
A condition that will evaluate true if a subscriber's DNIS number matches the specified DNIS is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match dnis command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".
class-map type control match-all class3match dnis reg-exp 5550100!policy-map type control rule4class type control class3 event session-start1 authorize identifier dnis!Related Commands
match media
To create a condition that will evaluate true if a subscriber's access media type matches the specified media type, use the match media command in control class-map configuration mode. To remove the condition, use the no form of this command.
match media {async | atm | ether | ip | isdn | mpls | serial}
no match media {async | atm | ether | ip | isdn | mpls | serial}
Syntax Description
async
Asynchronous media.
atm
ATM.
ether
Ethernet.
ip
IP.
isdn
ISDN.
mpls
Multiprotocol Label Switching (MPLS).
serial
Serial.
Command Default
A condition that will evaluate true if a subscriber's access media type matches the specified media type is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match media command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example configures a control class map that evaluates true for subscribers that enter the router through Ethernet interface slot 3.
class-map type control match-all MATCHING-USERSmatch media ethermatch nas-port type ether slot 3Related Commands
match mlp-negotiated
To create a condition that will evaluate true depending on whether or not a subscriber's session was established using multilink PPP negotiation, use the match mlp-negotiated command in control class-map configuration mode. To remove the condition, use the no form of this command.
match mlp-negotiated {no | yes}
no match mlp-negotiated {no | yes}
Syntax Description
no
The subscriber's session was not multilink PPP negotiated.
yes
The subscriber's session was multilink PPP negotiated.
Command Default
A condition is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match mlp-negotiated command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map configured with the match mlp-negotiated command:
class-map type control match-all class3match mlp-negotiated yes!policy-map type control rule4class type control class3 event session-start1 authorize authenticated-usernameRelated Commands
match nas-port
To create a condition that will evaluate true if a subscriber's network access server (NAS) port identifier matches the specified value, use the match nas-port command in control class-map configuration mode. To remove the condition, use the no form of this command.
match nas-port {adapter adapter-number | channel channel-number | circuit-id name | ipaddr ip-address | port port-number | remote-id name | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
no match nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
Syntax Description
Command Default
A condition that will evaluate true if a subscriber's NAS port identifier matches the specified value is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match nas-port command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example configures a control class map that evaluates true on PPPoE subscribers that enter the router through Ethernet interface slot 3.
class-map type control match-all MATCHING-USERSclass type control name NOT-ATMmatch media ethermatch nas-port type ether slot 3Related Commands
match no-username
To create a condition that will evaluate true if a subscriber's username is available, use the match no-username command in control class-map configuration mode. To remove the condition, use the no form of this command.
match no-username {no | yes}
no match no-username {no | yes}
Syntax Description
Command Default
A condition that will evaluate true if a subscriber's username is available is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match no-username command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map configured with the match no-username command:
class-map type control match-all class3match no-username yes!policy-map type control rule4class type control class3 event session-start1 service localRelated Commands
match protocol (ISG)
To create a condition that will evaluate true if a subscriber's access protocol type matches the specified protocol type, use the match protocol command in control class-map configuration mode. To remove the condition, use the no form of this command.
match protocol {atom | ip | pdsn | ppp | vpdn}
no match protocol {atom | ip | pdsn | ppp | vpdn}
Syntax Description
atom
Any Transport over MPLS (AToM).
ip
IP.
pdsn
Packet Data Serving Node (PDSN).
ppp
Point-to-Point Protocol (PPP).
vpdn
Virtual Private Dialup Network (VPDN).
Command Default
A condition that will evaluate true if a subscriber's access protocol type matches the specified protocol type is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match protocol command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example creates a control class map that evaluates true if subscribers arrive from a VPDN tunnel:
class-map type control match-any MY-CONDITIONmatch protocol vpdnRelated Commands
match service-name
To create a condition that will evaluate true if the service name associated with a subscriber matches the specified service name, use the match service-name command in control class-map configuration mode. To remove the condition, use the no form of this command.
match service-name {service-name | regexp regular-expression}
no service-name {service-name | regexp regular-expression}
Syntax Description
service-name
Service name.
regexp regular-expression
Regular expression to be matched against subscriber's service name.
Command Default
A condition that will evaluate true if the service name associated with a subscriber matches the specified service name is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match service-name command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example configures ISG to authenticate subscribers associated with the service before downloading the service:
aaa authentication login AUTHEN localaaa authorization network SERVICE group radius!class-map type control match-any MY-CONDITION2match service-name "gold"match service-name "bronze"match service-name "silver"!policy-map type control MY-RULE2class type control MY-CONDITION2 event service-start1 authenticate aaa list AUTHEN2 service-policy type service aaa list SERVICE identifier service-name!service-policy type control MY-RULE2Related Commands
match source-ip-address
To create a condition that will evaluate true if a subscriber's source IP address matches the specified IP address, use the match source-ip-address command in control class-map configuration mode. To remove the condition, use the no form of this command.
match source-ip-address ip-address subnet-mask
no match source-ip-address ip-address subnet-mask
Syntax Description
Command Default
A condition that will evaluate true if a subscriber's source IP address matches the specified IP address is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match source-ip-address command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".
class-map type control match-all class3match source-ip-address 10.0.0.0 255.255.255.0!policy-map type control rule4class type control class3 event session-start1 authorize identifier source-ip-address!Related Commands
match timer
To create a condition that will evaluate true when the specified timer expires, use the match timer command in control class-map configuration mode. To remove the condition, use the no form of this command.
match timer {timer-name | regexp regular-expression}
no match timer {timer-name | regexp regular-expression}
Syntax Description
timer-name
Name of the policy timer.
regexp regular-expression
Regular expression to be matched against the timer name.
Command Default
A condition that will evaluate true when the specified timer expires is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match timer command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.
class-map type control match-all CONDAmatch authen-status unauthenticatedmatch timer TIMERApolicy-map type control RULEAclass type control always event session-start1 set-timer TIMERA 1!class type control CONDA event timed-policy-expiry1 service disconnectRelated Commands
match tunnel-name
To create a condition that will evaluate true if a subscriber's Virtual Private Dialup Network (VPDN) tunnel name matches the specified tunnel name, use the match tunnel-name command in control class-map configuration mode. To remove the condition, use the no form of this command.
match tunnel-name {tunnel-name | regexp regular-expression}
no match tunnel-name {tunnel-name | regexp regular-expression}
Syntax Description
tunnel-name
VPDN tunnel name.
regexp regular-expression
Regular expression to be matched against the subscriber's tunnel name.
Command Default
A condition that will evaluate true if a subscriber's VPDN tunnel name matches the specified tunnel name is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match tunnel-name command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".
class-map type control match-all class3match tunnel-name LAC!policy-map type control rule4class type control class3 event session-start1 authorize identifier tunnel-name!Related Commands
match unauthenticated-domain
To create a condition that will evaluate true if a subscriber's unauthenticated domain name matches the specified domain name, use the match unauthenticated-domain command in control class-map configuration mode. To remove the condition, use the no form of this command.
match unauthenticated-domain {domain-name | regexp regular-expression}
no match unauthenticated-domain {domain-name | regexp regular-expression}
Syntax Description
domain-name
Domain name.
regexp regular-expression
Regular expression to be matched against subscriber's domain name.
Command Default
A condition that will evaluate true if a subscriber's unauthenticated domain name matches the specified domain name is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match unauthenticated-domain command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example configures a control class map that evaluates true for subscribers with the unauthenticated domain "abc.com":
class-map type control match-all MY-FORWARDED-USERSmatch unauthenticated-domain "xyz.com"Related Commands
match unauthenticated-username
To create a condition that will evaluate true if a subscriber's unauthenticated username matches the specified username, use the match unauthenticated-username command in control class-map configuration mode. To remove the condition, use the no form of this command.
match unauthenticated-username {username | regexp regular-expression}
no match unauthenticated-username {username | regexp regular-expression}
Syntax Description
username
Username.
regexp regular-expression
Regular expression to be matched against the subscriber's username.
Command Default
A condition that will evaluate true if a subscriber's unauthenticated username matches the specified username is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match unauthenticated-username command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".
class-map type control match-all class3match identifier unauthenticated-username regexp "user@.*com"!policy-map type control rule4class type control class3 event session-start1 authorize identifier unauthenticated-username!Related Commands
match vrf
To create a condition that evaluates true if a subscriber's VPN routing and forwarding instance (VRF) matches the specified VRF, use the match vrf command in control class-map configuration mode. To remove this condition, use the no form of this command.
match vrf {vrf-name | regexp regular-expression}
no match vrf {vrf-name | regexp regular-expression}
Syntax Description
vrf-name
Name of the VRF.
regexp regular-expression
Regular expression to be matched against the subscriber's VRF.
Command Default
A condition that will evaluate true if a subscriber's VRF matches the specified VRF is not created.
Command Modes
Control class-map configuration
Command History
Usage Guidelines
The match vrf command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example configures a policy that will be applied to subscribers who belong to the VRF "FIRST".
class-map type control TESTmatch vrf FIRSTpolicy-map type control GLOBALclass type control TEST event session-start1 service-policy type service name FIRST-SERVICERelated Commands
class-map type control
Creates an ISG control class map.
class type control
Specifies a control class for which actions may be configured in an ISG control policy map.
message-authenticator ignore
To disable message-authenticator validation of packets from RADIUS clients, use the message-authenticator ignore command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To reenable message-authenticator validation, use the no form of this command.
message-authenticator ignore
no message-authenticator ignore
Syntax Description
This command has no arguments or keywords.
Command Default
Message-authenticator validation is performed.
Command Modes
RADIUS proxy server configuration
RADIUS proxy client configurationCommand History
Usage Guidelines
Use the message-authenticator ignore command when validation of the source of RADIUS packets is not required or in situations in which a RADIUS client is not capable of filling the message-authenticator field in the RADIUS packet.
Examples
The following example disables message-authenticator validation:
aaa server radius proxymessage-authenticator ignoreRelated Commands
aaa server radius proxy
Enables ISG RADIUS proxy configuration mode, in which ISG RADIUS proxy parameters can be configured.
method-list
To specify the authentication, authorization, and accounting (AAA) method list to which the Intelligent Services Gateway (ISG) will send prepaid accounting updates or prepaid authorization requests, use the method-list command in ISG prepaid configuration mode. To reset to the default value, use the no form of this command.
method-list {accounting | authorization} name-of-method-list
no method-list {accounting | authorization}name-of-method-list
Syntax Description
Command Default
A method list is not specified.
Command Modes
Prepaid configuration
Command History
Usage Guidelines
The AAA method list that is specified by the method-list command must be configured by using the aaa accounting command. See the Cisco IOS Security Configuration Guide for information about configuring AAA method lists, server groups, and servers.
Examples
The following example shows an ISG prepaid feature configuration in which a method list called "ap-mlist" is specified for prepaid accounting and the default method list is specified for prepaid authorization:
subscriber feature prepaid conf-prepaidinterim-interval 5threshold time 20threshold volume 0method-list accounting ap-mlistmethod-list authorization defaultpassword ciscoRelated Commands
password (ISG)
To specify the password that the Intelligent Services Gateway (ISG) will use in authorization and reauthorization requests, use the password command in prepaid configuration mode. To reset the password to the default, use the no form of this command.
password password
no password password
Syntax Description
password
Password that the ISG will use in authorization and reauthorization requests. The default password is cisco.
Command Default
ISG uses the default password (cisco).
Command Modes
Prepaid configuration
Command History
Examples
The following example shows an ISG prepaid feature configuration in which the password is "pword" :
subscriber feature prepaid conf-prepaidinterim-interval 5threshold time 20threshold volume 0method-list accounting ap-mlistmethod-list authorization defaultpassword pwordRelated Commands
police (ISG)
To configure Intelligent Services Gateway (ISG) policing, use the police command in service policy-map class configuration mode. To disable upstream policing, use the no form of this command.
police {input | output} committed-rate [normal-burst excess-burst]
no police {input | output} committed-rate [normal-burst excess-burst]
Syntax Description
Command Default
ISG policing is not enabled.
Command Modes
Service policy-map class configuration
Command History
Usage Guidelines
ISG policing supports policing of upstream and downstream traffic and can be applied to a session or a flow.
Session-based policing applies to the aggregate of subscriber traffic for a session.
Session-based policing parameters can be configured on a AAA server in either a user profile or a service profile that does not specify a traffic class. It can also be configured on the router in a service policy map by using the police command. Session-based policing parameters that are configured in a user profile take precedence over session-based policing parameters configured in a service profile or service policy map.
Flow-based policing applies only to the destination-based traffic flows that are specified by a traffic class.
Flow-based policing can be configured on a AAA server in a service profile that specifies a traffic class. It can also be configured on the router under a traffic class in a service policy map by using the police command. Flow-based policing and session-based policing can coexist and operate simultaneously on subscriber traffic.
Examples
The following example shows the configuration of flow-based ISG policing in a service policy map:
class-map type traffic match-any C3match access-group in 103match access-group out 203policy-map type service P3class type traffic C3police input 20000 30000 60000police output 21000 31500 63000Related Commands
policy-map
To enter policy-map configuration mode and create or modify a policy map that can be attached to one or more interfaces to specify a service policy, use the policy-map command in global configuration mode. To delete a policy map, use the no form of this command.
Supported Platforms Other Than Cisco 10000 and Cisco 7600 Series Routers
policy-map [type {stack | access-control | port-filter | queue-threshold | logging log-policy}] policy-map-name
no policy-map [type {stack | access-control | port-filter | queue-threshold | logging log-policy}] policy-map-name
Cisco 10000 Series Router
policy-map [type {control | service}] policy-map-name
no policy-map [type {control | service}] policy-map-name
Cisco 7600 Series Router
policy-map [type {class-routing ipv4 unicast unicast-name | control control-name | service service-name}] policy-map-name
no policy-map [type {class-routing ipv4 unicast unicast-name | control control-name | service service-name}] policy-map-name
Syntax Description
Command Default
The policy map is not configured.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the policy-map command to specify the name of the policy map to be created, added, or modified before you configure policies for classes whose match criteria are defined in a class map. The policy-map command enters policy-map configuration mode, in which you can configure or modify the class policies for a policy map.
You can configure class policies in a policy map only if the classes have match criteria defined for them. Use the class-map and match commands to configure match criteria for a class. Because you can configure a maximum of 64 class maps, a policy map cannot contain more than 64 class policies, except as noted for quality of service (QoS) class maps on Cisco 7600 series routers.
Note
For QoS class maps on Cisco 7600 series routers, the limits are 1024 class maps and 256 classes in a policy map.
A policy map containing ATM set cell loss priority (CLP) bit QoS cannot be attached to PPP over X (PPPoX) sessions. The policy map is accepted only if you do not specify the set atm-clp command.
A single policy map can be attached to more than one interface concurrently. Except as noted, when you attempt to attach a policy map to an interface, the attempt is denied if the available bandwidth on the interface cannot accommodate the total bandwidth requested by class policies that make up the policy map. In such cases, if the policy map is already attached to other interfaces, the map is removed from those interfaces.
Note
Whenever you modify a class policy in an attached policy map, the class-based weighted fair queueing (CBWFQ) is notified and the new classes are installed as part of the policy map in the CBWFQ system.
Note
Class Queues (Cisco 10000 Series Routers Only)
The Performance Routing Engine (PRE)2 allows you to configure 31 class queues in a policy map.
In a policy map, the PRE3 allows you to configure one priority level 1 queue, one priority level 2 queue, 12 class queues, and one default queue.
Control Policies (Cisco 10000 Series Routers Only)
Control policies define the actions that your system will take in response to the specified events and conditions.
A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions are executed.
There are three steps involved in defining a control policy:
1.
2.
A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.
3.
Service Policies (Cisco 10000 Series Routers Only)
Service policy maps and service profiles contain a collection of traffic policies and other functions. Traffic policies determine which function is applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, which is a specific type of traffic policy that determines how session data packets will be forwarded to the network.
Policy Map Restrictions (Catalyst 6500 Series Switches Only)
Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. This release and platform has the following restrictions for using policy maps and match commands:
•
•
–
–
Examples
The following example shows how to create a policy map called "policy1" and configure two class policies included in that policy map. The class policy called "class1" specifies a policy for traffic that matches access control list (ACL) 136. The second class is the default class to which packets that do not satisfy the configured match criteria are directed.
! The following commands create class-map class1 and define its match criteria:class-map class1match access-group 136! The following commands create the policy map, which is defined to contain policy! specification for class1 and the default class:policy-map policy1class class1bandwidth 2000queue-limit 40class class-defaultfair-queue 16queue-limit 20The following example show how to create a policy map called "policy9" and configure three class policies to belong to that map. Of these classes, two specify the policy for classes with class maps that specify match criteria based on either a numbered ACL or an interface name, and one specifies a policy for the default class called "class-default" to which packets that do not satisfy the configured match criteria are directed.
policy-map policy9class acl136bandwidth 2000queue-limit 40class ethernet101bandwidth 3000random-detect exponential-weighting-constant 10class class-defaultfair-queue 10queue-limit 20The following is an example of a modular QoS command-line interface (MQC) policy map configured to initiate the QoS service at the start of a session.
Router> enableRouter# configure terminalRouter(config)# policy-map type control TESTRouter(config-control-policymap)# class type control always event session-startRouter(config-control-policymap-class-control)# 1 service-policy type service name QoS_ServiceRouter(config-control-policymap-class-control)# endExamples for Cisco 10000 Series Routers Only
The following example shows the configuration of a control policy map named "rule4". Control policy map rule4 contains one policy rule, which is the association of the control class named "class3" with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.
class-map type control match-all class3match access-type pppoematch domain cisco.comavailable nas-port-id!policy-map type control rule4class type control class3authorize nas-port-id!service-policy type control rule4The following example shows the configuration of a service policy map named "redirect-profile":
policy-map type service redirect-profileclass type traffic CLASS-ALLredirect to group redirect-sgRelated Commands
policy-map type control
To create or modify a control policy map, which defines an Intelligent Services Gateway (ISG) control policy, use the policy-map type control command in global configuration mode. To delete the control policy map, use the no form of this command.
policy-map type control policy-map-name
no policy-map type control policy-map-name
Syntax Description
Command Default
A control policy map is not created.
Command Modes
Global configuration
Command History
Usage Guidelines
Control policies define the actions that your system will take in response to specified events and conditions.
A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed.
There are three steps involved in defining a control policy:
1.
2.
A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.
3.
Examples
The following example shows the configuration of a control policy map called "rule4." Control policy map "rule4" contains one policy rule, which is the association of the control class "class3" with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.
class-map type control match-all class3match access-type pppoematch domain cisco.comavailable nas-port-id!policy-map type control rule4class type control class3authorize nas-port-id!service-policy type control rule4Related Commands
policy-map type service
To create or modify a service policy map, which is used to define an Intelligent Services Gateway (ISG) subscriber service, use the policy-map type service command in global configuration mode. To delete a service policy map, use the no form of this command.
policy-map type service policy-map-name
no policy-map type service
Syntax Description
Command Default
A service policy map is not created.
Command Modes
Global configuration (config)
Command History
12.2(28)SB
This command was introduced.
Cisco IOS XE Release 2.4
This command was integrated into Cisco IOS Release XE 2.4.
Usage Guidelines
Use the policy-map type service command to create or modify an ISG service policy map. Service policy maps define ISG subscriber services.
An ISG service is a collection of policies that may be applied to a subscriber session. Services can be defined in service policy maps and service profiles. Service policy maps and service profiles serve the same purpose; the only difference between them is that a service policy map is defined on the local device using the policy-map type service command, and a service profile is configured on an external device, such as an authentication, authorization, and accounting (AAA) server.
Service policy maps and service profiles contain a collection of traffic policies and other functionality. Traffic policies determine which functionality will be applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, a specific type of traffic policy that determines how session data packets will be forwarded to the network.
Examples
The following example shows how to create a service policy map called redirect-profile:
policy-map type service redirect-profileclass type traffic CLASS-ALLredirect to group redirect-sgRelated Commands
policy-name
To configure a subscriber policy name, use the policy-name command in service policy map configuration mode. To remove a subscriber policy name, use the no form of this command.
policy-name policy
no policy-name policy
Syntax Description
Command Default
The default policy is used for all subscribers.
Command Modes
Service policy map configuration (config-service-policymap)
Command History
12.2(33)SRC
This command was introduced.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Usage Guidelines
The policy-name command is used with the policy-map type service command and must be configured together with the sg-service-type external-policy command. The policy name configured on the Intelligent Services Gateway (ISG) device must be the name of an existing policy that has already been configured on the SCE device.
Examples
The following example shows how to configure the subscriber policy name "SCE-SERVICE".
Router(config)# policy-map type service SCE-SERVICERouter(config-service-policymap)# sg-service-type external-policyRouter(config-service-policymap)# policy-name GOLDRelated Commands
policy-peer
To configure a subscriber policy peer connection, use the policy-peer command in global configuration mode. To remove a subscriber policy peer connection, use the no form of this command.
policy-peer [address ip-address] {keepalive seconds}
no policy-peer [address ip-address] {keepalive seconds}
Syntax Description
Command Modes
Global configuration (config)
Command History
12.2(33)SRC
This command was introduced.
12.2(33)SB
This command was integrated into Cisco Release 12.2(33)SB.
Usage Guidelines
Use the keepalive keyword with the policy-peer command to monitor the peering relationship between the Intelligent Services Gateway (ISG) device and the Service Control Engine (SCE). When the ISG and SCE establish a peering relationship, they negotiate the lowest keepalive value between them. If the ISG keepalive value is set to zero (0), the ISG accepts the value proposed by the SCE. The SCE sends keepalive packets at specified intervals. If twice the time specified by the seconds argument goes by without the ISG receiving a keepalive packet from the SCE, the peering relationship is ended. The ISG ignores any messages from the SCE unless they are messages to establish peering.
Examples:
The following example configures a subscriber policy peer connection with a keepalive value of 5 seconds.
Router(config)# policy-peer address 10.0.0.100 keepalive 5Related Commands
port
To specify the port on which a device listens for RADIUS requests from configured RADIUS clients, use the port command in dynamic authorization local server configuration mode. To restore the default, use the no form of this command.
port port-number
no port port-number
Syntax Description
Command Default
The device listens for RADIUS requests on the default port (port 1700).
Command Modes
Dynamic authorization local server configuration (config-locsvr-da-radius)
Command History
12.2(28)SB
This command was introduced.
Cisco IOS XE Release 2.6
This command was integrated into Cisco IOS XE Release 2.6.
Usage Guidelines
A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the port command to specify the ports on which the router will listen for requests from RADIUS clients.
Examples
The following example specifies port 1650 as the port on which the device listens for RADIUS requests:
aaa server radius dynamic-authorclient 10.0.0.1port 1650Related Commands
aaa server radius dynamic-author
Configures a device as a AAA server to facilitate interaction with an external policy server.
prepaid config
To enable prepaid billing for an Intelligent Services Gateway (ISG) service and to reference a configuration of prepaid billing parameters, use the prepaid config command in service policy traffic class configuration mode. To disable prepaid billing for a service, use the no form of this command.
prepaid config {name-of-configuration | default}
no prepaid config {name-of-configuration | default}
Syntax Description
name-of-configuration
A named configuration of prepaid billing parameters.
default
The default configuration of prepaid billing parameters.
Command Default
Prepaid billing is not enabled.
Command Modes
Service policy traffic class configuration
Command History
Usage Guidelines
ISG prepaid billing is enabled in a service policy map on the router by entering the prepaid config command, or in a service profile on the authentication, authorization, and accounting (AAA) server by using the prepaid vendor-specific attribute (VSA). The prepaid config command and prepaid VSA reference a configuration that contains specific prepaid billing parameters.
To create or modify a prepaid billing parameter configuration, use the subscriber feature prepaid command to enter prepaid configuration mode. A default prepaid configuration exists with the following parameters:
subscriber feature prepaid defaultthreshold time 0 secondsthreshold volume 0 bytesmethod-list authorization defaultmethod-list accounting defaultpassword ciscoThe default configuration will not show up in the output of the show running-config command unless you change any one of the parameters.
The parameters of named prepaid configurations are inherited from the default configuration, so if you create a named prepaid configuration and want only one parameter to be different from the default configuration, you have to configure only that parameter.
Examples
The following example shows prepaid billing enabled in a service called "mp3". The prepaid billing parameters in the configuration "conf-prepaid" will be used for "mp3" prepaid sessions.
policy-map type service mp3class type traffic CLASS-ACL-101authentication method-list cp-mlistaccounting method-list cp-mlistprepaid config conf-prepaidsubscriber feature prepaid conf-prepaidthreshold time 20threshold volume 0method-list accounting ap-mlistmethod-list authorization defaultpassword ciscoRelated Commands
subscriber feature prepaid
Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile.
proxy (ISG RADIUS proxy)
To configure an Intelligent Services Gateway (ISG) device to send RADIUS packets to a method list, use the proxy command in control policy-map class configuration mode. To remove this action from the control policy, use the no form of this command.
action-number proxy [aaa list {list-name | default}] [accounting aaa list acc-list-name]
no action-number proxy [aaa list {list-name | default}] [accounting aaa list acc-list-name]
Syntax Description
Command Default
RADIUS packets are sent to the default method list.
Command Modes
Control policy-map class configuration (config-control-policymap-class-control)
Command History
12.2(31)SB2
This command was introduced.
12.2(33)SRC
The accounting aaa list keyword was added.
12.2(33)SB
This command was implemented on the Cisco 10000 series.
Usage Guidelines
The proxy command is used to configure a control policy that causes ISG to forward RADIUS packets to a specified AAA method list. The method list must be configured with the aaa accounting command.
Control policies define the actions that the system takes in response to specified events and conditions. A control policy is made up of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
The accounting aaa list keyword is used configure the ISG device to forward incoming accounting requests from the SCE device to the AAA server.
Examples
The following example configures an accounting method list called "LIST-LOCAL". The server group called "AAA-GROUP1" is the method specified in the method list. A control policy called "POLICY-LOCAL" is configured with a policy rule that causes ISG to forward SCE accounting packets to the server group defined in method list "LIST-LOCAL".
Router(config)# aaa accounting network LIST-LOCAL start-stop group AAA-GROUP1Router(config)# policy-map type control POLICY-LOCALRouter(config-control-policymap)# class type control always event acct-notificationRouter(config-control-policymap-class)# 1 proxy accounting aaa list LIST-LOCALRelated Commands
proxy (RADIUS proxy)
To configure Intelligent Services Gateway (ISG) to send RADIUS packets to a method list, use the proxy command in control policy-map class configuration mode. To remove this action from the control policy, use the no form of this command.
action-number proxy [aaa list {list-name | default}]
no action-number proxy [aaa list {list-name | default}
Syntax Description
Command Default
RADIUS packets are sent to the default method list.
Command Modes
Control policy-map class configuration
Command History
Usage Guidelines
The proxy command is used to configure a control policy that causes ISG to forward RADIUS packets to a specified AAA method list. The method list must be configured with the aaa authorization radius-proxy command.
Control policies define the actions the system takes in response to specified events and conditions. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
Examples
The following example configures an ISG RADIUS proxy authorization method list called "RP". The server group called "EAP" is the method specified in that method list. A control policy called "PROXYRULE" is configured with a policy rule that causes ISG to forward RADIUS packets to the method list "RP".
aaa authorization radius-proxy RP group EAP...policy-map type control PROXYRULEclass type control always event session-start1 proxy aaa list RPRelated Commands
radius-server attribute 31
To configure Calling-Station-ID (attribute 31) options, use the radius-server attribute 31 command in global configuration mode. To disable the Calling-Station-ID (attribute 31) options, use the no form of this command.
radius-server attribute 31 {append-circuit-id | mac format {default | ietf | unformatted} | remote-id | send nas-port-detail [mac-only]}
no radius-server attribute 31 {append-circuit-id | mac format {default | ietf | unformatted} | remote-id | send nas-port-detail [mac-only]}
Syntax Description
Command Default
The Calling-Station-ID (attribute 31) is not sent.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
•
When the send nas-port-detail keyword and the mac-only option are configured, the Calling-Station-ID (attribute 31) information is sent in Access and Accounting requests in the following format:
host.domain:vp_descr:vpi:vci•
When the send nas-port-detail keyword and the mac-only option are configured, the Calling-Station-ID (attribute 31) information is sent in Access and Accounting requests in the following format:
mac_addr•
When the send nas-port-detail keyword and the mac-only option are configured, the Calling-Station-ID (attribute 31) information is sent in Access and Accounting requests in the following format:
host.domain:vp_descr:vpi:vci•
When DHCP lease query is used, ISG RADIUS proxy recieves MAC address as well as MSISDN as the Calling-Station-ID (attribute 31) from the downstream device. Therefore, ISG RADIUS proxy must be configured to choose one of them as the Calling Station ID and send it to the ISG accounting records.
The following example shows how to specify the MAC address in the Calling Station ID to be displayed in IETF format:
Router(config)# radius-server attribute 31 mac format ietfThe following example shows how to allow the remote ID to be sent as the Calling Station ID:
Router(config)# radius-server attribute 31 remote-idThe following example shows how to allow the NAS port details to be included in the Calling Station ID:
Router(config)# radius-server attribute 31 send nas-port-detailThe following example shows how to allow only the MAC address, if available, to be included in the Calling-Station-ID:
Router(config)# radius-server attribute 31 send nas-port-detail mac-onlRelated Commands
radius-server attribute nas-port-id include
Uses the DHCP relay agent information option 60 and option 82 and configures the NAS-Port-ID to authenticate a user.
radius-server attribute nas-port-id include
To include DHCP option 60 and option 82 (that is, any combination of circuit ID, remote ID, and vendor-class ID) in the NAS-Port-ID to authenticate a user, use the radius-server attribute nas-port-id include command in global configuration mode. To return to the default behavior, use the no form of this command.
radius-server attribute nas-port-id include {identifier1 [plus identifier2] [plus identifier3]} [separator separator]
no radius-server attribute nas-port-id include
Syntax Description
Command Default
The NAS-Port-ID is populated with the Intelligent Services Gateway (ISG) interface that received the DHCP relay agent information packet; for example, Ethernet1/0.
Command Modes
Global configuration (config)
Command History
12.2(33)SRD
This command was introduced.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
Usage Guidelines
When you use the radius-server attribute nas-port-id include command, you must specify at least one ID. You can use a single ID or any combination of the three, in any order. If you use more than one ID, use the plus keyword between each pair as a separator.
The NAS-Port-ID is shown in the accounting records as it is specified in this command, with the plus keyword replaced by a separator. The colon (:) is the default separator.
When the NAS-Port-ID is selected as the identifier for authorization, the NAS-Port-ID is sent as part of the username in the authentication request. It is sent as specified in this command, preceded by the string "nas-port:".
Examples
The following example shows an authentication request that specifies a circuit ID, a remote ID, and a vendor-class ID:
Router(config)# radius-server attribute nas-port-id include circuit-id plus remote-id plus vendor-class-idIf the circuit ID is "xyz", the remote ID is "abc", and the vendor-class ID is "123", the NAS-Port-ID will be sent to the accounting records as "abc:xyz:123" and the username will be sent as "nas-port:abc:xyz:123" in the authentication request.
The following example shows an authentication request that specifies a circuit ID and a vendor-class ID and also specifies a separator, "#":
Router(config)# radius-server attribute nas-port-id include circuit-id plus vendor-class-id separator #If the circuit ID is "xyz" and the vendor-class ID is "123", the NAS-Port-ID will be sent to the accounting records as "xyz#123" and the username will be sent as "nas-port:xyz#123" in the authentication request.
Related Commands
authorize identifier
Initiates a request for authorization based on a specified identifier in an ISG control policy.
re-authenticate do-not-apply
To prevent Intelligent Services Gateway (ISG) from applying data from reauthentication profiles to subscriber sessions, use the re-authenticate do-not-apply command in RADIUS proxy server configuration or RADIUS proxy client configuration mode. To return to the default value, use the no form of this command.
re-authenticate do-not-apply
no re-authenticate do-not-apply
Syntax Description
This command has no arguments or keywords.
Command Default
ISG applies data from the reauthentication profile to subscriber sessions.
Command Modes
RADIUS proxy server configuration (config-locsvr-proxy-radius)
RADIUS proxy client configuration (config-locsvr-radius-client)Command History
Usage Guidelines
The re-authenticate do-not-apply command prevents ISG from updating the subscriber session with data from a reauthentication profile. During the Extensible Authentication Protocol (EAP) authentication process, for example, ISG will not update the subscriber session with the username from the reauthentication profile if this command is configured.
This command can be configured globally for all RADIUS proxy clients, or it can be configured for specific clients. The client-specific RADIUS proxy configuration of this command overrides the global RADIUS proxy server configuration.
Examples
The following example shows how to prevent ISG from applying reauthentication data to subscriber sessions for all RADIUS proxy clients:
aaa server radius proxyre-authenticate do-not-applyRelated Commands
redirect server-group
To define a group of one or more servers that make up a named Intelligent Services Gateway (ISG) Layer 4 redirect server group, use the redirect server-group command in global configuration mode. To remove a redirect server group and any servers configured within that group, use the no form of this command.
redirect server-group group-name
no server-group group-name
Syntax Description
Command Default
A redirect server group is not defined.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the redirect server-group command to define and name an ISG Layer 4 redirect server group. Packets sent upstream from an unauthenticated subscriber can be forwarded to the server group, which will deal with the packets in a suitable manner, such as routing them to a logon page. You can also use server groups to handle requests from authorized subscribers who request access to services to which they are not logged in and for advertising captivation.
After defining a redirect server group with the redirect server-group command, identify individual servers for inclusion in the server group using the server command in Layer 4 redirect server group configuration mode.
Examples
The following example shows the configuration of a server group called "PORTAL":
redirect server-group PORTALserver ip 10.2.36.253 port 80Related Commands
redirect session-limit
To set the maximum number of Layer 4 redirects allowed for each Intelligent Services Gateway (ISG) subscriber session, use the redirect session-limit command in global configuration mode. To reset to the default, use the no form of this command.
redirect session-limit maximum-number
no redirect session-limit
Syntax Description
Command Default
An unlimited number of redirects are allowed per session.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The redirect session-limit command limits the number of redirect translations that can be created by unauthenticated subscribers that are redirected to the server group.
Examples
The following example limits the number of L4 redirects to five for a single session:
Router(config)# redirect session-limit 5Related Commands
redirect to (ISG)
To redirect Intelligent Services Gateway (ISG) Layer 4 traffic to a specified server or server group, use the redirect to command in service policy-map class configuration mode. To disable redirection, use the no form of this command.
redirect to {group server-group-name | ip ip-address [port port-number]} [duration seconds [frequency seconds]]
no redirect [list access-list-number] to {group server-group-name | ip ip-address [port port-number]} [duration seconds [frequency seconds]]
Syntax Description
Command Default
Subscriber Layer 4 traffic is not redirected.
Command Modes
Service policy-map class configuration (config-service-policymap)
Command History
Usage Guidelines
The ISG Layer 4 Redirect feature redirects specified Layer 4 subscriber packets to servers that handle the packets in a specified manner.
The Layer 4 Redirect feature supports three types of redirection, which can be applied to subscriber sessions or to flows:
•
•
•
Examples
Redirecting Layer 4 Traffic to a Server Group: Example
The following example redirects Layer 4 traffic to the servers specified in server group "ADVT-SERVER":
redirect to group ADVT-SERVERRedirecting Layer 4 Traffic to a Specific IP Address: Examples
The following example configures ISG to redirect all traffic coming from the subscriber interface to 10.2.36.253. The destination port is left unchanged, so traffic to 10.10.10.10 port 23 is redirected to 10.2.36.253 port 23, and traffic to 10.4.4.4 port 80 is redirected to 10.2.36.253 port 80.
redirect list 100 to ip 10.2.36.253The following example configures ISG to redirect all traffic coming from the subscriber interface to 10.2.36.253 port 80:
redirect list 100 to ip 10.2.36.253 port 80Initial Redirection: Example
The following example redirects all traffic to the servers configured in the server group "ADVT-SERVER" for the first 60 seconds of the session and then stops redirection for the rest of the lifetime of the session:
redirect to group ADVT-SERVER duration 60Periodic Redirection: Example
The following example redirects all traffic to server group "ADVT-SERVER" for 60 seconds, every 3600 seconds. That is, the traffic will be redirected for 60 seconds, and subsequently the redirection is suspended for 3600 seconds, after which redirection resumes again for 60 seconds, and so on.
redirect to group ADVT-SERVER duration 60 frequency 3600Related Commands
server
To add a server to an Intelligent Services Gateway (ISG) Layer 4 redirect server group, use the server command in Layer 4 redirect server group configuration mode. To remove a server from a redirect server group, use the no form of this command.
server ip ip-address port port
no server ip ip-address port port
Syntax Description
ip ip-address
IP address of the server to be added to the redirect server group.
port port
TCP port of the server to be added to the redirect server group.
Command Default
A server is not added to the redirect server group.
Command Modes
Layer 4 redirect server group configuration
Command History
Usage Guidelines
Use the server command in Layer 4 redirect server group configuration mode to add a server, defined by its IP address and TCP port, to a redirect server group. The server command can be entered more than once to add multiple servers to the server group.
ISG Layer 4 redirection provides nonauthorized users with access to controlled services. Packets sent upstream from an unauthenticated user are forwarded to the server group, which deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services to which they are not logged in.
Examples
The following example adds a server at IP address 10.0.0.0 and TCP port 8080 and a server at IP address 10.1.2.3 and TCP port 8081 to a redirect server group named "ADVT-SERVER":
redirect server-group ADVT-SERVERserver ip 10.0.0.0 port 8080server ip 10.1.2.3 port 8081Related Commands
server-key
To configure the RADIUS key to be shared between a device and RADIUS clients, use the server-key command in dynamic authorization local server configuration mode. To remove this configuration, use the no form of this command.
server-key [0 | 7] word
no server-key [0 | 7] word
Syntax Description
0
(Optional) An unencrypted key will follow.
7
(Optional) A hidden key will follow.
word
Unencrypted server key.
Command Default
A server key is not configured.
Command Modes
Dynamic authorization local server configuration (config-locsvr-da-radius)
Command History
12.2(28)SB
This command was introduced.
Cisco IOS XE Release 2.6
This command was integrated into Cisco IOS XE Release 2.6.
Usage Guidelines
A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the server-key command to configure the key to be shared between the Intelligent Services Gateway (ISG) and RADIUS clients.
Examples
The following example configures "cisco" as the shared server key:
aaa server radius dynamic-authorclient 10.0.0.1server-key ciscoRelated Commands
aaa server radius dynamic-author
Configures a device as a AAA server to facilitate interaction with an external policy server.
service (ISG)
To specify a network service type for PPP sessions, use the service command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.
action-number service {disconnect | local | vpdn}
no action-number service {disconnect | local | vpdn}
Syntax Description
Command Default
PPP sessions are locally terminated.
Command Modes
Control policy-map class configuration
Command History
Usage Guidelines
The service command configures an action in a control policy map.
Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
Examples
The following example shows how configure ISG to locally terminate sessions for PPP subscribers:
policy-map type control MY-RULE1class type control MY-CONDITION2 event session-start1 service localRelated Commands
service deny (ISG)
To deny network service to the Intelligent Services Gateway (ISG) subscriber session, use the service deny command in service policy-map configuration mode. To remove the configuration, use the no form of this command.
service deny
no service deny
Syntax Description
The command has no arguments or keywords.
Command Default
Service is not denied to the session.
Command Modes
Service policy-map configuration
Command History
Usage Guidelines
The service deny command denies network service to subscriber sessions that use the service policy map.
Examples
The following example denies service to subscriber sessions that use the service called "service1":
policy-map type service service1service denyRelated Commands
policy-map type service
Creates or modifies a service policy map, which is used to define an ISG subscriber service.
service local (ISG)
To specify local termination service in an Intelligent Services Gateway (ISG) service policy map, use the service local command in service policy-map configuration mode. To remove the service, use the no form of this command.
service local
no service local
Syntax Description
This command has no arguments or keywords.
Command Default
Local termination service is not specified.
Command Modes
Service policy-map configuration
Command History
Usage Guidelines
The service local command is used to configure local termination service in a service policy map defined with the policy-map type service command.
When you configure the service local command in a service policy map, you can also use the ip vrf forwarding command to specify the routing domain in which to terminate the session. If you do not specify the routing domain, the global virtual routing and forwarding instance (VRF) will be used.
Examples
The following example provides local termination service to subscriber sessions for which the "my_service" service policy map is activated:
!policy-map type service my_serviceservice localRelated Commands
service relay (ISG)
To enable relay of PPPoE Active Discovery (PAD) messages over a Layer 2 Tunnel Protocol (L2TP) tunnel for an Intelligent Services Gateway (ISG) subscriber session, use the service relay command in service policy-map configuration mode. To disable message relay, use the no form of this command.
service relay pppoe vpdn group vpdn-group-name
no service relay pppoe vpdn group vpdn-group-name
Syntax Description
Command Default
Relay of PAD messages over an L2TP tunnel is not enabled.
Command Modes
Service policy-map configuration
Command History
Usage Guidelines
The service relay command is configured as part of a service policy-map.
Examples
The following example configures sessions that use the service policy-map "service1" to contain outgoing tunnel information for the relay of PAD messages over an L2TP tunnel:
policy-map type serviceservice relay pppoe vpdn group Sample1.netRelated Commands
policy-map type service
Creates or modifies a service policy map, which is used to define an ISG subscriber service.
service vpdn group (ISG)
To provide virtual private dialup network (VPDN) service for Intelligent Services Gateway (ISG) subscriber sessions, use the service vpdn group command in service policy-map configuration mode. To remove VPDN service, use the no form of this command.
service vpdn group vpdn-group-name
no service vpdn group vpdn-group-name
Syntax Description
vpdn-group-name
Provides the VPDN service by obtaining the configuration from a predefined VPDN group.
Command Default
VPDN service is not provided for ISG subscriber sessions.
Command Modes
Service policy-map configuration
Command History
Usage Guidelines
The service vpdn group command provides VPDN service by obtaining the configuration from a predefined VPDN group.
A service configured with the service vpdn group command (or corresponding RADIUS attribute) is a primary service.
Examples
The following example provides VPDN service to sessions that use the service called "service" and uses VPDN group 1 to obtain VPDN configuration information:
policy-map type service service1service vpdn group 1Related Commands
policy-map type service
Creates or modifies a service policy map, which is used to define an ISG subscriber service.
service-monitor
To configure service monitoring for sessions on the Service Control Engine (SCE) that use the configured Intelligent Services Gateway (ISG) service, use the service-monitor command in service policy map configuration mode. To remove service monitoring, use the no form of this command.
service-monitor {enable | disable}
no service-monitor {enable | disable}
Syntax Description
Command Default
Service monitoring is not configured.
Command Modes
Service policy map configuration (config-service-policymap)
Command History
12.2(33)SRC
This command was introduced.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Usage Guidelines
The service-monitor command is used with the policy-map type service command and must be configured together with the sg-service-type external-policy command.
Examples
The following example configures service monitoring for a service policy called "SCE-SERVICE4".
Router(config)# policy-map type service SCE-SERVICE4Router(config-service-policymap)# sg-service-type external policyRouter(config-service-policymap)# service-monitor enableRelated Commands
policy-name
Configures a subscriber policy name.
sg-service-type external policy
Identifies an ISG service as an external policy.
service-policy
To attach a policy map to an input interface, a virtual circuit (VC), an output interface, or a VC that will be used as the service policy for the interface or VC, use the service-policy command in the appropriate configuration mode. To remove a service policy from an input or output interface or from an input or output VC, use the no form of this command.
service-policy [type access-control] {input | output} policy-map-name
no service-policy [type access-control] {input | output} policy-map-name
Cisco 10000 Series and Cisco 7600 Series Routers
service-policy [history | {input | output} policy-map-name | type control control-policy-name]
no service-policy [history | {input | output} policy-map-name | type control control-policy-name]
Syntax Description
Command Default
No service policy is specified.
A control policy is not applied to a context.
No policy map is attached.Command Modes
ATM bundle-VC configuration (config-atm-bundle)
ATM PVP configuration (config-if-atm-l2trans-pvp)
ATM VC mode (config-if-atm-vc)
Global configuration (config)
Interface configuration (config-if)
Map-class configuration (config-map-class)
PVC-in-range configuration (cfg-if-atm-range-pvc)
PVC range subinterface configuration (config-subif)Command History
Usage Guidelines
Choose the command mode according to the intended use of the command, as follows:
You can attach a single policy map to one or more interfaces or to one or more VCs to specify the service policy for those interfaces or VCs.
A service policy specifies class-based weighted fair queueing (CBWFQ). The class policies that make up the policy map are then applied to packets that satisfy the class map match criteria for the class.
To successfully attach a policy map to an interface or ATM VC, the aggregate of the configured minimum bandwidths of the classes that make up the policy map must be less than or equal to 75 percent (99 percent on the Cisco 10008 router) of the interface bandwidth or the bandwidth allocated to the VC.
To enable Low Latency queueing (LLQ) for Frame Relay (priority queueing [PQ]/CBWFQ), you must first enable Frame Relay Traffic Shaping (FRTS) on the interface using the frame-relay traffic-shaping command in interface configuration mode. You then attach an output service policy to the Frame Relay VC using the service-policy command in map-class configuration mode.
For a policy map to be successfully attached to an interface or ATM VC, the aggregate of the configured minimum bandwidths of the classes that make up the policy map must be less than or equal to 75 percent of the interface bandwidth or the bandwidth allocated to the VC. For a Frame Relay VC, the total amount of bandwidth allocated must not exceed the minimum committed information rate (CIR) configured for the VC less any bandwidth reserved by the frame-relay voice bandwidth or frame-relay ip rtp priority map-class commands. If these values are not configured, the minimum CIR defaults to half of the CIR.
Configuring CBWFQ on a physical interface is possible only if the interface is in the default queueing mode. Serial interfaces at E1 (2.048 Mbps) and below use weighted fair queueing (WFQ) by default. Other interfaces use first-in first-out (FIFO) by default. Enabling CBWFQ on a physical interface overrides the default interface queueing method. Enabling CBWFQ on an ATM permanent virtual circuit (PVC) does not override the default queueing method.
When you attach a service policy with CBWFQ enabled to an interface, commands related to fancy queueing such as those pertaining to fair queueing, custom queueing, priority queueing, and Weighted Random Early Detection (WRED) are available using the modular quality of service command-line interface (MQC). However, you cannot configure these features directly on the interface until you remove the policy map from the interface.
You can modify a policy map attached to an interface or VC, changing the bandwidth of any of the classes that make up the map. Bandwidth changes that you make to an attached policy map are effective only if the aggregate of the bandwidth amount for all classes that make up the policy map, including the modified class bandwidth, is less than or equal to 75 percent of the interface bandwidth or the VC bandwidth. If the new aggregate bandwidth amount exceeds 75 percent of the interface bandwidth or VC bandwidth, the policy map is not modified.
After you apply the service-policy command to set a class of service (CoS) bit to an Ethernet interface, the policy is set in motion as long as there is a subinterface that is performing 8021.Q or Inter-Switch Link (ISL) trunking. Upon reload, however, the service policy is removed from the configuration with the following error message:
Process `set' action associated with class-map voip failed: Set cos supported only with IEEE 802.1Q/ISL interfaces.Cisco 10000 Series Router Usage Guidelines
The Cisco 10000 series router does not support applying CBWFQ policies to unspecified bit rate (UBR) VCs.
For a policy map to be successfully attached to an interface or a VC, the aggregate of the configured minimum bandwidth of the classes that make up the policy map must be less than or equal to 99 percent of the interface bandwidth or the bandwidth allocated to the VC. If you attempt to attach a policy map to an interface when the sum of the bandwidth assigned to classes is greater than 99 percent of the available bandwidth, the router logs a warning message and does not allocate the requested bandwidth to all of the classes. If the policy map is already attached to other interfaces, it is removed from them.
The total bandwidth is the speed (rate) of the ATM layer of the physical interface. The router converts the minimum bandwidth that you specify to the nearest multiple of 1/255 (ESR-PRE1) or 1/65535 (ESR-PRE2) of the interface speed. When you request a value that is not a multiple of 1/255 or 1/65535, the router chooses the nearest multiple.
The bandwidth percentage is based on the interface bandwidth. In a hierarchical policy, the bandwidth percentage is based on the nearest parent shape rate.
By default, a minimum bandwidth guaranteed queue has buffers for up to 50 milliseconds of 256-byte packets at line rate, but not less than 32 packets.
For Cisco IOS Release 12.0(22)S and later releases, to enable LLQ for Frame Relay (priority queueing (PQ)/CBWFQ) on the Cisco 10000 series router, first create a policy map and then assign priority to a defined traffic class using the priority command. For example, the following sample configuration shows how to configure a priority queue with a guaranteed bandwidth of 8000 kbps. In the example, the Business class in the policy map named "map1" is configured as the priority queue. The map1 policy also includes the Non-Business class with a minimum bandwidth guarantee of 48 kbps. The map1 policy is attached to serial interface 2/0/0 in the outbound direction.
class-map Businessmatch ip precedence 3policy-map map1class Businessprioritypolice 8000class Non-Businessbandwidth 48interface serial 2/0/0frame-relay encapsulationservice-policy output map1On the PRE2, you can use the service-policy command to attach a QoS policy to an ATM subinterface or to a PVC. However, on the PRE3, you can attach a QoS policy only to a PVC.
Cisco 7600 Series Routers
The output keyword is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Do not attach a service policy to a port that is a member of an EtherChannel.
Although the CLI allows you to configure QoS based on policy feature cards (PFCs) on the WAN ports on the OC-12 ATM optical services modules (OSM) and on the WAN ports on the channelized OSMs, PFC-based QoS is not supported on the WAN ports on these OSMs. OSMs are not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 32.
PFC QoS supports the optional output keyword only on VLAN interfaces. You can attach both an input policy map and an output-policy map to a VLAN interface.
Cisco 10000 Series Routers Control Policy Maps
A control policy map must be activated by applying it to a context. A control policy map can be applied to one or more of the following types of contexts, which are listed in order of precedence:
1.
2.
3.
4.
5.
6.
In general, control policy maps that are applied to more specific contexts take precedence over policy maps applied to more general contexts. In the list, the context types are numbered in order of precedence. For example, a control policy map that is applied to a permanent virtual circuit (PVC) takes precedence over a control policy map that is applied to an interface.
Control policies apply to all sessions hosted on the context. Only one control policy map can be applied to a given context.
In Cisco IOS Release 12.2(33)SB and later releases, the router no longer accepts the abbreviated form (ser) of the service-policy command. Instead, you must spell out the command name service- before the router accepts the command.
For example, the following error message displays when you attempt to use the abbreviated form of the service-policy command:
interface GigabitEthernet1/1/0ser out ?% Unrecognized commandser ?% Unrecognized commandAs shown in the following example, when you enter the command as service- followed by a space, the router parses the command as service-policy. Entering the question mark causes the router to display the command options for the service-policy command.
service- ?input Assign policy-map to the input of an interfaceoutput Assign policy-map to the output of an interfacetype Configure CPL Service PolicyIn releases prior to Cisco IOS Release 12.2(33)SB, the router accepts the abbreviated form of the service-policy command. For example, the router accepts the following commands:
interface GigabitEthernet1/1/0ser out testExamples
The following example shows how to attach a policy map to a Fast Ethernet interface:
interface fastethernet 5/20service-policy input pmap1The following example shows how to attach the service policy map named "policy9" to DLCI 100 on output serial interface 1 and enables LLQ for Frame Relay:
interface Serial1/0.1 point-to-pointframe-relay interface-dlci 100class fragmentmap-class frame-relay fragmentservice-policy output policy9The following example shows how to attach the service policy map named "policy9" to input serial interface 1:
interface Serial1service-policy input policy9The following example attaches the service policy map named "policy9" to the input PVC named "cisco":
pvc cisco 0/34 service-policy input policy9vbr-nt 5000 3000 500 precedence 4-7The following example shows how to attach the policy named "policy9" to output serial interface 1 to specify the service policy for the interface and enable CBWFQ on it:
interface serial1service-policy output policy9The following example attaches the service policy map named "policy9" to the output PVC named "cisco":
pvc cisco 0/5 service-policy output policy9 vbr-nt 4000 2000 500 precedence 2-3Cisco 10000 Series Router Examples
The following example shows how to attach the service policy named "userpolicy" to DLCI 100 on serial subinterface 1/0/0.1 for outbound packets:
interface serial 1/0/0.1 point-to-pointframe-relay interface-dlci 100service-policy output userpolicy
Note
The following example shows how to attach a QoS service policy named "map2" to PVC 0/101 on the ATM subinterface 3/0/0.1 for inbound traffic:
interface atm 3/0/0atm pxf queuinginterface atm 3/0/0.1pvc 0/101service-policy input map2
Note
The following example shows how to attach a service policy named "myQoS" to physical Gigabit Ethernet interface 1/0/0 for inbound traffic. VLAN 4, configured on Gigabit Ethernet subinterface 1/0/0.3, inherits the service policy of physical Gigabit Ethernet interface 1/0/0.
interface GigabitEthernet 1/0/0service-policy input myQoSinterface GigabitEthernet 1/0/0.3encapsulation dot1q 4The following example shows how to attach the service policy map named "voice" to ATM VC 2/0/0 within a PVC range of a total of three PVCs and enable PVC range configuration mode where a point-to-point subinterface is created for each PVC in the range. Each PVC created as part of the range has the voice service policy attached to it.
configure terminalinterface atm 2/0/0range pvc 1/50 1/52service-policy input voiceThe following example shows how to attach the service policy map named "voice" to ATM VC 2/0/0 within a PVC range, where every VC created as part of the range has the voice service policy attached to it. The exception is PVC 1/51, which is configured as an individual PVC within the range and has a different service policy named "data" attached to it in PVC-in-range configuration mode.
configure terminalinterface atm 2/0/0range pvc 1/50 1/52service-policy input voicepvc-in-range 1/51service-policy input dataThe following example shows how to configure a service group named "PREMIUM-SERVICE" and apply the input policy named "PREMIUM-MARK-IN" and the output policy named "PREMIUM-OUT" to the service group:
policy-map type service PREMIUM-SERVICEservice-policy input PREMIUM-MARK-INservice-policy output PREMIUM-OUTRelated Commands
service-policy type control
To apply a control policy to a context, use the service-policy type control command in the appropriate configuration mode. To unapply the control policy, use the no form of this command.
service-policy type control policy-map-name
no service-policy type control policy-map-name
Syntax Description
Command Default
A control policy is not applied to a context.
Command Modes
Global configuration
Interface configuration
Subinterface configuration
Virtual template configuration
ATM VC class configuration
ATM VC configurationCommand History
Usage Guidelines
A control policy map must be activated by applying it to a context. A control policy map can be applied to one or more of the following types of contexts:
1.
2.
3.
4.
5.
6.
In general, control policy maps that are applied to more specific contexts take precedence over policy maps applied to more general contexts. In the list, the context types are numbered in order of precedence. For example, a control policy map that is applied to a permanent virtual circuit (PVC) takes precedence over a control policy map that is applied to an interface.
Control policies apply to all sessions hosted on the context.
Only one control policy map may be applied to a given context.
Examples
The following example applies the control policy map "RULEA" to Ethernet interface 0:
interface Ethernet 0service-policy type control RULEARelated Commands
policy-map type control
Creates or modifies a control policy map, which defines an ISG control policy.
service-policy type service
To activate an Intelligent Services Gateway (ISG) service, use the service-policy type service command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.
action-number service-policy type service [unapply] [aaa list list-name] {name service-name | identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username}}
no action-number service-policy type service [unapply] [aaa list list-name] {name service-name | identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username}}
Syntax Description
Command Default
A service is not activated.
Command Modes
Control policy-map class configuration
Command History
Usage Guidelines
The service-policy type service command configures an action in a control policy map. If you do not specify the AAA method list, the default method list will be used.
Note that if you use the default method list, the default list will not appear in the output of the show running-config command. For example, if you configure the following command:
Router(config-control-policymap-class-control)# 1 service-policy type service aaa list default identifier authenticated-domainthe following will display in the output for the show running-config command:
1 service-policy type service identifier authenticated-domainNamed method lists will display in the show running-config command output.
Services are configured in service profiles on the AAA server or in service policy maps on the router.
Examples
The following example configures an ISG control policy that will initiate authentication of the subscriber and then apply a service that has a name matching the subscriber's authenticated domain name:
policy-map type control MY-RULE2class type control MY-CONDITION2 event service-start1 authenticate aaa list AUTHEN2 service-policy type service aaa list SERVICE identifier authenticated-domainRelated Commands
session-identifier (ISG)
To correlate RADIUS server requests and identify a session in the Intelligent Services Gateway (ISG) RADIUS proxy, use the session-identifier command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To disable this function, use the no form of this command.
session-identifier {attribute number | vsa vendor id type number}
no session-identifier {attribute number | vsa vendor id type number}
Syntax Description
Command Default
RADIUS proxy server correlates calling station attributes (attribute 31).
Command Modes
RADIUS proxy server configuration (config-locsvr-proxy-radius)
RADIUS proxy client configuration (config-locsvr-radius-client)Command History
Usage Guidelines
The ISG RADIUS proxy identifies a new session based on the calling station attributes. Usually, attribute 31 is used to identify the session for requests. However, it is possible that attribute 31 may not always be unique to identify the session. There are attributes such as username (RADIUS attribute 1), circuit-ID (RADIUS VSA), and so on, that could be used to identify the session and correlate RADIUS requests. By using the session-identifier command, you can configure the RADIUS proxy to accept other attributes or VSAs to identify the session in the RADIUS proxy and correlate requests from the downstream device. A downstream device is a device whose data is logged by a data recorder on a different node.
Examples
The following example shows how to configure the ISG to identify the session using the RADIUS VSA vendor type and correlate the requests for a RADIUS proxy client with IP address 10.0.0.16:
Router(config-locsvr-proxy-radius)# client 10.0.0.l6 255.255.255.0Router(config-locsvr-radius-client)# session-identifier vsa vendor 12 type 123Related Commands
set-timer
To start a named policy timer, use the set-timer command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.
action-number set-timer name-of-timer minutes
no action-number set-timer name-of-timer minutes
Syntax Description
action-number
Number of the action. Actions are executed sequentially within the policy rule.
name-of-timer
Name of the policy timer.
minutes
Timer interval, in minutes. Range is from 1 to 10100.
Command Default
A named policy timer is not started.
Command Modes
Control policy-map class configuration
Command History
Usage Guidelines
The set-timer command configures an action in a control policy map.
Expiration of a named policy timer generates the timed-policy-expiry event.
Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
Examples
The following example configures a policy timer called "TIMERA". When TIMERA expires the service will be disconnected.
class-map type control match-all CONDEmatch timer TIMERApolicy-map type type control RULEAclass type control <some_cond> event session-start1 set-timer TIMERA 1class type control CONDE event timed-policy-expiry1 service disconnectRelated Commands
sgi beep listener
To enable Service Gateway Interface (SGI), use the sgi beep listener command in global configuration mode. To disable SGI, use the no form of this command.
sgi beep listener [port] [acl access-list] [sasl sasl-profile] [encrypt trustpoint]
no sgi beep listener
Syntax Description
Command Default
The SGI is not enabled.
Command Modes
Global configuration (config)
Command History
Examples
Router(config)# sgi beep listener 2089Related Commands
sg-service-group
To associate an Intelligent Services Gateway (ISG) service with a service group, use the sg-service-group command in service policy-map configuration mode. To remove the association, use the no form of this command.
sg-service-group service-group-name
no sg-service-group service-group-name
Syntax Description
Command Default
The service is not part of a service group.
Command Modes
Service policy-map configuration
Command History
Usage Guidelines
A service group is a grouping of services that may be active simultaneously for a given session. Typically, a service group includes one primary service and one or more secondary services.
Secondary services in a service group are dependent on the primary service and should not be activated unless the primary service is already active. Once a primary service has been activated, any other services that reference the same group may also be activated. Services that belong to other groups, however, can be activated only if they are primary. If a primary service from another service group is activated, all services in the current service-group will also be deactivated because they have a dependency on the previous primary service.
Examples
The following example associates the service called "primarysvc1" with the service group "group1":
policy-map type service primarysvc1sg-service-group group1Related Commands
sg-service-type
To identify an Intelligent Services Gateway (ISG) service as primary or secondary, use the sg-service-type command in service policy-map configuration mode. To remove this specification, use the no form of this command.
sg-service-type {primary | secondary}
no sg-service-type {primary | secondary}
Syntax Description
Command Default
A service is not identified as a primary service.
Command Modes
Service policy-map configuration
Command History
Usage Guidelines
An ISG primary service is a service that contains a network-forwarding policy, such as a virtual routing or forwarding instance (VRF) or tunnel specification. A service must be identified as a primary service by using the sg-service-type primary command. Any service that is not a primary service is identified as a secondary service by default. In other words, the service policy map for a primary service must include a network-forwarding policy and the sg-service-type primary command. A secondary service must not include a network-forwarding policy, and inclusion of the sg-service-type secondary command is optional.
Examples
The following example identifies a service as a primary service:
policy-map type service service1ip vrf forwarding bluesg-service-type primaryRelated Commands
policy-map type service
Creates or modifies a service policy map, which is used to define an ISG subscriber service.
sg-service-type external policy
To identify an Intelligent Services Gateway (ISG) service as an external policy, use the sg-service-type external policy command in service policy-map configuration mode. To remove this specification, use the no form of this command.
sg-service-type external policy external-policy
no sg-service-type external policy external-policy
Syntax Description
Command Default
A service is not identified as an external policy.
Command Modes
Service policy-map configuration (config-service-policymap)
Command History
12.2(33)SRC
This command was introduced.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Usage Guidelines
An external policy service type identifies a service as being provided by an external device. The external device is configured in a peering relationship with the ISG device via the aaa server radius policy-device command. The external device handles policies for user sessions that use the service.
Examples
The following example identifies the ISG service as an external policy:
Router(config)# policy-map type service SCE-SERVICE-LOCALRouter(config-service-policymap)# sg-service-type external-policyRelated Commands
show class-map type control
To display information about Intelligent Services Gateway (ISG) control class maps, use the show class-map type control command in privileged EXEC mode.
show class-map type control
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show class-map type control command to display information about ISG control class maps, including statistics on the number of times a particular class has been evaluated and what the results were.
Examples
The following example shows sample output for the show class-map type control command:
Router# show class-map type controlCondition Action Exec Hit Miss Comp--------- ------ ---- --- ---- ----Table 3 describes the significant fields shown in the display.
Related Commands
show class-map type traffic
To display Intelligent Services Gateway (ISG) traffic class maps and their matching criteria, use the show class-map type traffic command in privileged EXEC mode.
show class-map type traffic
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows configuration of a traffic class-map and corresponding sample output for the show class-map type traffic command. The output is self-explanatory.
!access-list 101 permit ip any anyaccess-list 102 permit ip any any!class-map type traffic match-any PEER_TRAFFICmatch access-group output 102match access-group input 101!Router# show class-map type trafficClass-map: match-any PEER_TRAFFIC------------------------------------------------------Output:Extended IP access list 10210 permit ip any anyInput:Extended IP access list 10110 permit ip any anyRelated Commands
show idmgr
To display information related to the Intelligent Services Gateway (ISG) session identity, use the show idmgr command in privileged EXEC mode.
show idmgr {memory [detailed [component [substring]]] | service key session-handle session-handle-string service-key key-value | session key {aaa-unique-id aaa-unique-id-string | domainip-vrf ip-address ip-address vrf-id vrf-id | nativeip-vrf ip-address ip-address vrf-id vrf-id | portbundle ip ip-address bundle bundle-number | session-guid session-guid | session-handle session-handle-string | session-id session-id-string | circuit-id circuit-id | pppoe-unique-id pppoe-id} | statistics}
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
12.2(28)SB
This command was introduced.
Cisco IOS XE Release 2.6
The circuit-id keyword and circuit-id argument was added.
Examples
The following sample output for the show idmgr command displays information about the service called "service":
Router# show idmgr service key session-handle 48000002 service-key servicesession-handle = 48000002service-name = serviceidmgr-svc-key = 4800000273657276696365authen-status = authenThe following sample output for the show idmgr command displays information about a session and the service that is related to the session:
Router# show idmgr session key session-handle 48000002session-handle = 48000002aaa-unique-id = 00000002authen-status = authenusername = user1Service 1 information:session-handle = 48000002service-name = serviceidmgr-svc-key = 4800000273657276696365The following sample output for the show idmgr command displays information about the global unique identifier of a session:
Router# show idmgr session key session-guid 020202010000000Csession-handle = 18000003aaa-unique-id = 0000000Cauthen-status = autheninterface = nas-port:0.0.0.0:2/0/0/42authen-status = authenusername = FortyTwoaddr = 100.42.1.1session-guid = 020202010000000CThe following sample output for the show idmgr command displays information about the user session information in the ID Manager (IDMGR) database by specifying the unique circuit ID tag:Router# show idmgr session key circuit-id Ethernet4/0.100:PPPoE-Tag-1
session-handle = AA000007
aaa-unique-id = 0000000E
circuit-id-tag = Ethernet4/0.100:PPPoE-Tag-1
interface = nas-port:0.0.0.0:0/1/1/100
authen-status = authen
username = user1@cisco.com
addr = 106.1.1.3
session-guid = 650101020000000E
The session hdl AA000007 in the record is valid
The session hdl AA000007 in the record is valid
No service record foundTable 4 describes the significant fields shown in the display.
Related Commands
subscriber access pppoe unique-key circuit-id
Specifies a unique circuit ID tag for a PPPoE user session to be tapped on the router.
show interface monitor
To display interface statistics that will be updated at specified intervals, use the show interface monitor command in user EXEC or privileged EXEC mode.
show interface interface-type interface-number monitor [interval seconds]
Syntax Description
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
The show interface monitor command allows you to monitor an interface by displaying interface statistics and updating those statistics at regular intervals. While the statistics are being displayed, the command-line interface will prompt you to enter "E" to end the display, "C" to clear the counters, or "F" to freeze the display.
Examples
The following example shows sample output for the show interface monitor command. The display will be updated every 10 seconds.
Router# show interface ethernet 0/0 monitor interval 10Router Name: Scale3-Router8 Update Secs: 10Interface Name: Ethernet 0/0 Interface Status: UP, line is upLine Statistics: Total: Rate(/s) DeltaInput Bytes: 123456 123 7890Input Packets: 3456 56 560Broadcast: 1333 6 60OutputBytes: 75717 123 1230Output Packets: 733 44 440Error Statistics: Total: Delta:Input Errors: 0 0CRC Errors: 0 0Frame Errors: 0 0Ignored: 0 0Output Errors: 0 0Collisions: 0 0No. Interface Resets: 2End = e Clear = c Freeze = fEnter Command:Table 5 describes the significant fields shown in the display.
Related Commands
show interfaces
Displays statistics for all interfaces configured on the router or access server.
show ip portbundle ip
To display information about a particular Intelligent Services Gateway (ISG) port bundle, use the show ip portbundle ip command in privileged EXEC mode.
show ip portbundle ip port-bundle-ip-address bundle port-bundle-number
Syntax Description
port-bundle-ip-address
IP address used to identify the port bundle.
bundle port-bundle-number
Port bundle number.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show ip portbundle ip command to display the port mappings in a port bundle.
Examples
The following example is sample output for the show ip portbundle ip command:
Router# show ip portbundle ip 10.2.81.13 bundle 65Portbundle IP address: 10.2.81.13 Bundlenumber: 65Subscriber VRF: VRF2Subscriber Portmappings:Subscriber IP: 10.0.0.2 Subscriber Port: 11019 Mapped Port: 1040Table 6 describes the significant fields shown in the display.
Table 6 show ip portbundle ip Field Descriptions
Subscriber IP
Subscriber IP address.
Subscriber Port
Subscriber port number.
Mapped Port
Port assigned by the ISG.
Related Commands
show ip portbundle status
To display a information about Intelligent Services Gateway (ISG) port-bundle groups, use the show ip portbundle status command in privileged EXEC mode.
show ip portbundle status [free | inuse]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show ip portbundle status command to display a list of port-bundle groups, port-bundle length, and the number of free and in-use port bundles in each group.
Examples
The following example is sample output for the show ip portbundle status command when issued with no keywords:
Router# show ip portbundle statusBundle-length = 4Bundle-groups: -IP Address Free Bundles In-use Bundles10.2.81.13 4031 1Table 7 describes the significant fields shown in the display.
Related Commands
show ip subscriber
To display information about Intelligent Services Gateway (ISG) IP subscriber sessions, use the show ip subscriber command in user EXEC or privileged EXEC mode.
show ip subscriber [mac mac-address | [vrf vrf-name] [[dangling seconds] [detail] | interface interface-name [detail | statistics] | ip ip-address | static list listname | statistics {arp | dangling}]]
Syntax Description
Command Modes
User EXEC (>)
Privileged EXEC (#)Command History
Usage Guidelines
A session that has not been fully established within a specified period of time is referred to as a dangling session. The show ip subscriber command can be used with the dangling keyword to display dangling sessions. The seconds argument allows you to specify how long the session has to remain unestablished before it is considered dangling.
The interface and static list keywords are available only on the Cisco 7600 series router.
Examples
The following is sample output from the show ip subscriber command without any keywords:
Router# show ip subscriberDisplaying subscribers in the default service vrf:Type Subscriber Identifier Display UID Status--------- ---------------------- ------------ ------connected aaaa.1111.cccc [1] upThe following is sample output from the show ip subscriber command using the detail keyword. Detailed information is displayed about all the IP subscriber sessions associated with vrf1.
Router# show ip subscriber vrf vrf1 detailIP subscriber: 0000.0000.0002, type connected, status updisplay uid: 6, aaa uid: 17segment hdl: 0x100A, session hdl: 0x96000005, shdb: 0xBC000005session initiator: dhcp discoveryaccess address: 10.0.0.3service address: vrf1, 10.0.0.3conditional debug flag: 0x0control plane state: connected, start time: 1d06hdata plane state: connected, start time: 1d06harp entry: [vrf1] 10.0.0.3, Ethernet0/0midchain adj: 10.0.0.3 on multiservice1forwarding statistics:packets total: received 3542, sent 3538bytes total: received 2184420, sent 1158510packets dropped: 0, bytes dropped: 0The following is sample output from the show ip subscriber command using the list keyword. Detailed information is displayed about all the IP subscriber static sessions associated with the server list group called l1 on the 7600 series router.
Router# show ip subscriber static list l1Total static sessions for list l1: 1, Total IF attached: 1Interface: GigabitEthernet0/3, VRF: 0, 1The following is sample output from the show ip subscriber command using the statistics arp keywords:
Router# show ip subscriber statistics arpCurrent IP Subscriber ARP StatisticsTotal number of ARP reqs received : 27ARP reqs received on ISG interfaces : 25IP subscriber ARP reqs replied to : 1Dst on ISG : 0Src/Dst in same subnet : 0IP subscriber ARP reqs ignored : 2For route back to CPE : 2For no routes to dest. : 0Gratuitous : 0Due to invalid src IP : 0Due to other errors : 0IP sub ARP reqs with default action : 24Table 8 describes the significant fields shown in the display.
Related Commands
clear ip subscriber
Disconnects and removes all or specified ISG IP subscriber sessions.
ip subscriber list
Creates an IP subscriber static server group.
show platform isg session
To display the number of active Intelligent Services Gateway (ISG) subscriber sessions for a line card and the features applied on a session, use the show platform isg session command in privileged EXEC mode.
show platform isg session session-id subinteface-number [detail]
Syntax Description
Command Default
No default behavior or values.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
The show platform isg session command displays the total number of active subscriber sessions on the line card and information about the features that are configured on a session. For example, QoS or SACL.
Examples
This example shows the output for all installed line cards:
Router# show platform isg session 15 0 detailif_num 14 va_if_num 0 pid 15 type IPSIP flags 0x0 state BOUND hvlan v1(vc) 1014 v2 1200 0 dbg offSTATS(pkts, bytes) RX(0, 0) ctrl(0, 0) drop(0, 0) TX(0, 0) ctrl(0, 0) drop(0, 0)--------------------------------------------------========================================TenGigabitEthernet4/2.1 - if_number 14 15 policymap pmap-brr1-parent dir Outputnp 1 port 0 pm_num 4 lookuptype 1 flowid 256---------------------------------------------------policymap pmap-brr1-parent classid 0 dfs classid 2classmap config: cmap flags 0x6 feature flags 0x9queue config: gqid/pgqid 4/2police config: N/A marking config: N/AWRED config: N/Aclassmap instance: cfn statid 0node handle: B,4,128 queue: fid0/fid1/sel/spl 128/128/0/0statid: commit/excess/drop 1294464/1327232/1360000policy pmap-brr1-parent classid 0 dfs classid 2 level 0---------------------------------------------------------------Statistics type Packet count Byte countqueue:commit 0 0excess 0 0drop 0 0cur depth 0---------------------------------------------------policymap pmap-brr-child1 classid 1 dfs classid 0classmap config: cmap flags 0x4 feature flags 0x100police config:cir/cbs: 50000000/1562500 pir/pbs: 0/1562500 clr/mef/algo: 0/0/10:XMIT, Mark , cosi_cos 0 cos_cosi 0 dscp 0/0 cos 0/0 cosi 0/0 exp_top 0/0 exp_imp 0/01:DROP, Mark , cosi_cos 0 cos_cosi 0 dscp 0/0 cos 0/0 cosi 0/0 exp_top 0/0 exp_imp 0/02:DROP, Mark , cosi_cos 0 cos_cosi 0 dscp 0/0 cos 0/0 cosi 0/0 exp_top 0/0 exp_imp 0/0 marking config: N/AWRED config: N/Aclassmap instance: cfn statid 508327node handle: B,4,128 queue: fid0/fid1/sel/spl 128/128/0/0statid: commit/excess/drop 1294464/1327232/1360000police handle: np/index/type 1/1/fast tb 65697 statid: conform/exceed/violate 115116/115117/115118POLICE profile[0] inuse 1 cir/cbs 50000000/1562500 pir/pbs 0/1562500 clr/mef/algo 0/0x0/1[D]POLICE - index 0 cir/cbs: 6250000/1559756 pir/pbs: 0/0 clr/mef/algo: 0/0/1policy pmap-brr-child1 classid 1 dfs classid 0 level 1---------------------------------------------------------------Statistics type Packet count Byte countclassification 0 0police:conform 0 0exceed 0 0violate 0 0--tcam index table result: 0x30000C001 0x0 0x0 0x0flow hash table result: 0x7C1A70301000080 0x100000003FLW-07C1A703 01000080 00000001 00000003TM - Concat:NO, TMc:NO, Special_Q:NO, FID1:128, FID2:128Flow Stat:508327, Plcr1 TB/Stat-1/3, Plcr2 TB/Stat-0/0----------------------------------------------Level: 4 Index: 128 Child Index/Inuse: 65535/0 Flags: VHC PDL Wf M.WFQ 1020 QL 2/5-131072 normWFQ level 4 index 0 weight 10 inuse 3[D]WFQ - level:4, index:0 Weight Commit/Excess: 10/10[D]Entity Param - level:4 index:128 Mode/Priority: Enabled/NormalShape mode/factor: Unshaped/One Profiles- WRED/Scale:2/5 Shape:0 WFQ:0--Level: 3 Index: 16 Child Index/Inuse: 128/1 Flags: RHC PDL WfSh ServProf:1/flags/oh:---/0SHAPE level 3 index 1 inuse 1 cir 800000000 cbs 80216064 pir 800000000 pbs 3211264[D]SHAPE - level:3 index:1 bFS:0 cir:100000000 cbs:10027008 pir:100000000 pbs:401408WFQ level 3 index 1 weight 81 inuse 1[D]WFQ - level:4, index:33 Weight Commit/Excess: 81/1[D]Entity Param - level:3 index:16 Mode/Priority: Enabled/NormalShape mode/factor: Explicit/One Profiles- WRED/Scale:0/0 Shape:1 WFQ:33--Level: 2 Index: 0 Child Index/Inuse: 0/2 Flags: RHC I WfSHAPE level 2 index 0 inuse 1 cir 9920000 cbs 1007616 pir 9920000 pbs 1007616[D]SHAPE - level:2 index:0 bFS:0 cir:1240000 cbs:125952 pir:1240000 pbs:125952WFQ level 2 index 0 weight 2 inuse 1[D]WFQ - level:2, index:0 Weight Commit/Excess: 2/2[D]Entity Topology - level:2 index:0Child First/Total:0/32 L34 mode:0 ServProf:0[D]Entity Param - level:2 index:0 Mode/Priority: Enabled/PropagatedShape mode/factor: Unshaped/Half Profiles- WRED/Scale:0/0 Shape:0 WFQ:0--Level: 1 Index: 0 Child Index/Inuse: 0/1 Flags: RNC I Wf***---------------------------------------------------policymap pmap-brr-child1 classid 0 dfs classid 1classmap config: cmap flags 0x4 feature flags 0x1000police config: N/Amarking config: on coso 1WRED config: N/Aclassmap instance: cfn statid 508328node handle: B,4,128 queue: fid0/fid1/sel/spl 128/128/0/0statid: commit/excess/drop 1294464/1327232/1360000policy pmap-brr-child1 classid 0 dfs classid 1 level 1---------------------------------------------------------------Statistics type Packet count Byte countclassification 0 0--tcam index table result: 0x101300000000 0x400500000000 0x0 0x0flow hash table result: 0x7C1A80301000080 0x0FLW-07C1A803 01000080 00000000 00000000TM - Concat:NO, TMc:NO, Special_Q:NO, FID1:128, FID2:128Flow Stat:508328, Plcr1 TB/Stat-0/0, Plcr2 TB/Stat-0/0----------------------------------------------Level: 4 Index: 128 Child Index/Inuse: 65535/0 Flags: VHC PDL Wf M.WFQ 1020 QL 2/5-131072 normWFQ level 4 index 0 weight 10 inuse 3[D]WFQ - level:4, index:0 Weight Commit/Excess: 10/10[D]Entity Param - level:4 index:128 Mode/Priority: Enabled/NormalShape mode/factor: Unshaped/One Profiles- WRED/Scale:2/5 Shape:0 WFQ:0--Level: 3 Index: 16 Child Index/Inuse: 128/1 Flags: RHC PDL WfSh ServProf:1/flags/oh:---/0SHAPE level 3 index 1 inuse 1 cir 800000000 cbs 80216064 pir 800000000 pbs 3211264[D]SHAPE - level:3 index:1 bFS:0 cir:100000000 cbs:10027008 pir:100000000 pbs:401408WFQ level 3 index 1 weight 81 inuse 1[D]WFQ - level:4, index:33 Weight Commit/Excess: 81/1[D]Entity Param - level:3 index:16 Mode/Priority: Enabled/NormalShape mode/factor: Explicit/One Profiles- WRED/Scale:0/0 Shape:1 WFQ:33--Level: 2 Index: 0 Child Index/Inuse: 0/2 Flags: RHC I WfSHAPE level 2 index 0 inuse 1 cir 9920000 cbs 1007616 pir 9920000 pbs 1007616[D]SHAPE - level:2 index:0 bFS:0 cir:1240000 cbs:125952 pir:1240000 pbs:125952WFQ level 2 index 0 weight 2 inuse 1[D]WFQ - level:2, index:0 Weight Commit/Excess: 2/2[D]Entity Topology - level:2 index:0Child First/Total:0/32 L34 mode:0 ServProf:0[D]Entity Param - level:2 index:0 Mode/Priority: Enabled/PropagatedShape mode/factor: Unshaped/Half Profiles- WRED/Scale:0/0 Shape:0 WFQ:0--Level: 1 Index: 0 Child Index/Inuse: 0/1 Flags: RNC I WfRelated Commands
show platform isg session-count
To display the number of active Intelligent Services Gateway (ISG) subscriber sessions by line card, use the show platform isg session-count command in privileged EXEC mode.
show platform isg session-count {all | slot}
Syntax Description
all
Displays information for all line cards on the router.
slot
Displays information for a specific line card.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
The show platform isg session-count command displays either the total number of active subscriber sessions on the router, with individual totals by line card, or it displays the details for an individual line card in a specific slot.
The Cisco 7600 router limits the number of supported subscriber sessions per line card and per router chassis. Use this command to monitor the number of currently active sessions to ensure that the following limits are not exceeded:
•
•
•
Examples
The following example shows the output for all installed line cards:
Router# show platform isg session-count allTotal sessions per chassis : 8000Slot Sess-count Max Sess-count---- ---------- --------------5 8000 16000The following example shows the output for the ES+ line card in slot 5:
Router# show platform isg session-count 5ES+ line cardSessions on a port-channel are instantiated on all member portsPort-group Sess-instance Max Sess-instance---------- ------------- -----------------Gig5/1-Gig5/5 4000 4000Gig5/16-Gig5/20 4000 4000Table 9 describes the significant fields shown in the display, in alphabetical order.
Related Commands
show subscriber session
Displays information about subscriber sessions on the ISG router.
show policy-map type control
To display information about Intelligent Services Gateway (ISG) control policy maps, use the show policy-map type control command in privileged EXEC mode.
show policy-map type control
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show policy-map type control command to display information about ISG control policies, including statistics on the number of times each policy-rule within the policy map has been executed
Examples
The following example shows sample output for the show policy-map type control command:
Router# show policy-map type controlRule: internal-rule-acct-logonClass-map: always event account-logonAction: 1 authenticate aaa list defaultExecuted0Key:"Exec" - The number of times this rule action line was executedRelated Commands
show policy-map type service
To displays the contents of Intelligent Services Gateway (ISG) service policy maps and service profiles and session-related attributes, use the show policy-map type service command in privileged EXEC mode.
show policy-map type service
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows the configuration of a service profile called "prep_service" on a AAA server and the corresponding sample output for the show policy-map type service command.
Service Profile Configuration
Configuration of prep_service on simulator radius subscriber 8authentication prep_service pap ciscoidle-timeout 600vsa cisco generic 1 string "traffic-class=input access-group 102"Sample Output of show policy-map type service Command
Router# show policy-map type serviceCurrent policy profile DB contents are:Profile name: prep_service, 4 referencesidletime 600 (0x258)traffic-class "input access-group 102"Table 10 describes the significant fields shown in the display.
Related Commands
show class-map type traffic
Displays ISG traffic class maps and their matching criteria.
show processes cpu monitor
To display CPU utilization statistics that will be updated at specified intervals, use the show processes cpu monitor command in user EXEC or privileged EXEC mode.
show processes cpu monitor [interval minutes]
Syntax Description
interval seconds
(Optional) Interval, in minutes, at which the display will be updated. Range: 5 to 3600. Default: 5.
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
The show processes cpu monitor command allows you to monitor CPU utilization statistics by displaying updated statistics at regular intervals. While the statistics are being displayed, the command-line interface will prompt you to enter "E" to end the display or "F" to freeze the display.
Examples
The following example shows sample output for the show processes cpu monitor command:
Router# show processes cpu monitorCPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process3 772 712 1084 0.08% 0.04% 0.02% 0 Exec67 276 4151 66 0.08% 0.03% 0.01% 0 L2TP mgmt daemon116 604 2263 266 0.16% 0.05% 0.01% 0 IDMGR COREEnd = e Freeze = fEnter Command:Table 11 describes the significant fields shown in the display.
Related Commands
show processes cpu
Displays CPU utilization information about the active processes in a device.
show pxf cpu iedge
To display Parallel eXpress Forwarding (PXF) policy and template information, use the show pxf cpu iedge command in privileged EXEC mode.
show pxf cpu iedge [detail | policy policy-name | template]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example shows PXF template information:
Router# show pxf cpu iedge templateSuper ACL name OrigCRC Class Count CalcCRC1sacl_2 4EA94046 2 00000000if_info 71BA3F20Related Commands
show pxf cpu isg
To display Parallel eXpress Forwarding (PXF) Intelligent Services Gateway (ISG) policy and template information, use the show pxf cpu isg command in privileged EXEC mode.
show pxf cpu isg [detail | policy policy-name | template]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
The following example shows the ISG template information:
Router# show pxf cpu isg templateSuper ACL name OrigCRC Class Count CalcCRC1sacl_2 4EA94046 2 00000000if_info 71BA3F20Related Commands
show radius-proxy client
To display information about Intelligent Services Gateway (ISG) RADIUS proxy client devices, use the show radius-proxy client command in privileged EXEC mode.
show radius-proxy client ip-address [vrf vrf-name]
Syntax Description
ip-address
IP address of the RADIUS proxy client.
vrf vrf-name
(Optional) VRF associated with the RADIUS proxy client.
Note
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The show radius-proxy client command can be used to find out which subscribers are associated with which RADIUS clients.
Examples
The following example shows sample output for the show radius-proxy client command:
Router# show radius-proxy client 10.45.45.3Configuration details for client 10.45.45.3Shared secret: blue#@!$%&/ Msg Auth Ignore: NoLocal auth port: 1111 Local acct port: 2222Acct method list: FWDACCTSession Summary:RP ID IP Address1. 687865867 10.1.1.1Table 12 describes the significant fields shown in the display.
Related Commands
show radius-proxy session
Displays information about specific ISG RADIUS proxy sessions.
show radius-proxy session
To display information about specific Intelligent Services Gateway (ISG) RADIUS proxy sessions, use the show radius-proxy session command in privileged EXEC mode.
show radius-proxy session {id radius-proxy-ID | ip ip-address [vrf vrf-name]}
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
The following example shows sample output for the show radius-proxy session command:
Router# show radius-proxy session id 1694498816Session Keys:Caller ID: 000b.4691.e2e3Other Attributes:Username: aashUser IP: unassignedCalled ID:Client Information:NAS IP: 10.45.45.2NAS ID: localhostState Details:State: authenticatedTimer: ip-address (timeout: 240s, remaining: 166s)Related Commands
show radius-proxy client
Displays information about ISG RADIUS proxy client devices.
show redirect group
To display information about Intelligent Services Gateway (ISG) Layer 4 redirect server groups, use the show redirect group command in privileged EXEC mode.
show redirect group [group-name]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show redirect translations command without the group-name argument to display information about all Layer 4 redirect server groups.
Examples
The following example shows sample output for the show redirect group command:
Router# show redirect group redirect-group-defaultShowing all servers of the group redirect-group-defaultServer created : using cliServer Port10.30.81.22 8090Related Commands
show redirect translations
To display information about the Intelligent Services Gateway (ISG) Layer 4 redirect mappings for subscriber sessions, use the show redirect translations command in privileged EXEC mode.
show redirect translations [ip ip-address]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use the show redirect translations command without the ip ip-address keyword and argument to display Layer 4 redirect mappings for all subscriber sessions.
Examples
The following is sample output from the show redirect translations command displaying information about each active redirect translation:
Router# show redirect translationsLoad for five secs: 1%/0%; one minute: 2%; five minutes: 2%Time source is hardware calendar, *11:48:06.383 PST Wed Oct 21 2009Maximum allowed number of L4 Redirect translations per session: 5Destination IP/port Server IP/port Prot In Flags Out Flags Timestamp10.0.1.2 23 10.0.2.2 23 TCP Oct 21 2009 11:48:0110.0.1.2 23 10.0.2.2 23 TCP Oct 21 2009 11:48:0110.0.1.2 23 10.0.2.2 23 TCP Oct 21 2009 11:48:01Total Number of Translations: 3Highest number of L4 Redirect: 3 by session with source IP 10.0.0.2Table 9 describes the significant fields shown in the display, in alphabetical order.
Related Commands
show sgi
To display information about current Service Gateway Interface (SGI) sessions or statistics, use the show sgi command in privileged EXEC mode.
show sgi {session | statistics}
Syntax Description
session
Displays information about the current SGI session.
statistics
Displays information about the current SGI statistics
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example shows information about SGI sessions started and currently running, including the running state:
Router# show sgi sessionsgi sessions: open 1(max 10, started 15session id:1;started at 9:08:05; state OPENThe following example shows statistical information about SGI and the SGI processes that have been started:
Router# show sgi statisticssgi statisticstotal messages received 45current active messages 5; maximum active messages 7total isg service requests 4current active services 2; maximum active services 2sgi process statisticsprocess sgi handler 1pid 95, cpu percent (last minute) 1, cpu runtime 10(msec), memory accocated 4200 (bytes)Related Commands
debug sgi
Enables debugging for SGI.
sgi beep listener
Enables SGI.
test sgi xml
Allows onboard testing of SGI XML files when an external client is not available.
show ssm
To display Segment Switching Manager (SSM) information for switched Layer 2 segments, use the show ssm command in privileged EXEC mode.
show ssm {cdb | feature id [feature-id] | id | memory [chunk variable {feature | queue | segment} | detail] | segment id [segment-id] | switch id [switch-id]}
Syntax Description
Command Modes
Privileged EXEC
Command History
12.2(22)S
This command was introduced.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
Use the show ssm command to determine the segment ID for an active switched Layer 2 segment. The segment ID can be used with the debug condition xconnect command to filter debug messages by segment.
Examples
The following example shows sample output for the show ssm cdb command. The output for this command varies depending on the type of hardware being used.
Router# show ssm cdbSwitching paths active for class SSS:-------------------------------------|FR |Eth|Vlan|ATM|HDLC|PPP/AC|L2TP|L2TPv3|L2F|PPTP|ATM/AAL5|ATM/VCC|--------+---+---+----+---+----+------+----+------+---+----+--------+-------+FR | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |Eth | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |Vlan | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |ATM |-/E|-/E|-/E |-/-|-/E | -/E |-/E | -/E |-/-|-/- | -/E | -/E |HDLC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |PPP/AC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |L2TP | E | E | E |E/-| E | E | E | -/- | E | E | E | E |L2TPv3 | E | E | E |E/-| E | E |-/- | E |-/-|-/- | E | E |L2F |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- |PPTP |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- |ATM/AAL5| E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |ATM/VCC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |ATM/VPC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |ATM/Cell| E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |AToM |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E |PPP |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- |PPPoE |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- |PPPoA |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- |Lterm |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- |TC |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- |IP-If |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- |IP-SIP |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- |VFI |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E ||ATM/Cell|AToM|PPP|PPPoE|PPPoA|Lterm|TC |IP-If|IP-SIP|VFI|--------+--------+----+---+-----+-----+-----+---+-----+------+---+FR | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|Eth | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|Vlan | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|ATM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|HDLC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|PPP/AC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|L2TP | E |-/- | E | E | E | E |-/-| -/- | -/- |-/-|L2TPv3 | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|L2F | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-|PPTP | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-|ATM/AAL5| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|ATM/VCC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|ATM/VPC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|ATM/Cell| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|AToM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|PPP | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-|PPPoE | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-|PPPoA | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-|Lterm | -/- |-/- | E | E | E | E | E | E | E |-/-|TC | -/- |-/- |-/-| -/- | -/- | E | E | E | E |-/-|IP-If | -/- |-/- |-/-| -/- | -/- | E | E | E | -/- |-/-|IP-SIP | -/- |-/- |-/-| -/- | -/- | E | E | -/- | E |-/-|VFI | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|Switching paths active for class ADJ:-------------------------------------|FR |Eth|Vlan|ATM|HDLC|PPP/AC|L2TP|L2TPv3|L2F|PPTP|ATM/AAL5|ATM/VCC|--------+---+---+----+---+----+------+----+------+---+----+--------+-------+FR | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |Eth | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |Vlan | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |ATM |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E |HDLC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |PPP/AC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |L2TP |-/E|-/E|-/E |-/-|-/E | -/E | E | -/- |E/-|E/- | -/E | -/E |L2TPv3 | E | E | E |E/-| E | E |-/- | E |-/-|-/- | E | E |L2F |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- |PPTP |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- |ATM/AAL5| E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |ATM/VCC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |ATM/VPC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |ATM/Cell| E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |AToM |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E |PPP |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- |PPPoE |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- |PPPoA |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- |Lterm |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- |TC |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- |IP-If |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- |IP-SIP |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- |VFI |E/-| E | E |E/-|E/- | E/- |-/- | -/E |-/-|-/- | E | E ||ATM/Cell|AToM|PPP|PPPoE|PPPoA|Lterm|TC |IP-If|IP-SIP|VFI|--------+--------+----+---+-----+-----+-----+---+-----+------+---+FR | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E|Eth | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E |Vlan | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E |ATM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E|HDLC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E|PPP/AC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E|L2TP | -/E |-/- |E/-| E/- | E/- | E/- |-/-| -/- | -/- |-/-|L2TPv3 | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|L2F | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|PPTP | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|ATM/AAL5| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E |ATM/VCC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E |ATM/VPC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E |ATM/Cell| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E |AToM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E|PPP | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|PPPoE | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|PPPoA | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|Lterm | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|TC | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|IP-If | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|IP-SIP | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|VFI | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|Key:'-' - switching type is not available'R' - switching type is available but not enabled'E' - switching type is enabled'D' - switching type is disabledThe following example displays SSM output of the show ssm id command on a device with one active Layer 2 Tunnel Protocol Version 3 (L2TPv3) segment and one active Frame Relay segment. The segment ID field is shown in bold.
Router# show ssm idSSM Status: 1 switchSwitch-ID 4096 State: OpenSegment-ID: 8193 Type: L2TPv3[8]Switch-ID: 4096Physical intf: RemoteAllocated By: This CPUClass: SSSState: ActiveL2X switching context:Session ID Local 16666 Remote 54742TxSeq 0 RxSeq 0Tunnel end-point addr Local 10.1.1.2 Remote 10.1.1.1SSS Info Switch Handle 0x98000000 Ciruit 0x1B19510L2X Encap [24 bytes]45 00 00 00 00 00 00 00 FF 73 B7 86 01 01 01 0201 01 01 01 00 00 D5 D6Class: ADJState: ActiveL2X H/W Switching Context:Session Id Local 16666 Remote 54742Tunnel Endpoint Addr Local 10.1.1.2 Remote 10.1.1.1Adjacency 0x1513348 [complete] PW IP, Virtual3:16666L2X Encap [24 bytes]45 00 00 00 00 00 00 00 FF 73 B7 86 01 01 01 0201 01 01 01 00 00 D5 D6Segment-ID: 4096 Type: FR[1]Switch-ID: 4096Physical intf: LocalAllocated By: This CPUClass: SSSState: ActiveAC Switching Context: Se2/0:200SSS Info - Switch Handle=0x98000000 Ckt=0x1B194B0Interworking 0 Encap Len 0 Boardencap Len 0 MTU 1584Class: ADJState: ActiveAC Adjacency context:adjacency = 0x1513618 [complete] RAW Serial2/0:200Additional output displayed by this command is either self-explanatory or used only by Cisco engineers for internal debugging of SSM processes.
The following example shows sample output for the show ssm memory command:
Router# show ssm memoryAllocator-Name In-use/Allocated Count----------------------------------------------------------------------------SSM CM API large segment : 208/33600 ( 0%) [ 1] ChunkSSM CM API medium segment : 144/20760 ( 0%) [ 1] ChunkSSM CM API segment info c : 104/160 ( 65%) [ 1]SSM CM API small segment : 0/19040 ( 0%) [ 0] ChunkSSM CM inQ interrupt msgs : 0/20760 ( 0%) [ 0] ChunkSSM CM inQ large chunk ms : 0/33792 ( 0%) [ 0] ChunkSSM CM inQ msgs : 104/160 ( 65%) [ 1]SSM CM inQ small chunk ms : 0/20760 ( 0%) [ 0] ChunkSSM DP inQ msg chunks : 0/10448 ( 0%) [ 0] ChunkSSM Generic CM Message : 0/3952 ( 0%) [ 0] ChunkSSM HW Class Context : 64/10832 ( 0%) [ 1] ChunkSSM ID entries : 144/11040 ( 1%) [ 3] ChunkSSM ID tree : 24/80 ( 30%) [ 1]SSM INFOTYPE freelist DB : 1848/2016 ( 91%) [ 3]SSM SEG Base : 240/34064 ( 0%) [ 2] ChunkSSM SEG freelist DB : 5424/5592 ( 96%) [ 3]SSM SH inQ chunk msgs : 0/5472 ( 0%) [ 0] ChunkSSM SH inQ interrupt chun : 0/5472 ( 0%) [ 0] ChunkSSM SW Base : 56/10920 ( 0%) [ 1] ChunkSSM SW freelist DB : 5424/5592 ( 96%) [ 3]SSM connection manager : 816/1320 ( 61%) [ 9]SSM seg upd info : 0/2464 ( 0%) [ 0] ChunkTotal allocated: 0.246 Mb, 252 Kb, 258296 bytesRelated Commands
debug subscriber policy dpm timestamps
To include timestamp information for DHCP policy module (DPM) messages in debugging output, use the debug subscriber policy dpm timestamps command in privileged EXEC mode. To remove timestamp information from output, use the no form of this command.
debug subscriber policy dpm timestamps
no debug subscriber policy dpm timestamps
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
The debug subscriber policy dpm timestamps command enables the timestamp information for the latest DPM message that was received to be saved after a session is established. The timestamp for DPM messages is displayed in debugging output, including output from the show subscriber policy dpm context command.
Timestamp information is removed by default after a session is established. Enabling this command preserves the timestamp information so that it can be included in debugging output. This command does not display any debugging output; it enables timestamp output for other debug and show commands.
Examples
The following example shows how to include timestamp information in debug output:
Router# debug subscriber policy dpm timestampsSG dhcp message timestamps debugging is onRelated Commands
show subscriber policy dpm context
Displays event traces for DPM session contexts.
show subscriber policy dpm statistics
To display statistics for DHCP policy module (DPM) session contexts, use the show subscriber policy dpm statistics command in privileged EXEC mode.
show subscriber policy dpm statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
The show subscriber policy dpm statistics command displays cumulative information about the event traces that are captured for DPM session contexts. To clear the statistics, use the clear subscriber policy dpm statistics command.
Examples
The following is sample output from the show subscriber policy dpm statistics command.
Router# show subscriber policy dpm statisticsMessage Received Duplicate Ignored TotalDiscover Notification : 284 0 291Offer Notification : 0 0 2Address Assignment Notif : 2 0 2DHCP Classname request : 0 290 290Input Intf Override : 0 10 293Lease Termination Notif : 0 0 2Session Restart Request : 0 0 0Response to DHCP request for classnameAverage Time : Max Time :MAC address for Max Time :Response to DHCP Offer NotificationAverage Time : 30ms Max Time : 36msMAC address for Max Time : aaaa.2222.ccccOverall since last clearTotal Discover Init Sessions : 2Total Restarted Sessions : 0Average set up time for Discover initiated sessions : 2s26msMin set up time among Discover initiated sessions : 2s20msMax set up time among Discover initiated sessions : 2s32msCurrent active SessionsTotal Discover Init Sessions : 0Total Restarted Sessions : 0Average set up time for Discover initiated sessions :Min set up time among Discover initiated sessions: 2s20msMax set up time among Discover initiated sessions :MAC of session with Max DHCP Setup Time : aaaa.2222.ccccTotal number of DPM contexts allocated : 7Total number of DPM contexts freed : 6Total number of DPM contexts currently without session : 1Elapsed time since counters last cleared : 2h15m20sTable 14 describes some of the fields shown in the sample output, in alphabetical order.
Related Commands
show subscriber policy peer
To display the details of a subscriber policy peer, use the show subscriber policy peer command in user EXEC or privileged EXEC mode.
show subscriber policy peer {address ip-address | handle connection-handle-id | all}
Syntax Description
Command Modes
User EXEC (>)
Privileged EXEC (#)Command History
12.2(33)SRC
This command was introduced.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Usage Guidelines
PUSH mode or PULL mode is established when the peering relationship between the Intelligent Services Gateway (ISG) and Service Control Engine (SCE) devices is initiated. PUSH mode refers to the ISG device pushing out information to the SCE device about a new session. PULL mode refers to the SCE device requesting session identity when it first notices new unidentified traffic.
Only one SCE device in PUSH mode can be integrated with the ISG device. If another SCE device in PUSH mode requests a connection with the ISG device, a disconnect message is sent to the first SCE device that is in PUSH mode.
Examples
The following is sample output from the show subscriber policy peer command.
Router# show subscriber policy peer allPeer IP: 10.1.1.3Conn ID: 105Mode: PULLState: ACTIVEVersion: 1.0Conn up time: 00:01:01Conf keepalive: 0Negotiated keepalive: 25Time since last keepalive: 00:00:11Inform owner on pull: TRUETotal number of associated sessions: 2Associated session details:1E010101000000A01E010101000000A1Table 15 describes some of the fields shown in the sample output.
Table 15 show subscriber policy peer Field Descriptions
Related Commands
subscriber-policy
Defines or modifies the forward and filter decisions of the subscriber policy.
show subscriber session
To display information about subscriber sessions on an Intelligent Services Gateway (ISG), use the show subscriber session command in privileged EXEC mode.
show subscriber session [identifier {authen-status {authenticated | unauthenticated} | authenticated-domain domain-name | authenticated-username username | auto-detect | dnis dnis-number | mac-address mac-address | media type | nas-port port-identifier | protocol type | source-ip-address ip-address subnet-mask | timer timer-name | tunnel-name tunnel-name | unauthenticated-domain domain-name | unauthenticated-username username | vrf vrf-name} | uid session-identifier | username username] [detailed]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
If the show subscriber session command is entered without any keywords or arguments, information is displayed for all sessions on the ISG. When an identifier is specified, information is displayed for only those sessions that match the identifier.
Examples
The following is sample output from the show subscriber session command:
Router# show subscriber sessionCurrent Subscriber Information: Total sessions 1Uniq ID Interface State Service Identifier Up-time6 Traffic-Cl unauthen Ltm Internal rouble-pppoe 00:09:045 Vi3 authen Local Term rouble-pppoe 00:09:04The following is sample output from the show subscriber session command with an identifier specified. In this case, information is displayed for the session with the session identifier 3.
Router# show subscriber session identifier uid 3Current Subscriber Information: Total sessions 1Uniq ID Interface State Service Identifier Up-time-------------------------------------------------- Unique Session ID: 3 Identifier: 10.0.0.2 SIP subscriber access type(s): IP Current SIP options: Req Fwding/Req Fwded Session Up-time: 00:00:15, Last Changed: 00:00:15Policy information: Authentication status: authen Rules, actions and conditions executed: subscriber rule-map RULEB condition always event session-start 1 authorize identifier source-ip-addressConfiguration sources associated with this session:Interface: Ethernet0/0, Active Time = 00:00:15Table 16 describes the significant fields shown in the displays.
Related Commands
show vpdn session
Displays session information about the L2TP and L2F protocols, and PPPoE tunnels in a VPDN.
show subscriber trace history
To display the event traces for Intelligent Services Gateway (ISG) subscriber sessions that are saved in the trace history log, use the show subscriber trace history command in user EXEC or privileged EXEC mode.
show subscriber trace history {all | dpm | pm} [all | client-ip-address ip-address | mac-address mac-address | reason number | uid session-id]
Syntax Description
Command Default
Displays all session traces saved in the respective history log.
Command Modes
User EXEC (>)
Privileged EXEC (#)Command History
Usage Guidelines
Use the show subscriber trace history command, without any optional keywords, to display all session traces that are saved in the respective history log. To display the trace data for specific sessions, use one of the optional keywords for the IP address, MAC address, logging reason, or unique ID (UID). The router filters the output based on the keyword and displays only those traces that match the selected keyword.
Sessions that are marked as interesting, either because of an error or because the session failed, are saved to the trace history buffer if the subscriber trace history command is enabled. To clear the trace history logs, use the clear subscriber trace history command.
Examples
The following is sample output from the show subscriber trace history command with the client-ip-address keyword.
Router# show subscriber trace history dpm client-ip-address 10.0.0.2DPM session info: 5CC14D0MAC: aaaa.2222.cccc IP: 10.0.0.2UID: 2 reason: PM callback to clear=========================ET 11:46:03.959 PST Mon Aug 30 2010 PM invokerc OK, Session-StartET 11:46:03.959 PST Mon Aug 30 2010 dhcp discoverrc OK,No Sess,sess alloc,sess-start OKET 11:46:03.959 PST Mon Aug 30 2010 dhcp discoverrc OK,proc prev reqET 11:46:03.959 PST Mon Aug 30 2010 dhcp get classrc no c-aware cfgET 11:46:03.975 PST Mon Aug 30 2010 PM callbackGot Keys, rc dhcp wait no cb,upd msi vrf=0,Case: GOT_KEYSET 11:46:05.959 PST Mon Aug 30 2010 PM invokerc OK, Session-UpdateET 11:46:05.959 PST Mon Aug 30 2010 dhcp offerrc OK w delay,acc.if retET 11:46:05.983 PST Mon Aug 30 2010 PM callbackSession Update Succes, rc offer cb no-err,notify stdby,Case: \UPDATE_SUCCESSET 11:46:05.987 PST Mon Aug 30 2010 dhcp discoverrc OK,proc prev reqET 11:46:05.991 PST Mon Aug 30 2010 i-if change,MAC ok,ignore: same i/fET 11:46:05.995 PST Mon Aug 30 2010 dhcp assign OKrc same IPET 11:56:52.743 PST Mon Aug 30 2010 PM invokerc OK, Session-StopET 11:56:52.743 PST Mon Aug 30 2010 dhcp lease termrsn 4, rc OKET 11:56:52.759 PST Mon Aug 30 2010 PM callbackTerminate, rc end sess,Case: REQ_TERMINATEThe following is sample output from the show subscriber trace history command with the reason keyword.
Router# show subscriber trace history dpm reason 2DPM session info: 5CC14D0MAC: aaaa.2222.cccc IP: 10.0.0.2UID: 2 reason: PM callback to clear=========================ET 11:46:03.959 PST Mon Aug 30 2010 PM invokerc OK, Session-StartET 11:46:03.959 PST Mon Aug 30 2010 dhcp discoverrc OK,No Sess,sess alloc,sess-start OKET 11:46:03.959 PST Mon Aug 30 2010 dhcp discoverrc OK,proc prev reqET 11:46:03.959 PST Mon Aug 30 2010 dhcp get classrc no c-aware cfgET 11:46:03.975 PST Mon Aug 30 2010 PM callbackGot Keys, rc dhcp wait no cb,upd msi vrf=0,Case: GOT_KEYSET 11:46:05.959 PST Mon Aug 30 2010 PM invokerc OK, Session-UpdateET 11:46:05.959 PST Mon Aug 30 2010 dhcp offerrc OK w delay,acc.if retET 11:46:05.983 PST Mon Aug 30 2010 PM callbackSession Update Succes, rc offer cb no-err,notify stdby,Case: \UPDATE_SUCCESSET 11:46:05.987 PST Mon Aug 30 2010 dhcp discoverrc OK,proc prev reqET 11:46:05.991 PST Mon Aug 30 2010 i-if change,MAC ok,ignore: same i/fET 11:46:05.995 PST Mon Aug 30 2010 dhcp assign OKrc same IPET 11:56:52.743 PST Mon Aug 30 2010 PM invokerc OK, Session-StopET 11:56:52.743 PST Mon Aug 30 2010 dhcp lease termrsn 4, rc OKET 11:56:52.759 PST Mon Aug 30 2010 PM callbackTerminate, rc end sess,Case: REQ_TERMINATEThe following is sample output from the show subscriber trace history command with the all keyword. Note that this is the same output that displays if you use the show subscriber trace history dpm command, without any of the optional keywords.
Router# show subscriber trace history dpm allDPM session info: 5CC14D0MAC: aaaa.2222.cccc IP: 10.0.0.2UID: 2 reason: PM callback to clear=========================ET 11:46:03.959 PST Mon Aug 30 2010 PM invokerc OK, Session-StartET 11:46:03.959 PST Mon Aug 30 2010 dhcp discoverrc OK,No Sess,sess alloc,sess-start OKET 11:46:03.959 PST Mon Aug 30 2010 dhcp discoverrc OK,proc prev reqET 11:46:03.959 PST Mon Aug 30 2010 dhcp get classrc no c-aware cfgET 11:46:03.975 PST Mon Aug 30 2010 PM callbackGot Keys, rc dhcp wait no cb,upd msi vrf=0,Case: GOT_KEYSET 11:46:05.959 PST Mon Aug 30 2010 PM invokerc OK, Session-UpdateET 11:46:05.959 PST Mon Aug 30 2010 dhcp offerrc OK w delay,acc.if retET 11:46:05.983 PST Mon Aug 30 2010 PM callbackSession Update Succes, rc offer cb no-err,notify stdby,Case: \UPDATE_SUCCESSET 11:46:05.987 PST Mon Aug 30 2010 dhcp discoverrc OK,proc prev reqET 11:46:05.991 PST Mon Aug 30 2010 i-if change,MAC ok,ignore: same i/fET 11:46:05.995 PST Mon Aug 30 2010 dhcp assign OKrc same IPET 11:56:52.743 PST Mon Aug 30 2010 PM invokerc OK, Session-StopET 11:56:52.743 PST Mon Aug 30 2010 dhcp lease termrsn 4, rc OKET 11:56:52.759 PST Mon Aug 30 2010 PM callbackTerminate, rc end sess,Case: REQ_TERMINATEDPM session info: 5CC1708MAC: aaaa.2222.cccc IP: 0.0.0.0UID: 3 reason: PM callback to clear=========================ET 12:11:04.279 PST Mon Aug 30 2010 dhcp get classrc no c-aware cfgET 12:12:17.351 PST Mon Aug 30 2010 i-if change,MAC ok,ignore: same i/fET 12:12:17.351 PST Mon Aug 30 2010 dhcp discoverrc OK,proc prev reqET 12:12:17.351 PST Mon Aug 30 2010 dhcp get classrc no c-aware cfgET 12:12:20.487 PST Mon Aug 30 2010 i-if change,MAC ok,ignore: same i/fET 12:12:20.487 PST Mon Aug 30 2010 dhcp discoverrc OK,proc prev reqET 12:12:20.487 PST Mon Aug 30 2010 dhcp get classrc no c-aware cfgET 12:12:24.503 PST Mon Aug 30 2010 i-if change,MAC ok,ignore: same i/fET 12:12:24.503 PST Mon Aug 30 2010 dhcp discoverrc OK,proc prev reqET 12:12:24.503 PST Mon Aug 30 2010 dhcp get classrc no c-aware cfgET 12:13:38.383 PST Mon Aug 30 2010 i-if change,MAC ok,ignore: same i/fET 12:13:38.383 PST Mon Aug 30 2010 dhcp discoverrc OK,proc prev reqET 12:13:38.383 PST Mon Aug 30 2010 dhcp get classrc no c-aware cfgET 12:13:41.719 PST Mon Aug 30 2010 i-if change,MAC ok,ignore: same i/fET 12:13:41.719 PST Mon Aug 30 2010 dhcp discoverrc OK,proc prev reqET 12:13:41.719 PST Mon Aug 30 2010 dhcp get classrc no c-aware cfgET 12:13:45.727 PST Mon Aug 30 2010 i-if change,MAC ok,ignore: same i/fET 12:13:45.727 PST Mon Aug 30 2010 dhcp discoverrc OK,proc prev reqET 12:13:45.727 PST Mon Aug 30 2010 dhcp get classrc no c-aware cfgET 12:13:59.475 PST Mon Aug 30 2010 PM callbackTerminate, rc end sess,Case: REQ_TERMINATEDPM session info: 5CC1940MAC: aaaa.2222.cccc IP: 0.0.0.0UID: 4 reason: PM callback to clear=========================...DPM session info: 5CC1B78MAC: aaaa.2222.cccc IP: 0.0.0.0UID: 5 reason: PM callback to clear=========================...DPM session info: 5CC1DB0MAC: aaaa.2222.cccc IP: 0.0.0.0UID: 6 reason: PM callback to clear=========================...PM session info: 5CBCE98MAC: aaaa.2222.cccc IP: 0.0.0.0UID: 3 reason: dangling session cleared=========================ET 11:57:31.531 PST Mon Aug 30 2010 init requestOLDST[0]:initial-reqNEWST[0]:initial-reqfxn[0]:sss_policy_invoke_service_sel FLAGS:0ET 11:57:31.535 PST Mon Aug 30 2010 got apply config successOLDST[8]:wait-for-eventsNEWST[8]:wait-for-eventsfxn[3]:sss_pm_action_sm_req_apply_config_success FLAGS:2B7PM session info: 5CBCFB0MAC: aaaa.2222.cccc IP: 0.0.0.0UID: 4 reason: dangling session cleared=========================ET 12:14:59.467 PST Mon Aug 30 2010 init requestOLDST[0]:initial-reqNEWST[0]:initial-reqfxn[0]:sss_policy_invoke_service_sel FLAGS:0ET 12:14:59.475 PST Mon Aug 30 2010 got apply config successOLDST[8]:wait-for-eventsNEWST[8]:wait-for-eventsfxn[3]:sss_pm_action_sm_req_apply_config_success FLAGS:2B7PM session info: 5CBD0C8MAC: aaaa.2222.cccc IP: 0.0.0.0UID: 5 reason: dangling session cleared=========================ET 12:44:42.127 PST Mon Aug 30 2010 init requestOLDST[0]:initial-reqNEWST[0]:initial-reqfxn[0]:sss_policy_invoke_service_sel FLAGS:0ET 12:44:42.135 PST Mon Aug 30 2010 got apply config successOLDST[8]:wait-for-eventsNEWST[8]:wait-for-eventsfxn[3]:sss_pm_action_sm_req_apply_config_success FLAGS:2B7PM session info: 5CBD1E0MAC: aaaa.2222.cccc IP: 0.0.0.0UID: 6 reason: dangling session cleared=========================ET 13:14:24.983 PST Mon Aug 30 2010 init requestOLDST[0]:initial-reqNEWST[0]:initial-reqfxn[0]:sss_policy_invoke_service_sel FLAGS:0ET 13:14:24.991 PST Mon Aug 30 2010 got apply config successOLDST[8]:wait-for-eventsNEWST[8]:wait-for-eventsfxn[3]:sss_pm_action_sm_req_apply_config_success FLAGS:2B7Table 17 describes some of the significant fields shown in the sample output.
Related Commands
show subscriber trace statistics
To display statistics about the event traces for Intelligent Services Gateway (ISG) subscriber sessions that were saved to the history log, use the show subscriber trace statistics command in user EXEC or privileged EXEC mode.
show subscriber trace statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC (>)
Privileged EXEC (#)Command History
Usage Guidelines
The show subscriber trace statistics command displays cumulative statistics about the event traces that were saved to the history log when the subscriber trace history command is enabled. Individual statistics display for each of the modules. To clear the trace history logs, use the clear subscriber trace history command.
Examples
The following is sample output from the show subscriber trace statistics command, showing information for both the DPM and the PM.
Router# show subscriber trace statisticsEvent Trace History Statistics: DPMLogging enabledAll time max records: 5Max records: 5Current records: 5Current log size: 200Proposed log size 200Oldest, newest index: 0 : 4Event Trace History Statistics: Policy ManagerLogging enabledAll time max records: 4Max records: 4Current records: 4Current log size: 64Proposed log size 64Oldest, newest index: 0 : 3Table 18 describes some of the fields shown in the sample output, in the order in which they display.
Related Commands
source
To specify the interface for which the main IP address will be mapped by the Intelligent Services Gateway (ISG) to the destination IP addresses in subscriber traffic, use the source command in IP portbundle configuration mode. To remove this specification, use the no form of this command.
source interface-type interface-number
no source interface-type interface-number
Syntax Description
interface-type interface-number
Interface whose main IP address is used as the ISG source IP address.
Command Default
An interface is not specified.
Command Modes
IP portbundle configuration
Command History
Usage Guidelines
The ISG Port-Bundle Host Key feature enables an ISG to map the destination IP addresses in subscriber traffic to the IP address of a specified ISG interface.
All ISG source IP addresses specified with the source command must be routable in the management network in which the portal resides.
If the interface for the source IP address is deleted, the port-map translations will not work correctly.
Because a subscriber can have several simultaneous TCP sessions when accessing a web page, ISG assigns a bundle of ports to each subscriber. Because the number of available port bundles is limited, you can assign multiple ISG source IP addresses (one for each group of port bundles). By default, each group has 4032 bundles, and each bundle has 16 ports. To modify the number of bundles per group and the number of ports per bundle, use the length command.
Examples
In the following example, the ISG will map the destination IP addresses in subscriber traffic to the main IP address of Ethernet interface 0/0/0:
ip portbundlesource ethernet 0/0/0Related Commands
subscriber accounting ssg
To display the subscriber inbound and outbound data in accounting records in Service Selection Gateway (SSG) format, use the subscriber accounting ssg command in global configuration mode. To disable the SSG accounting format, use the no form of this command.
subscriber accounting ssg
no subscriber accounting ssg
Syntax Description
This command has no arguments or keywords.
Command Default
SSG accounting format is disabled.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The subscriber accounting ssg command allows Intelligent Services Gateway (ISG) to use the same format as SSG for the subscriber inbound and outbound byte counts in the ssg-control-info accounting attribute. By default, ISG reverses the inbound and outbound values in the ssg-control-info attribute. This command makes ISG compatible with SSG accounting.
Examples
The following example shows how to enable ISG to use the SSG accounting format:
subscriber accounting ssgRelated Commands
subscriber feature prepaid
To create or modify a configuration of Intelligent Services Gateway (ISG) prepaid billing parameters that can be referenced from a service policy map or service profile, use the subscriber feature prepaid command in global configuration mode. To delete the configuration, use the no form of this command.
subscriber feature prepaid {name-of-configuration | default}
no subscriber feature prepaid {name-of-configuration | default}
Syntax Description
Defaults
The default configuration is used.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the subscriber feature prepaid command to create or modify a prepaid billing parameter configuration.
ISG prepaid billing is enabled in a service policy map on the router by entering the prepaid config command, or in a service profile on the AAA server by using the prepaid vendor-specific attribute (VSA). The prepaid config command and prepaid VSA reference a configuration that contains specific prepaid billing parameters.
A default prepaid configuration exists with the following parameters:
subscriber feature prepaid defaultthreshold time 0 secondsthreshold volume 0 bytesmethod-list authorization defaultmethod-list accounting defaultpassword ciscoThe default configuration will not show up in the output of the show running-config command unless you change any one of the parameters.
You can also use the subscriber feature prepaid command to create a named prepaid configuration. Named prepaid configurations are inherited from the default configuration, so if you create a named prepaid configuration and want only one parameter to be different from the default configuration, you have to configure only that parameter.
Examples
The following example shows prepaid billing enabled in a service called "mp3". The prepaid billing parameters in the configuration "conf-prepaid" will be used for "mp3" prepaid sessions.
policy-map type service mp3class type traffic CLASS-ACL-101authentication method-list cp-mlistaccounting method-list cp-mlistprepaid config conf-prepaidsubscriber feature prepaid conf-prepaidthreshold time 20threshold volume 0method-list accounting ap-mlistmethod-list authorization defaultpassword ciscoRelated Commands
prepaid config
Enables prepaid billing for an ISG service and references a configuration of prepaid billing parameters.
subscriber trace event
To enable event tracing for software modules that are involved in Intelligent Services Gateway (ISG) subscriber sessions, use the subscriber trace event command in global configuration mode. To disable event tracing, use the no form of this command.
subscriber trace event {dpm | pm} [retain]
no subscriber trace event {dpm | pm} [retain]
Syntax Description
Command Default
Event tracing is enabled for the DPM and PM. Retain functionality is disabled.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The subscriber trace event command enables event traces to be collected for existing subscriber sessions. It allows you to capture the trace of an event immediately as it occurs, before the session ends and the data is lost. Cisco Technical Assistance Center (TAC) personnel may request this event trace information when resolving issues with ISG subscriber sessions.
Sessions that are marked as interesting, because the session became stuck in a state, entered an error state, or failed due to an error, can be saved to a trace history buffer if the subscriber trace history command is enabled.
The system deletes (prunes) the event traces for sessions that are not considered interesting. Traces for existing sessions are maintained until the session is removed or pruned.
Event traces are retained until the corresponding IP session reaches the up state. If the retain keyword is configured, the trace data is retained until the DPM context is destroyed.
There is a limit of 20 event traces for each DPM session and eight for each PM session.
Examples
The following example shows how to enable event tracing for the DPM component:
Router(config)# subscriber trace event dpm retainRelated Commands
subscriber trace history
To enable saving event traces for Intelligent Services Gateway (ISG) subscriber sessions to a history log, use the subscriber trace history command in global configuration mode. To disable saving the event trace history, use the no form of this command.
subscriber trace history {dpm | pm} [size max-records]
no subscriber trace history {dpm | pm} [size max-records]
Syntax Description
Command Default
DPM and PM history logs are disabled; maximum size of history log buffers is 100 sessions.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The subscriber trace history command allows event traces to be saved to a history log and optionally modifies the size of the history log buffer. Sessions that are marked as interesting, because the session became stuck in a state, entered an error state, or failed due to an error, are saved to the trace history log. Event tracing must be enabled for the module using the subscriber trace event command.
Each software module has its own history log buffer. When the history log buffer reaches its configured capacity, the oldest event trace is written over by the newest event trace until you increase the size of the history log with this command or you clear the history log using the clear subscriber trace history command.
Modifying the size of the buffer with this command does not change the number of sessions that are currently saved to the history buffer. The no subscriber trace history command prevents any new sessions from being saved to the history log; it does not clear the current history log.
Examples
The following example shows how to set the DPM history log size to 200 sessions.
Router(config)# subscriber trace history dpm size 200Related Commands
test sgi xml
To feed a file into the Service Gateway Interface (SGI) process for testing of SGI XML files when an external client is not available, use the test sgi xml command in privileged EXEC configuration mode.
test sgi xml filename
Syntax Description
Command Default
A file is not submitted for testing.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
This command is used to verify the format of an SGI XML request. The XML file must be copied onto the router before it can be used by the test sgi xml command.
The external client is currently under development. In the absence of an external client, the test command can be used to verify the XML for specific SGI operations.
Examples
The following example shows the file `test.xml' run by the test sgi xml command:
Router# test sgi xml disk0:test.xmlRelated Commands
debug sgi
Enables debugging on SGI.
sgi beep listener
Enables SGI.
show sgi
Displays information about current SGI sessions or statistics.
threshold (ISG)
To configure the threshold at which the Intelligent Services Gateway (ISG) will send a reauthorization request to the prepaid billing server, use the threshold command in ISG prepaid configuration mode. To reset the threshold to the default value, use the no form of this command.
threshold {time number-of-seconds | volume number-of-bytes}
no threshold {time number-of-seconds | volume number-of-bytes}
Syntax Description
Command Default
ISG sends reauthorization requests when the subscriber runs out of quota, which is equivalent to a prepaid threshold of 0 seconds or 0 bytes.
Command Modes
ISG prepaid configuration
Command History
Usage Guidelines
By default, an ISG sends reauthorization requests to the billing server when a subscriber has run out of quota. ISG prepaid thresholds allows an ISG to send reauthorization requests before subscribers completely run out of quota. When a prepaid threshold is configured, the ISG sends a reauthorization request to the billing server when the amount of quota remaining is equal to the value of the threshold.
Examples
The following example shows an ISG prepaid feature configuration in which the threshold for time-based sessions is 20 seconds and the threshold for volume-based sessions is 0 bytes. When a time-based prepaid session has 20 seconds of quota remaining, the ISG will send a reauthorization request to the prepaid billing server. For volume-based prepaid sessions, the ISG will send a reauthorization request when the entire quota has been used up.
subscriber feature prepaid conf-prepaidinterim-interval 5threshold time 20threshold volume 0method-list accounting ap-mlistmethod-list authorization defaultpassword ciscoRelated Commands
timeout absolute (ISG)
To specify the maximum Intelligent Services Gateway (ISG) subscriber session lifetime, use the timeout absolute command in service policy map class configuration mode. To remove this specification, use the no form of this command.
timeout absolute duration-in-seconds
no timeout absolute duration-in-seconds
Syntax Description
Command Default
There is no maximum subscriber session lifetime.
Command Modes
Service policy map class configuration
Command History
Usage Guidelines
The timeout absolute command controls how long an ISG subscriber session can be connected before it is terminated.
Examples
The following example sets the subscriber session limit to 300 seconds:
class-map type traffic match-any traffic-classmatch access-group input 101match access-group output 102policy-map type service video-serviceclass type traffic traffic-classpolice input 20000 30000 60000police output 21000 31500 63000timeout absolute 300class type traffic defaultdropRelated Commands
timeout idle
Specifies how long an ISG subscriber session can be idle before it is terminated.
timeout idle
To specify how long an Intelligent Services Gateway (ISG) subscriber session can be idle before it is terminated, use the timeout idle command in service policy map class configuration mode. To return to the default value, use the no form of this command.
timeout idle duration-in-seconds
no timeout idle
Syntax Description
Command Default
Idle timeout is disabled.
Command Modes
Service policy map class configuration (config-service-policymap)
Command History
Usage Guidelines
The timeout idle command controls how long a connection can be idle before it is terminated. If this command is not configured, the connection is not terminated regardless of how long it is idle.
Examples
The following example limits idle connection time in a service policy map to 30 seconds:
class-map type traffic match-any traffic-classmatch access-group input 101match access-group output 102policy-map type service video-serviceclass type traffic traffic-classpolice input 20000 30000 60000police output 21000 31500 63000timeout idle 30class type traffic defaultdropRelated Commands
timer (ISG RADIUS proxy)
To configure the maximum amount of time that Intelligent Services Gateway (ISG) waits for an event before terminating a session, use the timer command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To disable the timer, use the no form of this command.
timer {ip-address | reconnect | request} seconds
no timer {ip-address | reconnect | request}
Syntax Description
Command Default
The default is 0 seconds. This indicates that the timer has not started.
Command Modes
RADIUS proxy server configuration (config-locsvr-proxy-radius)
RADIUS proxy client configuration (config-locsvr-radius-client)Command History
12.2(31)SB2
This command was introduced.
15.0(1)S
This command was modified. The reconnect keyword was added.
Usage Guidelines
Use the timer command to adjust your network to accommodate slow-responding devices.
ISG RADIUS proxy timers can be specified globally for all RADIUS proxy clients or per client. The per-client configuration overrides the global configuration. The timer is set by the RADIUS Proxy in response to termination of a subscriber's IP session associated with the RADIUS Proxy session. While the timer is running, the RADIUS Proxy session is maintained regardless of whether the subscriber's IP session (that got created after the timer was started) exists or not. If a subscriber's IP session does not exist when the timer expires, the RADIUS Proxy session is deleted. The timer is available only for Open-Authenticated RADIUS Proxy sessions.
Examples
In the following example, ISG is configured to wait 20 seconds for an Access-Request packet before terminating a RADIUS proxy session.
aaa server radius proxytimer request 20!Related Commands
aaa server radius proxy
Enables ISG RADIUS proxy configuration mode, in which ISG RADIUS proxy parameters can be configured.
trust
To define a trust state for traffic that is classified through the class policy-map configuration command, use the trust command in policy-map class configuration mode. To return to the default setting, use the no form of this command.
trust [cos | dscp | precedence]
no trust [cos | dscp | precedence]
Syntax Description
Command Default
The action is not trusted.
Command Modes
Policy-map class configuration (config-pmap-c)
Command History
12.2(14)SX
This command was introduced on the Catalyst 6500 series.
12.2(33)SRA
This command was implemented on the Catalyst 7600 series.
Usage Guidelines
Use this command to distinguish the quality of service (QoS) trust behavior for certain traffic from other traffic. For example, inbound traffic with certain DSCP values can be trusted. You can configure a class map to match and trust the DSCP values in the inbound traffic.
Trust values set with this command supersede trust values set with the qos trust interface configuration command.
If you specify the trust cos command, QoS uses the received or default port CoS value and the CoS-to-DSCP map to generate a DSCP value for the packet.
If you specify the trust dscp command, QoS uses the DSCP value from the ingress packet. For non-IP packets that are tagged, QoS uses the received CoS value; for non-IP packets that are untagged, QoS uses the default port CoS value. In either case, the DSCP value for the packet is derived from the CoS-to-DSCP map.
Examples
The following example shows how to define a port trust state to trust inbound DSCP values for traffic classified with "class1":
Router# configure terminalRouter(config)# policy-map policy1Router(config-pmap)# class class1Router(config-pmap-c)# trust dscpRouter(config-pmap-c)# police 1000000 20000 exceed-action policed-dscp-transmitRouter(config-pmap-c)# endRouter#You can verify your settings by entering the show policy-map privileged EXEC command.
Related Commands
