Cisco IOS Intelligent Services Gateway Command Reference
M through Z
Downloads: This chapterpdf (PDF - 1.0MB) The complete bookPDF (PDF - 1.81MB) | Feedback

match (radius-filter)match access-group (ISG)match access-listmatch authen-statusmatch authenticated-domainmatch authenticated-usernamematch dnismatch mediamatch mlp-negotiatedmatch nas-portmatch no-usernamematch protocol (ISG)match service-namematch source-ip-addressmatch timermatch tunnel-namematch unauthenticated-domainmatch unauthenticated-usernamematch vrfmatchnot (radius-filter)message-authenticator ignoremethod-listpassthru downstream ipv6password (ISG)police (ISG)policy-mappolicy-map type controlpolicy-map type servicepolicy-namepolicy-peerportprepaid configproxy (ISG RADIUS proxy)radius filterradius-server attribute 31radius-server attribute nas-port-id includere-authenticate do-not-applyredirect log translationsredirect server-groupredirect session-limitredirect to (ISG)server ipserver-keyservice (ISG)service deny (ISG)service local (ISG)service relay (ISG)service vpdn group (ISG)service-monitorservice-policyservice-policy type controlservice-policy type servicesession-identifier (ISG)set-timersgi beep listenersg-service-groupsg-service-typesg-service-type external policyshow class-map type controlshow class-map type trafficshow database datashow dwnld_mgrshow idmgrshow interface monitorshow ip portbundle ipshow ip portbundle statusshow ip subscribershow platform isg sessionshow platform isg session-countshow policy-map type controlshow policy-map type serviceshow processes cpu monitorshow pxf cpu iedgeshow pxf cpu isgshow radius-proxy clientshow radius-proxy sessionshow redirect groupshow redirect translationsshow sgishow ssm show subscriber policy dpm statisticsshow subscriber policy peershow subscriber serviceshow subscriber sessionshow subscriber statisticsshow subscriber trace statisticsshow subscriber trace historyshow subscriber trace statisticssourcesubscriber accounting accuracysubscriber accounting ssgsubscriber feature prepaidsubscriber policy recordingsubscriber redundancysubscriber trace eventsubscriber trace historytest sgi xmlthreshold (ISG)timeout absolute (ISG)timeout idletimer (ISG RADIUS proxy)trust

Contents

M through Z

match (radius-filter)

To configure a condition to check for filter match criteria, use the match command in RADIUS filter configuration mode. To remove filter match criteria, use the no form of this command.

match { attribute att-type-number | vendor-type ven-type-number [ attribute att-type-number ] }
no match { attribute att-type-number | vendor-type ven-type-number [ attribute att-type-number ] }

Syntax Description

attribute

Specifies the attribute that should be included in the filter.

att-type-number

Attribute type number. The range is from 1 to 256.

vendor-type

Specifies the vendor type that should be included in the filter.

ven-type-number

Vendor type number. The range is from 1 to 256.

Command Default

Filter match criteria are not configured.

Command Modes

RADIUS filter configuration (config-radius-filter)
      

Command History

Release Modification
Cisco IOS XE Release 3.5S

This command was introduced.

Usage Guidelines

Use the match command to check for the attribute to be present in the packet. The vendor-type and ven-type-number keyword-argument pair specifies the attributes associated with a specific vendor. If no attribute is specified, the condition matches the filter for any attribute of the specific vendor:

Examples

The following example shows how to enter the RADIUS filter configuration mode and configure a match attribute and a vendor type.

Device(config)# radius filter match-all filter1
Device (config-radius-filter) match vendor-type 15 attribute 45
      

Related Commands

Command Description

matchnot (radius-filter)

Configures a filter criterion for an unsuccessful match.

radius filter

Configures RADIUS packet filters.

match access-group (ISG)

To configure the match criteria for an Intelligent Services Gateway (ISG) traffic class map on the basis of the specified access control list (ACL), use the match access-group command in traffic class-map configuration mode. To remove the ACL from a class map, use the no form of this command.

match access-group { input | output } { access-list-number | name access-list-name }
no match access-group { input | output } { access-list-number | name access-list-name }

Syntax Description

input

Specifies match criteria for input traffic.

output

Specifies match criteria for output traffic.

access-list-number

A numbered ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to this class. Range is 1 to 2799.

name access-list-name

A named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to this class. The name can be a maximum of 40 alphanumeric characters

Command Default

No match criteria are configured.

Command Modes

Traffic class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match access-group command specifies a numbered or named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the class. Packets satisfying the match criteria for a class constitute the traffic for that class.

The ACL must be defined using the ip access-list command.

After a traffic class map has been defined, use the class type traffic command to associate the traffic class map with a service policy map. A service can contain one traffic class and the default class.

ISG traffic classes allow subscriber session traffic to be subclassified so that ISG features can be applied to constituent flows. Traffic policies, which define the handling of data packets, contain a traffic class and one or more features.

Examples

The following example shows a class map named "acl144" that is configured to use ACL 144 as the input match criterion for this class:

class-map type traffic match-any acl144 
 match access-group input 144 

Related Commands

Command

Description

class-map type traffic

Creates or modifies a traffic class map, which is used for matching packets to a specified ISG traffic class.

class type traffic

Associates a traffic class map with a service policy map.

ip access-list

Defines an IP access list or object group access control list (OGACL).

match access-list

To specify packets for port-mapping by specifying an access list to compare against the subscriber traffic, use the destination access-list command in portbundle configuration mode. To remove this specification, use the no form of this command.

match access-list access-list-number
no match access-list access-list-number

Syntax Description

access-list-number

Integer from 100 to 199 that is the number or name of an extended access list.

Command Default

The Intelligent Services Gateway (ISG) port-maps all TCP traffic.

Command Modes

IP portbundle configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

You can use multiple entries of the match access-list command. The access lists are checked against the subscriber traffic in the order in which they are defined.

Examples

In the following example, the ISG will port-map packets that are permitted by access list 100:

ip portbundle
 match access-list 100
 source ip Ethernet0/0/0
!
.
.
.
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 host 10.13.6.100
access-list 100 deny   ip any any

Related Commands

Command

Description

ip portbundle (service)

Enables the ISG Port-Bundle Host Key feature for a service.

show ip portbundle ip

Displays information about a particular ISG port bundle.

show ip portbundle status

Displays information about ISG port-bundle groups.

match authen-status

To create a condition that will evaluate true if a subscriber's authentication status matches the specified authentication status, use the match authen-status command in control class-map configuration mode. To remove the condition, use the no form of this command.

match authen-status { authenticated | unauthenticated }
no match authen-status { authenticated | unauthenticated }

Syntax Description

authenticated

Subscriber has been authenticated.

unauthenticated

Subscriber has not been authenticated.

Command Default

A condition that will evaluate true if a subscriber's authentication status matches the specified authentication status is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match authen-statuscommand is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.

class-map type type control match-all CONDA
 match authen-status unauthenticated
 match timer TIMERA
     
policy-map type control RULEA
 class type control always event session-start     
  1 set-timer TIMERA 1 [minutes]
!
class type control CONDA event timed-policy-expiry
 1 service disconnect

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match authenticated-domain

To create a condition that will evaluate true if a subscriber's authenticated domain matches the specified domain, use the match authenticated-domain command in control class-map configuration mode. To remove the condition, use the no form of this command.

match authenticated-domain { domain-name | regexp regular-expression }
no match authenticated-domain

Syntax Description

domain-name

Domain name.

regexp regular-expression

Regular expression to be matched against subscriber's authenticated domain name.

Command Default

A condition that will evaluate true if a subscriber's authenticated domain matches the specified domain is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match authenticated-domaincommand is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example creates a control class map that will evaluate true if a subscriber's domain matches the regular expression ".*com".

class-map type control match-all MY-CONDITION1
 match authenticated-domain regexp ".*com"

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match authenticated-username

To create a condition that will evaluate true if a subscriber's authenticated username matches the specified username, use the match authenticated-username command in control class-map configuration mode. To remove the condition, use the no form of this command.

match authenticated-username { username | regexp regular-expression }
no match authenticated-username { username | regexp regular-expression }

Syntax Description

username

Username

regexp regular-expression

Matches the regular expression against the subscriber's authenticated username.

Command Default

A condition is not created.

Command Modes

Control class-map configuration (config-control-classmap)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match authenticated-usernamecommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which evaluates to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true for the class as a whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates "class3" with the control policy map called "rule4".

class-map type control match-all class3
   match authenticated-username regexp "user@.*com" 
   match authenticated-domain regexp ".*com" 
! 
policy-map type control rule4
  class type control class3 event session-start
   1 authorize identifier authenticated-username

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match dnis

To create a condition that will evaluate true if a subscriber's Dialed Number Identification Service number (DNIS number, also referred to as called-party number ) matches the specified DNIS, use the match dnis command in control class-map configuration mode. To remove the condition, use the no form of this command.

match dnis { dnis | regexp regular-expression }
no match dnis { dnis | regexp regular-expression }

Syntax Description

dnis

DNIS number.

regexp regular-expression

Matches the regular expression against the subscriber's DNIS number.

Command Default

A condition that will evaluate true if a subscriber's DNIS number matches the specified DNIS is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match dniscommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates "class3" with the control policy map called "rule4".

class-map type control match-all class3
   match dnis reg-exp 5550100 
! 
policy-map type control rule4
  class type control class3 event session-start
   1 authorize identifier dnis!

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match media

To create a condition that will evaluate true if a subscriber's access media type matches the specified media type, use the match media command in control class-map configuration mode. To remove the condition, use the no form of this command.

match media { async | atm | ether | ip | isdn | mpls | serial }
no match media { async | atm | ether | ip | isdn | mpls | serial }

Syntax Description

async

Asynchronous media.

atm

ATM.

ether

Ethernet.

ip

IP.

isdn

ISDN.

mpls

Multiprotocol Label Switching (MPLS).

serial

Serial.

Command Default

A condition that will evaluate true if a subscriber's access media type matches the specified media type is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match media command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example configures a control class map that evaluates true for subscribers that enter the router through Ethernet interface slot 3.

class-map type control match-all MATCHING-USERS
 match media ether
 match nas-port type ether slot 3

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match mlp-negotiated

To create a condition that will evaluate true depending on whether or not a subscriber's session was established using multilink PPP negotiation, use the match mlp-negotiated command in control class-map configuration mode. To remove the condition, use the no form of this command.

match mlp-negotiated { no | yes }
no match mlp-negotiated { no | yes }

Syntax Description

no

The subscriber's session was not multilink PPP negotiated.

yes

The subscriber's session was multilink PPP negotiated.

Command Default

A condition is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match mlp-negotiatedcommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map configured with the match mlp-negotiated command:

class-map type control match-all class3
   match mlp-negotiated yes
 !
 policy-map type control rule4
  class type control class3 event session-start
   1 authorize authenticated-username

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match nas-port

To create a condition that will evaluate true if a subscriber's network access server (NAS) port identifier matches the specified value, use the match nas-port command in control class-map configuration mode. To remove the condition, use the no form of this command.

match nas-port { adapter adapter-number | channel channel-number | circuit-id name | ipaddr ip-address | port port-number | remote-id name | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number }
no match nas-port { adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number }

Syntax Description

adapter adapter-number

Interface adapter number.

channel channel-number

Interface channel number.

circuit-id name

Circuit ID

ipaddr ip-address

IP address.

port port-number

Port number.

remote-id name

Remote ID.

shelf shelf-number

Interface shelf number.

slot slot-number

Slot number.

sub-interface sub-interface-number

Subinterface number.

type interface-type

Interface type.

vci vci-number

Virtual channel identifier.

vlan vlan-id

VLAN ID.

vpi vpi-number

Virtual path identifier.

Command Default

A condition that will evaluate true if a subscriber's NAS port identifier matches the specified value is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match nas-portcommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example configures a control class map that evaluates true on PPPoE subscribers that enter the router through Ethernet interface slot 3.

class-map type control match-all MATCHING-USERS
 class type control name NOT-ATM
 match media ether
 match nas-port type ether slot 3

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match no-username

To create a condition that will evaluate true if a subscriber's username is available, use the match no-username command in control class-map configuration mode. To remove the condition, use the no form of this command.

match no-username { no | yes }
no match no-username { no | yes }

Syntax Description

no

The subscriber's username is available.

yes

The subscriber's username is not available.

Command Default

A condition that will evaluate true if a subscriber's username is available is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match no-username command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map configured with the match no-username command:

class-map type control match-all class3
   match no-username yes
 !
 policy-map type control rule4
  class type control class3 event session-start
   1 service local

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match protocol (ISG)

To create a condition that will evaluate true if a subscriber's access protocol type matches the specified protocol type, use the match protocol command in control class-map configuration mode. To remove the condition, use the no form of this command.

match protocol { atom | ip | pdsn | ppp | vpdn }
no match protocol { atom | ip | pdsn | ppp | vpdn }

Syntax Description

atom

Any Transport over MPLS (AToM).

ip

IP.

pdsn

Packet Data Serving Node (PDSN).

ppp

Point-to-Point Protocol (PPP).

vpdn

Virtual Private Dialup Network (VPDN).

Command Default

A condition that will evaluate true if a subscriber's access protocol type matches the specified protocol type is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match protocolcommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example creates a control class map that evaluates true if subscribers arrive from a VPDN tunnel:

 class-map type control match-any MY-CONDITION
  match protocol vpdn

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match service-name

To create a condition that will evaluate true if the service name associated with a subscriber matches the specified service name, use the match service-name command in control class-map configuration mode. To remove the condition, use the no form of this command.

match service-name { service-name | regexp regular-expression }
no service-name { service-name | regexp regular-expression }

Syntax Description

service-name

Service name.

regexp regular-expression

Regular expression to be matched against subscriber's service name.

Command Default

A condition that will evaluate true if the service name associated with a subscriber matches the specified service name is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match service-namecommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example configures ISG to authenticate subscribers associated with the service before downloading the service:

aaa authentication login AUTHEN local
aaa authorization network SERVICE group radius
!
class-map type control match-any MY-CONDITION2
 match service-name "gold"
 match service-name "bronze"
 match service-name "silver"
!
policy-map type control MY-RULE2
 class type control MY-CONDITION2 event service-start
  1 authenticate aaa list AUTHEN
  2 service-policy type service aaa list SERVICE identifier service-name
!
service-policy type control MY-RULE2

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match source-ip-address

To create a condition that will evaluate true if a subscriber's source IP address matches the specified IP address, use the match source-ip-addresscommand in control class-map configuration mode. To remove the condition, use the no form of this command.

match source-ip-address ip-address subnet-mask
no match source-ip-address ip-address subnet-mask

Syntax Description

ip-address

IP address.

subnet-mask

Subnet mask.

Command Default

A condition that will evaluate true if a subscriber's source IP address matches the specified IP address is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match source-ip-addresscommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates "class3" with the control policy map called "rule4".

class-map type control match-all class3
 match source-ip-address 10.0.0.0 255.255.255.0 
!
policy-map type control rule4
 class type control class3 event session-start
  1 authorize identifier source-ip-address
!

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match timer

To create a condition that will evaluate true when the specified timer expires, use the match timer command in control class-map configuration mode. To remove the condition, use the no form of this command.

match timer { timer-name | regexp regular-expression }
no match timer { timer-name | regexp regular-expression }

Syntax Description

timer-name

Name of the policy timer.

regexp regular-expression

Regular expression to be matched against the timer name.

Command Default

A condition that will evaluate true when the specified timer expires is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match timercommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.

class-map type control match-all CONDA
 match authen-status unauthenticated
 match timer TIMERA
     
policy-map type control RULEA
 class type control always event session-start     
  1 set-timer TIMERA 1
!
class type control CONDA event timed-policy-expiry
 1 service disconnect

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match tunnel-name

To create a condition that will evaluate true if a subscriber's Virtual Private Dialup Network (VPDN) tunnel name matches the specified tunnel name, use the match tunnel-name command in control class-map configuration mode. To remove the condition, use the no form of this command.

match tunnel-name { tunnel-name | regexp regular-expression }
no match tunnel-name { tunnel-name | regexp regular-expression }

Syntax Description

tunnel-name

VPDN tunnel name.

regexp regular-expression

Regular expression to be matched against the subscriber's tunnel name.

Command Default

A condition that will evaluate true if a subscriber's VPDN tunnel name matches the specified tunnel name is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match tunnel-name command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates "class3" with the control policy map called "rule4".

class-map type control match-all class3
  match tunnel-name LAC
!
policy-map type control rule4
 class type control class3 event session-start
  1 authorize identifier tunnel-name
!

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match unauthenticated-domain

To create a condition that will evaluate true if a subscriber's unauthenticated domain name matches the specified domain name, use the match unauthenticated-domaincommand in control class-map configuration mode. To remove the condition, use the no form of this command.

match unauthenticated-domain { domain-name | regexp regular-expression }
no match unauthenticated-domain { domain-name | regexp regular-expression }

Syntax Description

domain-name

Domain name.

regexp regular-expression

Regular expression to be matched against subscriber's domain name.

Command Default

A condition that will evaluate true if a subscriber's unauthenticated domain name matches the specified domain name is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match unauthenticated-domaincommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example configures a control class map that evaluates true for subscribers with the unauthenticated domain "abc.com":

class-map type control match-all MY-FORWARDED-USERS        
 match unauthenticated-domain "xyz.com"        

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match unauthenticated-username

To create a condition that will evaluate true if a subscriber's unauthenticated username matches the specified username, use the match unauthenticated-usernamecommand in control class-map configuration mode. To remove the condition, use the no form of this command.

match unauthenticated-username { username | regexp regular-expression }
no match unauthenticated-username { username | regexp regular-expression }

Syntax Description

username

Username.

regexp regular-expression

Regular expression to be matched against the subscriber's username.

Command Default

A condition that will evaluate true if a subscriber's unauthenticated username matches the specified username is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The match unauthenticated-usernamecommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type controlcommand is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates "class3" with the control policy map called "rule4".

class-map type control match-all class3
   match identifier unauthenticated-username regexp "user@.*com" 
! 
policy-map type control rule4
  class type control class3 event session-start
   1 authorize identifier unauthenticated-username!

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

match vrf

To create a condition that evaluates true if a subscriber's VPN routing and forwarding instance (VRF) matches the specified VRF, use the match vrf command in control class-map configuration mode. To remove this condition, use the no form of this command.

match vrf { vrf-name | regexp regular-expression }
no match vrf { vrf-name | regexp regular-expression }

Syntax Description

vrf-name

Name of the VRF.

regexp regular-expression

Regular expression to be matched against the subscriber's VRF.

Command Default

A condition that will evaluate true if a subscriber's VRF matches the specified VRF is not created.

Command Modes

Control class-map configuration

Command History

Release

Modification

12.2(31)SB2

This command was introduced.

Usage Guidelines

The match vrf command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example configures a policy that will be applied to subscribers who belong to the VRF "FIRST".

class-map type control TEST
 match vrf FIRST
policy-map type control GLOBAL
 class type control TEST event session-start
  1 service-policy type service name FIRST-SERVICE

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

matchnot (radius-filter)

To configure a condition to check for a filter criteria that do not match, use the matchnot command in RADIUS filter configuration mode. To remove a filter match criteria for an unsuccessful match, use the no form of this command.

matchnot { attribute att-type-number | vendor-type ven-type-number [ attribute att-type-number ] }
no matchnot { attribute att-type-number | vendor-type ven-type-number [ attribute att-type-number ] }

Syntax Description

attribute

Specifies the attribute that should be included in the filter.

att-type-number

Attribute type number. The range is from 1 to 256.

vendor-type

Specifies the vendor type that should be included in the filter.

ven-type-number

Vendor type number. The range is from 1 to 256.

Command Default

Filter criteria for an unsuccessful match is not configured.

Command Modes

RADIUS filter configuration (config-radius-filter)
      

Command History

Release Modification
Cisco IOS XE Release 3.5S

This command was introduced.

Usage Guidelines

Use the matchnot command to check whether an attribute is absent from the packet. The vendor-type and ven-type-number keyword/argument pair specifies the attribute that is associated with a specific vendor. If no attribute option is specified, the condition matches the filter for any attribute of the specific vendor.

Examples

The following example shows how to enter the RADIUS filter configuration mode and configure a match attribute and a vendor type.

Device(config)# radius filter match-all filter1
Device(config-radius-filter)# matchnot vendor-type 15 attribute 45
      

Related Commands

Command Description

match (radius-filter)

Configures a condition to check for a filter match criteria.

radius filter

Configures RADIUS packet filters.

message-authenticator ignore

To disable message-authenticator validation of packets from RADIUS clients, use the message-authenticator ignorecommand in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To reenable message-authenticator validation, use the no form of this command.

message-authenticator ignore
no message-authenticator ignore

Syntax Description

This command has no arguments or keywords.

Command Default

Message-authenticator validation is performed.

Command Modes

RADIUS proxy server configuration
RADIUS proxy client configuration

Command History

Release

Modification

12.2(31)SB2

This command was introduced.

Usage Guidelines

Use the message-authenticator ignore command when validation of the source of RADIUS packets is not required or in situations in which a RADIUS client is not capable of filling the message-authenticator field in the RADIUS packet.

Examples

The following example disables message-authenticator validation:

aaa server radius proxy 
 message-authenticator ignore 

Related Commands

Command

Description

aaa server radius proxy

Enables ISG RADIUS proxy configuration mode, in which ISG RADIUS proxy parameters can be configured.

method-list

To specify the authentication, authorization, and accounting (AAA) method list to which the Intelligent Services Gateway (ISG) will send prepaid accounting updates or prepaid authorization requests, use the method-list command in ISG prepaid configuration mode. To reset to the default value, use the no form of this command.

method-list { accounting | authorization } name-of-method-list
no method-list { accounting | authorization } name-of-method-list

Syntax Description

accounting

Specifies the AAA method list for ISG prepaid accounting.

authorization

Specifies the AAA method list for ISG prepaid authorization.

name-of-method-list

Name of the AAA method list to which ISG will send accounting updates or authorization requests.

Command Default

A method list is not specified.

Command Modes

Prepaid configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The AAA method list that is specified by the method-list command must be configured by using the aaa accounting command. See the Cisco IOS Security Configuration Guide for information about configuring AAA method lists, server groups, and servers.

Examples

The following example shows an ISG prepaid feature configuration in which a method list called "ap-mlist" is specified for prepaid accounting and the default method list is specified for prepaid authorization:

subscriber feature prepaid conf-prepaid
 interim-interval 5
 threshold time 20
 threshold volume 0
 method-list accounting ap-mlist
 method-list authorization default
 password cisco

Related Commands

Command

Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.

prepaid config

Enables prepaid billing for an ISG service and references a configuration of prepaid billing parameters.

subscriber feature prepaid

Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile

passthru downstream ipv6

To allow IPv6 downstream traffic from an Intelligent Services Gateway (ISG) interface to pass through to a subscriber without an established subscriber session, use the passthru downstream ipv6 command in IP subscriber configuration mode. To prevent downstream traffic from passing through without a subscriber session, use the no form of this command.

passthru downstream ipv6

Syntax Description

This command has no arguments or keywords.

Command Default

Downstream IPv6 traffic cannot pass through without a subscriber session.

Command Modes


IP subscriber configuration (config-subscriber)

Command History

Release Modification

Cisco IOS XE Release 3.6S

This command was introduced.

Usage Guidelines

The passthru downstream ipv6 command enables pass through of IPv6 downstream traffic if an IPv6-specific initiator is configured with the initiator unclassified ip-address or initiator unclassified ip-address ipv6 command.

This command enables subscribers to receive services, such as support and security updates, even if a subscriber session is not present.

If an IPv4-specific initiator is configured on the interface with the initiator unclassified ip-address ipv4 command, IPv6 downstream traffic is allowed without the pass through feature but IPv4 downstream traffic is blocked.

Examples

The following example shows that Ethernet interface 0/0 has been configured to allow IPv6 downstream traffic to be forwarded to subscribers even if a subscriber session is not present.

interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:DB8::1/64
 ipv6 enable
 no cdp enable
 service-policy type control my-policy2
 ip subscriber routed
  initiator unclassified ip-address
  passthru downstream ipv6

Related Commands

Command Description

initiator

Enables ISG to create an IP subscriber session upon receipt of a specified type of packet.

password (ISG)

To specify the password that the Intelligent Services Gateway (ISG) will use in authorization and reauthorization requests, use the password command in prepaid configuration mode. To reset the password to the default, use the no form of this command.

password password
no password password

Syntax Description

password

Password that the ISG will use in authorization and reauthorization requests. The default password is cisco.

Command Default

ISG uses the default password (cisco).

Command Modes

Prepaid configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Examples

The following example shows an ISG prepaid feature configuration in which the password is "pword" :

subscriber feature prepaid conf-prepaid
 interim-interval 5
 threshold time 20
 threshold volume 0
 method-list accounting ap-mlist
 method-list authorization default
 password pword

Related Commands

Command

Description

prepaid config

Enables prepaid billing for an ISG service and references a configuration of prepaid billing parameters.

subscriber feature prepaid

Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile.

police (ISG)

To configure Intelligent Services Gateway (ISG) policing, use the police command in service policy-map class configuration mode. To disable upstream policing, use the no form of this command.

police { input | output } committed-rate [ normal-burst excess-burst ]
no police { input | output } committed-rate [ normal-burst excess-burst ]

Syntax Description

input

Specifies policing of upstream traffic, which is traffic flowing from the subscriber toward the network.

output

Specifies policing of upstream traffic, which is traffic flowing from the network toward the subscriber.

committed-rate

Amount of bandwidth, in bits per second, to which a subscriber is entitled. Range is from 8000 to 128000000000 (or 128 Gbps).

normal-burst

(Optional) Normal burst size, in bytes. Range is from 1000 to 2000000000 (2 Gb). If the normal burst size is not specified, it is calculated from the committed rate using the following formula:

Normal burst = 1.5 * committed rate (scaled and converted to byte per msec)

excess-burst

(Optional) Excess burst size, in bytes. Range is from 1000 to 2000000000 (2 Gb). If the excess burst is not specified, it is calculated from the normal burst value using the following formula:

Excess burst = 2 * normal burst

Command Default

ISG policing is not enabled.

Command Modes

Service policy-map class configuration (config-service-policymap)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

15.0(1)SY

This command was modified. The maximum value for the committed-rate, normal-burst and excess-burst arguments was increased.

Usage Guidelines

ISG policing supports policing of upstream and downstream traffic and can be applied to a session or a flow.

Session-based policing applies to the aggregate of subscriber traffic for a session.

Session-based policing parameters can be configured on a AAA server in either a user profile or a service profile that does not specify a traffic class. It can also be configured on the router in a service policy map by using the police command. Session-based policing parameters that are configured in a user profile take precedence over session-based policing parameters configured in a service profile or service policy map.

Flow-based policing applies only to the destination-based traffic flows that are specified by a traffic class.

Flow-based policing can be configured on a AAA server in a service profile that specifies a traffic class. It can also be configured on the router under a traffic class in a service policy map by using the police command. Flow-based policing and session-based policing can coexist and operate simultaneously on subscriber traffic.

Examples

The following example shows the configuration of flow-based ISG policing in a service policy map:

class-map type traffic match-any C3
 match access-group in 103
 match access-group out 203 
policy-map type service P3
 class type traffic C3
  police input 20000 30000 60000
  police output 21000 31500 63000

Related Commands

Command

Description

class type traffic

Associates a previously configured traffic class to a service policy map.

policy-map type service

Creates or modifies a service policy map, which is used to define an ISG service.

policy-map

To enter policy-map configuration mode and create or modify a policy map that can be attached to one or more interfaces to specify a service policy, use the policy-mapcommand in global configuration mode. To delete a policy map, use the no form of this command.

Supported Platforms Other Than Cisco 10000 and Cisco 7600 Series Routers

policy-map [ type { stack | access-control | port-filter | queue-threshold | logging log-policy } ] policy-map-name
no policy-map [ type { stack | access-control | port-filter | queue-threshold | logging log-policy } ] policy-map-name

Cisco 10000 Series Router

policy-map [ type { control | service } ] policy-map-name
no policy-map [ type { control | service } ] policy-map-name

Cisco CMTS and 7600 Series Router

policy-map [ type { class-routing ipv4 unicast unicast-name | control control-name | service service-name } ] policy-map-name
no policy-map [ type { class-routing ipv4 unicast unicast-name | control control-name | service service-name } ] policy-map-name

Syntax Description

type

(Optional) Specifies the policy-map type.

stack

(Optional) Determines the exact pattern to look for in the protocol stack of interest.

access-control

(Optional) Enables the policy map for the flexible packet matching feature.

port-filter

(Optional) Enables the policy map for the port-filter feature.

queue-threshold

(Optional) Enables the policy map for the queue-threshold feature.

logging

(Optional) Enables the policy map for the control-plane packet logging feature.

log-policy

(Optional) Type of log policy for control-plane logging.

policy-map-name

Name of the policy map.

control

(Optional) Creates a control policy map.

control-name

Name of the control policy map.

service

(Optional) Creates a service policy map.

service-name

Name of the policy-map service.

class-routing

Configures the class-routing policy map.

ipv4

Configures the class-routing IPv4 policy map.

unicast

Configures the class-routing IPv4 unicast policy map.

unicast-name

Unicast policy-map name.

Command Default

The policy map is not configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

12.0(5)T

This command was introduced.

12.4(4)T

This command was modified. The type andaccess-controlkeywords were added to support flexible packet matching. The port-filter and queue-threshold keywords were added to support control-plane protection.

12.4(6)T

This command was modified. The logging keyword was added to support control-plane packet logging.

12.2(31)SB

This command was modified. The control and servicekeywords were added to support the Cisco 10000 series router.

12.2(18)ZY

This command was modified.

  • The type andaccess-controlkeywords were integrated into Cisco IOS Release 12.2(18)ZY on the Catalyst 6500 series switch that is equipped with the Supervisor 32/programmable intelligent services accelerator (PISA) engine.
  • The command was modified to enhance the Network-Based Application Recognition (NBAR) functionality on the Catalyst 6500 series switch that is equipped with the Supervisor 32/PISA engine.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.2(33)SRC

This command was modified. Support for this command was implemented on Cisco 7600 series routers.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1 and implemented on Cisco ASR 1000 series routers.

12.2(33)SCF

This command was integrated into Cisco IOS Release 12.2(33)SCF.

Usage Guidelines

Use the policy-map command to specify the name of the policy map to be created, added, or modified before you configure policies for classes whose match criteria are defined in a class map. The policy-map command enters policy-map configuration mode, in which you can configure or modify the class policies for a policy map.

You can configure class policies in a policy map only if the classes have match criteria defined for them. Use the class-map and match commands to configure match criteria for a class. Because you can configure a maximum of 64 class maps, a policy map cannot contain more than 64 class policies, except as noted for quality of service (QoS) class maps on Cisco 7600 systems.


Note


For QoS class maps on Cisco 7600 series routers, the limits are 1024 class maps and 256 classes in a policy map.

A policy map containing ATM set cell loss priority (CLP) bit QoS cannot be attached to PPP over X (PPPoX) sessions. The policy map is accepted only if you do not specify the set atm-clp command.

A single policy map can be attached to more than one interface concurrently. Except as noted, when you attempt to attach a policy map to an interface, the attempt is denied if the available bandwidth on the interface cannot accommodate the total bandwidth requested by class policies that make up the policy map. In such cases, if the policy map is already attached to other interfaces, the map is removed from those interfaces.


Note


This limitation does not apply on Cisco 7600 series routers that have session initiation protocol (SIP)-400 access-facing line cards.

Whenever you modify a class policy in an attached policy map, class-based weighted fair queuing (CBWFQ) is notified and the new classes are installed as part of the policy map in the CBWFQ system.


Note


Policy-map installation via subscriber-profile is not supported. If you configure an unsupported policy map and there are a large number of sessions, an equally large number of messages print on the console. For example, if there are 32,000 sessions, then 32,000 messages print on the console at 9,600 baud.

Class Queues (Cisco 10000 Series Routers Only)

The Performance Routing Engine (PRE)2 allows you to configure 31 class queues in a policy map.

In a policy map, the PRE3 allows you to configure one priority level 1 queue, one priority level 2 queue, 12 class queues, and one default queue.

Control Policies (Cisco 10000 Series Routers Only)

Control policies define the actions that your system will take in response to the specified events and conditions.

A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions are executed.

There are three steps involved in defining a control policy:

  1. Using the class-map type control command, create one or more control class maps.
  2. Using the policy-map type control command, create a control policy map.

A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.

  1. Using the service-policy type control command, apply the control policy map to a context.

Service Policies (Cisco 10000 Series Routers Only)

Service policy maps and service profiles contain a collection of traffic policies and other functions. Traffic policies determine which function is applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, which is a specific type of traffic policy that determines how session data packets will be forwarded to the network.

Policy Map Restrictions (Catalyst 6500 Series Switches Only)

Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. This release and platform has the following restrictions for using policy maps and match commands:

  • You cannot modify an existing policy map if the policy map is attached to an interface. To modify the policy map, remove the policy map from the interface by using the no form of the service-policy command.
  • Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. You can create as many traffic classes as needed. However, the following restrictions apply:
    • A single traffic class can be configured to match a maximum of 8 protocols or applications.
    • Multiple traffic classes can be configured to match a cumulative maximum of 95 protocols or applications.

Examples

The following example shows how to create a policy map called "policy1" and configure two class policies included in that policy map. The class policy called "class1" specifies a policy for traffic that matches access control list (ACL) 136. The second class is the default class to which packets that do not satisfy the configured match criteria are directed.

! The following commands create class-map class1 and define its match criteria:
class-map class1
 match access-group 136
! The following commands create the policy map, which is defined to contain policy
! specification for class1 and the default class:
policy-map policy1
class class1
 bandwidth 2000
 queue-limit 40
class class-default
 fair-queue 16
 queue-limit 20

The following example shows how to create a policy map called "policy9" and configure three class policies to belong to that map. Of these classes, two specify the policy for classes with class maps that specify match criteria based on either a numbered ACL or an interface name, and one specifies a policy for the default class called "class-default" to which packets that do not satisfy the configured match criteria are directed.

policy-map policy9
 
class acl136
 bandwidth 2000
 queue-limit 40
 
class ethernet101
 bandwidth 3000
 random-detect exponential-weighting-constant 10
class class-default
 fair-queue 10
 queue-limit 20

The following is an example of a modular QoS command-line interface (MQC) policy map configured to initiate the QoS service at the start of a session.

Router> enable
Router# configure terminal
Router(config)# policy-map type control TEST
Router(config-control-policymap)# class type control always event session-start
Router(config-control-policymap-class-control)# 1
 service-policy type service name QoS_Service
Router(config-control-policymap-class-control)# end

Examples for Cisco 10000 Series Routers Only

The following example shows the configuration of a control policy map named "rule4". Control policy map rule4 contains one policy rule, which is the association of the control class named "class3" with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.

class-map type control match-all class3
 match access-type pppoe
 match domain cisco.com
 available nas-port-id
!
policy-map type control rule4
 class type control class3
  authorize nas-port-id
!
service-policy type control rule4

The following example shows the configuration of a service policy map named "redirect-profile":

policy-map type service redirect-profile
 class type traffic CLASS-ALL
  redirect to group redirect-sg 

Examples for the Cisco CMTS Router

The following example shows how to define a policy map for the 802.1p domain:

enable
configure terminal
 policy-map cos7
  class cos7
  set cos 2
  end

The following example shows how to define a policy map for the MPLS domain:

enable
configure terminal
 policy-map exp7
  class exp7
  set mpls experimental topmost 2
  end

Related Commands

Command

Description

bandwidth (policy-map class)

Specifies or modifies the bandwidth allocated for a class belonging to a policy map.

class (policy-map)

Specifies the name of the class whose policy you want to create or change, and its default class before you configure its policy.

class class-default

Specifies the default class whose bandwidth is to be configured or modified.

class-map

Creates a class map to be used for matching packets to a specified class.

fair-queue (class-default)

Specifies the number of dynamic queues to be reserved for use by the class-default class as part of the default class policy.

match access-group

Configures the match criteria for a class map on the basis of the specified ACL.

queue-limit

Specifies or modifies the maximum number of packets that the queue can hold for a class policy configured in a policy map.

random-detect (interface)

Enables WRED or DWRED.

random-detect exponential-weighting-constant

Configures the WRED and DWRED exponential weight factor for the average queue size calculation.

random-detectservice-policy precedence

Configures WRED and DWRED parameters for a particular IP precedence.

service-policy

Attaches a policy map to an input interface or VC or an output interface or VC to be used as the service policy for that interface or VC.

set atm-clp precedence

Sets the ATM CLP bit when a policy map is configured.

policy-map type control

To create or modify a control policy map, which defines an Intelligent Services Gateway (ISG) control policy, use the policy-map type controlcommand in global configuration mode. To delete the control policy map, use the no form of this command.

policy-map type control tag policy-map-name
no policy-map type control tag policy-map-name

Syntax Description

tag

Network Admission Control (NAC) specific policy type.

policy-map-name

Name of the control policy map.

Command Default

A control policy map is not created.

Command Modes

Global configuration (config)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

12.2(33)SXI

This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SXI.

Cisco IOS XE 2.3

This command was integrated into a release earlier than Cisco IOS XE Release 2.3.

15.0(1)M

This command was modified in a release earlier than 15.0(1)M. The tag keyword and policy-map-name argument were added.

Usage Guidelines

Control policies define the actions that your system will take in response to specified events and conditions.

A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed.

There are three steps involved in defining a control policy:

  1. Create one or more control class, maps by using the class-map type control command.
  2. Create a control policy, map by using the policy-map type control command.

A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.

  1. Apply the control policy map to a context by using the service-policy type control command.

Examples

The following example shows the configuration of a control policy map called "rule4." Control policy map "rule4" contains one policy rule, which is the association of the control class "class3" with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.

class-map type control match-all class3
 match access-type pppoe
 match domain cisco.com
 available nas-port-id
!
policy-map type control tag rule4
 class type control class3
  authorize nas-port-id
!
service-policy type control rule4

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

service-policy type control

Applies a control policy to a context.

policy-map type service

To create or modify a service policy map, which is used to define an Intelligent Services Gateway (ISG) subscriber service, use the policy-map type servicecommand in global configuration mode. To delete a service policy map, use the no form of this command.

policy-map type service policy-map-name
no policy-map type service

Syntax Description

policy-map-name

Name of the service policy map.

Command Default

A service policy map is not created.

Command Modes

Global configuration (config)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Cisco IOS XE Release 2.4

This command was integrated into Cisco IOS Release XE 2.4.

Usage Guidelines

Use the policy-map type service command to create or modify an ISG service policy map. Service policy maps define ISG subscriber services.

An ISG service is a collection of policies that may be applied to a subscriber session. Services can be defined in service policy maps and service profiles. Service policy maps and service profiles serve the same purpose; the only difference between them is that a service policy map is defined on the local device using the policy-map type servicecommand, and a service profile is configured on an external device, such as an authentication, authorization, and accounting (AAA) server.

Service policy maps and service profiles contain a collection of traffic policies and other functionality. Traffic policies determine which functionality will be applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, a specific type of traffic policy that determines how session data packets will be forwarded to the network.

Examples

The following example shows how to create a service policy map called redirect-profile:

policy-map type service redirect-profile
 class type traffic CLASS-ALL
  redirect to group redirect-sg

Related Commands

Command

Description

class type traffic

Specifies a named traffic class whose policy you want to create or change or specifies the default traffic class in order to configure its policy.

policy-map type service

Displays the contents of all service policy maps.

policy-name

To configure a subscriber policy name, use the policy-name command in service policy map configuration mode. To remove a subscriber policy name, use the no form of this command.

policy-name policy
no policy-name policy

Syntax Description

policy

Name of policy configured on the Service Control Engine (SCE) device.

Command Default

The default policy is used for all subscribers.

Command Modes

Service policy map configuration (config-service-policymap)

Command History

Release

Modification

12.2(33)SRC

This command was introduced.

12.2(33)SB

This command was integrated into Cisco IOS Release 12.2(33)SB.

Usage Guidelines

The policy-name command is used with the policy-map type service command and must be configured together with the sg-service-type external-policy command. The policy name configured on the Intelligent Services Gateway (ISG) device must be the name of an existing policy that has already been configured on the SCE device.

Examples

The following example shows how to configure the subscriber policy name "SCE-SERVICE".

Router(config)# policy-map type service SCE-SERVICE
Router(config-service-policymap)# sg-service-type external-policy
Router(config-service-policymap)# policy-name GOLD

Related Commands

Command

Description

sg-service-type external-policy

Identifies a service as an external policy.

policy-peer

To configure a subscriber policy peer connection, use the policy-peercommand in global configuration mode. To remove a subscriber policy peer connection, use the no form of this command.

policy-peer [ address ip-address ] keepalive seconds
no policy-peer [ address ip-address ] keepalive seconds

Syntax Description

address

(Optional) Configures the IP address of the peer that is to be connected.

ip-address

Specifies the IP address of the peer to be connected.

keepalive

Configures the keepalive value to be used to monitor the peering relationship.

seconds

Keepalive value, in seconds. Range: 5 to 3600. Default: 0.

Command Modes

Global configuration (config)

Command History

Release

Modification

12.2(33)SRC

This command was introduced.

12.2(33)SB

This command was integrated into Cisco Release 12.2(33)SB.

Usage Guidelines

Use the keepalive keyword with the policy-peer command to monitor the peering relationship between the Intelligent Services Gateway (ISG) device and the Service Control Engine (SCE). When the ISG and SCE establish a peering relationship, they negotiate the lowest keepalive value between them. If the ISG keepalive value is set to zero (0), the ISG accepts the value proposed by the SCE. The SCE sends keepalive packets at specified intervals. If twice the time specified by the seconds argument goes by without the ISG receiving a keepalive packet from the SCE, the peering relationship is ended. The ISG ignores any messages from the SCE unless they are messages to establish peering.

Examples

The following example configures a subscriber policy peer connection with a keepalive value of 5 seconds.

Router(config)# policy-peer address 10.0.0.100 keepalive 5

Related Commands

Command

Description

aaa server radius policy-device

Enables ISG RADIUS server configuration mode.

show subscriber policy peer

Displays the details of a subscriber policy peer.

subscriber-policy

Defines or modifies the forward and filter decisions of the subscriber policy.

port

To specify the port on which a device listens for RADIUS requests from configured RADIUS clients, use the port command in dynamic authorization local server configuration mode. To restore the default, use the no form of this command.

port port-number
no port port-number

Syntax Description

port-number

Port number. The default value is port 1700.

Command Default

The device listens for RADIUS requests on the default port (port 1700).

Command Modes

Dynamic authorization local server configuration (config-locsvr-da-radius)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Cisco IOS XE Release 2.6

This command was integrated into Cisco IOS XE Release 2.6.

Usage Guidelines

A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the port command to specify the ports on which the router will listen for requests from RADIUS clients.

Examples

The following example specifies port 1650 as the port on which the device listens for RADIUS requests:

aaa server radius dynamic-author
 client 10.0.0.1
 port 1650

Related Commands

Command

Description

aaa server radius dynamic-author

Configures a device as a AAA server to facilitate interaction with an external policy server.

prepaid config

To enable prepaid billing for an Intelligent Services Gateway (ISG) service and to reference a configuration of prepaid billing parameters, use the prepaid config command in service policy traffic class configuration mode. To disable prepaid billing for a service, use the no form of this command.

prepaid config { name-of-configuration | default }
no prepaid config { name-of-configuration | default }

Syntax Description

name-of-configuration

A named configuration of prepaid billing parameters.

default

The default configuration of prepaid billing parameters.

Command Default

Prepaid billing is not enabled.

Command Modes

Service policy traffic class configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

ISG prepaid billing is enabled in a service policy map on the router by entering the prepaid config command, or in a service profile on the authentication, authorization, and accounting (AAA) server by using the prepaid vendor-specific attribute (VSA). The prepaid config command and prepaid VSA reference a configuration that contains specific prepaid billing parameters.

To create or modify a prepaid billing parameter configuration, use the subscriber feature prepaid command to enter prepaid configuration mode. A default prepaid configuration exists with the following parameters:

subscriber feature prepaid default
 threshold time 0 seconds
 threshold volume 0 bytes
 method-list authorization default
 method-list accounting default
 password cisco

The default configuration will not show up in the output of the show running-config command unless you change any one of the parameters.

The parameters of named prepaid configurations are inherited from the default configuration, so if you create a named prepaid configuration and want only one parameter to be different from the default configuration, you have to configure only that parameter.

Examples

The following example shows prepaid billing enabled in a service called "mp3". The prepaid billing parameters in the configuration "conf-prepaid" will be used for "mp3" prepaid sessions.

policy-map type service mp3
 class type traffic CLASS-ACL-101
  authentication method-list cp-mlist
  accounting method-list cp-mlist
  prepaid config conf-prepaid 
subscriber feature prepaid conf-prepaid
 threshold time 20
 threshold volume 0
 method-list accounting ap-mlist
 method-list authorization default
 password cisco

Related Commands

Command

Description

subscriber feature prepaid

Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile.

proxy (ISG RADIUS proxy)

To configure an Intelligent Services Gateway (ISG) device to send RADIUS packets to a method list, use the proxy command in control policy-map class configuration mode. To remove this action from the control policy, use the no form of this command.

action-number proxy [ aaa list { list-name | default } ] [ accounting aaa list acc-list-name ]
no action-number proxy [ aaa list { list-name | default } ] [ accounting aaa list acc-list-name ]

Syntax Description

action-number

Number of the action. Actions are executed sequentially within the policy rule.

aaa list

(Optional) Specifies that RADIUS packets will be sent to an authentication, authorization, and accounting (AAA) method list.

list-name

Name of the AAA method list to which RADIUS packets are sent.

default

Specifies that RADIUS packets will be sent to the default RADIUS server.

accounting aaa list

Defines a method list to which accounting is sent.

acc-list-name

Name of the accounting AAA method list to which RADIUS packets are sent.

Command Default

RADIUS packets are sent to the default method list.

Command Modes

Control policy-map class configuration (config-control-policymap-class-control)

Command History

Release

Modification

12.2(31)SB2

This command was introduced.

12.2(33)SRC

The accounting aaa list keyword was added.

12.2(33)SB

This command was implemented on the Cisco 10000 series.

Usage Guidelines

The proxy command is used to configure a control policy that causes ISG to forward RADIUS packets to a specified AAA method list. The method list must be configured with the aaa accountingcommand.

Control policies define the actions that the system takes in response to specified events and conditions. A control policy is made up of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

The accounting aaa list keyword is used configure the ISG device to forward incoming accounting requests from the SCE device to the AAA server.

Examples

The following example configures an accounting method list called "LIST-LOCAL". The server group called "AAA-GROUP1" is the method specified in the method list. A control policy called "POLICY-LOCAL" is configured with a policy rule that causes ISG to forward SCE accounting packets to the server group defined in method list "LIST-LOCAL".

Router(config)# aaa accounting network LIST-LOCAL start-stop group AAA-GROUP1
Router(config)# policy-map type control POLICY-LOCAL
Router(config-control-policymap)# class type control always event acct-notification
Router(config-control-policymap-class)# 1 proxy accounting aaa list LIST-LOCAL

Related Commands

Command

Description

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

radius filter

To filter RADIUS packets that are received by the Intelligent Services Gateway (ISG), use the radius filter command in global configuration mode. To remove the RADIUS packet filter configuration, use the no form of this command.

radius filter { match-all | match-any } name
no radius filter { match-all | match-any } name

Syntax Description

match-all

Defines the condition to filter RADIUS packets if all attributes match.

match-any

Defines the condition to filter RADIUS packets if at least one attribute matches.

name

Name of the filter. The range is from 1 to 31 characters.

Command Default

RADIUS packet filters are not configured.

Command Modes

Global configuration (config)
      

Command History

Release Modification
Cisco IOS XE Release 3.5S

This command was introduced.

Usage Guidelines

Use the radius filter command to enable ISG to filter RADIUS packets based on the filter criteria. Use this command along with match , matchnot , and filter commands.

Examples

The following example shows how to configure a RADIUS packet filter with the match-all keyword.

Device(config)# radius filter match-all filter1
      

Related Commands

Command Description

filter (ISG RADIUS proxy)

Applies ISG RADIUS packet filters to the RADIUS proxy server or client.

match (radius-filter)

Configures a condition to check for a filter match criterion.

matchnot (radius-filter)

Configures a condition to check for a filter criterion that does not match.

radius-server attribute 31

To configure Calling-Station-ID (attribute 31) options, use the radius-server attribute 31command in global configuration mode. To disable the Calling-Station-ID (attribute 31) options, use the no form of this command.

radius-server attribute 31 { append-circuit-id | mac format { default | ietf | unformatted } | remote-id | send nas-port-detail [ mac-only] }
no radius-server attribute 31 { append-circuit-id | mac format { default | ietf | unformatted } | remote-id | send nas-port-detail [ mac-only] }

Syntax Description

append-circuit-id

Appends the PPPoE tag circuit-id and the nas-port-id to the calling-station-id.

mac format

Specifies the format of the MAC address in the Calling Station ID. Select one of the following three options:

  • default (Example: 0000.4096.3e4a)
  • ietf (Example: 00-00-40-96-3E-4A)
  • unformatted (Example: 000040963e4a)

remote-id

Sends the remote ID as the Calling Station ID in the accounting records and access requests.

send nas-port-detail

Includes all NAS port details in the Calling Station ID.

mac-only

(Optional) Includes the MAC address only, if available, in the Calling Station ID.

Command Default

The Calling-Station-ID (attribute 31) is not sent.

Command Modes

Global configuration (config)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

12.2(31)SB2

The mac format default ,the mac format ietf ,the mac format unformatted ,and the send nas-port-detail [mac-only] keyword options were added.

12.2(33)SRC

This command was integrated into Cisco IOS Release 12.2(33)SRC.

15.0(1)M

This command was integrated into Cisco IOS Release 15.0(1)M.

Usage Guidelines

  • For PPP over Ethernet over ATM (PPPoEoA) sessions:

When the send nas-port-detail keyword and the mac-only option are configured, the Calling-Station-ID (attribute 31) information is sent in Access and Accounting requests in the following format:

host.domain:vp_descr:vpi:vci
  • For PPP over Ethernet over Ethernet (PPPoEoE) sessions:

When the send nas-port-detail keyword and the mac-only option are configured, the Calling-Station-ID (attribute 31) information is sent in Access and Accounting requests in the following format:

mac_addr
  • For PPP over ATM sessions:

When the send nas-port-detail keyword and the mac-only option are configured, the Calling-Station-ID (attribute 31) information is sent in Access and Accounting requests in the following format:

host.domain:vp_descr:vpi:vci
  • For Intelligent Services Gateway RADIUS Proxy sessions:

When DHCP lease query is used, ISG RADIUS proxy recieves MAC address as well as MSISDN as the Calling-Station-ID (attribute 31) from the downstream device. Therefore, ISG RADIUS proxy must be configured to choose one of them as the Calling Station ID and send it to the ISG accounting records.

The following example shows how to specify the MAC address in the Calling Station ID to be displayed in IETF format:

Router(config)# radius-server attribute 31 mac format
 ietf

The following example shows how to allow the remote ID to be sent as the Calling Station ID:

Router(config)# radius-server attribute 31 remote-id

The following example shows how to allow the NAS port details to be included in the Calling Station ID:

Router(config)# radius-server attribute 31 send nas-port-detail

The following example shows how to allow only the MAC address, if available, to be included in the Calling-Station-ID:

Router(config)# radius-server attribute 31 send nas-port-detail mac-onl

Related Commands

Command

Description

radius-server attribute nas-port-id include

Uses the DHCP relay agent information option 60 and option 82 and configures the NAS-Port-ID to authenticate a user.

radius-server attribute nas-port-id include

To include DHCP option 60 and option 82 (that is, any combination of circuit ID, remote ID, and vendor-class ID) in the NAS-Port-ID to authenticate a user, use the radius-server attribute nas-port-id include command in global configuration mode. To return to the default behavior, use the no form of this command.

radius-server attribute nas-port-id include identifier1 [ plus identifier2 ] [ plus identifier3 ] [ separator separator ]
no radius-server attribute nas-port-id include

Syntax Description

identifier1,2,3

Identifier for authorization. Valid keywords are:

  • circuit-id
  • remote-id
  • vendor-class-id

plus

(Optional) Separates identifiers if more than one is specified.

separator separator

(Optional) Symbol to be used for separating identifiers in accounting records and authentication requests. The symbol can be any alphanumeric character. The colon (:) is the default separator.

Command Default

The NAS-Port-ID is populated with the Intelligent Services Gateway (ISG) interface that received the DHCP relay agent information packet; for example, Ethernet1/0.

Command Modes

Global configuration (config)

Command History

Release

Modification

12.2(33)SRD

This command was introduced.

Cisco IOS XE Release 3.1S

This command was integrated into Cisco IOS XE Release 3.1S.

Usage Guidelines

When you use the radius-server attribute nas-port-id include command, you must specify at least one ID. You can use a single ID or any combination of the three, in any order. If you use more than one ID, use the pluskeyword between each pair as a separator.

The NAS-Port-ID is shown in the accounting records as it is specified in this command, with the plus keyword replaced by a separator. The colon (:) is the default separator.

When the NAS-Port-ID is selected as the identifier for authorization, the NAS-Port-ID is sent as part of the username in the authentication request. It is sent as specified in this command, preceded by the string "nas-port:".

Examples

The following example shows an authentication request that specifies a circuit ID, a remote ID, and a vendor-class ID:

Router(config)# radius-server attribute nas-port-id include circuit-id plus remote-id plus vendor-class-id

If the circuit ID is "xyz", the remote ID is "abc", and the vendor-class ID is "123", the NAS-Port-ID will be sent to the accounting records as "abc:xyz:123" and the username will be sent as "nas-port:abc:xyz:123" in the authentication request.

The following example shows an authentication request that specifies a circuit ID and a vendor-class ID and also specifies a separator, "#":

Router(config)# radius-server attribute nas-port-id include circuit-id plus vendor-class-id
 separator #

If the circuit ID is "xyz" and the vendor-class ID is "123", the NAS-Port-ID will be sent to the accounting records as "xyz#123" and the username will be sent as "nas-port:xyz#123" in the authentication request.

Related Commands

Command

Description

authorize identifier

Initiates a request for authorization based on a specified identifier in an ISG control policy.

re-authenticate do-not-apply

To prevent Intelligent Services Gateway (ISG) from applying data from reauthentication profiles to subscriber sessions, use the re-authenticate do-not-applycommand in RADIUS proxy server configuration or RADIUS proxy client configuration mode. To return to the default value, use the no form of this command.

re-authenticate do-not-apply
no re-authenticate do-not-apply

Syntax Description

This command has no arguments or keywords.

Command Default

ISG applies data from the reauthentication profile to subscriber sessions.

Command Modes

RADIUS proxy server configuration (config-locsvr-proxy-radius)
RADIUS proxy client configuration (config-locsvr-radius-client)

Command History

Release

Modification

15.0(1)S2

This command was introduced.

Usage Guidelines

The re-authenticate do-not-apply command prevents ISG from updating the subscriber session with data from a reauthentication profile. During the Extensible Authentication Protocol (EAP) authentication process, for example, ISG will not update the subscriber session with the user-name from the reauthentication profile if this command is configured.

This command can be configured globally for all RADIUS proxy clients, or it can be configured for specific clients. The client-specific configuration of this command overrides the global configuration.

Examples

The following example shows how to prevent ISG from applying reauthentication data to subscriber sessions, for all RADIUS proxy clients:

aaa server radius proxy
 re-authenticate do-not-apply

Related Commands

Command

Description

aaa server radius proxy

Enables ISG RADIUS proxy configuration mode, in which ISG RADIUS proxy parameters can be configured.

client (ISG RADIUS proxy)

Enters ISG RADIUS proxy client configuration mode, in which client-specific RADIUS proxy parameters can be specified.

redirect log translations

To enable the Layer 4 Redirect Logging feature for Intelligent Services Gateway (ISG), use the redirect log translations command in global configuration mode. To disable Layer 4 redirect logging, use the no form of this command.

redirect log translations { basic | extended } exporter exporter-name
no redirect log translations

Syntax Description

basic

Exports Layer 4 redirect translation event information using the basic template format.

extended

Exports Layer 4 translation event information using the extended template format, which includes additional debugging information.

exporter-name

Name of the flow exporter to use for exporting the logging information, as defined by the flow exporter command.

Command Default

Layer 4 redirect logging is disabled.

Command Modes


Global configuration (config)
      

Command History

Release Modification
Cisco IOS XE Release 3.5S

This command was introduced.

Usage Guidelines

The redirect log translations command allows ISG to export records for Layer 4 redirect translation events to an external collector. These records can be used to identify users with applications that do not react to HTTP redirect.

The name of the flow exporter specified for the exporter-name argument must be configured with the flow exporter command before using the redirect log translations command.

For a description of the fields included in the basic and extended template formats, see the "Configuring Layer 4 Redirect Logging" chapter in the Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S.

Examples

The following example shows that the flow exporter named L4R-EXPORTER is assigned as the exporter to use for logging redirect translations. There are two types of export templates for Layer 4 redirect logging: IPv4 and IPv6.

flow exporter L4R-EXPORTER
 destination 172.16.10.3
 transport udp 90
!
!         
redirect log translations basic exporter L4R-EXPORTER

Related Commands

Command Description

flow exporter

Defines a flow exporter.

show flow exporter statistics

Displays flow exporter statistics.

show flow exporter templates

Displays flow exporter template information.

redirect server-group

To define a group of one or more servers that make up a named Intelligent Services Gateway (ISG) Layer 4 redirect server group, use the redirect server-group command in global configuration mode. To remove a redirect server group and any servers configured within that group, use the no form of this command.

redirect server-group group-name
no redirect server-group group-name

Syntax Description

group-name

Name of the server group.

Command Default

A redirect server group is not defined.

Command Modes

Global configuration (config)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Cisco IOS XE Release 3.5S

This command was modified. Support for IPv6 addresses was added.

Usage Guidelines

Use the redirect server-group command to define and name an ISG Layer 4 redirect server group. Packets sent upstream from an unauthenticated subscriber can be forwarded to the server group, which will deal with the packets in a suitable manner, such as routing them to a logon page. You can also use server groups to handle requests from authorized subscribers who request access to services to which they are not logged in and for advertising captivation.

After defining a redirect server group with the redirect server-group command, add individual servers to the server group by using the server ip command. The server group must contain at least one redirect server before it can be configured under a traffic class service.

The IP addresses of all the servers configured under a redirect group must be either IPv4 or IPv6. A mix of IPv4 and IPv6 redirect server addresses within the same server group is not supported.

Examples

The following example shows the configuration of a server group named PORTAL that contains two servers, both with an IPv4 address:

redirect server-group PORTAL
 server ip 10.2.36.253 port 80
 server ip 10.76.86.83 port 81

The following example shows the configuration of a server group named PORTAL2 that contains two servers, both with an IPv6 address:

redirect server-group PORTAL2
 server ip 2001:DB8:C003:12::2918 port 8080
 server ip 2001:DB8:1:1::26/64 port 8081

Related Commands

Command

Description

redirect to (ISG)

Redirects ISG Layer 4 traffic to a specified server or server group.

server ip

Adds a server to an ISG Layer 4 redirect server group.

show redirect group

Displays information about ISG Layer 4 redirect server groups.

show redirect translations

Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.

redirect session-limit

To set the maximum number of Layer 4 redirects allowed for each Intelligent Services Gateway (ISG) subscriber session, use the redirect session-limit command in global configuration mode. To reset the maximum number to the default, use the no form of this command.

redirect session-limit maximum-number
no redirect session-limit

Syntax Description

maximum-number

The maximum number of Layer 4 redirects allowed. Range: 1 to 256.

Command Default

An unlimited number of redirects are allowed per session.

Command Modes

Global configuration (config)

Command History

Release

Modification

12.2(33)SB8

This command was introduced.

12.2(33)XNE1

This command was integrated into Cisco IOS Release 12.2(33)XNE1.

12.2(33)SRD4

This command was integrated into Cisco IOS Release 12.2(33)SRD4.

12.2(33)SRE1

This command was integrated into Cisco IOS Release 12.2(33)SRE1.

Cisco IOS XE Release 3.5S

This command was modified. Support for IPv6 sessions was added.

Usage Guidelines

The redirect session-limit command limits the number of redirect translations that can be created by unauthenticated subscribers that are redirected to the server group.

The maximum number applies to both IPv4 and IPv6 single-stack sessions. For dual-stack sessions, this command limits the total translations per subscriber; IPv4 and IPv6 translations are added together.

Examples

The following example limits the number of L4 redirects to five for a single session:

Router(config)# redirect session-limit 5

Related Commands

Command

Description

redirect server-group

Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.

redirect to (ISG)

Redirects ISG Layer 4 traffic to a specified server or server group.

show redirect translations

Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.

redirect to (ISG)

To redirect Intelligent Services Gateway (ISG) Layer 4 traffic to a specified server or server group, use the redirect to command in service policy-map class configuration mode. To disable redirection, use the no form of this command.

redirect to { group server-group-name | ip server-ip-address [ port port-number ] } [ duration seconds [ frequency seconds ] ]
no redirect to { group server-group-name | ip server-ip-address [ port port-number ] } [ duration seconds [ frequency seconds ] ]

Syntax Description

group server-group-name

Server group to which traffic will be redirected.

ip server-ip-address

IP address of the server to which traffic will be redirected.

port port-number

(Optional) Port number on the server to which traffic will be redirected.

duration seconds

(Optional) Amount of time, in seconds, for which traffic will be redirected, beginning with the first packet that gets redirected.

frequency seconds

(Optional) Period of time, in seconds, between redirect activations.

Command Default

Subscriber Layer 4 traffic is not redirected.

Command Modes

Service policy-map class configuration (config-service-policymap-class-traffic)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

12.2(33)SRE

This command was modified. It was removed from interface configuration mode.

Cisco IOS XE Release 2.5

This command was modified. It was removed from interface configuration mode.

Cisco IOS XE Release 3.5S

This command was modified. The server-ip-address argument accepts IPv6 addresses.

Usage Guidelines

The redirect to command redirects specified Layer 4 subscriber packets to servers that handle the packets in a specified manner.

A redirect server group is defined with the redirect server-group command. The server group must contain at least one redirect server, defined with the server ip command, before it can be configured under a traffic class service.

The ISG Layer 4 Redirect feature supports three types of redirection, which can be applied to subscriber sessions or to flows:

  • Permanent redirection--Specified traffic is redirected to the specified server all the time.
  • Initial redirection--Specified traffic is redirected for a specific duration of time only, starting from when the feature is applied.
  • Periodic redirection--Specified traffic is periodically redirected. The traffic is redirected for a specified duration of time. The redirection is then suspended for another specified duration. This cycle is repeated.

This command can be configured only once under any traffic class service on the Cisco ASR 1000 Series Router.

Examples

Redirecting Layer 4 Traffic to a Server Group: Example

The following example redirects Layer 4 traffic to the servers specified in server group "ADVT-SERVER":

policy-map type service L4R-SERVICE
  class type traffic L4R-TC
    redirect to group ADVT-SERVER

Redirecting Layer 4 Traffic to a Specific IP Address: Examples

The following example configures ISG to redirect all traffic coming from the subscriber interface to 10.2.36.253. The destination port is left unchanged, so traffic to 10.10.10.10 port 23 is redirected to 10.2.36.253 port 23, and traffic to 10.4.4.4 port 80 is redirected to 10.2.36.253 port 80.

redirect to ip 10.2.36.253 

The following example configures ISG to redirect all traffic coming from the subscriber interface to 2001:DB8:C003:12::2918 port 80:

redirect to ip 2001:DB8:C003:12::2918 port 80

Initial Redirection: Example

The following example redirects all traffic to the servers configured in the server group "ADVT-SERVER" for the first 60 seconds of the session and then stops redirection for the rest of the lifetime of the session:

redirect to group ADVT-SERVER duration 60

Periodic Redirection: Example

The following example redirects all traffic to server group "ADVT-SERVER" for 60 seconds, every 3600 seconds. That is, the traffic will be redirected for 60 seconds, and subsequently the redirection is suspended for 3600 seconds, after which redirection resumes again for 60 seconds, and so on.

redirect to group ADVT-SERVER duration 60 frequency 3600

Related Commands

Command

Description

redirect server-group

Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.

server ip

Adds a server to an ISG Layer 4 redirect server group.

show redirect group

Displays information about ISG Layer 4 redirect server groups.

show redirect translations

Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.

server ip

To add a server to an Intelligent Services Gateway (ISG) Layer 4 redirect server group, use the server ip command in Layer 4 redirect server group configuration mode. To remove a server from a redirect server group, use the no form of this command.

server ip ip-address [ port port ]
no server ip ip-address [ port port ]

Syntax Description

ip ip-address

IP address of the server to be added to the redirect server group.

port port

(Optional) TCP port of the server to be added to the redirect server group.

Command Default

A server is not added to the redirect server group.

Command Modes

Layer 4 redirect server group configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Cisco IOS XE Release 3.5S

This command was modified. The ip-address argument accepts IPv6 addresses.

Usage Guidelines

Use the server ip command in Layer 4 redirect server group configuration mode to add a server, defined by its IP address and TCP port, to a redirect server group. The server ip command can be entered more than once to add multiple servers to the server group.

ISG Layer 4 redirection provides nonauthorized users with access to controlled services. Packets sent upstream from an unauthenticated user are forwarded to the server group, which deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services to which they are not logged in.

Examples

The following example adds a server at IP address 10.0.0.0 and TCP port 8080 and a server at IP address 10.1.2.3 and TCP port 8081 to a redirect server group named "ADVT-SERVER":

redirect server-group ADVT-SERVER
 server ip 10.0.0.0 port 8080
 server ip 10.1.2.3 port 8081

Related Commands

Command

Description

redirect server-group

Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.

redirect to (ISG)

Redirects ISG Layer 4 traffic to a specified server or server group.

show redirect group

Displays information about ISG Layer 4 redirect server groups.

show redirect translations

Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.

server-key

To configure the RADIUS key to be shared between a device and RADIUS clients, use the server-key command in dynamic authorization local server configuration mode. To remove this configuration, use the no form of this command.

server-key [ 0 | 7 ] word
no server-key [ 0 | 7 ] word

Syntax Description

0

(Optional) An unencrypted key will follow.

7

(Optional) A hidden key will follow.

word

Unencrypted server key.

Command Default

A server key is not configured.

Command Modes

Dynamic authorization local server configuration (config-locsvr-da-radius)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Cisco IOS XE Release 2.6

This command was integrated into Cisco IOS XE Release 2.6.

Usage Guidelines

A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the server-key command to configure the key to be shared between the Intelligent Services Gateway (ISG) and RADIUS clients.

Examples

The following example configures "cisco" as the shared server key:

aaa server radius dynamic-author
 client 10.0.0.1  
 server-key cisco

Related Commands

Command

Description

aaa server radius dynamic-author

Configures a device as a AAA server to facilitate interaction with an external policy server.

service (ISG)

To specify a network service type for PPP sessions, use the service command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.

action-number service { disconnect | local | vpdn }
no action-number service { disconnect | local | vpdn }

Syntax Description

action-number

Number of the action. Actions are executed sequentially within the policy rule.

disconnect

Disconnect the session.

local

Locally terminate the session.

VPDN

Virtual Private Dialup Network (VPDN) tunnel service.

Command Default

PPP sessions are locally terminated.

Command Modes

Control policy-map class configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The servicecommand configures an action in a control policy map.

Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

Examples

The following example shows how configure ISG to locally terminate sessions for PPP subscribers:

policy-map type control MY-RULE1
 class type control MY-CONDITION2 event session-start
  1 service local

Related Commands

Command

Description

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

service deny (ISG)

To deny network service to the Intelligent Services Gateway (ISG) subscriber session, use the service deny command in service policy-map configuration mode. To remove the configuration, use the no form of this command.

service deny
no service deny

Syntax Description

The command has no arguments or keywords.

Command Default

Service is not denied to the session.

Command Modes

Service policy-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The service deny command denies network service to subscriber sessions that use the service policy map.

Examples

The following example denies service to subscriber sessions that use the service called "service1":

policy-map type service service1
 service deny

Related Commands

Command

Description

policy-map type service

Creates or modifies a service policy map, which is used to define an ISG subscriber service.

service local (ISG)

To specify local termination service in an Intelligent Services Gateway (ISG) service policy map, use the service local command in service policy-map configuration mode. To remove the service, use the no form of this command.

service local
no service local

Syntax Description

This command has no arguments or keywords.

Command Default

Local termination service is not specified.

Command Modes

Service policy-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The service local command is used to configure local termination service in a service policy map defined with the policy-map type service command.

When you configure the service local command in a service policy map, you can also use the ip vrf forwarding command to specify the routing domain in which to terminate the session. If you do not specify the routing domain, the global virtual routing and forwarding instance (VRF) will be used.

Examples

The following example provides local termination service to subscriber sessions for which the "my_service" service policy map is activated:

!
policy-map type service my_service
 service local

Related Commands

Command

Description

ip vrf forwarding (service policy map)

Associates the service with a VRF.

policy-map type service

Creates or modifies a service policy map, which is used to define an ISG service.

service vpdn group

Provides VPDN service.

vpdn-group

Associates a VPDN group with a customer or VPDN profile.

service relay (ISG)

To enable relay of PPPoE Active Discovery (PAD) messages over a Layer 2 Tunnel Protocol (L2TP) tunnel for an Intelligent Services Gateway (ISG) subscriber session, use the service relaycommand in service policy-map configuration mode. To disable message relay, use the no form of this command.

service relay pppoe vpdn group vpdn-group-name
no service relay pppoe vpdn group vpdn-group-name

Syntax Description

pppoe

Provides relay service using PPP over Ethernet (PPPoE) using a virtual private dialup network (VPDN) L2TP tunnel for the relay.

vpdn group vpdn-group-name

Provides VPDN service by obtaining the configuration from a predefined VPDN group.

Command Default

Relay of PAD messages over an L2TP tunnel is not enabled.

Command Modes

Service policy-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The service relaycommand is configured as part of a service policy-map.

Examples

The following example configures sessions that use the service policy-map "service1" to contain outgoing tunnel information for the relay of PAD messages over an L2TP tunnel:

policy-map type service 
 service relay pppoe vpdn group Sample1.net

Related Commands

Command

Description

policy-map type service

Creates or modifies a service policy map, which is used to define an ISG subscriber service.

service vpdn group (ISG)

To provide virtual private dialup network (VPDN) service for Intelligent Services Gateway (ISG) subscriber sessions, use the service vpdn groupcommand in service policy-map configuration mode. To remove VPDN service, use the no form of this command.

service vpdn group vpdn-group-name
no service vpdn group vpdn-group-name

Syntax Description

vpdn-group-name

Provides the VPDN service by obtaining the configuration from a predefined VPDN group.

Command Default

VPDN service is not provided for ISG subscriber sessions.

Command Modes

Service policy-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The service vpdn group command provides VPDN service by obtaining the configuration from a predefined VPDN group.

A service configured with the service vpdn group command (or corresponding RADIUS attribute) is a primary service.

Examples

The following example provides VPDN service to sessions that use the service called "service" and uses VPDN group 1 to obtain VPDN configuration information:

policy-map type service service1
 service vpdn group 1

Related Commands

Command

Description

policy-map type service

Creates or modifies a service policy map, which is used to define an ISG subscriber service.

service-monitor

To configure service monitoring for sessions on the Service Control Engine (SCE) that use the configured Intelligent Services Gateway (ISG) service, use the service-monitorcommand in service policy map configuration mode. To remove service monitoring, use the no form of this command.

service-monitor { enable | disable }
no service-monitor { enable | disable }

Syntax Description

enable

Enables service monitoring.

disable

Disables service monitoring.

Command Default

Service monitoring is not configured.

Command Modes

Service policy map configuration (config-service-policymap)

Command History

Release

Modification

12.2(33)SRC

This command was introduced.

12.2(33)SB

This command was integrated into Cisco IOS Release 12.2(33)SB.

Usage Guidelines

The service-monitor command is used with the policy-map type service command and must be configured together with the sg-service-type external-policy command.

Examples

The following example configures service monitoring for a service policy called "SCE-SERVICE4".

Router(config)# policy-map type service SCE-SERVICE4
Router(config-service-policymap)# sg-service-type external policy
Router(config-service-policymap)# service-monitor enable

Related Commands

Command

Description

policy-name

Configures a subscriber policy name.

sg-service-type external policy

Identifies an ISG service as an external policy.

service-policy

To attach a policy map to an input interface, a virtual circuit (VC), an output interface, or a VC that will be used as the service policy for the interface or VC, use the service-policy command in the appropriate configuration mode. To remove a service policy from an input or output interface or from an input or output VC, use the no form of this command.

service-policy [ type access-control ] { input | output } policy-map-name
no service-policy [ type access-control ] { input | output } policy-map-name

Cisco 10000 Series and Cisco 7600 Series Routers

service-policy [ history | { input | output } policy-map-name | type control control-policy-name ]
no service-policy [ history | { input | output } policy-map-name | type control control-policy-name ]

Syntax Description

type access-control

(Optional) Determines the exact pattern to look for in the protocol stack of interest.

input

Attaches the specified policy map to the input interface or input VC.

output

Attaches the specified policy map to the output interface or output VC.

policy-map-name

The name of a service policy map (created using the policy-map command) to be attached. The name can be a maximum of 40 alphanumeric characters in length.

history

(Optional) Maintains a history of quality of service (QoS) metrics.

type control control-policy-name

(Optional) Creates a Class-Based Policy Language (CPL) control policy map that is applied to a context.

Command Default

No service policy is specified. A control policy is not applied to a context. No policy map is attached.

Command Modes

ATM VC bundle configuration (config-atm-bundle)

ATM PVP configuration (config-if-atm-l2trans-pvp)

ATM VC configuration mode (config-if-atm-vc)

Ethernet service configuration (config-if-srv)

Global configuration (config)

Interface configuration (config-if)

Static maps class configuration (config-map-class)

ATM PVC-in-range configuration (cfg-if-atm-range-pvc)

Subinterface configuration (config-subif)

Command History

Release

Modification

12.0(5)T

This command was introduced.

12.0(5)XE

This command was integrated into Cisco IOS Release 12.0(5)XE.

12.0(7)S

This command was integrated into Cisco IOS Release 12.0(7)S.

12.0(17)SL

This command was implemented on the Cisco 10000 series routers.

12.1(1)E

This command was integrated into Cisco IOS Release 12.1(1)E.

12.1(2)T

This command was modified to enable low latency queueing (LLQ) on Frame Relay VCs.

12.2(14)SX

Support for this command was implemented on Cisco 7600 series routers. Support was added for output policy maps.

12.2(15)BX

This command was implemented on the ESR-PRE2.

12.2(17d)SXB

This command was implemented on the Supervisor Engine 2 and integrated into Cisco IOS Release 12.2(17d)SXB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(2)T

This command was modified. Support was added for subinterface configuration mode and for ATM PVC-in-range configuration mode to extend policy map functionality on an ATM VC to the ATM VC range.

12.4(4)T

The type stack and type control keywords were added to support flexible packet matching (FPM).

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB and implemented on the Cisco 10000 series router.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.

12.3(7)XI2

This command was modified to support subinterface configuration mode and ATM PVC-in-range configuration mode for ATM VCs on the Cisco 10000 series router and the Cisco 7200 series router.

12.2(18)ZY

The type stack and type control keywords were integrated into Cisco IOS Release 12.2(18)ZY on the Catalyst 6500 series of switches equipped with the Programmable Intelligent Services Accelerator (PISA).

12.2(33)SRC

Support for this command was enhanced on Cisco 7600 series routers.

12.2(33)SB

This command was modified. The command was implemented on the Cisco 10000 series router for the PRE3 and PRE4.

Cisco IOS XE Release 2.3

This command was modified to support ATM PVP configuration mode.

12.4(18e)

This command was modified to prevent simultaneous configuration of legacy traffic-shaping and Cisco Modular QoS CLI (MQC) shaping on the same interface.

Cisco IOS XE Release 3.3S

This command was modified to support Ethernet service configuration mode.

Cisco IOS XE Release 3.5S

This command was modified. An error displays if you try to configure the service-policy input or service-policy output command when the ip subscriber interface command is already configured on the interface.

15.2(1)S

This command was modified to allow simultaneous nonqueueing policies to be enabled on subinterfaces.

Usage Guidelines

The table below shows which configuration mode to choose based on the intended use of the command.

Table 1 Configuration Modes Based on Command Application

Application

Mode

Standalone VC

ATM VC submode

ATM VC bundle members

ATM VC Bundle configuration

A range of ATM PVCs

Subinterface configuration

Individual PVC within a PVC range

ATM PVC-in-range configuration

Frame Relay VC

Static maps class configuration

Ethernet services, Ethernet VCs (EVCs)

Ethernet service configuration

You can attach a single policy map to one or more interfaces or to one or more VCs to specify the service policy for those interfaces or VCs.

A service policy specifies class-based weighted fair queueing (CBWFQ). The class policies that make up the policy map are then applied to packets that satisfy the class map match criteria for the class.

Before you can attach a policy map to an interface or ATM VC, the aggregate of the configured minimum bandwidths of the classes that make up the policy map must be less than or equal to 75 percent (99 percent on the Cisco 10008 router) of the interface bandwidth or the bandwidth allocated to the VC.

Before you can enable low latency queueing (LLQ) for Frame Relay (priority queueing [PQ]/CBWFQ), you must first enable Frame Relay traffic shaping (FRTS) on the interface using the frame-relay traffic-shaping command in interface configuration mode. You then attach an output service policy to the Frame Relay VC using the service-policy command in Static maps class configuration mode.

To attach a policy map to an interface or ATM VC, the aggregate of the configured minimum bandwidths of the classes that make up the policy map must be less than or equal to 75 percent of the interface bandwidth or the bandwidth allocated to the VC. For a Frame Relay VC, the total amount of bandwidth allocated must not exceed the minimum committed information rate (CIR) configured for the VC less any bandwidth reserved by the frame-relay voice bandwidth or frame-relay ip rtp priority Static maps class configuration mode commands. If these values are not configured, the minimum CIR defaults to half of the CIR.

Configuring CBWFQ on a physical interface is possible only if the interface is in the default queueing mode. Serial interfaces at E1 (2.048 Mbps) and below use weighted fair queueing (WFQ) by default. Other interfaces use first-in first-out (FIFO) by default. Enabling CBWFQ on a physical interface overrides the default interface queueing method. Enabling CBWFQ on an ATM permanent virtual circuit (PVC) does not override the default queueing method.

When you attach a service policy with CBWFQ enabled to an interface, commands related to fancy queueing such as those pertaining to fair queueing, custom queueing, priority queueing, and Weighted Random Early Detection (WRED) are available using the modular quality of service CLI (MQC). However, you cannot configure these features directly on the interface until you remove the policy map from the interface.


Note


Beginning in Cisco IOS Release 12.4(18e), you cannot configure the traffic-shape rate and MQC shaping on the same interface at the same time. You must remove the traffic-shape rate configured on the interface before you attach the service policy. For example, if you try to enter the service-policy {input | output} policy-map-name command when the traffic-shape rate command is already in effect, this message is displayed:
Remove traffic-shape rate configured on the interface before attaching the service-policy.
If the MQC shaper is attached first, and you enter the legacy traffic-shape rate command on the same interface, the command is rejected and an error message is displayed.

You can modify a policy map attached to an interface or VC, changing the bandwidth of any of the classes that make up the map. Bandwidth changes that you make to an attached policy map are effective only if the aggregate of the bandwidth amount for all classes that make up the policy map, including the modified class bandwidth, is less than or equal to 75 percent of the interface bandwidth or the VC bandwidth. If the new aggregate bandwidth amount exceeds 75 percent of the interface bandwidth or VC bandwidth, the policy map is not modified.

After you apply the service-policy command to set a class of service (CoS) bit to an Ethernet interface, the policy remains active as long as there is a subinterface that is performing 8021.Q or Inter-Switch Link (ISL) trunking. Upon reload, however, the service policy is removed from the configuration with the following error message:

Process "set" action associated with class-map voip failed: Set cos supported only with IEEE 802.1Q/ISL interfaces.

Note


The service-policy input and service-policy output commands cannot be configured if the ip subscriber interface command is already configured on the interface; these commands are mutually exclusive.

Simultaneous Nonqueueing QoS Policies

Beginning in Cisco IOS Release 15.2(1)S, you can configure simultaneous nonqueueing QoS policies on an ATM subinterface and ATM PVC, or on a Frame Relay (FR) subinterface and data-link connection identifier (DLCI). However, simultaneous queueing policies are still not allowed, because they create hierarchical queueing framework layer contention. If you try to configure simultaneous queueing policies, the policies are rejected and the router displays an error message.

Note


If both the PVC or DLCI and subinterface policies are applied under the same subinterface, the policy under the PVC or DLCI takes precedence and the subinterface policy has no effect.

Cisco 10000 Series Router Usage Guidelines

The Cisco 10000 series router does not support applying CBWFQ policies to unspecified bit rate (UBR) VCs.

To attach a policy map to an interface or a VC, the aggregate of the configured minimum bandwidth of the classes that make up the policy map must be less than or equal to 99 percent of the interface bandwidth or the bandwidth allocated to the VC. If you attempt to attach a policy map to an interface when the sum of the bandwidth assigned to classes is greater than 99 percent of the available bandwidth, the router logs a warning message and does not allocate the requested bandwidth to all of the classes. If the policy map is already attached to other interfaces, it is removed from them.

The total bandwidth is the speed (rate) of the ATM layer of the physical interface. The router converts the minimum bandwidth that you specify to the nearest multiple of 1/255 (ESR-PRE1) or 1/65,535 (ESR-PRE2) of the interface speed. When you request a value that is not a multiple of 1/255 or 1/65,535, the router chooses the nearest multiple.

The bandwidth percentage is based on the interface bandwidth. In a hierarchical policy, the bandwidth percentage is based on the nearest parent shape rate.

By default, a minimum bandwidth guaranteed queue has buffers for up to 50 milliseconds of 256-byte packets at line rate, but not less than 32 packets.

For Cisco IOS Release 12.0(22)S and later releases, to enable LLQ for Frame Relay (priority queueing (PQ)/CBWFQ) on the Cisco 10000 series router, first create a policy map and then assign priority to a defined traffic class using the priority command. For example, the following sample configuration shows how to configure a priority queue with a guaranteed bandwidth of 8000 kb/s. In the example, the Business class in the policy map named "map1" is configured as the priority queue. The map1 policy also includes the Non-Business class with a minimum bandwidth guarantee of 48 kb/s. The map1 policy is attached to serial interface 2/0/0 in the outbound direction.

class-map Business
	match ip precedence 3
policy-map map1
	class Business
	priority 
	police 8000
	class Non-Business
	bandwidth 48
interface serial 2/0/0
	frame-relay encapsulation
	service-policy output map1

On the PRE2, you can use the service-policy command to attach a QoS policy to an ATM subinterface or to a PVC. However, on the PRE3, you can attach a QoS policy only to a PVC.

Cisco 7600 Series Routers

The output keyword is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.

Do not attach a service policy to a port that is a member of an EtherChannel.

Although the CLI allows you to configure QoS based on policy feature cards (PFCs) on the WAN ports on the OC-12 ATM optical services modules (OSM) and on the WAN ports on the channelized OSMs, PFC-based QoS is not supported on the WAN ports on these OSMs. OSMs are not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 32.

PFC QoS supports the optional output keyword only on VLAN interfaces. You can attach both an input policy map and an output-policy map to a VLAN interface.

Cisco 10000 Series Routers Control Policy Maps

Activate a control policy map by applying it to a context. A control policy map can be applied to one or more of the following types of contexts, which are listed in order of precedence:

  1. Global
  2. Interface
  3. Subinterface
  4. Virtual template
  5. VC class
  6. PVC

In general, control policy maps that are applied to more specific contexts take precedence over policy maps applied to more general contexts. In the list, the context types are numbered in order of precedence. For example, a control policy map that is applied to a permanent virtual circuit (PVC) takes precedence over a control policy map that is applied to an interface.

Control policies apply to all sessions hosted on the context. Only one control policy map can be applied to a given context.

Abbreviated Form of the service-policy Command

In Cisco IOS Release 12.2(33)SB and later releases, the router does not accept the abbreviated form (ser) of the service-policy command. Instead, you must spell out the command name service- before the router accepts the command. For example, the following error message displays when you attempt to use the abbreviated form of the service-policy command:

interface GigabitEthernet1/1/0
 ser out ?
% Unrecognized command
 ser ?
% Unrecognized command

As shown in the following example, when you enter the command as service- followed by a space, the router parses the command as service-policy. Entering the question mark causes the router to display the command options for the service-policy command.

service- ?
input	Assign policy-map to the input of an interface
output	Assign policy-map to the output of an interface
type	Configure CPL Service Policy

In releases prior to Cisco IOS Release 12.2(33)SB, the router accepts the abbreviated form of the service-policy command. For example, the router accepts the following commands:

interface GigabitEthernet1/1/0
 ser out test

Examples

The following example shows how to attach a policy map to a Fast Ethernet interface:

interface fastethernet 5/20
 service-policy input pmap1

The following example shows how to attach the service policy map named "policy9" to DLCI 100 on output serial interface 1 and enables LLQ for Frame Relay:

interface Serial1/0.1 point-to-point
 frame-relay interface-dlci 100
 class fragment
 map-class frame-relay fragment
 service-policy output policy9

The following example shows how to attach the service policy map named "policy9" to input serial interface 1:

interface Serial1
 service-policy input policy9

The following example attaches the service policy map named "policy9" to the input PVC named "cisco":

pvc cisco 0/34 
service-policy input policy9
vbr-nt 5000 3000 500
precedence 4-7

The following example shows how to attach the policy named "policy9" to output serial interface 1 to specify the service policy for the interface and enable CBWFQ on it:

interface serial1
 service-policy output policy9

The following example attaches the service policy map named "policy9" to the output PVC named "cisco":

pvc cisco 0/5 
service-policy output policy9
vbr-nt 4000 2000 500
precedence 2-3

Cisco 10000 Series Router Examples

The following example shows how to attach the service policy named "userpolicy" to DLCI 100 on serial subinterface 1/0/0.1 for outbound packets:

interface serial 1/0/0.1 point-to-point
 frame-relay interface-dlci 100
 service-policy output userpolicy

Note


You must be running Cisco IOS Release 12.0(22)S or a later release to attach a policy to a DLCI in this way. If you are running a release prior to Cisco IOS Release 12.0(22)S, attach the service policy as described in the previous configuration examples using the legacy Frame Relay commands, as shown in the example "how to attach the service policy map named "policy9" to DLCI 100 on output serial interface 1 and enable LLQ for Frame Relay".

The following example shows how to attach a QoS service policy named "map2" to PVC 0/101 on the ATM subinterface 3/0/0.1 for inbound traffic:

interface atm 3/0/0
 atm pxf queueing
interface atm 3/0/0.1
 pvc 0/101
 service-policy input map2

Note


The atm pxf queueing command is not supported on the PRE3 or PRE4.

The following example shows how to attach a service policy named "myQoS" to physical Gigabit Ethernet interface 1/0/0 for inbound traffic. VLAN 4, configured on Gigabit Ethernet subinterface 1/0/0.3, inherits the service policy of physical Gigabit Ethernet interface 1/0/0.

interface GigabitEthernet 1/0/0
 service-policy input myQoS
interface GigabitEthernet 1/0/0.3
 encapsulation dot1q 4

The following example shows how to apply the policy map named "policy1" to the virtual template named "virtual-template1" for all inbound traffic. In this example, the virtual template configuration also includes Challenge Handshake Authentication Protocol (CHAP) authentication and PPP authorization and accounting.

interface virtual-template1
 ip unnumbered Loopback1
 no peer default ip address
 ppp authentication chap vpn1
 ppp authorization vpn1
 ppp accounting vpn1
 service-policy input policy1

The following example shows how to attach the service policy map named "voice" to ATM VC 2/0/0 within a PVC range of a total of three PVCs and enable subinterface configuration mode where a point-to-point subinterface is created for each PVC in the range. Each PVC created as part of the range has the voice service policy attached to it.

configure terminal
 interface atm 2/0/0
 range pvc 1/50 1/52
 service-policy input voice

The following example shows how to attach the service policy map named "voice" to ATM VC 2/0/0 within a PVC range, where every VC created as part of the range has the voice service policy attached to it. The exception is PVC 1/51, which is configured as an individual PVC within the range and has a different service policy named "data" attached to it in ATM PVC-in-range configuration mode.

configure terminal
 interface atm 2/0/0
 range pvc 1/50 1/52
 service-policy input voice
 pvc-in-range 1/51
 service-policy input data

The following example shows how to configure a service group named "PREMIUM-SERVICE" and apply the input policy named "PREMIUM-MARK-IN" and the output policy named "PREMIUM-OUT" to the service group:

policy-map type service PREMIUM-SERVICE
 service-policy input PREMIUM-MARK-IN
 service-policy output PREMIUM-OUT

The following example shows a policy map and interface configuration that supported simultaneous nonqueueing policies:

 
Policy-map p-map
class c-map
set mpls experimental imposition 4

interface ATM1/0/0.1 multipoint
no atm enable-ilmi-trap
xconnect 10.1.1.1 100001 encapsulation mpls
service-policy input p-map
pvc 1/41 l2transport
no epd
!
pvc 1/42 l2transport
no epd
!
pvc 1/43 l2transport
no epd
interface ATM1/0/0.101 multipoint
no atm enable-ilmi-trap
pvc 9/41 l2transport
xconnect 10.1.1.1 1001011 encapsulation mpls
service-policy input p-map
!
pvc 10/41 l2transport
xconnect 10.1.1.1 1001012 encapsulation mpls
!

The following example shows how to attach simultaneous nonqueueing QoS policies on an ATM subinterface and ATM PVC:

interface atm 1/0/0.101 
pvc 9/41 
service-policy input p-map

Related Commands

Command

Description

class-map

Accesses QoS class-map configuration mode to configure QoS class maps.

frame-relay ip rtp priority

Reserves a strict priority queue on a Frame Relay PVC for a set of RTP packet flows belonging to a range of UDP destination ports,

frame-relay traffic-shaping

Enables both traffic shaping and per-virtual-circuit queueing for all PVCs and SVCs on a Frame Relay interface.

frame-relay voice bandwidth

Specifies the amount of bandwidth to be reserved for voice traffic on a specific DLCI.

ip subscriber interface

Creates an ISG IP interface session.

policy-map

Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

priority

Gives priority to a class of traffic belonging to a policy map.

show policy-map

Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps.

show policy-map interface

Displays the configuration of all classes configured for all service policies on the specified interface or displays the classes for the service policy for a specific PVC on the interface.

traffic-shape rate

Enables traffic shaping for outbound traffic on an interface.

service-policy type control

To apply a control policy to a context, use the service-policy type control command in the appropriate configuration mode. To unapply the control policy, use the no form of this command.

service-policy type control policy-map-name
no service-policy type control policy-map-name

Syntax Description

policy-map-name

Name of the control policy map.

Command Default

A control policy is not applied to a context.

Command Modes

Global configuration Interface configuration Subinterface configuration Virtual template configuration ATM VC class configuration ATM VC configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

A control policy map must be activated by applying it to a context. A control policy map can be applied to one or more of the following types of contexts:

  1. Global
  2. Interface
  3. Subinterface
  4. Virtual template
  5. VC class
  6. PVC

In general, control policy maps that are applied to more specific contexts take precedence over policy maps applied to more general contexts. In the list, the context types are numbered in order of precedence. For example, a control policy map that is applied to a permanent virtual circuit (PVC) takes precedence over a control policy map that is applied to an interface.

Control policies apply to all sessions hosted on the context.

Only one control policy map may be applied to a given context.

Examples

The following example applies the control policy map "RULEA" to Ethernet interface 0:

interface Ethernet 0
 service-policy type control RULEA

Related Commands

Command

Description

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

service-policy type service

To activate an Intelligent Services Gateway (ISG) service, use the service-policy type service command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.

action-number service-policy type service [ unapply] [ aaa list list-name ] { name service-name | identifier { authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username } }
no action-number service-policy type service [ unapply] [ aaa list list-name ] { name service-name | identifier { authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username } }

Syntax Description

action-number

Number of the action. Actions are executed sequentially within the policy rule.

unapply

(Optional) Deactivates the specified service.

aaa

(Optional) Specifies that a AAA method list will be used to activate the service.

list list-name

(Optional) Activates the service using the specified authentication, authorization, and accounting (AAA) method list.

name service-name

Name of the service.

identifier

Activates a service that has the same name as the specified identifier.

authenticated-domain

Authenticated domain name.

authenticated-username

Authenticated username.

dnis

Dialed Number Identification Service number (also referred to as the called-party number ).

nas-port

Network access server (NAS) port identifier.

tunnel-name

VPDN tunnel name.

unauthenticated-domain

Unauthenticated domain name.

unauthenticated-username

Unauthenticated username.

Command Default

A service is not activated.

Command Modes

Control policy-map class configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The service-policy type servicecommand configures an action in a control policy map. If you do not specify the AAA method list, the default method list will be used.

Note that if you use the default method list, the default list will not appear in the output of the show running-config command. For example, if you configure the following command:

Router(config-control-policymap-class-control)# 1 service-policy type service aaa list default identifier authenticated-domain

the following will display in the output for the show running-config command:

1 service-policy type service identifier authenticated-domain 

Named method lists will display in the show running-config command output.

Services are configured in service profiles on the AAA server or in service policy maps on the router.

Examples

The following example configures an ISG control policy that will initiate authentication of the subscriber and then apply a service that has a name matching the subscriber's authenticated domain name:

policy-map type control MY-RULE2
 class type control MY-CONDITION2 event service-start
  1 authenticate aaa list AUTHEN
  2 service-policy type service aaa list SERVICE identifier authenticated-domain

Related Commands

Command

Description

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

policy-map type service

Creates or modifies a service policy map, which is used to define an ISG subscriber service.

session-identifier (ISG)

To correlate RADIUS server requests and identify a session in the Intelligent Services Gateway (ISG) RADIUS proxy, use the session-identifier command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To disable this function, use the no form of this command.

session-identifier { attribute number | vsa vendor id type number }
no session-identifier { attribute number | vsa vendor id type number }

Syntax Description

attribute

Specifies the calling station attribute of the session to be identified.

number

The attribute number. For example, attribute 1 denotes username.

vsa

Specifies the vendor-specific attribute (VSA) of the session to be identified.

vendor id

Specifies the vendor type and ID.

type number

Specifies the VSA type and number.

Command Default

RADIUS proxy server correlates calling station attributes (attribute 31).

Command Modes

RADIUS proxy server configuration (config-locsvr-proxy-radius)
RADIUS proxy client configuration (config-locsvr-radius-client)

Command History

Release

Modification

12.2(33)SRE

This command was introduced.

Cisco IOS XE Release 2.5

This command was integrated into Cisco IOS XE Release 2.5.

15.0(1)S

This command was integrated into Cisco IOS Release 15.0(1)S.

Usage Guidelines

The ISG RADIUS proxy identifies a new session based on the calling station attributes. Usually, attribute 31 is used to identify the session for requests. However, it is possible that attribute 31 may not always be unique to identify the session. There are attributes such as username (RADIUS attribute 1), circuit-ID (RADIUS VSA), and so on, that could be used to identify the session and correlate RADIUS requests. By using the session-identifier command, you can configure the RADIUS proxy to accept other attributes or VSAs to identify the session in the RADIUS proxy and correlate requests from the downstream device. A downstream device is a device whose data is logged by a data recorder on a different node.

Examples

The following example shows how to configure the ISG to identify the session using the RADIUS VSA vendor type and correlate the requests for a RADIUS proxy client with IP address 10.0.0.16:

Router(config-locsvr-proxy-radius)# client 10.0.0.l6 255.255.255.0
Router(config-locsvr-radius-client)# session-identifier vsa vendor 12 type 123

Related Commands

Command

Description

aaa server radius proxy

Enables ISG RADIUS proxy configuration mode, in which ISG RADIUS proxy parameters can be configured.

calling-station-id format

Specifies the format if the attribute of the calling station is attribute 31.

client ( ISG RADIUS proxy )

Enters ISG RADIUS proxy client configuration mode, in which client-specific RADIUS proxy parameters can be specified.

set-timer

To start a named policy timer, use the set-timer command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.

action-number set-timer name-of-timer minutes
no action-number set-timer name-of-timer minutes

Syntax Description

action-number

Number of the action. Actions are executed sequentially within the policy rule.

name-of-timer

Name of the policy timer.

minutes

Timer interval, in minutes. Range is from 1 to 10100.

Command Default

A named policy timer is not started.

Command Modes

Control policy-map class configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The set-timercommand configures an action in a control policy map.

Expiration of a named policy timer generates the timed-policy-expiry event.

Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

Examples

The following example configures a policy timer called "TIMERA". When TIMERA expires the service will be disconnected.

class-map type control match-all CONDE
 match timer TIMERA
policy-map type type control RULEA
 class type control <some_cond> event session-start
  1 set-timer TIMERA 1 
 class type control CONDE event timed-policy-expiry
  1 service disconnect

Related Commands

Command

Description

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

sgi beep listener

To enable Service Gateway Interface (SGI), use the sgi beep listener command in global configuration mode. To disable SGI, use the no form of this command.

sgi beep listener port acl access-list sasl sasl-profile encrypt trustpoint
no sgi beep listener

Syntax Description

port

(Optional) TCP port on which to listen. The default is assigned by Internet Assigned Numbers Authority (IANA).

acl

(Optional) Applies an access control list (ACL) to restrict incoming client connections.

access-list

Name of the access list that is to be applied.

sasl

(Optional) Configures a Simple Authentication Security Layer (SASL) profile to use during the session establishment.

sasl-profile

Name of SASL profile being used during session establishment.

encrypt

(Optional) Configures transport layer security (TLS) for SGI.

trustpoint

Name of trustpoint being used by the TLS connection.

Command Default

The SGI is not enabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

12.2(33)SRC

This command was introduced.

Examples

Router(config)# sgi beep listener 2089

Related Commands

Command

Description

debug sgi

Enables debugging for SGI.

show sgi

Displays information about current SGI sessions or statistics.

test sgi xml

Allows onboard testing of SGI XML files when an external client is not available.

sg-service-group

To associate an Intelligent Services Gateway (ISG) service with a service group, use the sg-service-group command in service policy-map configuration mode. To remove the association, use the no form of this command.

sg-service-group service-group-name
no sg-service-group service-group-name

Syntax Description

service-group-name

Name of the service group.

Command Default

The service is not part of a service group.

Command Modes

Service policy-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

A service group is a grouping of services that may be active simultaneously for a given session. Typically, a service group includes one primary service and one or more secondary services.

Secondary services in a service group are dependent on the primary service and should not be activated unless the primary service is already active. Once a primary service has been activated, any other services that reference the same group may also be activated. Services that belong to other groups, however, can be activated only if they are primary. If a primary service from another service group is activated, all services in the current service-group will also be deactivated because they have a dependency on the previous primary service.

Examples

The following example associates the service called "primarysvc1" with the service group "group1":

policy-map type service primarysvc1
 sg-service-group group1

Related Commands

Command

Description

policy-map type service

Creates or modifies a service policy map, which is used to define an ISG subscriber service.

sg-service-type

Identifies an ISG service as primary or secondary.

sg-service-type

To identify an Intelligent Services Gateway (ISG) service as primary or secondary, use the sg-service-type command in service policy-map configuration mode. To remove this specification, use the no form of this command.

sg-service-type { primary | secondary }
no sg-service-type { primary | secondary }

Syntax Description

primary

Identifies the service as a primary service, which is a service that contains a network-forwarding policy.

secondary

Identifies the service as a secondary service, which is a service that does not contain a network-forwarding policy. This is the default.

Command Default

A service is not identified as a primary service.

Command Modes

Service policy-map configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

An ISG primary service is a service that contains a network-forwarding policy, such as a virtual routing or forwarding instance (VRF) or tunnel specification. A service must be identified as a primary service by using the sg-service-type primary command. Any service that is not a primary service is identified as a secondary service by default. In other words, the service policy map for a primary service must include a network-forwarding policy and the sg-service-type primary command. A secondary service must not include a network-forwarding policy, and inclusion of the sg-service-type secondary command is optional.

Examples

The following example identifies a service as a primary service:

policy-map type service service1
 ip vrf forwarding blue
 sg-service-type primary

Related Commands

Command

Description

policy-map type service

Creates or modifies a service policy map, which is used to define an ISG subscriber service.

sg-service-type external policy

To identify an Intelligent Services Gateway (ISG) service as an external policy, use the sg-service-type external policycommand in service policy-map configuration mode. To remove this specification, use the no form of this command.

sg-service-type external policy external-policy
no sg-service-type external policy external-policy

Syntax Description

external-policy

External policy delegation Service Gateway service type.

Command Default

A service is not identified as an external policy.

Command Modes

Service policy-map configuration (config-service-policymap)

Command History

Release

Modification

12.2(33)SRC

This command was introduced.

12.2(33)SB

This command was integrated into Cisco IOS Release 12.2(33)SB.

Usage Guidelines

An external policy service type identifies a service as being provided by an external device. The external device is configured in a peering relationship with the ISG device via the aaa server radius policy-device command. The external device handles policies for user sessions that use the service.

Examples

The following example identifies the ISG service as an external policy:

Router(config)# policy-map type service SCE-SERVICE-LOCAL
Router(config-service-policymap)# sg-service-type external-policy

Related Commands

Command

Description

aaa server radius policy-device

Enables ISG RADIUS server configuration mode, in which server parameters can be configured.

policy-name

Configures a subscriber policy name.

service-monitor

Configures service monitoring.

show class-map type control

To display information about Intelligent Services Gateway (ISG) control class maps, use the show class-map type control command in privileged EXEC mode.

show class-map type control

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

Use the show class-map type control command to display information about ISG control class maps, including statistics on the number of times a particular class has been evaluated and what the results were.

Examples

The following example shows sample output for the show class-map type controlcommand:

Router# show class-map type control
Condition                     Action                          Exec Hit Miss Comp
---------                     ------                          ---- --- ---- ----

The table below describes the significant fields shown in the display.

Table 2 show class-map type control Field Descriptions

Field

Description

Exec

Number of times this line was executed.

Hit

Number of times this line evaluated to true.

Miss

Number of times this line evaluated to false.

Comp

Number of times this line completed the execution of its condition without a need to continue on to the end.

Related Commands

Command

Description

class-map type control

Creates an ISG control class map.

class type control

Specifies a control class for which actions may be configured in an ISG control policy map.

clear class-map type control

Clears the ISG control class map counters.

show policy-map type control

Displays information about ISG control policy maps.

show class-map type traffic

To display Intelligent Services Gateway (ISG) traffic class maps and their matching criteria, use the show class-map type traffic command in privileged EXEC mode.

show class-map type traffic

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Examples

The following example shows configuration of a traffic class-map and corresponding sample output for the show class-map type traffic command. The output is self-explanatory.

!
access-list 101 permit ip any any
access-list 102 permit ip any any
!
class-map type traffic match-any PEER_TRAFFIC
 match access-group output 102
 match access-group input 101
!
Router# show class-map type traffic
 
 
Class-map: match-any  PEER_TRAFFIC             
------------------------------------------------------
Output:       
Extended IP access list 102
    10 permit ip any any
Input:        
Extended IP access list 101
    10 permit ip any any

Related Commands

Command

Description

show policy-map type traffic

Displays the contents of ISG service policy maps.

show database data

To display information about an identity manager (IDMGR) database, use the show database datacommand in privileged EXEC mode.

show database data name type

Syntax Description

name

Name of the IDMGR database.

type

Client type. Valid values are from 0 to 2.

Command Modes


Privileged EXEC (#)

Command History

Release

Modification

15.1(2)S

This command was introduced.

Usage Guidelines

You can use the show database namescommand to get a list of database names. The show database data command displays information about the IDMGR for the specified database name.

Examples

The following are sample output from the show database data command:

Router# show database data IDMGR-Session-DB 2
Total records = 1
------------------------------
Record 0 (key 1)
session-handle = 88000002
aaa-unique-id = 0000000C
composite-key = 00174574302F303A313A656E63617020646F74317120313030
authen-status = unauthen
Router# show database data IDMGR-Service-DB 2
Total records = 1
------------------------------
Record 0 (key 5)
session-handle = 2E000004
service-name = PBHK
idmgr-svc-key = 2E00000402000001
authen-status = unauthen

The table below describes the significant fields shown in the display.

Table 3 show database data Field Descriptions

Field

Description

Total records

Total number of records in the ISG session.

Record

Record number.

session-handle

Layer 2 (L2) session handling details for the ISG session.

service-name

Name of the ISG service.

idmgr-svc-key

IDMGR key used to identify the service.

authen-status

Status of authentication. Valid values are:

  • unauthen-Indicates that the session is not authenticated.
  • authen-Indicates that the session is authenticated.

Related Commands

Command

Description

debug idmgr

Enables debugging for the IDMGR.

show dwnld_mgr

To display information about the download manager, use the show dwnld_mgrcommand in privileged EXEC mode.

show dwnld_mgr { AAA Unique ID { unique-ID | all } | profiles { all | name profile-name } }

Syntax Description

AAA Unique ID

Specifies the Accounting, Authentication, and Authorization (AAA) unique ID from where the profiles are downloaded.

unique-ID

Unique ID of the AAA server.

all

Specifies all the profiles.

profiles

Specifies the global configuration profile.

name profile-name

Specifies the name of the global configuration profile.

Command Modes


Privileged EXEC (#)

Command History

Release

Modification

15.1(2)S

This command was introduced.

Usage Guidelines

You can use the show dwnld_mgr command to view information about the download manager. The download manager is used to download global configuration profiles such as connectivity fault management (CFM) maintenance association (MA) profile for Programmable Ethernet. These profiles contain configuration information that is consumed by the client and then applied at the global level. These profiles are shared, that is, they are applied to multiple sessions. The download manager downloads and adds the shared profiles to the cache.

The download manager serves two primary functions:

  • Common interface to AAA to download profiles for any client
  • Client-independent database that caches the downloaded profiles

Examples

The following is sample output from the show dwnld_mgr profiles all command:

Router# show dwnld_mgr profiles all
*******************************************************
Name: itag:3000
Reference: 1
Notification Type: DM_NOTIFICATION_PER_REQUEST_NOT_CACHED
Clients Waiting:
F1000003, 0A6AD658, 0000000C
********************************************************

The following is sample output from the show dwnld_mgr profiles namecommand:

Router# show dwnld_mgr profiles name itag:300
*******************************************************
Name: itag:3000
Reference: 1
Notification Type: DM_NOTIFICATION_PER_REQUEST_NOT_CACHED
Clients Waiting:
F1000003, 0A6AD658, 0000000C
********************************************************

The table below describes the significant fields shown in the displays.

Table 4 show dwnld_mgr Field Descriptions

Field

Description

Name

Name of the global configuration profile.

Notification Type

Notification sent from the client to the download manager.

Clients Waiting

IDs of the clients waiting to complete the download.

Related Commands

Command

Description

debug idmgr

Enables debugging for the IDMGR.

show idmgr

To display information related to the Intelligent Services Gateway (ISG) session identity, use the show idmgr command in privileged EXEC mode.

show idmgr { [ memory detailed component substring ] | service key session-handle session-handle service-key key-value | session key | aaa-unique-id aaa-unique-id-string | domainip-vrf ip-address ip-address vrf-id vrf-id | nativeip-vrf ip-address ip-address vrf-id vrf-id | portbundle ip ip-address bundle bundle-number | session-guid session-guid | session-handle session-handle-string | session-id session-id-string | circuit-id circuit-id | pppoe-unique-id pppoe-id | statistics }

Syntax Description

memory

Displays memory-usage information related to ID management.

detailed

(Optional) Displays detailed memory-usage information related to ID management.

component

(Optional) Displays information for the specified ID management component.

substring

(Optional) Substring to match the component name.

service key

Displays ID information for a specific service.

session-handle session-handle-string

Displays the unique identifier for a session.

service-key key-value

Displays ID information for a specific service.

session key

Displays ID information for a specific session and its related services.

aaa-unique-id aaa-unique-id-string

Displays the authentication, authorization, and accounting (AAA) unique ID for a specific session.

domainip-vrf ip-address ip-address

Displays the service-facing IP address for a specific session.

vrf-id vrf-id

Displays the VPN routing and forwarding (VRF) ID for the specific session.

nativeip-vrf ip-address ip-address

Displays the subscriber-facing IP address for a specific session.

portbundle ip ip-address

Displays the port bundle IP address for a specific session.

bundle bundle-number

Displays the bundle number for a specific session.

session-guid session-guid

Displays the global unique identifier for a session.

session-handle session-handle-string

Displays the session identifier for a specific session.

session-id session-id-string

Displays the session identifier used to construct the value for RADIUS attribute 44 (Acct-Session-ID).

circuit-id circuit-id

Displays the user session information in the ID Manager (IDMGR) database when you specify the unique circuit ID tag.

pppoe-unique-id pppoe-id

Displays the PPPoE unique key information in the ID Manager (IDMGR) database when you specify the unique PPPoE unique ID tag

statistics

Displays statistics related to storing and retrieving ID information.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Cisco IOS XE Release 2.6

The circuit-id keyword and circuit-idargument was added.

Examples

The following sample output for the show idmgr command displays information about the service called "service":

Router# show idmgr service key session-handle 48000002 service-key service
session-handle = 48000002
service-name = service
idmgr-svc-key = 4800000273657276696365
authen-status = authen

The following sample output for the show idmgr command displays information about a session and the service that is related to the session:

Router# show idmgr session key session-handle 48000002
    
session-handle = 48000002
aaa-unique-id = 00000002
authen-status = authen
username = user1
Service 1 information:
session-handle = 48000002
service-name = service
idmgr-svc-key = 4800000273657276696365

The following sample output for the show idmgr command displays information about the global unique identifier of a session:

Router# show idmgr session key session-guid 020202010000000C
session-handle = 18000003
aaa-unique-id = 0000000C
authen-status = authen
interface = nas-port:0.0.0.0:2/0/0/42
authen-status = authen
username = FortyTwo
addr = 100.42.1.1
session-guid = 020202010000000C
The following sample output for the show idmgr
 command displays information about the user session information in the ID Manager (IDMGR) database by specifying the unique circuit ID tag:
Router# show idmgr session key circuit-id Ethernet4/0.100:PPPoE-Tag-1
session-handle = AA000007
aaa-unique-id = 0000000E
circuit-id-tag = Ethernet4/0.100:PPPoE-Tag-1
interface = nas-port:0.0.0.0:0/1/1/100
authen-status = authen
username = user1@cisco.com
addr = 106.1.1.3
session-guid = 650101020000000E
The session hdl AA000007 in the record is valid
The session hdl AA000007 in the record is valid
No service record found

The table below describes the significant fields shown in the display.

Table 5 show idmgr Field Descriptions

Field

Description

session-handle

Unique identifier of the session.

service-name

Service name for this session.

idmgr-svc-key

The ID manager service key of this session.

authen-status

Indicates whether the session has been authenticated or unauthenticated.

aaa-unique-id

AAA unique ID of the session.

username

The username associated with this session.

interface

The interface details of this session.

addr

The IP address of this session.

session-guid

Global unique identifier of this session.

Related Commands

Command

Description

subscriber access pppoe unique-key circuit-id

Specifies a unique circuit ID tag for a PPPoE user session to be tapped on the router.

show interface monitor

To display interface statistics that will be updated at specified intervals, use the show interface monitor command in user EXEC or privileged EXEC mode.

show interface interface-type interface-number monitor [ interval seconds ]

Syntax Description

interface-type

Type of the interface for which statistics will be displayed.

interface-number

Number of the interface for which statistics will be displayed.

interval seconds

(Optional) Interval, in seconds, at which the display will be updated. Range: 5 to 3600. Default: 5.

Command Modes

User EXEC Privileged EXEC

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The show interface monitor command allows you to monitor an interface by displaying interface statistics and updating those statistics at regular intervals. While the statistics are being displayed, the command-line interface will prompt you to enter "E" to end the display, "C" to clear the counters, or "F" to freeze the display.

Examples

The following example shows sample output for the show interface monitor command. The display will be updated every 10 seconds.

Router# show interface ethernet 0/0 monitor interval 10
Router Name:  Scale3-Router8       Update Secs: 10
Interface Name:   Ethernet 0/0          Interface Status: UP, line is up 
Line Statistics:          Total:        Rate(/s)    Delta
Input Bytes:              123456        123         7890
Input Packets:              3456         56          560
Broadcast:                  1333          6           60
OutputBytes:               75717        123         1230
Output Packets:              733         44          440
Error Statistics:         Total:        Delta:
Input Errors:              0               0
CRC  Errors:               0               0
Frame Errors:              0               0
Ignored:                   0               0
Output Errors:             0               0
Collisions:                0               0
No. Interface Resets:  2
End = e       Clear = c      Freeze = f 
Enter Command:

The table below describes the significant fields shown in the display.

Table 6 show interface monitor Field Descriptions

Field

Description

Line Statistics

Information about the physical line. The delta column indicates the difference between the current display and the display before the last update.

Input Bytes

Total number of bytes, including data and MAC encapsulation, in the error-free packets received by the system.

Input Packets

Total number of error-free packets received by the system.

Broadcast

Total number of broadcast or multicast packets received by the interface.

OutputBytes

Total number of bytes sent by the system.

Output Packets

Total number of packets sent by the system.

Error Statistics

Displays statistics about errors. The delta column indicates the difference between the current display and the display before the last update.

Input Errors

Includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts. Other input-related errors can also cause the input errors count to be increased, and some datagrams may have more than one error; therefore, this sum may not balance with the sum of enumerated input error counts.

CRC Errors

Cyclic redundancy checksum generated by the originating LAN station or far-end device does not match the checksum calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or the LAN bus itself. A high number of CRCs is usually the result of collisions or a station transmitting bad data.

Frame Errors

Number of packets received incorrectly having a CRC error and a noninteger number of octets. On a LAN, this is usually the result of collisions or a malfunctioning Ethernet device.

Ignored

Number of received packets ignored by the interface because the interface hardware ran low on internal buffers. Broadcast storms and bursts of noise can cause the ignored count to be increased.

Output Errors

Sum of all errors that prevented the final transmission of datagrams out of the interface from being examined. Note that this may not balance with the sum of the enumerated output errors, as some datagrams may have more than one error, and others may have errors that do not fall into any of the specifically tabulated categories.

Collisions

Number of messages transmitted because of an Ethernet collision. A packet that collides is counted only once in output packets.

No. Interface Resets

Number of times an interface has been completely reset. This can happen if packets queued for transmission were not sent within several seconds. On a serial line, this can be caused by a malfunctioning modem that is not supplying the transmit clock signal, or by a cable problem. If the system notices that the carrier detect line of a serial interface is up, but the line protocol is down, it periodically resets the interface in an effort to restart it. Interface resets can also occur when an interface is looped back or shut down.

Related Commands

Command

Description

show interfaces

Displays statistics for all interfaces configured on the router or access server.

show ip portbundle ip

To display information about a particular Intelligent Services Gateway (ISG) port bundle, use the show ip portbundle ip command in privileged EXEC mode.

show ip portbundle ip port-bundle-ip-address bundle port-bundle-number

Syntax Description

port-bundle-ip-address

IP address used to identify the port bundle.

bundle port-bundle-number

Port bundle number.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

Use the show ip portbundle ip command to display the port mappings in a port bundle.

Examples

The following example is sample output for the show ip portbundle ip command:

Router# show ip portbundle ip 10.2.81.13 bundle 65
Portbundle IP address: 10.2.81.13  Bundlenumber: 65
Subscriber VRF: VRF2
Subscriber Portmappings:
Subscriber IP: 10.0.0.2 Subscriber Port: 11019  Mapped Port: 1040

The table below describes the significant fields shown in the display.

Table 7 show ip portbundle ip Field Descriptions

Field

Description

Subscriber IP

Subscriber IP address.

Subscriber Port

Subscriber port number.

Mapped Port

Port assigned by the ISG.

Related Commands

Command

Description

ip portbundle (global)

Enters portbundle configuration mode, in which ISG port-bundle host key parameters can be configured.

show ip portbundle status

Displays information about ISG port-bundle groups.

show ip portbundle status

To display a information about Intelligent Services Gateway (ISG) port-bundle groups, use the show ip portbundle status command in privileged EXEC mode.

show ip portbundle status [ free | inuse ]

Syntax Description

free

(Optional) Lists the port bundles that are available in each bundle group.

inuse

(Optional) Lists the port bundles that are in use in each bundle group. Also displays the associated subscriber interface for each port bundle.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

Use the show ip portbundle status command to display a list of port-bundle groups, port-bundle length, and the number of free and in-use port bundles in each group.

Examples

The following example is sample output for the show ip portbundle status command when issued with no keywords:

Router# show ip portbundle status
Bundle-length = 4
Bundle-groups: -
IP Address              Free Bundles            In-use Bundles
10.2.81.13                       4031                    1

The table below describes the significant fields shown in the display.

Table 8 show ip portbundle status Field Descriptions

Field

Description

Bundle-length

Number of ports per bundle and number of bundles per bundle group.

Bundle-groups

List of bundle groups.

IP Address

IP address of a bundle group.

Free Bundles

Number of free bundles in the specified bundle group.

In-use Bundles

Number of in-use bundles in the specified bundle group.

Related Commands

Command

Description

ip portbundle (global)

Enters portbundle configuration mode, in which ISG port-bundle host key parameters can be configured.

show ip portbundle ip

Displays information about a particular ISG port bundle.

show ip subscriber

To display information about Intelligent Services Gateway (ISG) IP subscriber sessions, use the show ip subscriber command in user EXEC or privileged EXEC mode.

show ip subscriber [ interface interface-name [ detail | statistics ] | ip ip-address | mac mac-address | redundancy | static list list-name | statistics { arp | dangling } | [ vrf vrf-name ] [ dangling seconds ] [ detail] ]

Syntax Description

interface interface-name

(Optional) Displays information for IP subscriber sessions associated with the specified interface.

Note    This keyword is available only on the Cisco 7600 series router.

detail

(Optional) Displays detailed information about IP subscriber sessions.

statistics

(Optional) Displays statistical information for IP subscriber sessions.

Note    This keyword is available only on the Cisco 7600 series router.

ip ip-address

(Optional) Displays information about IP subscriber sessions that have the specified IP address.

mac mac-address

(Optional) Displays information about IP subscriber sessions that have the specified MAC address.

redundancy

(Optional) Displays information about IP subscriber redundancy.

static list list-name

(Optional) Displays information for static sessions associated with an IP subscriber list.

Note    This keyword is available only on the Cisco 7600 series router.

arp

(Optional) Displays Address Resolution Protocol (ARP) statistics.

dangling seconds

(Optional) Displays IP subscriber sessions that have remained unestablished for the specified number of seconds. Range: 1 to 3600.

vrf vrf-name

(Optional) Displays IP subscriber sessions associated with the specified virtual routing and forwarding (VRF) instance.

Command Modes

User EXEC (>)

Privileged EXEC (#)

Command History

Release

Modification

12.2(31)SB2

This command was introduced.

12.2(33)SRC

Support for this command was added on the Cisco 7600 series router.

Cisco IOS XE Release 2.2

This command was integrated into Cisco IOS XE Release 2.2.

12.2(33)SRE

This command was modified. The static and list keywords were added.

12.2(33)SRE1

This command was modified. The statistics and arp keywords were added.

Cisco IOS XE Release 3.4S

This command was modified. The output was enhanced to include information about IPv6 sessions.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Usage Guidelines

A session that is not fully established within a specified period of time is referred to as a dangling session. The show ip subscriber command can be used with the dangling keyword to display dangling sessions. The seconds argument allows you to specify how long the session can remain unestablished before it is considered dangling.

Examples

The following is sample output from the show ip subscriber command without any keywords:

Router# show ip subscriber

Displaying subscribers in the default service vrf:
Type        Subscriber Identifier    Display UID    Status
---------   ----------------------   ------------   ------
connected   aaaa.1111.cccc           [1]            up 

The following is sample output from the show ip subscriber command using the detail keyword. Detailed information is displayed about all the IP subscriber sessions associated with vrf1.

Router# show ip subscriber vrf vrf1 detail

IP subscriber: 0000.0000.0002, type connected, status up
 display uid: 6, aaa uid: 17
 segment hdl: 0x100A, session hdl: 0x96000005, shdb: 0xBC000005
 session initiator: dhcp discovery
 access address: 10.0.0.3
 service address: vrf1, 10.0.0.3
 conditional debug flag: 0x0
 control plane state: connected, start time: 1d06h
 data plane state: connected, start time: 1d06h
 arp entry: [vrf1] 10.0.0.3, Ethernet0/0
 midchain adj: 10.0.0.3 on multiservice1
forwarding statistics:
 packets total: received 3542, sent 3538
 bytes total: received 2184420, sent 1158510
 packets dropped: 0, bytes dropped: 0

The following is sample output from the show ip subscriber command using the list keyword. Detailed information is displayed about all the IP subscriber static sessions associated with the server list group called l1 on the 7600 series router.

Router# show ip subscriber static list l1

Total static sessions for list l1: 1, Total IF attached: 1
Interface: GigabitEthernet0/3, VRF: 0, 1

The following is sample output from the show ip subscribercommand using the statistics arpkeywords:

Router# show ip subscriber statistics arp

Current IP Subscriber ARP Statistics
  Total number of ARP reqs received    : 27
  ARP reqs received on ISG interfaces  : 25
  IP subscriber ARP reqs replied to    : 1
                Dst on ISG             : 0
                Src/Dst in same subnet : 0
  IP subscriber ARP reqs ignored       : 2
                For route back to CPE  : 2
                For no routes to dest. : 0
                Gratuitous             : 0
                Due to invalid src IP  : 0
                Due to other errors    : 0
  IP sub ARP reqs with default action  : 24

The table below describes the significant fields shown in the displays, in alphabetical order.

Table 9 show ip subscriber Field Descriptions

Field

Description

Dst on ISG

Number of ARP requests that ISG replied to for a destination on ISG.

For route back to CPE

Number of ARP requests that ISG ignored because the destination IP address is on the same VLAN as the customer premises equipment (CPE).

For no routes to dest.

Number of ARP requests ignored by ISG because there was no route to the destination.

Gratuitous

Number of ARP requests ignored by ISG because they are gratuitous. A gratuitous ARP request is issued by a device for the sole purpose of keeping other devices informed of its presence on the network.

IP sub ARP reqs with default action

Number of ARP requests for which ISG performed no special action.

Src/Dst in same subnet

Number of ARP requests that ISG replied to that had a source and destination IP address in the same subnet.

Session initiator

Type of packet that initiated the subscriber session.

Related Commands

Command

Description

clear ip subscriber

Disconnects and removes all or specified ISG IP subscriber sessions.

ip subscriber list

Creates a subscriber list for ISG IP sessions.

show platform isg session

To display the number of active Intelligent Services Gateway (ISG) subscriber sessions for a line card and the features applied on a session, use the show platform isg session command in privileged EXEC mode.

show platform isg session session-id subinteface-number [ detail]

Syntax Description

session-id

Specifies the ID of a particular session.

subinteface-number

Specifies the subinterface number.

detail

(Optional) Displays platform information for the features that are applied on the session.

Command Default

No default behavior or values.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

15.1(1)S

This command was introduced.

Usage Guidelines

The show platform isg session command displays the total number of active subscriber sessions on the line card and information about the features that are configured on a session. For example, QoS or SACL.

Examples

This example shows the output for all installed line cards:

Router# show platform isg session 15 0 detail
if_num 14 va_if_num 0 pid 15 type IPSIP flags 0x0 state BOUND hvlan v1(vc) 1014 v2 1200 0 dbg off
 STATS(pkts, bytes) RX(0, 0) ctrl(0, 0) drop(0, 0) TX(0, 0) ctrl(0, 0) drop(0, 0)
--------------------------------------------------========================================
TenGigabitEthernet4/2.1 - if_number 14 15 policymap pmap-brr1-parent dir Output
 np 1 port 0 pm_num 4 lookuptype 1 flowid 256
---------------------------------------------------
 policymap pmap-brr1-parent classid 0 dfs classid 2
 classmap config:   cmap flags 0x6 feature flags 0x9
  queue config: gqid/pgqid 4/2
  police config: N/A  marking config: N/A
  WRED config: N/A
 classmap instance: cfn statid 0
   node handle: B,4,128   queue: fid0/fid1/sel/spl 128/128/0/0
   statid: commit/excess/drop 1294464/1327232/1360000
 policy pmap-brr1-parent classid 0 dfs classid 2  level 0
---------------------------------------------------------------
  Statistics type      Packet count       Byte count
    queue:
           commit                0                0
           excess                0                0
             drop                0                0
        cur depth                0
---------------------------------------------------
 policymap pmap-brr-child1 classid 1 dfs classid 0
 classmap config:   cmap flags 0x4 feature flags 0x100
  police config:cir/cbs: 50000000/1562500 pir/pbs: 0/1562500 clr/mef/algo: 0/0/1
   0:XMIT, Mark , cosi_cos 0 cos_cosi 0 dscp 0/0 cos 0/0 cosi 0/0  exp_top 0/0 exp_imp 0/0
   1:DROP, Mark , cosi_cos 0 cos_cosi 0 dscp 0/0 cos 0/0 cosi 0/0  exp_top 0/0 exp_imp 0/0
   2:DROP, Mark , cosi_cos 0 cos_cosi 0 dscp 0/0 cos 0/0 cosi 0/0  exp_top 0/0 exp_imp 0/0  marking config: N/A
  WRED config: N/A
 classmap instance: cfn statid 508327
   node handle: B,4,128   queue: fid0/fid1/sel/spl 128/128/0/0
   statid: commit/excess/drop 1294464/1327232/1360000
   police handle: np/index/type 1/1/fast tb 65697 statid: conform/exceed/violate 115116/115117/115118
   POLICE profile[0] inuse 1 cir/cbs 50000000/1562500 pir/pbs 0/1562500 clr/mef/algo 0/0x0/1
   [D]POLICE - index 0 cir/cbs: 6250000/1559756 pir/pbs: 0/0 clr/mef/algo: 0/0/1
 policy pmap-brr-child1 classid 1 dfs classid 0  level 1
---------------------------------------------------------------
  Statistics type      Packet count       Byte count
   classification                0                0
   police:
          conform                0                0
           exceed                0                0
          violate                0                0
 --
  tcam index table result: 0x30000C001 0x0 0x0 0x0
  flow hash table result: 0x7C1A70301000080 0x100000003
 FLW-07C1A703 01000080 00000001 00000003
  TM - Concat:NO, TMc:NO, Special_Q:NO, FID1:128, FID2:128
  Flow Stat:508327, Plcr1 TB/Stat-1/3, Plcr2 TB/Stat-0/0
----------------------------------------------
 Level: 4 Index: 128 Child Index/Inuse: 65535/0 Flags: VHC PDL       Wf    M.WFQ 1020 QL 2/5-131072 norm
 WFQ level 4 index 0 weight 10 inuse 3
  [D]WFQ - level:4, index:0  Weight Commit/Excess: 10/10
  [D]Entity Param - level:4 index:128 Mode/Priority: Enabled/Normal
      Shape mode/factor: Unshaped/One Profiles- WRED/Scale:2/5 Shape:0 WFQ:0
 --
 Level: 3 Index: 16 Child Index/Inuse: 128/1 Flags: RHC PDL       WfSh  ServProf:1/flags/oh:---/0
 SHAPE level 3 index 1 inuse 1 cir 800000000 cbs 80216064 pir 800000000 pbs 3211264
  [D]SHAPE - level:3 index:1 bFS:0 cir:100000000 cbs:10027008 pir:100000000 pbs:401408
 WFQ level 3 index 1 weight 81 inuse 1
  [D]WFQ - level:4, index:33  Weight Commit/Excess: 81/1
  [D]Entity Param - level:3 index:16 Mode/Priority: Enabled/Normal
      Shape mode/factor: Explicit/One Profiles- WRED/Scale:0/0 Shape:1 WFQ:33
 --
 Level: 2 Index: 0 Child Index/Inuse: 0/2 Flags: RHC I         Wf
 SHAPE level 2 index 0 inuse 1 cir 9920000 cbs 1007616 pir 9920000 pbs 1007616
  [D]SHAPE - level:2 index:0 bFS:0 cir:1240000 cbs:125952 pir:1240000 pbs:125952
 WFQ level 2 index 0 weight 2 inuse 1
  [D]WFQ - level:2, index:0  Weight Commit/Excess: 2/2
  [D]Entity Topology - level:2 index:0Child First/Total:0/32 L34 mode:0 ServProf:0
  [D]Entity Param - level:2 index:0 Mode/Priority: Enabled/Propagated
      Shape mode/factor: Unshaped/Half Profiles- WRED/Scale:0/0 Shape:0 WFQ:0
 --
 Level: 1 Index: 0 Child Index/Inuse: 0/1 Flags: RNC I         Wf
 ***
---------------------------------------------------
 policymap pmap-brr-child1 classid 0 dfs classid 1
 classmap config:   cmap flags 0x4 feature flags 0x1000
  police config: N/A
  marking config: on  coso 1
  WRED config: N/A
 classmap instance: cfn statid 508328
   node handle: B,4,128   queue: fid0/fid1/sel/spl 128/128/0/0
   statid: commit/excess/drop 1294464/1327232/1360000
 policy pmap-brr-child1 classid 0 dfs classid 1  level 1
---------------------------------------------------------------
  Statistics type      Packet count       Byte count
   classification                0                0
 --
  tcam index table result: 0x101300000000 0x400500000000 0x0 0x0
  flow hash table result: 0x7C1A80301000080 0x0
 FLW-07C1A803 01000080 00000000 00000000
  TM - Concat:NO, TMc:NO, Special_Q:NO, FID1:128, FID2:128
  Flow Stat:508328, Plcr1 TB/Stat-0/0, Plcr2 TB/Stat-0/0
----------------------------------------------
 Level: 4 Index: 128 Child Index/Inuse: 65535/0 Flags: VHC PDL       Wf    M.WFQ 1020 QL 2/5-131072 norm
 WFQ level 4 index 0 weight 10 inuse 3
  [D]WFQ - level:4, index:0  Weight Commit/Excess: 10/10
  [D]Entity Param - level:4 index:128 Mode/Priority: Enabled/Normal
      Shape mode/factor: Unshaped/One Profiles- WRED/Scale:2/5 Shape:0 WFQ:0
 --
 Level: 3 Index: 16 Child Index/Inuse: 128/1 Flags: RHC PDL       WfSh  ServProf:1/flags/oh:---/0
 SHAPE level 3 index 1 inuse 1 cir 800000000 cbs 80216064 pir 800000000 pbs 3211264
  [D]SHAPE - level:3 index:1 bFS:0 cir:100000000 cbs:10027008 pir:100000000 pbs:401408
 WFQ level 3 index 1 weight 81 inuse 1
  [D]WFQ - level:4, index:33  Weight Commit/Excess: 81/1
  [D]Entity Param - level:3 index:16 Mode/Priority: Enabled/Normal
      Shape mode/factor: Explicit/One Profiles- WRED/Scale:0/0 Shape:1 WFQ:33
 --
 Level: 2 Index: 0 Child Index/Inuse: 0/2 Flags: RHC I         Wf
 SHAPE level 2 index 0 inuse 1 cir 9920000 cbs 1007616 pir 9920000 pbs 1007616
  [D]SHAPE - level:2 index:0 bFS:0 cir:1240000 cbs:125952 pir:1240000 pbs:125952
 WFQ level 2 index 0 weight 2 inuse 1
  [D]WFQ - level:2, index:0  Weight Commit/Excess: 2/2
  [D]Entity Topology - level:2 index:0Child First/Total:0/32 L34 mode:0 ServProf:0
  [D]Entity Param - level:2 index:0 Mode/Priority: Enabled/Propagated
      Shape mode/factor: Unshaped/Half Profiles- WRED/Scale:0/0 Shape:0 WFQ:0
 --
 Level: 1 Index: 0 Child Index/Inuse: 0/1 Flags: RNC I         Wf

Related Commands

Command

Description

show platform isg session-count

Displays the number of active ISG subscriber sessions by line card.

show subscriber session

Displays information about subscriber sessions on the ISG router.

show platform isg session-count

To display the number of active Intelligent Services Gateway (ISG) subscriber sessions by line card, use the show platform isg session-count command in privileged EXEC mode.

show platform isg session-count { all | slot }

Syntax Description

all

Displays information for all line cards on the router.

slot

Displays information for a specific line card.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

12.2(33)SRE

This command was introduced.

12.2(33)SRD4

This command was integrated into Cisco IOS Release 12.2(33)SRD4.

12.2(33)SRE1

This command was modified. The maximum session count, maximum session instance, and port group were added to the output.

Usage Guidelines

The show platform isg session-count command displays either the total number of active subscriber sessions on the router, with individual totals by line card, or it displays the details for an individual line card in a specific slot.

The Cisco 7600 router limits the number of supported subscriber sessions per line card and per router chassis. Use this command to monitor the number of currently active sessions to ensure that the following limits are not exceeded:

  • Cisco 7600 chassis--32,000 subscriber sessions
  • ES+ line card--4000 subscriber sessions per port group; 16,000 sessions per line card
  • SIP400 line card--8000 subscriber sessions

Examples

The following example shows the output for all installed line cards:

Router# show platform isg session-count all
Total sessions per chassis : 8000
 Slot   Sess-count  Max Sess-count
 ----   ----------  --------------
    5         8000           16000

The following example shows the output for the ES+ line card in slot 5:

Router# show platform isg session-count 5
ES+ line card
 Sessions on a port-channel are instantiated on all member ports
 Port-group          Sess-instance   Max Sess-instance
 ----------          -------------   -----------------
 Gig5/1-Gig5/5              4000                4000
 Gig5/16-Gig5/20            4000                4000

The table below describes the significant fields shown in the display, in alphabetical order.

Table 10 show platform isg session-count Field Descriptions

Field

Description

Max Sess-count

Maximum number of sessions allowed per line card.

Max Sess-instance

Maximum number of session instances allowed per port group.

Port-group

Port numbers included in each port group.

Sess-count

Total number of active sessions per line card.

Sess-instance

Total number of session instances per port group.

Slot

Number of the router slot in which the card is installed.

Total sessions per chassis

Total number of sessions for all line cards on the router.

Related Commands

Command

Description

show subscriber session

Displays information about subscriber sessions on the ISG router.

show policy-map type control

To display information about Intelligent Services Gateway (ISG) control policy maps, use the show policy-map type control command in privileged EXEC mode.

show policy-map type control

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

Use the show policy-map type control command to display information about ISG control policies, including statistics on the number of times each policy-rule within the policy map has been executed

Examples

The following example shows sample output for the show policy-map type control command:

Router# show policy-map type control
Rule: internal-rule-acct-logon
  Class-map:  always event account-logon
    Action: 1 authenticate aaa list default 
    Executed0
Key:
  "Exec" - The number of times this rule action line was executed

Related Commands

Command

Description

clear policy-map type control

Clears ISG control policy map counters.

policy-map type control

Creates or modifies a control policy map, which defines an ISG control policy.

show class-map type control

Displays information about ISG control class maps.

show policy-map type service

To displays the contents of Intelligent Services Gateway (ISG) service policy maps and service profiles and session-related attributes, use the show policy-map type service command in privileged EXEC mode.

show policy-map type service

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Examples

The following example shows the configuration of a service profile called "prep_service" on a AAA server and the corresponding sample output for the show policy-map type service command.

Service Profile Configuration

Configuration of prep_service on simulator radius subscriber 8
 authentication prep_service pap cisco
 idle-timeout 600
 vsa cisco generic 1 string "traffic-class=input access-group 102"

Sample Output of show policy-map type service Command

Router# show policy-map type service 
Current policy profile DB contents are:
  Profile name: prep_service, 4 references 
    idletime             600 (0x258)
    traffic-class        "input access-group 102"

The table below describes the significant fields shown in the display.

Table 11 show policy-map type service Field Descriptions

Field

Description

Current policy profile DB contents are

Displays all of the service profiles and service policy maps on the system.

Profile name

Name of a service profile or policy map.

Related Commands

Command

Description

show class-map type traffic

Displays ISG traffic class maps and their matching criteria.

show processes cpu monitor

To display CPU utilization statistics that will be updated at specified intervals, use the show processes cpu monitor command in user EXEC or privileged EXEC mode.

show processes cpu monitor [ interval minutes ]

Syntax Description

interval seconds

(Optional) Interval, in minutes, at which the display will be updated. Range: 5 to 3600. Default: 5.

Command Modes

User EXEC
Privileged EXEC

Command History

Release

Modification

12.2(28)SBA

This command was introduced.

Usage Guidelines

The show processes cpu monitor command allows you to monitor CPU utilization statistics by displaying updated statistics at regular intervals. While the statistics are being displayed, the command-line interface will prompt you to enter "E" to end the display or "F" to freeze the display.

Examples

The following example shows sample output for the show processes cpu monitor command:

Router# show processes cpu monitor
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID Runtime(ms)   Invoked      uSecs    5Sec   1Min     5Min    TTY Process 
   3      772          712       1084    0.08%  0.04%    0.02%    0    Exec             
  67      276         4151         66    0.08%  0.03%    0.01%    0 L2TP mgmt daemon 
 116      604         2263        266    0.16%  0.05%    0.01%    0 IDMGR CORE       
End = e    Freeze = f  
Enter Command: 

The table below describes the significant fields shown in the display.

Table 12 show processes cpu monitor Field Descriptions

Field

Description

CPU utilization for five seconds

CPU utilization for the last 5 seconds and the percentage of CPU time spent at the interrupt level.

one minute

CPU utilization for the last minute and the percentage of CPU time spent at the interrupt level.

five minutes

CPU utilization for the last 5 minutes and the percentage of CPU time spent at the interrupt level.

PID

Process ID.

Runtime(ms)

CPU time the process has used (in milliseconds).

Invoked

Number of times the process has been invoked.

uSecs

Microseconds of CPU time for each process invocation.

5Sec

CPU utilization by task in the last 5 seconds.

1Min

CPU utilization by task in the last minute.

5Min

CPU utilization by task in the last 5 minutes.

TTY

Terminal that controls the process.

Process

Name of the process.

Related Commands

Command

Description

show processes cpu

Displays CPU utilization information about the active processes in a device.

show pxf cpu iedge

To display Parallel eXpress Forwarding (PXF) policy and template information, use the show pxf cpu iedgecommand in privileged EXEC mode.

show pxf cpu iedge [detail | policy policy-name | template]

Syntax Description

detail

(Optional) Displays detailed information about policies and templates.

policy policy-name

(Optional) Displays summary policy information.

template

(Optional) Displays summary template information.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

12.2S

This command was introduced.

Examples

The following example shows PXF template information. The fields shown in the display are self-explanatory.

Router# show pxf cpu iedge template 
Super ACL name                   OrigCRC   Class Count    CalcCRC
1sacl_2                         4EA94046   2             00000000
if_info 71BA3F20

Related Commands

Command

Description

show pxf statistics

Displays a summary of PXF statistics.

show pxf cpu isg

To display Parallel eXpress Forwarding (PXF) Intelligent Services Gateway (ISG) policy and template information, use the show pxf cpu isgcommand in privileged EXEC mode.

show pxf cpu isg [ detail | policy policy-name | template ]

Syntax Description

detail

(Optional) Displays detailed information about ISG policies and templates.

policy policy-name

(Optional) Displays summary ISG policy information.

template

(Optional) Displays summary ISG template information.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.2SB

This command was introduced.

Examples

The following example shows the ISG template information:

Router# show pxf cpu isg template 
Super ACL name                   OrigCRC   Class Count    CalcCRC
1sacl_2                         4EA94046   2             00000000
if_info 71BA3F20

Related Commands

Command

Description

show pxf statistics

Displays chassis-wide, summary PXF statistics.

show radius-proxy client

To display information about Intelligent Services Gateway (ISG) RADIUS proxy client devices, use the show radius-proxy clientcommand in privileged EXEC mode.

show radius-proxy client ip-address [ vrf vrf-name ]

Syntax Description

ip-address

IP address of the RADIUS proxy client.

vrf vrf-name

(Optional) VRF associated with the RADIUS proxy client.

Note    The vrf vrf-name option is not supported in 12.2(31)SB2.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.2(31)SB2

This command was introduced.

Usage Guidelines

The show radius-proxy client command can be used to find out which subscribers are associated with which RADIUS clients.

Examples

The following example shows sample output for the show radius-proxy client command:

Router# show radius-proxy client 10.45.45.3
Configuration details for client 10.45.45.3
 Shared secret:     blue#@!$%&/       Msg Auth Ignore:   No
 Local auth port:   1111                 Local acct port:   2222
 Acct method list: FWDACCT
Session Summary:
      RP ID       IP Address
   1. 687865867   10.1.1.1        

The table below describes the significant fields shown in the display.

Table 13 show radius-proxy client Field Descriptions

Field

Description

Shared secret

Shared secret between ISG RADIUS proxy and the client device.

Msg Auth Ignore

Indicates whether message-authenticator validation is performed for RADIUS packets coming from this client.

Local auth port

Port on which ISG listens for authentication packets from this client.

Local acct port

Port on which ISG listens for accounting packets from this client.

Acct method list

Method list to which ISG RADIUS proxy forwards accounting packets.

Session Summary

Summary of the ISG sessions associated with the specified client device.

RP ID

ISG RADIUS proxy identifier for the session.

IP Address

IP address associated with the session.

Related Commands

Command

Description

show radius-proxy session

Displays information about specific ISG RADIUS proxy sessions.

show radius-proxy session

To display information about specific Intelligent Services Gateway (ISG) RADIUS proxy sessions, use the show radius-proxy session command in privileged EXEC mode.

show radius-proxy session { id radius-proxy-ID | ip ip-address [ vrf vrf-name ] }

Syntax Description

id radius-proxy-ID

ISG RADIUS proxy ID.

ip ip-address

IP address associated with the RADIUS proxy session.

vrf vrf-name

(Optional) Virtual routing and forwarding instance (VRF) associated with the session.

Note    The vrf vrf-name option is not supported in Cisco IOS Release 12.2(31)SB2.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.2(31)SB2

This command was introduced.

Examples

The following example shows sample output for the show radius-proxy session command:

Router# show radius-proxy session id 1694498816
Session Keys:
  Caller ID:         000b.4691.e2e3
Other Attributes:
  Username:          aash
  User IP:           unassigned
  Called ID:         
Client Information:
  NAS IP:            10.45.45.2
  NAS ID:            localhost
State Details:
  State:             authenticated 
  Timer:             ip-address (timeout: 240s, remaining: 166s)

Related Commands

Command

Description

show radius-proxy client

Displays information about ISG RADIUS proxy client devices.

show redirect group

To display information about Intelligent Services Gateway (ISG) Layer 4 redirect server groups, use the show redirect group command in privileged EXEC mode.

show redirect group [ group-name]

Syntax Description

group-name

(Optional) Specific server group for which to display information.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Cisco IOS XE Release 3.5S

This command was modified. The output was enhanced to include information about IPv6 redirect groups and servers.

Usage Guidelines

Use the show redirect translations command without the group-name argument to display information about all Layer 4 redirect server groups.

Examples

The following example shows sample output for the show redirect group command:

Router# show redirect group redirect-group-default
Showing all servers of the group redirect-group-default
Server created : using cli
Server Port
10.30.81.22 8090

Related Commands

Command

Description

redirect server-group

Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.

redirect to (ISG)

Redirects ISG Layer 4 traffic to a specified server or server group.

server (ISG)

Adds a server to an ISG Layer 4 redirect server group.

show redirect translations

Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.

show redirect translations

To display information about the Intelligent Services Gateway (ISG) Layer 4 redirect mappings for subscriber sessions, use the show redirect translations command in privileged EXEC mode.

show redirect translations [ ip ip-address | ipv4 | ipv6 ] [ verbose]

Syntax Description

ip ip-address

(Optional) Displays all active translations for the specified subscriber source IP address.

ipv4

(Optional) Displays all active IPv4 translations.

ipv6

(Optional) Displays all active IPv6 translations.

verbose

(Optional) Displays detailed information about the translations.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

12.2(33)SB8

This command was modified. Information about the number of redirect translations was added to the output.

12.2(33)XNE1

This command was integrated into Cisco IOS Release 12.2(33)XNE1.

12.2(33)SRD4

This command was integrated into Cisco IOS Release 12.2(33)SRD4.

12.2(33)SRE1

This command was integrated into Cisco IOS Release 12.2(33)SRE1.

Cisco IOS XE Release 3.5S

This command was modified. The ipv4, ipv6, and verbose keywords were added.

Usage Guidelines

Use the show redirect translations command without the ip ip-address keyword and argument to display Layer 4 redirect mappings for all subscriber sessions.

Examples

The following is sample output from the show redirect translations command displaying information about each active redirect translation:

Router# show redirect translations

Prot Destination IP/Port                      Server IP/Port
TCP  10.0.1.2 23                              10.0.2.2 23
TCP  10.0.1.2 23                              10.0.2.2 23
TCP  10.0.1.2 23                              10.0.2.2 23
Total Number of Translations: 3

The following is sample output from the show redirect translations ipv6 command displaying information about each active IPv6 redirect translation:

Router# show redirect translations ipv6

Prot Destination IP/Port                      Server IP/Port
TCP  2001:DB8:2222:1044::72 80                2001:DB8:C003:12::2918 8080
TCP  2001:DB8:2222:1044::73 80                2001:DB8:C003:12::2918 8080
Total Number of Translations: 5

The following is sample output from the show redirect translations verbose command displaying additional information about each active redirect translation:

Router# show redirect translations verbose

Prot Destination IP/Port                      Server IP/Port
     Source IP/Port                           InFlags OutFlags Timestamp

TCP  10.1.0.1 80                              10.10.0.1 8080
     10.0.0.1 3881                            -   -   02/28/11 11:48:01

TCP  10.1.0.2 80                              10.10.0.1 8080
     10.0.0.1 3882                            FIN -   02/28/11 11:50:01

TCP  10.1.0.4 80                              10.10.0.1 8080
     10.0.0.2 4002                            -   -   02/28/11 11:55:08

TCP  2001:DB8:2222:1044::72 80                2001:DB8:C003:12::2918 8080
     2001:DB8:C003:13::2928 5001              SYN -   02/28/11 10:25:12

TCP  2001:DB8:2222:1044::73 80                2001:DB8:C003:12::2918 8080
     2001:DB8:C003:13::2928 8002              -   FIN 02/28/11 10:22:15

Total Number of Translations: 5

The table below describes the significant fields shown in the display, in alphabetical order.

Table 14 show redirect translations Field Descriptions

Field

Description

Destination IP/port

IP address and port number of the connection destination.

In Flags, Out Flags

TCP flags. For example, ACK, FIN, SYN, or Null.

Prot

Protocol used, either TCP or User Data Protocol (UDP).

Server IP/port

IP address and port number of the redirect server.

Total Number of Translations

Total number of active translations.

Related Commands

Command

Description

redirect server-group

Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.

redirect session-limit

Sets the maximum number of Layer 4 redirects allowed for each ISG subscriber session.

redirect to (ISG)

Redirects ISG Layer 4 traffic to a specified server or server group.

server ip (ISG)

Adds a server to an ISG Layer 4 redirect server group.

show redirect group

Displays information about ISG Layer 4 redirect server groups.

show sgi

To display information about current Service Gateway Interface (SGI) sessions or statistics, use the show sgi command in privileged EXEC mode.

show sgi { session | statistics }

Syntax Description

session

Displays information about the current SGI session.

statistics

Displays information about the current SGI statistics

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

12.2(33)SRC

This command was introduced.

Examples

The following example shows information about SGI sessions started and currently running, including the running state:

Router# show sgi session
sgi sessions: open 1(max 10, started 15
session id:1;started at 9:08:05; state OPEN

The following example shows statistical information about SGI and the SGI processes that have been started:

Router# show sgi statistics
sgi statistics
total messages received 45
current active messages 5; maximum active messages 7
total isg service requests 4
current active services 2; maximum active services 2
sgi process statistics
process sgi handler 1
pid 95, cpu percent (last minute) 1, cpu runtime 10(msec), memory accocated 4200 (bytes)

Related Commands

Command

Description

debug sgi

Enables debugging for SGI.

sgi beep listener

Enables SGI.

test sgi xml

Allows onboard testing of SGI XML files when an external client is not available.

show ssm

To display Segment Switching Manager (SSM) information for switched Layer 2 segments, use the show ssmcommand in privileged EXEC mode.

show ssm { cdb | feature id [ feature-id] | id | memory [ chunk variable { feature | queue | segment } | detail ] | segment id [ segment-id] | switch id [ switch-id] }

Syntax Description

cdb

Displays information about the SSM capabilities database.

feature id

Displays information about SSM feature settings.

feature-id

(Optional) Displays information for a specific feature ID.

id

Displays information for all SSM IDs.

memory

Displays memory usage information.

chunk variable

(Optional) Displays memory usage information for memory consumed by variable chunks.

feature

Displays information about memory consumed by the feature.

queue

Displays information about memory consumed by the queue.

segment

Displays information about memory consumed by the segment.

detail

(Optional) Displays detailed memory usage information.

segment id

Displays information about SSM segment settings.

segment-id

(Optional) Displays information for a specific SSM segment.

switch id

Displays information about SSM switch settings.

switch-id

(Optional) Displays information for a specific SSM switch ID.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.2(22)S

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

Usage Guidelines

Use the show ssm command to determine the segment ID for an active switched Layer 2 segment. The segment ID can be used with the debug condition xconnect command to filter debug messages by segment.

Examples

The following example shows sample output for the show ssm cdb command. The output for this command varies depending on the type of hardware being used.

Router# show ssm cdb
 
Switching paths active for class SSS:
-------------------------------------
        |FR |Eth|Vlan|ATM|HDLC|PPP/AC|L2TP|L2TPv3|L2F|PPTP|ATM/AAL5|ATM/VCC|
--------+---+---+----+---+----+------+----+------+---+----+--------+-------+
FR      | E | E | E  |E/-| E  |  E   | E  |  E   |-/-|-/- |   E    |   E   |
Eth     | E | E | E  |E/-| E  |  E   | E  |  E   |-/-|-/- |   E    |   E   |
Vlan    | E | E | E  |E/-| E  |  E   | E  |  E   |-/-|-/- |   E    |   E   |
ATM     |-/E|-/E|-/E |-/-|-/E | -/E  |-/E | -/E  |-/-|-/- |  -/E   |  -/E  |
HDLC    | E | E | E  |E/-| E  |  E   | E  |  E   |-/-|-/- |   E    |   E   |
PPP/AC  | E | E | E  |E/-| E  |  E   | E  |  E   |-/-|-/- |   E    |   E   |
L2TP    | E | E | E  |E/-| E  |  E   | E  | -/-  | E | E  |   E    |   E   |
L2TPv3  | E | E | E  |E/-| E  |  E   |-/- |  E   |-/-|-/- |   E    |   E   |
L2F     |-/-|-/-|-/- |-/-|-/- | -/-  | E  | -/-  | E | E  |  -/-   |  -/-  |
PPTP    |-/-|-/-|-/- |-/-|-/- | -/-  | E  | -/-  | E | E  |  -/-   |  -/-  |
ATM/AAL5| E | E | E  |E/-| E  |  E   | E  |  E   |-/-|-/- |   E    |   E   |
ATM/VCC | E | E | E  |E/-| E  |  E   | E  |  E   |-/-|-/- |   E    |   E   |
ATM/VPC | E | E | E  |E/-| E  |  E   | E  |  E   |-/-|-/- |   E    |   E   |
ATM/Cell| E | E | E  |E/-| E  |  E   | E  |  E   |-/-|-/- |   E    |   E   |
AToM    |-/E|-/E|-/E |-/-|-/E | -/E  |-/- | -/E  |-/-|-/- |  -/E   |  -/E  |
PPP     |-/-|-/-|-/- |-/-|-/- | -/-  | E  | -/-  | E | E  |  -/-   |  -/-  |
PPPoE   |-/-|-/-|-/- |-/-|-/- | -/-  | E  | -/-  | E | E  |  -/-   |  -/-  |
PPPoA   |-/-|-/-|-/- |-/-|-/- | -/-  | E  | -/-  | E | E  |  -/-   |  -/-  |
Lterm   |-/-|-/-|-/- |-/-|-/- | -/-  | E  | -/-  | E | E  |  -/-   |  -/-  |
TC      |-/-|-/-|-/- |-/-|-/- | -/-  |-/- | -/-  |-/-|-/- |  -/-   |  -/-  |
IP-If   |-/-|-/-|-/- |-/-|-/- | -/-  |-/- | -/-  |-/-|-/- |  -/-   |  -/-  |
IP-SIP  |-/-|-/-|-/- |-/-|-/- | -/-  |-/- | -/-  |-/-|-/- |  -/-   |  -/-  |
VFI     |-/E|-/E|-/E |-/-|-/E | -/E  |-/- | -/E  |-/-|-/- |  -/E   |  -/E  |
        |ATM/Cell|AToM|PPP|PPPoE|PPPoA|Lterm|TC |IP-If|IP-SIP|VFI|
--------+--------+----+---+-----+-----+-----+---+-----+------+---+
FR      |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |E/-|
Eth     |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |E/-|
Vlan    |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |E/-|
ATM     |  -/E   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
HDLC    |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |E/-|
PPP/AC  |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |E/-|
L2TP    |   E    |-/- | E |  E  |  E  |  E  |-/-| -/- | -/-  |-/-|
L2TPv3  |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |E/-|
L2F     |  -/-   |-/- | E |  E  |  E  |  E  |-/-| -/- | -/-  |-/-|
PPTP    |  -/-   |-/- | E |  E  |  E  |  E  |-/-| -/- | -/-  |-/-|
ATM/AAL5|   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |E/-|
ATM/VCC |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |E/-|
ATM/VPC |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |E/-|
ATM/Cell|   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |E/-|
AToM    |  -/E   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
PPP     |  -/-   |-/- | E |  E  |  E  |  E  |-/-| -/- | -/-  |-/-|
PPPoE   |  -/-   |-/- | E |  E  |  E  |  E  |-/-| -/- | -/-  |-/-|
PPPoA   |  -/-   |-/- | E |  E  |  E  |  E  |-/-| -/- | -/-  |-/-|
Lterm   |  -/-   |-/- | E |  E  |  E  |  E  | E |  E  |  E   |-/-|
TC      |  -/-   |-/- |-/-| -/- | -/- |  E  | E |  E  |  E   |-/-|
IP-If   |  -/-   |-/- |-/-| -/- | -/- |  E  | E |  E  | -/-  |-/-|
IP-SIP  |  -/-   |-/- |-/-| -/- | -/- |  E  | E | -/- |  E   |-/-|
VFI     |  -/E   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
Switching paths active for class ADJ:
-------------------------------------
        |FR |Eth|Vlan|ATM|HDLC|PPP/AC|L2TP|L2TPv3|L2F|PPTP|ATM/AAL5|ATM/VCC|
--------+---+---+----+---+----+------+----+------+---+----+--------+-------+
FR      | E | E | E  |E/-| E  |  E   |E/- |  E   |-/-|-/- |   E    |   E   |
Eth     | E | E | E  |E/-| E  |  E   |E/- |  E   |-/-|-/- |   E    |   E   |
Vlan    | E | E | E  |E/-| E  |  E   |E/- |  E   |-/-|-/- |   E    |   E   |
ATM     |-/E|-/E|-/E |-/-|-/E | -/E  |-/- | -/E  |-/-|-/- |  -/E   |  -/E  |
HDLC    | E | E | E  |E/-| E  |  E   |E/- |  E   |-/-|-/- |   E    |   E   |
PPP/AC  | E | E | E  |E/-| E  |  E   |E/- |  E   |-/-|-/- |   E    |   E   |
L2TP    |-/E|-/E|-/E |-/-|-/E | -/E  | E  | -/-  |E/-|E/- |  -/E   |  -/E  |
L2TPv3  | E | E | E  |E/-| E  |  E   |-/- |  E   |-/-|-/- |   E    |   E   |
L2F     |-/-|-/-|-/- |-/-|-/- | -/-  |-/E | -/-  |-/-|-/- |  -/-   |  -/-  |
PPTP    |-/-|-/-|-/- |-/-|-/- | -/-  |-/E | -/-  |-/-|-/- |  -/-   |  -/-  |
ATM/AAL5| E | E | E  |E/-| E  |  E   |E/- |  E   |-/-|-/- |   E    |   E   |
ATM/VCC | E | E | E  |E/-| E  |  E   |E/- |  E   |-/-|-/- |   E    |   E   |
ATM/VPC | E | E | E  |E/-| E  |  E   |E/- |  E   |-/-|-/- |   E    |   E   |
ATM/Cell| E | E | E  |E/-| E  |  E   |E/- |  E   |-/-|-/- |   E    |   E   |
AToM    |-/E|-/E|-/E |-/-|-/E | -/E  |-/- | -/E  |-/-|-/- |  -/E   |  -/E  |
PPP     |-/-|-/-|-/- |-/-|-/- | -/-  |-/E | -/-  |-/-|-/- |  -/-   |  -/-  |
PPPoE   |-/-|-/-|-/- |-/-|-/- | -/-  |-/E | -/-  |-/-|-/- |  -/-   |  -/-  |
PPPoA   |-/-|-/-|-/- |-/-|-/- | -/-  |-/E | -/-  |-/-|-/- |  -/-   |  -/-  |
Lterm   |-/-|-/-|-/- |-/-|-/- | -/-  |-/E | -/-  |-/-|-/- |  -/-   |  -/-  |
TC      |-/-|-/-|-/- |-/-|-/- | -/-  |-/- | -/-  |-/-|-/- |  -/-   |  -/-  |
IP-If   |-/-|-/-|-/- |-/-|-/- | -/-  |-/- | -/-  |-/-|-/- |  -/-   |  -/-  |
IP-SIP  |-/-|-/-|-/- |-/-|-/- | -/-  |-/- | -/-  |-/-|-/- |  -/-   |  -/-  |
VFI     |E/-| E | E  |E/-|E/- | E/-  |-/- | -/E  |-/-|-/- |   E    |   E   |
        |ATM/Cell|AToM|PPP|PPPoE|PPPoA|Lterm|TC |IP-If|IP-SIP|VFI|
--------+--------+----+---+-----+-----+-----+---+-----+------+---+
FR      |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/E|
Eth     |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  | E |
Vlan    |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  | E |
ATM     |  -/E   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/E|
HDLC    |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/E|
PPP/AC  |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/E|
L2TP    |  -/E   |-/- |E/-| E/- | E/- | E/- |-/-| -/- | -/-  |-/-|
L2TPv3  |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |E/-|
L2F     |  -/-   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
PPTP    |  -/-   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
ATM/AAL5|   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  | E |
ATM/VCC |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  | E |
ATM/VPC |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  | E |
ATM/Cell|   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  | E |
AToM    |  -/E   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/E|
PPP     |  -/-   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
PPPoE   |  -/-   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
PPPoA   |  -/-   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
Lterm   |  -/-   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
TC      |  -/-   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
IP-If   |  -/-   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
IP-SIP  |  -/-   |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
VFI     |   E    |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/-  |-/-|
Key:
  '-' - switching type is not available
  'R' - switching type is available but not enabled
  'E' - switching type is enabled
  'D' - switching type is disabled

The following example displays SSM output of the show ssm id command on a device with one active Layer 2 Tunnel Protocol Version 3 (L2TPv3) segment and one active Frame Relay segment. The segment ID field is shown in bold.

Router# show ssm id 
SSM Status: 1 switch
   Switch-ID 4096 State: Open
     Segment-ID: 8193
 Type: L2TPv3[8]
       Switch-ID:                    4096
       Physical intf:                Remote
       Allocated By:                 This CPU
       Class:                        SSS
         State:                        Active
         L2X switching  context:
         Session ID Local 16666 Remote 54742
         TxSeq 0 RxSeq 0
         Tunnel end-point addr Local 10.1.1.2 Remote 10.1.1.1
         SSS Info Switch Handle 0x98000000 Ciruit 0x1B19510
         L2X Encap [24 bytes]
          45 00 00 00 00 00 00 00 FF 73 B7 86 01 01 01 02
          01 01 01 01 00 00 D5 D6
       Class:                        ADJ
         State:                        Active
         L2X H/W Switching Context:
         Session Id Local 16666 Remote 54742
         Tunnel Endpoint Addr Local 10.1.1.2 Remote 10.1.1.1
         Adjacency 0x1513348 [complete] PW IP, Virtual3:16666
         L2X Encap [24 bytes]
          45 00 00 00 00 00 00 00 FF 73 B7 86 01 01 01 02
          01 01 01 01 00 00 D5 D6
     Segment-ID: 4096
 Type: FR[1]
       Switch-ID:                    4096
       Physical intf:                Local
       Allocated By:                 This CPU
       Class:                        SSS
         State:                        Active
         AC Switching Context:         Se2/0:200
         SSS Info - Switch Handle=0x98000000 Ckt=0x1B194B0
         Interworking 0 Encap Len 0 Boardencap Len 0 MTU 1584
       Class:                        ADJ
         State:                        Active
         AC Adjacency context:
         adjacency = 0x1513618 [complete] RAW Serial2/0:200

Additional output displayed by this command is either self-explanatory or used only by Cisco engineers for internal debugging of SSM processes.

The following example shows sample output for the show ssm memory command:

Router# show ssm memory
 
 
  Allocator-Name                  In-use/Allocated            Count
  ----------------------------------------------------------------------------
  SSM CM API large segment  :        208/33600      (  0%) [      1] Chunk
  SSM CM API medium segment :        144/20760      (  0%) [      1] Chunk
  SSM CM API segment info c :        104/160        ( 65%) [      1] 
  SSM CM API small segment  :          0/19040      (  0%) [      0] Chunk
  SSM CM inQ interrupt msgs :          0/20760      (  0%) [      0] Chunk
  SSM CM inQ large chunk ms :          0/33792      (  0%) [      0] Chunk
  SSM CM inQ msgs           :        104/160        ( 65%) [      1] 
  SSM CM inQ small chunk ms :          0/20760      (  0%) [      0] Chunk
  SSM DP inQ msg chunks     :          0/10448      (  0%) [      0] Chunk
  SSM Generic CM Message    :          0/3952       (  0%) [      0] Chunk
  SSM HW Class Context      :         64/10832      (  0%) [      1] Chunk
  SSM ID entries            :        144/11040      (  1%) [      3] Chunk
  SSM ID tree               :         24/80         ( 30%) [      1] 
  SSM INFOTYPE freelist DB  :       1848/2016       ( 91%) [      3] 
  SSM SEG Base              :        240/34064      (  0%) [      2] Chunk
  SSM SEG freelist DB       :       5424/5592       ( 96%) [      3] 
  SSM SH inQ chunk msgs     :          0/5472       (  0%) [      0] Chunk
  SSM SH inQ interrupt chun :          0/5472       (  0%) [      0] Chunk
  SSM SW Base               :         56/10920      (  0%) [      1] Chunk
  SSM SW freelist DB        :       5424/5592       ( 96%) [      3] 
  SSM connection manager    :        816/1320       ( 61%) [      9] 
  SSM seg upd info          :          0/2464       (  0%) [      0] Chunk
  Total allocated: 0.246 Mb, 252 Kb, 258296 bytes

Related Commands

Command

Description

debug condition xconnect

Displays conditional xconnect debug messages.

show subscriber policy dpm statistics

To display statistics for DHCP policy module (DPM) session contexts, use the show subscriber policy dpm statisticscommand in privileged EXEC mode.

show subscriber policy dpm statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

12.2(33)SB9

This command was introduced.

Usage Guidelines

The show subscriber policy dpm statistics command displays cumulative information about the event traces that are captured for DPM session contexts. To clear the statistics, use the clear s ubscriber policy dpm statistics command.

Examples

The following is sample output from the show subscriber policy dpm statisticscommand.

Router# show subscriber policy dpm statistics
         Message Received     Duplicate    Ignored      Total
    Discover Notification  :        284          0        291
       Offer Notification  :          0          0          2
 Address Assignment Notif  :          2          0          2
   DHCP Classname request  :          0        290        290
      Input Intf Override  :          0         10        293
  Lease Termination Notif  :          0          0          2
  Session Restart Request  :          0          0          0
Response to DHCP request for classname
Average Time : Max Time : 
MAC address for Max Time : 
Response to DHCP Offer Notification
Average Time : 30ms Max Time : 36ms
MAC address for Max Time : aaaa.2222.cccc
Overall since last clear
Total Discover Init Sessions : 2
Total Restarted Sessions : 0
Average set up time for Discover initiated sessions : 2s26ms
Min set up time among Discover initiated sessions : 2s20ms
Max set up time among Discover initiated sessions : 2s32ms
Current active Sessions
Total Discover Init Sessions : 0
Total Restarted Sessions : 0
Average set up time for Discover initiated sessions : 
Min set up time among Discover initiated sessions: 2s20ms
Max set up time among Discover initiated sessions : 
MAC of session with Max DHCP Setup Time : aaaa.2222.cccc
Total number of DPM contexts allocated : 7
Total number of DPM contexts freed : 6
Total number of DPM contexts currently without session : 1
  Elapsed time since counters last cleared : 2h15m20s  

The table below describes some of the fields shown in the sample output, in alphabetical order.

Table 15 show subscriber policy dpm statistics Field Descriptions

Field

Description

Average set up time for Discover initiated sessions

Average amount of time that it took to set up a Discover initiated session, for overall sessions and currently active sessions.

Elapsed time since counters last cleared

Amount of time that has passed since the clear subscriber policy dpm statistics command was last used.

MAC of session with Max DHCP Setup Time

MAC address of the session with the longest DHCP setup time.

Max set up time among Discover initiated sessions

Amount of time that it took to set up the Discover initiated session with the longest setup time, for overall sessions and currently active sessions.

Message Received

Total number of messages that were received, by message type, and the number of messages that were duplicated or ignored.

Min set up time among Discover initiated sessions

Amount of time that it took to set up the Discover initiated session with the shortest setup time, for overall sessions and currently active sessions.

Overall since last clear

Cumulative statistics for all of the sessions that occurred since the last time the counters were cleared with the clear subscriber policy dpm statistics command.

Total Discover Init Sessions

Total number of Discover initiated sessions, for overall sessions and currently active sessions.

Total Restarted Sessions

Total number of sessions that were restarted, for overall sessions and currently active sessions.

Related Commands

Command

Description

clear subscriber policy dpm statistics

Clears the statistics for DPM session contexts.

show subscriber policy dpm context

Displays event traces for DPM session contexts.

subscriber trace event

Enables event tracing for software modules involved in ISG subscriber sessions.

show subscriber policy peer

To display the details of a subscriber policy peer, use the show subscriber policy peer command in user EXEC or privileged EXEC mode.

show subscriber policy peer { address ip-address | handle connection-handle-id | all }

Syntax Description

address

Displays a specific peer, identified by its IP address.

ip-address

The IP address of the peer to be displayed.

handle

Displays a specific peer, identified by its handle.

connection-handle-id

Handle ID for the peer handle.

all

Displays all peers.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release

Modification

12.2(33)SRC

This command was introduced.

12.2(33)SB

This command was integrated into Cisco IOS Release 12.2(33)SB.

Usage Guidelines

PUSH mode or PULL mode is established when the peering relationship between the Intelligent Services Gateway (ISG) and Service Control Engine (SCE) devices is initiated. PUSH mode refers to the ISG device pushing out information to the SCE device about a new session. PULL mode refers to the SCE device requesting session identity when it first notices new unidentified traffic.

Only one SCE device in PUSH mode can be integrated with the ISG device. If another SCE device in PUSH mode requests a connection with the ISG device, a disconnect message is sent to the first SCE device that is in PUSH mode.

Examples

The following is sample output from the show subscriber policy peercommand.

Router# show subscriber policy peer all
Peer IP: 10.1.1.3
Conn ID: 105
Mode: PULL
State: ACTIVE
Version: 1.0
Conn up time: 00:01:01
Conf keepalive: 0
Negotiated keepalive: 25
Time since last keepalive: 00:00:11
Inform owner on pull: TRUE
Total number of associated sessions: 2
Associated session details:
 1E010101000000A0
 1E010101000000A1

The table below describes some of the fields shown in the sample output.

Table 16 show subscriber policy peer Field Descriptions

Field

Description

Peer IP

IP address of subscriber policy peer.

Conn ID

Connection identifier.

Mode

Mode of subscriber policy peer: PUSH or PULL.

Conn up time

Connection up time.

Conf keepalive

Configured keepalive value, in seconds.

Related Commands

Command

Description

subscriber-policy

Defines or modifies the forward and filter decisions of the subscriber policy.

show subscriber service

To display information about Intelligent Services Gateway (ISG) subscriber services, use the show subscriber service command in user EXEC or privileged EXEC mode.

show subscriber service [ name service-name ] [ detailed]

Syntax Description

name service-name

(Optional) Displays information about the subscriber service profile with the specific name.

detailed

(Optional) Displays detailed information about subscriber service profiles.

Command Modes

User EXEC (>)

Privileged EXEC (#)

Command History

Release Modification

12.2(28)SB

This command was introduced.

12.2(33)SRC

This command was modified. Support for this command was implemented on the Cisco 7600 series router.

15.1(2)S

This command was modified. The name keyword and service-name argument were added.

Cisco IOS XE Release 3.3

This command was modified. The name keyword and service-name argument were added.

Usage Guidelines

If you enter the show subscriber service command without any keywords or arguments, information is displayed for all services on the ISG router.

Examples

The following example shows output from the show subscriber service command for a service named platinum:

Router# show subscriber service name platinum

Service "Platinum":
Profile name: Platinum, 4 references 
          traffic-class        "input access-group 102"
          policy-directive     "authenticate aaa list PPP1"

Class Id  In: 00000002
Class Id Out: 00000003

Current Subscriber Information using service "Platinum": 
Total sessions: 1

Codes: lterm - Local Term, fwd - forwarded, unauth - unathenticated, authen - 
authenticated, TC Ct. - Number of Traffic Classes on the main session

Uniq ID Interface State Service Up-time   TC Ct. Identifier 
1        IP       auth   lterm   19:32:05 2       jsmith

The following example shows output from the show subscriber service command using the name and detailed keywords:

Router# show subscriber service name platinum detailed 

Service "Platinum":
    Version 1:
      SVM ID                : DC000001
      Class Id  In: 00000000
      Class Id Out: 00000001
      Locked by             : SVM-Printer            [1]
      Locked by             : PM-Service             [1]
      Locked by             : PM-Info                [1]
      Locked by             : FM-Bind                [1]
      Locked by             : Accounting-Feature     [1]
      Profile               : 07703430
        Profile name: Platinum, 3 references 
          password             <hidden>
          username             "Platinum"
          accounting-list      "default"
      Feature               : Accounting
          Feature IDB type      : Sub-if or not required
          Feature Data          : 24 bytes:
                                : 000000 00 00 DC 00 00 01 07 6F  .......o
                                : 000008 CB C8 00 00 04 0F 00 00  ........
                                : 000010 00 03 00 00 00 00 00 00  ........

Current Subscriber Information using service "Platinum"
Total sessions: 1
          
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen -
authenticated, TC Ct. - Number of Traffic Classes on the main session

Uniq ID Interface    State    Service     Up-time  TC Ct. Identifier
1       IP           authen   Lterm       00:26:02 1      jsmith

The table below describes the significant fields shown in the displays, in alphabetical order.

Table 17 show subscriber service Field Descriptions

Field

Description

accounting-list

AAA method list to which accounting updates are sent.

Child ID

Identifier of the parent session.

Class Id In

Class identifier of the class used by the service in the input direction.

Class Id Out

Class identifier of the class used by the service in the output direction.

Parent ID

Identifier of the parent session.

policy-directive

Directive defined in the service profile to authenticate the service at the specified server.

SVM ID

Service manager identifier.

State

Indicates whether the session has been authenticated or is unauthenticated.

Total sessions

Number of main sessions on the ISG.

traffic-class

Traffic class used by the service.

Uniq ID

Unique session identifier.

Related Commands

Command Description

show subscriber session

Displays information about ISG subscriber sessions.

show subscriber statistics

Displays statistics about ISG subscriber sessions.

show subscriber session

To display information about Intelligent Services Gateway (ISG) subscriber sessions, use the show subscriber session command in privileged EXEC mode.

show subscriber session [ identifier identifier | uid session-identifier | username username ] [ [ detailed | feature feature-name ] | flow service service-name ]

Syntax Description

identifier identifier

(Optional) Displays information about subscriber sessions that match the specified identifier. Valid keywords and arguments are:

  • authen-status--Displays information for sessions with the specified authentication status.
    • authenticated--Displays information for sessions that have been authenticated.
    • unauthenticated--Displays information for sessions that have not been authenticated.
  • authenticated-domain domain-name--Displays information for sessions with the specified authenticated domain name.
  • authenticated-username username--Displays information for sessions with the specified authenticated username.
  • auto-detect--Displays information for sessions using autodetect. (Authorization is performed on the basis of circuit ID or remote ID.)
  • dnis number--Displays information for sessions with the specified Dialed Number Identification Service (DNIS) number.
  • mac-address mac-address--Displays information for sessions with the specified MAC address.
  • media type--Displays information for sessions that use the specified type of access media. Valid values for the type argument are:
    • async--Async
    • atm--ATM
    • ether--Ethernet
    • ip--IP
    • isdn--ISDN
    • mpls--Multiprotocol Label Switching (MPLS)
    • sync--Serial
  • nas-port port-identifier--Displays information for sessions with the specified network access server (NAS) port identifier. Valid keywords and arguments are one or more of the following:
    • adapter adapter-number
    • channel channel-number
    • ipaddr ip-address
    • port port-number
    • shelf shelf-number
    • slot slot number
    • sub-interface subnterface-number
    • type interface type
    • vci virtual-channel-identifier
    • vlan virtual-lan-id
    • vpi virtual-path-identifier
  • protocol--Displays information for sessions that use the specified type of access protocol. Valid values for the type argument are:
    • atom--Any Transport over MPLS (ATOM) access protocol
    • ether--Ethernet access protocol
    • ip--IP access protocol
    • pdsn--Packet Data Serving Node (PDSN) access protocol
    • ppp--PPP access protocol
    • vpdn--Virtual private dialup network (VPDN) access protocol
  • source-ip-address ip-address subnet-mask--Displays information for sessions that are associated with the specified source IP address.
  • timer timer-name--Displays information for sessions that use the specified timer.
  • tunnel-name tunnel-name--Displays information for sessions that are associated with the specified VPDN tunnel.
  • unauthenticated-domain domain-name--Displays information for sessions with the specified unauthenticated domain name.
  • unauthenticated-username username--Displays information for sessions with the specified unauthenticated username.
  • vrf vrf-name--Displays information for sessions with the specified virtual routing and forwarding (VRF) identifier.

uid session-identifier

(Optional) Displays information for sessions with the specified unique identifier.

username username

(Optional) Displays information for sessions associated with the specified username.

detailed

(Optional) Displays detailed information about sessions.

feature feature-name

(Optional) Displays information for specific Layer 2 features installed on the parent session. To display feature names, use the question mark (?) online help function.

Valid keywords and arguments are one or more of the following:

  • access-list Per--Displays per-user ACL feature.
  • accounting--Accounting feature.
  • compression--Compression feature.
  • filter --Per-User Filter feature.
  • idle-timer--Idle Timeout feature.
  • ip-config--IP configuration feature.
  • keepalive--Keepalive feature.
  • l4redirect--L4 redirect feature.
  • modem-on-hold--Modem-on-hold feature.
  • policing--Policing feature.
  • portbundle --Portbundle hostkey feature.
  • prepaid-absolute--Prepaid Absolute Timeout feature.
  • prepaid-idle--Prepaid idle timeout feature.
  • qos-peruser--QoS policy map feature.
  • session-timer--Absolute timeout feature.
  • tariff-switching--Tariff switching feature.
  • time-monitor--Prepaid time monitor feature.
  • volume-monitor--Prepaid volume monitor feature.

flow service service-name

(Optional) Displays detailed information about the specified flow service installed on the parent session.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

12.2(33)SRC

This command was modified. Support for this command was implemented on the Cisco 7600 series router.

15.0(1)S

This command replaced the show sss session command.

15.1(2)S

This command was modified. The feature feature-name and flow service service-name keyword-argument pairs were added. The output for the identifier, uid, and username keywords was enhanced to include classifier information.

Cisco IOS XE Release 3.3S

This command was modified. The feature feature-name and flow service service-name keyword-argument pairs were added. The output for the identifier, uid, and username keywords was enhanced to include classifier information.

Cisco IOS XE Release 3.4S

This command was modified. The output was enhanced to include information about IPv6 sessions, and the tariff-switching keyword was added for the feature-name argument.

Cisco IOS XE Release 3.5S

This command was modified. The output for the detailed keyword was enhanced to include the IP address of sessions.

Usage Guidelines

If the show subscriber session command is entered without any keywords or arguments, information is displayed for all sessions on the ISG router. When an identifier is specified, information is displayed for only those sessions that match the identifier.

Examples

The following is sample output from the show subscriber session command:

Router# show subscriber session
 
Current Subscriber Information: Total sessions 1
Uniq ID Interface  State    Service Up-time    TC Ct.   Identifier
1       IP         authen   lterm   00:27:18   1        10.10.10.10 
2       Vi3        authen   lterm   00:09:04   1        rouble-pppoe

The following is sample output from the show subscriber session command with the uid and flow service keywords specifying the service named Gold:

Router# show subscriber session uid 1 flow service Gold

Codes: Class-id - Classification Identifier, Pri. - Priority
--------------------------------------------------
Type: IP, UID: 1, Identity: user1, State: authen
Session Up-time: 00:05:20, Last Changed: 00:04:56
Switch-ID: 4096

Service Name: Gold, Active Time = 00:05:20

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
3           Out   0          0                      0    Match ACL 101
2           In    0          0                      0    Match ACL 101

Features:

L4 Redirect:
Class-id   Rule cfg  Definition                               Source
2          #1   SVC  to ip 10.0.2.2                           Gold

Policing:
Class-id   Dir  Avg. Rate   Normal Burst  Excess Burst Source
2          In   8000        1000          1000         Gold
3          Out  8000        1000          1000         Gold

The following is sample output from the show subscriber session command with the uid and feature keywords specifying the accounting feature:

Router# show subscriber session uid 1 feature accounting

Type: IP, UID: 1, Identity: user1, State: authen
Session Up-time: 00:05:50, Last Changed: 00:05:26
Switch-ID: 4096

Features:

Accounting:
Class-id   Dir  Packets    Bytes                 Source
0          In   1          100                   Platinum
1          Out  0          0                     Platinum

The following is sample output from the show subscriber session command with the detailed keyword.


Note


The Classifiers section does not display in the detailed output on the Cisco 7600 series router.
Router# show subscriber session detailed

Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: IP, UID: 1, Identity: user1, State: authen
IPv4 Address: 192.0.2.1
Session Up-time: 00:04:51, Last Changed: 00:04:27
Switch-ID: 4096

Policy information:
  Context 076B8F48: Handle 50000001
  AAA_id 0000000C: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    sub-qos-policy-in    "QoSGold"
    sub-qos-policy-out   "QoSSilver"
    prepaid-config       "default"
  Downloaded User profile, including services:
    accounting-list      "default"
    username             "Gold"
    traffic-class        "output access-group 101"
    traffic-class        "input access-group 101"
    l4redirect           "redirect to ip 10.0.2.2"
    ssg-service-info     "QU;8000;1000;1000;D;8000;1000;1000"
    sub-qos-policy-in    "QoSGold"
    sub-qos-policy-out   "QoSSilver"
    prepaid-config       "default"
  Config history for session (recent to oldest):
    Access-type: Web-service-logon Client: SM
     Policy event: Apply Config Success (Unapplied) (Service)
      Profile name: prep_service, 9 references 
        traffic-class        "input access-group 102"
        traffic-class        "output access-group 102"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys
      Profile name: user1, 2 references 
        sub-qos-policy-in    "QoSGold"
        sub-qos-policy-out   "QoSSilver"
        prepaid-config       "default"
    Access-type: Web-service-logon Client: SM
     Policy event: Apply Config Success (Unapplied) (Service)
      Profile name: prep_service, 9 references 
        traffic-class        "input access-group 102"
        traffic-class        "output access-group 102"
    Access-type: Web-service-logon Client: SM
     Policy event: Apply Config Success (Unapplied) (Service)
      Profile name: prep_service, 9 references 
        traffic-class        "input access-group 102"
        traffic-class        "output access-group 102"
    Access-type: IP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: prep_service, 9 references 
        traffic-class        "input access-group 102"
        traffic-class        "output access-group 102"
    Access-type: IP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: Gold, 3 references 
        password             <hidden>
        username             "Gold"
        traffic-class        "output access-group 101"
        traffic-class        "input access-group 101"
        l4redirect           "redirect to ip 10.0.2.2"
        ssg-service-info     "QU;8000;1000;1000;D;8000;1000;1000"
    Access-type: IP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: Platinum, 3 references 
        password             <hidden>
        username             "Platinum"
        accounting-list      "default"
  Active services associated with session:
    name "Gold", applied before account logon
    name "Platinum", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map RULEB
      condition always event session-start
        1 service-policy type service name Platinum
        2 service-policy type service name Gold
        3 service-policy type service name prep_service
    subscriber rule-map RULEB
      condition always event account-logon
        1 authenticate aaa list PPP1 

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    1          100                    0    Match Any
1           Out   0          0                      0    Match Any
2           In    0          0                      0    Match ACL 101
3           Out   0          0                      0    Match ACL 101

Features:

IP Config:
M=Mandatory, T=Tag, Mp=Mandatory pool
Flags  Peer IP Address                  Pool Name                Interface      
       172.16.0.0                          pool2                    Lo0            
       ::                               pppv6_1                  Lo0            

QoS Policy Map:
Class-id    Dir   Policy Name        Source
0           In    QoSGold            Peruser
1           Out   QoSSilver          Peruser

Accounting:
Class-id   Dir  Packets    Bytes                 Source
0          In   1          100                   Platinum
1          Out  0          0                     Platinum

L4 Redirect:
Class-id   Rule cfg  Definition                               Source
2          #1   SVC  to ip 10.0.2.2                           Gold

Policing:
Class-id   Dir  Avg. Rate   Normal Burst  Excess Burst Source
2          In   8000        1000          1000         Gold
3          Out  8000        1000          1000         Gold

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:04:51     -               Gold
USR   00:04:27     -               Peruser
SVC   00:04:51     570425346       Platinum
INT   00:04:51     -               Ethernet0/0

The table below describes the significant fields shown in the displays, in alphabetical order.

Table 18 show subscriber session Field Descriptions

Field

Description

Class-id

Classification identifier in inbound and outbound directions.

Definition

Class definition for match criteria.

Dir

Direction of the class, either in or out.

Identifier

Username that is used for authorization.

Interface

Interface is displayed for main sessions. For traffic flows, the value "Traffic-Cl" is displayed.

Packets

Number of packets classified in a particular class.

Pri.

Configured priority of the class.

Rules, actions and conditions executed

Control policy rules, actions, and control class maps (conditions) that have been executed for the session.

Service

Possible values include:

  • lterm--Indicates that the session is terminated locally.
  • Ltm Internal--Indicates that a flow is created internally.

State

Indicates whether the session is authenticated or unauthenticated.

Total sessions

Number of main sessions on the ISG.

Up-time

Length of time (in hh:mm:ss format) for which the session is running.

Uniq ID

Unique session identifier.

Related Commands

Command

Description

show vpdn session

Displays session information about the L2TP and L2F protocols, and PPPoE tunnels in a VPDN.

show subscriber statistics

To display statistics about Intelligent Services Gateway (ISG) subscriber sessions, use the show subscriber statistics command in privileged EXEC mode.

show subscriber statistics [ identifier identifier ]

Syntax Description

identifier identifier

(Optional) Displays information about subscriber sessions that match the specified identifier. Valid keywords and arguments are:

  • authen-status--Displays information for sessions with the specified authentication status.
    • authenticated--Displays information for sessions that have been authenticated.
    • unauthenticated--Displays information for sessions that have not been authenticated.
  • authenticated-domain domain-name--Displays information for sessions with the specified authenticated domain name.
  • authenticated-username username--Displays information for sessions with the specified authenticated username.
  • auto-detect--Displays information for sessions using auto-detect. (Authorization is performed on the basis of circuit-ID or remote-ID.)
  • dnis number--Displays information for sessions with the specified Dialed Number Identification Service (DNIS) number.
  • mac-address mac-address--Displays information for sessions with the specified MAC address.
  • media type--Displays information for sessions that use the specified type of access media. Valid values for the type argument are:
    • async--Async
    • atm--ATM
    • ether--Ethernet
    • ip--IP
    • isdn--ISDN
    • mpls--Multiprotocol Label Switching (MPLS)
    • sync--Serial
  • nas-port port-identifier--Displays information for sessions with the specified network access server (NAS) port identifier. Valid keywords and arguments are one or more of the following:
    • adapter adapter-number
    • channel channel-number
    • ipaddr ip-address
    • port port-number
    • shelf shelf-number
    • slot slot number
    • sub-interface sub-interface-number
    • type interface type
    • vci virtual-channel-identifier
    • vlan virtual-lan-id
    • vpi virtual-path-identifier
  • protocol--Displays information for sessions that use the specified type of access protocol. Valid values for the type argument are:
    • atom--Any Transport over MPLS (ATOM) access protocol.
    • ether--Ethernet access protocol.
    • ip--IP access protocol.
    • pdsn--Packet Data Serving Node (PDSN) access protocol.
    • ppp--Point-to-Point Protocol (PPP) access protocol.
    • vpdn--Virtual Private Dialup Network (VPDN) access protocol.
  • source-ip-address ip-address subnet-mask--Displays information for sessions associated with the specified source IP address.
  • timer timer-name--Displays information for sessions that use the specified timer.
  • tunnel-name tunnel-name--Displays information for sessions associated with the specified VPDN tunnel.
  • unauthenticated-domain domain-name--Displays information for sessions with the specified unauthenticated domain name.
  • unauthenticated-username username--Displays information for sessions with the specified unauthenticated username.
  • vrf vrf-name--Displays information for sessions with the specified virtual routing and forwarding (VRF) identifier.

Command Modes

Privileged EXEC (#)

Command History

Release Modification

12.2(28)SB

This command was introduced.

12.2(33)SRC

This command was modified. Support for this command was implemented on the Cisco 7600 series router.

15.1(2)S

This command was modified. The output was enhanced to include statistics on flows and features.

Cisco IOS XE Release 3.3

This command was modified. The output was enhanced to include statistics on flows and features.

Usage Guidelines

If you enter the show subscriber statistics command without any keywords or arguments, statistics are displayed for all sessions on the ISG router.

Examples

The following is sample output from the show subscriber statistics command:

Router# show subscriber statistics

Current Subscriber Statistics:
Number of sessions currently up: 1
Number of sessions currently pending: 0
Number of sessions currently authenticated: 1
Number of sessions currently unauthenticated: 0
Highest number of sessions ever up at one time: 1
Mean up-time duration of sessions: 00:06:55
Total number of sessions up so far: 1
Mean call rate per minute: 0, per hour: 1
Number of sessions failed to come up: 0

Current Flow Statistics:
Number of flows currently up: 1
Highest number of flows ever up at one time: 2
Mean up-time duration of flows: 00:03:29
Number of flows failed to come up: 0
Total number of flows up so far: 2

Access type based session count:
IP sessions = 1

Feature Installation Count:
                                    Direction
Feature Name              None       Inbound    Outbound  
QoS Policy Map            0          1          1         
Accounting                0          1          1         
L4 Redirect               0          1          1         
Policing                  0          1          1         

The table below describes the significant fields shown in the displays, in alphabetical order.

Table 19 show subscriber statistics Field Descriptions

Field

Description

Access type based session count

Number of PPPoE and IP sessions.

Current Flow Statistics

Statistics about flows installed on parent sessions.

Feature Installation Count

Names of the features installed on parent sessions and the number of instances of each feature in the inbound, outbound, and non-data path direction.

Mean call rate per minute, per hour

Total number of sessions that have come up per minute, and per hour, since the router has been up or since the last statistics were cleared.

Mean up-time duration of sessions

Mean amount of time that a session is up for all sessions.

Related Commands

Command Description

show subscriber session

Displays information about ISG subscriber sessions.

show subscriber trace statistics

To display statistics about the event traces for Intelligent Services Gateway (ISG) subscriber sessions that were saved to the history log, use the show subscriber trace statisticscommand in user EXEC or privileged EXEC mode.

show subscriber trace statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release

Modification

12.2(33)SB9

This command was introduced.

Usage Guidelines

The show subscriber trace statisticscommand displays cumulative statistics about the event traces that were saved to the history log when the subscriber trace history command is enabled. Individual statistics display for each of the modules. To clear the trace history logs, use the clear subscriber trace history command.

Examples

The following is sample output from the show subscriber trace statisticscommand, showing information for both the DPM and the PM.

Router# show subscriber trace statistics
Event Trace History Statistics: DPM
Logging enabled
All time max records: 5
Max records: 5
Current records: 5
Current log size: 200
Proposed log size 200
Oldest, newest index: 0 : 4
Event Trace History Statistics: Policy Manager
Logging enabled
All time max records: 4
Max records: 4
Current records: 4
Current log size: 64
Proposed log size 64
Oldest, newest index: 0 : 3

The table below describes some of the fields shown in the sample output, in the order in which they display.

Table 20 show subscriber trace statistics Field Descriptions

Field

Description

Logging enabled/disabled

Displays whether history logging is enabled with the subscriber trace history command.

All time max records

Maximum number of trace records that were ever saved in this history log.

Max records

Number of trace records that were saved in this history log before it was last cleared.

Current records

Number of trace records that are currently saved in this history log.

Current log size

Number of trace records that can be saved in this history log.

Proposed log size

Number of records that can be saved to the history log as defined by the subscriber trace history command. This value becomes the current log size when the log is cleared with the clear subscriber trace historycommand.

Oldest, newest index

Oldest and newest indexes of the array that is used to store the records saved to the history log.

Related Commands

Command

Description

clear subscriber trace history

Clears the trace history log for ISG subscriber sessions.

show subscriber trace history

Displays the event traces for ISG subscriber sessions that are saved in the trace history log.

subscriber trace event

Enables event tracing for software components involved in ISG subscriber sessions.

subscriber trace history

Enables saving the event traces for ISG subscriber sessions to a history log.

show subscriber trace history

To display the event traces for Intelligent Services Gateway (ISG) subscriber sessions that are saved in the trace history log, use the show subscriber trace historycommand in user EXEC or privileged EXEC mode.

show subscriber trace history { all | dpm | pm } [ all | client-ip-address ip-address | mac-address mac-address | reason number | uid session-id ]

Syntax Description

all

Displays trace information for both the DHCP policy module (DPM) and the policy manager (PM).

dpm

Displays trace information for the DPM.

pm

Displays trace information for the PM.

all

(Optional) Displays all trace information. Output is not filtered based on the specific IP address, MAC address, reason, or unique ID.

client-ip-address ip-address

(Optional) Displays trace information for sessions that match the specified client IP address.

mac-address mac-address

(Optional) Displays trace information for sessions that match the specified client MAC address.

reason number

(Optional) Displays trace information for sessions that match the specified logging reason. Range: 1 to 6.

  • 1--Dangling session cleared.
  • 2--PM callback to clear.
  • 3--Discover IDMGR required failure.
  • 4--Get class IDMGR required failure.
  • 5--Session termination error.
  • 6--Restart error.

uid session-id

(Optional) Displays trace information for sessions that match the specified unique ID of the subscriber session. Range: 1 to 4294967295.

Command Default

Displays all session traces saved in the respective history log.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release

Modification

12.2(33)SB9

This command was introduced.

Usage Guidelines

Use the show subscriber trace history command, without any optional keywords, to display all session traces that are saved in the respective history log. To display the trace data for specific sessions, use one of the optional keywords for the IP address, MAC address, logging reason, or unique ID (UID). The router filters the output based on the keyword and displays only those traces that match the selected keyword.

Sessions that are marked as interesting, either because of an error or because the session failed, are saved to the trace history buffer if the subscriber trace history command is enabled. To clear the trace history logs, use the clear subscriber trace history command.

Examples

The following is sample output from the show subscriber trace historycommand with the client-ip-address keyword.

Router# show subscriber trace history dpm client-ip-address 10.0.0.2
DPM session info: 5CC14D0
MAC: aaaa.2222.cccc  IP: 10.0.0.2 
UID: 2  reason: PM callback to clear
=========================
ET  11:46:03.959 PST Mon Aug 30 2010  PM invoke
        rc OK, Session-Start
ET  11:46:03.959 PST Mon Aug 30 2010  dhcp discover
        rc OK,No Sess,sess alloc,sess-start OK
ET  11:46:03.959 PST Mon Aug 30 2010  dhcp discover
        rc OK,proc prev req
ET  11:46:03.959 PST Mon Aug 30 2010  dhcp get class
        rc no c-aware cfg
ET  11:46:03.975 PST Mon Aug 30 2010  PM callback
        Got Keys, rc dhcp wait no cb,upd msi vrf=0,Case: GOT_KEYS
ET  11:46:05.959 PST Mon Aug 30 2010  PM invoke
        rc OK, Session-Update
ET  11:46:05.959 PST Mon Aug 30 2010  dhcp offer
        rc OK w delay,acc.if ret
ET  11:46:05.983 PST Mon Aug 30 2010  PM callback
        Session Update Succes, rc offer cb no-err,notify stdby,Case:               \
UPDATE_SUCCESS
ET  11:46:05.987 PST Mon Aug 30 2010  dhcp discover
        rc OK,proc prev req
ET  11:46:05.991 PST Mon Aug 30 2010  i-if change
        ,MAC ok,ignore: same i/f
ET  11:46:05.995 PST Mon Aug 30 2010  dhcp assign OK
        rc same IP
ET  11:56:52.743 PST Mon Aug 30 2010  PM invoke
        rc OK, Session-Stop
ET  11:56:52.743 PST Mon Aug 30 2010  dhcp lease term
        rsn 4, rc OK
ET  11:56:52.759 PST Mon Aug 30 2010  PM callback
        Terminate, rc end sess,Case: REQ_TERMINATE

The following is sample output from the show subscriber trace historycommand with the reason keyword.

Router# show subscriber trace history dpm reason 2
DPM session info: 5CC14D0
MAC: aaaa.2222.cccc  IP: 10.0.0.2 
UID: 2  reason: PM callback to clear
=========================
ET  11:46:03.959 PST Mon Aug 30 2010  PM invoke
        rc OK, Session-Start
ET  11:46:03.959 PST Mon Aug 30 2010  dhcp discover
        rc OK,No Sess,sess alloc,sess-start OK
ET  11:46:03.959 PST Mon Aug 30 2010  dhcp discover
        rc OK,proc prev req
ET  11:46:03.959 PST Mon Aug 30 2010  dhcp get class
        rc no c-aware cfg
ET  11:46:03.975 PST Mon Aug 30 2010  PM callback
        Got Keys, rc dhcp wait no cb,upd msi vrf=0,Case: GOT_KEYS
ET  11:46:05.959 PST Mon Aug 30 2010  PM invoke
        rc OK, Session-Update
ET  11:46:05.959 PST Mon Aug 30 2010  dhcp offer
        rc OK w delay,acc.if ret
ET  11:46:05.983 PST Mon Aug 30 2010  PM callback
        Session Update Succes, rc offer cb no-err,notify stdby,Case:               \
UPDATE_SUCCESS
ET  11:46:05.987 PST Mon Aug 30 2010  dhcp discover
        rc OK,proc prev req
ET  11:46:05.991 PST Mon Aug 30 2010  i-if change
        ,MAC ok,ignore: same i/f
ET  11:46:05.995 PST Mon Aug 30 2010  dhcp assign OK
        rc same IP
ET  11:56:52.743 PST Mon Aug 30 2010  PM invoke
        rc OK, Session-Stop
ET  11:56:52.743 PST Mon Aug 30 2010  dhcp lease term
        rsn 4, rc OK
ET  11:56:52.759 PST Mon Aug 30 2010  PM callback
        Terminate, rc end sess,Case: REQ_TERMINATE

The following is sample output from the show subscriber trace history command with the all keyword. Note that this is the same output that displays if you use the show subscriber trace history dpm command, without any of the optional keywords.

Router# show subscriber trace history dpm all
DPM session info: 5CC14D0
MAC: aaaa.2222.cccc  IP: 10.0.0.2 
UID: 2  reason: PM callback to clear
=========================
ET  11:46:03.959 PST Mon Aug 30 2010  PM invoke
        rc OK, Session-Start
ET  11:46:03.959 PST Mon Aug 30 2010  dhcp discover
        rc OK,No Sess,sess alloc,sess-start OK
ET  11:46:03.959 PST Mon Aug 30 2010  dhcp discover
        rc OK,proc prev req
ET  11:46:03.959 PST Mon Aug 30 2010  dhcp get class
        rc no c-aware cfg
ET  11:46:03.975 PST Mon Aug 30 2010  PM callback
        Got Keys, rc dhcp wait no cb,upd msi vrf=0,Case: GOT_KEYS
ET  11:46:05.959 PST Mon Aug 30 2010  PM invoke
        rc OK, Session-Update
ET  11:46:05.959 PST Mon Aug 30 2010  dhcp offer
        rc OK w delay,acc.if ret
ET  11:46:05.983 PST Mon Aug 30 2010  PM callback
        Session Update Succes, rc offer cb no-err,notify stdby,Case:               \
UPDATE_SUCCESS
ET  11:46:05.987 PST Mon Aug 30 2010  dhcp discover
        rc OK,proc prev req
ET  11:46:05.991 PST Mon Aug 30 2010  i-if change
        ,MAC ok,ignore: same i/f
ET  11:46:05.995 PST Mon Aug 30 2010  dhcp assign OK
        rc same IP
ET  11:56:52.743 PST Mon Aug 30 2010  PM invoke
        rc OK, Session-Stop
ET  11:56:52.743 PST Mon Aug 30 2010  dhcp lease term
        rsn 4, rc OK
ET  11:56:52.759 PST Mon Aug 30 2010  PM callback
        Terminate, rc end sess,Case: REQ_TERMINATE
DPM session info: 5CC1708
MAC: aaaa.2222.cccc  IP: 0.0.0.0 
UID: 3  reason: PM callback to clear
=========================
ET  12:11:04.279 PST Mon Aug 30 2010  dhcp get class
        rc no c-aware cfg
ET  12:12:17.351 PST Mon Aug 30 2010  i-if change
        ,MAC ok,ignore: same i/f
ET  12:12:17.351 PST Mon Aug 30 2010  dhcp discover
        rc OK,proc prev req
ET  12:12:17.351 PST Mon Aug 30 2010  dhcp get class
        rc no c-aware cfg
ET  12:12:20.487 PST Mon Aug 30 2010  i-if change
        ,MAC ok,ignore: same i/f
ET  12:12:20.487 PST Mon Aug 30 2010  dhcp discover
        rc OK,proc prev req
ET  12:12:20.487 PST Mon Aug 30 2010  dhcp get class
        rc no c-aware cfg
ET  12:12:24.503 PST Mon Aug 30 2010  i-if change
        ,MAC ok,ignore: same i/f
ET  12:12:24.503 PST Mon Aug 30 2010  dhcp discover
        rc OK,proc prev req
ET  12:12:24.503 PST Mon Aug 30 2010  dhcp get class
        rc no c-aware cfg
ET  12:13:38.383 PST Mon Aug 30 2010  i-if change
        ,MAC ok,ignore: same i/f
ET  12:13:38.383 PST Mon Aug 30 2010  dhcp discover
        rc OK,proc prev req
ET  12:13:38.383 PST Mon Aug 30 2010  dhcp get class
        rc no c-aware cfg
ET  12:13:41.719 PST Mon Aug 30 2010  i-if change
        ,MAC ok,ignore: same i/f
ET  12:13:41.719 PST Mon Aug 30 2010  dhcp discover
        rc OK,proc prev req
ET  12:13:41.719 PST Mon Aug 30 2010  dhcp get class
        rc no c-aware cfg
ET  12:13:45.727 PST Mon Aug 30 2010  i-if change
        ,MAC ok,ignore: same i/f
ET  12:13:45.727 PST Mon Aug 30 2010  dhcp discover
        rc OK,proc prev req
ET  12:13:45.727 PST Mon Aug 30 2010  dhcp get class
        rc no c-aware cfg
ET  12:13:59.475 PST Mon Aug 30 2010  PM callback
        Terminate, rc end sess,Case: REQ_TERMINATE
DPM session info: 5CC1940
MAC: aaaa.2222.cccc  IP: 0.0.0.0 
UID: 4  reason: PM callback to clear
=========================
.
.
.
DPM session info: 5CC1B78
MAC: aaaa.2222.cccc  IP: 0.0.0.0 
UID: 5  reason: PM callback to clear
=========================
.
.
.
DPM session info: 5CC1DB0
MAC: aaaa.2222.cccc  IP: 0.0.0.0 
UID: 6  reason: PM callback to clear
=========================
.
.
.
PM session info: 5CBCE98
MAC: aaaa.2222.cccc  IP: 0.0.0.0
UID: 3  reason: dangling session cleared
=========================
ET  11:57:31.531 PST Mon Aug 30 2010  init request
        OLDST[0]:initial-req
        NEWST[0]:initial-req
        fxn[0]:sss_policy_invoke_service_sel  FLAGS:0
ET  11:57:31.535 PST Mon Aug 30 2010  got apply config success
        OLDST[8]:wait-for-events
        NEWST[8]:wait-for-events
        fxn[3]:sss_pm_action_sm_req_apply_config_success  FLAGS:2B7
PM session info: 5CBCFB0
MAC: aaaa.2222.cccc  IP: 0.0.0.0
UID: 4  reason: dangling session cleared
=========================
ET  12:14:59.467 PST Mon Aug 30 2010  init request
        OLDST[0]:initial-req
        NEWST[0]:initial-req
        fxn[0]:sss_policy_invoke_service_sel  FLAGS:0
ET  12:14:59.475 PST Mon Aug 30 2010  got apply config success
        OLDST[8]:wait-for-events
        NEWST[8]:wait-for-events
        fxn[3]:sss_pm_action_sm_req_apply_config_success  FLAGS:2B7
PM session info: 5CBD0C8
MAC: aaaa.2222.cccc  IP: 0.0.0.0
UID: 5  reason: dangling session cleared
=========================
ET  12:44:42.127 PST Mon Aug 30 2010  init request
        OLDST[0]:initial-req
        NEWST[0]:initial-req
        fxn[0]:sss_policy_invoke_service_sel  FLAGS:0
ET  12:44:42.135 PST Mon Aug 30 2010  got apply config success
        OLDST[8]:wait-for-events
        NEWST[8]:wait-for-events
        fxn[3]:sss_pm_action_sm_req_apply_config_success  FLAGS:2B7
PM session info: 5CBD1E0
MAC: aaaa.2222.cccc  IP: 0.0.0.0
UID: 6  reason: dangling session cleared
=========================
          
ET  13:14:24.983 PST Mon Aug 30 2010  init request
        OLDST[0]:initial-req
        NEWST[0]:initial-req
        fxn[0]:sss_policy_invoke_service_sel  FLAGS:0
ET  13:14:24.991 PST Mon Aug 30 2010  got apply config success
        OLDST[8]:wait-for-events
        NEWST[8]:wait-for-events
        fxn[3]:sss_pm_action_sm_req_apply_config_success  FLAGS:2B7

The table below describes some of the significant fields shown in the sample output.

Table 21 show subscriber trace history Field Descriptions

Field

Description

DPM session info

Unique identifier for the DPM context.

PM session info

Unique identifier for the PM context.

MAC

MAC address of the subscriber session.

IP

IP address of the subscriber session.

UID

Unique ID of the subscriber session.

reason

Reason that the event trace was logged to the history buffer.

Related Commands

Command

Description

clear subscriber trace history

Clears the trace history log for ISG subscriber sessions.

show subscriber trace statistics

Displays statistics about the event traces for ISG subscriber sessions that were saved to the history log.

subscriber trace history

Enables saving the event traces for ISG subscriber sessions to a history log.

show subscriber trace statistics

To display statistics about the event traces for Intelligent Services Gateway (ISG) subscriber sessions that were saved to the history log, use the show subscriber trace statisticscommand in user EXEC or privileged EXEC mode.

show subscriber trace statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release

Modification

12.2(33)SB9

This command was introduced.

Usage Guidelines

The show subscriber trace statisticscommand displays cumulative statistics about the event traces that were saved to the history log when the subscriber trace history command is enabled. Individual statistics display for each of the modules. To clear the trace history logs, use the clear subscriber trace history command.

Examples

The following is sample output from the show subscriber trace statisticscommand, showing information for both the DPM and the PM.

Router# show subscriber trace statistics
Event Trace History Statistics: DPM
Logging enabled
All time max records: 5
Max records: 5
Current records: 5
Current log size: 200
Proposed log size 200
Oldest, newest index: 0 : 4
Event Trace History Statistics: Policy Manager
Logging enabled
All time max records: 4
Max records: 4
Current records: 4
Current log size: 64
Proposed log size 64
Oldest, newest index: 0 : 3

The table below describes some of the fields shown in the sample output, in the order in which they display.

Table 22 show subscriber trace statistics Field Descriptions

Field

Description

Logging enabled/disabled

Displays whether history logging is enabled with the subscriber trace history command.

All time max records

Maximum number of trace records that were ever saved in this history log.

Max records

Number of trace records that were saved in this history log before it was last cleared.

Current records

Number of trace records that are currently saved in this history log.

Current log size

Number of trace records that can be saved in this history log.

Proposed log size

Number of records that can be saved to the history log as defined by the subscriber trace history command. This value becomes the current log size when the log is cleared with the clear subscriber trace historycommand.

Oldest, newest index

Oldest and newest indexes of the array that is used to store the records saved to the history log.

Related Commands

Command

Description

clear subscriber trace history

Clears the trace history log for ISG subscriber sessions.

show subscriber trace history

Displays the event traces for ISG subscriber sessions that are saved in the trace history log.

subscriber trace event

Enables event tracing for software components involved in ISG subscriber sessions.

subscriber trace history

Enables saving the event traces for ISG subscriber sessions to a history log.

source

To specify the interface for which the main IP address will be mapped by the Intelligent Services Gateway (ISG) to the destination IP addresses in subscriber traffic, use the sourcecommand in IP portbundle configuration mode. To remove this specification, use the no form of this command.

source interface-type interface-number
no source interface-type interface-number

Syntax Description

interface-type interface-number

Interface whose main IP address is used as the ISG source IP address.

Command Default

An interface is not specified.

Command Modes

IP portbundle configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Usage Guidelines

The ISG Port-Bundle Host Key feature enables an ISG to map the destination IP addresses in subscriber traffic to the IP address of a specified ISG interface.

All ISG source IP addresses specified with the sourcecommand must be routable in the management network in which the portal resides.

If the interface for the source IP address is deleted, the port-map translations will not work correctly.

Because a subscriber can have several simultaneous TCP sessions when accessing a web page, ISG assigns a bundle of ports to each subscriber. Because the number of available port bundles is limited, you can assign multiple ISG source IP addresses (one for each group of port bundles). By default, each group has 4032 bundles, and each bundle has 16 ports. To modify the number of bundles per group and the number of ports per bundle, use the length command.

Examples

In the following example, the ISG will map the destination IP addresses in subscriber traffic to the main IP address of Ethernet interface 0/0/0:

ip portbundle
 source ethernet 0/0/0

Related Commands

Command

Description

ip portbundle (service)

Enables the ISG Port-Bundle Host Key feature for a service.

length

Specifies the ISG port-bundle length.

show ip portbundle ip

Displays information about a particular ISG port bundle.

show ip portbundle status

Displays information about ISG port-bundle groups.

subscriber accounting accuracy

To guarantee Input/Ouput Packet/Byte statistics in the accounting Stop record are accurate within 1 second, use the subscriberaccountingaccuracy command in privileged EXEC mode. To disable this statistics setting, use the no form of this command.

subscriber accounting accuracy value
no subscriber accounting accuracy

Syntax Description

value

Value for the Subscriber Accounting Accuracy feature in milliseconds. The range is 1,000 to 10,000.

Command Default

The default value is 1000 milliseconds.

Command Modes


User EXEC (>)
Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS Release XE 3.2S

This command was introduced on the ASR 1000 Series Routers.

Examples

This section shows an example of the subscriberaccountingaccuracycommand set to its default value:

Router# subscriber accounting accuracy 1000

subscriber accounting ssg

To display the subscriber inbound and outbound data in accounting records in Service Selection Gateway (SSG) format, use the subscriber accounting ssgcommand in global configuration mode. To disable the SSG accounting format, use the no form of this command.

subscriber accounting ssg
no subscriber accounting ssg

Syntax Description

This command has no arguments or keywords.

Command Default

SSG accounting format is disabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

15.0(1)S1

This command was introduced.

Usage Guidelines

The subscriber accounting ssgcommand allows Intelligent Services Gateway (ISG) to use the same format as SSG for the subscriber inbound and outbound byte counts in the ssg-control-info accounting attribute. By default, ISG reverses the inbound and outbound values in the ssg-control-info attribute. This command makes ISG compatible with SSG accounting.

Examples

The following example shows how to enable ISG to use the SSG accounting format:

subscriber accounting ssg

Related Commands