The following example shows the configuration of an ISG policy that provides services to PPP subscribers. This example configures ISG to perform the following actions:
ISG will provide local termination by activating the service “ispa” for subscribers matching the domain “ispa”. The system will authenticate the subscriber using method-list “list1”. For local termination services, the global VRF is applied by default unless another VRF is specified in the service profile, on the interface, or in the virtual template.
PPP authentication before forwarding
ISG will locally authenticate subscribers matching domain “ispb” before forwarding the sessions to an LNS. (Sessions are forwarded to an LNS because service policy map “ispb” specifies a VPDN group). The system will authenticate the subscribers using method-list “list2”.
PPP forwarding without local authentication
ISG will forward sessions to an LNS without local authentication for subscribers matching domain “ispc”.
ISG will deny service to and disconnect the session for subscribers matching domain “ispd”.
PPP domain-based service activation
For subscribers matching all other domains, ISG will activate a service that has the same name as the specified domain.
Configure control class maps, which define the conditions that must be met before a control policy rule will be executed.
class-map type control match-all PPP_SESSION
match protocol ppp
class-map type control match-all NAS_PORT_CONDITION
class type control match identifier name PPP_SESSION
less-than identifier nas-port type atm vpi 200 vci 100
class-map type control match-all ISPA
match unauthenticated-domain ispa
class-map type control match-all ISPB
match unauthenticated-domain ispb
class-map type control match-all ISPC
match unauthenticated-domain ispc
class-map type control match-all ISPD
match unauthenticated-domain ispd
Define the top-level control policy map.
policy-map type control L2_ACCESS
Define a control policy rule that activates a forwarding service on the basis of the ATM VPI/VCI on which the call came in.
class type control NAS_PORT_CONDITION event session-start
1 service-policy type service xconnect
Define a control policy rule that collects the domain name from the protocol. The domain name is available from a structured user name (e.g., user@domain).
class type control PPP_SESSION event session-start
1 collect identifier unauthenticated-domain
2 service-policy type control DOMAIN_BASED_ACCESS
Define the nested control policy.
policy-map type control DOMAIN_BASED_ACCESS
Define a control policy rule that provides local termination by activating the service “ispa”.
class type control ISPA event session-start
1 authenticate aaa list list1
2 service-policy type service ispa
Define a control policy rule that configures the system to authenticate the subscriber locally before activating service “ispb”. The service “ispb” specifies forwarding the session to an LNS.
class type control ISPB event session-start
1 authenticate aaa list list2
2 service-policy type service ispb
Define a control policy rule that activates service “ispc”, which specifies forwarding.
class type control ISPC event session-start
1 service-policy type service ispc
Define a control policy rule that results in session disconnection for subscribers that match service “ispd”.
class type control ISPD event session-start
Define a control policy rule that defines the default for all other domains, which is to activate a service having the same name as the specified domain.
class type control always event session-start
service-policy type service identifier unauthenticated-domain
Configure the service policy maps.
policy-map type service xconnect
service vpdn group 1
policy-map type service ispa
ip vrf forwarding red
policy-map type service ispb
service vpdn group 2
policy-map type service ispc
service vpdn group 3
Apply the control policy map globally.
service-policy type control L2_ACCESS