Guest

Cisco IOS Software Releases 12.2 SB

Subscriber Service Switch

  • Viewing Options

  • PDF (442.6 KB)
  • Feedback
Subcriber Service Switch

Table Of Contents

Subcriber Service Switch

atm pppatm passive

clear pppatm interface atm

clear pppoe

debug pppatm

debug sss aaa authorization event

debug sss aaa authorization fsm

debug sss error

debug sss event

debug sss fsm

multihop-hostname

show pppatm summary

show pppatm trace

show sss session

show vpdn session

subscriber access

subscriber authorization enable

vpdn authorize domain

vpn service


Subcriber Service Switch


The Subscriber Service Switch feature directs PPP between points using a Layer 2 subscriber policy. It also provides the following features for Internet service provides (ISPs):

Flexible connection options for subscribers seeking available services

Flexible number of subscribers

Flexible definition of services

Configuration Information

Configuration information is included in the "How to Configure a Subscriber Service Switch Policy" module in the "Configuring Cisco Subscriber Service Switch Policies" chapter of the Cisco IOS Broadband and DSL Configuration Guide, Release 12.4.

Command Reference Information

This section documents modified commands.

atm pppatm passive

clear pppatm interface atm

clear pppoe

debug pppatm

debug sss aaa authorization event

debug sss aaa authorization fsm

debug sss error

debug sss event

debug sss fsm

multihop-hostname

show pppatm summary

show pppatm trace

show sss session

show vpdn session

subscriber access

subscriber authorization enable

vpdn authorize domain

vpn service

atm pppatm passive

To place an ATM subinterface in passive mode, use the atm pppatm passive command in ATM subinterface configuration mode. To change the configuration back to the default (active) mode, use the no form of this command.

atm pppatm passive

no atm pppatm passive

Syntax Description

This command has no arguments or keywords.

Defaults

Active mode

Command Modes

ATM subinterface configuration

Command History

Release
Modification

12.2(13)T

This feature was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

The atm pppatm passive command places PPP over ATM (PPPoA) sessions on an ATM subinterface in "listening" mode. Rather than trying to establish the sessions actively by sending out Link Control Protocol (LCP) packets, these sessions listen to the incoming LCP packets and become active only after they have received their first LCP packet. This feature is useful for L2TP access concentrators (LACs) in the broadband access deployments where thousands of PPPoA sessions are configured on LACs. When PPPoA is in the passive mode, the LAC will bring up the sessions only when the subscribers become active and not waste its processing power on polling all the sessions.

For better scalability and faster convergence of PPP sessions, Cisco recommends setting the PPPoA sessions to passive mode at the LAC.

Examples

The following example configures the passive mode for the PPPoA sessions on an ATM subinterface:

interface atm 1/0.1 multipoint
 atm pppatm passive
 range range-pppoa-1 pvc 100 199
  protocol ppp virtual-template 1

clear pppatm interface atm

To clear PPP ATM sessions on an ATM interface, use the clear pppatm interface atm command in privileged EXEC mode.

clear pppatm interface atm interface-number[.subinterface-number] [vc {[vpi/]vci | virtual-circuit-name}]

Syntax Description

interface-number

ATM interface number.

.subinterface-number

(Optional) ATM subinterface number. A period must precede the number.

vc [vpi/]vci

(Optional) Specifies virtual circuit (VC) by virtual path identifier (VPI) and virtual channel identifier (VCI). A slash must follow the VPI.

vc virtual-circuit-name

(Optional) Specifies VC by name.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

This command clears the PPP over ATM (PPPoA) sessions in an interface, or in a VC when the VC is specified.

When the clear pppatm interface atm command is used to clear sessions on an interface, PPP keepalives continue to work and can be used to detect a broken link.

Examples

The following example clears a PPP ATM session on ATM interface 1/0.10:

Router# clear pppatm interface atm 1/0.10

Related Commands

Command
Description

debug pppatm

Enables reports for PPPoA events, errors, and states either globally or conditionally on an interface or VC.

show pppatm summary

Displays PPPoA session counts.


clear pppoe

To clear PPP over Ethernet (PPPoE) sessions, use the clear pppoe command in privileged EXEC mode.

clear pppoe {interface type number [vc {[vpi/]vci | vc-name}] [vlan vlan-id] | rmac mac-address [sid session-id] | all}

Syntax Description

interface type number

Interface keyword followed by the interface type and number.

vc [vpi/]vci

(Optional) Virtual circuit (VC) keyword followed by a virtual path identifier (VPI), virtual channel identifier (VCI). A slash (/) follows the VPI.

vc vc-name

(Optional) Name of the VC.

vlan vlan-id

(Optional) VLAN identifier.

rmac mac-address

(Optional) Remote MAC address.

sid session-id

(Optional) Session identifier.

all

(Optional) Specifies that all PPPoE sessions will be cleared.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.3(2)T

The vlan vlan-id keyword and argument were added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

Use the clear pppoe all command to clear all PPPoE sessions.

Use the interface keyword and arguments and the vlan keyword and argument to clear PPPoE sessions on a specific Ethernet 802.1Q VLAN.

Use the interface, vc, and vlan keywords and arguments to clear PPPoE over 802.1Q VLAN sessions on an ATM PVC.

Examples

The following example clears all PPPoE sessions:

Router# clear pppoe all

debug pppatm

To enable debug reports for PPP over ATM (PPPoA) events, errors, and states, either globally or conditionally, on an interface or virtual circuit (VC), use the debug pppatm command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug pppatm {event | error | state} [interface atm interface-number [subinterface-number]] vc {[vpi/vci]vci | virtual-circuit-name}

no debug pppatm {event | error | state} [interface atm interface-number [subinterface-number] vc {[vpi/]vci | virtual-circuit-name}

Syntax Description

event

PPPoA events.

error

PPPoA errors.

state

PPPoA state.

interface atm interface-number [subinterface-number]

(Optional) Specifies a particular ATM interface by interface number and optionally a subinterface number separated by a period.

vc [vpi/]vci virtual-circuit-name

(Optional) Virtual circuit (VC) keyword followed by a virtual path identifier (VPI), virtual channel identifier (VCI), and VC name. A slash mark is required after the VPI.


Defaults

No default behavior or values

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

Each specific PPPoA debug report must be requested on a separate command line; see the "Examples" section.

Examples

The following is example output of a PPPoA session with event, error, and state debug reports enabled on ATM interface 1/0.10:

Router# debug pppatm event interface atm1/0.10
Router# debug pppatm error interface atm1/0.10
Router# debug pppatm state interface atm1/0.10

00:03:08: PPPATM: ATM1/0.10 0/101 [1], Event = Clear Session
00:03:08: PPPATM: ATM1/0.10 0/101 [1], Event = Disconnecting
00:03:08: PPPATM: ATM1/0.10 0/101 [1], Event = AAA gets dynamic attrs
00:03:08: PPPATM: ATM1/0.10 0/101 [1], Event = AAA gets dynamic attrs
00:03:08: PPPATM: ATM1/0.10 0/101 [1], Event = SSS Cleanup
00:03:08: PPPATM: ATM1/0.10 0/101 [0], State = DOWN
00:03:08: PPPATM: ATM1/0.10 0/101 [0], Event = Up Pending
00:03:16: PPPATM: ATM1/0.10 0/101 [0], Event = Up Dequeued
00:03:16: PPPATM: ATM1/0.10 0/101 [0], Event = Processing Up
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = Access IE allocated
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = Set Pkts to SSS
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = AAA gets retrived attrs
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = AAA gets nas port details
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = AAA gets dynamic attrs
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = AAA gets dynamic attrs
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = AAA unique id allocated
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = No AAA method list set
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = SSS Request
00:03:16: PPPATM: ATM1/0.10 0/101 [2], State = NAS_PORT_POLICY_INQUIRY
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = SSS Msg Received = 1
00:03:16: PPPATM: ATM1/0.10 0/101 [2], State = PPP_START
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = PPP Msg Received = 1
00:03:16: PPPATM: ATM1/0.10 0/101 [2], State = LCP_NEGOTIATION
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = PPP Msg Received = 4
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = HW Switch support FORW = 0
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = Access IE get nas port
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = AAA gets dynamic attrs
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = AAA gets dynamic attrs
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = PPP Msg Received = 5
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = Set Pkts to SSS
00:03:27: PPPATM: ATM1/0.10 0/101 [2], State = FORWARDED

Table 1 describes the significant fields shown in the display.

Table 1 debug pppatm Field Descriptions

Field
Description

Event

Reports PPPoA events for use by Cisco engineering technical assistance personnel.

State

Reports PPPoA states for use by Cisco engineering technical assistance personnel.


Related Commands

Command
Description

atm pppatm passive

Places an ATM subinterface into passive mode.

show pppatm summary

Displays PPPoA session counts.


debug sss aaa authorization event

To display messages about authentication, authorization, and accounting (AAA) authorization events that are part of normal call establishment, use the debug sss aaa authorization event command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug sss aaa authorization event

no debug sss aaa authorization event

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Examples

The following is sample output of several Subscriber Service Switch (SSS) debug commands including the debug sss aaa authorization event command. The reports from these commands should be sent to technical personnel at Cisco Systems for evaluation.

Router# debug sss event
Router# debug sss error
Router# debug sss state
Router# debug sss aaa authorization event
Router# debug sss aaa authorization fsm

SSS:
  SSS events debugging is on
  SSS error debugging is on
  SSS fsm debugging is on
  SSS AAA authorization event debugging is on
  SSS AAA authorization FSM debugging is on

*Mar  4 21:33:18.248: SSS INFO: Element type is Access-Type, long value is 3
*Mar  4 21:33:18.248: SSS INFO: Element type is Switch-Id, long value is -1509949436
*Mar  4 21:33:18.248: SSS INFO: Element type is Nasport, ptr value is 6396882C
*Mar  4 21:33:18.248: SSS INFO: Element type is AAA-Id, long value is 7
*Mar  4 21:33:18.248: SSS INFO: Element type is AAA-ACCT_ENBL, long value is 1
*Mar  4 21:33:18.248: SSS INFO: Element type is AccIe-Hdl, ptr value is 78000006
*Mar  4 21:33:18.248: SSS MGR [uid:7]: Event service-request, state changed from 
wait-for-req to wait-for-auth
*Mar  4 21:33:18.248: SSS MGR [uid:7]: Handling Policy Authorize (1 pending sessions)
*Mar  4 21:33:18.248: SSS PM [uid:7]: Need the following key: Unauth-User
*Mar  4 21:33:18.248: SSS PM [uid:7]: Received Service Request
*Mar  4 21:33:18.248: SSS PM [uid:7]: Event <need keys>, State: initial-req to 
need-init-keys
*Mar  4 21:33:18.248: SSS PM [uid:7]: Policy reply - Need more keys
*Mar  4 21:33:18.248: SSS MGR [uid:7]: Got reply Need-More-Keys from PM
*Mar  4 21:33:18.248: SSS MGR [uid:7]: Event policy-or-mgr-more-keys, state changed from 
wait-for-auth to wait-for-req
*Mar  4 21:33:18.248: SSS MGR [uid:7]: Handling More-Keys event
*Mar  4 21:33:20.256: SSS INFO: Element type is Unauth-User, string value is 
nobody2@xyz.com
*Mar  4 21:33:20.256: SSS INFO: Element type is AccIe-Hdl, ptr value is 78000006
*Mar  4 21:33:20.256: SSS INFO: Element type is AAA-Id, long value is 7
*Mar  4 21:33:20.256: SSS INFO: Element type is Access-Type, long value is 0
*Mar  4 21:33:20.256: SSS MGR [uid:7]: Event service-request, state changed from 
wait-for-req to wait-for-auth
*Mar  4 21:33:20.256: SSS MGR [uid:7]: Handling Policy Authorize (1 pending sessions)
*Mar  4 21:33:20.256: SSS PM [uid:7]: Received More Initial Keys
*Mar  4 21:33:20.256: SSS PM [uid:7]: Event <rcvd keys>, State: need-init-keys to 
check-auth-needed
*Mar  4 21:33:20.256: SSS PM [uid:7]: Handling Authorization Check
*Mar  4 21:33:20.256: SSS PM [uid:7]: Event <send auth>, State: check-auth-needed to 
authorizing
*Mar  4 21:33:20.256: SSS PM [uid:7]: Handling AAA service Authorization
*Mar  4 21:33:20.256: SSS PM [uid:7]: Sending authorization request for 'xyz.com'
*Mar  4 21:33:20.256: SSS AAA AUTHOR [uid:7]:Event <make request>, state changed from idle 
to authorizing
*Mar  4 21:33:20.256: SSS AAA AUTHOR [uid:7]:Authorizing key xyz.com
*Mar  4 21:33:20.260: SSS AAA AUTHOR [uid:7]:AAA request sent for key xyz.com
*Mar  4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Received an AAA pass
*Mar  4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Event <found service>, state changed from 
authorizing to complete
*Mar  4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Found service info for key xyz.com
*Mar  4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Event <free request>, state changed from 
complete to terminal
*Mar  4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Free request
*Mar  4 21:33:20.264: SSS PM [uid:7]: Event <found>, State: authorizing to end
*Mar  4 21:33:20.264: SSS PM [uid:7]: Handling Service Direction
*Mar  4 21:33:20.264: SSS PM [uid:7]: Policy reply - Forwarding
*Mar  4 21:33:20.264: SSS MGR [uid:7]: Got reply Forwarding from PM
*Mar  4 21:33:20.264: SSS MGR [uid:7]: Event policy-start-service-fsp, state changed from 
wait-for-auth to wait-for-service
*Mar  4 21:33:20.264: SSS MGR [uid:7]: Handling Connect-Forwarding-Service event
*Mar  4 21:33:20.272: SSS MGR [uid:7]: Event service-fsp-connected, state changed from 
wait-for-service to connected
*Mar  4 21:33:20.272: SSS MGR [uid:7]: Handling Forwarding-Service-Connected event

Related Commands

Command
Description

debug sss aaa authorization fsm

Displays information about AAA authorization state changes.

debug sss error

Displays diagnostic information about errors that may occur during Subscriber Service Switch call setup.

debug sss event

Displays diagnostic information about Subscriber Service Switch call setup events.

debug sss fsm

Displays diagnostic information about the Subscriber Service Switch call setup state.


debug sss aaa authorization fsm

To display information about authentication, authorization, and accounting (AAA) authorization state changes, use the debug sss aaa authorization fsm command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug sss aaa authorization fsm

no debug sss aaa authorization fsm

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Examples

The following example shows how to enter this command. See the "Examples" section of the debug sss aaa authorization event command page for an example of output.

Router# debug sss aaa authorization fsm

Related Commands

Command
Description

debug sss aaa authorization event

Displays messages about AAA authorization events that are part of normal call establishment.

debug sss error

Displays diagnostic information about errors that may occur during Subscriber Service Switch call setup.

debug sss event

Displays diagnostic information about Subscriber Service Switch call setup events.

debug sss fsm

Displays diagnostic information about the Subscriber Service Switch call setup state.


debug sss error

To display diagnostic information about errors that may occur during Subscriber Service Switch (SSS) call setup, use the debug sss error command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug sss error

no debug sss error

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Examples

The following example shows how to enter this command. See the "Examples" section of the debug sss aaa authorization event command page for an example of output.

Router# debug sss error

Related Commands

Command
Description

debug sss aaa authorization event

Displays messages about AAA authorization events that are part of normal call establishment.

debug sss aaa authorization fsm

Displays information about AAA authorization state changes.

debug sss event

Displays diagnostic information about Subscriber Service Switch call setup events.

debug sss fsm

Displays diagnostic information about the Subscriber Service Switch call setup state.


debug sss event

To display diagnostic information about Subscriber Service Switch (SSS) call setup events, use the debug sss event command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug sss event

no debug sss event

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Examples

The following example shows how to enter this command. See the "Examples" section of the debug sss aaa authorization eventcommand page for an example of output.

Router# debug sss event

Related Commands

Command
Description

debug sss aaa authorization event

Displays messages about AAA authorization events that are part of normal call establishment.

debug sss aaa authorization fsm

Displays information about AAA authorization state changes.

debug sss error

Displays diagnostic information about errors that may occur during Subscriber Service Switch call setup.

debug sss fsm

Displays diagnostic information about the Subscriber Service Switch call setup state.


debug sss fsm

To display diagnostic information about the Subscriber Service Switch (SSS) call setup state, use the debug sss fsm command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug sss fsm

no debug sss fsm

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Examples

The following example shows how to enter this command. See the "Examples" section of the debug sss aaa authorization event command page for an example of output.

Router# debug sss fsm

multihop-hostname

To enable a tunnel switch to initiate a tunnel based on the hostname or tunnel ID associated with an ingress tunnel, use the multihop-hostname command in VPDN request-dialin subgroup configuration mode. To disable this option, use the no form of this command.

multihop-hostname ingress-tunnel-name

no multihop-hostname ingress-tunnel-name

Syntax Description

ingress-tunnel-name

Network access server (NAS) hostname or ingress tunnel ID.


Command Default

No multihop hostname is configured.

Command Modes

VPDN request-dialin subgroup configuration

Command History

Release
Modification

12.1(1)DC1

This command was introduced on the Cisco 6400 node route processor (NRP).

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

Use the multihop-hostname command only on a device configured as a tunnel switch.

The ingress-tunnel-name argument must specify either the hostname of the device initiating the tunnel that is to be to be switched, or the tunnel ID of the ingress tunnel that is to be switched.

Removing the request-dialin subgroup configuration will remove the multihop-hostname configuration.

Examples

The following example configures a Layer 2 Tunnel Protocol (L2TP) virtual private dialup network (VPDN) group on a tunnel switch to forward ingress sessions from the host named LAC-1 through an outgoing tunnel to IP address 10.3.3.3:

vpdn-group 11
 request-dialin
  protocol l2tp
  multihop-hostname LAC-1
 initiate-to ip 10.3.3.3 
 local name tunnel-switch

Related Commands

Command
Description

dnis

Configures a VPDN group to tunnel calls from the specified DNIS, and supports additional domain names for a specific VPDN group.

domain

Requests that PPP calls from a specific domain name be tunneled, and supports additional domain names for a specific VPDN group.

request-dialin

Creates a request dial-in VPDN subgroup that configures a NAS to request the establishment of a dial-in tunnel to a tunnel server, and enters request dial-in VPDN subgroup configuration mode.

vpdn multihop

Enables VPDN multihop.

vpdn search order

Specifies how the NAS is to perform VPDN tunnel authorization searches.


show pppatm summary

To display PPP over ATM (PPPoA) session counts, use the show pppatm summary command in privileged EXEC mode.

show pppatm summary [interface atm interface-number[.subinterface-number]]

Syntax Description

interface atm interface-number.subinterface-number

(Optional) Specifies a particular ATM interface by interface number and possibly a subinterface number. A period (.) must precede the optional subinterface number.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

This command is useful for obtaining session counts, the state of the PPPoA sessions, and the interfaces on which they are running.

This command gives a summary of the number of PPPoA sessions in each state and the session information of each individual session. If a subinterface number is given in the command, the output is a summary report of the PPPoA sessions in the subinterface. If a main interface number is given, the output will have the summary reports for each individual subinterface of that main interface as shown in the Examples section. If no interface is given, the output will contain the summary reports for each ATM interface on the router.

Examples

The following example displays PPPoA session counts and states for ATM interface 5/0:

Router# show pppatm summary interface atm 5/0

ATM5/0.3:

       0 sessions total

ATM5/0.6:
       1 in PTA (PTA) State

       1 sessions total

VPI     VCI     Conn ID         PPPoA ID        SSS ID          PPP ID        AAA ID   VT      
VA/SID  State
  6     101       11            DA000009       BB000013       E5000017        C        1       
1.1     PTA

Most of the fields displayed by the show pppatm summary command are self-explanatory. Table 2 describes the significant fields shown in the displays. Any data not described in Table 2 is used for internal debugging purposes.

Table 2 show pppatm summary Field Descriptions

Field
Description

VPI

Virtual path identifier of the permanent virtual circuit (PVC).

VCI

Virtual channel identifier of the PVC.

Conn ID

Unique connection identifier for the PPPoA session. This ID can be correlated with the unique ID in the show vpdn session command output for the forwarded sessions.

PPPoA ID

Internal identifier for the PPPoA session.

SSS ID

Internal identifier in the Subscriber Service Switch.

PPP ID

Internal identifier in PPP.

AAA ID

Authentication, authorization, and accounting (AAA) unique identifier for accounting records.

VT

Virtual template number used by the session.

VA/SID

PPPoA virtual access number for PPP Termination Aggregation (PTA) sessions, and switch identifier for forwarded sessions.

State

PPPoA state of the session.


Related Commands

Command
Description

clear pppatm interface atm

Clears PPP ATM sessions on an ATM interface.

debug pppatm

Enables reports for PPPoA events, errors, and states either globally or conditionally on an interface or VC.

show pppatm trace

Displays a sequence of PPPoA events, errors, and state changes when the debug pppatm command is enabled.


show pppatm trace

To display a sequence of PPP over ATM (PPPoA) events, errors, and state changes when the debug pppatm command is enabled, use the show pppatm trace command in privileged EXEC mode.

show pppatm trace [error | event | state] interface atm interface-number[.subinterface-number] vc {[vpi/]vci | virtual-circuit-name}

Syntax Description

error

(Optional) PPPoA events.

event

(Optional) PPPoA errors.

state

(Optional) PPPoA state.

interface atm interface-number

Specifies a particular ATM interface by interface number.

.subinterface-number

(Optional) Specifies a subinterface number preceded by a period.

vc [vpi/]vci

Virtual circuit (VC) keyword followed by a virtual path identifier (VPI) and virtual channel identifier (VCI). The absence of the "/" and a vpi causes the vpi value to default to 0.

virtual-circuit-name

Name of the VC.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

When the debug pppatm command has been enabled, this command displays messages from the specified permanent virtual circuit (PVC). If only one debug pppatm command keyword is supplied in the command, the report will display only the sequence of events for that particular debug type.

Examples

The following example traces the debugging messages supplied by the debug pppatm command on PVC 101. The report is used by Cisco technical personnel for diagnosing system problems.

Router# debug pppatm trace interface atm 1/0.10 vc 101
Router# debug pppatm state interface atm 1/0.10 vc 101
Router# debug pppatm event interface atm 1/0.10 vc 101
Router# show pppatm trace interface atm 1/0.10 vc 101

Event = Disconnecting
Event = AAA gets dynamic attrs
Event = AAA gets dynamic attrs
Event = SSS Cleanup
State = DOWN
Event = Up Pending
Event = Up Dequeued
Event = Processing Up
Event = Access IE allocated
Event = Set Pkts to SSS
Event = AAA gets retrieved attrs
Event = AAA gets nas port details
Event = AAA gets dynamic attrs
Event = AAA gets dynamic attrs
Event = AAA unique id allocated
Event = No AAA method list set
Event = SSS Request
State = NAS_PORT_POLICY_INQUIRY
Event = SSS Msg
State = PPP_START
Event = PPP Msg
State = LCP_NEGOTIATION
Event = PPP Msg
Event = Access IE get nas port
Event = AAA gets dynamic attrs
Event = AAA gets dynamic attrs
Event = PPP Msg
Event = Set Pkts to SSS
State = FORWARDED

Related Commands

Command
Description

clear pppatm interface atm

Clears PPP ATM sessions on an ATM interface.

debug pppatm

Enables reports for PPPoA events, errors, and states either globally or conditionally on an interface or VC.

show pppatm summary

Displays PPPoA session counts.


show sss session

To display Subscriber Service Switch session status, use the show sss session command in privileged EXEC mode.

show sss session [all]

Syntax Description

all

(Optional) Provides an extensive report about the Subscriber Service Switch sessions.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

Use this command to verify correct operation of PPP connections in the Subscriber Service Switch environment.

Examples

The following sample output from the show sss session command provides a basic report of Subscriber Service Switch session activity:

Router# show sss session

Current SSS Information: Total sessions 9

Uniq ID Type       State         Service      Identifier           Last Chg
9       PPPoE/PPP  connected     VPDN         nobody3@cisco.com        00:02:36
10      PPPoE/PPP  connected     VPDN         nobody3@cisco.com        00:01:52
11      PPPoE/PPP  connected     VPDN         nobody3@cisco.com        00:01:52
3       PPPoE/PPP  connected     VPDN         user3@cisco.com          2d21h   
6       PPPoE/PPP  connected     Local Term   user1                    00:03:35 
7       PPPoE/PPP  connected     Local Term   user2                    00:03:35
8       PPPoE/PPP  connected     VPDN         nobody3@cisco.com        00:02:36
2       PPP        connected     Local Term   user5                    00:05:06
4       PPP        connected     VPDN         nobody2@cisco.com        00:06:52

The following sample output from the show sss session all command provides a more extensive report of Subscriber Service Switch session activity:

Router# show sss session all

Current SSS Information: Total sessions 9

SSS session handle is 40000013, state is connected, service is VPDN
Unique ID is 9
SIP subscriber access type(s) are PPPoE/PPP
Identifier is nobody3@cisco.com
Last Changed 00:02:49
Root SIP Handle is DF000010, PID is 49
AAA unique ID is 10
Current SIP options are Req Fwding/Req Fwded

SSS session handle is B0000017, state is connected, service is VPDN
Unique ID is 10
SIP subscriber access type(s) are PPPoE/PPP
Identifier is nobody3@cisco.com
Last Changed 00:02:05
Root SIP Handle is B9000015, PID is 49
AAA unique ID is 11
Current SIP options are Req Fwding/Req Fwded

SSS session handle is D6000019, state is connected, service is VPDN
Unique ID is 11
SIP subscriber access type(s) are PPPoE/PPP
Identifier is nobody3@cisco.com
Last Changed 00:02:13
Root SIP Handle is D0000016, PID is 49
AAA unique ID is 12
Current SIP options are Req Fwding/Req Fwded

SSS session handle is 8C000003, state is connected, service is VPDN
Unique ID is 3
SIP subscriber access type(s) are PPPoE/PPP
Identifier is user3@cisco.com
Last Changed 2d21h   
Root SIP Handle is D3000002, PID is 49
AAA unique ID is 3
Current SIP options are Req Fwding/Req Fwded

SSS session handle is BE00000B, state is connected, service is Local Term
Unique ID is 6
SIP subscriber access type(s) are PPPoE/PPP
Identifier is user1
Last Changed 00:03:56
Root SIP Handle is A9000009, PID is 49
AAA unique ID is 7
Current SIP options are Req Fwding/Req Fwded

SSS session handle is DC00000D, state is connected, service is Local Term
Unique ID is 7
SIP subscriber access type(s) are PPPoE/PPP
Identifier is user2
Last Changed 00:03:57
Root SIP Handle is 2C00000A, PID is 49
AAA unique ID is 8
Current SIP options are Req Fwding/Req Fwded

SSS session handle is DB000011, state is connected, service is VPDN
Unique ID is 8
SIP subscriber access type(s) are PPPoE/PPP
Identifier is nobody3@cisco.com
Last Changed 00:02:58
Root SIP Handle is 1000000F, PID is 49
AAA unique ID is 9
Current SIP options are Req Fwding/Req Fwded

SSS session handle is 3F000007, state is connected, service is Local Term
Unique ID is 2
SIP subscriber access type(s) are PPP
Identifier is user5
Last Changed 00:05:30
Root SIP Handle is 8A000009, PID is 92
AAA unique ID is 1
Current SIP options are Req Fwding/Req Fwded

SSS session handle is 97000005, state is connected, service is VPDN
Unique ID is 4
SIP subscriber access type(s) are PPP
Identifier is nobody2@cisco.com
Last Changed 00:07:16
Root SIP Handle is 32000000, PID is 92
AAA unique ID is 5
Current SIP options are Req Fwding/Req Fwded

Most of the fields displayed by the show sss session and show sss session all commands are self-explanatory. Table 3 describes the significant fields shown in the displays. Any data not described in Table 3 is used for internal debugging purposes.

Table 3 show sss session Field Descriptions

Field
Description

Uniq ID

The unique identifier used to correlate this particular session with the sessions retrieved from other show commands or debug command traces.

Type

Access protocols relevant to this session.

State

Status of the connection, which can be one of the following states:

connected—The session has been established.

wait-for-req—Waiting for request.

wait-for-auth—Waiting for authorization.

wait-for-fwd—Waiting to be forwarded; for example, waiting for virtual private dialup network (VPDN) service.

Service

Type of service given to the user.

Identifier

A string identifying the user. This identifier may either be the username, or the name used to authorize the session.

Last Chg

Time interval in in hh:mm:ss since the service for this session was last changed.


Related Commands

Command
Description

show vpdn session

Displays session information about the L2TP and L2F protocols, and PPPoE tunnels in a VPDN.


show vpdn session

To display session information about active Layer 2 sessions for a virtual private dialup network (VPDN), use the show vpdn session command in privileged EXEC mode.

show vpdn session [l2f | l2tp | pptp] [all | packets | sequence | state [filter]]

Syntax Description

l2f

(Optional) Displays information about Layer 2 Forwarding (L2F) calls only.

l2tp

(Optional) Displays information about Layer 2 Tunnel Protocol (L2TP) calls only.

pptp

(Optional) Displays information about Point-to-Point Tunnel Protocol (PPTP) calls only.

all

(Optional) Displays extensive reports about active sessions.

filter

(Optional) One of the filter parameters defined in Table 4.

packets

(Optional) Displays information about packet and byte counts for sessions.

sequence

(Optional) Displays sequence information for sessions.

state

(Optional) Displays state information for sessions.


Command Modes

Privileged EXEC

Command History

Release
Modification

11.2

This command was introduced.

12.1(1)T

This command was enhanced to display Point-to-Point Protocol over Ethernet (PPPoE) session information. Support was added for the packets and all keywords.

12.1(2)T

This command was enhanced to display PPPoE session information on actual Ethernet interfaces.

12.2(13)T

Reports from this command were enhanced with a unique identifier that can be used to correlate a particular session with the session information retrieved from other show commands or debug command traces.

12.3(2)T

Support was added for the l2f, l2tp, and pptp keywords.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

Use the show vpdn session command to display information about all active sessions using L2TP, L2F, and PPTP.

The output of the show vpdn session command displays PPPoE session information as well. PPPoE is supported on ATM permanent virtual connections (PVCs) compliant with RFC 1483 only. PPPoE is not supported on Frame Relay and any other LAN interfaces such as FDDI and Token Ring.

Reports and options for this command depend upon the configuration in which it is used. Use the command-line question mark (?) help function to display options available with the show vpdn session command.

Table 4 defines the filter parameters available to refine the output of the show vpdn session command. You may use any one of the filter parameters in place of the filter argument.

Table 4 Filter Parameters for the show vpdn session Command

Syntax
Description

interface serial number

Filters the output to display only information for sessions associated with the specified serial interface.

number—The serial interface number.

interface virtual-template number

Filters the output to display only information for sessions associated with the specified virtual template.

number—The virtual template number.

tunnel id tunnel-id session-id

Filters the output to display only information for sessions associated with the specified tunnel ID and session ID.

tunnel-id—The local tunnel ID. Valid values range from 1 to 65535.

session-id—The local session ID. Valid values range from 1 to 65535.

tunnel remote-name remote-name local-name

Filters the output to display only information for sessions associated with the tunnel with the specified names.

remote-name—The remote tunnel name.

local-name—The local tunnel name.

username username

Filters the output to display only information for sessions associated with the specified username.

username—The username.


Examples

The show vpdn session command provides reports on call activity for all active sessions. The following output is from a device carrying active L2TP, L2F, and PPPoE sessions:

Router# show vpdn session

L2TP Session Information Total tunnels 1 sessions 4

LocID RemID TunID Intf          Username             State    Last Chg Uniq ID
4     691   13695 Se0/0         nobody2@cisco.com        est    00:06:00  4      
5     692   13695 SSS Circuit   nobody1@cisco.com        est    00:01:43  8      
6     693   13695 SSS Circuit   nobody1@cisco.com        est    00:01:43  9      
3     690   13695 SSS Circuit   nobody3@cisco.com        est    2d21h     3      

L2F Session Information Total tunnels 1 sessions 2

 CLID   MID    Username                   Intf          State   Uniq ID
 1      2      nobody@cisco.com              SSS Circuit   open    10     
 1      3      nobody@cisco.com              SSS Circuit   open    11     

%No active PPTP tunnels

PPPoE Session Information Total tunnels 1 sessions 7

PPPoE Session Information
UID    SID    RemMAC         OIntf          Intf      Session
              LocMAC                        VASt      state  
3      1      0030.949b.b4a0 Fa2/0          N/A       CNCT_FWDED
              0010.7b90.0840                         
6      2      0030.949b.b4a0 Fa2/0          Vi1.1     CNCT_PTA
              0010.7b90.0840               UP         
7      3      0030.949b.b4a0 Fa2/0          Vi1.2     CNCT_PTA
              0010.7b90.0840               UP         
8      4      0030.949b.b4a0 Fa2/0          N/A       CNCT_FWDED
              0010.7b90.0840                         
9      5      0030.949b.b4a0 Fa2/0          N/A       CNCT_FWDED
              0010.7b90.0840                         
10     6      0030.949b.b4a0 Fa2/0          N/A       CNCT_FWDED
              0010.7b90.0840                         
11     7      0030.949b.b4a0 Fa2/0          N/A       CNCT_FWDED
              0010.7b90.0840                         

Table 5 describes the significant fields in the show vpdn session display.

Table 5 show vpdn session Field Descriptions 

Field
Description

LocID

Local identifier.

RemID

Remote identifier.

TunID

Tunnel identifier.

Intf

Interface associated with the session.

Username

User domain name.

State

Status for the individual user in the tunnel; can be one of the following states:

est

opening

open

closing

closed

waiting_for_tunnel

The waiting_for_tunnel state means that the user connection is waiting until the main tunnel can be brought up before it moves to the opening state.

Last Chg

Time interval (in hh:mm:ss) since the last change occurred.

Uniq ID

The unique identifier used to correlate this particular session with the sessions retrieved from other show commands or debug command traces.

CLID

A number uniquely identifying the session.

MID

A number uniquely identifying this user in this tunnel.

UID

PPPoE user ID.

SID

PPPoE session ID.

RemMAC

Remote MAC address of the host.

LocMAC

Local MAC address of the router. It is the default MAC address of the router.

OIntf

Outgoing interface.

Intf VASt

Virtual access interface number and state.

Session state

PPPoE session state.


The show vpdn session packets command provides reports on call activity for all the currently active sessions. The following output is from a device carrying an active PPPoE session:

Router# show vpdn session packets
 
%No active L2TP tunnels
%No active L2F tunnels
 
PPPoE Session Information Total tunnels 1 sessions 1
PPPoE Session Information
SID     Pkts-In         Pkts-Out        Bytes-In        Bytes-Out
1       202333          202337          2832652         2832716

Table 6 describes the significant fields shown in the show vpdn session packets command display.

Table 6 show vpdn session packets Field Descriptions 

Field
Description

SID

Session ID for the PPPoE session.

Pkts-In

Number of packets coming into this session.

Pkts-Out

Number of packets going out of this session.

Bytes-In

Number of bytes coming into this session.

Bytes-Out

Number of bytes going out of this session.


The show vpdn session all command provides extensive reports on call activity for all the currently active sessions. The following output is from a device carrying active L2TP, L2F, and PPPoE sessions:

Router# show vpdn session all

L2TP Session Information Total tunnels 1 sessions 4

Session id 5 is up, tunnel id 13695
Call serial number is 3355500002
Remote tunnel name is User03
  Internet address is 10.0.0.63
  Session state is established, time since change 00:03:53
    52 Packets sent, 52 received
    2080 Bytes sent, 1316 received
  Last clearing of "show vpdn" counters never
  Session MTU is 1464 bytes
  Session username is nobody@cisco.com
    Interface 
    Remote session id is 692, remote tunnel id 58582
  UDP checksums are disabled
  SSS switching enabled
  No FS cached header information available
  Sequencing is off
  Unique ID is 8

Session id 6 is up, tunnel id 13695
Call serial number is 3355500003
Remote tunnel name is User03
  Internet address is 10.0.0.63
  Session state is established, time since change 00:04:22
    52 Packets sent, 52 received
    2080 Bytes sent, 1316 received
  Last clearing of "show vpdn" counters never
  Session MTU is 1464 bytes
  Session username is nobody@cisco.com
    Interface 
    Remote session id is 693, remote tunnel id 58582
  UDP checksums are disabled
  SSS switching enabled
  No FS cached header information available
  Sequencing is off
  Unique ID is 9

Session id 3 is up, tunnel id 13695
Call serial number is 3355500000
Remote tunnel name is User03
  Internet address is 10.0.0.63
  Session state is established, time since change 2d21h
    48693 Packets sent, 48692 received
    1947720 Bytes sent, 1314568 received
  Last clearing of "show vpdn" counters never
  Session MTU is 1464 bytes
  Session username is nobody2@cisco.com
    Interface 
    Remote session id is 690, remote tunnel id 58582
  UDP checksums are disabled
  SSS switching enabled
  No FS cached header information available
  Sequencing is off
  Unique ID is 3

Session id 4 is up, tunnel id 13695
Call serial number is 3355500001
Remote tunnel name is User03
  Internet address is 10.0.0.63
  Session state is established, time since change 00:08:40
    109 Packets sent, 3 received
    1756 Bytes sent, 54 received
  Last clearing of "show vpdn" counters never
  Session MTU is 1464 bytes
  Session username is nobody@cisco.com
    Interface Se0/0
    Remote session id is 691, remote tunnel id 58582
  UDP checksums are disabled
  IDB switching enabled
  FS cached header information:
    encap size = 36 bytes
    4500001C BDDC0000 FF11E977 0A00003E
    0A00003F 06A506A5 00080000 0202E4D6
    02B30000 
  Sequencing is off
  Unique ID is 4

L2F Session Information Total tunnels 1 sessions 2
MID: 2
User:  nobody@cisco.com
Interface:  
State:  open
Packets out: 53
Bytes out: 2264
Packets in: 51
Bytes in: 1274
Unique ID: 10

  Last clearing of "show vpdn" counters never
MID: 3
User:  nobody@cisco.com
Interface:  
State:  open
Packets out: 53
Bytes out: 2264
Packets in: 51
Bytes in: 1274
Unique ID: 11
          
Last clearing of "show vpdn" counters never

%No active PPTP tunnels

PPPoE Session Information Total tunnels 1 sessions 7

PPPoE Session Information
SID     Pkts-In         Pkts-Out        Bytes-In        Bytes-Out
1       48696           48696           681765          1314657   
2       71              73              1019            1043      
3       71              73              1019            1043      
4       61              62              879             1567      
5       61              62              879             1567      
6       55              55              791             1363      
7       55              55              795             1363      

The significant fields shown in the show vpdn session all command display are similar to those defined in Table 5 and Table 6.

Related Commands

Command
Description

show sss session

Displays Subscriber Service Switch session status.

show vpdn

Displays basic information about all active VPDN tunnels.

show vpdn domain

Displays all VPDN domains and DNIS groups configured on the NAS.

show vpdn group

Displays a summary of the relationships among VPDN groups and customer/VPDN profiles, or summarizes the configuration of a VPDN group including DNIS/domain, load sharing information, and current session information.

show vpdn history failure

Displays the content of the failure history table.

show vpdn multilink

Displays the multilink sessions authorized for all VPDN groups.

show vpdn redirect

Displays statistics for L2TP redirects and forwards.

show vpdn tunnel

Displays information about active Layer 2 tunnels for a VPDN.


subscriber access

To configure a network access server (NAS) to enable Subscriber Service Switch (SSS) to preauthorize the NAS port identifier (NAS-Port-ID) string before authorizing the domain name, use the subscriber access command in global configuration mode. To disable SSS preauthorization, use the no form of this command.

subscriber access {pppoe | pppoa} pre-authorize nas-port-id [default | list-name] [send username]

no subscriber access {pppoe | pppoa} pre-authorize nas-port-id

Syntax Description

pppoe

Specifies PPP over Ethernet (PPPoE).

pppoa

Specifies PPP over ATM (PPPoATM).

pre-authorize nas-port-id

Signals SSS to preauthorize the NAS-Port-ID string before authorizing the domain name.

default

(Optional) Uses the default method list name instead of the named list-name argument.

list-name

(Optional) Authentication, authorization, and accounting (AAA) authorization configured on the LAC.

send username

(Optional) Specifies to send the authentication username of the session in the Change_Info attribute (attribute 77).


Defaults

Preauthorization is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)B

This command was introduced on the Cisco 6400 series, the Cisco 7200 series, and the Cisco 7401 Application Specific Router (ASR).

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T, and the pppoe and pppoa keywords were added.

12.4(2)T

The send username keyword was added.

12.3(14)YM2

This command was integrated into Cisco IOS Release 12.3(14)YM2 and implemented on the Cisco 7301, Cisco 7204VXR, and Cisco 7206VXR routers.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

The NAS-Port-ID string is used to locate the first service record, which may contain one of three attributes, as follows:

A restricted set of values for the domain substring of the unauthenticated PPP name.

This filtered service key then locates the final service. See the vpdn authorize domain command for more information.

PPPoE session limit.

The logical line ID (LLID).

Once NAS port authorization has taken place, normal authorization, which is usually the domain authorization, continues.

Logical Line ID

The LLID is an alphanumeric string of from 1 to 253 characters that serves as the logical identification of a subscriber line. LLID is maintained in a RADIUS server customer profile database and enables users to track their customers on the basis of the physical lines on which customer calls originate. Downloading the LLID is also referred to as "preauthorization" because it occurs before normal virtual private dialup network (VPDN) authorization downloads L2TP tunnel information.

This command enables LLID and SSS querying only for PPP over Ethernet over ATM (PPPoEoATM) and PPP over Ethernet over VLAN (PPPoEoVLAN or Dot1Q) calls; all other calls, such as ISDN, are not supported.

Per-NAS-Port Session Limits for PPPoE

Use this command to configure SSS preauthorization on the LAC so that the PPPoE per-NAS-port session limit can be downloaded from the customer profile database. To use PPPoE per-NAS-port session limits, you must also configure the PPPoE Session-Limit per NAS-Port Cisco attribute-value pair in the user profile.

Examples

The following example signals SSS to preauthorize the NAS-Port-ID string before authorizing the domain name. This policy applies only to sessions that have a PPPoE access type.

aaa new-model
aaa group server radius sg_llid
 server 172.20.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg_group
 server 172.20.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius 
aaa authorization confg-commands
aaa authorization network default group sg_group
aaa authorization network mlist_llid group sg_llid
aaa session-id common
!
username s7200_2 password 0 lab
username s5300 password 0 lab
username sg_group password 0 lab
vpdn enable
!
vpdn-group 2
  request-dialin
  protocol 12tp
 domain example.com
 initiate-to ip 10.1.1.1
 local name s7200_2
!
vpdn-group 3
 accept dialin
  protocol pppoe
  virtual-template 1
!
! Signals Subscriber Service Switch to preauthorize the NAS-Port-ID string before
! authorizing the domain name.
subscriber access pppoe pre-authorize nas-port-id mlist_llid
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.0
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet1/0
 ip address 10.2.2.2 255.255.255.0 secondary
 ip address 10.0.58.111 255.255.255.0 
 no cdp enable
!
interface ATM4/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM4/0.1 point-to-point
 pvc 1/100
  encapsulation aa15snap
  protocol pppoe
!
interface virtual-template1
 no ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap
!
radius-server host 172.20.164.120 auth-port 1645 acct-port 1646 key rad123
radius-server host 172.20.164.106 auth-port 1645 acct-port 1646 key rad123
ip radius source-interface Loopback1

The following example is identical to the previous example except that it also adds support for sending the PPP authenticating username with the preauthorization in the Connect-Info attribute. This example also includes command-line interface (CLI) suppression on the LLID if the username that is used to authenticate has a domain that includes #184.

aaa new-model
aaa group server radius sg_llid
 server 172.31.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg_group
 server 172.31.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius 
aaa authorization confg-commands
aaa authorization network default group sg_group
aaa authorization network mlist_llid group sg_llid
aaa session-id common
!
username s7200_2 password 0 lab
username s5300 password 0 lab
username sg_group password 0 lab
vpdn enable
!
vpdn-group 2
 request-dialin
 protocol 12tp
 domain example.com
 domain example.com#184
 initiate-to ip 10.1.1.1
 local name s7200_2
 l2tp attribute clid mask-method right * 255 match #184
!
vpdn-group 3
 accept dialin
 procotol pppoe
 virtual-template 1
!
subscriber access pppoe pre-authorize nas-port-id mlist_llid send username
!

Related Commands

Command
Description

ip radius source-interface

Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.

l2tp attribute clid mask-method

Configure a NAS to provide L2TP calling line ID suppression for calls belonging to a VPDN group.

subscriber authorization enable

Enables SSS type authorization.

vpdn authorize domain

Enables domain preauthorization on a NAS.

vpdn l2tp attribute clid mask-method

Configure a NAS to provide L2TP calling line ID suppression globally on the router.


subscriber authorization enable

To enable Subscriber Service Switch type authorization, use the subscriber authorization enable command in global configuration mode. To disable the Subscriber Service Switch authorization, use the no form of this command.

subscriber authorization enable

no subscriber authorization enable

Syntax Description

This command has no arguments or keywords.

Defaults

Authorization is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(13)T

This feature was introduced.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

The subscriber authorization enable command triggers Subscriber Service Switch type authorization for local termination, even if virtual private dialup network (VPDN) and Stack Group Bidding Protocol (SGBP) are disabled.

Examples

The following example enables Subscriber Service Switch type authorization:

subscriber authorization enable

Related Commands

Command
Description

subscriber access

Enables Subscriber Service Switch preauthorizationof a NAS port identifier (NAS-Port-ID) string before authorizing the domain name.

vpdn authorize domain

Enables domain preauthorization on a NAS.


vpdn authorize domain

To enable domain preauthorization on a network access server (NAS), use the vpdn authorize domain command in global configuration mode. To disable domain preauthorization, use the no form of this command.

vpdn authorize domain

no vpdn authorize domain

Syntax Description

This command has no arguments or keywords.

Defaults

Domain preauthorization is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.1(1)DC1

This command was introduced on the Cisco 6400 NRP.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

A domain preauthorization RADIUS user profile must also be created. See the "Examples" section and refer to the Cisco IOS Security Configuration Guide for information on how to create these profiles.

Examples

Domain Preauthorization Configuration on the LAC Example

The following example shows the configuration necessary for an L2TP access concentrator (LAC) to participate in domain preauthorization:

!
aaa new-model
aaa authorization network default local group radius
!
vpdn authorize domain
!
radius-server host 10.9.9.9 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d
radius-server key MyKey
radius-server vsa send authentication
!

Domain Preauthorization RADIUS User Profile Example

The following example shows a domain preauthorization RADIUS user profile:

user = nas-port:10.9.9.9:0/0/0/30.33{
 profile_id = 826 
 profile_cycle = 1 
 radius=Cisco {
 check_items= {
 2=cisco
 } 
 reply_attributes= {
 9,1="vpdn:vpn-domain-list=net1.com,net2.com"
 6=5
 } 
 } 

Related Commands

Command
Description

aaa new-model

Enables the AAA access control model.


vpn service

To configure a static domain name, use the vpn service command in ATM VC, ATM VC class or VC class configuration mode or in PVC range configuration mode. To remove a static domain name, use the no form of this command.

vpn service domain-name [replace-authen-domain]

no vpn service domain-name [replace-authen-domain]

Syntax Description

domain-name

Static domain name.

replace-authen-domain

(Optional) Specifies that when a static name is configured and VPDN preauthentication is configured, the domain name specified for VPN service replaces the domain field in the username for authentication.


Defaults

No default behavior or values

Command Modes

ATM VC configuration
ATM VC class configuration
PVC range configuration

Command History

Release
Modification

12.1(1)DC1

This command was introduced on the Cisco 6400 NRP.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.3(7)XI7

The replace-authen-domain keyword was added and this command was integrated into Cisco IOS Release 12.2(7)XI7.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

Use the vpn service command in a permanent virtual circuit (PVC), VC class configuration, or PVC range configuration so that PPP over ATM (PPPoA) or PPP over Ethernet over ATM (PPPoEoA) sessions in those PVCs will be forwarded according to the domain name supplied, without starting PPP.

To replace the VPN service domain name with the domain name from the username during preauthentication, use this command with the replace-authen-domain keyword, in conjunction with the vpdn authen-before-forward command.

Examples

In the following partial example, VPDN group 1 is selected for PPPoA session forwarding based on the domain name example.com:

vpdn-group 1
 request-dialin
  protocol l2tp
  domain example.com
 initiate-to ip 10.1.1.1 priority 1
.
.
.
interface ATM1/0.1 multipoint
 pvc 101
  encapsulation aal5mux ppp virtual-Template 1
  vpn service example.net

In the following partial example using the replace-authen-domain keyword, the domain field is replaced by the domain name during preauthentication:

vpdn-group 1
 request-dialin
  protocol l2tp
  domain example.net
 authen-before-forward
 initiate-to ip 10.1.1.1 priority 1
.
.
.
interface atm 4/0
 ip address 3.0.0.2 255.255.0.0
 pvc 1/20
encapsulation aal5mux ppp virtual-Template 1
  vpn service example.net replace-authen-domain

Related Commands

Command
Description

vpdn authen-before-forward

Enables authentication of all dial-in L2TP sessions before the sessions are forwarded to the tunnel server (global preauthentication).