Feedback
Contents
- M through Z
- match (radius-filter)
- match access-group (ISG)
- match access-list
- match authen-status
- match authenticated-domain
- match authenticated-username
- match dnis
- match media
- match mlp-negotiated
- match nas-port
- match no-username
- match protocol (ISG)
- match service-name
- match source-ip-address
- match timer
- match tunnel-name
- match unauthenticated-domain
- match unauthenticated-username
- match vrf
- matchnot (radius-filter)
- message-authenticator ignore
- method-list
- passthru downstream ipv6
- password (ISG)
- police (ISG)
- policy-map
- policy-map type control
- policy-map type service
- policy-name
- policy-peer
- port
- prepaid config
- proxy (ISG RADIUS proxy)
- radius filter
- radius-server attribute 31
- radius-server attribute nas-port-id include
- re-authenticate do-not-apply
- redirect log translations
- redirect server-group
- redirect session-limit
- redirect to (ISG)
- server ip
- server-key
- service (ISG)
- service deny (ISG)
- service local (ISG)
- service relay (ISG)
- service vpdn group (ISG)
- service-monitor
- service-policy
- service-policy type control
- service-policy type service
- session-identifier (ISG)
- set-timer
- sgi beep listener
- sg-service-group
- sg-service-type
- sg-service-type external policy
- show class-map type control
- show class-map type traffic
- show database data
- show dwnld_mgr
- show idmgr
- show interface monitor
- show ip portbundle ip
- show ip portbundle status
- show ip subscriber
- show platform isg session
- show platform isg session-count
- show policy-map type control
- show policy-map type service
- show processes cpu monitor
- show pxf cpu iedge
- show pxf cpu isg
- show radius-proxy client
- show radius-proxy session
- show redirect group
- show redirect translations
- show sgi
- show ssm
- show subscriber policy dpm statistics
- show subscriber policy peer
- show subscriber service
- show subscriber session
- show subscriber statistics
- show subscriber trace statistics
- show subscriber trace history
- show subscriber trace statistics
- source
- subscriber accounting accuracy
- subscriber accounting ssg
- subscriber feature prepaid
- subscriber policy recording
- subscriber redundancy
- subscriber trace event
- subscriber trace history
- test sgi xml
- threshold (ISG)
- timeout absolute (ISG)
- timeout idle
- timer (ISG RADIUS proxy)
- trust
M through Z
match (radius-filter)
To configure a condition to check for filter match criteria, use the match command in RADIUS filter configuration mode. To remove filter match criteria, use the no form of this command.
Command Modes
RADIUS filter configuration (config-radius-filter)
Usage Guidelines
Use the match command to check for the attribute to be present in the packet. The vendor-type and ven-type-number keyword-argument pair specifies the attributes associated with a specific vendor. If no attribute is specified, the condition matches the filter for any attribute of the specific vendor:
match access-group (ISG)
To configure the match criteria for an Intelligent Services Gateway (ISG) traffic class map on the basis of the specified access control list (ACL), use the match access-group command in traffic class-map configuration mode. To remove the ACL from a class map, use the no form of this command.
Syntax Description
|
input |
Specifies match criteria for input traffic. |
|
output |
Specifies match criteria for output traffic. |
|
access-list-number |
A numbered ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to this class. Range is 1 to 2799. |
|
name access-list-name |
A named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to this class. The name can be a maximum of 40 alphanumeric characters |
Usage Guidelines
The match access-group command specifies a numbered or named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the class. Packets satisfying the match criteria for a class constitute the traffic for that class.
The ACL must be defined using the ip access-list command.
After a traffic class map has been defined, use the class type traffic command to associate the traffic class map with a service policy map. A service can contain one traffic class and the default class.
ISG traffic classes allow subscriber session traffic to be subclassified so that ISG features can be applied to constituent flows. Traffic policies, which define the handling of data packets, contain a traffic class and one or more features.
Examples
The following example shows a class map named "acl144" that is configured to use ACL 144 as the input match criterion for this class:
class-map type traffic match-any acl144 match access-group input 144
Related Commands
|
Command |
Description |
|---|---|
|
class-map type traffic |
Creates or modifies a traffic class map, which is used for matching packets to a specified ISG traffic class. |
|
class type traffic |
Associates a traffic class map with a service policy map. |
| ip access-list |
Defines an IP access list or object group access control list (OGACL). |
match access-list
To specify packets for port-mapping by specifying an access list to compare against the subscriber traffic, use the destination access-list command in portbundle configuration mode. To remove this specification, use the no form of this command.
Syntax Description
|
access-list-number |
Integer from 100 to 199 that is the number or name of an extended access list. |
Usage Guidelines
You can use multiple entries of the match access-list command. The access lists are checked against the subscriber traffic in the order in which they are defined.
match authen-status
To create a condition that will evaluate true if a subscriber's authentication status matches the specified authentication status, use the match authen-status command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
|
authenticated |
Subscriber has been authenticated. |
|
unauthenticated |
Subscriber has not been authenticated. |
Command Default
A condition that will evaluate true if a subscriber's authentication status matches the specified authentication status is not created.
Usage Guidelines
The match authen-statuscommand is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.
class-map type type control match-all CONDA
match authen-status unauthenticated
match timer TIMERA
policy-map type control RULEA
class type control always event session-start
1 set-timer TIMERA 1 [minutes]
!
class type control CONDA event timed-policy-expiry
1 service disconnect
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match authenticated-domain
To create a condition that will evaluate true if a subscriber's authenticated domain matches the specified domain, use the match authenticated-domain command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
|
domain-name |
Domain name. |
|
regexp regular-expression |
Regular expression to be matched against subscriber's authenticated domain name. |
Command Default
A condition that will evaluate true if a subscriber's authenticated domain matches the specified domain is not created.
Usage Guidelines
The match authenticated-domaincommand is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example creates a control class map that will evaluate true if a subscriber's domain matches the regular expression ".*com".
class-map type control match-all MY-CONDITION1 match authenticated-domain regexp ".*com"
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match authenticated-username
To create a condition that will evaluate true if a subscriber's authenticated username matches the specified username, use the match authenticated-username command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
|
username |
Username |
|
regexp regular-expression |
Matches the regular expression against the subscriber's authenticated username. |
Usage Guidelines
The match authenticated-usernamecommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which evaluates to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true for the class as a whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates "class3" with the control policy map called "rule4".
class-map type control match-all class3 match authenticated-username regexp "user@.*com" match authenticated-domain regexp ".*com" ! policy-map type control rule4 class type control class3 event session-start 1 authorize identifier authenticated-username
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match dnis
To create a condition that will evaluate true if a subscriber's Dialed Number Identification Service number (DNIS number, also referred to as called-party number ) matches the specified DNIS, use the match dnis command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
|
dnis |
DNIS number. |
|
regexp regular-expression |
Matches the regular expression against the subscriber's DNIS number. |
Command Default
A condition that will evaluate true if a subscriber's DNIS number matches the specified DNIS is not created.
Usage Guidelines
The match dniscommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates "class3" with the control policy map called "rule4".
class-map type control match-all class3 match dnis reg-exp 5550100 ! policy-map type control rule4 class type control class3 event session-start 1 authorize identifier dnis!
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match media
To create a condition that will evaluate true if a subscriber's access media type matches the specified media type, use the match media command in control class-map configuration mode. To remove the condition, use the no form of this command.
Command Default
A condition that will evaluate true if a subscriber's access media type matches the specified media type is not created.
Usage Guidelines
The match media command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example configures a control class map that evaluates true for subscribers that enter the router through Ethernet interface slot 3.
class-map type control match-all MATCHING-USERS match media ether match nas-port type ether slot 3
match mlp-negotiated
To create a condition that will evaluate true depending on whether or not a subscriber's session was established using multilink PPP negotiation, use the match mlp-negotiated command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
|
no |
The subscriber's session was not multilink PPP negotiated. |
|
yes |
The subscriber's session was multilink PPP negotiated. |
Usage Guidelines
The match mlp-negotiatedcommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map configured with the match mlp-negotiated command:
class-map type control match-all class3 match mlp-negotiated yes ! policy-map type control rule4 class type control class3 event session-start 1 authorize authenticated-username
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match nas-port
To create a condition that will evaluate true if a subscriber's network access server (NAS) port identifier matches the specified value, use the match nas-port command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
|
adapter adapter-number |
Interface adapter number. |
|
channel channel-number |
Interface channel number. |
|
circuit-id name |
Circuit ID |
|
ipaddr ip-address |
IP address. |
|
port port-number |
Port number. |
|
remote-id name |
Remote ID. |
|
shelf shelf-number |
Interface shelf number. |
|
slot slot-number |
Slot number. |
|
sub-interface sub-interface-number |
Subinterface number. |
|
type interface-type |
Interface type. |
|
vci vci-number |
Virtual channel identifier. |
|
vlan vlan-id |
VLAN ID. |
|
vpi vpi-number |
Virtual path identifier. |
Command Default
A condition that will evaluate true if a subscriber's NAS port identifier matches the specified value is not created.
Usage Guidelines
The match nas-portcommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example configures a control class map that evaluates true on PPPoE subscribers that enter the router through Ethernet interface slot 3.
class-map type control match-all MATCHING-USERS class type control name NOT-ATM match media ether match nas-port type ether slot 3
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match no-username
To create a condition that will evaluate true if a subscriber's username is available, use the match no-username command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
|
no |
The subscriber's username is available. |
|
yes |
The subscriber's username is not available. |
Command Default
A condition that will evaluate true if a subscriber's username is available is not created.
Usage Guidelines
The match no-username command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map configured with the match no-username command:
class-map type control match-all class3 match no-username yes ! policy-map type control rule4 class type control class3 event session-start 1 service local
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match protocol (ISG)
To create a condition that will evaluate true if a subscriber's access protocol type matches the specified protocol type, use the match protocol command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
|
atom |
Any Transport over MPLS (AToM). |
|
ip |
IP. |
|
pdsn |
Packet Data Serving Node (PDSN). |
|
ppp |
Point-to-Point Protocol (PPP). |
|
vpdn |
Virtual Private Dialup Network (VPDN). |
Command Default
A condition that will evaluate true if a subscriber's access protocol type matches the specified protocol type is not created.
Usage Guidelines
The match protocolcommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example creates a control class map that evaluates true if subscribers arrive from a VPDN tunnel:
class-map type control match-any MY-CONDITION match protocol vpdn
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match service-name
To create a condition that will evaluate true if the service name associated with a subscriber matches the specified service name, use the match service-name command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
|
service-name |
Service name. |
|
regexp regular-expression |
Regular expression to be matched against subscriber's service name. |
Command Default
A condition that will evaluate true if the service name associated with a subscriber matches the specified service name is not created.
Usage Guidelines
The match service-namecommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example configures ISG to authenticate subscribers associated with the service before downloading the service:
aaa authentication login AUTHEN local aaa authorization network SERVICE group radius ! class-map type control match-any MY-CONDITION2 match service-name "gold" match service-name "bronze" match service-name "silver" ! policy-map type control MY-RULE2 class type control MY-CONDITION2 event service-start 1 authenticate aaa list AUTHEN 2 service-policy type service aaa list SERVICE identifier service-name ! service-policy type control MY-RULE2
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match source-ip-address
To create a condition that will evaluate true if a subscriber's source IP address matches the specified IP address, use the match source-ip-addresscommand in control class-map configuration mode. To remove the condition, use the no form of this command.
Command Default
A condition that will evaluate true if a subscriber's source IP address matches the specified IP address is not created.
Usage Guidelines
The match source-ip-addresscommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates "class3" with the control policy map called "rule4".
class-map type control match-all class3 match source-ip-address 10.0.0.0 255.255.255.0 ! policy-map type control rule4 class type control class3 event session-start 1 authorize identifier source-ip-address !
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match timer
To create a condition that will evaluate true when the specified timer expires, use the match timer command in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
|
timer-name |
Name of the policy timer. |
|
regexp regular-expression |
Regular expression to be matched against the timer name. |
Command Default
A condition that will evaluate true when the specified timer expires is not created.
Usage Guidelines
The match timercommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.
class-map type control match-all CONDA
match authen-status unauthenticated
match timer TIMERA
policy-map type control RULEA
class type control always event session-start
1 set-timer TIMERA 1
!
class type control CONDA event timed-policy-expiry
1 service disconnect
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match tunnel-name
To create a condition that will evaluate true if a subscriber's Virtual Private Dialup Network (VPDN) tunnel name matches the specified tunnel name, use the match tunnel-name command in control class-map configuration mode. To remove the condition, use the no form of this command.
Command Default
A condition that will evaluate true if a subscriber's VPDN tunnel name matches the specified tunnel name is not created.
Usage Guidelines
The match tunnel-name command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates "class3" with the control policy map called "rule4".
class-map type control match-all class3 match tunnel-name LAC ! policy-map type control rule4 class type control class3 event session-start 1 authorize identifier tunnel-name !
match unauthenticated-domain
To create a condition that will evaluate true if a subscriber's unauthenticated domain name matches the specified domain name, use the match unauthenticated-domaincommand in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
|
domain-name |
Domain name. |
|
regexp regular-expression |
Regular expression to be matched against subscriber's domain name. |
Command Default
A condition that will evaluate true if a subscriber's unauthenticated domain name matches the specified domain name is not created.
Usage Guidelines
The match unauthenticated-domaincommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example configures a control class map that evaluates true for subscribers with the unauthenticated domain "abc.com":
class-map type control match-all MY-FORWARDED-USERS match unauthenticated-domain "xyz.com"
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match unauthenticated-username
To create a condition that will evaluate true if a subscriber's unauthenticated username matches the specified username, use the match unauthenticated-usernamecommand in control class-map configuration mode. To remove the condition, use the no form of this command.
Syntax Description
|
username |
Username. |
|
regexp regular-expression |
Regular expression to be matched against the subscriber's username. |
Command Default
A condition that will evaluate true if a subscriber's unauthenticated username matches the specified username is not created.
Usage Guidelines
The match unauthenticated-usernamecommand is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type controlcommand is used to associate a control class map with a policy control map.
Examples
The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type controlcommand associates "class3" with the control policy map called "rule4".
class-map type control match-all class3 match identifier unauthenticated-username regexp "user@.*com" ! policy-map type control rule4 class type control class3 event session-start 1 authorize identifier unauthenticated-username!
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
match vrf
To create a condition that evaluates true if a subscriber's VPN routing and forwarding instance (VRF) matches the specified VRF, use the match vrf command in control class-map configuration mode. To remove this condition, use the no form of this command.
Syntax Description
|
vrf-name |
Name of the VRF. |
|
regexp regular-expression |
Regular expression to be matched against the subscriber's VRF. |
Command Default
A condition that will evaluate true if a subscriber's VRF matches the specified VRF is not created.
Usage Guidelines
The match vrf command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.
The class type control command is used to associate a control class map with a policy control map.
matchnot (radius-filter)
To configure a condition to check for a filter criteria that do not match, use the matchnot command in RADIUS filter configuration mode. To remove a filter match criteria for an unsuccessful match, use the no form of this command.
Command Modes
RADIUS filter configuration (config-radius-filter)
Usage Guidelines
Use the matchnot command to check whether an attribute is absent from the packet. The vendor-type and ven-type-number keyword/argument pair specifies the attribute that is associated with a specific vendor. If no attribute option is specified, the condition matches the filter for any attribute of the specific vendor.
message-authenticator ignore
To disable message-authenticator validation of packets from RADIUS clients, use the message-authenticator ignorecommand in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To reenable message-authenticator validation, use the no form of this command.
Usage Guidelines
Use the message-authenticator ignore command when validation of the source of RADIUS packets is not required or in situations in which a RADIUS client is not capable of filling the message-authenticator field in the RADIUS packet.
method-list
To specify the authentication, authorization, and accounting (AAA) method list to which the Intelligent Services Gateway (ISG) will send prepaid accounting updates or prepaid authorization requests, use the method-list command in ISG prepaid configuration mode. To reset to the default value, use the no form of this command.
Usage Guidelines
The AAA method list that is specified by the method-list command must be configured by using the aaa accounting command. See the Cisco IOS Security Configuration Guide for information about configuring AAA method lists, server groups, and servers.
Examples
The following example shows an ISG prepaid feature configuration in which a method list called "ap-mlist" is specified for prepaid accounting and the default method list is specified for prepaid authorization:
subscriber feature prepaid conf-prepaid interim-interval 5 threshold time 20 threshold volume 0 method-list accounting ap-mlist method-list authorization default password cisco
Related Commands
|
Command |
Description |
|---|---|
|
aaa accounting |
Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+. |
|
prepaid config |
Enables prepaid billing for an ISG service and references a configuration of prepaid billing parameters. |
|
subscriber feature prepaid |
Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile |
passthru downstream ipv6
To allow IPv6 downstream traffic from an Intelligent Services Gateway (ISG) interface to pass through to a subscriber without an established subscriber session, use the passthru downstream ipv6 command in IP subscriber configuration mode. To prevent downstream traffic from passing through without a subscriber session, use the no form of this command.
Usage Guidelines
The passthru downstream ipv6 command enables pass through of IPv6 downstream traffic if an IPv6-specific initiator is configured with the initiator unclassified ip-address or initiator unclassified ip-address ipv6 command.
This command enables subscribers to receive services, such as support and security updates, even if a subscriber session is not present.
If an IPv4-specific initiator is configured on the interface with the initiator unclassified ip-address ipv4 command, IPv6 downstream traffic is allowed without the pass through feature but IPv4 downstream traffic is blocked.
Examples
The following example shows that Ethernet interface 0/0 has been configured to allow IPv6 downstream traffic to be forwarded to subscribers even if a subscriber session is not present.
interface GigabitEthernet0/0/0 ip address 192.0.2.1 255.255.255.0 ipv6 address 2001:DB8::1/64 ipv6 enable no cdp enable service-policy type control my-policy2 ip subscriber routed initiator unclassified ip-address passthru downstream ipv6
password (ISG)
To specify the password that the Intelligent Services Gateway (ISG) will use in authorization and reauthorization requests, use the password command in prepaid configuration mode. To reset the password to the default, use the no form of this command.
Syntax Description
|
password |
Password that the ISG will use in authorization and reauthorization requests. The default password is cisco. |
Examples
The following example shows an ISG prepaid feature configuration in which the password is "pword" :
subscriber feature prepaid conf-prepaid interim-interval 5 threshold time 20 threshold volume 0 method-list accounting ap-mlist method-list authorization default password pword
Related Commands
|
Command |
Description |
|---|---|
|
prepaid config |
Enables prepaid billing for an ISG service and references a configuration of prepaid billing parameters. |
|
subscriber feature prepaid |
Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile. |
police (ISG)
To configure Intelligent Services Gateway (ISG) policing, use the police command in service policy-map class configuration mode. To disable upstream policing, use the no form of this command.
Syntax Description
|
input |
Specifies policing of upstream traffic, which is traffic flowing from the subscriber toward the network. |
|
output |
Specifies policing of upstream traffic, which is traffic flowing from the network toward the subscriber. |
|
committed-rate |
Amount of bandwidth, in bits per second, to which a subscriber is entitled. Range is from 8000 to 128000000000 (or 128 Gbps). |
|
normal-burst |
(Optional) Normal burst size, in bytes. Range is from 1000 to 2000000000 (2 Gb). If the normal burst size is not specified, it is calculated from the committed rate using the following formula: Normal burst = 1.5 * committed rate (scaled and converted to byte per msec) |
|
excess-burst |
(Optional) Excess burst size, in bytes. Range is from 1000 to 2000000000 (2 Gb). If the excess burst is not specified, it is calculated from the normal burst value using the following formula: Excess burst = 2 * normal burst |
Usage Guidelines
ISG policing supports policing of upstream and downstream traffic and can be applied to a session or a flow.
Session-based policing applies to the aggregate of subscriber traffic for a session.
Session-based policing parameters can be configured on a AAA server in either a user profile or a service profile that does not specify a traffic class. It can also be configured on the router in a service policy map by using the police command. Session-based policing parameters that are configured in a user profile take precedence over session-based policing parameters configured in a service profile or service policy map.
Flow-based policing applies only to the destination-based traffic flows that are specified by a traffic class.
Flow-based policing can be configured on a AAA server in a service profile that specifies a traffic class. It can also be configured on the router under a traffic class in a service policy map by using the police command. Flow-based policing and session-based policing can coexist and operate simultaneously on subscriber traffic.
Examples
The following example shows the configuration of flow-based ISG policing in a service policy map:
class-map type traffic match-any C3 match access-group in 103 match access-group out 203 policy-map type service P3 class type traffic C3 police input 20000 30000 60000 police output 21000 31500 63000
policy-map
To enter policy-map configuration mode and create or modify a policy map that can be attached to one or more interfaces to specify a service policy, use the policy-mapcommand in global configuration mode. To delete a policy map, use the no form of this command.
Supported Platforms Other Than Cisco 10000 and Cisco 7600 Series Routers
Cisco 10000 Series Router
Cisco CMTS and 7600 Series Router
Syntax Description
|
type |
(Optional) Specifies the policy-map type. |
|
stack |
(Optional) Determines the exact pattern to look for in the protocol stack of interest. |
|
access-control |
(Optional) Enables the policy map for the flexible packet matching feature. |
|
port-filter |
(Optional) Enables the policy map for the port-filter feature. |
|
queue-threshold |
(Optional) Enables the policy map for the queue-threshold feature. |
|
logging |
(Optional) Enables the policy map for the control-plane packet logging feature. |
|
log-policy |
(Optional) Type of log policy for control-plane logging. |
|
policy-map-name |
Name of the policy map. |
|
control |
(Optional) Creates a control policy map. |
|
control-name |
Name of the control policy map. |
|
service |
(Optional) Creates a service policy map. |
|
service-name |
Name of the policy-map service. |
|
class-routing |
Configures the class-routing policy map. |
|
ipv4 |
Configures the class-routing IPv4 policy map. |
|
unicast |
Configures the class-routing IPv4 unicast policy map. |
|
unicast-name |
Unicast policy-map name. |
Command History
Usage Guidelines
Use the policy-map command to specify the name of the policy map to be created, added, or modified before you configure policies for classes whose match criteria are defined in a class map. The policy-map command enters policy-map configuration mode, in which you can configure or modify the class policies for a policy map.
You can configure class policies in a policy map only if the classes have match criteria defined for them. Use the class-map and match commands to configure match criteria for a class. Because you can configure a maximum of 64 class maps, a policy map cannot contain more than 64 class policies, except as noted for quality of service (QoS) class maps on Cisco 7600 systems.
 Note | For QoS class maps on Cisco 7600 series routers, the limits are 1024 class maps and 256 classes in a policy map. |
A policy map containing ATM set cell loss priority (CLP) bit QoS cannot be attached to PPP over X (PPPoX) sessions. The policy map is accepted only if you do not specify the set atm-clp command.
A single policy map can be attached to more than one interface concurrently. Except as noted, when you attempt to attach a policy map to an interface, the attempt is denied if the available bandwidth on the interface cannot accommodate the total bandwidth requested by class policies that make up the policy map. In such cases, if the policy map is already attached to other interfaces, the map is removed from those interfaces.
Note | This limitation does not apply on Cisco 7600 series routers that have session initiation protocol (SIP)-400 access-facing line cards. |
Whenever you modify a class policy in an attached policy map, class-based weighted fair queuing (CBWFQ) is notified and the new classes are installed as part of the policy map in the CBWFQ system.
Class Queues (Cisco 10000 Series Routers Only)
The Performance Routing Engine (PRE)2 allows you to configure 31 class queues in a policy map.
In a policy map, the PRE3 allows you to configure one priority level 1 queue, one priority level 2 queue, 12 class queues, and one default queue.
Control Policies (Cisco 10000 Series Routers Only)
Control policies define the actions that your system will take in response to the specified events and conditions.
A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions are executed.
There are three steps involved in defining a control policy:
- Using the class-map type control command, create one or more control class maps.
- Using the policy-map type control command, create a control policy map.
A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.
Service Policies (Cisco 10000 Series Routers Only)
Service policy maps and service profiles contain a collection of traffic policies and other functions. Traffic policies determine which function is applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, which is a specific type of traffic policy that determines how session data packets will be forwarded to the network.
Policy Map Restrictions (Catalyst 6500 Series Switches Only)
Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. This release and platform has the following restrictions for using policy maps and match commands:
- You cannot modify an existing policy map if the policy map is attached to an interface. To modify the policy map, remove the policy map from the interface by using the no form of the service-policy command.
- Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. You can create as many traffic classes as needed. However, the following restrictions apply:
Examples
The following example shows how to create a policy map called "policy1" and configure two class policies included in that policy map. The class policy called "class1" specifies a policy for traffic that matches access control list (ACL) 136. The second class is the default class to which packets that do not satisfy the configured match criteria are directed.
! The following commands create class-map class1 and define its match criteria: class-map class1 match access-group 136 ! The following commands create the policy map, which is defined to contain policy ! specification for class1 and the default class: policy-map policy1 class class1 bandwidth 2000 queue-limit 40 class class-default fair-queue 16 queue-limit 20
The following example shows how to create a policy map called "policy9" and configure three class policies to belong to that map. Of these classes, two specify the policy for classes with class maps that specify match criteria based on either a numbered ACL or an interface name, and one specifies a policy for the default class called "class-default" to which packets that do not satisfy the configured match criteria are directed.
policy-map policy9 class acl136 bandwidth 2000 queue-limit 40 class ethernet101 bandwidth 3000 random-detect exponential-weighting-constant 10 class class-default fair-queue 10 queue-limit 20
The following is an example of a modular QoS command-line interface (MQC) policy map configured to initiate the QoS service at the start of a session.
Router> enable Router# configure terminal Router(config)# policy-map type control TEST Router(config-control-policymap)# class type control always event session-start Router(config-control-policymap-class-control)# 1 service-policy type service name QoS_Service Router(config-control-policymap-class-control)# end
Examples for Cisco 10000 Series Routers Only
The following example shows the configuration of a control policy map named "rule4". Control policy map rule4 contains one policy rule, which is the association of the control class named "class3" with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.
class-map type control match-all class3 match access-type pppoe match domain cisco.com available nas-port-id ! policy-map type control rule4 class type control class3 authorize nas-port-id ! service-policy type control rule4
The following example shows the configuration of a service policy map named "redirect-profile":
policy-map type service redirect-profile class type traffic CLASS-ALL redirect to group redirect-sg
Examples for the Cisco CMTS Router
The following example shows how to define a policy map for the 802.1p domain:
enable configure terminal policy-map cos7 class cos7 set cos 2 end
The following example shows how to define a policy map for the MPLS domain:
enable configure terminal policy-map exp7 class exp7 set mpls experimental topmost 2 end
Related Commands
|
Command |
Description |
|---|---|
|
bandwidth (policy-map class) |
Specifies or modifies the bandwidth allocated for a class belonging to a policy map. |
|
class (policy-map) |
Specifies the name of the class whose policy you want to create or change, and its default class before you configure its policy. |
|
class class-default |
Specifies the default class whose bandwidth is to be configured or modified. |
|
class-map |
Creates a class map to be used for matching packets to a specified class. |
|
fair-queue (class-default) |
Specifies the number of dynamic queues to be reserved for use by the class-default class as part of the default class policy. |
|
match access-group |
Configures the match criteria for a class map on the basis of the specified ACL. |
|
queue-limit |
Specifies or modifies the maximum number of packets that the queue can hold for a class policy configured in a policy map. |
|
random-detect (interface) |
Enables WRED or DWRED. |
|
random-detect exponential-weighting-constant |
Configures the WRED and DWRED exponential weight factor for the average queue size calculation. |
|
random-detectservice-policy precedence |
Configures WRED and DWRED parameters for a particular IP precedence. |
|
service-policy |
Attaches a policy map to an input interface or VC or an output interface or VC to be used as the service policy for that interface or VC. |
|
set atm-clp precedence |
Sets the ATM CLP bit when a policy map is configured. |
policy-map type control
To create or modify a control policy map, which defines an Intelligent Services Gateway (ISG) control policy, use the policy-map type controlcommand in global configuration mode. To delete the control policy map, use the no form of this command.
Syntax Description
|
tag |
Network Admission Control (NAC) specific policy type. |
|
policy-map-name |
Name of the control policy map. |
Command History
|
Release |
Modification |
|---|---|
|
12.2(28)SB |
This command was introduced. |
|
12.2(33)SXI |
This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SXI. |
|
Cisco IOS XE 2.3 |
This command was integrated into a release earlier than Cisco IOS XE Release 2.3. |
|
15.0(1)M |
This command was modified in a release earlier than 15.0(1)M. The tag keyword and policy-map-name argument were added. |
Usage Guidelines
Control policies define the actions that your system will take in response to specified events and conditions.
A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed.
There are three steps involved in defining a control policy:
- Create one or more control class, maps by using the class-map type control command.
- Create a control policy, map by using the policy-map type control command.
A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.
- Apply the control policy map to a context by using the service-policy type control command.
Examples
The following example shows the configuration of a control policy map called "rule4." Control policy map "rule4" contains one policy rule, which is the association of the control class "class3" with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.
class-map type control match-all class3 match access-type pppoe match domain cisco.com available nas-port-id ! policy-map type control tag rule4 class type control class3 authorize nas-port-id ! service-policy type control rule4
policy-map type service
To create or modify a service policy map, which is used to define an Intelligent Services Gateway (ISG) subscriber service, use the policy-map type servicecommand in global configuration mode. To delete a service policy map, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.2(28)SB |
This command was introduced. |
|
Cisco IOS XE Release 2.4 |
This command was integrated into Cisco IOS Release XE 2.4. |
Usage Guidelines
Use the policy-map type service command to create or modify an ISG service policy map. Service policy maps define ISG subscriber services.
An ISG service is a collection of policies that may be applied to a subscriber session. Services can be defined in service policy maps and service profiles. Service policy maps and service profiles serve the same purpose; the only difference between them is that a service policy map is defined on the local device using the policy-map type servicecommand, and a service profile is configured on an external device, such as an authentication, authorization, and accounting (AAA) server.
Service policy maps and service profiles contain a collection of traffic policies and other functionality. Traffic policies determine which functionality will be applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, a specific type of traffic policy that determines how session data packets will be forwarded to the network.
policy-name
To configure a subscriber policy name, use the policy-name command in service policy map configuration mode. To remove a subscriber policy name, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.2(33)SRC |
This command was introduced. |
|
12.2(33)SB |
This command was integrated into Cisco IOS Release 12.2(33)SB. |
Usage Guidelines
The policy-name command is used with the policy-map type service command and must be configured together with the sg-service-type external-policy command. The policy name configured on the Intelligent Services Gateway (ISG) device must be the name of an existing policy that has already been configured on the SCE device.
policy-peer
To configure a subscriber policy peer connection, use the policy-peercommand in global configuration mode. To remove a subscriber policy peer connection, use the no form of this command.
Syntax Description
|
address |
(Optional) Configures the IP address of the peer that is to be connected. |
|
ip-address |
Specifies the IP address of the peer to be connected. |
|
keepalive |
Configures the keepalive value to be used to monitor the peering relationship. |
|
seconds |
Keepalive value, in seconds. Range: 5 to 3600. Default: 0. |
Command History
|
Release |
Modification |
|---|---|
|
12.2(33)SRC |
This command was introduced. |
|
12.2(33)SB |
This command was integrated into Cisco Release 12.2(33)SB. |
Usage Guidelines
Use the keepalive keyword with the policy-peer command to monitor the peering relationship between the Intelligent Services Gateway (ISG) device and the Service Control Engine (SCE). When the ISG and SCE establish a peering relationship, they negotiate the lowest keepalive value between them. If the ISG keepalive value is set to zero (0), the ISG accepts the value proposed by the SCE. The SCE sends keepalive packets at specified intervals. If twice the time specified by the seconds argument goes by without the ISG receiving a keepalive packet from the SCE, the peering relationship is ended. The ISG ignores any messages from the SCE unless they are messages to establish peering.
port
To specify the port on which a device listens for RADIUS requests from configured RADIUS clients, use the port command in dynamic authorization local server configuration mode. To restore the default, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.2(28)SB |
This command was introduced. |
|
Cisco IOS XE Release 2.6 |
This command was integrated into Cisco IOS XE Release 2.6. |
Usage Guidelines
A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the port command to specify the ports on which the router will listen for requests from RADIUS clients.
prepaid config
To enable prepaid billing for an Intelligent Services Gateway (ISG) service and to reference a configuration of prepaid billing parameters, use the prepaid config command in service policy traffic class configuration mode. To disable prepaid billing for a service, use the no form of this command.
Syntax Description
|
name-of-configuration |
A named configuration of prepaid billing parameters. |
|
default |
The default configuration of prepaid billing parameters. |
Usage Guidelines
ISG prepaid billing is enabled in a service policy map on the router by entering the prepaid config command, or in a service profile on the authentication, authorization, and accounting (AAA) server by using the prepaid vendor-specific attribute (VSA). The prepaid config command and prepaid VSA reference a configuration that contains specific prepaid billing parameters.
To create or modify a prepaid billing parameter configuration, use the subscriber feature prepaid command to enter prepaid configuration mode. A default prepaid configuration exists with the following parameters:
subscriber feature prepaid default threshold time 0 seconds threshold volume 0 bytes method-list authorization default method-list accounting default password cisco
The default configuration will not show up in the output of the show running-config command unless you change any one of the parameters.
The parameters of named prepaid configurations are inherited from the default configuration, so if you create a named prepaid configuration and want only one parameter to be different from the default configuration, you have to configure only that parameter.
Examples
The following example shows prepaid billing enabled in a service called "mp3". The prepaid billing parameters in the configuration "conf-prepaid" will be used for "mp3" prepaid sessions.
policy-map type service mp3 class type traffic CLASS-ACL-101 authentication method-list cp-mlist accounting method-list cp-mlist prepaid config conf-prepaid subscriber feature prepaid conf-prepaid threshold time 20 threshold volume 0 method-list accounting ap-mlist method-list authorization default password cisco
proxy (ISG RADIUS proxy)
To configure an Intelligent Services Gateway (ISG) device to send RADIUS packets to a method list, use the proxy command in control policy-map class configuration mode. To remove this action from the control policy, use the no form of this command.
Syntax Description
|
action-number |
Number of the action. Actions are executed sequentially within the policy rule. |
|
aaa list |
(Optional) Specifies that RADIUS packets will be sent to an authentication, authorization, and accounting (AAA) method list. |
|
list-name |
Name of the AAA method list to which RADIUS packets are sent. |
|
default |
Specifies that RADIUS packets will be sent to the default RADIUS server. |
|
accounting aaa list |
Defines a method list to which accounting is sent. |
|
acc-list-name |
Name of the accounting AAA method list to which RADIUS packets are sent. |
Usage Guidelines
The proxy command is used to configure a control policy that causes ISG to forward RADIUS packets to a specified AAA method list. The method list must be configured with the aaa accountingcommand.
Control policies define the actions that the system takes in response to specified events and conditions. A control policy is made up of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
The accounting aaa list keyword is used configure the ISG device to forward incoming accounting requests from the SCE device to the AAA server.
Examples
The following example configures an accounting method list called "LIST-LOCAL". The server group called "AAA-GROUP1" is the method specified in the method list. A control policy called "POLICY-LOCAL" is configured with a policy rule that causes ISG to forward SCE accounting packets to the server group defined in method list "LIST-LOCAL".
Router(config)# aaa accounting network LIST-LOCAL start-stop group AAA-GROUP1 Router(config)# policy-map type control POLICY-LOCAL Router(config-control-policymap)# class type control always event acct-notification Router(config-control-policymap-class)# 1 proxy accounting aaa list LIST-LOCAL
radius filter
To filter RADIUS packets that are received by the Intelligent Services Gateway (ISG), use the radius filter command in global configuration mode. To remove the RADIUS packet filter configuration, use the no form of this command.
Usage Guidelines
Use the radius filter command to enable ISG to filter RADIUS packets based on the filter criteria. Use this command along with match , matchnot , and filter commands.Examples
The following example shows how to configure a RADIUS packet filter with the match-all keyword.
Device(config)# radius filter match-all filter1
Related Commands
| Command | Description |
|---|---|
|
filter (ISG RADIUS proxy) |
Applies ISG RADIUS packet filters to the RADIUS proxy server or client. |
|
match (radius-filter) |
Configures a condition to check for a filter match criterion. |
|
matchnot (radius-filter) |
Configures a condition to check for a filter criterion that does not match. |
radius-server attribute 31
To configure Calling-Station-ID (attribute 31) options, use the radius-server attribute 31command in global configuration mode. To disable the Calling-Station-ID (attribute 31) options, use the no form of this command.
Syntax Description
|
append-circuit-id |
Appends the PPPoE tag circuit-id and the nas-port-id to the calling-station-id. |
|
mac format |
Specifies the format of the MAC address in the Calling Station ID. Select one of the following three options:
|
|
remote-id |
Sends the remote ID as the Calling Station ID in the accounting records and access requests. |
|
send nas-port-detail |
Includes all NAS port details in the Calling Station ID. |
|
mac-only |
(Optional) Includes the MAC address only, if available, in the Calling Station ID. |
Command History
|
Release |
Modification |
|---|---|
|
12.2(28)SB |
This command was introduced. |
|
12.2(31)SB2 |
The mac format default ,the mac format ietf ,the mac format unformatted ,and the send nas-port-detail [mac-only] keyword options were added. |
|
12.2(33)SRC |
This command was integrated into Cisco IOS Release 12.2(33)SRC. |
|
15.0(1)M |
This command was integrated into Cisco IOS Release 15.0(1)M. |
Usage Guidelines
- For PPP over Ethernet over ATM (PPPoEoA) sessions:
When the send nas-port-detail keyword and the mac-only option are configured, the Calling-Station-ID (attribute 31) information is sent in Access and Accounting requests in the following format:
host.domain:vp_descr:vpi:vci
- For PPP over Ethernet over Ethernet (PPPoEoE) sessions:
When the send nas-port-detail keyword and the mac-only option are configured, the Calling-Station-ID (attribute 31) information is sent in Access and Accounting requests in the following format:
mac_addr
- For PPP over ATM sessions:
When the send nas-port-detail keyword and the mac-only option are configured, the Calling-Station-ID (attribute 31) information is sent in Access and Accounting requests in the following format:
host.domain:vp_descr:vpi:vci
- For Intelligent Services Gateway RADIUS Proxy sessions:
When DHCP lease query is used, ISG RADIUS proxy recieves MAC address as well as MSISDN as the Calling-Station-ID (attribute 31) from the downstream device. Therefore, ISG RADIUS proxy must be configured to choose one of them as the Calling Station ID and send it to the ISG accounting records.
The following example shows how to specify the MAC address in the Calling Station ID to be displayed in IETF format:
Router(config)# radius-server attribute 31 mac format ietf
The following example shows how to allow the remote ID to be sent as the Calling Station ID:
Router(config)# radius-server attribute 31 remote-id
The following example shows how to allow the NAS port details to be included in the Calling Station ID:
Router(config)# radius-server attribute 31 send nas-port-detail
The following example shows how to allow only the MAC address, if available, to be included in the Calling-Station-ID:
Router(config)# radius-server attribute 31 send nas-port-detail mac-onl
radius-server attribute nas-port-id include
To include DHCP option 60 and option 82 (that is, any combination of circuit ID, remote ID, and vendor-class ID) in the NAS-Port-ID to authenticate a user, use the radius-server attribute nas-port-id include command in global configuration mode. To return to the default behavior, use the no form of this command.
Syntax Description
|
identifier1,2,3 |
Identifier for authorization. Valid keywords are:
|
|
plus |
(Optional) Separates identifiers if more than one is specified. |
|
separator separator |
(Optional) Symbol to be used for separating identifiers in accounting records and authentication requests. The symbol can be any alphanumeric character. The colon (:) is the default separator. |
Command Default
The NAS-Port-ID is populated with the Intelligent Services Gateway (ISG) interface that received the DHCP relay agent information packet; for example, Ethernet1/0.
Command History
|
Release |
Modification |
|---|---|
|
12.2(33)SRD |
This command was introduced. |
|
Cisco IOS XE Release 3.1S |
This command was integrated into Cisco IOS XE Release 3.1S. |
Usage Guidelines
When you use the radius-server attribute nas-port-id include command, you must specify at least one ID. You can use a single ID or any combination of the three, in any order. If you use more than one ID, use the pluskeyword between each pair as a separator.
The NAS-Port-ID is shown in the accounting records as it is specified in this command, with the plus keyword replaced by a separator. The colon (:) is the default separator.
When the NAS-Port-ID is selected as the identifier for authorization, the NAS-Port-ID is sent as part of the username in the authentication request. It is sent as specified in this command, preceded by the string "nas-port:".
Examples
The following example shows an authentication request that specifies a circuit ID, a remote ID, and a vendor-class ID:
Router(config)# radius-server attribute nas-port-id include circuit-id plus remote-id plus vendor-class-id
If the circuit ID is "xyz", the remote ID is "abc", and the vendor-class ID is "123", the NAS-Port-ID will be sent to the accounting records as "abc:xyz:123" and the username will be sent as "nas-port:abc:xyz:123" in the authentication request.
The following example shows an authentication request that specifies a circuit ID and a vendor-class ID and also specifies a separator, "#":
Router(config)# radius-server attribute nas-port-id include circuit-id plus vendor-class-id separator #
If the circuit ID is "xyz" and the vendor-class ID is "123", the NAS-Port-ID will be sent to the accounting records as "xyz#123" and the username will be sent as "nas-port:xyz#123" in the authentication request.
re-authenticate do-not-apply
To prevent Intelligent Services Gateway (ISG) from applying data from reauthentication profiles to subscriber sessions, use the re-authenticate do-not-applycommand in RADIUS proxy server configuration or RADIUS proxy client configuration mode. To return to the default value, use the no form of this command.
Command Modes
RADIUS proxy server configuration (config-locsvr-proxy-radius)
RADIUS proxy client configuration (config-locsvr-radius-client)
Usage Guidelines
The re-authenticate do-not-apply command prevents ISG from updating the subscriber session with data from a reauthentication profile. During the Extensible Authentication Protocol (EAP) authentication process, for example, ISG will not update the subscriber session with the user-name from the reauthentication profile if this command is configured.
This command can be configured globally for all RADIUS proxy clients, or it can be configured for specific clients. The client-specific configuration of this command overrides the global configuration.
Examples
The following example shows how to prevent ISG from applying reauthentication data to subscriber sessions, for all RADIUS proxy clients:
aaa server radius proxy re-authenticate do-not-apply
redirect log translations
To enable the Layer 4 Redirect Logging feature for Intelligent Services Gateway (ISG), use the redirect log translations command in global configuration mode. To disable Layer 4 redirect logging, use the no form of this command.
Syntax Description
| basic |
Exports Layer 4 redirect translation event information using the basic template format. |
| extended |
Exports Layer 4 translation event information using the extended template format, which includes additional debugging information. |
| exporter-name |
Name of the flow exporter to use for exporting the logging information, as defined by the flow exporter command. |
Usage Guidelines
The redirect log translations command allows ISG to export records for Layer 4 redirect translation events to an external collector. These records can be used to identify users with applications that do not react to HTTP redirect.
The name of the flow exporter specified for the exporter-name argument must be configured with the flow exporter command before using the redirect log translations command.
For a description of the fields included in the basic and extended template formats, see the "Configuring Layer 4 Redirect Logging" chapter in the Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S.
Examples
The following example shows that the flow exporter named L4R-EXPORTER is assigned as the exporter to use for logging redirect translations. There are two types of export templates for Layer 4 redirect logging: IPv4 and IPv6.
flow exporter L4R-EXPORTER destination 172.16.10.3 transport udp 90 ! ! redirect log translations basic exporter L4R-EXPORTER
redirect server-group
To define a group of one or more servers that make up a named Intelligent Services Gateway (ISG) Layer 4 redirect server group, use the redirect server-group command in global configuration mode. To remove a redirect server group and any servers configured within that group, use the no form of this command.
Usage Guidelines
Use the redirect server-group command to define and name an ISG Layer 4 redirect server group. Packets sent upstream from an unauthenticated subscriber can be forwarded to the server group, which will deal with the packets in a suitable manner, such as routing them to a logon page. You can also use server groups to handle requests from authorized subscribers who request access to services to which they are not logged in and for advertising captivation.
After defining a redirect server group with the redirect server-group command, add individual servers to the server group by using the server ip command. The server group must contain at least one redirect server before it can be configured under a traffic class service.
The IP addresses of all the servers configured under a redirect group must be either IPv4 or IPv6. A mix of IPv4 and IPv6 redirect server addresses within the same server group is not supported.
Examples
The following example shows the configuration of a server group named PORTAL that contains two servers, both with an IPv4 address:
redirect server-group PORTAL server ip 10.2.36.253 port 80 server ip 10.76.86.83 port 81
The following example shows the configuration of a server group named PORTAL2 that contains two servers, both with an IPv6 address:
redirect server-group PORTAL2 server ip 2001:DB8:C003:12::2918 port 8080 server ip 2001:DB8:1:1::26/64 port 8081
Related Commands
|
Command |
Description |
|---|---|
|
redirect to (ISG) |
Redirects ISG Layer 4 traffic to a specified server or server group. |
|
server ip |
Adds a server to an ISG Layer 4 redirect server group. |
|
show redirect group |
Displays information about ISG Layer 4 redirect server groups. |
|
show redirect translations |
Displays information about the ISG Layer 4 redirect mappings for subscriber sessions. |
redirect session-limit
To set the maximum number of Layer 4 redirects allowed for each Intelligent Services Gateway (ISG) subscriber session, use the redirect session-limit command in global configuration mode. To reset the maximum number to the default, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.2(33)SB8 |
This command was introduced. |
|
12.2(33)XNE1 |
This command was integrated into Cisco IOS Release 12.2(33)XNE1. |
|
12.2(33)SRD4 |
This command was integrated into Cisco IOS Release 12.2(33)SRD4. |
|
12.2(33)SRE1 |
This command was integrated into Cisco IOS Release 12.2(33)SRE1. |
|
Cisco IOS XE Release 3.5S |
This command was modified. Support for IPv6 sessions was added. |
Usage Guidelines
The redirect session-limit command limits the number of redirect translations that can be created by unauthenticated subscribers that are redirected to the server group.
The maximum number applies to both IPv4 and IPv6 single-stack sessions. For dual-stack sessions, this command limits the total translations per subscriber; IPv4 and IPv6 translations are added together.
Examples
The following example limits the number of L4 redirects to five for a single session:
Router(config)# redirect session-limit 5
Related Commands
|
Command |
Description |
|---|---|
|
redirect server-group |
Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group. |
|
redirect to (ISG) |
Redirects ISG Layer 4 traffic to a specified server or server group. |
|
show redirect translations |
Displays information about the ISG Layer 4 redirect mappings for subscriber sessions. |
redirect to (ISG)
To redirect Intelligent Services Gateway (ISG) Layer 4 traffic to a specified server or server group, use the redirect to command in service policy-map class configuration mode. To disable redirection, use the no form of this command.
Syntax Description
|
group server-group-name |
Server group to which traffic will be redirected. |
|
ip server-ip-address |
IP address of the server to which traffic will be redirected. |
|
port port-number |
(Optional) Port number on the server to which traffic will be redirected. |
|
duration seconds |
(Optional) Amount of time, in seconds, for which traffic will be redirected, beginning with the first packet that gets redirected. |
|
frequency seconds |
(Optional) Period of time, in seconds, between redirect activations. |
Command History
|
Release |
Modification |
|---|---|
|
12.2(28)SB |
This command was introduced. |
|
12.2(33)SRE |
This command was modified. It was removed from interface configuration mode. |
|
Cisco IOS XE Release 2.5 |
This command was modified. It was removed from interface configuration mode. |
|
Cisco IOS XE Release 3.5S |
This command was modified. The server-ip-address argument accepts IPv6 addresses. |
Usage Guidelines
The redirect to command redirects specified Layer 4 subscriber packets to servers that handle the packets in a specified manner.
A redirect server group is defined with the redirect server-group command. The server group must contain at least one redirect server, defined with the server ip command, before it can be configured under a traffic class service.
The ISG Layer 4 Redirect feature supports three types of redirection, which can be applied to subscriber sessions or to flows:
- Permanent redirection--Specified traffic is redirected to the specified server all the time.
- Initial redirection--Specified traffic is redirected for a specific duration of time only, starting from when the feature is applied.
- Periodic redirection--Specified traffic is periodically redirected. The traffic is redirected for a specified duration of time. The redirection is then suspended for another specified duration. This cycle is repeated.
This command can be configured only once under any traffic class service on the Cisco ASR 1000 Series Router.
Redirecting Layer 4 Traffic to a Server Group: Example
The following example redirects Layer 4 traffic to the servers specified in server group "ADVT-SERVER":
policy-map type service L4R-SERVICE
class type traffic L4R-TC
redirect to group ADVT-SERVER
Redirecting Layer 4 Traffic to a Specific IP Address: Examples
The following example configures ISG to redirect all traffic coming from the subscriber interface to 10.2.36.253. The destination port is left unchanged, so traffic to 10.10.10.10 port 23 is redirected to 10.2.36.253 port 23, and traffic to 10.4.4.4 port 80 is redirected to 10.2.36.253 port 80.
redirect to ip 10.2.36.253
The following example configures ISG to redirect all traffic coming from the subscriber interface to 2001:DB8:C003:12::2918 port 80:
redirect to ip 2001:DB8:C003:12::2918 port 80
Initial Redirection: Example
The following example redirects all traffic to the servers configured in the server group "ADVT-SERVER" for the first 60 seconds of the session and then stops redirection for the rest of the lifetime of the session:
redirect to group ADVT-SERVER duration 60
Periodic Redirection: Example
The following example redirects all traffic to server group "ADVT-SERVER" for 60 seconds, every 3600 seconds. That is, the traffic will be redirected for 60 seconds, and subsequently the redirection is suspended for 3600 seconds, after which redirection resumes again for 60 seconds, and so on.
redirect to group ADVT-SERVER duration 60 frequency 3600
Related Commands
|
Command |
Description |
|---|---|
|
redirect server-group |
Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group. |
|
server ip |
Adds a server to an ISG Layer 4 redirect server group. |
|
show redirect group |
Displays information about ISG Layer 4 redirect server groups. |
|
show redirect translations |
Displays information about the ISG Layer 4 redirect mappings for subscriber sessions. |
server ip
To add a server to an Intelligent Services Gateway (ISG) Layer 4 redirect server group, use the server ip command in Layer 4 redirect server group configuration mode. To remove a server from a redirect server group, use the no form of this command.
Usage Guidelines
Use the server ip command in Layer 4 redirect server group configuration mode to add a server, defined by its IP address and TCP port, to a redirect server group. The server ip command can be entered more than once to add multiple servers to the server group.
ISG Layer 4 redirection provides nonauthorized users with access to controlled services. Packets sent upstream from an unauthenticated user are forwarded to the server group, which deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services to which they are not logged in.
Examples
The following example adds a server at IP address 10.0.0.0 and TCP port 8080 and a server at IP address 10.1.2.3 and TCP port 8081 to a redirect server group named "ADVT-SERVER":
redirect server-group ADVT-SERVER server ip 10.0.0.0 port 8080 server ip 10.1.2.3 port 8081
Related Commands
|
Command |
Description |
|---|---|
|
redirect server-group |
Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group. |
|
redirect to (ISG) |
Redirects ISG Layer 4 traffic to a specified server or server group. |
|
show redirect group |
Displays information about ISG Layer 4 redirect server groups. |
|
show redirect translations |
Displays information about the ISG Layer 4 redirect mappings for subscriber sessions. |
server-key
To configure the RADIUS key to be shared between a device and RADIUS clients, use the server-key command in dynamic authorization local server configuration mode. To remove this configuration, use the no form of this command.
Syntax Description
|
0 |
(Optional) An unencrypted key will follow. |
|
7 |
(Optional) A hidden key will follow. |
|
word |
Unencrypted server key. |
Command History
|
Release |
Modification |
|---|---|
|
12.2(28)SB |
This command was introduced. |
|
Cisco IOS XE Release 2.6 |
This command was integrated into Cisco IOS XE Release 2.6. |
Usage Guidelines
A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the server-key command to configure the key to be shared between the Intelligent Services Gateway (ISG) and RADIUS clients.
service (ISG)
To specify a network service type for PPP sessions, use the service command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.
Syntax Description
|
action-number |
Number of the action. Actions are executed sequentially within the policy rule. |
|
disconnect |
Disconnect the session. |
|
local |
Locally terminate the session. |
|
VPDN |
Virtual Private Dialup Network (VPDN) tunnel service. |
Usage Guidelines
The servicecommand configures an action in a control policy map.
Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
service deny (ISG)
To deny network service to the Intelligent Services Gateway (ISG) subscriber session, use the service deny command in service policy-map configuration mode. To remove the configuration, use the no form of this command.
Usage Guidelines
The service deny command denies network service to subscriber sessions that use the service policy map.
service local (ISG)
To specify local termination service in an Intelligent Services Gateway (ISG) service policy map, use the service local command in service policy-map configuration mode. To remove the service, use the no form of this command.
Usage Guidelines
The service local command is used to configure local termination service in a service policy map defined with the policy-map type service command.
When you configure the service local command in a service policy map, you can also use the ip vrf forwarding command to specify the routing domain in which to terminate the session. If you do not specify the routing domain, the global virtual routing and forwarding instance (VRF) will be used.
Examples
The following example provides local termination service to subscriber sessions for which the "my_service" service policy map is activated:
! policy-map type service my_service service local
Related Commands
|
Command |
Description |
|---|---|
|
ip vrf forwarding (service policy map) |
Associates the service with a VRF. |
|
policy-map type service |
Creates or modifies a service policy map, which is used to define an ISG service. |
|
service vpdn group |
Provides VPDN service. |
|
vpdn-group |
Associates a VPDN group with a customer or VPDN profile. |
service relay (ISG)
To enable relay of PPPoE Active Discovery (PAD) messages over a Layer 2 Tunnel Protocol (L2TP) tunnel for an Intelligent Services Gateway (ISG) subscriber session, use the service relaycommand in service policy-map configuration mode. To disable message relay, use the no form of this command.
Syntax Description
|
pppoe |
Provides relay service using PPP over Ethernet (PPPoE) using a virtual private dialup network (VPDN) L2TP tunnel for the relay. |
|
vpdn group vpdn-group-name |
Provides VPDN service by obtaining the configuration from a predefined VPDN group. |
service vpdn group (ISG)
To provide virtual private dialup network (VPDN) service for Intelligent Services Gateway (ISG) subscriber sessions, use the service vpdn groupcommand in service policy-map configuration mode. To remove VPDN service, use the no form of this command.
Syntax Description
|
vpdn-group-name |
Provides the VPDN service by obtaining the configuration from a predefined VPDN group. |
Usage Guidelines
The service vpdn group command provides VPDN service by obtaining the configuration from a predefined VPDN group.
A service configured with the service vpdn group command (or corresponding RADIUS attribute) is a primary service.
service-monitor
To configure service monitoring for sessions on the Service Control Engine (SCE) that use the configured Intelligent Services Gateway (ISG) service, use the service-monitorcommand in service policy map configuration mode. To remove service monitoring, use the no form of this command.
Usage Guidelines
The service-monitor command is used with the policy-map type service command and must be configured together with the sg-service-type external-policy command.
service-policy
To attach a policy map to an input interface, a virtual circuit (VC), an output interface, or a VC that will be used as the service policy for the interface or VC, use the service-policy command in the appropriate configuration mode. To remove a service policy from an input or output interface or from an input or output VC, use the no form of this command.
Cisco 10000 Series and Cisco 7600 Series Routers
Syntax Description
|
type access-control |
(Optional) Determines the exact pattern to look for in the protocol stack of interest. |
|
input |
Attaches the specified policy map to the input interface or input VC. |
|
output |
Attaches the specified policy map to the output interface or output VC. |
|
policy-map-name |
The name of a service policy map (created using the policy-map command) to be attached. The name can be a maximum of 40 alphanumeric characters in length. |
|
history |
(Optional) Maintains a history of quality of service (QoS) metrics. |
|
type control control-policy-name |
(Optional) Creates a Class-Based Policy Language (CPL) control policy map that is applied to a context. |
Command Default
No service policy is specified. A control policy is not applied to a context. No policy map is attached.
Command Modes
ATM VC bundle configuration (config-atm-bundle)
ATM PVP configuration (config-if-atm-l2trans-pvp)
ATM VC configuration mode (config-if-atm-vc)
Ethernet service configuration (config-if-srv)
Global configuration (config)
Interface configuration (config-if)
Static maps class configuration (config-map-class)
ATM PVC-in-range configuration (cfg-if-atm-range-pvc)
Subinterface configuration (config-subif)
Command History
|
Release |
Modification |
|---|---|
|
12.0(5)T |
This command was introduced. |
|
12.0(5)XE |
This command was integrated into Cisco IOS Release 12.0(5)XE. |
|
12.0(7)S |
This command was integrated into Cisco IOS Release 12.0(7)S. |
|
12.0(17)SL |
This command was implemented on the Cisco 10000 series routers. |
|
12.1(1)E |
This command was integrated into Cisco IOS Release 12.1(1)E. |
|
12.1(2)T |
This command was modified to enable low latency queueing (LLQ) on Frame Relay VCs. |
|
12.2(14)SX |
Support for this command was implemented on Cisco 7600 series routers. Support was added for output policy maps. |
|
12.2(15)BX |
This command was implemented on the ESR-PRE2. |
|
12.2(17d)SXB |
This command was implemented on the Supervisor Engine 2 and integrated into Cisco IOS Release 12.2(17d)SXB. |
|
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
|
12.4(2)T |
This command was modified. Support was added for subinterface configuration mode and for ATM PVC-in-range configuration mode to extend policy map functionality on an ATM VC to the ATM VC range. |
|
12.4(4)T |
The type stack and type control keywords were added to support flexible packet matching (FPM). |
|
12.2(28)SB |
This command was integrated into Cisco IOS Release 12.2(28)SB and implemented on the Cisco 10000 series router. |
|
12.2(31)SB2 |
This command was integrated into Cisco IOS Release 12.2(31)SB2. |
|
12.3(7)XI2 |
This command was modified to support subinterface configuration mode and ATM PVC-in-range configuration mode for ATM VCs on the Cisco 10000 series router and the Cisco 7200 series router. |
|
12.2(18)ZY |
The type stack and type control keywords were integrated into Cisco IOS Release 12.2(18)ZY on the Catalyst 6500 series of switches equipped with the Programmable Intelligent Services Accelerator (PISA). |
|
12.2(33)SRC |
Support for this command was enhanced on Cisco 7600 series routers. |
|
12.2(33)SB |
This command was modified. The command was implemented on the Cisco 10000 series router for the PRE3 and PRE4. |
|
Cisco IOS XE Release 2.3 |
This command was modified to support ATM PVP configuration mode. |
|
12.4(18e) |
This command was modified to prevent simultaneous configuration of legacy traffic-shaping and Cisco Modular QoS CLI (MQC) shaping on the same interface. |
|
Cisco IOS XE Release 3.3S |
This command was modified to support Ethernet service configuration mode. |
|
Cisco IOS XE Release 3.5S |
This command was modified. An error displays if you try to configure the service-policy input or service-policy output command when the ip subscriber interface command is already configured on the interface. |
|
15.2(1)S |
This command was modified to allow simultaneous nonqueueing policies to be enabled on subinterfaces. |
Usage Guidelines
The table below shows which configuration mode to choose based on the intended use of the command.
| Table 1 | Configuration Modes Based on Command Application |
|
Application |
Mode |
|---|---|
|
Standalone VC |
ATM VC submode |
|
ATM VC bundle members |
ATM VC Bundle configuration |
|
A range of ATM PVCs |
Subinterface configuration |
|
Individual PVC within a PVC range |
ATM PVC-in-range configuration |
|
Frame Relay VC |
Static maps class configuration |
|
Ethernet services, Ethernet VCs (EVCs) |
Ethernet service configuration |
You can attach a single policy map to one or more interfaces or to one or more VCs to specify the service policy for those interfaces or VCs.
A service policy specifies class-based weighted fair queueing (CBWFQ). The class policies that make up the policy map are then applied to packets that satisfy the class map match criteria for the class.
Before you can attach a policy map to an interface or ATM VC, the aggregate of the configured minimum bandwidths of the classes that make up the policy map must be less than or equal to 75 percent (99 percent on the Cisco 10008 router) of the interface bandwidth or the bandwidth allocated to the VC.
Before you can enable low latency queueing (LLQ) for Frame Relay (priority queueing [PQ]/CBWFQ), you must first enable Frame Relay traffic shaping (FRTS) on the interface using the frame-relay traffic-shaping command in interface configuration mode. You then attach an output service policy to the Frame Relay VC using the service-policy command in Static maps class configuration mode.
To attach a policy map to an interface or ATM VC, the aggregate of the configured minimum bandwidths of the classes that make up the policy map must be less than or equal to 75 percent of the interface bandwidth or the bandwidth allocated to the VC. For a Frame Relay VC, the total amount of bandwidth allocated must not exceed the minimum committed information rate (CIR) configured for the VC less any bandwidth reserved by the frame-relay voice bandwidth or frame-relay ip rtp priority Static maps class configuration mode commands. If these values are not configured, the minimum CIR defaults to half of the CIR.
Configuring CBWFQ on a physical interface is possible only if the interface is in the default queueing mode. Serial interfaces at E1 (2.048 Mbps) and below use weighted fair queueing (WFQ) by default. Other interfaces use first-in first-out (FIFO) by default. Enabling CBWFQ on a physical interface overrides the default interface queueing method. Enabling CBWFQ on an ATM permanent virtual circuit (PVC) does not override the default queueing method.
When you attach a service policy with CBWFQ enabled to an interface, commands related to fancy queueing such as those pertaining to fair queueing, custom queueing, priority queueing, and Weighted Random Early Detection (WRED) are available using the modular quality of service CLI (MQC). However, you cannot configure these features directly on the interface until you remove the policy map from the interface.
You can modify a policy map attached to an interface or VC, changing the bandwidth of any of the classes that make up the map. Bandwidth changes that you make to an attached policy map are effective only if the aggregate of the bandwidth amount for all classes that make up the policy map, including the modified class bandwidth, is less than or equal to 75 percent of the interface bandwidth or the VC bandwidth. If the new aggregate bandwidth amount exceeds 75 percent of the interface bandwidth or VC bandwidth, the policy map is not modified.
After you apply the service-policy command to set a class of service (CoS) bit to an Ethernet interface, the policy remains active as long as there is a subinterface that is performing 8021.Q or Inter-Switch Link (ISL) trunking. Upon reload, however, the service policy is removed from the configuration with the following error message:
Process "set" action associated with class-map voip failed: Set cos supported only with IEEE 802.1Q/ISL interfaces.
Simultaneous Nonqueueing QoS Policies
Note | If both the PVC or DLCI and subinterface policies are applied under the same subinterface, the policy under the PVC or DLCI takes precedence and the subinterface policy has no effect. |
Cisco 10000 Series Router Usage Guidelines
The Cisco 10000 series router does not support applying CBWFQ policies to unspecified bit rate (UBR) VCs.
To attach a policy map to an interface or a VC, the aggregate of the configured minimum bandwidth of the classes that make up the policy map must be less than or equal to 99 percent of the interface bandwidth or the bandwidth allocated to the VC. If you attempt to attach a policy map to an interface when the sum of the bandwidth assigned to classes is greater than 99 percent of the available bandwidth, the router logs a warning message and does not allocate the requested bandwidth to all of the classes. If the policy map is already attached to other interfaces, it is removed from them.
The total bandwidth is the speed (rate) of the ATM layer of the physical interface. The router converts the minimum bandwidth that you specify to the nearest multiple of 1/255 (ESR-PRE1) or 1/65,535 (ESR-PRE2) of the interface speed. When you request a value that is not a multiple of 1/255 or 1/65,535, the router chooses the nearest multiple.
The bandwidth percentage is based on the interface bandwidth. In a hierarchical policy, the bandwidth percentage is based on the nearest parent shape rate.
By default, a minimum bandwidth guaranteed queue has buffers for up to 50 milliseconds of 256-byte packets at line rate, but not less than 32 packets.
For Cisco IOS Release 12.0(22)S and later releases, to enable LLQ for Frame Relay (priority queueing (PQ)/CBWFQ) on the Cisco 10000 series router, first create a policy map and then assign priority to a defined traffic class using the priority command. For example, the following sample configuration shows how to configure a priority queue with a guaranteed bandwidth of 8000 kb/s. In the example, the Business class in the policy map named "map1" is configured as the priority queue. The map1 policy also includes the Non-Business class with a minimum bandwidth guarantee of 48 kb/s. The map1 policy is attached to serial interface 2/0/0 in the outbound direction.
class-map Business match ip precedence 3 policy-map map1 class Business priority police 8000 class Non-Business bandwidth 48 interface serial 2/0/0 frame-relay encapsulation service-policy output map1
On the PRE2, you can use the service-policy command to attach a QoS policy to an ATM subinterface or to a PVC. However, on the PRE3, you can attach a QoS policy only to a PVC.
Cisco 7600 Series Routers
The output keyword is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Do not attach a service policy to a port that is a member of an EtherChannel.
Although the CLI allows you to configure QoS based on policy feature cards (PFCs) on the WAN ports on the OC-12 ATM optical services modules (OSM) and on the WAN ports on the channelized OSMs, PFC-based QoS is not supported on the WAN ports on these OSMs. OSMs are not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 32.
PFC QoS supports the optional output keyword only on VLAN interfaces. You can attach both an input policy map and an output-policy map to a VLAN interface.
Cisco 10000 Series Routers Control Policy Maps
Activate a control policy map by applying it to a context. A control policy map can be applied to one or more of the following types of contexts, which are listed in order of precedence:
In general, control policy maps that are applied to more specific contexts take precedence over policy maps applied to more general contexts. In the list, the context types are numbered in order of precedence. For example, a control policy map that is applied to a permanent virtual circuit (PVC) takes precedence over a control policy map that is applied to an interface.
Control policies apply to all sessions hosted on the context. Only one control policy map can be applied to a given context.
Abbreviated Form of the service-policy Command
In Cisco IOS Release 12.2(33)SB and later releases, the router does not accept the abbreviated form (ser) of the service-policy command. Instead, you must spell out the command name service- before the router accepts the command. For example, the following error message displays when you attempt to use the abbreviated form of the service-policy command:
interface GigabitEthernet1/1/0 ser out ? % Unrecognized command ser ? % Unrecognized command
As shown in the following example, when you enter the command as service- followed by a space, the router parses the command as service-policy. Entering the question mark causes the router to display the command options for the service-policy command.
service- ? input Assign policy-map to the input of an interface output Assign policy-map to the output of an interface type Configure CPL Service Policy
In releases prior to Cisco IOS Release 12.2(33)SB, the router accepts the abbreviated form of the service-policy command. For example, the router accepts the following commands:
interface GigabitEthernet1/1/0 ser out test
Examples
The following example shows how to attach a policy map to a Fast Ethernet interface:
interface fastethernet 5/20 service-policy input pmap1
The following example shows how to attach the service policy map named "policy9" to DLCI 100 on output serial interface 1 and enables LLQ for Frame Relay:
interface Serial1/0.1 point-to-point frame-relay interface-dlci 100 class fragment map-class frame-relay fragment service-policy output policy9
The following example shows how to attach the service policy map named "policy9" to input serial interface 1:
interface Serial1 service-policy input policy9
The following example attaches the service policy map named "policy9" to the input PVC named "cisco":
pvc cisco 0/34 service-policy input policy9 vbr-nt 5000 3000 500 precedence 4-7
The following example shows how to attach the policy named "policy9" to output serial interface 1 to specify the service policy for the interface and enable CBWFQ on it:
interface serial1 service-policy output policy9
The following example attaches the service policy map named "policy9" to the output PVC named "cisco":
pvc cisco 0/5 service-policy output policy9 vbr-nt 4000 2000 500 precedence 2-3
Cisco 10000 Series Router Examples
The following example shows how to attach the service policy named "userpolicy" to DLCI 100 on serial subinterface 1/0/0.1 for outbound packets:
interface serial 1/0/0.1 point-to-point frame-relay interface-dlci 100 service-policy output userpolicy
The following example shows how to attach a QoS service policy named "map2" to PVC 0/101 on the ATM subinterface 3/0/0.1 for inbound traffic:
interface atm 3/0/0 atm pxf queueing interface atm 3/0/0.1 pvc 0/101 service-policy input map2
Note | The atm pxf queueing command is not supported on the PRE3 or PRE4. |
The following example shows how to attach a service policy named "myQoS" to physical Gigabit Ethernet interface 1/0/0 for inbound traffic. VLAN 4, configured on Gigabit Ethernet subinterface 1/0/0.3, inherits the service policy of physical Gigabit Ethernet interface 1/0/0.
interface GigabitEthernet 1/0/0 service-policy input myQoS interface GigabitEthernet 1/0/0.3 encapsulation dot1q 4
The following example shows how to apply the policy map named "policy1" to the virtual template named "virtual-template1" for all inbound traffic. In this example, the virtual template configuration also includes Challenge Handshake Authentication Protocol (CHAP) authentication and PPP authorization and accounting.
interface virtual-template1 ip unnumbered Loopback1 no peer default ip address ppp authentication chap vpn1 ppp authorization vpn1 ppp accounting vpn1 service-policy input policy1
The following example shows how to attach the service policy map named "voice" to ATM VC 2/0/0 within a PVC range of a total of three PVCs and enable subinterface configuration mode where a point-to-point subinterface is created for each PVC in the range. Each PVC created as part of the range has the voice service policy attached to it.
configure terminal interface atm 2/0/0 range pvc 1/50 1/52 service-policy input voice
The following example shows how to attach the service policy map named "voice" to ATM VC 2/0/0 within a PVC range, where every VC created as part of the range has the voice service policy attached to it. The exception is PVC 1/51, which is configured as an individual PVC within the range and has a different service policy named "data" attached to it in ATM PVC-in-range configuration mode.
configure terminal interface atm 2/0/0 range pvc 1/50 1/52 service-policy input voice pvc-in-range 1/51 service-policy input data
The following example shows how to configure a service group named "PREMIUM-SERVICE" and apply the input policy named "PREMIUM-MARK-IN" and the output policy named "PREMIUM-OUT" to the service group:
policy-map type service PREMIUM-SERVICE service-policy input PREMIUM-MARK-IN service-policy output PREMIUM-OUT
The following example shows a policy map and interface configuration that supported simultaneous nonqueueing policies:
Policy-map p-map class c-map set mpls experimental imposition 4 interface ATM1/0/0.1 multipoint no atm enable-ilmi-trap xconnect 10.1.1.1 100001 encapsulation mpls service-policy input p-map pvc 1/41 l2transport no epd ! pvc 1/42 l2transport no epd ! pvc 1/43 l2transport no epd interface ATM1/0/0.101 multipoint no atm enable-ilmi-trap pvc 9/41 l2transport xconnect 10.1.1.1 1001011 encapsulation mpls service-policy input p-map ! pvc 10/41 l2transport xconnect 10.1.1.1 1001012 encapsulation mpls !
The following example shows how to attach simultaneous nonqueueing QoS policies on an ATM subinterface and ATM PVC:
interface atm 1/0/0.101 pvc 9/41 service-policy input p-map
Related Commands
|
Command |
Description |
|---|---|
|
class-map |
Accesses QoS class-map configuration mode to configure QoS class maps. |
|
frame-relay ip rtp priority |
Reserves a strict priority queue on a Frame Relay PVC for a set of RTP packet flows belonging to a range of UDP destination ports, |
|
frame-relay traffic-shaping |
Enables both traffic shaping and per-virtual-circuit queueing for all PVCs and SVCs on a Frame Relay interface. |
|
frame-relay voice bandwidth |
Specifies the amount of bandwidth to be reserved for voice traffic on a specific DLCI. |
|
ip subscriber interface |
Creates an ISG IP interface session. |
|
policy-map |
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy. |
|
priority |
Gives priority to a class of traffic belonging to a policy map. |
|
show policy-map |
Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps. |
|
show policy-map interface |
Displays the configuration of all classes configured for all service policies on the specified interface or displays the classes for the service policy for a specific PVC on the interface. |
|
traffic-shape rate |
Enables traffic shaping for outbound traffic on an interface. |
service-policy type control
To apply a control policy to a context, use the service-policy type control command in the appropriate configuration mode. To unapply the control policy, use the no form of this command.
Command Modes
Global configuration Interface configuration Subinterface configuration Virtual template configuration ATM VC class configuration ATM VC configuration
Usage Guidelines
A control policy map must be activated by applying it to a context. A control policy map can be applied to one or more of the following types of contexts:
- Global
- Interface
- Subinterface
- Virtual template
- VC class
- PVC
In general, control policy maps that are applied to more specific contexts take precedence over policy maps applied to more general contexts. In the list, the context types are numbered in order of precedence. For example, a control policy map that is applied to a permanent virtual circuit (PVC) takes precedence over a control policy map that is applied to an interface.
Control policies apply to all sessions hosted on the context.
Only one control policy map may be applied to a given context.
service-policy type service
To activate an Intelligent Services Gateway (ISG) service, use the service-policy type service command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.
Syntax Description
|
action-number |
Number of the action. Actions are executed sequentially within the policy rule. |
|
unapply |
(Optional) Deactivates the specified service. |
|
aaa |
(Optional) Specifies that a AAA method list will be used to activate the service. |
|
list list-name |
(Optional) Activates the service using the specified authentication, authorization, and accounting (AAA) method list. |
|
name service-name |
Name of the service. |
|
identifier |
Activates a service that has the same name as the specified identifier. |
|
authenticated-domain |
Authenticated domain name. |
|
authenticated-username |
Authenticated username. |
|
dnis |
Dialed Number Identification Service number (also referred to as the called-party number ). |
|
nas-port |
Network access server (NAS) port identifier. |
|
tunnel-name |
VPDN tunnel name. |
|
unauthenticated-domain |
Unauthenticated domain name. |
|
unauthenticated-username |
Unauthenticated username. |
Usage Guidelines
The service-policy type servicecommand configures an action in a control policy map. If you do not specify the AAA method list, the default method list will be used.
Note that if you use the default method list, the default list will not appear in the output of the show running-config command. For example, if you configure the following command:
Router(config-control-policymap-class-control)# 1 service-policy type service aaa list default identifier authenticated-domain
the following will display in the output for the show running-config command:
1 service-policy type service identifier authenticated-domain
Named method lists will display in the show running-config command output.
Services are configured in service profiles on the AAA server or in service policy maps on the router.
Examples
The following example configures an ISG control policy that will initiate authentication of the subscriber and then apply a service that has a name matching the subscriber's authenticated domain name:
policy-map type control MY-RULE2 class type control MY-CONDITION2 event service-start 1 authenticate aaa list AUTHEN 2 service-policy type service aaa list SERVICE identifier authenticated-domain
Related Commands
|
Command |
Description |
|---|---|
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
policy-map type control |
Creates or modifies a control policy map, which defines an ISG control policy. |
|
policy-map type service |
Creates or modifies a service policy map, which is used to define an ISG subscriber service. |
session-identifier (ISG)
To correlate RADIUS server requests and identify a session in the Intelligent Services Gateway (ISG) RADIUS proxy, use the session-identifier command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To disable this function, use the no form of this command.
Syntax Description
|
attribute |
Specifies the calling station attribute of the session to be identified. |
|
number |
The attribute number. For example, attribute 1 denotes username. |
|
vsa |
Specifies the vendor-specific attribute (VSA) of the session to be identified. |
|
vendor id |
Specifies the vendor type and ID. |
|
type number |
Specifies the VSA type and number. |
Command Modes
RADIUS proxy server configuration (config-locsvr-proxy-radius)
RADIUS proxy client configuration (config-locsvr-radius-client)
Usage Guidelines
The ISG RADIUS proxy identifies a new session based on the calling station attributes. Usually, attribute 31 is used to identify the session for requests. However, it is possible that attribute 31 may not always be unique to identify the session. There are attributes such as username (RADIUS attribute 1), circuit-ID (RADIUS VSA), and so on, that could be used to identify the session and correlate RADIUS requests. By using the session-identifier command, you can configure the RADIUS proxy to accept other attributes or VSAs to identify the session in the RADIUS proxy and correlate requests from the downstream device. A downstream device is a device whose data is logged by a data recorder on a different node.
Examples
The following example shows how to configure the ISG to identify the session using the RADIUS VSA vendor type and correlate the requests for a RADIUS proxy client with IP address 10.0.0.16:
Router(config-locsvr-proxy-radius)# client 10.0.0.l6 255.255.255.0 Router(config-locsvr-radius-client)# session-identifier vsa vendor 12 type 123
Related Commands
|
Command |
Description |
|---|---|
|
aaa server radius proxy |
Enables ISG RADIUS proxy configuration mode, in which ISG RADIUS proxy parameters can be configured. |
|
calling-station-id format |
Specifies the format if the attribute of the calling station is attribute 31. |
|
client ( ISG RADIUS proxy ) |
Enters ISG RADIUS proxy client configuration mode, in which client-specific RADIUS proxy parameters can be specified. |
set-timer
To start a named policy timer, use the set-timer command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.
Syntax Description
|
action-number |
Number of the action. Actions are executed sequentially within the policy rule. |
|
name-of-timer |
Name of the policy timer. |
|
minutes |
Timer interval, in minutes. Range is from 1 to 10100. |
Usage Guidelines
The set-timercommand configures an action in a control policy map.
Expiration of a named policy timer generates the timed-policy-expiry event.
Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
Examples
The following example configures a policy timer called "TIMERA". When TIMERA expires the service will be disconnected.
class-map type control match-all CONDE match timer TIMERA policy-map type type control RULEA class type control <some_cond> event session-start 1 set-timer TIMERA 1 class type control CONDE event timed-policy-expiry 1 service disconnect
sgi beep listener
To enable Service Gateway Interface (SGI), use the sgi beep listener command in global configuration mode. To disable SGI, use the no form of this command.
Syntax Description
|
port |
(Optional) TCP port on which to listen. The default is assigned by Internet Assigned Numbers Authority (IANA). |
|
acl |
(Optional) Applies an access control list (ACL) to restrict incoming client connections. |
|
access-list |
Name of the access list that is to be applied. |
|
sasl |
(Optional) Configures a Simple Authentication Security Layer (SASL) profile to use during the session establishment. |
|
sasl-profile |
Name of SASL profile being used during session establishment. |
|
encrypt |
(Optional) Configures transport layer security (TLS) for SGI. |
|
trustpoint |
Name of trustpoint being used by the TLS connection. |
sg-service-group
To associate an Intelligent Services Gateway (ISG) service with a service group, use the sg-service-group command in service policy-map configuration mode. To remove the association, use the no form of this command.
Usage Guidelines
A service group is a grouping of services that may be active simultaneously for a given session. Typically, a service group includes one primary service and one or more secondary services.
Secondary services in a service group are dependent on the primary service and should not be activated unless the primary service is already active. Once a primary service has been activated, any other services that reference the same group may also be activated. Services that belong to other groups, however, can be activated only if they are primary. If a primary service from another service group is activated, all services in the current service-group will also be deactivated because they have a dependency on the previous primary service.
sg-service-type
To identify an Intelligent Services Gateway (ISG) service as primary or secondary, use the sg-service-type command in service policy-map configuration mode. To remove this specification, use the no form of this command.
Syntax Description
|
primary |
Identifies the service as a primary service, which is a service that contains a network-forwarding policy. |
|
secondary |
Identifies the service as a secondary service, which is a service that does not contain a network-forwarding policy. This is the default. |
Usage Guidelines
An ISG primary service is a service that contains a network-forwarding policy, such as a virtual routing or forwarding instance (VRF) or tunnel specification. A service must be identified as a primary service by using the sg-service-type primary command. Any service that is not a primary service is identified as a secondary service by default. In other words, the service policy map for a primary service must include a network-forwarding policy and the sg-service-type primary command. A secondary service must not include a network-forwarding policy, and inclusion of the sg-service-type secondary command is optional.
sg-service-type external policy
To identify an Intelligent Services Gateway (ISG) service as an external policy, use the sg-service-type external policycommand in service policy-map configuration mode. To remove this specification, use the no form of this command.
Command History
|
Release |
Modification |
|---|---|
|
12.2(33)SRC |
This command was introduced. |
|
12.2(33)SB |
This command was integrated into Cisco IOS Release 12.2(33)SB. |
Usage Guidelines
An external policy service type identifies a service as being provided by an external device. The external device is configured in a peering relationship with the ISG device via the aaa server radius policy-device command. The external device handles policies for user sessions that use the service.
show class-map type control
To display information about Intelligent Services Gateway (ISG) control class maps, use the show class-map type control command in privileged EXEC mode.
Usage Guidelines
Use the show class-map type control command to display information about ISG control class maps, including statistics on the number of times a particular class has been evaluated and what the results were.
Examples
The following example shows sample output for the show class-map type controlcommand:
Router# show class-map type control
Condition Action Exec Hit Miss Comp
--------- ------ ---- --- ---- ----
The table below describes the significant fields shown in the display.
| Table 2 | show class-map type control Field Descriptions |
|
Field |
Description |
|---|---|
|
Exec |
Number of times this line was executed. |
|
Hit |
Number of times this line evaluated to true. |
|
Miss |
Number of times this line evaluated to false. |
|
Comp |
Number of times this line completed the execution of its condition without a need to continue on to the end. |
Related Commands
|
Command |
Description |
|---|---|
|
class-map type control |
Creates an ISG control class map. |
|
class type control |
Specifies a control class for which actions may be configured in an ISG control policy map. |
|
clear class-map type control |
Clears the ISG control class map counters. |
|
show policy-map type control |
Displays information about ISG control policy maps. |
show class-map type traffic
To display Intelligent Services Gateway (ISG) traffic class maps and their matching criteria, use the show class-map type traffic command in privileged EXEC mode.
Examples
The following example shows configuration of a traffic class-map and corresponding sample output for the show class-map type traffic command. The output is self-explanatory.
!
access-list 101 permit ip any any
access-list 102 permit ip any any
!
class-map type traffic match-any PEER_TRAFFIC
match access-group output 102
match access-group input 101
!
Router# show class-map type traffic
Class-map: match-any PEER_TRAFFIC
------------------------------------------------------
Output:
Extended IP access list 102
10 permit ip any any
Input:
Extended IP access list 101
10 permit ip any any
show database data
To display information about an identity manager (IDMGR) database, use the show database datacommand in privileged EXEC mode.
Usage Guidelines
You can use the show database namescommand to get a list of database names. The show database data command displays information about the IDMGR for the specified database name.
Examples
The following are sample output from the show database data command:
Router# show database data IDMGR-Session-DB 2 Total records = 1 ------------------------------ Record 0 (key 1) session-handle = 88000002 aaa-unique-id = 0000000C composite-key = 00174574302F303A313A656E63617020646F74317120313030 authen-status = unauthen Router# show database data IDMGR-Service-DB 2 Total records = 1 ------------------------------ Record 0 (key 5) session-handle = 2E000004 service-name = PBHK idmgr-svc-key = 2E00000402000001 authen-status = unauthen
The table below describes the significant fields shown in the display.
| Table 3 | show database data Field Descriptions |
show dwnld_mgr
To display information about the download manager, use the show dwnld_mgrcommand in privileged EXEC mode.
Syntax Description
|
AAA Unique ID |
Specifies the Accounting, Authentication, and Authorization (AAA) unique ID from where the profiles are downloaded. |
|
unique-ID |
Unique ID of the AAA server. |
|
all |
Specifies all the profiles. |
|
profiles |
Specifies the global configuration profile. |
|
name profile-name |
Specifies the name of the global configuration profile. |
Usage Guidelines
You can use the show dwnld_mgr command to view information about the download manager. The download manager is used to download global configuration profiles such as connectivity fault management (CFM) maintenance association (MA) profile for Programmable Ethernet. These profiles contain configuration information that is consumed by the client and then applied at the global level. These profiles are shared, that is, they are applied to multiple sessions. The download manager downloads and adds the shared profiles to the cache.
The download manager serves two primary functions:
Examples
The following is sample output from the show dwnld_mgr profiles all command:
Router# show dwnld_mgr profiles all
*******************************************************
Name: itag:3000
Reference: 1
Notification Type: DM_NOTIFICATION_PER_REQUEST_NOT_CACHED
Clients Waiting:
F1000003, 0A6AD658, 0000000C
********************************************************
The following is sample output from the show dwnld_mgr profiles namecommand:
Router# show dwnld_mgr profiles name itag:300
*******************************************************
Name: itag:3000
Reference: 1
Notification Type: DM_NOTIFICATION_PER_REQUEST_NOT_CACHED
Clients Waiting:
F1000003, 0A6AD658, 0000000C
********************************************************
The table below describes the significant fields shown in the displays.
show idmgr
To display information related to the Intelligent Services Gateway (ISG) session identity, use the show idmgr command in privileged EXEC mode.
Syntax Description
|
memory |
Displays memory-usage information related to ID management. |
|
detailed |
(Optional) Displays detailed memory-usage information related to ID management. |
|
component |
(Optional) Displays information for the specified ID management component. |
|
substring |
(Optional) Substring to match the component name. |
|
service key |
Displays ID information for a specific service. |
|
session-handle session-handle-string |
Displays the unique identifier for a session. |
|
service-key key-value |
Displays ID information for a specific service. |
|
session key |
Displays ID information for a specific session and its related services. |
|
aaa-unique-id aaa-unique-id-string |
Displays the authentication, authorization, and accounting (AAA) unique ID for a specific session. |
|
domainip-vrf ip-address ip-address |
Displays the service-facing IP address for a specific session. |
|
vrf-id vrf-id |
Displays the VPN routing and forwarding (VRF) ID for the specific session. |
|
nativeip-vrf ip-address ip-address |
Displays the subscriber-facing IP address for a specific session. |
|
portbundle ip ip-address |
Displays the port bundle IP address for a specific session. |
|
bundle bundle-number |
Displays the bundle number for a specific session. |
|
session-guid session-guid |
Displays the global unique identifier for a session. |
|
session-handle session-handle-string |
Displays the session identifier for a specific session. |
|
session-id session-id-string |
Displays the session identifier used to construct the value for RADIUS attribute 44 (Acct-Session-ID). |
|
circuit-id circuit-id |
Displays the user session information in the ID Manager (IDMGR) database when you specify the unique circuit ID tag. |
|
pppoe-unique-id pppoe-id |
Displays the PPPoE unique key information in the ID Manager (IDMGR) database when you specify the unique PPPoE unique ID tag |
|
statistics |
Displays statistics related to storing and retrieving ID information. |
Examples
The following sample output for the show idmgr command displays information about the service called "service":
Router# show idmgr service key session-handle 48000002 service-key service
session-handle = 48000002
service-name = service
idmgr-svc-key = 4800000273657276696365
authen-status = authen
The following sample output for the show idmgr command displays information about a session and the service that is related to the session:
Router# show idmgr session key session-handle 48000002
session-handle = 48000002
aaa-unique-id = 00000002
authen-status = authen
username = user1
Service 1 information:
session-handle = 48000002
service-name = service
idmgr-svc-key = 4800000273657276696365
The following sample output for the show idmgr command displays information about the global unique identifier of a session:
Router# show idmgr session key session-guid 020202010000000C session-handle = 18000003 aaa-unique-id = 0000000C authen-status = authen interface = nas-port:0.0.0.0:2/0/0/42 authen-status = authen username = FortyTwo addr = 100.42.1.1 session-guid = 020202010000000C The following sample output for the show idmgr command displays information about the user session information in the ID Manager (IDMGR) database by specifying the unique circuit ID tag: Router# show idmgr session key circuit-id Ethernet4/0.100:PPPoE-Tag-1 session-handle = AA000007 aaa-unique-id = 0000000E circuit-id-tag = Ethernet4/0.100:PPPoE-Tag-1 interface = nas-port:0.0.0.0:0/1/1/100 authen-status = authen username = user1@cisco.com addr = 106.1.1.3 session-guid = 650101020000000E The session hdl AA000007 in the record is valid The session hdl AA000007 in the record is valid No service record found
The table below describes the significant fields shown in the display.
| Table 5 | show idmgr Field Descriptions |
|
Field |
Description |
|---|---|
|
session-handle |
Unique identifier of the session. |
|
service-name |
Service name for this session. |
|
idmgr-svc-key |
The ID manager service key of this session. |
|
authen-status |
Indicates whether the session has been authenticated or unauthenticated. |
|
aaa-unique-id |
AAA unique ID of the session. |
|
username |
The username associated with this session. |
|
interface |
The interface details of this session. |
|
addr |
The IP address of this session. |
|
session-guid |
Global unique identifier of this session. |
show interface monitor
To display interface statistics that will be updated at specified intervals, use the show interface monitor command in user EXEC or privileged EXEC mode.
Usage Guidelines
The show interface monitor command allows you to monitor an interface by displaying interface statistics and updating those statistics at regular intervals. While the statistics are being displayed, the command-line interface will prompt you to enter "E" to end the display, "C" to clear the counters, or "F" to freeze the display.
Examples
The following example shows sample output for the show interface monitor command. The display will be updated every 10 seconds.
Router# show interface ethernet 0/0 monitor interval 10
Router Name: Scale3-Router8 Update Secs: 10
Interface Name: Ethernet 0/0 Interface Status: UP, line is up
Line Statistics: Total: Rate(/s) Delta
Input Bytes: 123456 123 7890
Input Packets: 3456 56 560
Broadcast: 1333 6 60
OutputBytes: 75717 123 1230
Output Packets: 733 44 440
Error Statistics: Total: Delta:
Input Errors: 0 0
CRC Errors: 0 0
Frame Errors: 0 0
Ignored: 0 0
Output Errors: 0 0
Collisions: 0 0
No. Interface Resets: 2
End = e Clear = c Freeze = f
Enter Command:
The table below describes the significant fields shown in the display.
| Table 6 | show interface monitor Field Descriptions |
|
Field |
Description |
|---|---|
|
Line Statistics |
Information about the physical line. The delta column indicates the difference between the current display and the display before the last update. |
|
Input Bytes |
Total number of bytes, including data and MAC encapsulation, in the error-free packets received by the system. |
|
Input Packets |
Total number of error-free packets received by the system. |
|
Broadcast |
Total number of broadcast or multicast packets received by the interface. |
|
OutputBytes |
Total number of bytes sent by the system. |
|
Output Packets |
Total number of packets sent by the system. |
|
Error Statistics |
Displays statistics about errors. The delta column indicates the difference between the current display and the display before the last update. |
|
Input Errors |
Includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts. Other input-related errors can also cause the input errors count to be increased, and some datagrams may have more than one error; therefore, this sum may not balance with the sum of enumerated input error counts. |
|
CRC Errors |
Cyclic redundancy checksum generated by the originating LAN station or far-end device does not match the checksum calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or the LAN bus itself. A high number of CRCs is usually the result of collisions or a station transmitting bad data. |
|
Frame Errors |
Number of packets received incorrectly having a CRC error and a noninteger number of octets. On a LAN, this is usually the result of collisions or a malfunctioning Ethernet device. |
|
Ignored |
Number of received packets ignored by the interface because the interface hardware ran low on internal buffers. Broadcast storms and bursts of noise can cause the ignored count to be increased. |
|
Output Errors |
Sum of all errors that prevented the final transmission of datagrams out of the interface from being examined. Note that this may not balance with the sum of the enumerated output errors, as some datagrams may have more than one error, and others may have errors that do not fall into any of the specifically tabulated categories. |
|
Collisions |
Number of messages transmitted because of an Ethernet collision. A packet that collides is counted only once in output packets. |
|
No. Interface Resets |
Number of times an interface has been completely reset. This can happen if packets queued for transmission were not sent within several seconds. On a serial line, this can be caused by a malfunctioning modem that is not supplying the transmit clock signal, or by a cable problem. If the system notices that the carrier detect line of a serial interface is up, but the line protocol is down, it periodically resets the interface in an effort to restart it. Interface resets can also occur when an interface is looped back or shut down. |
show ip portbundle ip
To display information about a particular Intelligent Services Gateway (ISG) port bundle, use the show ip portbundle ip command in privileged EXEC mode.
Usage Guidelines
Use the show ip portbundle ip command to display the port mappings in a port bundle.
Examples
The following example is sample output for the show ip portbundle ip command:
Router# show ip portbundle ip 10.2.81.13 bundle 65
Portbundle IP address: 10.2.81.13 Bundlenumber: 65
Subscriber VRF: VRF2
Subscriber Portmappings:
Subscriber IP: 10.0.0.2 Subscriber Port: 11019 Mapped Port: 1040
The table below describes the significant fields shown in the display.
show ip portbundle status
To display a information about Intelligent Services Gateway (ISG) port-bundle groups, use the show ip portbundle status command in privileged EXEC mode.
Usage Guidelines
Use the show ip portbundle status command to display a list of port-bundle groups, port-bundle length, and the number of free and in-use port bundles in each group.
Examples
The following example is sample output for the show ip portbundle status command when issued with no keywords:
Router# show ip portbundle status
Bundle-length = 4
Bundle-groups: -
IP Address Free Bundles In-use Bundles
10.2.81.13 4031 1
The table below describes the significant fields shown in the display.
| Table 8 | show ip portbundle status Field Descriptions |
|
Field |
Description |
|---|---|
|
Bundle-length |
Number of ports per bundle and number of bundles per bundle group. |
|
Bundle-groups |
List of bundle groups. |
|
IP Address |
IP address of a bundle group. |
|
Free Bundles |
Number of free bundles in the specified bundle group. |
|
In-use Bundles |
Number of in-use bundles in the specified bundle group. |
show ip subscriber
To display information about Intelligent Services Gateway (ISG) IP subscriber sessions, use the show ip subscriber command in user EXEC or privileged EXEC mode.
Syntax Description
Command History
|
Release |
Modification |
|---|---|
|
12.2(31)SB2 |
This command was introduced. |
|
12.2(33)SRC |
Support for this command was added on the Cisco 7600 series router. |
|
Cisco IOS XE Release 2.2 |
This command was integrated into Cisco IOS XE Release 2.2. |
|
12.2(33)SRE |
This command was modified. The static and list keywords were added. |
|
12.2(33)SRE1 |
This command was modified. The statistics and arp keywords were added. |
|
Cisco IOS XE Release 3.4S |
This command was modified. The output was enhanced to include information about IPv6 sessions. |
Usage Guidelines
A session that is not fully established within a specified period of time is referred to as a dangling session. The show ip subscriber command can be used with the dangling keyword to display dangling sessions. The seconds argument allows you to specify how long the session can remain unestablished before it is considered dangling.
Examples
The following is sample output from the show ip subscriber command without any keywords:
Router# show ip subscriber
Displaying subscribers in the default service vrf:
Type Subscriber Identifier Display UID Status
--------- ---------------------- ------------ ------
connected aaaa.1111.cccc [1] up
The following is sample output from the show ip subscriber command using the detail keyword. Detailed information is displayed about all the IP subscriber sessions associated with vrf1.
Router# show ip subscriber vrf vrf1 detail
IP subscriber: 0000.0000.0002, type connected, status up
display uid: 6, aaa uid: 17
segment hdl: 0x100A, session hdl: 0x96000005, shdb: 0xBC000005
session initiator: dhcp discovery
access address: 10.0.0.3
service address: vrf1, 10.0.0.3
conditional debug flag: 0x0
control plane state: connected, start time: 1d06h
data plane state: connected, start time: 1d06h
arp entry: [vrf1] 10.0.0.3, Ethernet0/0
midchain adj: 10.0.0.3 on multiservice1
forwarding statistics:
packets total: received 3542, sent 3538
bytes total: received 2184420, sent 1158510
packets dropped: 0, bytes dropped: 0
The following is sample output from the show ip subscriber command using the list keyword. Detailed information is displayed about all the IP subscriber static sessions associated with the server list group called l1 on the 7600 series router.
Router# show ip subscriber static list l1
Total static sessions for list l1: 1, Total IF attached: 1
Interface: GigabitEthernet0/3, VRF: 0, 1
The following is sample output from the show ip subscribercommand using the statistics arpkeywords:
Router# show ip subscriber statistics arp
Current IP Subscriber ARP Statistics
Total number of ARP reqs received : 27
ARP reqs received on ISG interfaces : 25
IP subscriber ARP reqs replied to : 1
Dst on ISG : 0
Src/Dst in same subnet : 0
IP subscriber ARP reqs ignored : 2
For route back to CPE : 2
For no routes to dest. : 0
Gratuitous : 0
Due to invalid src IP : 0
Due to other errors : 0
IP sub ARP reqs with default action : 24
The table below describes the significant fields shown in the displays, in alphabetical order.
| Table 9 | show ip subscriber Field Descriptions |
|
Field |
Description |
|---|---|
|
Dst on ISG |
Number of ARP requests that ISG replied to for a destination on ISG. |
|
For route back to CPE |
Number of ARP requests that ISG ignored because the destination IP address is on the same VLAN as the customer premises equipment (CPE). |
|
For no routes to dest. |
Number of ARP requests ignored by ISG because there was no route to the destination. |
|
Gratuitous |
Number of ARP requests ignored by ISG because they are gratuitous. A gratuitous ARP request is issued by a device for the sole purpose of keeping other devices informed of its presence on the network. |
|
IP sub ARP reqs with default action |
Number of ARP requests for which ISG performed no special action. |
|
Src/Dst in same subnet |
Number of ARP requests that ISG replied to that had a source and destination IP address in the same subnet. |
|
Session initiator |
Type of packet that initiated the subscriber session. |
show platform isg session
To display the number of active Intelligent Services Gateway (ISG) subscriber sessions for a line card and the features applied on a session, use the show platform isg session command in privileged EXEC mode.
Usage Guidelines
The show platform isg session command displays the total number of active subscriber sessions on the line card and information about the features that are configured on a session. For example, QoS or SACL.
Examples
This example shows the output for all installed line cards:
Router# show platform isg session 15 0 detail
if_num 14 va_if_num 0 pid 15 type IPSIP flags 0x0 state BOUND hvlan v1(vc) 1014 v2 1200 0 dbg off
STATS(pkts, bytes) RX(0, 0) ctrl(0, 0) drop(0, 0) TX(0, 0) ctrl(0, 0) drop(0, 0)
--------------------------------------------------========================================
TenGigabitEthernet4/2.1 - if_number 14 15 policymap pmap-brr1-parent dir Output
np 1 port 0 pm_num 4 lookuptype 1 flowid 256
---------------------------------------------------
policymap pmap-brr1-parent classid 0 dfs classid 2
classmap config: cmap flags 0x6 feature flags 0x9
queue config: gqid/pgqid 4/2
police config: N/A marking config: N/A
WRED config: N/A
classmap instance: cfn statid 0
node handle: B,4,128 queue: fid0/fid1/sel/spl 128/128/0/0
statid: commit/excess/drop 1294464/1327232/1360000
policy pmap-brr1-parent classid 0 dfs classid 2 level 0
---------------------------------------------------------------
Statistics type Packet count Byte count
queue:
commit 0 0
excess 0 0
drop 0 0
cur depth 0
---------------------------------------------------
policymap pmap-brr-child1 classid 1 dfs classid 0
classmap config: cmap flags 0x4 feature flags 0x100
police config:cir/cbs: 50000000/1562500 pir/pbs: 0/1562500 clr/mef/algo: 0/0/1
0:XMIT, Mark , cosi_cos 0 cos_cosi 0 dscp 0/0 cos 0/0 cosi 0/0 exp_top 0/0 exp_imp 0/0
1:DROP, Mark , cosi_cos 0 cos_cosi 0 dscp 0/0 cos 0/0 cosi 0/0 exp_top 0/0 exp_imp 0/0
2:DROP, Mark , cosi_cos 0 cos_cosi 0 dscp 0/0 cos 0/0 cosi 0/0 exp_top 0/0 exp_imp 0/0 marking config: N/A
WRED config: N/A
classmap instance: cfn statid 508327
node handle: B,4,128 queue: fid0/fid1/sel/spl 128/128/0/0
statid: commit/excess/drop 1294464/1327232/1360000
police handle: np/index/type 1/1/fast tb 65697 statid: conform/exceed/violate 115116/115117/115118
POLICE profile[0] inuse 1 cir/cbs 50000000/1562500 pir/pbs 0/1562500 clr/mef/algo 0/0x0/1
[D]POLICE - index 0 cir/cbs: 6250000/1559756 pir/pbs: 0/0 clr/mef/algo: 0/0/1
policy pmap-brr-child1 classid 1 dfs classid 0 level 1
---------------------------------------------------------------
Statistics type Packet count Byte count
classification 0 0
police:
conform 0 0
exceed 0 0
violate 0 0
--
tcam index table result: 0x30000C001 0x0 0x0 0x0
flow hash table result: 0x7C1A70301000080 0x100000003
FLW-07C1A703 01000080 00000001 00000003
TM - Concat:NO, TMc:NO, Special_Q:NO, FID1:128, FID2:128
Flow Stat:508327, Plcr1 TB/Stat-1/3, Plcr2 TB/Stat-0/0
----------------------------------------------
Level: 4 Index: 128 Child Index/Inuse: 65535/0 Flags: VHC PDL Wf M.WFQ 1020 QL 2/5-131072 norm
WFQ level 4 index 0 weight 10 inuse 3
[D]WFQ - level:4, index:0 Weight Commit/Excess: 10/10
[D]Entity Param - level:4 index:128 Mode/Priority: Enabled/Normal
Shape mode/factor: Unshaped/One Profiles- WRED/Scale:2/5 Shape:0 WFQ:0
--
Level: 3 Index: 16 Child Index/Inuse: 128/1 Flags: RHC PDL WfSh ServProf:1/flags/oh:---/0
SHAPE level 3 index 1 inuse 1 cir 800000000 cbs 80216064 pir 800000000 pbs 3211264
[D]SHAPE - level:3 index:1 bFS:0 cir:100000000 cbs:10027008 pir:100000000 pbs:401408
WFQ level 3 index 1 weight 81 inuse 1
[D]WFQ - level:4, index:33 Weight Commit/Excess: 81/1
[D]Entity Param - level:3 index:16 Mode/Priority: Enabled/Normal
Shape mode/factor: Explicit/One Profiles- WRED/Scale:0/0 Shape:1 WFQ:33
--
Level: 2 Index: 0 Child Index/Inuse: 0/2 Flags: RHC I Wf
SHAPE level 2 index 0 inuse 1 cir 9920000 cbs 1007616 pir 9920000 pbs 1007616
[D]SHAPE - level:2 index:0 bFS:0 cir:1240000 cbs:125952 pir:1240000 pbs:125952
WFQ level 2 index 0 weight 2 inuse 1
[D]WFQ - level:2, index:0 Weight Commit/Excess: 2/2
[D]Entity Topology - level:2 index:0Child First/Total:0/32 L34 mode:0 ServProf:0
[D]Entity Param - level:2 index:0 Mode/Priority: Enabled/Propagated
Shape mode/factor: Unshaped/Half Profiles- WRED/Scale:0/0 Shape:0 WFQ:0
--
Level: 1 Index: 0 Child Index/Inuse: 0/1 Flags: RNC I Wf
***
---------------------------------------------------
policymap pmap-brr-child1 classid 0 dfs classid 1
classmap config: cmap flags 0x4 feature flags 0x1000
police config: N/A
marking config: on coso 1
WRED config: N/A
classmap instance: cfn statid 508328
node handle: B,4,128 queue: fid0/fid1/sel/spl 128/128/0/0
statid: commit/excess/drop 1294464/1327232/1360000
policy pmap-brr-child1 classid 0 dfs classid 1 level 1
---------------------------------------------------------------
Statistics type Packet count Byte count
classification 0 0
--
tcam index table result: 0x101300000000 0x400500000000 0x0 0x0
flow hash table result: 0x7C1A80301000080 0x0
FLW-07C1A803 01000080 00000000 00000000
TM - Concat:NO, TMc:NO, Special_Q:NO, FID1:128, FID2:128
Flow Stat:508328, Plcr1 TB/Stat-0/0, Plcr2 TB/Stat-0/0
----------------------------------------------
Level: 4 Index: 128 Child Index/Inuse: 65535/0 Flags: VHC PDL Wf M.WFQ 1020 QL 2/5-131072 norm
WFQ level 4 index 0 weight 10 inuse 3
[D]WFQ - level:4, index:0 Weight Commit/Excess: 10/10
[D]Entity Param - level:4 index:128 Mode/Priority: Enabled/Normal
Shape mode/factor: Unshaped/One Profiles- WRED/Scale:2/5 Shape:0 WFQ:0
--
Level: 3 Index: 16 Child Index/Inuse: 128/1 Flags: RHC PDL WfSh ServProf:1/flags/oh:---/0
SHAPE level 3 index 1 inuse 1 cir 800000000 cbs 80216064 pir 800000000 pbs 3211264
[D]SHAPE - level:3 index:1 bFS:0 cir:100000000 cbs:10027008 pir:100000000 pbs:401408
WFQ level 3 index 1 weight 81 inuse 1
[D]WFQ - level:4, index:33 Weight Commit/Excess: 81/1
[D]Entity Param - level:3 index:16 Mode/Priority: Enabled/Normal
Shape mode/factor: Explicit/One Profiles- WRED/Scale:0/0 Shape:1 WFQ:33
--
Level: 2 Index: 0 Child Index/Inuse: 0/2 Flags: RHC I Wf
SHAPE level 2 index 0 inuse 1 cir 9920000 cbs 1007616 pir 9920000 pbs 1007616
[D]SHAPE - level:2 index:0 bFS:0 cir:1240000 cbs:125952 pir:1240000 pbs:125952
WFQ level 2 index 0 weight 2 inuse 1
[D]WFQ - level:2, index:0 Weight Commit/Excess: 2/2
[D]Entity Topology - level:2 index:0Child First/Total:0/32 L34 mode:0 ServProf:0
[D]Entity Param - level:2 index:0 Mode/Priority: Enabled/Propagated
Shape mode/factor: Unshaped/Half Profiles- WRED/Scale:0/0 Shape:0 WFQ:0
--
Level: 1 Index: 0 Child Index/Inuse: 0/1 Flags: RNC I Wf
show platform isg session-count
To display the number of active Intelligent Services Gateway (ISG) subscriber sessions by line card, use the show platform isg session-count command in privileged EXEC mode.
Usage Guidelines
The show platform isg session-count command displays either the total number of active subscriber sessions on the router, with individual totals by line card, or it displays the details for an individual line card in a specific slot.
The Cisco 7600 router limits the number of supported subscriber sessions per line card and per router chassis. Use this command to monitor the number of currently active sessions to ensure that the following limits are not exceeded:
Examples
The following example shows the output for all installed line cards:
Router# show platform isg session-count all
Total sessions per chassis : 8000
Slot Sess-count Max Sess-count
---- ---------- --------------
5 8000 16000
The following example shows the output for the ES+ line card in slot 5:
Router# show platform isg session-count 5
ES+ line card
Sessions on a port-channel are instantiated on all member ports
Port-group Sess-instance Max Sess-instance
---------- ------------- -----------------
Gig5/1-Gig5/5 4000 4000
Gig5/16-Gig5/20 4000 4000
The table below describes the significant fields shown in the display, in alphabetical order.
| Table 10 | show platform isg session-count Field Descriptions |
|
Field |
Description |
|---|---|
|
Max Sess-count |
Maximum number of sessions allowed per line card. |
|
Max Sess-instance |
Maximum number of session instances allowed per port group. |
|
Port-group |
Port numbers included in each port group. |
|
Sess-count |
Total number of active sessions per line card. |
|
Sess-instance |
Total number of session instances per port group. |
|
Slot |
Number of the router slot in which the card is installed. |
|
Total sessions per chassis |
Total number of sessions for all line cards on the router. |
show policy-map type control
To display information about Intelligent Services Gateway (ISG) control policy maps, use the show policy-map type control command in privileged EXEC mode.
Usage Guidelines
Use the show policy-map type control command to display information about ISG control policies, including statistics on the number of times each policy-rule within the policy map has been executed
Examples
The following example shows sample output for the show policy-map type control command:
Router# show policy-map type control
Rule: internal-rule-acct-logon
Class-map: always event account-logon
Action: 1 authenticate aaa list default
Executed0
Key:
"Exec" - The number of times this rule action line was executed
show policy-map type service
To displays the contents of Intelligent Services Gateway (ISG) service policy maps and service profiles and session-related attributes, use the show policy-map type service command in privileged EXEC mode.
Examples
The following example shows the configuration of a service profile called "prep_service" on a AAA server and the corresponding sample output for the show policy-map type service command.
Service Profile Configuration
Configuration of prep_service on simulator radius subscriber 8 authentication prep_service pap cisco idle-timeout 600 vsa cisco generic 1 string "traffic-class=input access-group 102"
Sample Output of show policy-map type service Command
Router# show policy-map type service
Current policy profile DB contents are:
Profile name: prep_service, 4 references
idletime 600 (0x258)
traffic-class "input access-group 102"
The table below describes the significant fields shown in the display.
show processes cpu monitor
To display CPU utilization statistics that will be updated at specified intervals, use the show processes cpu monitor command in user EXEC or privileged EXEC mode.
Usage Guidelines
The show processes cpu monitor command allows you to monitor CPU utilization statistics by displaying updated statistics at regular intervals. While the statistics are being displayed, the command-line interface will prompt you to enter "E" to end the display or "F" to freeze the display.
Examples
The following example shows sample output for the show processes cpu monitor command:
Router# show processes cpu monitor
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
3 772 712 1084 0.08% 0.04% 0.02% 0 Exec
67 276 4151 66 0.08% 0.03% 0.01% 0 L2TP mgmt daemon
116 604 2263 266 0.16% 0.05% 0.01% 0 IDMGR CORE
End = e Freeze = f
Enter Command:
The table below describes the significant fields shown in the display.
| Table 12 | show processes cpu monitor Field Descriptions |
|
Field |
Description |
|---|---|
|
CPU utilization for five seconds |
CPU utilization for the last 5 seconds and the percentage of CPU time spent at the interrupt level. |
|
one minute |
CPU utilization for the last minute and the percentage of CPU time spent at the interrupt level. |
|
five minutes |
CPU utilization for the last 5 minutes and the percentage of CPU time spent at the interrupt level. |
|
PID |
Process ID. |
|
Runtime(ms) |
CPU time the process has used (in milliseconds). |
|
Invoked |
Number of times the process has been invoked. |
|
uSecs |
Microseconds of CPU time for each process invocation. |
|
5Sec |
CPU utilization by task in the last 5 seconds. |
|
1Min |
CPU utilization by task in the last minute. |
|
5Min |
CPU utilization by task in the last 5 minutes. |
|
TTY |
Terminal that controls the process. |
|
Process |
Name of the process. |
show pxf cpu iedge
To display Parallel eXpress Forwarding (PXF) policy and template information, use the show pxf cpu iedgecommand in privileged EXEC mode.
show pxf cpu iedge [detail | policy policy-name | template]
Syntax Description
|
detail |
(Optional) Displays detailed information about policies and templates. |
|
policy policy-name |
(Optional) Displays summary policy information. |
|
template |
(Optional) Displays summary template information. |
show pxf cpu isg
To display Parallel eXpress Forwarding (PXF) Intelligent Services Gateway (ISG) policy and template information, use the show pxf cpu isgcommand in privileged EXEC mode.
show radius-proxy client
To display information about Intelligent Services Gateway (ISG) RADIUS proxy client devices, use the show radius-proxy clientcommand in privileged EXEC mode.
Usage Guidelines
The show radius-proxy client command can be used to find out which subscribers are associated with which RADIUS clients.
Examples
The following example shows sample output for the show radius-proxy client command:
Router# show radius-proxy client 10.45.45.3
Configuration details for client 10.45.45.3
Shared secret: blue#@!$%&/ Msg Auth Ignore: No
Local auth port: 1111 Local acct port: 2222
Acct method list: FWDACCT
Session Summary:
RP ID IP Address
1. 687865867 10.1.1.1
The table below describes the significant fields shown in the display.
| Table 13 | show radius-proxy client Field Descriptions |
|
Field |
Description |
|---|---|
|
Shared secret |
Shared secret between ISG RADIUS proxy and the client device. |
|
Msg Auth Ignore |
Indicates whether message-authenticator validation is performed for RADIUS packets coming from this client. |
|
Local auth port |
Port on which ISG listens for authentication packets from this client. |
|
Local acct port |
Port on which ISG listens for accounting packets from this client. |
|
Acct method list |
Method list to which ISG RADIUS proxy forwards accounting packets. |
|
Session Summary |
Summary of the ISG sessions associated with the specified client device. |
|
RP ID |
ISG RADIUS proxy identifier for the session. |
|
IP Address |
IP address associated with the session. |
show radius-proxy session
To display information about specific Intelligent Services Gateway (ISG) RADIUS proxy sessions, use the show radius-proxy session command in privileged EXEC mode.
Examples
The following example shows sample output for the show radius-proxy session command:
Router# show radius-proxy session id 1694498816
Session Keys:
Caller ID: 000b.4691.e2e3
Other Attributes:
Username: aash
User IP: unassigned
Called ID:
Client Information:
NAS IP: 10.45.45.2
NAS ID: localhost
State Details:
State: authenticated
Timer: ip-address (timeout: 240s, remaining: 166s)
show redirect group
To display information about Intelligent Services Gateway (ISG) Layer 4 redirect server groups, use the show redirect group command in privileged EXEC mode.
Usage Guidelines
Use the show redirect translations command without the group-name argument to display information about all Layer 4 redirect server groups.
Examples
The following example shows sample output for the show redirect group command:
Router# show redirect group redirect-group-default
Showing all servers of the group redirect-group-default
Server created : using cli
Server Port
10.30.81.22 8090
Related Commands
|
Command |
Description |
|---|---|
|
redirect server-group |
Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group. |
|
redirect to (ISG) |
Redirects ISG Layer 4 traffic to a specified server or server group. |
|
server (ISG) |
Adds a server to an ISG Layer 4 redirect server group. |
|
show redirect translations |
Displays information about the ISG Layer 4 redirect mappings for subscriber sessions. |
show redirect translations
To display information about the Intelligent Services Gateway (ISG) Layer 4 redirect mappings for subscriber sessions, use the show redirect translations command in privileged EXEC mode.
Command History
|
Release |
Modification |
|---|---|
|
12.2(28)SB |
This command was introduced. |
|
12.2(33)SB8 |
This command was modified. Information about the number of redirect translations was added to the output. |
|
12.2(33)XNE1 |
This command was integrated into Cisco IOS Release 12.2(33)XNE1. |
|
12.2(33)SRD4 |
This command was integrated into Cisco IOS Release 12.2(33)SRD4. |
|
12.2(33)SRE1 |
This command was integrated into Cisco IOS Release 12.2(33)SRE1. |
|
Cisco IOS XE Release 3.5S |
This command was modified. The ipv4, ipv6, and verbose keywords were added. |
Usage Guidelines
Use the show redirect translations command without the ip ip-address keyword and argument to display Layer 4 redirect mappings for all subscriber sessions.
Examples
The following is sample output from the show redirect translations command displaying information about each active redirect translation:
Router# show redirect translations
Prot Destination IP/Port Server IP/Port
TCP 10.0.1.2 23 10.0.2.2 23
TCP 10.0.1.2 23 10.0.2.2 23
TCP 10.0.1.2 23 10.0.2.2 23
Total Number of Translations: 3
The following is sample output from the show redirect translations ipv6 command displaying information about each active IPv6 redirect translation:
Router# show redirect translations ipv6
Prot Destination IP/Port Server IP/Port
TCP 2001:DB8:2222:1044::72 80 2001:DB8:C003:12::2918 8080
TCP 2001:DB8:2222:1044::73 80 2001:DB8:C003:12::2918 8080
Total Number of Translations: 5
The following is sample output from the show redirect translations verbose command displaying additional information about each active redirect translation:
Router# show redirect translations verbose
Prot Destination IP/Port Server IP/Port
Source IP/Port InFlags OutFlags Timestamp
TCP 10.1.0.1 80 10.10.0.1 8080
10.0.0.1 3881 - - 02/28/11 11:48:01
TCP 10.1.0.2 80 10.10.0.1 8080
10.0.0.1 3882 FIN - 02/28/11 11:50:01
TCP 10.1.0.4 80 10.10.0.1 8080
10.0.0.2 4002 - - 02/28/11 11:55:08
TCP 2001:DB8:2222:1044::72 80 2001:DB8:C003:12::2918 8080
2001:DB8:C003:13::2928 5001 SYN - 02/28/11 10:25:12
TCP 2001:DB8:2222:1044::73 80 2001:DB8:C003:12::2918 8080
2001:DB8:C003:13::2928 8002 - FIN 02/28/11 10:22:15
Total Number of Translations: 5
The table below describes the significant fields shown in the display, in alphabetical order.
| Table 14 | show redirect translations Field Descriptions |
|
Field |
Description |
|---|---|
|
Destination IP/port |
IP address and port number of the connection destination. |
|
In Flags, Out Flags |
TCP flags. For example, ACK, FIN, SYN, or Null. |
|
Prot |
Protocol used, either TCP or User Data Protocol (UDP). |
|
Server IP/port |
IP address and port number of the redirect server. |
|
Total Number of Translations |
Total number of active translations. |
Related Commands
|
Command |
Description |
|---|---|
|
redirect server-group |
Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group. |
|
redirect session-limit |
Sets the maximum number of Layer 4 redirects allowed for each ISG subscriber session. |
|
redirect to (ISG) |
Redirects ISG Layer 4 traffic to a specified server or server group. |
|
server ip (ISG) |
Adds a server to an ISG Layer 4 redirect server group. |
|
show redirect group |
Displays information about ISG Layer 4 redirect server groups. |
show sgi
To display information about current Service Gateway Interface (SGI) sessions or statistics, use the show sgi command in privileged EXEC mode.
Syntax Description
|
session |
Displays information about the current SGI session. |
|
statistics |
Displays information about the current SGI statistics |
Examples
The following example shows information about SGI sessions started and currently running, including the running state:
Router# show sgi session sgi sessions: open 1(max 10, started 15 session id:1;started at 9:08:05; state OPEN
The following example shows statistical information about SGI and the SGI processes that have been started:
Router# show sgi statistics sgi statistics total messages received 45 current active messages 5; maximum active messages 7 total isg service requests 4 current active services 2; maximum active services 2 sgi process statistics process sgi handler 1 pid 95, cpu percent (last minute) 1, cpu runtime 10(msec), memory accocated 4200 (bytes)
show ssm
To display Segment Switching Manager (SSM) information for switched Layer 2 segments, use the show ssmcommand in privileged EXEC mode.
Syntax Description
|
cdb |
Displays information about the SSM capabilities database. |
|
feature id |
Displays information about SSM feature settings. |
|
feature-id |
(Optional) Displays information for a specific feature ID. |
|
id |
Displays information for all SSM IDs. |
|
memory |
Displays memory usage information. |
|
chunk variable |
(Optional) Displays memory usage information for memory consumed by variable chunks. |
|
feature |
Displays information about memory consumed by the feature. |
|
queue |
Displays information about memory consumed by the queue. |
|
segment |
Displays information about memory consumed by the segment. |
|
detail |
(Optional) Displays detailed memory usage information. |
|
segment id |
Displays information about SSM segment settings. |
|
segment-id |
(Optional) Displays information for a specific SSM segment. |
|
switch id |
Displays information about SSM switch settings. |
|
switch-id |
(Optional) Displays information for a specific SSM switch ID. |
Command History
|
Release |
Modification |
|---|---|
|
12.2(22)S |
This command was introduced. |
|
12.2(28)SB |
This command was integrated into Cisco IOS Release 12.2(28)SB. |
Usage Guidelines
Use the show ssm command to determine the segment ID for an active switched Layer 2 segment. The segment ID can be used with the debug condition xconnect command to filter debug messages by segment.
Examples
The following example shows sample output for the show ssm cdb command. The output for this command varies depending on the type of hardware being used.
Router# show ssm cdb Switching paths active for class SSS: ------------------------------------- |FR |Eth|Vlan|ATM|HDLC|PPP/AC|L2TP|L2TPv3|L2F|PPTP|ATM/AAL5|ATM/VCC| --------+---+---+----+---+----+------+----+------+---+----+--------+-------+ FR | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | Eth | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | Vlan | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | ATM |-/E|-/E|-/E |-/-|-/E | -/E |-/E | -/E |-/-|-/- | -/E | -/E | HDLC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | PPP/AC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | L2TP | E | E | E |E/-| E | E | E | -/- | E | E | E | E | L2TPv3 | E | E | E |E/-| E | E |-/- | E |-/-|-/- | E | E | L2F |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- | PPTP |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- | ATM/AAL5| E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | ATM/VCC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | ATM/VPC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | ATM/Cell| E | E | E |E/-| E | E | E | E |-/-|-/- | E | E | AToM |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E | PPP |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- | PPPoE |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- | PPPoA |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- | Lterm |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- | TC |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- | IP-If |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- | IP-SIP |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- | VFI |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E | |ATM/Cell|AToM|PPP|PPPoE|PPPoA|Lterm|TC |IP-If|IP-SIP|VFI| --------+--------+----+---+-----+-----+-----+---+-----+------+---+ FR | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| Eth | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| Vlan | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| ATM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| HDLC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| PPP/AC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| L2TP | E |-/- | E | E | E | E |-/-| -/- | -/- |-/-| L2TPv3 | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| L2F | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-| PPTP | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-| ATM/AAL5| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| ATM/VCC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| ATM/VPC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| ATM/Cell| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| AToM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| PPP | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-| PPPoE | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-| PPPoA | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-| Lterm | -/- |-/- | E | E | E | E | E | E | E |-/-| TC | -/- |-/- |-/-| -/- | -/- | E | E | E | E |-/-| IP-If | -/- |-/- |-/-| -/- | -/- | E | E | E | -/- |-/-| IP-SIP | -/- |-/- |-/-| -/- | -/- | E | E | -/- | E |-/-| VFI | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| Switching paths active for class ADJ: ------------------------------------- |FR |Eth|Vlan|ATM|HDLC|PPP/AC|L2TP|L2TPv3|L2F|PPTP|ATM/AAL5|ATM/VCC| --------+---+---+----+---+----+------+----+------+---+----+--------+-------+ FR | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | Eth | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | Vlan | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | ATM |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E | HDLC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | PPP/AC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | L2TP |-/E|-/E|-/E |-/-|-/E | -/E | E | -/- |E/-|E/- | -/E | -/E | L2TPv3 | E | E | E |E/-| E | E |-/- | E |-/-|-/- | E | E | L2F |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- | PPTP |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- | ATM/AAL5| E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | ATM/VCC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | ATM/VPC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | ATM/Cell| E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E | AToM |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E | PPP |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- | PPPoE |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- | PPPoA |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- | Lterm |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- | TC |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- | IP-If |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- | IP-SIP |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- | VFI |E/-| E | E |E/-|E/- | E/- |-/- | -/E |-/-|-/- | E | E | |ATM/Cell|AToM|PPP|PPPoE|PPPoA|Lterm|TC |IP-If|IP-SIP|VFI| --------+--------+----+---+-----+-----+-----+---+-----+------+---+ FR | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E| Eth | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E | Vlan | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E | ATM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E| HDLC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E| PPP/AC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E| L2TP | -/E |-/- |E/-| E/- | E/- | E/- |-/-| -/- | -/- |-/-| L2TPv3 | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-| L2F | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| PPTP | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| ATM/AAL5| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E | ATM/VCC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E | ATM/VPC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E | ATM/Cell| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E | AToM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E| PPP | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| PPPoE | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| PPPoA | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| Lterm | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| TC | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| IP-If | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| IP-SIP | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| VFI | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-| Key: '-' - switching type is not available 'R' - switching type is available but not enabled 'E' - switching type is enabled 'D' - switching type is disabled
The following example displays SSM output of the show ssm id command on a device with one active Layer 2 Tunnel Protocol Version 3 (L2TPv3) segment and one active Frame Relay segment. The segment ID field is shown in bold.
Router# show ssm id SSM Status: 1 switch Switch-ID 4096 State: Open Segment-ID: 8193 Type: L2TPv3[8] Switch-ID: 4096 Physical intf: Remote Allocated By: This CPU Class: SSS State: Active L2X switching context: Session ID Local 16666 Remote 54742 TxSeq 0 RxSeq 0 Tunnel end-point addr Local 10.1.1.2 Remote 10.1.1.1 SSS Info Switch Handle 0x98000000 Ciruit 0x1B19510 L2X Encap [24 bytes] 45 00 00 00 00 00 00 00 FF 73 B7 86 01 01 01 02 01 01 01 01 00 00 D5 D6 Class: ADJ State: Active L2X H/W Switching Context: Session Id Local 16666 Remote 54742 Tunnel Endpoint Addr Local 10.1.1.2 Remote 10.1.1.1 Adjacency 0x1513348 [complete] PW IP, Virtual3:16666 L2X Encap [24 bytes] 45 00 00 00 00 00 00 00 FF 73 B7 86 01 01 01 02 01 01 01 01 00 00 D5 D6 Segment-ID: 4096 Type: FR[1] Switch-ID: 4096 Physical intf: Local Allocated By: This CPU Class: SSS State: Active AC Switching Context: Se2/0:200 SSS Info - Switch Handle=0x98000000 Ckt=0x1B194B0 Interworking 0 Encap Len 0 Boardencap Len 0 MTU 1584 Class: ADJ State: Active AC Adjacency context: adjacency = 0x1513618 [complete] RAW Serial2/0:200
Additional output displayed by this command is either self-explanatory or used only by Cisco engineers for internal debugging of SSM processes.
The following example shows sample output for the show ssm memory command:
Router# show ssm memory Allocator-Name In-use/Allocated Count ---------------------------------------------------------------------------- SSM CM API large segment : 208/33600 ( 0%) [ 1] Chunk SSM CM API medium segment : 144/20760 ( 0%) [ 1] Chunk SSM CM API segment info c : 104/160 ( 65%) [ 1] SSM CM API small segment : 0/19040 ( 0%) [ 0] Chunk SSM CM inQ interrupt msgs : 0/20760 ( 0%) [ 0] Chunk SSM CM inQ large chunk ms : 0/33792 ( 0%) [ 0] Chunk SSM CM inQ msgs : 104/160 ( 65%) [ 1] SSM CM inQ small chunk ms : 0/20760 ( 0%) [ 0] Chunk SSM DP inQ msg chunks : 0/10448 ( 0%) [ 0] Chunk SSM Generic CM Message : 0/3952 ( 0%) [ 0] Chunk SSM HW Class Context : 64/10832 ( 0%) [ 1] Chunk SSM ID entries : 144/11040 ( 1%) [ 3] Chunk SSM ID tree : 24/80 ( 30%) [ 1] SSM INFOTYPE freelist DB : 1848/2016 ( 91%) [ 3] SSM SEG Base : 240/34064 ( 0%) [ 2] Chunk SSM SEG freelist DB : 5424/5592 ( 96%) [ 3] SSM SH inQ chunk msgs : 0/5472 ( 0%) [ 0] Chunk SSM SH inQ interrupt chun : 0/5472 ( 0%) [ 0] Chunk SSM SW Base : 56/10920 ( 0%) [ 1] Chunk SSM SW freelist DB : 5424/5592 ( 96%) [ 3] SSM connection manager : 816/1320 ( 61%) [ 9] SSM seg upd info : 0/2464 ( 0%) [ 0] Chunk Total allocated: 0.246 Mb, 252 Kb, 258296 bytes
show subscriber policy dpm statistics
To display statistics for DHCP policy module (DPM) session contexts, use the show subscriber policy dpm statisticscommand in privileged EXEC mode.
Usage Guidelines
The show subscriber policy dpm statistics command displays cumulative information about the event traces that are captured for DPM session contexts. To clear the statistics, use the clear s ubscriber policy dpm statistics command.
Examples
The following is sample output from the show subscriber policy dpm statisticscommand.
Router# show subscriber policy dpm statistics
Message Received Duplicate Ignored Total
Discover Notification : 284 0 291
Offer Notification : 0 0 2
Address Assignment Notif : 2 0 2
DHCP Classname request : 0 290 290
Input Intf Override : 0 10 293
Lease Termination Notif : 0 0 2
Session Restart Request : 0 0 0
Response to DHCP request for classname
Average Time : Max Time :
MAC address for Max Time :
Response to DHCP Offer Notification
Average Time : 30ms Max Time : 36ms
MAC address for Max Time : aaaa.2222.cccc
Overall since last clear
Total Discover Init Sessions : 2
Total Restarted Sessions : 0
Average set up time for Discover initiated sessions : 2s26ms
Min set up time among Discover initiated sessions : 2s20ms
Max set up time among Discover initiated sessions : 2s32ms
Current active Sessions
Total Discover Init Sessions : 0
Total Restarted Sessions : 0
Average set up time for Discover initiated sessions :
Min set up time among Discover initiated sessions: 2s20ms
Max set up time among Discover initiated sessions :
MAC of session with Max DHCP Setup Time : aaaa.2222.cccc
Total number of DPM contexts allocated : 7
Total number of DPM contexts freed : 6
Total number of DPM contexts currently without session : 1
Elapsed time since counters last cleared : 2h15m20s
The table below describes some of the fields shown in the sample output, in alphabetical order.
| Table 15 | show subscriber policy dpm statistics Field Descriptions |
|
Field |
Description |
|---|---|
|
Average set up time for Discover initiated sessions |
Average amount of time that it took to set up a Discover initiated session, for overall sessions and currently active sessions. |
|
Elapsed time since counters last cleared |
Amount of time that has passed since the clear subscriber policy dpm statistics command was last used. |
|
MAC of session with Max DHCP Setup Time |
MAC address of the session with the longest DHCP setup time. |
|
Max set up time among Discover initiated sessions |
Amount of time that it took to set up the Discover initiated session with the longest setup time, for overall sessions and currently active sessions. |
|
Message Received |
Total number of messages that were received, by message type, and the number of messages that were duplicated or ignored. |
|
Min set up time among Discover initiated sessions |
Amount of time that it took to set up the Discover initiated session with the shortest setup time, for overall sessions and currently active sessions. |
|
Overall since last clear |
Cumulative statistics for all of the sessions that occurred since the last time the counters were cleared with the clear subscriber policy dpm statistics command. |
|
Total Discover Init Sessions |
Total number of Discover initiated sessions, for overall sessions and currently active sessions. |
|
Total Restarted Sessions |
Total number of sessions that were restarted, for overall sessions and currently active sessions. |
show subscriber policy peer
To display the details of a subscriber policy peer, use the show subscriber policy peer command in user EXEC or privileged EXEC mode.
Usage Guidelines
PUSH mode or PULL mode is established when the peering relationship between the Intelligent Services Gateway (ISG) and Service Control Engine (SCE) devices is initiated. PUSH mode refers to the ISG device pushing out information to the SCE device about a new session. PULL mode refers to the SCE device requesting session identity when it first notices new unidentified traffic.
Only one SCE device in PUSH mode can be integrated with the ISG device. If another SCE device in PUSH mode requests a connection with the ISG device, a disconnect message is sent to the first SCE device that is in PUSH mode.
Examples
The following is sample output from the show subscriber policy peercommand.
Router# show subscriber policy peer all Peer IP: 10.1.1.3 Conn ID: 105 Mode: PULL State: ACTIVE Version: 1.0 Conn up time: 00:01:01 Conf keepalive: 0 Negotiated keepalive: 25 Time since last keepalive: 00:00:11 Inform owner on pull: TRUE Total number of associated sessions: 2 Associated session details: 1E010101000000A0 1E010101000000A1
The table below describes some of the fields shown in the sample output.
show subscriber service
To display information about Intelligent Services Gateway (ISG) subscriber services, use the show subscriber service command in user EXEC or privileged EXEC mode.
Command History
| Release | Modification |
|---|---|
|
12.2(28)SB |
This command was introduced. |
|
12.2(33)SRC |
This command was modified. Support for this command was implemented on the Cisco 7600 series router. |
|
15.1(2)S |
This command was modified. The name keyword and service-name argument were added. |
|
Cisco IOS XE Release 3.3 |
This command was modified. The name keyword and service-name argument were added. |
Usage Guidelines
If you enter the show subscriber service command without any keywords or arguments, information is displayed for all services on the ISG router.
Examples
The following example shows output from the show subscriber service command for a service named platinum:
Router# show subscriber service name platinum
Service "Platinum":
Profile name: Platinum, 4 references
traffic-class "input access-group 102"
policy-directive "authenticate aaa list PPP1"
Class Id In: 00000002
Class Id Out: 00000003
Current Subscriber Information using service "Platinum":
Total sessions: 1
Codes: lterm - Local Term, fwd - forwarded, unauth - unathenticated, authen -
authenticated, TC Ct. - Number of Traffic Classes on the main session
Uniq ID Interface State Service Up-time TC Ct. Identifier
1 IP auth lterm 19:32:05 2 jsmith
The following example shows output from the show subscriber service command using the name and detailed keywords:
Router# show subscriber service name platinum detailed
Service "Platinum":
Version 1:
SVM ID : DC000001
Class Id In: 00000000
Class Id Out: 00000001
Locked by : SVM-Printer [1]
Locked by : PM-Service [1]
Locked by : PM-Info [1]
Locked by : FM-Bind [1]
Locked by : Accounting-Feature [1]
Profile : 07703430
Profile name: Platinum, 3 references
password <hidden>
username "Platinum"
accounting-list "default"
Feature : Accounting
Feature IDB type : Sub-if or not required
Feature Data : 24 bytes:
: 000000 00 00 DC 00 00 01 07 6F .......o
: 000008 CB C8 00 00 04 0F 00 00 ........
: 000010 00 03 00 00 00 00 00 00 ........
Current Subscriber Information using service "Platinum"
Total sessions: 1
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen -
authenticated, TC Ct. - Number of Traffic Classes on the main session
Uniq ID Interface State Service Up-time TC Ct. Identifier
1 IP authen Lterm 00:26:02 1 jsmith
The table below describes the significant fields shown in the displays, in alphabetical order.
| Table 17 | show subscriber service Field Descriptions |
|
Field |
Description |
|---|---|
|
accounting-list |
AAA method list to which accounting updates are sent. |
|
Child ID |
Identifier of the parent session. |
|
Class Id In |
Class identifier of the class used by the service in the input direction. |
|
Class Id Out |
Class identifier of the class used by the service in the output direction. |
|
Parent ID |
Identifier of the parent session. |
|
policy-directive |
Directive defined in the service profile to authenticate the service at the specified server. |
|
SVM ID |
Service manager identifier. |
|
State |
Indicates whether the session has been authenticated or is unauthenticated. |
|
Total sessions |
Number of main sessions on the ISG. |
|
traffic-class |
Traffic class used by the service. |
|
Uniq ID |
Unique session identifier. |
show subscriber session
To display information about Intelligent Services Gateway (ISG) subscriber sessions, use the show subscriber session command in privileged EXEC mode.
Syntax Description
|
identifier identifier |
(Optional) Displays information about subscriber sessions that match the specified identifier. Valid keywords and arguments are:
|
|
|
|
uid session-identifier |
(Optional) Displays information for sessions with the specified unique identifier. |
|
username username |
(Optional) Displays information for sessions associated with the specified username. |
|
detailed |
(Optional) Displays detailed information about sessions. |
|
feature feature-name |
(Optional) Displays information for specific Layer 2 features installed on the parent session. To display feature names, use the question mark (?) online help function. Valid keywords and arguments are one or more of the following:
|
|
flow service service-name |
(Optional) Displays detailed information about the specified flow service installed on the parent session. |
Command History
|
Release |
Modification |
|---|---|
|
12.2(28)SB |
This command was introduced. |
|
12.2(33)SRC |
This command was modified. Support for this command was implemented on the Cisco 7600 series router. |
|
15.0(1)S |
This command replaced the show sss session command. |
|
15.1(2)S |
This command was modified. The feature feature-name and flow service service-name keyword-argument pairs were added. The output for the identifier, uid, and username keywords was enhanced to include classifier information. |
|
Cisco IOS XE Release 3.3S |
This command was modified. The feature feature-name and flow service service-name keyword-argument pairs were added. The output for the identifier, uid, and username keywords was enhanced to include classifier information. |
|
Cisco IOS XE Release 3.4S |
This command was modified. The output was enhanced to include information about IPv6 sessions, and the tariff-switching keyword was added for the feature-name argument. |
|
Cisco IOS XE Release 3.5S |
This command was modified. The output for the detailed keyword was enhanced to include the IP address of sessions. |
Usage Guidelines
If the show subscriber session command is entered without any keywords or arguments, information is displayed for all sessions on the ISG router. When an identifier is specified, information is displayed for only those sessions that match the identifier.
Examples
The following is sample output from the show subscriber session command:
Router# show subscriber session
Current Subscriber Information: Total sessions 1
Uniq ID Interface State Service Up-time TC Ct. Identifier
1 IP authen lterm 00:27:18 1 10.10.10.10
2 Vi3 authen lterm 00:09:04 1 rouble-pppoe
The following is sample output from the show subscriber session command with the uid and flow service keywords specifying the service named Gold:
Router# show subscriber session uid 1 flow service Gold
Codes: Class-id - Classification Identifier, Pri. - Priority
--------------------------------------------------
Type: IP, UID: 1, Identity: user1, State: authen
Session Up-time: 00:05:20, Last Changed: 00:04:56
Switch-ID: 4096
Service Name: Gold, Active Time = 00:05:20
Classifiers:
Class-id Dir Packets Bytes Pri. Definition
3 Out 0 0 0 Match ACL 101
2 In 0 0 0 Match ACL 101
Features:
L4 Redirect:
Class-id Rule cfg Definition Source
2 #1 SVC to ip 10.0.2.2 Gold
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
2 In 8000 1000 1000 Gold
3 Out 8000 1000 1000 Gold
The following is sample output from the show subscriber session command with the uid and feature keywords specifying the accounting feature:
Router# show subscriber session uid 1 feature accounting
Type: IP, UID: 1, Identity: user1, State: authen
Session Up-time: 00:05:50, Last Changed: 00:05:26
Switch-ID: 4096
Features:
Accounting:
Class-id Dir Packets Bytes Source
0 In 1 100 Platinum
1 Out 0 0 Platinum
The following is sample output from the show subscriber session command with the detailed keyword.
Note | The Classifiers section does not display in the detailed output on the Cisco 7600 series router. |
Router# show subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: IP, UID: 1, Identity: user1, State: authen
IPv4 Address: 192.0.2.1
Session Up-time: 00:04:51, Last Changed: 00:04:27
Switch-ID: 4096
Policy information:
Context 076B8F48: Handle 50000001
AAA_id 0000000C: Flow_handle 0
Authentication status: authen
Downloaded User profile, excluding services:
sub-qos-policy-in "QoSGold"
sub-qos-policy-out "QoSSilver"
prepaid-config "default"
Downloaded User profile, including services:
accounting-list "default"
username "Gold"
traffic-class "output access-group 101"
traffic-class "input access-group 101"
l4redirect "redirect to ip 10.0.2.2"
ssg-service-info "QU;8000;1000;1000;D;8000;1000;1000"
sub-qos-policy-in "QoSGold"
sub-qos-policy-out "QoSSilver"
prepaid-config "default"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: SM
Policy event: Apply Config Success (Unapplied) (Service)
Profile name: prep_service, 9 references
traffic-class "input access-group 102"
traffic-class "output access-group 102"
Access-type: Web-user-logon Client: Account Command-Handler
Policy event: Got More Keys
Profile name: user1, 2 references
sub-qos-policy-in "QoSGold"
sub-qos-policy-out "QoSSilver"
prepaid-config "default"
Access-type: Web-service-logon Client: SM
Policy event: Apply Config Success (Unapplied) (Service)
Profile name: prep_service, 9 references
traffic-class "input access-group 102"
traffic-class "output access-group 102"
Access-type: Web-service-logon Client: SM
Policy event: Apply Config Success (Unapplied) (Service)
Profile name: prep_service, 9 references
traffic-class "input access-group 102"
traffic-class "output access-group 102"
Access-type: IP Client: SM
Policy event: Service Selection Request (Service)
Profile name: prep_service, 9 references
traffic-class "input access-group 102"
traffic-class "output access-group 102"
Access-type: IP Client: SM
Policy event: Service Selection Request (Service)
Profile name: Gold, 3 references
password <hidden>
username "Gold"
traffic-class "output access-group 101"
traffic-class "input access-group 101"
l4redirect "redirect to ip 10.0.2.2"
ssg-service-info "QU;8000;1000;1000;D;8000;1000;1000"
Access-type: IP Client: SM
Policy event: Service Selection Request (Service)
Profile name: Platinum, 3 references
password <hidden>
username "Platinum"
accounting-list "default"
Active services associated with session:
name "Gold", applied before account logon
name "Platinum", applied before account logon
Rules, actions and conditions executed:
subscriber rule-map RULEB
condition always event session-start
1 service-policy type service name Platinum
2 service-policy type service name Gold
3 service-policy type service name prep_service
subscriber rule-map RULEB
condition always event account-logon
1 authenticate aaa list PPP1
Classifiers:
Class-id Dir Packets Bytes Pri. Definition
0 In 1 100 0 Match Any
1 Out 0 0 0 Match Any
2 In 0 0 0 Match ACL 101
3 Out 0 0 0 Match ACL 101
Features:
IP Config:
M=Mandatory, T=Tag, Mp=Mandatory pool
Flags Peer IP Address Pool Name Interface
172.16.0.0 pool2 Lo0
:: pppv6_1 Lo0
QoS Policy Map:
Class-id Dir Policy Name Source
0 In QoSGold Peruser
1 Out QoSSilver Peruser
Accounting:
Class-id Dir Packets Bytes Source
0 In 1 100 Platinum
1 Out 0 0 Platinum
L4 Redirect:
Class-id Rule cfg Definition Source
2 #1 SVC to ip 10.0.2.2 Gold
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
2 In 8000 1000 1000 Gold
3 Out 8000 1000 1000 Gold
Configuration Sources:
Type Active Time AAA Service ID Name
SVC 00:04:51 - Gold
USR 00:04:27 - Peruser
SVC 00:04:51 570425346 Platinum
INT 00:04:51 - Ethernet0/0
The table below describes the significant fields shown in the displays, in alphabetical order.
| Table 18 | show subscriber session Field Descriptions |
|
Field |
Description |
|---|---|
|
Class-id |
Classification identifier in inbound and outbound directions. |
|
Definition |
Class definition for match criteria. |
|
Dir |
Direction of the class, either in or out. |
|
Identifier |
Username that is used for authorization. |
|
Interface |
Interface is displayed for main sessions. For traffic flows, the value "Traffic-Cl" is displayed. |
|
Packets |
Number of packets classified in a particular class. |
|
Pri. |
Configured priority of the class. |
|
Rules, actions and conditions executed |
Control policy rules, actions, and control class maps (conditions) that have been executed for the session. |
|
Service |
Possible values include: |
|
State |
Indicates whether the session is authenticated or unauthenticated. |
|
Total sessions |
Number of main sessions on the ISG. |
|
Up-time |
Length of time (in hh:mm:ss format) for which the session is running. |
|
Uniq ID |
Unique session identifier. |
show subscriber statistics
To display statistics about Intelligent Services Gateway (ISG) subscriber sessions, use the show subscriber statistics command in privileged EXEC mode.
Syntax Description
|
identifier identifier |
(Optional) Displays information about subscriber sessions that match the specified identifier. Valid keywords and arguments are:
|
Command History
| Release | Modification |
|---|---|
|
12.2(28)SB |
This command was introduced. |
|
12.2(33)SRC |
This command was modified. Support for this command was implemented on the Cisco 7600 series router. |
|
15.1(2)S |
This command was modified. The output was enhanced to include statistics on flows and features. |
|
Cisco IOS XE Release 3.3 |
This command was modified. The output was enhanced to include statistics on flows and features. |
Usage Guidelines
If you enter the show subscriber statistics command without any keywords or arguments, statistics are displayed for all sessions on the ISG router.
Examples
The following is sample output from the show subscriber statistics command:
Router# show subscriber statistics
Current Subscriber Statistics:
Number of sessions currently up: 1
Number of sessions currently pending: 0
Number of sessions currently authenticated: 1
Number of sessions currently unauthenticated: 0
Highest number of sessions ever up at one time: 1
Mean up-time duration of sessions: 00:06:55
Total number of sessions up so far: 1
Mean call rate per minute: 0, per hour: 1
Number of sessions failed to come up: 0
Current Flow Statistics:
Number of flows currently up: 1
Highest number of flows ever up at one time: 2
Mean up-time duration of flows: 00:03:29
Number of flows failed to come up: 0
Total number of flows up so far: 2
Access type based session count:
IP sessions = 1
Feature Installation Count:
Direction
Feature Name None Inbound Outbound
QoS Policy Map 0 1 1
Accounting 0 1 1
L4 Redirect 0 1 1
Policing 0 1 1
The table below describes the significant fields shown in the displays, in alphabetical order.
| Table 19 | show subscriber statistics Field Descriptions |
|
Field |
Description |
|---|---|
|
Access type based session count |
Number of PPPoE and IP sessions. |
|
Current Flow Statistics |
Statistics about flows installed on parent sessions. |
|
Feature Installation Count |
Names of the features installed on parent sessions and the number of instances of each feature in the inbound, outbound, and non-data path direction. |
|
Mean call rate per minute, per hour |
Total number of sessions that have come up per minute, and per hour, since the router has been up or since the last statistics were cleared. |
|
Mean up-time duration of sessions |
Mean amount of time that a session is up for all sessions. |
show subscriber trace statistics
To display statistics about the event traces for Intelligent Services Gateway (ISG) subscriber sessions that were saved to the history log, use the show subscriber trace statisticscommand in user EXEC or privileged EXEC mode.
Usage Guidelines
The show subscriber trace statisticscommand displays cumulative statistics about the event traces that were saved to the history log when the subscriber trace history command is enabled. Individual statistics display for each of the modules. To clear the trace history logs, use the clear subscriber trace history command.
Examples
The following is sample output from the show subscriber trace statisticscommand, showing information for both the DPM and the PM.
Router# show subscriber trace statistics
Event Trace History Statistics: DPM
Logging enabled
All time max records: 5
Max records: 5
Current records: 5
Current log size: 200
Proposed log size 200
Oldest, newest index: 0 : 4
Event Trace History Statistics: Policy Manager
Logging enabled
All time max records: 4
Max records: 4
Current records: 4
Current log size: 64
Proposed log size 64
Oldest, newest index: 0 : 3
The table below describes some of the fields shown in the sample output, in the order in which they display.
| Table 20 | show subscriber trace statistics Field Descriptions |
|
Field |
Description |
|---|---|
|
Logging enabled/disabled |
Displays whether history logging is enabled with the subscriber trace history command. |
|
All time max records |
Maximum number of trace records that were ever saved in this history log. |
|
Max records |
Number of trace records that were saved in this history log before it was last cleared. |
|
Current records |
Number of trace records that are currently saved in this history log. |
|
Current log size |
Number of trace records that can be saved in this history log. |
|
Proposed log size |
Number of records that can be saved to the history log as defined by the subscriber trace history command. This value becomes the current log size when the log is cleared with the clear subscriber trace historycommand. |
|
Oldest, newest index |
Oldest and newest indexes of the array that is used to store the records saved to the history log. |
Related Commands
|
Command |
Description |
|---|---|
|
clear subscriber trace history |
Clears the trace history log for ISG subscriber sessions. |
|
show subscriber trace history |
Displays the event traces for ISG subscriber sessions that are saved in the trace history log. |
|
subscriber trace event |
Enables event tracing for software components involved in ISG subscriber sessions. |
|
subscriber trace history |
Enables saving the event traces for ISG subscriber sessions to a history log. |