Table Of Contents

match access-group (ISG)

match access-list

match authen-status

match authenticated-domain

match authenticated-username

match dnis

match media

match mlp-negotiated

match nas-port

match no-username

match protocol (ISG)

match service-name

match source-ip-address

match timer

match tunnel-name

match unauthenticated-domain

match unauthenticated-username

match vrf

message-authenticator ignore

method-list

password (ISG)

police (ISG)

policy-map

policy-map type control

policy-map type service

policy-name

policy-peer

port

prepaid config

proxy (ISG RADIUS proxy)

proxy (RADIUS proxy)

radius-server attribute 31

radius-server attribute nas-port-id include

redirect server-group

redirect to (ISG)

server

server-key

service (ISG)

service deny (ISG)

service local (ISG)

service relay (ISG)

service vpdn group (ISG)

service-monitor

service-policy

service-policy type control

service-policy type service

session-identifier (ISG)

set-timer

sg-service-group

sg-service-type

sg-service-type external policy

show ccm clients

show ccm queues

show ccm sessions

show class-map type control

show class-map type traffic

show idmgr

show interface monitor

show ip portbundle ip

show ip portbundle status

show ip subscriber

show policy-map type control

show policy-map type service

show processes cpu monitor

show pxf cpu isg

show radius-proxy client

show radius-proxy session

show redirect group

show redirect translations

show ssm

show subscriber policy peer

show subscriber session

source

subscriber feature prepaid

subscriber redundancy

threshold (ISG)

timeout absolute (ISG)

timeout idle

timer (ISG RADIUS proxy)

match access-group (ISG)

To configure the match criteria for an Intelligent Services Gateway (ISG) traffic class map on the basis of the specified access control list (ACL), use the match access-group command in traffic class-map configuration mode. To remove ACL match criteria from a class map, use the no form of this command.

match access-group {input | output} {access-group | name access-group-name}

no match access-group {input | output} {access-group | name access-group-name}

Syntax Description

input	Specifies match criteria for input traffic.
output	Specifies match criteria for output traffic.
access-group	A numbered ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to this class. An ACL number can be a number from 1 to 2799.
name access-group-name	A named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to this class. The name can be a maximum of 40 alphanumeric characters

Command Default

No match criteria are configured.

Command Modes

Traffic class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match access-group command specifies a numbered or named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the class. Packets satisfying the match criteria for a class constitute the traffic for that class.

To use the match access-group command for traffic classes, you must first enter the class-map type traffic command to specify the name of the traffic class whose match criteria you want to establish.

Once a traffic class map has been defined, use the class type traffic command to associate the traffic class map with a service policy map. A service can contain one traffic class, and the default class.

ISG traffic classes allow subscriber session traffic to be subclassified so that ISG features can be applied to constituent flows. Traffic policies, which define the handling of data packets, contain a traffic class and one or more features.

Examples

The following example configures a class map called "acl144" and specifies the ACL numbered 144 to be used as the input match criterion for this class:

class-map type traffic match-any acl144 

 match access-group input 144 

Related Commands

Command	Description
class-map type traffic	Creates or modifies a traffic class map, which is used for matching packets to a specified ISG traffic class
class type traffic	Specifies a named traffic class whose policy you want to create or change or specifies the default traffic class in order to configure its policy.

match access-list

To specify packets for port-mapping by specifying an access list to compare against the subscriber traffic, use the destination access-list command in portbundle configuration mode. To remove this specification, use the no form of this command.

match access-list access-list-number

no match access-list access-list-number

Syntax Description

access-list-number

Integer from 100 to 199 that is the number or name of an extended access list.

Command Default

The Intelligent Services Gateway (ISG) port-maps all TCP traffic.

Command Modes

IP portbundle configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

You can use multiple entries of the match access-list command. The access lists are checked against the subscriber traffic in the order in which they are defined.

Examples

In the following example, the ISG will port-map packets that are permitted by access list 100:

ip portbundle

 match access-list 100

 source ip Ethernet0/0/0

!

.

.

.

!

access-list 100 permit ip 10.0.0.0 0.255.255.255 host 10.13.6.100

access-list 100 deny   ip any any

Related Commands

Command	Description
ip portbundle (service)	Enables the ISG Port-Bundle Host Key feature for a service.
show ip portbundle ip	Displays information about a particular ISG port bundle.
show ip portbundle status	Displays information about ISG port-bundle groups.

match authen-status

To create a condition that will evaluate true if a subscriber's authentication status matches the specified authentication status, use the match authen-status command in control class-map configuration mode. To remove the condition, use the no form of this command.

match authen-status {authenticated | unauthenticated}

no match authen-status {authenticated | unauthenticated}

Syntax Description

authenticated	Subscriber has been authenticated.
unauthenticated	Subscriber has not been authenticated.

Command Default

A condition that will evaluate true if a subscriber's authentication status matches the specified authentication status is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match authen-status command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.

class-map type type control match-all CONDA

 match authen-status unauthenticated

 match timer TIMERA

policy-map type control RULEA

 class type control always event session-start     

  1 set-timer TIMERA 1 [minutes]

!

class type control CONDA event timed-policy-expiry

 1 service disconnect

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match authenticated-domain

To create a condition that will evaluate true if a subscriber's authenticated domain matches the specified domain, use the match authenticated-domain command in control class-map configuration mode. To remove the condition, use the no form of this command.

match authenticated-domain {domain-name | regexp regular-expression}

no match authenticated-domain

Syntax Description

domain-name	Domain name.
regexp regular-expression	Regular expression to be matched against subscriber's authenticated domain name.

Command Default

A condition that will evaluate true if a subscriber's authenticated domain matches the specified domain is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match authenticated-domain command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example creates a control class map that will evaluate true if a subscriber's domain matches the regular expression ".*com".

class-map type control match-all MY-CONDITION1

 match authenticated-domain regexp ".*com"

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match authenticated-username

To create a condition that will evaluate true if a subscriber's authenticated username matches the specified username, use the match authenticated-username command in control class-map configuration mode. To remove the condition, use the no form of this command.

match authenticated-username {username | regexp regular-expression}

no match authenticated-username {username | regexp regular-expression}

Syntax Description

username	Username
regexp regular-expression	Matches the regular expression against the subscriber's authenticated username.

Command Default

A condition is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match authenticated-username command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".

class-map type control match-all class3

   match identifier authenticated-username regexp "user@.*com" 

   match identifier authenticated-domain regexp ".*com" 

! 

policy-map type control rule4

  class type control class3 event session-start

   1 authorize identifier authenticated-username

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match dnis

To create a condition that will evaluate true if a subscriber's Dialed Number Identification Service number (DNIS number, also referred to as called-party number) matches the specified DNIS, use the match dnis command in control class-map configuration mode. To remove the condition, use the no form of this command.

match dnis {dnis | regexp regular-expression}

no match dnis {dnis | regexp regular-expression}

Syntax Description

dnis	DNIS number.
regexp regular-expression	Matches the regular expression against the subscriber's DNIS number.

Command Default

A condition that will evaluate true if a subscriber's DNIS number matches the specified DNIS is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match dnis command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".

class-map type control match-all class3

   match dnis reg-exp 5550100 

! 

policy-map type control rule4

  class type control class3 event session-start

   1 authorize identifier dnis!

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match media

To create a condition that will evaluate true if a subscriber's access media type matches the specified media type, use the match media command in control class-map configuration mode. To remove the condition, use the no form of this command.

match media {async | atm | ether | ip | isdn | mpls | serial}

no match media {async | atm | ether | ip | isdn | mpls | serial}

Syntax Description

async	Asynchronous media.
atm	ATM.
ether	Ethernet.
ip	IP.
isdn	ISDN.
mpls	Multiprotocol Label Switching (MPLS).
serial	Serial.

Command Default

A condition that will evaluate true if a subscriber's access media type matches the specified media type is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match media command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example configures a control class map that evaluates true for subscribers that enter the router through Ethernet interface slot 3.

class-map type control match-all MATCHING-USERS

 match media ether

 match nas-port type ether slot 3

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match mlp-negotiated

To create a condition that will evaluate true depending on whether or not a subscriber's session was established using multilink PPP negotiation, use the match mlp-negotiated command in control class-map configuration mode. To remove the condition, use the no form of this command.

match mlp-negotiated {no | yes}

no match mlp-negotiated {no | yes}

Syntax Description

no	The subscriber's session was not multilink PPP negotiated.
yes	The subscriber's session was multilink PPP negotiated.

Command Default

A condition is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match mlp-negotiated command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map configured with the match mlp-negotiated command:

class-map type control match-all class3

   match mlp-negotiated yes

 !

 policy-map type control rule4

  class type control class3 event session-start

   1 authorize authenticated-username

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match nas-port

To create a condition that will evaluate true if a subscriber's network access server (NAS) port identifier matches the specified value, use the match nas-port command in control class-map configuration mode. To remove the condition, use the no form of this command.

match nas-port {adapter adapter-number | channel channel-number | circuit-id name | ipaddr ip-address | port port-number | remote-id name | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

no match nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

Syntax Description

adapter adapter-number	Interface adapter number.
channel channel-number	Interface channel number.
circuit-id name	Circuit ID
ipaddr ip-address	IP address.
port port-number	Port number.
remote-id name	Remote ID.
shelf shelf-number	Interface shelf number.
slot slot-number	Slot number.
sub-interface sub-interface-number	Subinterface number.
type interface-type	Interface type.
vci vci-number	Virtual channel identifier.
vlan vlan-id	VLAN ID.
vpi vpi-number	Virtual path identifier.

Command Default

A condition that will evaluate true if a subscriber's NAS port identifier matches the specified value is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match nas-port command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example configures a control class map that evaluates true on PPPoE subscribers that enter the router through Ethernet interface slot 3.

class-map type control match-all MATCHING-USERS

 class type control name NOT-ATM

 match media ether

 match nas-port type ether slot 3

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match no-username

To create a condition that will evaluate true if a subscriber's username is available, use the match no-username command in control class-map configuration mode. To remove the condition, use the no form of this command.

match no-username {no | yes}

no match no-username {no | yes}

Syntax Description

no	The subscriber's username is available.
yes	The subscriber's username is not available.

Command Default

A condition that will evaluate true if a subscriber's username is available is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match no-username command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map configured with the match no-username command:

class-map type control match-all class3

   match no-username yes

 !

 policy-map type control rule4

  class type control class3 event session-start

   1 service local

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match protocol (ISG)

To create a condition that will evaluate true if a subscriber's access protocol type matches the specified protocol type, use the match protocol command in control class-map configuration mode. To remove the condition, use the no form of this command.

match protocol {atom | ip | pdsn | ppp | vpdn}

no match protocol {atom | ip | pdsn | ppp | vpdn}

Syntax Description

atom	Any Transport over MPLS (AToM).
ip	IP.
pdsn	Packet Data Serving Node (PDSN).
ppp	Point-to-Point Protocol (PPP).
vpdn	Virtual Private Dialup Network (VPDN).

Command Default

A condition that will evaluate true if a subscriber's access protocol type matches the specified protocol type is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match protocol command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example creates a control class map that evaluates true if subscribers arrive from a VPDN tunnel:

 class-map type control match-any MY-CONDITION

  match protocol vpdn

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match service-name

To create a condition that will evaluate true if the service name associated with a subscriber matches the specified service name, use the match service-name command in control class-map configuration mode. To remove the condition, use the no form of this command.

match service-name {service-name | regexp regular-expression}

no service-name {service-name | regexp regular-expression}

Syntax Description

service-name	Service name.
regexp regular-expression	Regular expression to be matched against subscriber's service name.

Command Default

A condition that will evaluate true if the service name associated with a subscriber matches the specified service name is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match service-name command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example configures ISG to authenticate subscribers associated with the service before downloading the service:

aaa authentication login AUTHEN local

aaa authorization network SERVICE group radius

!

class-map type control match-any MY-CONDITION2

 match service-name "gold"

 match service-name "bronze"

 match service-name "silver"

!

policy-map type control MY-RULE2

 class type control MY-CONDITION2 event service-start

  1 authenticate aaa list AUTHEN

  2 service-policy type service aaa list SERVICE identifier service-name

!

service-policy type control MY-RULE2

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match source-ip-address

To create a condition that will evaluate true if a subscriber's source IP address matches the specified IP address, use the match source-ip-address command in control class-map configuration mode. To remove the condition, use the no form of this command.

match source-ip-address ip-address subnet-mask

no match source-ip-address ip-address subnet-mask

Syntax Description

ip-address	IP address.
subnet-mask	Subnet mask.

Command Default

A condition that will evaluate true if a subscriber's source IP address matches the specified IP address is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match source-ip-address command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".

class-map type control match-all class3

 match source-ip-address 10.0.0.0 255.255.255.0 

!

policy-map type control rule4

 class type control class3 event session-start

  1 authorize identifier source-ip-address

!

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match timer

To create a condition that will evaluate true when the specified timer expires, use the match timer command in control class-map configuration mode. To remove the condition, use the no form of this command.

match timer {timer-name | regexp regular-expression}

no match timer {timer-name | regexp regular-expression}

Syntax Description

timer-name	Name of the policy timer.
regexp regular-expression	Regular expression to be matched against the timer name.

Command Default

A condition that will evaluate true when the specified timer expires is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match timer command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.

class-map type control match-all CONDA

 match authen-status unauthenticated

 match timer TIMERA

policy-map type control RULEA

 class type control always event session-start     

  1 set-timer TIMERA 1

!

class type control CONDA event timed-policy-expiry

 1 service disconnect

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match tunnel-name

To create a condition that will evaluate true if a subscriber's Virtual Private Dialup Network (VPDN) tunnel name matches the specified tunnel name, use the match tunnel-name command in control class-map configuration mode. To remove the condition, use the no form of this command.

match tunnel-name {tunnel-name | regexp regular-expression}

no match tunnel-name {tunnel-name | regexp regular-expression}

Syntax Description

tunnel-name	VPDN tunnel name.
regexp regular-expression	Regular expression to be matched against the subscriber's tunnel name.

Command Default

A condition that will evaluate true if a subscriber's VPDN tunnel name matches the specified tunnel name is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match tunnel-name command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".

class-map type control match-all class3

  match tunnel-name LAC

!

policy-map type control rule4

 class type control class3 event session-start

  1 authorize identifier tunnel-name

!

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match unauthenticated-domain

To create a condition that will evaluate true if a subscriber's unauthenticated domain name matches the specified domain name, use the match unauthenticated-domain command in control class-map configuration mode. To remove the condition, use the no form of this command.

match unauthenticated-domain {domain-name | regexp regular-expression}

no match unauthenticated-domain {domain-name | regexp regular-expression}

Syntax Description

domain-name	Domain name.
regexp regular-expression	Regular expression to be matched against subscriber's domain name.

Command Default

A condition that will evaluate true if a subscriber's unauthenticated domain name matches the specified domain name is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match unauthenticated-domain command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example configures a control class map that evaluates true for subscribers with the unauthenticated domain "abc.com":

class-map type control match-all MY-FORWARDED-USERS        

 match unauthenticated-domain "xyz.com"        

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match unauthenticated-username

To create a condition that will evaluate true if a subscriber's unauthenticated username matches the specified username, use the match unauthenticated-username command in control class-map configuration mode. To remove the condition, use the no form of this command.

match unauthenticated-username {username | regexp regular-expression}

no match unauthenticated-username {username | regexp regular-expression}

Syntax Description

username	Username.
regexp regular-expression	Regular expression to be matched against the subscriber's username.

Command Default

A condition that will evaluate true if a subscriber's unauthenticated username matches the specified username is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match unauthenticated-username command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".

class-map type control match-all class3

   match identifier unauthenticated-username regexp "user@.*com" 

! 

policy-map type control rule4

  class type control class3 event session-start

   1 authorize identifier unauthenticated-username!

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match vrf

To create a condition that evaluates true if a subscriber's VPN routing and forwarding instance (VRF) matches the specified VRF, use the match vrf command in control class-map configuration mode. To remove this condition, use the no form of this command.

match vrf {vrf-name | regexp regular-expression}

no match vrf {vrf-name | regexp regular-expression}

Syntax Description

vrf-name	Name of the VRF.
regexp regular-expression	Regular expression to be matched against the subscriber's VRF.

Command Default

A condition that will evaluate true if a subscriber's VRF matches the specified VRF is not created.

Command Modes

Control class-map configuration

Command History

Release	Modification
12.2(31)SB2	This command was introduced.

Usage Guidelines

The match vrf command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example configures a policy that will be applied to subscribers who belong to the VRF "FIRST".

class-map type control TEST

 match vrf FIRST

policy-map type control GLOBAL

 class type control TEST event session-start

  1 service-policy type service name FIRST-SERVICE

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.

message-authenticator ignore

To disable message-authenticator validation of packets from RADIUS clients, use the message-authenticator ignore command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To reenable message-authenticator validation, use the no form of this command.

message-authenticator ignore

no message-authenticator ignore

Syntax Description

This command has no arguments or keywords.

Command Default

Message-authenticator validation is performed.

Command Modes

RADIUS proxy server configuration
RADIUS proxy client configuration

Command History

Release	Modification
12.2(31)SB2	This command was introduced.

Usage Guidelines

Use the message-authenticator ignore command when validation of the source of RADIUS packets is not required or in situations in which a RADIUS client is not capable of filling the message-authenticator field in the RADIUS packet.

Examples

The following example disables message-authenticator validation:

aaa server radius proxy 

 message-authenticator ignore 

Related Commands

Command	Description
aaa server radius proxy	Enables ISG RADIUS proxy configuration mode, in which ISG RADIUS proxy parameters can be configured.

method-list

To specify the authentication, authorization, and accounting (AAA) method list to which the Intelligent Services Gateway (ISG) will send prepaid accounting updates or prepaid authorization requests, use the method-list command in ISG prepaid configuration mode. To reset to the default value, use the no form of this command.

method-list {accounting | authorization} name-of-method-list

no method-list {accounting | authorization}name-of-method-list

Syntax Description

accounting	Specifies the AAA method list for ISG prepaid accounting.
authorization	Specifies the AAA method list for ISG prepaid authorization.
name-of-method-list	Name of the AAA method list to which ISG will send accounting updates or authorization requests.

Command Default

A method list is not specified.

Command Modes

Prepaid configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The AAA method list that is specified by the method-list command must be configured by using the aaa accounting command. See the Cisco IOS Security Configuration Guide for information about configuring AAA method lists, server groups, and servers.

Examples

The following example shows an ISG prepaid feature configuration in which a method list called "ap-mlist" is specified for prepaid accounting and the default method list is specified for prepaid authorization:

subscriber feature prepaid conf-prepaid

 interim-interval 5

 threshold time 20

 threshold volume 0

 method-list accounting ap-mlist

 method-list authorization default

 password cisco

Related Commands

Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.
prepaid config	Enables prepaid billing for an ISG service and references a configuration of prepaid billing parameters.
subscriber feature prepaid	Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile

password (ISG)

To specify the password that the Intelligent Services Gateway (ISG) will use in authorization and reauthorization requests, use the password command in prepaid configuration mode. To reset the password to the default, use the no form of this command.

password password

no password password

Syntax Description

password

Password that the ISG will use in authorization and reauthorization requests. The default password is cisco.

Command Default

ISG uses the default password (cisco).

Command Modes

Prepaid configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Examples

The following example shows an ISG prepaid feature configuration in which the password is "pword" :

subscriber feature prepaid conf-prepaid

 interim-interval 5

 threshold time 20

 threshold volume 0

 method-list accounting ap-mlist

 method-list authorization default

 password pword

Related Commands

Command	Description
prepaid config	Enables prepaid billing for an ISG service and references a configuration of prepaid billing parameters.
subscriber feature prepaid	Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile.

police (ISG)

To configure Intelligent Services Gateway (ISG) policing, use the police command in service policy-map class configuration mode. To disable upstream policing, use the no form of this command.

police {input | output} committed-rate [normal-burst excess-burst]

no police {input | output} committed-rate [normal-burst excess-burst]

Syntax Description

input	Specifies policing of upstream traffic, which is traffic flowing from the subscriber toward the network.
output	Specifies policing of upstream traffic, which is traffic flowing from the network toward the subscriber.
committed-rate	Amount of bandwidth, in bits per second, to which a subscriber is entitled. Range is from 8000 to 1000000000.
normal-burst	(Optional) Normal burst size, in bytes. Range is from 1000 to 512000000. If the normal burst size is not specified, it is calculated from the committed rate using the following formula: Normal burst = 1.5 * committed rate (scaled and converted to byte per msec)
excess-burst	(Optional) Excess burst size, in bytes. Range is from 1000 to 512000000. If the excess burst is not specified, it is calculated from the normal burst value using the following formula: Excess burst = 2 * normal burst

Command Default

ISG policing is not enabled.

Command Modes

Service policy-map class configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

ISG policing supports policing of upstream and downstream traffic and can be applied to a session or a flow.

Session-based policing applies to the aggregate of subscriber traffic for a session.

Session-based policing parameters can be configured on a AAA server in either a user profile or a service profile that does not specify a traffic class. It can also be configured on the router in a service policy map by using the police command. Session-based policing parameters that are configured in a user profile take precedence over session-based policing parameters configured in a service profile or service policy map.

Flow-based policing applies only to the destination-based traffic flows that are specified by a traffic class.

Flow-based policing can be configured on a AAA server in a service profile that specifies a traffic class. It can also be configured on the router under a traffic class in a service policy map by using the police command. Flow-based policing and session-based policing can coexist and operate simultaneously on subscriber traffic.

Examples

The following example shows the configuration of flow-based ISG policing in a service policy map:

class-map type traffic match-any C3

 match access-group in 103

 match access-group out 203 

policy-map type service P3

 class type traffic C3

  police input 20000 30000 60000

  police output 21000 31500 63000

Related Commands

Command	Description
class type traffic	Associates a previously configured traffic class to a service policy map.
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG service.

policy-map

To enter policy-map configuration mode and create or modify a policy map that can be attached to one or more interfaces to specify a service policy, use the policy-map command in global configuration mode. To delete a policy map, use the no form of this command.

Supported Platforms Other Than Cisco 10000 and Cisco 7600 Series Routers

policy-map [type {stack | access-control | port-filter | queue-threshold | logging log-policy}] policy-map-name

no policy-map [type {stack | access-control | port-filter | queue-threshold | logging log-policy}] policy-map-name

Cisco 10000 Series Router

policy-map [type {control | service}] policy-map-name

no policy-map [type {control | service}] policy-map-name

Cisco 7600 Series Router

policy-map [type {class-routing ipv4 unicast unicast-name | control control-name | service service-name}] policy-map-name

no policy-map [type {class-routing ipv4 unicast unicast-name | control control-name | service service-name}] policy-map-name

Syntax Description

type	Specifies the policy-map type.
stack	(Optional) Determines the exact pattern to look for in the protocol stack of interest.
access-control	(Optional) Enables the policy map for the flexible packet matching feature.
port-filter	(Optional) Enables the policy map for the port-filter feature.
queue-threshold	(Optional) Enables the policy map for the queue-threshold feature.
logging	(Optional) Enables the policy map for the control-plane packet logging feature.
log-policy	Type of log policy for control-plane logging.
policy-map-name	Name of the policy map. The name can be a maximum of 40 alphanumeric characters.
control	(Optional) Creates a control policy map.
control-name	Specifies the name of the control policy map.
service	(Optional) Creates a service policy map.
service-name	Specifies the policy-map service name.
class-routing	Configures the class-routing policy map.
ipv4	Configures the class-routing IPv4 policy map.
unicast	Configures the class-routing IPv4 unicast policy map.
unicast-name	Unicast policy-map name.

Command Default

The policy map is not configured.

Command Modes

Global configuration (config)

Command History

Release	Modification
12.0(5)T	This command was introduced.
12.4(4)T	The type access-control keywords were added to support flexible packet matching. The type port-filter and type queue-threshold keywords were added to support control-plane protection.
12.4(6)T	The type logging keywords were added to support control-plane packet logging.
12.2(31)SB	The type control and type service keywords were added to support the Cisco 10000 series router.
12.2(18)ZY	The following modifications were made to the policy-map command: •The type access-control keywords were integrated into Cisco IOS Release 12.2(18)ZY on the Catalyst 6500 series switch that is equipped with the Supervisor 32/programmable intelligent services accelerator (PISA) engine. •The command was modified to enhance Network-Based Application Recognition (NBAR) functionality on the Catalyst 6500 series switch that is equipped with the Supervisor 32/PISA engine.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2(33)SRC	Support for this command was implemented on Cisco 7600 series routers.
Cisco IOS XE Release 2.1	This command was implemented on Cisco ASR 1000 series routers.

Usage Guidelines

Use the policy-map command to specify the name of the policy map to be created, added to, or modified before you configure policies for classes whose match criteria are defined in a class map. The policy-map command enters policy-map configuration mode, in which you can configure or modify the class policies for a policy map.

You can configure class policies in a policy map only if the classes have match criteria defined for them. Use the class-map and match commands to configure the match criteria for a class. Because you can configure a maximum of 64 class maps, a policy map cannot contain more than 64 class policies, except as noted for Quality of Service (QoS) class maps on Cisco 7600 systems.

---

Note For QoS class maps on Cisco 7600 systems, the limits are 1024 class maps and 256 classes in a policy map.

---

A single policy map can be attached to more than one interface concurrently. Except as noted, when you attempt to attach a policy map to an interface, the attempt is denied if the available bandwidth on the interface cannot accommodate the total bandwidth requested by class policies that make up the policy map. In this case, if the policy map is already attached to other interfaces, it is removed from them.

---

Note This limitation does not apply on Cisco 7600 systems that have SIP-400 access-facing line cards.

---

Whenever you modify class policy in an attached policy map, class-based weighted fair queueing (CBWFQ) is notified and the new classes are installed as part of the policy map in the CBWFQ system.

---

Note Policy-map installation via subscriber-profile is not supported. If you configure an unsupported policy map and there are a large number of sessions, then an equally large number of messages print on the console. For example, if there are 32,000 sessions, then 32,000 messages print on the console at 9,600 baud.

---

Class Queues (Cisco 10000 Series Routers Only)

The PRE2 allows you to configure 31 class queues in a policy map.

In a policy map, the PRE3 allows you to configure one priority level 1 queue, one priority level 2 queue, 12 class queues, and one default queue.

Control Policies (Cisco 10000 Series Routers Only)

Control policies define the actions that your system will take in response to specified events and conditions.

A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed.

There are three steps involved in defining a control policy:

1. Using the class-map type control command, create one or more control class maps.

2. Using the policy-map type control command, create a control policy map.

A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.

3. Using the service-policy type control command, apply the control policy map to a context.

Service Policies (Cisco 10000 Series Routers Only)

Service policy maps and service profiles contain a collection of traffic policies and other functionality. Traffic policies determine which functionality will be applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, which is a specific type of traffic policy that determines how session data packets will be forwarded to the network.

Policy Map Restrictions (Catalyst 6500 Series Switches Only)

Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. For this release and platform, note the following restrictions for using policy maps and match commands:

•You cannot modify an existing policy map if the policy map is attached to an interface. To modify the policy map, remove the policy map from the interface by using the no form of the service-policy command.

•Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. You can create as many traffic classes as needed. However, the following restrictions apply:

–A single traffic class can be configured to match a maximum of 8 protocols or applications.

–Multiple traffic classes can be configured to match a cumulative maximum of 95 protocols or applications.

Examples

The following example creates a policy map called "policy1" and configures two class policies included in that policy map. The class policy called "class1" specifies policy for traffic that matches access control list (ACL) 136. The second class is the default class to which packets that do not satisfy configured match criteria are directed.

! The following commands create class-map class1 and define its match criteria:

class-map class1

 match access-group 136

! The following commands create the policy map, which is defined to contain policy

! specification for class1 and the default class:

policy-map policy1

class class1

 bandwidth 2000

 queue-limit 40

class class-default

 fair-queue 16

 queue-limit 20

The following example creates a policy map called "policy9" and configures three class policies to belong to that map. Of these classes, two specify policy for classes with class maps that specify match criteria based on either a numbered ACL or an interface name, and one specifies policy for the default class called "class-default" to which packets that do not satisfy configured match criteria are directed.

policy-map policy9

class acl136

 bandwidth 2000

 queue-limit 40

class ethernet101

 bandwidth 3000

 random-detect exponential-weighting-constant 10

class class-default

 fair-queue 10

 queue-limit 20

The following is an example of a modular QoS command-line interface (MQC) policy map configured to initiate the QoS service at the start of a session.

Router> enable

Router# configure terminal

Router(config)# policy-map type control TEST

Router(config-control-policymap)# class type control always event session-start

Router(config-control-policymap-class-control)# 1 service-policy type service name 
QoS_Service

Router(config-control-policymap-class-control)# end

Examples for Cisco 10000 Series Routers Only

The following example shows the configuration of a control policy map named "rule4". Control policy map rule4 contains one policy rule, which is the association of the control class named "class3" with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.

class-map type control match-all class3

 match access-type pppoe

 match domain cisco.com

 available nas-port-id

!

policy-map type control rule4

 class type control class3

  authorize nas-port-id

!

service-policy type control rule4

The following example shows the configuration of a service policy map named "redirect-profile":

policy-map type service redirect-profile

 class type traffic CLASS-ALL

  redirect to group redirect-sg 

policy-map type control

To create or modify a control policy map, which defines an Intelligent Services Gateway (ISG) control policy, use the policy-map type control command in global configuration mode. To delete the control policy map, use the no form of this command.

policy-map type control policy-map-name

no policy-map type control policy-map-name

Syntax Description

policy-map-name

Name of the control policy map.

Command Default

A control policy map is not created.

Command Modes

Global configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

Control policies define the actions that your system will take in response to specified events and conditions.

A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed.

There are three steps involved in defining a control policy:

1. Create one or more control class maps, by using the class-map type control command.

2. Create a control policy map, using the policy-map type control command.

A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.

3. Apply the control policy map to a context, using the service-policy type control command.

Examples

The following example shows the configuration of a control policy map called "rule4." Control policy map "rule4" contains one policy rule, which is the association of the control class "class3" with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.

class-map type control match-all class3

 match access-type pppoe

 match domain cisco.com

 available nas-port-id

!

policy-map type control rule4

 class type control class3

  authorize nas-port-id

!

service-policy type control rule4

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
service-policy type control	Applies a control policy to a context.

policy-map type service

To create or modify a service policy map, which is used to define an Intelligent Services Gateway (ISG) subscriber service, use the policy-map type service command in global configuration mode. To delete a service policy map, use the no form of this command.

policy-map type service policy-map-name

no policy-map type service policy-map-name

Syntax Description

policy-map-name

Name of the service policy map.

Command Default

A service policy map is not created.

Command Modes

Global configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

Use the policy-map type service command to create or modify an ISG service policy map. Service policy maps define ISG subscriber services.

An ISG service is a collection of policies that may be applied to a subscriber session. Services can be defined in service policy maps and service profiles. Service policy maps and service profiles serve the same purpose; the only difference between them is that a service policy map is defined on the local device using the policy-map type service command, and a service profile is configured on an external device, such as an authentication, authorization, and accounting (AAA) server.

Service policy maps and service profiles contain a collection of traffic policies and other functionality. Traffic policies determine which functionality will be applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, a specific type of traffic policy that determines how session data packets will be forwarded to the network.

Examples

The following example shows the configuration of a service policy map called "redirect-profile":

policy-map type service redirect-profile

 class type traffic CLASS-ALL

  redirect to group redirect-sg

Related Commands

Command	Description
class type traffic	Specifies a named traffic class whose policy you want to create or change or specifies the default traffic class in order to configure its policy.
show policy-map type service	Displays the contents of all service policy maps.

policy-name

To configure a subscriber policy name, use the policy-name command in service policy map configuration mode. To remove a subscriber policy name, use the no form of this command.

policy-name policy

no policy-name policy

Syntax Description

policy

Name of policy configured on the Service Control Engine (SCE) device.

Command Default

The default policy is used for all subscribers.

Command Modes

Service policy map configuration (config-service-policymap)

Command History

Release	Modification
12.2(33)SRC	This command was introduced.
12.2(33)SB	This command was integrated into Cisco IOS Release 12.2(33)SB.

Usage Guidelines

The policy-name command is used with the policy-map type service command and must be configured together with the sg-service-type external-policy command. The policy name configured on the Intelligent Services Gateway (ISG) device must be the name of an existing policy that has already been configured on the SCE device.

Examples

The following example shows how to configure the subscriber policy name "SCE-SERVICE".

Router(config)#policy-map type service SCE-SERVICE

Router(config-service-policymap)# sg-service-type external-policy

Router(config-service-policymap)# policy-name GOLD

Related Commands

Command	Description
sg-service-type external-policy	Identifies a service as an external policy.

policy-peer

To configure a subscriber policy peer connection, use the policy-peer command in global configuration mode. To remove a subscriber policy peer connection, use the no form of this command.

policy-peer [address ip-address] {keepalive seconds}

no policy-peer [address ip-address] {keepalive seconds}

Syntax Description

address	(Optional) Configures the IP address of the peer that is to be connected.
ip-address	Specifies the IP address of the peer to be connected.
keepalive	Configures the keepalive value to be used to monitor the peering relationship.
seconds	Keepalive value, in seconds. Range: 5 to 3600. Default: 0.

Command Modes

Global configuration (config)

Command History

Release	Modification
12.2(33)SRC	This command was introduced.
12.2(33)SB	This command was integrated into Cisco Release 12.2(33)SB.

Usage Guidelines

Use the keepalive keyword with the policy-peer command to monitor the peering relationship between the Intelligent Services Gateway (ISG) device and the Service Control Engine (SCE). When the ISG and SCE establish a peering relationship, they negotiate the lowest keepalive value between them. If the ISG keepalive value is set to zero (0), the ISG accepts the value proposed by the SCE. The SCE sends keepalive packets at specified intervals. If twice the time specified by the seconds argument goes by without the ISG receiving a keepalive packet from the SCE, the peering relationship is ended. The ISG ignores any messages from the SCE unless they are messages to establish peering.

Examples:

The following example configures a subscriber policy peer connection with a keepalive value of 5 seconds.

Router(config)# policy-peer address 10.0.0.100 keepalive 5

Related Commands

Command	Description
aaa server radius policy-device	Enables ISG RADIUS server configuration mode.
show subscriber policy peer	Displays the details of a subscriber policy peer.
subscriber-policy	Defines or modifies the forward and filter decisions of the subscriber policy.

port

To specify the port on which a device listens for RADIUS requests from configured RADIUS clients, use the port command in dynamic authorization local server configuration mode. To restore the default, use the no form of this command.

port port-number

no port port-number

Syntax Description

port-number

Port number. The default value is port 1700.

Command Default

The device listens for RADIUS requests on the default port (port 1700).

Command Modes

Dynamic authorization local server configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the port command to specify the ports on which the router will listen for requests from RADIUS clients.

Examples

The following example specifies port 1650 as the port on which the device listens for RADIUS requests:

aaa server radius dynamic-author

 client 10.0.0.1

 port 1650

Related Commands

Command	Description
aaa server radius dynamic-author	Configures a device as a AAA server to facilitate interaction with an external policy server.

prepaid config

To enable prepaid billing for an Intelligent Services Gateway (ISG) service and to reference a configuration of prepaid billing parameters, use the prepaid config command in service policy traffic class configuration mode. To disable prepaid billing for a service, use the no form of this command.

prepaid config {name-of-configuration | default}

no prepaid config {name-of-configuration | default}

Syntax Description

name-of-configuration	A named configuration of prepaid billing parameters.
default	The default configuration of prepaid billing parameters.

Command Default

Prepaid billing is not enabled.

Command Modes

Service policy traffic class configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

ISG prepaid billing is enabled in a service policy map on the router by entering the prepaid config command, or in a service profile on the authentication, authorization, and accounting (AAA) server by using the prepaid vendor-specific attribute (VSA). The prepaid config command and prepaid VSA reference a configuration that contains specific prepaid billing parameters.

To create or modify a prepaid billing parameter configuration, use the subscriber feature prepaid command to enter prepaid configuration mode. A default prepaid configuration exists with the following parameters:

subscriber feature prepaid default

 threshold time 0 seconds

 threshold volume 0 bytes

 method-list authorization default

 method-list accounting default

 password cisco

The default configuration will not show up in the output of the show running-config command unless you change any one of the parameters.

The parameters of named prepaid configurations are inherited from the default configuration, so if you create a named prepaid configuration and want only one parameter to be different from the default configuration, you have to configure only that parameter.

Examples

The following example shows prepaid billing enabled in a service called "mp3". The prepaid billing parameters in the configuration "conf-prepaid" will be used for "mp3" prepaid sessions.

policy-map type service mp3

 class type traffic CLASS-ACL-101

  authentication method-list cp-mlist

  accounting method-list cp-mlist

  prepaid config conf-prepaid 

subscriber feature prepaid conf-prepaid

 threshold time 20

 threshold volume 0

 method-list accounting ap-mlist

 method-list authorization default

 password cisco

Related Commands

Command	Description
subscriber feature prepaid	Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile.

proxy (ISG RADIUS proxy)

To configure an Intelligent Services Gateway (ISG) device to send RADIUS packets to a method list, use the proxy command in control policy-map class configuration mode. To remove this action from the control policy, use the no form of this command.

action-number proxy [aaa list {list-name | default}] [accounting aaa list acc-list-name]

no action-number proxy [aaa list {list-name | default}] [accounting aaa list acc-list-name]

Syntax Description

action-number	Number of the action. Actions are executed sequentially within the policy rule.
aaa list	(Optional) Specifies that RADIUS packets will be sent to an authentication, authorization, and accounting (AAA) method list.
list-name	Name of the AAA method list to which RADIUS packets are sent.
default	Specifies that RADIUS packets will be sent to the default RADIUS server.
accounting aaa list	Defines a method list to which accounting is sent.
acc-list-name	Name of the accounting AAA method list to which RADIUS packets are sent.

Command Default

RADIUS packets are sent to the default method list.

Command Modes

Control policy-map class configuration (config-control-policymap-class-control)

Command History

Release	Modification
12.2(31)SB2	This command was introduced.
12.2(33)SRC	The accounting aaa list keyword was added.
12.2(33)SB	This command was implemented on the Cisco 10000 series.

Usage Guidelines

The proxy command is used to configure a control policy that causes ISG to forward RADIUS packets to a specified AAA method list. The method list must be configured with the aaa accounting command.

Control policies define the actions that the system takes in response to specified events and conditions. A control policy is made up of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

The accounting aaa list keyword is used configure the ISG device to forward incoming accounting requests from the SCE device to the AAA server.

Examples

The following example configures an accounting method list called "LIST-LOCAL". The server group called "AAA-GROUP1" is the method specified in the method list. A control policy called "POLICY-LOCAL" is configured with a policy rule that causes ISG to forward SCE accounting packets to the server group defined in method list "LIST-LOCAL".

Router(config)# aaa accounting network LIST-LOCAL start-stop group AAA-GROUP1

Router(config)# policy-map type control POLICY-LOCAL

Router(config-control-policymap)# class type control always event acct-notification

Router(config-control-policymap-class)# 1 proxy accounting aaa list LIST-LOCAL

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

proxy (RADIUS proxy)

To configure Intelligent Services Gateway (ISG) to send RADIUS packets to a method list, use the proxy command in control policy-map class configuration mode. To remove this action from the control policy, use the no form of this command.

action-number proxy [aaa list {list-name | default}]

no action-number proxy [aaa list {list-name | default}

Syntax Description

action-number	Number of the action. Actions are executed sequentially within the policy rule.
aaa list	(Optional) Specifies that RADIUS packets will be sent to an authentication, authorization, and accounting (AAA) method list.
list-name	Name of the AAA method list to which RADIUS packets are sent.
default	Specifies that RADIUS packets will be sent to the default RADIUS server.

Command Default

RADIUS packets are sent to the default method list.

Command Modes

Control policy-map class configuration

Command History

Release	Modification
12.2(31)SB2	This command was introduced.

Usage Guidelines

The proxy command is used to configure a control policy that causes ISG to forward RADIUS packets to a specified AAA method list. The method list must be configured with the aaa authorization radius-proxy command.

Control policies define the actions the system takes in response to specified events and conditions. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

Examples

The following example configures an ISG RADIUS proxy authorization method list called "RP". The server group called "EAP" is the method specified in that method list. A control policy called "PROXYRULE" is configured with a policy rule that causes ISG to forward RADIUS packets to the method list "RP".

aaa authorization radius-proxy RP group EAP 

.

.

.

policy-map type control PROXYRULE

 class type control always event session-start

  1 proxy aaa list RP

Related Commands

Command	Description
aaa authorization radius-proxy	Configures AAA authorization methods for ISG RADIUS proxy subscribers.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

radius-server attribute 31

To configure Calling-Station-ID (attribute 31) options, use the radius-server attribute 31 command in global configuration mode. To disable the Calling-Station-ID (attribute 31) options, use the no form of this command.

radius-server attribute 31 {mac format {default | ietf | unformatted} | remote-id | send nas-port-detail [mac-only]}

no radius-server attribute 31 {mac format {default | ietf | unformatted} | remote-id | send nas-port-detail [mac-only]}

Syntax Description

mac format	Specifies the format of the MAC address in the Calling Station ID. Select one of the following three options: •default (Example: 0000.4096.3e4a) •ietf (Example: 00-00-40-96-3E-4A) •unformatted (Example: 000040963e4a)
remote-id	Sends the remote ID as the Calling Station ID in the accounting records and access requests.
send nas-port-detail	Includes all NAS port details in the Calling Station ID.
mac-only	(Optional) Includes the MAC address only, if available, in the Calling Station ID.

Command Default

The Calling-Station-ID (attribute 31) is not sent.

Command Modes

Global configuration (config)

Command History

Release	Modification
12.2(28)SB	This command was introduced.
12.2(31)SB2	The mac format default, the mac format ietf, the mac format unformatted, and the send nas-port-detail [mac-only] keyword options were added.
12.2(33)SRC	This command was integrated into Cisco IOS Release 12.2(33)SRC.
15.0(1)M	This command was integrated into Cisco IOS Release 15.0(1)M.

Usage Guidelines

•For PPP over Ethernet over ATM (PPPoEoA) sessions:

When the send nas-port-detail keyword and the mac-only option are configured, the Calling-Station-ID (attribute 31) information is sent in Access and Accounting requests in the following format:

host.domain:vp_descr:vpi:vci

•For PPP over Ethernet over Ethernet (PPPoEoE) sessions:

When the send nas-port-detail keyword and the mac-only option are configured, the Calling-Station-ID (attribute 31) information is sent in Access and Accounting requests in the following format:

mac_addr

•For PPP over ATM sessions:

When the send nas-port-detail keyword and the mac-only option are configured, the Calling-Station-ID (attribute 31) information is sent in Access and Accounting requests in the following format:

host.domain:vp_descr:vpi:vci

•For Intelligent Services Gateway RADIUS Proxy sessions:

When DHCP lease query is used, ISG RADIUS proxy recieves MAC address as well as MSISDN as the Calling-Station-ID (attribute 31) from the downstream device. Therefore, ISG RADIUS proxy must be configured to choose one of them as the Calling Station ID and send it to the ISG accounting records.

Examples

The following example shows how to specify the MAC address in the Calling Station ID to be displayed in IETF format:

Router(config)# radius-server attribute 31 mac format ietf

The following example shows how to allow the remote ID to be sent as the Calling Station ID:

Router(config)# radius-server attribute 31 remote-id

The following example shows how to allow the NAS port details to be included in the Calling Station ID:

Router(config)# radius-server attribute 31 send nas-port-detail

The following example shows how to allow only the MAC address, if available, to be included in the Calling-Station-ID:

Router(config)# radius-server attribute 31 send nas-port-detail mac-onl

Related Commands

Command	Description
radius-server attribute nas-port-id include	Uses the DHCP relay agent information option 60 and option 82 and configures the NAS-Port-ID to authenticate a user.

radius-server attribute nas-port-id include

To use DHCP relay agent information option 60 and option 82 (that is, any combination of circuit ID, remote ID, and vendor-class ID) to configure the NAS-Port-ID to authenticate a user, use the radius-server attribute nas-port-id include command in global configuration mode. To disable NAS-Port-ID configuration, use the no form of this command.

radius-server attribute nas-port-id include {[circuit-id] [plus] [remote-id] [plus] [vendor-class-id]} [separator separator]

no radius-server attribute nas-port-id include {[circuit-id] [plus] [remote-id] [plus] [vendor-class-id]} [separator separator]

Syntax Description

circuit-id	(Optional) Specifies the circuit ID as the identifier for authorization.
plus	(Optional) Separates identifiers if more than one is specified.
remote-id	(Optional) Specifies the remote ID as the identifier for authorization.
vendor-class-id	(Optional) Specifies the vendor-class ID as the identifier for authorization.
separator	(Optional) Specifies the symbol to be used for separating identifiers in accounting records and authentication requests.
separator	The symbol can be any alphanumeric character. The colon (:) is the default separator.

Command Default

If you do not configure the command, the NAS-Port-ID is populated with the Intelligent Services Gateway (ISG) interface that received the DHCP relay agent information packet; for example, Ethernet1/0.

Command Modes

Global configuration (config)

Command History

Release	Modification
12.2(33)SRD	This command was introduced.

Usage Guidelines

When you use this command, you must specify at least one ID. You can use a single ID or any combination of the three, in any order. If you use more than one ID, use the plus keyword between each pair as a separator.

The NAS-Port-ID is shown in the accounting records as it is specified in the command-line interface (CLI), with the plus keyword replaced by a separator. The colon (:) is the default separator.

When the NAS-Port-ID is selected as the identifier for authorization, the NAS-Port-ID is sent as part of the username in the authentication request. It is sent as specified in the CLI, preceded by the string "nas-port:".

Examples

The following example shows an authentication request that specifies a circuit ID, a remote ID, and a vendor-class ID:

Router(config)# radius-server attribute nas-port-id include circuit-id plus remote-id plus 
vendor-class-id 

If the circuit ID is "xyz", the remote ID is "abc", and the vendor-class ID is "123", the NAS-Port-ID will be sent to the accounting records as "abc:xyz:123" and the username will be sent as "nas-port:abc:xyz:123" in the authentication request.

The following example shows an authentication request that specifies a circuit ID and a vendor-class ID and also specifies a separator, "#":

Router(config)# radius-server attribute nas-port-id include circuit-id plus 
vendor-class-id separator #

If the circuit ID is "xyz" and the vendor-class ID is "123", the NAS-Port-ID will be sent to the accounting records as "xyz#123" and the username will be sent as "nas-port:xyz#123" in the authentication request.

redirect server-group

To define a group of one or more servers that make up a named Intelligent Services Gateway (ISG) Layer 4 redirect server group, use the redirect server-group command in global configuration mode. To remove a redirect server group and any servers configured within that group, use the no form of this command.

redirect server-group group-name

no server-group group-name

Syntax Description

group-name

Name of the server group.

Command Default

A redirect server group is not defined.

Command Modes

Global configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

Use the redirect server-group command to define and name an ISG Layer 4 redirect server group. Packets sent upstream from an unauthenticated subscriber can be forwarded to the server group, which will deal with the packets in a suitable manner, such as routing them to a logon page. You can also use server groups to handle requests from authorized subscribers who request access to services to which they are not logged in and for advertising captivation.

After defining a redirect server group with the redirect server-group command, identify individual servers for inclusion in the server group using the server command in Layer 4 redirect server group configuration mode.

Examples

The following example shows the configuration of a server group called "PORTAL":

redirect server-group PORTAL

 server ip 10.2.36.253 port 80

Related Commands

Command	Description
redirect to (ISG)	Redirects ISG Layer 4 traffic to a specified server or server group.
server	Adds a server to an ISG Layer 4 redirect server group.
show redirect group	Displays information about ISG Layer 4 redirect server groups.
show redirect translations	Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.

redirect to (ISG)

To redirect Intelligent Services Gateway (ISG) Layer 4 traffic to a specified server or server group, use the redirect to command in interface configuration or service policy-map class configuration mode. To disable redirection, use the no form of this command.

redirect to {group server-group-name | ip ip-address [port port-number]} [duration seconds [frequency seconds]]

no redirect [list access-list-number] to {group server-group-name | ip ip-address [port port-number]} [duration seconds [frequency seconds]]

Syntax Description

group server-group-name	Server group to which traffic will be redirected.
ip ip-address	IP address of the server to which traffic will be redirected.
port port-number	(Optional) Port number on the server to which traffic will be redirected.
duration seconds	(Optional) Amount of time, in seconds, for which traffic will be redirected, beginning with the first packet that gets redirected.
frequency seconds	(Optional) Period of time, in seconds, between activations of redirection.

Command Default

Subscriber Layer 4 traffic is not redirected.

Command Modes

Interface configuration
Service policy-map class configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The ISG Layer 4 Redirect feature redirects specified Layer 4 subscriber packets to servers that handle the packets in a specified manner.

The Layer 4 Redirect feature supports three types of redirection, which can be applied to subscriber sessions or to flows:

•Permanent redirection—Specified traffic is redirected to the specified server all the time.

•Initial redirection—Specified traffic is redirected for a specific duration of time only, starting from when the feature is applied.

•Periodic redirection—Specified traffic is periodically redirected. The traffic is redirected for a specified duration of time. The redirection is then suspended for another specified duration. This cycle is repeated.

Examples

Redirecting Layer 4 Traffic to a Server Group: Example

The following example redirects Layer 4 traffic to the servers specified in server group "ADVT-SERVER":

redirect to group ADVT-SERVER

Redirecting Layer 4 Traffic to a Specific IP Address: Examples

The following example configures ISG to redirect all traffic coming from the subscriber interface to 10.2.36.253. The destination port is left unchanged, so traffic to 10.10.10.10 port 23 is redirected to 10.2.36.253 port 23, and traffic to 10.4.4.4 port 80 is redirected to 10.2.36.253 port 80.

redirect list 100 to ip 10.2.36.253 

The following example configures ISG to redirect all traffic coming from the subscriber interface to 10.2.36.253 port 80:

redirect list 100 to ip 10.2.36.253 port 80

Initial Redirection: Example

The following example redirects all traffic to the servers configured in the server group "ADVT-SERVER" for the first 60 seconds of the session and then stops redirection for the rest of the lifetime of the session:

redirect to group ADVT-SERVER duration 60

Periodic Redirection: Example

The following example redirects all traffic to server group "ADVT-SERVER" for 60 seconds, every 3600 seconds. That is, the traffic will be redirected for 60 seconds, and subsequently the redirection is suspended for 3600 seconds, after which redirection resumes again for 60 seconds, and so on.

redirect to group ADVT-SERVER duration 60 frequency 3600

Interface Configuration: Example

The following example shows ISG Layer 4 redirection configured on Fast Ethernet interface 0/0.505:

interface FastEthernet0/0.505

 encapsulation dot1Q 505

 ip address 10.0.0.1 255.255.255.0

 ip subscriber

 identifier interface

 redirect to group ADVT-SERVER duration 30 frequency 3600 

 no cdp enable

!

Related Commands

Command	Description
redirect server-group	Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.
server (ISG)	Adds a server to an ISG Layer 4 redirect server group.
show redirect group	Displays information about ISG Layer 4 redirect server groups.
show redirect translations	Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.

server

To add a server to an Intelligent Services Gateway (ISG) Layer 4 redirect server group, use the server command in Layer 4 redirect server group configuration mode. To remove a server from a redirect server group, use the no form of this command.

server ip ip-address port port

no server ip ip-address port port

Syntax Description

ip ip-address	IP address of the server to be added to the redirect server group.
port port	TCP port of the server to be added to the redirect server group.

Command Default

A server is not added to the redirect server group.

Command Modes

Layer 4 redirect server group configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

Use the server command in Layer 4 redirect server group configuration mode to add a server, defined by its IP address and TCP port, to a redirect server group. The server command can be entered more than once to add multiple servers to the server group.

ISG Layer 4 redirection provides nonauthorized users with access to controlled services. Packets sent upstream from an unauthenticated user are forwarded to the server group, which deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services to which they are not logged in.

Examples

The following example adds a server at IP address 10.0.0.0 and TCP port 8080 and a server at IP address 10.1.2.3 and TCP port 8081 to a redirect server group named "ADVT-SERVER":

redirect server-group ADVT-SERVER

 server ip 10.0.0.0 port 8080

 server ip 10.1.2.3 port 8081

Related Commands

Command	Description
redirect server-group	Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.
redirect to (ISG)	Redirects ISG Layer 4 traffic to a specified server or server group.
show redirect group	Displays information about ISG Layer 4 redirect server groups.
show redirect translations	Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.

server-key

To configure the RADIUS key to be shared between a device and RADIUS clients, use the server-key command in dynamic authorization local server configuration mode. To remove this configuration, use the no form of this command.

server-key [0 | 7] word

no server-key [0 | 7] word

Syntax Description

0	(Optional) An unencrypted key will follow.
7	(Optional) A hidden key will follow.
word	Unencrypted server key.

Command Default

A server key is not configured.

Command Modes

Dynamic authorization local server configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the server-key command to configure the key to be shared between the Intelligent Services Gateway (ISG) and RADIUS clients.

Examples

The following example configures "cisco" as the shared server key:

aaa server radius dynamic-author

 client 10.0.0.1  

 server-key cisco

Related Commands

Command	Description
aaa server radius dynamic-author	Configures a device as a AAA server to facilitate interaction with an external policy server.

service (ISG)

To specify a network service type for PPP sessions, use the service command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.

action-number service {disconnect | local | vpdn}

no action-number service {disconnect | local | vpdn}

Syntax Description

action-number	Number of the action. Actions are executed sequentially within the policy rule.
disconnect	Disconnect the session.
local	Locally terminate the session.
VPDN	Virtual Private Dialup Network (VPDN) tunnel service.

Command Default

PPP sessions are locally terminated.

Command Modes

Control policy-map class configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The service command configures an action in a control policy map.

Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

Examples

The following example shows how configure ISG to locally terminate sessions for PPP subscribers:

policy-map type control MY-RULE1

 class type control MY-CONDITION2 event session-start

  1 service local

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

service deny (ISG)

To deny network service to the Intelligent Services Gateway (ISG) subscriber session, use the service deny command in service policy-map configuration mode. To remove the configuration, use the no form of this command.

service deny

no service deny

Syntax Description

The command has no arguments or keywords.

Command Default

Service is not denied to the session.

Command Modes

Service policy-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The service deny command denies network service to subscriber sessions that use the service policy map.

Examples

The following example denies service to subscriber sessions that use the service called "service1":

policy-map type service service1

 service deny

Related Commands

Command	Description
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG subscriber service.

service local (ISG)

To specify local termination service in an Intelligent Services Gateway (ISG) service policy map, use the service local command in service policy-map configuration mode. To remove the service, use the no form of this command.

service local

no service local

Syntax Description

This command has no arguments or keywords.

Command Default

Local termination service is not specified.

Command Modes

Service policy-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The service local command is used to configure local termination service in a service policy map defined with the policy-map type service command.

When you configure the service local command in a service policy map, you can also use the ip vrf forwarding command to specify the routing domain in which to terminate the session. If you do not specify the routing domain, the global virtual routing and forwarding instance (VRF) will be used.

Examples

The following example provides local termination service to subscriber sessions for which the "my_service" service policy map is activated:

!

policy-map type service my_service

 service local

Related Commands

Command	Description
ip vrf forwarding (service policy map)	Associates the service with a VRF.
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG service.
service vpdn group	Provides VPDN service.
vpdn-group	Associates a VPDN group with a customer or VPDN profile.

service relay (ISG)

To enable relay of PPPoE Active Discovery (PAD) messages over a Layer 2 Tunnel Protocol (L2TP) tunnel for an Intelligent Services Gateway (ISG) subscriber session, use the service relay command in service policy-map configuration mode. To disable message relay, use the no form of this command.

service relay pppoe vpdn group vpdn-group-name

no service relay pppoe vpdn group vpdn-group-name

Syntax Description

pppoe	Provides relay service using PPP over Ethernet (PPPoE) using a virtual private dialup network (VPDN) L2TP tunnel for the relay.
vpdn group vpdn-group-name	Provides VPDN service by obtaining the configuration from a predefined VPDN group.

Command Default

Relay of PAD messages over an L2TP tunnel is not enabled.

Command Modes

Service policy-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The service relay command is configured as part of a service policy-map.

Examples

The following example configures sessions that use the service policy-map "service1" to contain outgoing tunnel information for the relay of PAD messages over an L2TP tunnel:

policy-map type service 

 service relay pppoe vpdn group Sample1.net

Related Commands

Command	Description
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG subscriber service.

service vpdn group (ISG)

To provide virtual private dialup network (VPDN) service for Intelligent Services Gateway (ISG) subscriber sessions, use the service vpdn group command in service policy-map configuration mode. To remove VPDN service, use the no form of this command.

service vpdn group vpdn-group-name

no service vpdn group vpdn-group-name

Syntax Description

vpdn-group-name

Provides the VPDN service by obtaining the configuration from a predefined VPDN group.

Command Default

VPDN service is not provided for ISG subscriber sessions.

Command Modes

Service policy-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The service vpdn group command provides VPDN service by obtaining the configuration from a predefined VPDN group.

A service configured with the service vpdn group command (or corresponding RADIUS attribute) is a primary service.

Examples

The following example provides VPDN service to sessions that use the service called "service" and uses VPDN group 1 to obtain VPDN configuration information:

policy-map type service service1

 service vpdn group 1

Related Commands

Command	Description
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG subscriber service.

service-monitor

To configure service monitoring for sessions on the Service Control Engine (SCE) that use the configured Intelligent Services Gateway (ISG) service, use the service-monitor command in service policy map configuration mode. To remove service monitoring, use the no form of this command.

service-monitor {enable | disable}

no service-monitor {enable | disable}

Syntax Description

enable	Enables service monitoring.
disable	Disables service monitoring.

Command Default

Service monitoring is not configured.

Command Modes

Service policy map configuration (config-service-policymap)

Command History

Release	Modification
12.2(33)SRC	This command was introduced.
12.2(33)SB	This command was integrated into Cisco IOS Release 12.2(33)SB.

Usage Guidelines

The service-monitor command is used with the policy-map type service command and must be configured together with the sg-service-type external-policy command.

Examples

The following example configures service monitoring for a service policy called "SCE-SERVICE4".

Router(config)# policy-map type service SCE-SERVICE4

Router(config-service-policymap)# sg-service-type external policy

Router(config-service-policymap)# service-monitor enable

Related Commands

Command	Description
policy-name	Configures a subscriber policy name.
sg-service-type external policy	Identifies an ISG service as an external policy.

service-policy

To attach a policy map to an input interface, a virtual circuit (VC), an output interface, or a VC that will be used as the service policy for the interface or VC, use the service-policy command in the appropriate configuration mode. To remove a service policy from an input or output interface or from an input or output VC, use the no form of this command.

service-policy [type access-control] {input | output} policy-map-name

no service-policy [type access-control] {input | output} policy-map-name

Cisco 10000 Series and Cisco 7600 Series Routers

service-policy [history | {input | output} policy-map-name | type control control-policy-name]

no service-policy [history | {input | output} policy-map-name | type control control-policy-name]

Syntax Description

type access-control	Determines the exact pattern to look for in the protocol stack of interest.
input	Attaches the specified policy map to the input interface or input VC.
output	Attaches the specified policy map to the output interface or output VC.
policy-map-name	The name of a service policy map (created using the policy-map command) to be attached. The name can be a maximum of 40 alphanumeric characters.
history	(Optional) Maintains a history of Quality of Service (QoS) metrics.
type control control-policy-name	(Optional) Creates a Class-Based Policy Language (CPL) control policy map that is applied to a context.

Command Default

No service policy is specified.
A control policy is not applied to a context.
No policy map is attached.

Command Modes

ATM bundle-VC configuration (config-atm-bundle)
ATM PVP configuration (config-if-atm-l2trans-pvp)
ATM VC mode (config-if-atm-vc)
Global configuration (config)
Interface configuration (config-if)
Map-class configuration (config-map-class)
PVC-in-range configuration (cfg-if-atm-range-pvc)
PVC range subinterface configuration (config-subif)

Command History

Release	Modification
12.0(5)T	This command was introduced.
12.0(5)XE	This command was integrated into Cisco IOS Release 12.0(5)XE.
12.0(7)S	This command was integrated into Cisco IOS Release 12.0(7)S.
12.0(17)SL	This command was implemented on the Cisco 10000 series routers.
12.1(1)E	This command was integrated into Cisco IOS Release 12.1(1)E.
12.1(2)T	This command was modified to enable low latency queueing (LLQ) on Frame Relay VCs.
12.2(14)SX	Support for this command was implemented on Cisco 7600 series routers. This command was changed to support output policy maps.
12.2(15)BX	This command was implemented on the ESR-PRE2.
12.2(17d)SXB	This command was implemented on the Supervisor Engine 2 and integrated into Cisco IOS Release 12.2(17d)SXB.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(2)T	This command was modified to support PVC range subinterface configuration mode and i PVC-in-range configuration mode to extend policy map functionality on an ATM VC to the ATM VC range.
12.4(4)T	The type stack and the type control keywords were added to support flexible packet matching (FPM).
12.2(28)SB	This command was integrated into Cisco IOS Release 12.2(28)SB and implemented on the Cisco 10000 series router.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.3(7)XI2	This command was modified to support PVC range configuration mode and PVC-in-range configuration mode for ATM VCs on the Cisco 10000 series router and the Cisco 7200 series router.
12.2(18)ZY	The type stack and the type control keywords were integrated into Cisco IOS Release 12.2(18)ZY on the Catalyst 6500 series of switches equipped with the Programmable Intelligent Services Accelerator (PISA).
12.2(33)SRC	Support for this command was enhanced on Cisco 7600 series routers.
12.2(33)SB	This command's behavior was modified and implemented on the Cisco 10000 series router for the PRE3 and PRE4.
Cisco IOS XE Release 2.3	This command was modified to support ATM PVP configuration mode.

Usage Guidelines

Choose the command mode according to the intended use of the command, as follows:

Application	Mode
Standalone VC	VC submode
ATM VC bundle members	Bundle-VC configuration
A range of ATM PVCs	PVC range subinterface configuration
Individual PVC within a PVC range	PVC-in-range configuration
Frame Relay VC	Map-class configuration

You can attach a single policy map to one or more interfaces or to one or more VCs to specify the service policy for those interfaces or VCs.

A service policy specifies class-based weighted fair queueing (CBWFQ). The class policies that make up the policy map are then applied to packets that satisfy the class map match criteria for the class.

To successfully attach a policy map to an interface or ATM VC, the aggregate of the configured minimum bandwidths of the classes that make up the policy map must be less than or equal to 75 percent (99 percent on the Cisco 10008 router) of the interface bandwidth or the bandwidth allocated to the VC.

To enable Low Latency queueing (LLQ) for Frame Relay (priority queueing [PQ]/CBWFQ), you must first enable Frame Relay Traffic Shaping (FRTS) on the interface using the frame-relay traffic-shaping command in interface configuration mode. You then attach an output service policy to the Frame Relay VC using the service-policy command in map-class configuration mode.

For a policy map to be successfully attached to an interface or ATM VC, the aggregate of the configured minimum bandwidths of the classes that make up the policy map must be less than or equal to 75 percent of the interface bandwidth or the bandwidth allocated to the VC. For a Frame Relay VC, the total amount of bandwidth allocated must not exceed the minimum committed information rate (CIR) configured for the VC less any bandwidth reserved by the frame-relay voice bandwidth or frame-relay ip rtp priority map-class commands. If these values are not configured, the minimum CIR defaults to half of the CIR.

Configuring CBWFQ on a physical interface is possible only if the interface is in the default queueing mode. Serial interfaces at E1 (2.048 Mbps) and below use weighted fair queueing (WFQ) by default. Other interfaces use first-in first-out (FIFO) by default. Enabling CBWFQ on a physical interface overrides the default interface queueing method. Enabling CBWFQ on an ATM permanent virtual circuit (PVC) does not override the default queueing method.

When you attach a service policy with CBWFQ enabled to an interface, commands related to fancy queueing such as those pertaining to fair queueing, custom queueing, priority queueing, and Weighted Random Early Detection (WRED) are available using the modular quality of service command-line interface (MQC). However, you cannot configure these features directly on the interface until you remove the policy map from the interface.

You can modify a policy map attached to an interface or VC, changing the bandwidth of any of the classes that make up the map. Bandwidth changes that you make to an attached policy map are effective only if the aggregate of the bandwidth amount for all classes that make up the policy map, including the modified class bandwidth, is less than or equal to 75 percent of the interface bandwidth or the VC bandwidth. If the new aggregate bandwidth amount exceeds 75 percent of the interface bandwidth or VC bandwidth, the policy map is not modified.

After you apply the service-policy command to set a class of service (CoS) bit to an Ethernet interface, the policy is set in motion as long as there is a subinterface that is performing 8021.Q or Inter-Switch Link (ISL) trunking. Upon reload, however, the service policy is removed from the configuration with the following error message:

Process `set' action associated with class-map voip failed: Set cos supported only with 
IEEE 802.1Q/ISL interfaces.

Cisco 10000 Series Router Usage Guidelines

The Cisco 10000 series router does not support applying CBWFQ policies to unspecified bit rate (UBR) VCs.

For a policy map to be successfully attached to an interface or a VC, the aggregate of the configured minimum bandwidth of the classes that make up the policy map must be less than or equal to 99 percent of the interface bandwidth or the bandwidth allocated to the VC. If you attempt to attach a policy map to an interface when the sum of the bandwidth assigned to classes is greater than 99 percent of the available bandwidth, the router logs a warning message and does not allocate the requested bandwidth to all of the classes. If the policy map is already attached to other interfaces, it is removed from them.

The total bandwidth is the speed (rate) of the ATM layer of the physical interface. The router converts the minimum bandwidth that you specify to the nearest multiple of 1/255 (ESR-PRE1) or 1/65535 (ESR-PRE2) of the interface speed. When you request a value that is not a multiple of 1/255 or 1/65535, the router chooses the nearest multiple.

The bandwidth percentage is based on the interface bandwidth. In a hierarchical policy, the bandwidth percentage is based on the nearest parent shape rate.

By default, a minimum bandwidth guaranteed queue has buffers for up to 50 milliseconds of 256-byte packets at line rate, but not less than 32 packets.

For Cisco IOS Release 12.0(22)S and later releases, to enable LLQ for Frame Relay (priority queueing (PQ)/CBWFQ) on the Cisco 10000 series router, first create a policy map and then assign priority to a defined traffic class using the priority command. For example, the following sample configuration shows how to configure a priority queue with a guaranteed bandwidth of 8000 kbps. In the example, the Business class in the policy map named "map1" is configured as the priority queue. The map1 policy also includes the Non-Business class with a minimum bandwidth guarantee of 48 kbps. The map1 policy is attached to serial interface 2/0/0 in the outbound direction.

class-map Business

	match ip precedence 3

policy-map map1

	class Business

	priority 

	police 8000

	class Non-Business

	bandwidth 48

interface serial 2/0/0

	frame-relay encapsulation

	service-policy output map1

On the PRE2, you can use the service-policy command to attach a QoS policy to an ATM subinterface or to a PVC. However, on the PRE3, you can attach a QoS policy only to a PVC.

Cisco 7600 Series Routers

The output keyword is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.

Do not attach a service policy to a port that is a member of an EtherChannel.

Although the CLI allows you to configure QoS based on policy feature cards (PFCs) on the WAN ports on the OC-12 ATM optical services modules (OSM) and on the WAN ports on the channelized OSMs, PFC-based QoS is not supported on the WAN ports on these OSMs. OSMs are not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 32.

PFC QoS supports the optional output keyword only on VLAN interfaces. You can attach both an input policy map and an output-policy map to a VLAN interface.

Cisco 10000 Series Routers Control Policy Maps

A control policy map must be activated by applying it to a context. A control policy map can be applied to one or more of the following types of contexts, which are listed in order of precedence:

1. Global

2. Interface

3. Subinterface

4. Virtual template

5. VC class

6. PVC

In general, control policy maps that are applied to more specific contexts take precedence over policy maps applied to more general contexts. In the list, the context types are numbered in order of precedence. For example, a control policy map that is applied to a permanent virtual circuit (PVC) takes precedence over a control policy map that is applied to an interface.

Control policies apply to all sessions hosted on the context. Only one control policy map can be applied to a given context.

In Cisco IOS Release 12.2(33)SB and later releases, the router no longer accepts the abbreviated form (ser) of the service-policy command. Instead, you must spell out the command name service- before the router accepts the command.

For example, the following error message displays when you attempt to use the abbreviated form of the service-policy command:

interface GigabitEthernet1/1/0

 ser out ?

% Unrecognized command

 ser ?

% Unrecognized command

As shown in the following example, when you enter the command as service- followed by a space, the router parses the command as service-policy. Entering the question mark causes the router to display the command options for the service-policy command.

service- ?

input	Assign policy-map to the input of an interface

output	Assign policy-map to the output of an interface

type	Configure CPL Service Policy

In releases prior to Cisco IOS Release 12.2(33)SB, the router accepts the abbreviated form of the service-policy command. For example, the router accepts the following commands:

interface GigabitEthernet1/1/0

 ser out test

Examples

The following example shows how to attach a policy map to a Fast Ethernet interface:

interface fastethernet 5/20

 service-policy input pmap1

The following example shows how to attach the service policy map named "policy9" to DLCI 100 on output serial interface 1 and enables LLQ for Frame Relay:

interface Serial1/0.1 point-to-point

 frame-relay interface-dlci 100

 class fragment

 map-class frame-relay fragment

 service-policy output policy9

The following example shows how to attach the service policy map named "policy9" to input serial interface 1:

interface Serial1

 service-policy input policy9

The following example attaches the service policy map named "policy9" to the input PVC named "cisco":

pvc cisco 0/34  
service-policy input policy9

vbr-nt 5000 3000 500 
precedence 4-7

The following example shows how to attach the policy named "policy9" to output serial interface 1 to specify the service policy for the interface and enable CBWFQ on it:

interface serial1

 service-policy output policy9

The following example attaches the service policy map named "policy9" to the output PVC named "cisco":

pvc cisco 0/5  
service-policy output policy9 
vbr-nt 4000 2000 500 
precedence 2-3

Cisco 10000 Series Router Examples

The following example shows how to attach the service policy named "userpolicy" to DLCI 100 on serial subinterface 1/0/0.1 for outbound packets:

interface serial 1/0/0.1 point-to-point

 frame-relay interface-dlci 100

 service-policy output userpolicy

---

Note You must be running Cisco IOS Release 12.0(22)S or a later release to attach a policy to a DLCI in this way. If you are running a release prior to Cisco IOS Release 12.0(22)S, attach the service policy as described in the previous configuration examples using the legacy Frame Relay commands.

---

The following example shows how to attach a QoS service policy named "map2" to PVC 0/101 on the ATM subinterface 3/0/0.1 for inbound traffic:

interface atm 3/0/0

 atm pxf queuing

interface atm 3/0/0.1

 pvc 0/101

 service-policy input map2

---

Note The atm pxf queuing command is not supported on the PRE3 or PRE4.

---

The following example shows how to attach a service policy named "myQoS" to physical Gigabit Ethernet interface 1/0/0 for inbound traffic. VLAN 4, configured on Gigabit Ethernet subinterface 1/0/0.3, inherits the service policy of physical Gigabit Ethernet interface 1/0/0.

interface GigabitEthernet 1/0/0

 service-policy input myQoS

interface GigabitEthernet 1/0/0.3

 encapsulation dot1q 4

The following example shows how to attach the service policy map named "voice" to ATM VC 2/0/0 within a PVC range of a total of three PVCs and enable PVC range configuration mode where a point-to-point subinterface is created for each PVC in the range. Each PVC created as part of the range has the voice service policy attached to it.

configure terminal

 interface atm 2/0/0

 range pvc 1/50 1/52

 service-policy input voice

The following example shows how to attach the service policy map named "voice" to ATM VC 2/0/0 within a PVC range, where every VC created as part of the range has the voice service policy attached to it. The exception is PVC 1/51, which is configured as an individual PVC within the range and has a different service policy named "data" attached to it in PVC-in-range configuration mode.

configure terminal

 interface atm 2/0/0

 range pvc 1/50 1/52

 service-policy input voice

 pvc-in-range 1/51

 service-policy input data

The following example shows how to configure a service group named "PREMIUM-SERVICE" and apply the input policy named "PREMIUM-MARK-IN" and the output policy named "PREMIUM-OUT" to the service group:

policy-map type service PREMIUM-SERVICE

 service-policy input PREMIUM-MARK-IN

 service-policy output PREMIUM-OUT

Related Commands

Command	Description
class-map	Accesses the QoS class map configuration mode to configure QoS class maps.
frame-relay ip rtp priority	Reserves a strict priority queue on a Frame Relay PVC for a set of RTP packet flows belonging to a range of UDP destination ports,
frame-relay traffic-shaping	Enables both traffic shaping and per-virtual-circuit queueing for all PVCs and SVCs on a Frame Relay interface.
frame-relay voice bandwidth	Specifies the amount of bandwidth to be reserved for voice traffic on a specific DLCI.
policy-map	Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
show policy-map	Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps.
show policy-map interface	Displays the configuration of all classes configured for all service policies on the specified interface or displays the classes for the service policy for a specific PVC on the interface.

service-policy type control

To apply a control policy to a context, use the service-policy type control command in the appropriate configuration mode. To unapply the control policy, use the no form of this command.

service-policy type control policy-map-name

no service-policy type control policy-map-name

Syntax Description

policy-map-name

Name of the control policy map.

Command Default

A control policy is not applied to a context.

Command Modes

Global configuration
Interface configuration
Subinterface configuration
Virtual template configuration
ATM VC class configuration
ATM VC configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

A control policy map must be activated by applying it to a context. A control policy map can be applied to one or more of the following types of contexts:

1. Global

2. Interface

3. Subinterface

4. Virtual template

5. VC class

6. PVC

In general, control policy maps that are applied to more specific contexts take precedence over policy maps applied to more general contexts. In the list, the context types are numbered in order of precedence. For example, a control policy map that is applied to a permanent virtual circuit (PVC) takes precedence over a control policy map that is applied to an interface.

Control policies apply to all sessions hosted on the context.

Only one control policy map may be applied to a given context.

Examples

The following example applies the control policy map "RULEA" to Ethernet interface 0:

interface Ethernet 0

 service-policy type control RULEA

Related Commands

Command	Description
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

service-policy type service

To activate an Intelligent Services Gateway (ISG) service, use the service-policy type service command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.

action-number service-policy type service [unapply] [aaa list list-name] {name service-name | identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username}}

no action-number service-policy type service [unapply] [aaa list list-name] {name service-name | identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username}}

Syntax Description

action-number	Number of the action. Actions are executed sequentially within the policy rule.
unapply	(Optional) Deactivates the specified service.
aaa	(Optional) Specifies that a AAA method list will be used to activate the service.
list list-name	(Optional) Activates the service using the specified authentication, authorization, and accounting (AAA) method list.
name service-name	Name of the service.
identifier	Activates a service that has the same name as the specified identifier.
authenticated-domain	Authenticated domain name.
authenticated-username	Authenticated username.
dnis	Dialed Number Identification Service number (also referred to as the called-party number).
nas-port	Network access server (NAS) port identifier.
tunnel-name	VPDN tunnel name.
unauthenticated-domain	Unauthenticated domain name.
unauthenticated-username	Unauthenticated username.

Command Default

A service is not activated.

Command Modes

Control policy-map class configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The service-policy type service command configures an action in a control policy map. If you do not specify the AAA method list, the default method list will be used.

Note that if you use the default method list, the default list will not appear in the output of the show running-config command. For example, if you configure the following command:

Router(config-control-policymap-class-control)# 1 service-policy type service aaa list 
default identifier authenticated-domain

the following will display in the output for the show running-config command:

1 service-policy type service identifier authenticated-domain 

Named method lists will display in the show running-config command output.

Services are configured in service profiles on the AAA server or in service policy maps on the router.

Examples

The following example configures an ISG control policy that will initiate authentication of the subscriber and then apply a service that has a name matching the subscriber's authenticated domain name:

policy-map type control MY-RULE2

 class type control MY-CONDITION2 event service-start

  1 authenticate aaa list AUTHEN

  2 service-policy type service aaa list SERVICE identifier authenticated-domain

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG subscriber service.

session-identifier (ISG)

To correlate the radius server requests and identify the session in Intelligent Services Gateway RADIUS proxy, use the session-identifier command in the RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To disable this function, use the no form of this command.

session-identifier {attribute number | vsa vendor id type number}

no session-identifier {attribute number | vsa vendor id type number}

Syntax Description

attribute	The calling station attribute of the session to be identified.
number	The attribute number. For example, attribute 1 denotes username.
vsa	The Vendor-specific Attribute (VSA) of the session to be identified.
vendor ID	The vendor type and ID.
type number	VSA type.

Command Default

RADIUS proxy does not correlate requests other than Calling-Station-ID (attribute 31).

Command Modes

Radius proxy server configuration mode (config-locsvr-proxy-radius)
Radius proxy client configuration mode (config-locsvr-radius-client)

Command History

Release	Modification
12.2(33)SRE	This command was introduced.

Usage Guidelines

Intelligent Services Gateway RADIUS proxy identifies a new session based on the calling station attributes of the requests. Usually, attribute 31 is used to identify the session for requests. However, it is possible that attribute 31 may not always be unique to identify the session. There are attributes such as username (RADIUS attribute 1), circuit-ID (RADIUS VSA), and so on. that could be used to identify the session and correlate radius requests. Using this command, you can configure the RADIUS proxy to accept other attributes or VSA to identify the session in RADIUS proxy and correlate requests from the downstream device.

Examples

The following example shows how to configure Intelligent Services Gateway to identify the session using RADIUS VSA vendor type and correlate the requests for a RADIUS proxy client with an IP address 10.0.0.16:

Router(config-locsvr-proxy-radius)# client 10.0.0.l6 255.255.255.0

Router(config-locsvr-radius-client)# session-identifier vsa vendor 12 type 123

Related Commands

Command	Description
aaa server radius proxy	Enables Intelligent Services Gateway RADIUS proxy configuration mode, in which Intelligent Services Gateway RADIUS proxy parameters can be configured.
calling-station-id format	Specify the format if the attribute of the calling station is attribute 31.
client (ISG RADIUS proxy)	Enters Intelligent Services Gateway RADIUS proxy client configuration mode, in which client-specific RADIUS proxy parameters can be specified.

set-timer

To start a named policy timer, use the set-timer command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.

action-number set-timer name-of-timer minutes

no action-number set-timer name-of-timer minutes

Syntax Description

action-number	Number of the action. Actions are executed sequentially within the policy rule.
name-of-timer	Name of the policy timer.
minutes	Timer interval, in minutes. Range is from 1 to 10100.

Command Default

A named policy timer is not started.

Command Modes

Control policy-map class configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The set-timer command configures an action in a control policy map.

Expiration of a named policy timer generates the timed-policy-expiry event.

Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

Examples

The following example configures a policy timer called "TIMERA". When TIMERA expires the service will be disconnected.

class-map type control match-all CONDE

 match timer TIMERA

policy-map type type control RULEA

 class type control <some_cond> event session-start

  1 set-timer TIMERA 1 

 class type control CONDE event timed-policy-expiry

  1 service disconnect

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

sg-service-group

To associate an Intelligent Services Gateway (ISG) service with a service group, use the sg-service-group command in service policy-map configuration mode. To remove the association, use the no form of this command.

sg-service-group service-group-name

no sg-service-group service-group-name

Syntax Description

service-group-name

Name of the service group.

Command Default

The service is not part of a service group.

Command Modes

Service policy-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

A service group is a grouping of services that may be active simultaneously for a given session. Typically, a service group includes one primary service and one or more secondary services.

Secondary services in a service group are dependent on the primary service and should not be activated unless the primary service is already active. Once a primary service has been activated, any other services that reference the same group may also be activated. Services that belong to other groups, however, can be activated only if they are primary. If a primary service from another service group is activated, all services in the current service-group will also be deactivated because they have a dependency on the previous primary service.

Examples

The following example associates the service called "primarysvc1" with the service group "group1":

policy-map type service primarysvc1

 sg-service-group group1

Related Commands

Command	Description
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG subscriber service.
sg-service-type	Identifies an ISG service as primary or secondary.

sg-service-type

To identify an Intelligent Services Gateway (ISG) service as primary or secondary, use the sg-service-type command in service policy-map configuration mode. To remove this specification, use the no form of this command.

sg-service-type {primary | secondary}

no sg-service-type {primary | secondary}

Syntax Description

primary	Identifies the service as a primary service, which is a service that contains a network-forwarding policy.
secondary	Identifies the service as a secondary service, which is a service that does not contain a network-forwarding policy. This is the default.

Command Default

A service is not identified as a primary service.

Command Modes

Service policy-map configuration

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

An ISG primary service is a service that contains a network-forwarding policy, such as a virtual routing or forwarding instance (VRF) or tunnel specification. A service must be identified as a primary service by using the sg-service-type primary command. Any service that is not a primary service is identified as a secondary service by default. In other words, the service policy map for a primary service must include a network-forwarding policy and the sg-service-type primary command. A secondary service must not include a network-forwarding policy, and inclusion of the sg-service-type secondary command is optional.

Examples

The following example identifies a service as a primary service:

policy-map type service service1

 ip vrf forwarding blue

 sg-service-type primary

Related Commands

Command	Description
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG subscriber service.

sg-service-type external policy

To identify an Intelligent Services Gateway (ISG) service as an external policy, use the sg-service-type external policy command in service policy-map configuration mode. To remove this specification, use the no form of this command.

sg-service-type external policy external-policy

no sg-service-type external policy external-policy

Syntax Description

external-policy

External policy delegation Service Gateway service type.

Command Default

A service is not identified as an external policy.

Command Modes

Service policy-map configuration (config-service-policymap)

Command History

Release	Modification
12.2(33)SRC	This command was introduced.
12.2(33)SB	This command was integrated into Cisco IOS Release 12.2(33)SB.

Usage Guidelines

An external policy service type identifies a service as being provided by an external device. The external device is configured in a peering relationship with the ISG device via the aaa server radius policy-device command. The external device handles policies for user sessions that use the service.

Examples

The following example identifies the ISG service as an external policy:

Router(config)#policy-map type service SCE-SERVICE-LOCAL

Router(config-service-policymap)# sg-service-type external-policy

Related Commands

Command	Description
aaa server radius policy-device	Enables ISG RADIUS server configuration mode, in which server parameters can be configured.
policy-name	Configures a subscriber policy name.
service-monitor	Configures service monitoring.

show ccm clients

To display information about cluster control manager (CCM) clients on high availability (HA), dual Route Processor systems, use the show ccm clients command in privileged EXEC mode.

show ccm clients

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(31)SB2	This command was introduced.
12.2(33)SRC	This command was integrated into Cisco IOS Release 12.2(33)SRC.

Usage Guidelines

The CCM manages the capability to synchronize session initiation on the standby processor of a dual Route Processor HA system. Use the show ccm clients command to display information about CCM clients.

Examples

The following is sample output from the show ccm clients command on a router's active processor:

Router# show ccm clients

CCM bundles sent since peer up:

                                        Sent            Queued for flow control

    Sync Session                        10              1

    Update Session                      6               1

    Active Bulk Sync End                1               0

    Session Down                        10              0

    ISSU client msgs                    115             0

    Dynamic Session Sync                0               0

    Unknown msgs                        0               0

Client events sent since peer up:

    PPP                                 66

    PPPoE                               0

    PPPoA                               0

    AAA                                 44

    PPP SIP                             11

    LTERM                               11

    AC                                  0

    SSS FM                              0

    IP SIP                              0

    IP IF                               0

    DPM                                 0

    COA                                 0

The following is sample output from the show ccm clients command on a router's standby processor:

Router# show ccm clients

CCM bundles rcvd since last boot:

    Sync Session                8

    Update Session              0

    Active Bulk Sync            1

    Session Down                8

    ISSU client msgs            59

    Dynamic Session Sync        0

    Unknown msgs                0

Client events extracted since last boot:

    PPP                         72

    PPPoE                       50

    PPPoA                       0

    AAA                         32

    PPP SIP                     0

    LTERM                       8

    AC                          0

    SSS FM                      0

    IP SIP                      0

    IP IF                       0

    DPM                         0

    COA                         0

    Auto Svc                    0

Table 10 describes the significant fields shown in the display. Any data not described in Table 10 is used for Cisco internal debugging purposes.

c

Table 10 show ccm clients Field Descriptions 

Field	Description
Sent	Number of CCM bundles sent by the active processor since initiation on the standby processor.
Queued for flow control	Number of the following types of CCM bundles queued on the active processor when flow control is OFF since initiation on the standby processor: •Sync Session—Synchronization session bundles. •Update Session—Individual client update to session bundles. •Active Bulk Sync—Active processor bulk synchronization bundles. •Session Down—Session down bundles. •ISSU client msgs—In service software upgrade (ISSU) bundles. •Dynamic Session Sync—Dynamic cluster update to session bundles. •Unknown msgs—Unknown message bundles. . The queued bundles will be sent when flow control is ON again.
Client events sent since peer up	Number of client events sent since initiation on the standby processor.
CCM bundles rcvd since last boot	Number of the following types of CCM bundles received by the standby processor since initiation: •Sync Session—Synchronization session bundles. •Update Session—Individual client update to session bundles. •Active Bulk Sync—Active processor bulk synchronization bundles. •Session Down—Session down bundles. •ISSU client msgs—ISSU bundles. •Dynamic Session Sync—Dynamic cluster update to session bundles. •Unknown msgs—Unknown message bundles.
Client events extracted since last boot	Number of client events extracted since initiation on the standby processor.

Related Commands

Command	Description
show ccm queues	Displays CCM queue statistics.
show ccm sessions	Displays CCM session information.

show ccm queues

To display cluster control manager (CCM) queue statistics for high availability (HA) dual Route Processor systems, use the show ccm queues command in privileged EXEC mode.

show ccm queues

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(31)SB2	This command was introduced.
12.2(33)SRC	This command was integrated into Cisco IOS Release 12.2(33)SRC.

Usage Guidelines

The CCM manages the capability to synchronize session initiation on the standby processor of a redundant processor HA system. Use the show ccm queues command to display queue statistics for CCM sessions on active and standby processors. This command is generally used only by Cisco engineers for internal debugging of CCM processes.

Examples

The following is sample output from the show ccm queues command. No field descriptions are provided because command output is used for Cisco internal debugging purposes only.

Router# show ccm queues

8 Event Queues

                 size   max      kicks     starts    false   suspends  ticks(ms)

 4 CCM              0     7      16167      16168        1          0        20

 Event Names

                          Events  Queued  MaxQueued  Suspends  usec/evt max/evt

 1  4 Sync Session              0        0        0        0         0         0

 2  4 Sync Client               0        0        0        0         0         0

 3  4 Update                    0        0        0        0         0         0

 4  4 Session Down              0        0        0        0         0         0

 5  4 Bulk Sync Begi            1        0        1        0         0         0

 6  4 Bulk Sync Cont            2        0        2        0         0         0

 7  4 Bulk Sync End             1        0        1        0         0         0

 8  4 Rcv Bulk End              0        0        0        0         0         0

 9  4 Dynamic Sync C            0        0        0        0         0         0

10  4 Going Active              0        0        0        0         0         0

11  4 Going Standby             0        0        0        0         0         0

12  4 Standby Presen            1        0        1        0         0         0

13  4 Standby Gone              0        0        0        0         0         0

15  4 CP Message              188        0        7        0         0         0

16  4 Recr Session              0        0        0        0         0         0

17  4 Recr Update               0        0        0        0         0         0

18  4 Recr Sess Down            0        0        0        0         0         0

19  4 ISSU Session N            1        0        1        0         0         0

20  4 ISSU Peer Comm            0        0        0        0         0         0

21  4 Free Session          16103        0        1        0         0         0

22  4 Sync Dyn Sessi            0        0        0        0         0         0

23  4 Recr Dyn Sessi            0        0        0        0         0         0

24  4 Session Ready             0        0        0        0         0         0

FSM Event Names           Events

 0    Invalid                   0

 1    All Ready                 0

 2    Required Not Re           0

 3    Update                    0

 4    Down                  16103

 5    Error                     0

 6    Ready                     0

 7    Not Syncable              0

 8    Recreate Down             0

Related Commands

Command	Description
show ccm clients	Displays CCM client information.
show ccm sessions	Displays CCM session information.

show ccm sessions

To display information about cluster control manager (CCM) sessions on high availability (HA) dual Route Processor systems, use the show ccm sessions command in privileged EXEC mode.

show ccm sessions

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(31)SB2	This command was introduced.
12.2(33)SRC	This command was integrated into Cisco IOS Release 12.2(33)SRC.

Usage Guidelines

The CCM manages the capability to synchronize session initiation on the standby processor of a redundant processor HA system. Use the show ccm sessions command to display information on CCM sessions on active and standby processors, and also to display information on subscriber redundancy policies configured using the subscriber redundancy command.

Examples

The following is sample output from the show ccm sessions command on a Cisco 10000 series router active processor:

Router# show ccm sessions

Global CCM state:                                CCM HA Active - Dynamic Sync

Global ISSU state:                               Compatible, Clients Cap 0x0

	Number of sessions in state Down:                0

	Number of sessions in state Not Ready:           0

	Number of sessions in state Ready:               0

	Number of sessions in state Dyn Sync:            0

Timeout: Timer Type   Delay    Remaining Starts    CPU Limit CPU Last

		------------ -------- --------- --------- --------- --------

		Rate         00:00:01 	-         2         -         -       

		Dynamic CPU  00:00:10 	-         0         90        0 

The following is sample output from the show ccm sessions command on a Cisco 10000 series router standby processor:

Router# show ccm sessions

Global CCM state:                        CCM HA Standby - Collecting

Global ISSU state:                       Compatible, Clients Cap 0xFFE

                                         Current     Bulk Sent   Bulk Rcvd

                                         ----------- ----------- -----------

Number of sessions in state Down:        0           0           0          

Number of sessions in state Not Ready:   0           0           0          

Number of sessions in state Ready:       0           0           0          

Number of sessions in state Dyn Sync:    0           0           0          

Timeout: Timer Type   Delay    Remaining Starts      CPU Limit CPU Last

         ------------ -------- --------- ----------- --------- --------

         Rate         00:00:01 -         0           -         -       

         Dynamic CPU  00:00:10 -         0           90        0       

         Bulk Time Li 00:08:00 -         0           -         -       

         RF Notif Ext 00:00:20 -         0           -         -       

The following is sample output from the show ccm sessions command on a Cisco 7600 series router active processor:

Router# show ccm sessions

Global CCM state:                                CCM HA Active - Dynamic Sync

Global ISSU state:                               Compatible, Clients Cap 0xFFFE

										Current     Bulk Sent   Bulk Rcvd

                                         ----------- ----------- -----------

Number of sessions in state Down:        0           0           0          

Number of sessions in state Not Ready:   7424        0           0          

Number of sessions in state Ready:       0           0           0          

Number of sessions in state Dyn Sync:    20002       28001       0 

Timeout: Timer Type   Delay    Remaining Starts      CPU Limit CPU Last

         ------------ -------- --------- ----------- --------- --------

Rate         00:00:01 -         924         -         -       

         Dynamic CPU  00:00:10 -         0           90        2       

         Bulk Time Li 00:08:00 -         0           -         -       

         RF Notif Ext 00:00:20 -         18          -         - 

The following is sample output from the show ccm sessions command on a Cisco 7600 series router standby processor:

Router# show ccm sessions

Global CCM state:                        CCM HA Standby - Collecting

Global ISSU state:                       Compatible, Clients Cap 0xFFE

                                         Current     Bulk Sent   Bulk Rcvd

                                         ----------- ----------- -----------

Number of sessions in state Down:        0           0           0          

Number of sessions in state Not Ready:   8038        0           0          

Number of sessions in state Ready:       20002       0           28001      

Number of sessions in state Dyn Sync:    0           0           0 

Timeout: Timer Type   Delay    Remaining Starts      CPU Limit CPU Last

         ------------ -------- --------- ----------- --------- --------

Rate         00:00:01 -         0           -         -       

         Dynamic CPU  00:00:10 -         0           90        0       

         Bulk Time Li 00:08:00 -         1           -         -       

         RF Notif Ext 00:00:20 -         0           -         - 

Table 11 describes the significant fields shown in the display. Any data not described in the table is used for Cisco internal debugging.

Table 11 show ccm sessions Field Descriptions 

Field	Description
Global CCM state	Displays the processor's active or standby status and its CCM state. For example: •CCM HA Active - Dynamic Sync means that this is the active processor, standby is in STANDBY_HOT state, and CCM is ready to synchronize sessions. •CCM HA Active - Collecting means that this is the active processor and there is no standby processor. CCM can collect sessions but cannot synchronize them to a standby processor. •CCM HA Active - Bulk Sync means that this is the active processor and a standby processor is booting up. CCM is doing a bulk synchronization of sessions. •CCM HA Standby- Collecting means that this is the standby processor and is in STANDBY_HOT state. CCM is collecting sessions for synchronizing if a switchover happens.
Global ISSU state	Compatible, Clients Cap 0xFFFE0 indicates that CCM is compatible for in-service software upgrade (ISSU) clients—that is, ISSU-compatible Cisco IOS versions are running on both processors. It also means that CCM has the client capability for the clients in the bitmask 0xFFFE.
Current	CCM sessions currently ready for synchronization.
Bulk Sent	CCM sessions sent during bulk synchronization.
Bulk Rcvd	CCM sessions received during bulk synchronization.
Number of sessions in state Down	Sessions in the down state.
Number of sessions in state Not Ready	Sessions in the not ready state.
Number of sessions in state Ready	Sessions in the ready state.
Number of sessions in state Dyn Sync	Sessions in the dynamic synchronization state.
Timeout	Displays statistics for the following timers: •Rate—Monitors the number of sessions to be synchronized per configured time period. •Dynamic CPU—Monitors CPU limit, number of sessions, delay, and allowed calls configured for dynamic synchronization parameters. •Bulk Time Li—Monitors the time limit configured for bulk synchronization. •RF Notif Ext—Monitors redundancy facility (RF) active and standby state progressions and events. Use the subscriber redundancy command to modify parameters that these timers monitor.
Delay	Timer delay (in hh:mm:ss) for bulk and dynamic synchronization for subscriber sessions.
Remaining	Indicates remaining time in seconds before the timer expires.
Starts	Indicates the number of times the timer started.
CPU Limit	CPU usage percentage, a configurable value; default is 90 percent.
CPU Last	Indicates the last time that the CPU limit timer was running.

Related Commands

Command	Description
show ccm clients	Displays CCM client information.
show ccm queues	Displays CCM queue information.
subscriber redundancy	Configures subscriber session redundancy policies.

show class-map type control

To display information about Intelligent Services Gateway (ISG) control class maps, use the show class-map type control command in privileged EXEC mode.

show class-map type control

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

Use the show class-map type control command to display information about ISG control class maps, including statistics on the number of times a particular class has been evaluated and what the results were.

Examples

The following example shows sample output for the show class-map type control command:

Router# show class-map type control

Condition                     Action                          Exec Hit Miss Comp

---------                     ------                          ---- --- ---- ----

Table 12 describes the significant fields shown in the display.

Table 12 show class-map type control Field Descriptions

Field	Description
Exec	Number of times this line was executed.
Hit	Number of times this line evaluated to true.
Miss	Number of times this line evaluated to false.
Comp	Number of times this line completed the execution of its condition without a need to continue on to the end.

Related Commands

Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
clear class-map type control	Clears the ISG control class map counters.
show policy-map type control	Displays information about ISG control policy maps.

show class-map type traffic

To display Intelligent Services Gateway (ISG) traffic class maps and their matching criteria, use the show class-map type traffic command in privileged EXEC mode.

show class-map type traffic

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Examples

The following example shows configuration of a traffic class-map and corresponding sample output for the show class-map type traffic command. The output is self-explanatory.

!

access-list 101 permit ip any any

access-list 102 permit ip any any

!

class-map type traffic match-any PEER_TRAFFIC

 match access-group output 102

 match access-group input 101

!

Router# show class-map type traffic 

Class-map: match-any  PEER_TRAFFIC             

------------------------------------------------------

Output:       

Extended IP access list 102

    10 permit ip any any

Input:        

Extended IP access list 101

    10 permit ip any any

Related Commands

Command	Description
show policy-map type traffic	Displays the contents of ISG service policy maps.

show idmgr

To display information related to Intelligent Services Gateway (ISG) session identity, use the show idmgr command in privileged EXEC mode.

show idmgr {memory [detailed [component [substring]]] | service key session-handle session-handle-string service-key key-value | session key {aaa-unique-id aaa-unique-id-string | domainip-vrf ip-address ip-address vrf-id vrf-id | nativeip-vrf ip-address ip-address vrf-id vrf-id | portbundle ip ip-address bundle bundle-number | session-guid session-guid | session-handle session-handle-string | session-id session-id-string} | statistics}

Syntax Description

memory	Displays memory-usage information related to ID management.
detailed	(Optional) Displays detailed memory-usage information related to ID management.
component	(Optional) Displays information for the specified ID management component.
substring	(Optional) Substring to match the component name.
service key	Displays ID information for a specific service.
session-handle session-handle-string	Displays the unique identifier for a session.
service-key key-value	Displays ID information for a specific service.
session key	Displays ID information for a specific session and its related services.
aaa-unique-id aaa-unique-id-string	Displays the authentication, authorization, and accounting (AAA) unique ID for a specific session.
domainip-vrf ip-address ip-address	Displays the service-facing IP address for a specific session.
vrf-id vrf-id	Displays the VPN routing and forwarding (VRF) ID for the specific session.
nativeip-vrf ip-address ip-address	Displays the subscriber-facing IP address for a specific session.
portbundle ip ip-address	Displays the port bundle IP address for a specific session.
bundle bundle-number	Displays the bundle number for a specific session.
session-guid session-guid	Displays the global unique identifier for a session.
session-handle session-handle-string	Displays the session identifier for a specific session.
session-id session-id-string	Displays the session identifier used to construct the value for RADIUS attribute 44 (Acct-Session-ID).
statistics	Displays statistics related to storing and retrieving ID information.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Examples

The following sample output for the show idmgr command displays information about the service called "service":

Router# show idmgr service key session-handle 48000002 service-key service

session-handle = 48000002

service-name = service

idmgr-svc-key = 4800000273657276696365

authen-status = authen

The following sample output for the show idmgr command displays information about a session and the service that is related to the session:

Router# show idmgr session key session-handle 48000002    

session-handle = 48000002

aaa-unique-id = 00000002

authen-status = authen

username = user1

Service 1 information:

session-handle = 48000002

service-name = service

idmgr-svc-key = 4800000273657276696365

The following sample output for the show idmgr command displays information about the global unique identifier of a session:

Router# show idmgr session key session-guid 020202010000000C

session-handle = 18000003

aaa-unique-id = 0000000C

authen-status = authen

interface = nas-port:0.0.0.0:2/0/0/42

authen-status = authen

username = FortyTwo

addr = 100.42.1.1

session-guid = 020202010000000C

Table 13 describes the significant fields shown in the display.

Table 13 show idmgr Field Descriptions  

Field	Description
session-handle	Unique identifier of the session.
service-name	Service name for this session.
idmgr-svc-key	The ID manager service key of this session.
authen-status	Indicates whether the session has been authenticated or unauthenticated.
aaa-unique-id	AAA unique ID of the session.
username	The username associated with this session.
interface	The interface details of this session.
addr	The IP address of this session.
session-guid	Global unique identifier of this session.

show interface monitor

To display interface statistics that will be updated at specified intervals, use the show interface monitor command in user EXEC or privileged EXEC mode.

show interface interface-type interface-number monitor [interval seconds]

Syntax Description

interface-type	Type of the interface for which statistics will be displayed.
interface-number	Number of the interface for which statistics will be displayed.
interval seconds	(Optional) Interval, in seconds, at which the display will be updated. Range: 5 to 3600. Default: 5.

Command Modes

User EXEC
Privileged EXEC

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The show interface monitor command allows you to monitor an interface by displaying interface statistics and updating those statistics at regular intervals. While the statistics are being displayed, the command-line interface will prompt you to enter "E" to end the display, "C" to clear the counters, or "F" to freeze the display.

Examples

The following example shows sample output for the show interface monitor command. The display will be updated every 10 seconds.

Router# show interface ethernet 0/0 monitor interval 10

Router Name:  Scale3-Router8       Update Secs: 10

Interface Name:   Ethernet 0/0          Interface Status: UP, line is up 

Line Statistics:          Total:        Rate(/s)    Delta

Input Bytes:              123456        123         7890

Input Packets:              3456         56          560

Broadcast:                  1333          6           60

OutputBytes:               75717        123         1230

Output Packets:              733         44          440

Error Statistics:         Total:        Delta:

Input Errors:              0               0

CRC  Errors:               0               0

Frame Errors:              0               0

Ignored:                   0               0

Output Errors:             0               0

Collisions:                0               0

No. Interface Resets:  2

End = e       Clear = c      Freeze = f 

Enter Command:

Table 14 describes the significant fields shown in the display.

Table 14 show interface monitor Field Descriptions 

Field	Description
Line Statistics	Information about the physical line. The delta column indicates the difference between the current display and the display before the last update.
Input Bytes	Total number of bytes, including data and MAC encapsulation, in the error-free packets received by the system.
Input Packets	Total number of error-free packets received by the system.
Broadcast	Total number of broadcast or multicast packets received by the interface.
OutputBytes	Total number of bytes sent by the system.
Output Packets	Total number of packets sent by the system.
Error Statistics	Displays statistics about errors. The delta column indicates the difference between the current display and the display before the last update.
Input Errors	Includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts. Other input-related errors can also cause the input errors count to be increased, and some datagrams may have more than one error; therefore, this sum may not balance with the sum of enumerated input error counts.
CRC Errors	Cyclic redundancy checksum generated by the originating LAN station or far-end device does not match the checksum calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or the LAN bus itself. A high number of CRCs is usually the result of collisions or a station transmitting bad data.
Frame Errors	Number of packets received incorrectly having a CRC error and a noninteger number of octets. On a LAN, this is usually the result of collisions or a malfunctioning Ethernet device.
Ignored	Number of received packets ignored by the interface because the interface hardware ran low on internal buffers. Broadcast storms and bursts of noise can cause the ignored count to be increased.
Output Errors	Sum of all errors that prevented the final transmission of datagrams out of the interface from being examined. Note that this may not balance with the sum of the enumerated output errors, as some datagrams may have more than one error, and others may have errors that do not fall into any of the specifically tabulated categories.
Collisions	Number of messages transmitted because of an Ethernet collision. A packet that collides is counted only once in output packets.
No. Interface Resets	Number of times an interface has been completely reset. This can happen if packets queued for transmission were not sent within several seconds. On a serial line, this can be caused by a malfunctioning modem that is not supplying the transmit clock signal, or by a cable problem. If the system notices that the carrier detect line of a serial interface is up, but the line protocol is down, it periodically resets the interface in an effort to restart it. Interface resets can also occur when an interface is looped back or shut down.

Related Commands

Command	Description
show interfaces	Displays statistics for all interfaces configured on the router or access server.

show ip portbundle ip

To display information about a particular Intelligent Services Gateway (ISG) port bundle, use the show ip portbundle ip command in privileged EXEC mode.

show ip portbundle ip port-bundle-ip-address bundle port-bundle-number

Syntax Description

port-bundle-ip-address	IP address used to identify the port bundle.
bundle port-bundle-number	Port bundle number.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

Use the show ip portbundle ip command to display the port mappings in a port bundle.

Examples

The following example is sample output for the show ip portbundle ip command:

Router# show ip portbundle ip 10.2.81.13 bundle 65

Portbundle IP address: 10.2.81.13  Bundlenumber: 65

Subscriber VRF: VRF2

Subscriber Portmappings:

Subscriber IP: 10.0.0.2 Subscriber Port: 11019  Mapped Port: 1040

Table 15 describes the significant fields shown in the display.

Table 15 show ip portbundle ip Field Descriptions

Field	Description
Subscriber IP	Subscriber IP address.
Subscriber Port	Subscriber port number.
Mapped Port	Port assigned by the ISG.

Related Commands

Command	Description
ip portbundle (global)	Enters portbundle configuration mode, in which ISG port-bundle host key parameters can be configured.
show ip portbundle status	Displays information about ISG port-bundle groups.

show ip portbundle status

To display a information about Intelligent Services Gateway (ISG) port-bundle groups, use the show ip portbundle status command in privileged EXEC mode.

show ip portbundle status [free | inuse]

Syntax Description

free	(Optional) Lists the port bundles that are available in each bundle group.
inuse	(Optional) Lists the port bundles that are in use in each bundle group. Also displays the associated subscriber interface for each port bundle.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

Use the show ip portbundle status command to display a list of port-bundle groups, port-bundle length, and the number of free and in-use port bundles in each group.

Examples

The following example is sample output for the show ip portbundle status command when issued with no keywords:

Router# show ip portbundle status

Bundle-length = 4

Bundle-groups: -

IP Address              Free Bundles            In-use Bundles

10.2.81.13                       4031                    1

Table 16 describes the significant fields shown in the display.

Table 16 show ip portbundle status Field Descriptions 

Field	Description
Bundle-length	Number of ports per bundle and number of bundles per bundle group.
Bundle-groups	List of bundle groups.
IP Address	IP address of a bundle group.
Free Bundles	Number of free bundles in the specified bundle group.
In-use Bundles	Number of in-use bundles in the specified bundle group.

Related Commands

Command	Description
ip portbundle (global)	Enters portbundle configuration mode, in which ISG port-bundle host key parameters can be configured.
show ip portbundle ip	Displays information about a particular ISG port bundle.

show ip subscriber

To display information about Intelligent Services Gateway (ISG) IP subscriber sessions, use the show ip subscriber command in privileged EXEC mode.

show ip subscriber [dangling seconds | detail | ip ip-address | mac mac-address | vrf vrf-name | static list listname [dangling seconds | detail | ip ip-address] | [interface interface-name [statistics interface-name | detail]]]

Syntax Description

dangling seconds	(Optional) Displays IP subscriber sessions that have remained unestablished for the specified number of seconds. Range: 1 to 3600.
detail	(Optional) Displays detailed information about IP subscriber sessions.
ip ip-address	(Optional) Displays information about IP subscriber sessions that have the specified IP address.
mac mac-address	(Optional) Displays information about IP subscriber sessions that have the specified MAC address.
vrf vrf-name	(Optional) Displays IP subscriber sessions associated with the specified virtual routing and forwarding (VRF) instance.
interface interface-name	(Optional) Displays information for IP subscriber sessions associated with the specified interface on the Cisco 7600 router.
statistics interface-name	(Optional) Displays statistical information for IP subscriber sessions associated with the specified interface on Cisco 7600 series routers.
static	(Optional) Displays information for static sessions associated with a IP subscriber list.

Command Modes

Privileged EXEC (#)

Command History

Release	Modification
12.2(31)SB2	This command was introduced.
12.2(33)SRC	Support was added for this command on Cisco 7600 series routers.
12.2(33)SRE	This command was modified. The keyword static was added.

Usage Guidelines

A session that has not been fully established within a specified period of time is referred to as a dangling session. The show ip subscriber command can be used with the dangling keyword to display dangling sessions. The seconds argument allows you to specify how long the session has to remain unestablished before it is considered dangling.

The interface, statistics, and static command options are available only on Cisco 7600 series routers.

Examples

The following example shows sample output from the show ip subscriber command. Detailed information is displayed about all the IP subscriber sessions associated with VRF1.

Router# show ip subscriber vrf1 detail

IP subscriber: 0000.0000.0002, type connected, status up

 display uid: 6, aaa uid: 17

 segment hdl: 0x100A, session hdl: 0x96000005, shdb: 0xBC000005

 session initiator: dhcp discovery

 access address: 10.0.0.3

 service address: vrf1, 10.0.0.3

 conditional debug flag: 0x0

 control plane state: connected, start time: 1d06h

 data plane state: connected, start time: 1d06h

 arp entry: [vrf1] 10.0.0.3, Ethernet0/0

 midchain adj: 10.0.0.3 on multiservice1

forwarding statistics: