Table Of Contents
Configuring ISG Control Policies
Finding Feature Information
Contents
Prerequisites for Configuring ISG Control Policies
Restrictions for Configuring ISG Control Policies
Information About ISG Control Policies
Control Policies
Differentiated Initial Policy Control
Uses of Control Policies
How to Configure an ISG Control Policy
Configuring a Control Class Map
Configuring a Control Policy Map
Default Method Lists
Applying the Control Policy Map
Applying a Control Policy Map Globally on the Router
Applying an ISG Control Policy Map to an Interface or Subinterface
Applying an ISG Control Policy Map to a Virtual Template
Applying an ISG Control Policy Map to an ATM VC Class
Applying a Control Policy Map to an ATM PVC
Monitoring and Maintaining ISG Control Policies
Configuration Examples for ISG Control Policies
Control Policy for Layer 2 Access and Service Provisioning: Example
Control Policy for Restricting Access on the Basis of Interface and Access Media: Example
Control Policy for ISG Prepaid Billing Support: Example
Control Policies for Automatic Subscriber Login: Example
Additional References
Related Documents
Standards
MIBs
RFCs
Technical Assistance
Feature Information for ISG Control Policies
Configuring ISG Control Policies
First Published: March 20, 2006
Last Updated: November 25, 2009
Intelligent Services Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. ISG control policies are a means of defining the actions the system will take in response to specified conditions and events. A wide variety of system actions, conditions, and events can be combined using a consistent policy language, providing a flexible and precise way of configuring ISG. This module provides information about how to configure ISG control policies.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for ISG Control Policies" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Configuring ISG Control Policies
•Restrictions for Configuring ISG Control Policies
•Information About ISG Control Policies
•How to Configure an ISG Control Policy
•Configuration Examples for ISG Control Policies
•Additional References
•Feature Information for ISG Control Policies
Prerequisites for Configuring ISG Control Policies
For information about release and platform support, see the "Feature Information for ISG Control Policies" section.
Authentication, authorization, and accounting (AAA) method lists must be configured prior to defining authentication and authorization actions.
Restrictions for Configuring ISG Control Policies
Control policies are activated for specific contexts, not directly on sessions. Control policies apply to all sessions hosted on the context.
Only one control policy map may be applied to a given context.
Control policies can be defined only through the router's command-line interface (CLI).
Not all actions may be associated with all events.
A new control class may not be inserted between existing control classes once a control policy map has been defined.
Information About ISG Control Policies
Before you configure ISG control policies, you should understand the following concepts:
•Control Policies
•Uses of Control Policies
Control Policies
Control policies define the actions that the system will take in response to specified events and conditions. For example, a control policy can be configured to authenticate specific subscribers and then provide them with access to specific services.
A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed.
Three steps are involved in defining a control policy:
1. Create one or more control class maps.
A control class map specifies the conditions that must be met for a policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map may contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the individual conditions must evaluate true in order for the class to evaluate true.
2. Create a control policy map.
A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.
3. Apply the control policy map.
A control policy map is activated by applying it to a context. A control policy map can be applied to one or more of the following types of contexts. In the following list, the context types are listed in order of precedence. For example, a control policy map that is applied to a PVC takes precedence over a control policy map that is applied to an interface.
–Permanent virtual circuit (PVC)
–Virtual circuit (VC) class
–Virtual template
–Subinterface
–Interface
–Global
In general, control policy maps that are applied to more specific contexts take precedence over policy maps applied to more general contexts.
Note Traffic policies are another type of policy used by ISG. Traffic policies define the handling of data packets and are configured in service policy maps or service profiles. For more information about traffic policies, see the "Configuring ISG Subscriber Services" module.
Differentiated Initial Policy Control
Authentication failure for a subscriber may happen for an access-reject (which means a RADIUS server responded with a Reject) or due to an access request timeout (RADIUS server is unreachable).
Using ISG control policies, and actions configured for the 'radius-timeout' and 'access-reject' events, the system can distinguish between the different reasons for an authentication failure. Different events are thrown by the system (for example, a received authentication reject or an unavailable RADIUS server event). This allows the control policy to specify different actions for each type of authentication failure. For example, if the RADIUS server is down or unreachable, temporary access can be given to subscribers.
This feature is available only for IP-based sessions for subscriber authentication. This feature does not support the Point-to-Point Protocol over Ethernet (PPPoE) sessions.
Uses of Control Policies
Use control policies to configure an ISG to perform specific actions in response to specific events and conditions. For example, control policies could be used for the following purposes:
•To activate a default service when a subscriber session is first detected
•To sequence the gathering of subscriber identity, where a control protocol exists on the access side
•To determine how the system responds to an idle timeout or to a subscriber who has run out of credit
•To enable transparent automatic login, which enables authorization on the basis of an IP address or MAC address
•To configure the maximum amount of time a session can remain unauthenticated
•To send periodic session state information to other devices
How to Configure an ISG Control Policy
Perform the following tasks to configure an ISG control policy:
•Configuring a Control Class Map (required)
•Configuring a Control Policy Map (required)
•Applying the Control Policy Map (required)
•Monitoring and Maintaining ISG Control Policies (optional)
Configuring a Control Class Map
A control class map contains conditions that must be met for a control policy to be executed. A control class map can contain one or more conditions. Perform this task to configure a control class map.
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type control [match-all | match-any | match-none] class-map-name
4. available {authen-status | authenticated-domain | authenticated-username | dnis | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}
5. greater-than [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
6. greater-than-or-equal [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
7. less-than [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
8. less-than-or-equal [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
9. match authen-status {authenticated | unauthenticated}
10. match authenticated-domain {domain-name | regexp regular-expression}
11. match authenticated-username {username | regexp regular-expression}
12. match dnis {dnis | regexp regular-expression}
13. match media {async | atm | ether | ip | isdn | mpls | serial}
14. match mlp-negotiated {no | yes}
15. match nas-port {adapter adapter-number | channel channel-number | circuit-id name | ipaddr ip-address | port port-number | remote-id name | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type {async | atm | basic-rate | enm | ether | fxo | fxs | none | primary-rate | synch | vlan | vty} | vci vci-number | vlan vlan-id | vpi vpi-number}
16. match no-username {no | yes}
17. match protocol {atom | ip | pdsn | ppp | vpdn}
18. match service-name {service-name | regexp regular-expression}
19. match source-ip-address ip-address subnet-mask
20. match timer {timer-name | regexp regular-expression}
21. match tunnel-name {tunnel-name | regexp regular-expression}
22. match unauthenticated-domain {domain-name | regexp regular-expression}
23. match unauthenticated-username {username | regexp regular-expression}
24. match vrf {vrf-name | regexp regular-expression}
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
class-map type control [match-all | match-any |
match-none] class-map-name
Example:
Router(config)# class-map type control
match-all class1
|
Creates or modifies a control class map, which defines the conditions under which the actions of a control policy map will be executed, and enters control class map mode.
|
Step 4
|
available {authen-status | authenticated-domain
| authenticated-username | dnis | media |
mlp-negotiated | nas-port | no-username |
protocol | service-name | source-ip-address |
timer | tunnel-name | unauthenticated-domain |
unauthenticated-username}
Example:
Router(config-control-classmap)# available
nas-port
|
(Optional) Creates a condition that evaluates true if the specified subscriber identifier is locally available.
|
Step 5
|
greater-than [not] nas-port {adapter
adapter-number | channel channel-number |
ipaddr ip-address | port port-number | shelf
shelf-number | slot slot-number | sub-interface
sub-interface-number | type interface-type |
vci vci-number | vlan vlan-id | vpi vpi-number}
Example:
Router(config-control-classmap)# greater-than
nas-port type atm vpi 200 vci 100
|
(Optional) Creates a condition that evaluates true if the subscriber network access server (NAS) port identifier is greater than the specified value.
|
Step 6
|
greater-than-or-equal [not] nas-port {adapter
adapter-number | channel channel-number |
ipaddr ip-address | port port-number | shelf
shelf-number | slot slot-number | sub-interface
sub-interface-number | type interface-type |
vci vci-number | vlan vlan-id | vpi vpi-number}
Example:
Router(config-control-classmap)#
greater-than-or-equal nas-port vlan 10
|
(Optional) Creates a condition that evaluates true if the specified subscriber NAS port identifier is greater than or equal to the specified value.
|
Step 7
|
less-than [not] nas-port {adapter
adapter-number | channel channel-number |
ipaddr ip-address | port port-number | shelf
shelf-number | slot slot-number | sub-interface
sub-interface-number | type interface-type |
vci vci-number | vlan vlan-id | vpi vpi-number}
Example:
Router(config-control-classmap)# less-than
nas-port type atm vpi 200 vci 105
|
(Optional) Creates a condition that evaluates true if the specified subscriber NAS port identifier is less than the specified value.
|
Step 8
|
less-than-or-equal [not] nas-port {adapter
adapter-number | channel channel-number |
ipaddr ip-address | port port-number | shelf
shelf-number | slot slot-number | sub-interface
sub-interface-number | type interface-type |
vci vci-number | vlan vlan-id | vpi vpi-number}
Example:
Router(config-control-classmap)#
less-than-or-equal nas-port ipaddr 10.10.10.10
|
(Optional) Creates a condition that evaluates true if the specified subscriber NAS port identifier is less than or equal to the specified value.
|
Step 9
|
match authen-status {authenticated |
unauthenticated}
Example:
Router(config-control-classmap)# match
authen-status authenticated
|
(Optional) Creates a condition that evaluates true if a subscriber's authentication status matches the specified authentication status.
|
Step 10
|
match authenticated-domain {domain-name |
regexp regular-expression}
Example:
Router(config-control-classmap)# match
authenticated-domain cisco.com
|
(Optional) Creates a condition that evaluates true if a subscriber's authenticated domain matches the specified domain.
|
Step 11
|
match authenticated-username {username | regexp
regular-expression}
Example:
Router(config-control-classmap)# match
authenticated-username regexp "admin@.*com"
|
(Optional) Creates a condition that evaluates true if a subscriber's authenticated username matches the specified username.
|
Step 12
|
match dnis {dnis | regexp regular-expression}
Example:
Router(config-control-classmap)# match dnis
reg-exp 5551212
|
(Optional) Creates a condition that evaluates true if a subscriber's Dialed Number Identification Service number (DNIS number, also referred to as called-party number) matches the specified DNIS number.
|
Step 13
|
match media {async | atm | ether | ip | isdn |
mpls | serial}
Example:
Router(config-control-classmap)# match media
atm
|
(Optional) Creates a condition that evaluates true if a subscriber's access media type matches the specified media type.
|
Step 14
|
match mlp-negotiated {no | yes}
Example:
Router(config-control-classmap)# match
mlp-negotiated yes
|
(Optional) Creates a condition that evaluates true or false depending on whether the subscriber's session was established using multilink PPP negotiation.
•If the yes keyword is used, the condition evaluates true if the subscriber's session was established using multilink PPP negotiation.
|
Step 15
|
match nas-port {adapter adapter-number |
channel channel-number | circuit-id name |
ipaddr ip-address | port port-number |
remote-id name | shelf shelf-number | slot
slot-number | sub-interface
sub-interface-number | type {async | atm |
basic-rate | enm | ether | fxo | fxs | none |
primary-rate | synch | vlan | vty} | vci
vci-number | vlan vlan-id | vpi vpi-number}
Example:
Router(config-control-classmap)# match nas-port
type ether slot 3
|
(Optional) Creates a condition that evaluates true if a subscriber's NAS port identifier matches the specified value.
|
Step 16
|
match no-username {no | yes}
Example:
Router(config-control-classmap)# match
no-username yes
|
(Optional) Creates a condition that evaluates true or false depending on whether or not a subscriber's username is available.
•If the yes keyword is used, the condition evaluates true if the subscriber's username is not available.
|
Step 17
|
match protocol {atom | ip | pdsn | ppp | vpdn}
Example:
Router(config-control-classmap)# match protocol
ip
|
(Optional) Creates a condition that evaluates true if a subscriber's access protocol type matches the specified protocol type.
|
Step 18
|
match service-name {service-name | regexp
regular-expression}
Example:
Router(config-control-classmap)# match
service-name service1
|
(Optional) Creates a condition that evaluates true if the service name associated with a subscriber matches the specified service name.
|
Step 19
|
match source-ip-address ip-address subnet-mask
Example:
Router(config-control-classmap)# match
source-ip-address 10.10.10.10 255.255.255.255
|
(Optional) Creates a condition that evaluates true if a subscriber's source IP address matches the specified IP address.
|
Step 20
|
match timer {timer-name | regexp
regular-expression}
Example:
Router(config-control-classmap)# match timer
TIMERA
|
(Optional) Creates a condition that evaluates true upon expiry of a specified policy timer.
|
Step 21
|
match tunnel-name {tunnel-name | regexp
regular-expression}
Example:
Router(config-control-classmap)# match
tunnel-name regexp L.*
|
(Optional) Creates a condition that evaluates true if a subscriber's virtual private dialup network (VPDN) tunnel name matches the specified tunnel name.
|
Step 22
|
match unauthenticated-domain {domain-name |
regexp regular-expression}
Example:
Router(config-control-classmap)# match
unauthenticated-domain example.com
|
(Optional) Creates a condition that evaluates true if a subscriber's unauthenticated domain name matches the specified domain name.
|
Step 23
|
match unauthenticated-username {username |
regexp regular-expression}
Example:
Router(config-control-classmap)# match
unauthenticated-username regexp examplename1
|
(Optional) Creates a condition that evaluates true if a subscriber's unauthenticated username matches the specified username.
|
Step 24
|
match vrf {vrf-name | regexp
regular-expression}
Example:
Router(config-control-classmap)# match vrf
regexp examplename2
|
(Optional) Creates a condition that evaluates true if a subscriber's VPN routing and forwarding (VRF) matches the specified VRF.
|
Configuring a Control Policy Map
A control policy map contains one or more control policy rules that associate a control class with one or more actions. Perform this task to configure a control policy map.
Note The actions that can be configured in a policy rule depend on the type of event that is specified by the class type control command. For example, if the account-logoff event is specified, the only action that can be configured in that policy rule is service. The procedure in this section shows all actions that can be configured in a policy map.
Default Method Lists
If you specify the default method list for any of the control policy actions, the default list will not appear in the output of the show running-config command. For example, if you configure the following command:
Router(config-control-policymap-class-control)# 1 authenticate aaa list default
the following will display in the output for the show running-config command:
Named method lists will display in the show running-config command output.
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map type control policy-map-name
4. class type control {control-class-name | always} [event {access-reject | account-logoff | account-logon | acct-notification | credit-exhausted | dummy-event | quota-depleted | radius-timeout | service-failed | service-start | service-stop | session-default-service | session-restart | session-service-found | session-start | timed-policy-expiry}]
5. action-number authenticate aaa list list-name
6. action-number authorize use method {aaa | legacy | rm | sgf | ssg | xconnect}[aaa parameter-name] [password password] [upon network-service-found {continue | stop}] identifier {authenticated-domain | authenticated-username | auto-detect | circuit-id| dnis | mac-address | nas-port | remote-id | source-ip-address | tunnel-name | unauthenticated-domain | unauthenticated-username | vendor-class-id}
7. action-number collect [aaa list list-name] identifier {authen-status | authenticated-domain | authenticated-username | dnis | mac-address | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username | vrf}
8. action-number if upon network-service-found {continue | stop}
9. action-number proxy accounting aaa list {list-name | default}
10. action-number service [disconnect | local | vpdn]
11. action-number service-policy type control policy-map-name
12. action-number service-policy type service [unapply] [aaa list list-name] {name service-name | identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username}}
13. action-number set name identifier {authen-status | authenticated-domain | authenticated-username | dnis | mac-address | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username | vrf}
14. action-number set-timer name-of-timer minutes
15. action-number substitute name matching-pattern pattern-string
16. end
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
policy-map type control policy-map-name
Example:
Router(config)# policy-map type control
MY-POLICY
|
Creates or modifies a control policy map, which is used to define a control policy.
|
Step 4
|
class type control {control-class-name |
always} [event {access-reject | account-logoff
| account-logon | acct-notification |
credit-exhausted | dummy-event | quota-depleted
| radius-timeout | service-failed |
service-start | service-stop |
session-default-service | session-restart |
session-service-found | session-start |
timed-policy-expiry}]
Example:
Router(config-control-policymap)# class type
control always event session-start
|
Specifies a control class for which actions may be configured.
•A policy rule for which the control class is always will always be treated as the lowest priority rule within the control policy map.
|
Step 5
|
action-number authenticate aaa list list-name
Example:
Router(config-control-policymap-class-control)#
1 authenticate aaa list LIST1
|
(Optional) Initiates an authentication request.
|
Step 6
|
action-number authorize use method {aaa |
legacy | rm | sgf | ssg | xconnect}[aaa
parameter-name] [password password] [upon
network-service-found {continue | stop}]
identifier {authenticated-domain |
authenticated-username | auto-detect |
circuit-id | dnis | mac-address | nas-port |
remote-id | source-ip-address | tunnel-name |
unauthenticated-domain |
unauthenticated-username | vendor-class-id}
Example:
Router(config-control-policymap-class-control)#
1 authorize identifier source-ip-address
|
(Optional) Initiates a request for authorization on the basis of the specified identifier.
|
Step 7
|
action-number collect [aaa list list-name]
identifier {authen-status |
authenticated-domain | authenticated-username
| dnis | mac-address | media | mlp-negotiated |
nas-port | no-username | protocol |
service-name | source-ip-address | timer |
tunnel-name | unauthenticated-domain |
unauthenticated-username | vrf}
Example:
Router(config-control-policymap-class-control)#
1 collect identifier authen-status
|
(Optional) Collects the specified subscriber identifier from the access protocol.
|
Step 8
|
action-number if upon network-service-found
{continue | stop}
Example:
Router(config-control-policymap-class-control)#
2 if upon network-service-found stop
|
(Optional) Specifies whether the system should continue processing policy rules once the subscriber's network service has been identified.
|
Step 9
|
action-number proxy accounting aaa list
{list-name | default}
Example:
Router(config-control-policymap-class-control)#
1 proxy accounting aaa list default
|
(Optional) Specifies the list that the request should be proxied to.
|
Step 10
|
action-number service [disconnect | local |
vpdn]
Example:
Router(config-control-policymap-class-control)#
3 service disconnect
|
(Optional) Specifies a network service type for PPP sessions.
|
Step 11
|
action-number service-policy type control
policy-map-name
Example:
Router(config-control-policymap-class-control)#
service-policy type control domain based access
|
(Optional) Nests the specified control policy map within a parent control policy map.
|
Step 12
|
action-number service-policy type service
[unapply] [aaa list list-name] {name
service-name | identifier {authenticated-domain
| authenticated-username | dnis | nas-port |
tunnel-name | unauthenticated-domain |
unauthenticated-username}}
Example:
Router(config-control-policymap-class-control)#
1 service-policy type service aaa list LISTA
name REDIRECT
|
(Optional) Activates an ISG service.
•Specifying an identifier instead of a service name will activate a service that has the same name as the specified identifier.
|
Step 13
|
action-number set name identifier
{authen-status | authenticated-domain |
authenticated-username | dnis | mac-address |
media | mlp-negotiated | nas-port | no-username
| protocol | service-name | source-ip-address |
timer | tunnel-name | unauthenticated-domain |
unauthenticated-username | vrf}
Example:
Router(config-control-policymap-class-control)#
1 set APJ identifier authen-status
|
(Optional) Sets a variable name.
|
Step 14
|
action-number set-timer name-of-timer minutes
Example:
Router(config-control-policymap-class-control)#
1 set-timer TIMERA 5
|
(Optional) Starts a named policy timer.
•Expiration of the timer generates the event timed-policy-expiry.
|
Step 15
|
action-number substitute name matching-pattern
pattern-string
Example:
Router(config-control-policymap-class-control)#
1 substitute TPK SUBA SUBB
|
(Optional) Substitutes a matching pattern in variable content by a rewrite pattern.
|
Step 16
|
end
Example:
Router(config-control-policymap-class-control)#
end
|
(Optional) Ends the current configuration session and returns to privileged EXEC mode.
|
Applying the Control Policy Map
A control policy map must be activated by applying it to a context. Perform one or more of the following tasks to apply a control policy to a context:
•Applying a Control Policy Map Globally on the Router
•Applying an ISG Control Policy Map to an Interface or Subinterface
•Applying an ISG Control Policy Map to a Virtual Template
•Applying an ISG Control Policy Map to an ATM VC Class
•Applying a Control Policy Map to an ATM PVC
Applying a Control Policy Map Globally on the Router
Perform this task to apply a control policy globally.
SUMMARY STEPS
1. enable
2. configure terminal
3. service-policy type control policy-map-name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
service-policy type control policy-map-name
Example:
Router(config)# service-policy type control
policy1
|
Applies a control policy.
|
Applying an ISG Control Policy Map to an Interface or Subinterface
Perform this task to apply an ISG control policy to an interface or subinterface.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number [.subinterface number]
4. service-policy type control policy-map-name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface type number[.subinterface-number]
Example:
Router(config)# interface gigabitethernet 0/1.1
|
Specifies an interface and enters interface configuration mode.
|
Step 4
|
service-policy type control policy-map-name
Example:
Router(config-if)# service-policy type control
policy1
|
Applies a control policy.
|
Applying an ISG Control Policy Map to a Virtual Template
Perform this task to apply an ISG control policy map to a virtual template.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface virtual-template number
4. service-policy type control policy-map-name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface virtual-template number
Example:
Router(config)# interface virtual-template0
|
Creates a virtual template interface and enters interface configuration mode.
|
Step 4
|
service-policy type control policy-map-name
Example:
Router(config-if)# service-policy type control
policy1
|
Applies a control policy.
|
Applying an ISG Control Policy Map to an ATM VC Class
A VC class is a set of preconfigured VC parameters that are configured and applied to a particular VC or ATM interface. Perform this task to apply an ISG control policy map to an ATM VC class.
SUMMARY STEPS
1. enable
2. configure terminal
3. vc-class atm vc-class-name
4. service-policy type control policy-map-name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
vc-class atm vc-class-name
Example:
Router(config)# vc-class atm class1
|
Creates an ATM VC class and enters ATM VC class configuration mode.
•A VC class can be applied to an ATM interface, subinterface, or VC.
|
Step 4
|
service-policy type control policy-map-name
Example:
Router(config-vc-class)# service-policy type
control policy1
|
Applies a control policy.
|
Applying a Control Policy Map to an ATM PVC
Perform this task to apply an ISG control policy to an ATM PVC.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface atm interface-number[.subinterface-number {mpls | multipoint | point-to-point}]
4. pvc vpi/vci
5. service-policy type control policy-map-name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface atm
interface-number[.subinterface-number {mpls |
multipoint | point-to-point}]
Example:
Router(config)# interface atm 5/0.1 multipoint
|
Specifies an ATM interface or subinterface and enters interface configuration mode.
|
Step 4
|
pvc vpi/vci
Example:
Router(config-if)# pvc 2/101
|
Creates an ATM PVC and enters ATM virtual circuit configuration mode.
|
Step 5
|
service-policy type control policy-map-name
Example:
Router(config-if-atm-vc)# service-policy type
control policy1
|
Applies a control policy.
|
Monitoring and Maintaining ISG Control Policies
Optionally, you can perform this task to monitor and maintain ISG control policy operation. Steps can be performed in any order.
SUMMARY STEPS
1. enable
2. show class-map type control
3. show policy-map type control
4. clear class-map control
5. clear policy-map control
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
show class-map type control
Example:
Router# show class-map type control
|
Displays information about ISG control class maps.
•The display includes statistics on the number of times a particular class has been evaluated and what the results were.
|
Step 3
|
show policy-map type control
Example:
Router# show policy-map type control
|
Displays information about ISG control policy maps.
•The display includes statistics on the number of times each policy rule within the policy map has been executed.
|
Step 4
|
clear class-map control
Example:
Router# clear class-map control
|
Clears the control class map counters.
|
Step 5
|
clear policy-map control
Example:
Router# clear policy-map control
|
Clears the control policy map counters.
|
Configuration Examples for ISG Control Policies
This section contains the following examples of ISG control policies:
•Control Policy for Layer 2 Access and Service Provisioning: Example
•Control Policy for Restricting Access on the Basis of Interface and Access Media: Example
•Control Policy for ISG Prepaid Billing Support: Example
•Control Policies for Automatic Subscriber Login: Example
Control Policy for Layer 2 Access and Service Provisioning: Example
The following example shows how to configure a control policy that produces the following results:
•VPDN forwarding is applied to anyone dialing in from "example1.com".
•Access to locally terminated Layer 3 network resources is provided to anyone dialing in from "example2.com".
•Anyone else is barred.
! Configure the control class maps.
class-map type control match-all MY-FORWARDED-USERS
match unauthenticated-domain "example1.com"
class-map type control match-all MY-LOCAL-USERS
match unauthenticated-domain "example2.com"
! Configure the control policy map.
policy-map type control MY-POLICY
class type control MY-FORWARDED-USERS event session-start
1 service-policy type service identifier nas-port
class type control MY-LOCAL-USERS event session-start
class type control always event session-start
! Apply the control policy to dialer interface 1.
service-policy type control MY-POLICY
Control Policy for Restricting Access on the Basis of Interface and Access Media: Example
This example shows how to configure a control policy to allow access only to users who enter the router from a particular interface and access type. In this case, only PPPoE users will be allowed; everyone else is barred.
The first condition class map "MATCHING-USERS" evaluates true only if all of the lines within it also evaluate true; however, within "MATCHING-USERS" is a nested class map (second condition), "NOT-ATM". This nested class map represents a subcondition that must also evaluate to true. Note that the class map "NOT-ATM" specifies "match-none". This means that "NOT-ATM" evaluates to true only if every condition line within it evaluates to false.
The third condition specifies matching on the NAS port associated with this subscriber. Specifically, only subscribers that arrive on an Ethernet interface and on slot 3 will evaluate to true.
! Configure the control class maps.
class-map type control match-all MATCHING-USERS
class type control NOT-ATM
match nas-port type ether slot 3
class-map type control match-none NOT-ATM
If the conditions in the class map "MATCHING-USERS" evaluate to true, the first action to be executed is to authenticate the user. If authentication is successful, the service named "service1" will be downloaded and applied. Finally, a Layer 3 service is provided.
If "MATCHING-USERS" is not evaluated as true, the "always" class will apply, which results in barring anyone who does not match "MATCHING-USERS".
! Configure the control policy map.
policy-map type control my-pppoe-rule
class type control MATCHING-USERS event session-start
1 authenticate aaa list XYZ
2 service-policy type service service1
class type control always
! Apply the control policy to an interface.
service-policy type control my-pppoe-rule
Finally, the policy is associated with an interface.
Control Policy for ISG Prepaid Billing Support: Example
The following example shows a control policy configured to redirect subscriber packets to the server group "redirect-sg" when the credit-exhausted event occurs:
service-policy type control RULEA
policy-map type control RULEA
class type control always event credit-exhausted
1 service-policy type service redirectprofile
policy-map type service redirectprofile
class type traffic CLASS-ALL
redirect to group redirect-sg
policy-map type service mp3
class type traffic CLASS-ACL-101
authentication method-list cp-mlist
accounting method-list cp-mlist
subscriber feature prepaid conf-prepaid
method-list accounting ap-mlist
method-list authorization default
password cisco
Control Policies for Automatic Subscriber Login: Example
In the following example, if the client is from the a subnet, automatic subscriber login is applied and an authorization request is sent to the list TAL LIST with the subscriber's source IP address as the username. If the authorization request is successful, any automatic activation services specified in the returned user profile are activated for the session and the execution of rules within the control policy stops. If the authorization is not successful, the rule execution proceeds, and the subscriber is redirected to the policy server to log in. If the subscriber does not log in within five minutes, the session is disconnected.
service-policy type control RULEA
aaa authentication login TAL LIST group radius
aaa authentication login LOCAL local
access-list 100 permit ip any any
class-map type traffic match-any all-traffic
match access-group input 100
match access-group output 100
policy-map type service redirectprofile
class type traffic all-traffic
redirect to ip 10.0.0.148 port 8080
class-map type control match-all CONDA
match source-ip-address 209.165.201.1 255.255.255.0
class-map type control match-all CONDF
match authen-status unauthenticated
policy-map type control RULEA
class type control CONDA event session-start
1 authorize aaa list TAL_LIST password cisco identifier source-ip-address
2 apply aaa list LOCAL service redirectprofile
3 set-timer TIMERB 5 minutes
class type control CONDF event timed-policy-expiry
1 service disconnect
Additional References
The following sections provide references related to ISG control policies.
Related Documents
Standards
Standard
|
Title
|
No new or modified standards are supported by this feature.
|
—
|
MIBs
MIB
|
MIBs Link
|
No new or modified MIBs are supported by this feature.
|
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
|
RFCs
Technical Assistance
Description
|
Link
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
|
http://www.cisco.com/techsupport
|
Feature Information for ISG Control Policies
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(28)SB or later appear in the table.
If you are looking for information on a feature in this technology that is not documented here, see the "Intelligent Services Gateway Features Roadmap."
Not all commands may be available in your Cisco IOS software release. For details on when support for specific commands was introduced, see the command reference documents.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for ISG Control Policies
Feature Name
|
Releases
|
Feature Configuration Information
|
ISG: Policy Control: Policy: Domain Based (Autodomain, Proxy)
|
12.2(28)SB
12.2(33)SRC
|
ISG control policies manage the primary services and rules used to enforce particular contracts. These policies include programmable interfaces to dynamic triggers and conditional logic to be applied to flows within a session, or other characteristics of a session, upon meeting the policy criteria. Policies can be configured to interpret the domain as a request to activate the service associated with that domain name, allowing users to automatically receive services in accordance with the domain to which they are attempting to connect.
The following sections provide more information about this feature:
•Information About ISG Control Policies
•How to Configure an ISG Control Policy
In Cisco IOS Release 12.2(33)SRC, support was added for the Cisco 7600 router.
|
ISG: Policy Control: Policy: Triggers
|
12.2(28)SB
12.2(33)SRC
|
ISG control policies can be configured with time-based, volume-based, and duration-based policy triggers. Time-based triggers use an internal clock, allowing policies to be applied at specific times. Volume-based triggers are based on packet count; when the packet count reaches a specified value, the specified policy is applied. Duration-based triggers are based on an internal timer. Upon expiration of the timer, the specified policy is applied.
The following sections provide more information about this feature:
•Information About ISG Control Policies
•How to Configure an ISG Control Policy
In Cisco IOS Release 12.2(33)SRC, support was added for the Cisco 7600 router.
|
ISG: Policy Control: Multidimensional Identity per Session
|
12.2(28)SB
12.2(33)SRC
|
ISG control policies provide a flexible way to collect pieces of subscriber identity information during session establishment. Control policies also allow session policy to be applied iteratively as more elements of identity information become available to the system.
The following sections provide more information about this feature:
•Information About ISG Control Policies
•How to Configure an ISG Control Policy
In Cisco IOS Release 12.2(33)SRC, support was added for the Cisco 7600 router.
|
ISG: Policy Control: Cisco Policy Language
|
12.2(28)SB
12.2(33)SRC
|
ISG control policies are a structured replacement for feature-specific configuration commands and allow configurable functionality to be expressed in terms of an event, a condition, and an action. Control policies provide an intuitive and extensible framework, with a consistent set of CLI commands, for specifying system behavior.
The following sections provide more information about this feature:
•Information About ISG Control Policies
•How to Configure an ISG Control Policy
In Cisco IOS Release 12.2(33)SRC, support was added for the Cisco 7600 router.
|
ISG: Policy Control: Differentiated Initial Policy Control
|
12.2(33)SRE
12.2(33)XNE
|
This features provides the ability to distinguish RADIUS authentication rejects from RADIUS server unavailability. It allows minimal or temporary network access to the subscribers when the RADIUS servers are down or cannot be accessed because of network issues or when an authentication reject is received for a subscriber.
In Cisco IOS Release 12.2(33)XNE, support was added for the Cisco 10000 Series Routers.
The following sections provides more information about this feature:
•Information About ISG Control Policies
•How to Configure an ISG Control Policy
The following command was introduced or modified:
class type control
|
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006-2009 Cisco Systems, Inc. All rights reserved.
