Cisco IOS Intelligent Services Gateway Command Reference

match (radius-filter)

To configure a condition to check for filter match criteria, use the match command in RADIUS filter configuration mode. To remove filter match criteria, use the no form of this command.

match {attribute att-type-number | vendor-type ven-type-number [attribute att-type-number]}

no match {attribute att-type-number | vendor-type ven-type-number [attribute att-type-number]}

Syntax Description


attribute	Specifies the attribute that should be included in the filter.
`att-type-number`	Attribute type number. The range is from 1 to 256.
vendor-type	Specifies the vendor type that should be included in the filter.
`ven-type-number`	Vendor type number. The range is from 1 to 256.

Command Default

Filter match criteria are not configured.

Command Modes

RADIUS filter configuration (config-radius-filter)

Command History


Release	Modification
Cisco IOS XE Release 3.5S	This command was introduced.

Usage Guidelines

Use the match command to check for the attribute to be present in the packet. The vendor-type and ven-type-number keyword-argument pair specifies the attributes associated with a specific vendor. If no attribute is specified, the condition matches the filter for any attribute of the specific vendor:

Examples

The following example shows how to enter the RADIUS filter configuration mode and configure a match attribute and a vendor type.

Device(config)# radius filter match-all filter1
Device (config-radius-filter) match vendor-type 15 attribute 45

Related Commands


Command	Description
matchnot (radius-filter)	Configures a filter criterion for an unsuccessful match.
radius filter	Configures RADIUS packet filters.

match access-group (ISG)

To configure the match criteria for an Intelligent Services Gateway (ISG) traffic class map on the basis of the specified access control list (ACL), use the match access-group command in traffic class-map configuration mode. To remove the ACL from a class map, use the no form of this command.

match access-group {input | output} {access-list-number | name access-list-name}

no match access-group {input | output} {access-list-number | name access-list-name}

Syntax Description


input	Specifies match criteria for input traffic.
output	Specifies match criteria for output traffic.
`access-list-number`	A numbered ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to this class. Range is 1 to 2799.
name `access-list-name`	A named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to this class. The name can be a maximum of 40 alphanumeric characters

Command Default

No match criteria are configured.

Command Modes

Traffic class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match access-group command specifies a numbered or named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the class. Packets satisfying the match criteria for a class constitute the traffic for that class.

The ACL must be defined using the ip access-list command.

After a traffic class map has been defined, use the class type traffic command to associate the traffic class map with a service policy map. A service can contain one traffic class and the default class.

ISG traffic classes allow subscriber session traffic to be subclassified so that ISG features can be applied to constituent flows. Traffic policies, which define the handling of data packets, contain a traffic class and one or more features.

Examples

The following example shows a class map named “acl144” that is configured to use ACL 144 as the input match criterion for this class:


class-map type traffic match-any acl144 
 match access-group input 144

Related Commands


Command	Description
class-map type traffic	Creates or modifies a traffic class map, which is used for matching packets to a specified ISG traffic class.
class type traffic	Associates a traffic class map with a service policy map.
ip access-list	Defines an IP access list or object group access control list (OGACL).

match access-list

To specify packets for port-mapping by specifying an access list to compare against the subscriber traffic, use the destination access-list command in portbundle configuration mode. To remove this specification, use the no form of this command.

match access-list access-list-number

no match access-list access-list-number

Syntax Description


`access-list-number`	Integer from 100 to 199 that is the number or name of an extended access list.

Command Default

The Intelligent Services Gateway (ISG) port-maps all TCP traffic.

Command Modes

IP portbundle configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

You can use multiple entries of the match access-list command. The access lists are checked against the subscriber traffic in the order in which they are defined.

Examples

In the following example, the ISG will port-map packets that are permitted by access list 100:


ip portbundle
 match access-list 100
 source ip Ethernet0/0/0
!
.
.
.
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 host 10.13.6.100
access-list 100 deny   ip any any

Related Commands


Command	Description
ip portbundle (service)	Enables the ISG Port-Bundle Host Key feature for a service.
show ip portbundle ip	Displays information about a particular ISG port bundle.
show ip portbundle status	Displays information about ISG port-bundle groups.

match authen-status

To create a condition that will evaluate true if a subscriber’s authentication status matches the specified authentication status, use the match authen-status command in control class-map configuration mode. To remove the condition, use the no form of this command.

match authen-status {authenticated | unauthenticated}

no match authen-status {authenticated | unauthenticated}

Syntax Description


authenticated	Subscriber has been authenticated.
unauthenticated	Subscriber has not been authenticated.

Command Default

A condition that will evaluate true if a subscriber’s authentication status matches the specified authentication status is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match authen-status command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.


class-map type type control match-all CONDA
 match authen-status unauthenticated
 match timer TIMERA
     
policy-map type control RULEA
 class type control always event session-start     
  1 set-timer TIMERA 1 [minutes]
!
class type control CONDA event timed-policy-expiry
 1 service disconnect

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match authenticated-domain

To create a condition that will evaluate true if a subscriber’s authenticated domain matches the specified domain, use the match authenticated-domain command in control class-map configuration mode. To remove the condition, use the no form of this command.

match authenticated-domain {domain-name | regexp regular-expression}

no match authenticated-domain

Syntax Description


`domain-name`	Domain name.
regexp `regular-expression`	Regular expression to be matched against subscriber’s authenticated domain name.

Command Default

A condition that will evaluate true if a subscriber’s authenticated domain matches the specified domain is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match authenticated-domain command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example creates a control class map that will evaluate true if a subscriber’s domain matches the regular expression “.*com”.


class-map type control match-all MY-CONDITION1
 match authenticated-domain regexp ".*com"

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match authenticated-username

To create a condition that will evaluate true if a subscriber’s authenticated username matches the specified username, use the match authenticated-username command in control class-map configuration mode. To remove the condition, use the no form of this command.

match authenticated-username {username | regexp regular-expression}

no match authenticated-username {username | regexp regular-expression}

Syntax Description


`username`	Username
regexp `regular-expression`	Matches the regular expression against the subscriber’s authenticated username.

Command Default

A condition is not created.

Command Modes

Control class-map configuration (config-control-classmap)

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match authenticated-username command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which evaluates to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true for the class as a whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates “class3” with the control policy map called “rule4”.


class-map type control match-all class3
   match authenticated-username regexp "user@.*com" 
   match authenticated-domain regexp ".*com" 
! 
policy-map type control rule4
  class type control class3 event session-start
   1 authorize identifier authenticated-username

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match dnis

To create a condition that will evaluate true if a subscriber’s Dialed Number Identification Service number (DNIS number, also referred to as called-party number ) matches the specified DNIS, use the match dnis command in control class-map configuration mode. To remove the condition, use the no form of this command.

match dnis {dnis | regexp regular-expression}

no match dnis {dnis | regexp regular-expression}

Syntax Description


`dnis`	DNIS number.
regexp `regular-expression`	Matches the regular expression against the subscriber’s DNIS number.

Command Default

A condition that will evaluate true if a subscriber’s DNIS number matches the specified DNIS is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match dnis command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates “class3” with the control policy map called “rule4”.


class-map type control match-all class3
   match dnis reg-exp 5550100 
! 
policy-map type control rule4
  class type control class3 event session-start
   1 authorize identifier dnis!

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match media

To create a condition that will evaluate true if a subscriber’s access media type matches the specified media type, use the match media command in control class-map configuration mode. To remove the condition, use the no form of this command.

match media {async | atm | ether | ip | isdn | mpls | serial}

no match media {async | atm | ether | ip | isdn | mpls | serial}

Syntax Description


async	Asynchronous media.
atm	ATM.
ether	Ethernet.
ip	IP.
isdn	ISDN.
mpls	Multiprotocol Label Switching (MPLS).
serial	Serial.

Command Default

A condition that will evaluate true if a subscriber’s access media type matches the specified media type is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match media command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example configures a control class map that evaluates true for subscribers that enter the router through Ethernet interface slot 3.


class-map type control match-all MATCHING-USERS
 match media ether
 match nas-port type ether slot 3

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match mlp-negotiated

To create a condition that will evaluate true depending on whether or not a subscriber’s session was established using multilink PPP negotiation, use the match mlp-negotiated command in control class-map configuration mode. To remove the condition, use the no form of this command.

match mlp-negotiated {no | yes}

no match mlp-negotiated {no | yes}

Syntax Description


no	The subscriber’s session was not multilink PPP negotiated.
yes	The subscriber’s session was multilink PPP negotiated.

Command Default

A condition is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match mlp-negotiated command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map configured with the match mlp-negotiated command:


class-map type control match-all class3
   match mlp-negotiated yes
 !
 policy-map type control rule4
  class type control class3 event session-start
   1 authorize authenticated-username

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match nas-port

To create a condition that will evaluate true if a subscriber’s network access server (NAS) port identifier matches the specified value, use the match nas-port command in control class-map configuration mode. To remove the condition, use the no form of this command.

match nas-port {adapter adapter-number | channel channel-number | circuit-id name | ipaddr ip-address | port port-number | remote-id name | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

no match nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

Syntax Description


adapter `adapter-number`	Interface adapter number.
channel `channel-number`	Interface channel number.
circuit-id `name`	Circuit ID
ipaddr `ip-address`	IP address.
port `port-number`	Port number.
remote-id `name`	Remote ID.
shelf `shelf-number`	Interface shelf number.
slot `slot-number`	Slot number.
sub-interface `sub-interface-number`	Subinterface number.
type `interface-type`	Interface type.
vci `vci-number`	Virtual channel identifier.
vlan `vlan-id`	VLAN ID.
vpi `vpi-number`	Virtual path identifier.

Command Default

A condition that will evaluate true if a subscriber’s NAS port identifier matches the specified value is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match nas-port command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example configures a control class map that evaluates true on PPPoE subscribers that enter the router through Ethernet interface slot 3.


class-map type control match-all MATCHING-USERS
 class type control name NOT-ATM
 match media ether
 match nas-port type ether slot 3

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match no-username

To create a condition that will evaluate true if a subscriber’s username is available, use the match no-username command in control class-map configuration mode. To remove the condition, use the no form of this command.

match no-username {no | yes}

no match no-username {no | yes}

Syntax Description


no	The subscriber’s username is available.
yes	The subscriber’s username is not available.

Command Default

A condition that will evaluate true if a subscriber’s username is available is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match no-username command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map configured with the match no-username command:


class-map type control match-all class3
   match no-username yes
 !
 policy-map type control rule4
  class type control class3 event session-start
   1 service local

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match protocol (ISG)

To create a condition that will evaluate true if a subscriber’s access protocol type matches the specified protocol type, use the match protocol command in control class-map configuration mode. To remove the condition, use the no form of this command.

match protocol {atom | ip | pdsn | ppp | vpdn}

no match protocol {atom | ip | pdsn | ppp | vpdn}

Syntax Description


atom	Any Transport over MPLS (AToM).
ip	IP.
pdsn	Packet Data Serving Node (PDSN).
ppp	Point-to-Point Protocol (PPP).
vpdn	Virtual Private Dialup Network (VPDN).

Command Default

A condition that will evaluate true if a subscriber’s access protocol type matches the specified protocol type is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match protocol command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example creates a control class map that evaluates true if subscribers arrive from a VPDN tunnel:


 class-map type control match-any MY-CONDITION
  match protocol vpdn

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match service-name

To create a condition that will evaluate true if the service name associated with a subscriber matches the specified service name, use the match service-name command in control class-map configuration mode. To remove the condition, use the no form of this command.

match service-name {service-name | regexp regular-expression}

no service-name {service-name | regexp regular-expression}

Syntax Description


`service-name`	Service name.
regexp `regular-expression`	Regular expression to be matched against subscriber’s service name.

Command Default

A condition that will evaluate true if the service name associated with a subscriber matches the specified service name is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match service-name command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example configures ISG to authenticate subscribers associated with the service before downloading the service:


aaa authentication login AUTHEN local
aaa authorization network SERVICE group radius
!
class-map type control match-any MY-CONDITION2
 match service-name "gold"
 match service-name "bronze"
 match service-name "silver"
!
policy-map type control MY-RULE2
 class type control MY-CONDITION2 event service-start
  1 authenticate aaa list AUTHEN
  2 service-policy type service aaa list SERVICE identifier service-name
!
service-policy type control MY-RULE2

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match source-ip-address

To create a condition that will evaluate true if a subscriber’s source IP address matches the specified IP address, use the match source-ip-address command in control class-map configuration mode. To remove the condition, use the no form of this command.

match source-ip-address ip-address subnet-mask

no match source-ip-address ip-address subnet-mask

Syntax Description


`ip-address`	IP address.
`subnet-mask`	Subnet mask.

Command Default

A condition that will evaluate true if a subscriber’s source IP address matches the specified IP address is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match source-ip-address command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates “class3” with the control policy map called “rule4”.


class-map type control match-all class3
 match source-ip-address 10.0.0.0 255.255.255.0 
!
policy-map type control rule4
 class type control class3 event session-start
  1 authorize identifier source-ip-address
!

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match timer

To create a condition that will evaluate true when the specified timer expires, use the match timer command in control class-map configuration mode. To remove the condition, use the no form of this command.

match timer {timer-name | regexp regular-expression}

no match timer {timer-name | regexp regular-expression}

Syntax Description


`timer-name`	Name of the policy timer.
regexp regular-expression	Regular expression to be matched against the timer name.

Command Default

A condition that will evaluate true when the specified timer expires is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match timer command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows the configuration of a policy timer that starts at session start for unauthenticated subscribers. When the timer expires, the session is disconnected.


class-map type control match-all CONDA
 match authen-status unauthenticated
 match timer TIMERA
     
policy-map type control RULEA
 class type control always event session-start     
  1 set-timer TIMERA 1
!
class type control CONDA event timed-policy-expiry
 1 service disconnect

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match tunnel-name

To create a condition that will evaluate true if a subscriber’s Virtual Private Dialup Network (VPDN) tunnel name matches the specified tunnel name, use the match tunnel-name command in control class-map configuration mode. To remove the condition, use the no form of this command.

match tunnel-name {tunnel-name | regexp regular-expression}

no match tunnel-name {tunnel-name | regexp regular-expression}

Syntax Description


`tunnel-name`	VPDN tunnel name.
regexp `regular-expression`	Regular expression to be matched against the subscriber’s tunnel name.

Command Default

A condition that will evaluate true if a subscriber’s VPDN tunnel name matches the specified tunnel name is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match tunnel-name command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates “class3” with the control policy map called “rule4”.


class-map type control match-all class3
  match tunnel-name LAC
!
policy-map type control rule4
 class type control class3 event session-start
  1 authorize identifier tunnel-name
!

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match unauthenticated-domain

To create a condition that will evaluate true if a subscriber’s unauthenticated domain name matches the specified domain name, use the match unauthenticated-domain command in control class-map configuration mode. To remove the condition, use the no form of this command.

match unauthenticated-domain {domain-name | regexp regular-expression}

no match unauthenticated-domain {domain-name | regexp regular-expression}

Syntax Description


`domain-name`	Domain name.
regexp `regular-expression`	Regular expression to be matched against subscriber’s domain name.

Command Default

A condition that will evaluate true if a subscriber’s unauthenticated domain name matches the specified domain name is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match unauthenticated-domain command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example configures a control class map that evaluates true for subscribers with the unauthenticated domain “abc.com”:


class-map type control match-all MY-FORWARDED-USERS        
 match unauthenticated-domain "xyz.com"

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match unauthenticated-username

To create a condition that will evaluate true if a subscriber’s unauthenticated username matches the specified username, use the match unauthenticated-username command in control class-map configuration mode. To remove the condition, use the no form of this command.

match unauthenticated-username {username | regexp regular-expression}

no match unauthenticated-username {username | regexp regular-expression}

Syntax Description


`username`	Username.
regexp `regular-expression`	Regular expression to be matched against the subscriber’s username.

Command Default

A condition that will evaluate true if a subscriber’s unauthenticated username matches the specified username is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The match unauthenticated-username command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called “class3” configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates “class3” with the control policy map called “rule4”.


class-map type control match-all class3
   match identifier unauthenticated-username regexp "user@.*com" 
! 
policy-map type control rule4
  class type control class3 event session-start
   1 authorize identifier unauthenticated-username!

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

match vrf

To create a condition that evaluates true if a subscriber’s VPN routing and forwarding instance (VRF) matches the specified VRF, use the match vrf command in control class-map configuration mode. To remove this condition, use the no form of this command.

match vrf {vrf-name | regexp regular-expression}

no match vrf {vrf-name | regexp regular-expression}

Syntax Description


`vrf-name`	Name of the VRF.
regexp `regular-expression`	Regular expression to be matched against the subscriber’s VRF.

Command Default

A condition that will evaluate true if a subscriber’s VRF matches the specified VRF is not created.

Command Modes

Control class-map configuration

Command History


Release	Modification
12.2(31)SB2	This command was introduced.

Usage Guidelines

The match vrf command is used to configure a condition within an Intelligent Services Gateway (ISG) control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example configures a policy that will be applied to subscribers who belong to the VRF “FIRST”.


class-map type control TEST
 match vrf FIRST
policy-map type control GLOBAL
 class type control TEST event session-start
  1 service-policy type service name FIRST-SERVICE

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.

matchnot (radius-filter)

To configure a condition to check for a filter criteria that do not match, use the matchnot command in RADIUS filter configuration mode. To remove a filter match criteria for an unsuccessful match, use the no form of this command.

matchnot {attribute att-type-number | vendor-type ven-type-number [attribute att-type-number]}

no matchnot {attribute att-type-number | vendor-type ven-type-number [attribute att-type-number]}

Syntax Description


attribute	Specifies the attribute that should be included in the filter.
`att-type-number`	Attribute type number. The range is from 1 to 256.
vendor-type	Specifies the vendor type that should be included in the filter.
`ven-type-number`	Vendor type number. The range is from 1 to 256.

Command Default

Filter criteria for an unsuccessful match is not configured.

Command Modes

RADIUS filter configuration (config-radius-filter)

Command History


Release	Modification
Cisco IOS XE Release 3.5S	This command was introduced.

Usage Guidelines

Use the matchnot command to check whether an attribute is absent from the packet. The vendor-type and ven-type-number keyword/argument pair specifies the attribute that is associated with a specific vendor. If no attribute option is specified, the condition matches the filter for any attribute of the specific vendor.

Examples

The following example shows how to enter the RADIUS filter configuration mode and configure a match attribute and a vendor type.

Device(config)# radius filter match-all filter1
Device(config-radius-filter)# matchnot vendor-type 15 attribute 45

Related Commands


Command	Description
match (radius-filter)	Configures a condition to check for a filter match criteria.
radius filter	Configures RADIUS packet filters.

message-authenticator ignore

To disable message-authenticator validation of packets from RADIUS clients, use the message-authenticator ignore command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To reenable message-authenticator validation, use the no form of this command.

message-authenticator ignore

no message-authenticator ignore

Syntax Description

This command has no arguments or keywords.

Command Default

Message-authenticator validation is performed.

Command Modes

RADIUS proxy server configuration
RADIUS proxy client configuration

Command History


Release	Modification
12.2(31)SB2	This command was introduced.

Usage Guidelines

Use the message-authenticator ignore command when validation of the source of RADIUS packets is not required or in situations in which a RADIUS client is not capable of filling the message-authenticator field in the RADIUS packet.

Examples

The following example disables message-authenticator validation:


aaa server radius proxy 
 message-authenticator ignore

Related Commands


Command	Description
aaa server radius proxy	Enables ISG RADIUS proxy configuration mode, in which ISG RADIUS proxy parameters can be configured.

method-list

To specify the authentication, authorization, and accounting (AAA) method list to which the Intelligent Services Gateway (ISG) will send prepaid accounting updates or prepaid authorization requests, use the method-list command in ISG prepaid configuration mode. To reset to the default value, use the no form of this command.

method-list {accounting | authorization} name-of-method-list

no method-list {accounting | authorization} name-of-method-list

Syntax Description


accounting	Specifies the AAA method list for ISG prepaid accounting.
authorization	Specifies the AAA method list for ISG prepaid authorization.
`name-of-method-list`	Name of the AAA method list to which ISG will send accounting updates or authorization requests.

Command Default

A method list is not specified.

Command Modes

Prepaid configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The AAA method list that is specified by the method-list command must be configured by using the aaa accounting command. See the Cisco IOS Security Configuration Guide for information about configuring AAA method lists, server groups, and servers.

Examples

The following example shows an ISG prepaid feature configuration in which a method list called “ap-mlist” is specified for prepaid accounting and the default method list is specified for prepaid authorization:


subscriber feature prepaid conf-prepaid
 interim-interval 5
 threshold time 20
 threshold volume 0
 method-list accounting ap-mlist
 method-list authorization default
 password cisco

Related Commands


Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.
prepaid config	Enables prepaid billing for an ISG service and references a configuration of prepaid billing parameters.
subscriber feature prepaid	Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile

monitor event-trace subscriber

To collect event trace logs in a pre-configured file, use the monitor event-trace subscriber dump-file bootflash:isg_dump_file.txt command in global configuration mode. ISG event traces are enabled to capture the trace logs by default.

monitor event-trace subscriber dump-file bootflash:isg_dump_file.txt

Syntax Description


`dump-file_name`	Specifies the file name where the traces have to be collected.

Command Default

ISG event traces are enabled to collect logs.

Command Modes

Global configuration mode

Command History


Release	Modification
16.9.1	This command was introduced.

Examples

The following example shows how to collect the event trace logs in a text file:

Device #
Device# configure  terminal
Device(config)# monitor event-trace subscriber dump-file bootflash:isg_dump_file.txt”

passthru downstream ipv6

To allow IPv6 downstream traffic from an Intelligent Services Gateway (ISG) interface to pass through to a subscriber without an established subscriber session, use the passthru downstream ipv6 command in IP subscriber configuration mode. To prevent downstream traffic from passing through without a subscriber session, use the no form of this command.

passthru downstream ipv6

Syntax Description

This command has no arguments or keywords.

Command Default

Downstream IPv6 traffic cannot pass through without a subscriber session.

Command Modes

IP subscriber configuration (config-subscriber)

Command History


Release	Modification
Cisco IOS XE Release 3.6S	This command was introduced.

Usage Guidelines

The passthru downstream ipv6 command enables pass through of IPv6 downstream traffic if an IPv6-specific initiator is configured with the initiator unclassified ip-address or initiator unclassified ip-address ipv6 command.

This command enables subscribers to receive services, such as support and security updates, even if a subscriber session is not present.

If an IPv4-specific initiator is configured on the interface with the initiator unclassified ip-address ipv4 command, IPv6 downstream traffic is allowed without the pass through feature but IPv4 downstream traffic is blocked.

Examples

The following example shows that Ethernet interface 0/0 has been configured to allow IPv6 downstream traffic to be forwarded to subscribers even if a subscriber session is not present.


interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:DB8::1/64
 ipv6 enable
 no cdp enable
 service-policy type control my-policy2
 ip subscriber routed
  initiator unclassified ip-address
  passthru downstream ipv6

Related Commands


Command	Description
initiator	Enables ISG to create an IP subscriber session upon receipt of a specified type of packet.

password (ISG)

To specify the password that the Intelligent Services Gateway (ISG) will use in authorization and reauthorization requests, use the password command in prepaid configuration mode. To reset the password to the default, use the no form of this command.

password password

no password password

Syntax Description


`password`	Password that the ISG will use in authorization and reauthorization requests. The default password is cisco.

Command Default

ISG uses the default password (cisco).

Command Modes

Prepaid configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Examples

The following example shows an ISG prepaid feature configuration in which the password is “pword” :


subscriber feature prepaid conf-prepaid
 interim-interval 5
 threshold time 20
 threshold volume 0
 method-list accounting ap-mlist
 method-list authorization default
 password pword

Related Commands


Command	Description
prepaid config	Enables prepaid billing for an ISG service and references a configuration of prepaid billing parameters.
subscriber feature prepaid	Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile.

police (ISG)

To configure Intelligent Services Gateway (ISG) policing, use the police command in service policy-map class configuration mode. To disable upstream policing, use the no form of this command.

police {input | output} committed-rate [normal-burst excess-burst]

no police {input | output} committed-rate [normal-burst excess-burst]

Syntax Description


input	Specifies policing of upstream traffic, which is traffic flowing from the subscriber toward the network.
output	Specifies policing of upstream traffic, which is traffic flowing from the network toward the subscriber.
`committed-rate`	Amount of bandwidth, in bits per second, to which a subscriber is entitled. Range is from 8000 to 128000000000 (or 128 Gbps).
`normal-burst`	(Optional) Normal burst size, in bytes. Range is from 1000 to 2000000000 (2 Gb). If the normal burst size is not specified, it is calculated from the committed rate using the following formula: Normal burst = 1.5 * committed rate (scaled and converted to byte per msec)
`excess-burst`	(Optional) Excess burst size, in bytes. Range is from 1000 to 2000000000 (2 Gb). If the excess burst is not specified, it is calculated from the normal burst value using the following formula: Excess burst = 2 * normal burst

Command Default

ISG policing is not enabled.

Command Modes

Service policy-map class configuration (config-service-policymap)

Command History


Release	Modification
12.2(28)SB	This command was introduced.
15.0(1)SY	This command was modified. The maximum value for the `committed-rate` , `normal-burst` and `excess-burst` arguments was increased.

Usage Guidelines

ISG policing supports policing of upstream and downstream traffic and can be applied to a session or a flow.

Session-based policing applies to the aggregate of subscriber traffic for a session.

Session-based policing parameters can be configured on a AAA server in either a user profile or a service profile that does not specify a traffic class. It can also be configured on the router in a service policy map by using the police command. Session-based policing parameters that are configured in a user profile take precedence over session-based policing parameters configured in a service profile or service policy map.

Flow-based policing applies only to the destination-based traffic flows that are specified by a traffic class.

Flow-based policing can be configured on a AAA server in a service profile that specifies a traffic class. It can also be configured on the router under a traffic class in a service policy map by using the police command. Flow-based policing and session-based policing can coexist and operate simultaneously on subscriber traffic.

Examples

The following example shows the configuration of flow-based ISG policing in a service policy map:


class-map type traffic match-any C3
 match access-group in 103
 match access-group out 203 
policy-map type service P3
 class type traffic C3
  police input 20000 30000 60000
  police output 21000 31500 63000

Related Commands


Command	Description
class type traffic	Associates a previously configured traffic class to a service policy map.
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG service.

policy-map

To enter policy-map configuration mode and create or modify a policy map that can be attached to one or more interfaces to specify a service policy, use the policy-map command in global configuration mode. To delete a policy map, use the no form of this command.

Supported Platforms Other Than Cisco 10000 and Cisco 7600 Series Routers

policy-map [type {stack | access-control | port-filter | queue-threshold | logging log-policy}] policy-map-name

no policy-map [type {stack | access-control | port-filter | queue-threshold | logging log-policy}] policy-map-name

Cisco 10000 Series Router

policy-map [type {control | service}] policy-map-name

no policy-map [type {control | service}] policy-map-name

Cisco CMTS and 7600 Series Router

policy-map [type {class-routing ipv4 unicast unicast-name | control control-name | service service-name}] policy-map-name

no policy-map [type {class-routing ipv4 unicast unicast-name | control control-name | service service-name}] policy-map-name

Syntax Description


type	(Optional) Specifies the policy-map type.
stack	(Optional) Determines the exact pattern to look for in the protocol stack of interest.
access-control	(Optional) Enables the policy map for the flexible packet matching feature.
port-filter	(Optional) Enables the policy map for the port-filter feature.
queue-threshold	(Optional) Enables the policy map for the queue-threshold feature.
logging	(Optional) Enables the policy map for the control-plane packet logging feature.
`log-policy`	(Optional) Type of log policy for control-plane logging.
`policy-map-name`	Name of the policy map.
control	(Optional) Creates a control policy map.
`control-name`	Name of the control policy map.
service	(Optional) Creates a service policy map.
`service-name`	Name of the policy-map service.
class-routing	Configures the class-routing policy map.
ipv4	Configures the class-routing IPv4 policy map.
unicast	Configures the class-routing IPv4 unicast policy map.
`unicast-name`	Unicast policy-map name.

Command Default

The policy map is not configured.

Command Modes

Global configuration (config)

Command History


Release	Modification
12.0(5)T	This command was introduced.
12.4(4)T	This command was modified. The type andaccess-control keywords were added to support flexible packet matching. The port-filter and queue-threshold keywords were added to support control-plane protection.
12.4(6)T	This command was modified. The logging keyword was added to support control-plane packet logging.
12.2(31)SB	This command was modified. The control and service keywords were added to support the Cisco 10000 series router.
12.2(18)ZY	This command was modified. The type andaccess-control keywords were integrated into Cisco IOS Release 12.2(18)ZY on the Catalyst 6500 series switch that is equipped with the Supervisor 32/programmable intelligent services accelerator (PISA) engine. The command was modified to enhance the Network-Based Application Recognition (NBAR) functionality on the Catalyst 6500 series switch that is equipped with the Supervisor 32/PISA engine.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2(33)SRC	This command was modified. Support for this command was implemented on Cisco 7600 series routers.
Cisco IOS XE Release 2.1	This command was integrated into Cisco IOS XE Release 2.1 and implemented on Cisco ASR 1000 series routers.
12.2(33)SCF	This command was integrated into Cisco IOS Release 12.2(33)SCF.

Usage Guidelines

Use the policy-map command to specify the name of the policy map to be created, added, or modified before you configure policies for classes whose match criteria are defined in a class map. The policy-map command enters policy-map configuration mode, in which you can configure or modify the class policies for a policy map.

You can configure class policies in a policy map only if the classes have match criteria defined for them. Use the class-map and match commands to configure match criteria for a class. Because you can configure a maximum of 64 class maps, a policy map cannot contain more than 64 class policies, except as noted for quality of service (QoS) class maps on Cisco 7600 systems.

Note

For QoS class maps on Cisco 7600 series routers, the limits are 1024 class maps and 256 classes in a policy map.

A policy map containing ATM set cell loss priority (CLP) bit QoS cannot be attached to PPP over X (PPPoX) sessions. The policy map is accepted only if you do not specify the set atm-clp command.

A single policy map can be attached to more than one interface concurrently. Except as noted, when you attempt to attach a policy map to an interface, the attempt is denied if the available bandwidth on the interface cannot accommodate the total bandwidth requested by class policies that make up the policy map. In such cases, if the policy map is already attached to other interfaces, the map is removed from those interfaces.

Note

This limitation does not apply on Cisco 7600 series routers that have session initiation protocol (SIP)-400 access-facing line cards.

Whenever you modify a class policy in an attached policy map, class-based weighted fair queuing (CBWFQ) is notified and the new classes are installed as part of the policy map in the CBWFQ system.

Note

Policy-map installation via subscriber-profile is not supported. If you configure an unsupported policy map and there are a large number of sessions, an equally large number of messages print on the console. For example, if there are 32,000 sessions, then 32,000 messages print on the console at 9,600 baud.

Class Queues (Cisco 10000 Series Routers Only)

The Performance Routing Engine (PRE)2 allows you to configure 31 class queues in a policy map.

In a policy map, the PRE3 allows you to configure one priority level 1 queue, one priority level 2 queue, 12 class queues, and one default queue.

Control Policies (Cisco 10000 Series Routers Only)

Control policies define the actions that your system will take in response to the specified events and conditions.

A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions are executed.

There are three steps involved in defining a control policy:

Using the class-map type control command, create one or more control class maps.
Using the policy-map type control command, create a control policy map.

A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.

Using the service-policy type control command, apply the control policy map to a context.

Service Policies (Cisco 10000 Series Routers Only)

Service policy maps and service profiles contain a collection of traffic policies and other functions. Traffic policies determine which function is applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, which is a specific type of traffic policy that determines how session data packets will be forwarded to the network.

Policy Map Restrictions (Catalyst 6500 Series Switches Only)

Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. This release and platform has the following restrictions for using policy maps and match commands:

You cannot modify an existing policy map if the policy map is attached to an interface. To modify the policy map, remove the policy map from the interface by using the no form of the service-policy command.
Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. You can create as many traffic classes as needed. However, the following restrictions apply:
- A single traffic class can be configured to match a maximum of 8 protocols or applications.
- Multiple traffic classes can be configured to match a cumulative maximum of 95 protocols or applications.

Examples

The following example shows how to create a policy map called “policy1” and configure two class policies included in that policy map. The class policy called “class1” specifies a policy for traffic that matches access control list (ACL) 136. The second class is the default class to which packets that do not satisfy the configured match criteria are directed.


! The following commands create class-map class1 and define its match criteria:
class-map class1
 match access-group 136
! The following commands create the policy map, which is defined to contain policy
! specification for class1 and the default class:
policy-map policy1
class class1
 bandwidth 2000
 queue-limit 40
class class-default
 fair-queue 16
 queue-limit 20

The following example shows how to create a policy map called “policy9” and configure three class policies to belong to that map. Of these classes, two specify the policy for classes with class maps that specify match criteria based on either a numbered ACL or an interface name, and one specifies a policy for the default class called “class-default” to which packets that do not satisfy the configured match criteria are directed.


policy-map policy9
 
class acl136
 bandwidth 2000
 queue-limit 40
 
class ethernet101
 bandwidth 3000
 random-detect exponential-weighting-constant 10
class class-default
 fair-queue 10
 queue-limit 20

The following is an example of a modular QoS command-line interface (MQC) policy map configured to initiate the QoS service at the start of a session.


Router> enable
Router# configure terminal
Router(config)# policy-map type control TEST
Router(config-control-policymap)# class type control always event session-start
Router(config-control-policymap-class-control)# 1
 service-policy type service name QoS_Service
Router(config-control-policymap-class-control)# end

Examples

The following example shows the configuration of a control policy map named “rule4”. Control policy map rule4 contains one policy rule, which is the association of the control class named “class3” with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.


class-map type control match-all class3
 match vlan 400 
 match access-type pppoe
 match domain cisco.com
 available nas-port-id
!
policy-map type control rule4
 class type control class3
  authorize nas-port-id
!
service-policy type control rule4

The following example shows the configuration of a service policy map named “redirect-profile”:


policy-map type service redirect-profile
 class type traffic CLASS-ALL
  redirect to group redirect-sg

Examples

The following example shows how to define a policy map for the 802.1p domain:

enable
configure terminal
 policy-map cos7
  class cos7
  set cos 2
  end

The following example shows how to define a policy map for the MPLS domain:

enable
configure terminal
 policy-map exp7
  class exp7
  set mpls experimental topmost 2
  end

Related Commands


Command	Description
bandwidth (policy-map class)	Specifies or modifies the bandwidth allocated for a class belonging to a policy map.
class (policy-map)	Specifies the name of the class whose policy you want to create or change, and its default class before you configure its policy.
class class-default	Specifies the default class whose bandwidth is to be configured or modified.
class-map	Creates a class map to be used for matching packets to a specified class.
fair-queue (class-default)	Specifies the number of dynamic queues to be reserved for use by the class-default class as part of the default class policy.
match access-group	Configures the match criteria for a class map on the basis of the specified ACL.
queue-limit	Specifies or modifies the maximum number of packets that the queue can hold for a class policy configured in a policy map.
random-detect (interface)	Enables WRED or DWRED.
random-detect exponential-weighting-constant	Configures the WRED and DWRED exponential weight factor for the average queue size calculation.
random-detectservice-policy precedence	Configures WRED and DWRED parameters for a particular IP precedence.
service-policy	Attaches a policy map to an input interface or VC or an output interface or VC to be used as the service policy for that interface or VC.
set atm-clp precedence	Sets the ATM CLP bit when a policy map is configured.

policy-map type control

To create or modify a control policy map, which defines an Intelligent Services Gateway (ISG) control policy, use the policy-map type control command in global configuration mode. To delete the control policy map, use the no form of this command.

policy-map type control tag policy-map-name

no policy-map type control tag policy-map-name

Syntax Description


tag	Network Admission Control (NAC) specific policy type.
`policy-map-name`	Name of the control policy map.

Command Default

A control policy map is not created.

Command Modes

Global configuration (config)

Command History


Release	Modification
12.2(28)SB	This command was introduced.
12.2(33)SXI	This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SXI.
Cisco IOS XE 2.3	This command was integrated into a release earlier than Cisco IOS XE Release 2.3.
15.0(1)M	This command was modified in a release earlier than 15.0(1)M. The tag keyword and `policy-map-name` argument were added.

Usage Guidelines

Control policies define the actions that your system will take in response to specified events and conditions.

A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed.

There are three steps involved in defining a control policy:

Create one or more control class, maps by using the class-map type control command.
Create a control policy, map by using the policy-map type control command.

A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.

Apply the control policy map to a context by using the service-policy type control command.

Examples

The following example shows the configuration of a control policy map called “rule4.” Control policy map “rule4” contains one policy rule, which is the association of the control class “class3” with the action to authorize subscribers using the network access server (NAS) port ID. The service-policy type control command is used to apply the control policy map globally.


class-map type control match-all class3
 match access-type pppoe
 match domain cisco.com
 available nas-port-id
!
policy-map type control tag rule4
 class type control class3
  authorize nas-port-id
!
service-policy type control rule4

Related Commands


Command	Description
class-map type control	Creates an ISG control class map.
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
service-policy type control	Applies a control policy to a context.

policy-map type service

To create or modify a service policy map, which is used to define an Intelligent Services Gateway (ISG) subscriber service, use the policy-map type service command in global configuration mode. To delete a service policy map, use the no form of this command.

policy-map type service policy-map-name

no policy-map type service

Syntax Description


`policy-map-name`	Name of the service policy map.

Command Default

A service policy map is not created.

Command Modes

Global configuration (config)

Command History


Release	Modification
12.2(28)SB	This command was introduced.
Cisco IOS XE Release 2.4	This command was integrated into Cisco IOS Release XE 2.4.

Usage Guidelines

Use the policy-map type service command to create or modify an ISG service policy map. Service policy maps define ISG subscriber services.

An ISG service is a collection of policies that may be applied to a subscriber session. Services can be defined in service policy maps and service profiles. Service policy maps and service profiles serve the same purpose; the only difference between them is that a service policy map is defined on the local device using the policy-map type service command, and a service profile is configured on an external device, such as an authentication, authorization, and accounting (AAA) server.

Service policy maps and service profiles contain a collection of traffic policies and other functionality. Traffic policies determine which functionality will be applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, a specific type of traffic policy that determines how session data packets will be forwarded to the network.

Examples

The following example shows how to create a service policy map called redirect-profile:


policy-map type service redirect-profile
 class type traffic CLASS-ALL
  redirect to group redirect-sg

Related Commands


Command	Description
class type traffic	Specifies a named traffic class whose policy you want to create or change or specifies the default traffic class in order to configure its policy.
policy-map type service	Displays the contents of all service policy maps.

policy-name

To configure a subscriber policy name, use the policy-name command in service policy map configuration mode. To remove a subscriber policy name, use the no form of this command.

policy-name policy

no policy-name policy

Syntax Description


`policy`	Name of policy configured on the Service Control Engine (SCE) device.

Command Default

The default policy is used for all subscribers.

Command Modes

Service policy map configuration (config-service-policymap)

Command History


Release	Modification
12.2(33)SRC	This command was introduced.
12.2(33)SB	This command was integrated into Cisco IOS Release 12.2(33)SB.

Usage Guidelines

The policy-name command is used with the policy-map type service command and must be configured together with the sg-service-type external-policy command. The policy name configured on the Intelligent Services Gateway (ISG) device must be the name of an existing policy that has already been configured on the SCE device.

Examples

The following example shows how to configure the subscriber policy name “SCE-SERVICE”.


Router(config)# policy-map type service SCE-SERVICE
Router(config-service-policymap)# sg-service-type external-policy
Router(config-service-policymap)# policy-name GOLD

Related Commands


Command	Description
sg-service-type external-policy	Identifies a service as an external policy.

policy-peer

To configure a subscriber policy peer connection, use the policy-peer command in global configuration mode. To remove a subscriber policy peer connection, use the no form of this command.

policy-peer [address ip-address] keepalive seconds

no policy-peer [address ip-address] keepalive seconds

Syntax Description


address	(Optional) Configures the IP address of the peer that is to be connected.
`ip-address`	Specifies the IP address of the peer to be connected.
keepalive	Configures the keepalive value to be used to monitor the peering relationship.
`seconds`	Keepalive value, in seconds. Range: 5 to 3600. Default: 0.

Command Modes

Global configuration (config)

Command History


Release	Modification
12.2(33)SRC	This command was introduced.
12.2(33)SB	This command was integrated into Cisco Release 12.2(33)SB.

Usage Guidelines

Use the keepalive keyword with the policy-peer command to monitor the peering relationship between the Intelligent Services Gateway (ISG) device and the Service Control Engine (SCE). When the ISG and SCE establish a peering relationship, they negotiate the lowest keepalive value between them. If the ISG keepalive value is set to zero (0), the ISG accepts the value proposed by the SCE. The SCE sends keepalive packets at specified intervals. If twice the time specified by the seconds argument goes by without the ISG receiving a keepalive packet from the SCE, the peering relationship is ended. The ISG ignores any messages from the SCE unless they are messages to establish peering.

Examples

The following example configures a subscriber policy peer connection with a keepalive value of 5 seconds.


Router(config)# policy-peer address 10.0.0.100 keepalive 5

Related Commands


Command	Description
aaa server radius policy-device	Enables ISG RADIUS server configuration mode.
show subscriber policy peer	Displays the details of a subscriber policy peer.
subscriber-policy	Defines or modifies the forward and filter decisions of the subscriber policy.

port

To specify the port on which a device listens for RADIUS requests from configured RADIUS clients, use the port command in dynamic authorization local server configuration mode. To restore the default, use the no form of this command.

port port-number

no port port-number

Syntax Description


`port-number`	Port number. The default value is port 1700.

Command Default

The device listens for RADIUS requests on the default port (port 1700).

Command Modes

Dynamic authorization local server configuration (config-locsvr-da-radius)

Command History


Release	Modification
12.2(28)SB	This command was introduced.
Cisco IOS XE Release 2.6	This command was integrated into Cisco IOS XE Release 2.6.

Usage Guidelines

A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the port command to specify the ports on which the router will listen for requests from RADIUS clients.

Examples

The following example specifies port 1650 as the port on which the device listens for RADIUS requests:


aaa server radius dynamic-author
 client 10.0.0.1
 port 1650

Related Commands


Command	Description
aaa server radius dynamic-author	Configures a device as a AAA server to facilitate interaction with an external policy server.

prepaid config

To enable prepaid billing for an Intelligent Services Gateway (ISG) service and to reference a configuration of prepaid billing parameters, use the prepaid config command in service policy traffic class configuration mode. To disable prepaid billing for a service, use the no form of this command.

prepaid config {name-of-configuration | default}

no prepaid config {name-of-configuration | default}

Syntax Description


`name-of-configuration`	A named configuration of prepaid billing parameters.
default	The default configuration of prepaid billing parameters.

Command Default

Prepaid billing is not enabled.

Command Modes

Service policy traffic class configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

ISG prepaid billing is enabled in a service policy map on the router by entering the prepaid config command, or in a service profile on the authentication, authorization, and accounting (AAA) server by using the prepaid vendor-specific attribute (VSA). The prepaid config command and prepaid VSA reference a configuration that contains specific prepaid billing parameters.

To create or modify a prepaid billing parameter configuration, use the subscriber feature prepaid command to enter prepaid configuration mode. A default prepaid configuration exists with the following parameters:


subscriber feature prepaid default
 threshold time 0 seconds
 threshold volume 0 bytes
 method-list authorization default
 method-list accounting default
 password cisco

The default configuration will not show up in the output of the show running-config command unless you change any one of the parameters.

The parameters of named prepaid configurations are inherited from the default configuration, so if you create a named prepaid configuration and want only one parameter to be different from the default configuration, you have to configure only that parameter.

Examples

The following example shows prepaid billing enabled in a service called “mp3”. The prepaid billing parameters in the configuration “conf-prepaid” will be used for “mp3” prepaid sessions.


policy-map type service mp3
 class type traffic CLASS-ACL-101
  authentication method-list cp-mlist
  accounting method-list cp-mlist
  prepaid config conf-prepaid 
subscriber feature prepaid conf-prepaid
 threshold time 20
 threshold volume 0
 method-list accounting ap-mlist
 method-list authorization default
 password cisco

Related Commands


Command	Description
subscriber feature prepaid	Creates or modifies a configuration of ISG prepaid billing parameters that can be referenced from a service policy map or service profile.

proxy (ISG RADIUS proxy)

To configure an Intelligent Services Gateway (ISG) device to send RADIUS packets to a method list, use the proxy command in control policy-map class configuration mode. To remove this action from the control policy, use the no form of this command.

action-number proxy [aaa list {list-name | default}] [accounting aaa list acc-list-name]

no action-number proxy [aaa list {list-name | default}] [accounting aaa list acc-list-name]

Syntax Description


`action-number`	Number of the action. Actions are executed sequentially within the policy rule.
aaa list	(Optional) Specifies that RADIUS packets will be sent to an authentication, authorization, and accounting (AAA) method list.
`list-name`	Name of the AAA method list to which RADIUS packets are sent.
default	Specifies that RADIUS packets will be sent to the default RADIUS server.
accounting aaa list	Defines a method list to which accounting is sent.
`acc-list-name`	Name of the accounting AAA method list to which RADIUS packets are sent.

Command Default

RADIUS packets are sent to the default method list.

Command Modes

Control policy-map class configuration (config-control-policymap-class-control)

Command History


Release	Modification
12.2(31)SB2	This command was introduced.
12.2(33)SRC	The accounting aaa list keyword was added.
12.2(33)SB	This command was implemented on the Cisco 10000 series.

Usage Guidelines

The proxy command is used to configure a control policy that causes ISG to forward RADIUS packets to a specified AAA method list. The method list must be configured with the aaa accounting command.

Control policies define the actions that the system takes in response to specified events and conditions. A control policy is made up of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

The accounting aaa list keyword is used configure the ISG device to forward incoming accounting requests from the SCE device to the AAA server.

Examples

The following example configures an accounting method list called “LIST-LOCAL”. The server group called “AAA-GROUP1” is the method specified in the method list. A control policy called “POLICY-LOCAL” is configured with a policy rule that causes ISG to forward SCE accounting packets to the server group defined in method list “LIST-LOCAL”.


Router(config)# aaa accounting network LIST-LOCAL start-stop group AAA-GROUP1
Router(config)# policy-map type control POLICY-LOCAL
Router(config-control-policymap)# class type control always event acct-notification
Router(config-control-policymap-class)# 1 proxy accounting aaa list LIST-LOCAL

Related Commands


Command	Description
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

radius filter

To filter RADIUS packets that are received by the Intelligent Services Gateway (ISG), use the radius filter command in global configuration mode. To remove the RADIUS packet filter configuration, use the no form of this command.

radius filter {match-all | match-any} name

no radius filter {match-all | match-any} name

Syntax Description


match-all	Defines the condition to filter RADIUS packets if all attributes match.
match-any	Defines the condition to filter RADIUS packets if at least one attribute matches.
`name`	Name of the filter. The range is from 1 to 31 characters.

Command Default

RADIUS packet filters are not configured.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE Release 3.5S	This command was introduced.

Usage Guidelines

Use the radius filter command to enable ISG to filter RADIUS packets based on the filter criteria. Use this command along with match , matchnot , and filter commands.

Examples

The following example shows how to configure a RADIUS packet filter with the match-all keyword.

Device(config)# radius filter match-all filter1

Related Commands


Command	Description
filter (ISG RADIUS proxy)	Applies ISG RADIUS packet filters to the RADIUS proxy server or client.
match (radius-filter)	Configures a condition to check for a filter match criterion.
matchnot (radius-filter)	Configures a condition to check for a filter criterion that does not match.

radius-server attribute 31

To enable Calling-Station-ID (attribute 31) options, use the radius-server attribute 31 command in global configuration mode. To disable Calling-Station-ID (attribute 31) options, use the no form of this command.

radius-server attribute 31 {append-circuit-id | mac format {default | ietf | {one-byte | three-byte | two-byte} delimiter {colon | dot | hyphen} | unformatted} [lower-case | upper-case] | remote-id | send nas-port-detail [mac-only]}

no radius-server attribute 31 {append-circuit-id | mac format | remote-id | send nas-port-detail [mac-only]}

Syntax Description


append-circuit-id	Appends circuit-id to the Calling-Station-ID (attribute 31).
mac format	Specifies the format used to display the MAC address in the calling station ID.
default	Specifies the MAC address in the default format (0000.4096.3e4a).
ietf	Specifies the MAC address in the IETF format (00-00-40-96-3E-4A).
one-byte	Specifies the MAC address in a one-byte format (00.00.40.96.3e.4a).
three-byte	Specifies the MAC address in a three-byte format (000040.963e4a).
two-byte	Specifies the MAC address in a two-byte format (0000.4096.3e4a).
delimiter	Specifies the delimiter used in the MAC address.
colon	Specifies colon (:) as the delimiter in the MAC address (00:00:40:96:3e:4a).
dot	Specifies dot (.) as the delimiter in the MAC address (00.00.40.96.3e.4a).
hyphen	Specifies hyphen (-) as the delimiter in the MAC address (00-00-40-96-3e-4a).
unformatted	Specifies an unformatted MAC address (000040963e4a).
lower-case	(Optional) Specifies the MAC address in lower case.
upper-case	(Optional) Specifies the MAC address in upper case.
remote-id	Specifies the remote ID as the calling station ID in accounting records and access requests.
send nas-port-detail	Includes all NAS port details in the calling station ID.
mac-only	(Optional) Includes only the MAC address, if available, in the calling station ID.

Command Default

The Calling-Station-ID (attribute 31) information is not sent to the authentication, authorization, and accounting (AAA) server.

Command Modes

Global configuration (config)

Command History


Release	Modification
12.2(28)SB	This command was introduced.
12.2(31)SB2	This command was modified. The mac format , default , ietf , unformatted , send nas-port-detail , and mac-only keywords were added.
12.2(33)SRC	This command was integrated into Cisco IOS Release 12.2(33)SRC.
15.0(1)M	This command was integrated into Cisco IOS Release 15.0(1)M.
Cisco IOS XE Release 3.7S	This command was integrated into Cisco IOS XE Release 3.7S. The one-byte , three-byte , two-byte , delimiter , colon , dot , hyphen , lower-case , and upper-case keywords were added.

Usage Guidelines

Intelligent Services Gateway (ISG) RADIUS Proxy Sessions
When the DHCP lease query is used, ISG RADIUS proxy receives both the MAC address and the Mobile Station Integrated Services Digital Network Number (MSISDN) as the Calling-Station-ID (attribute 31) option from the downstream device. Therefore, ISG RADIUS proxy must be configured to choose either the MAC address or the MSISDN as the calling station ID and send the ID to ISG accounting records.

The following example shows how to specify the MAC address to be displayed in the IETF format:
```
Device(config)# radius-server attribute 31 mac format ietf
```
The following example shows how to allow the remote ID to be sent as the Calling-Station-ID:
```
Device(config)# radius-server attribute 31 remote-id
```
The following example shows how to include NAS port details in the Calling-Station-ID:
```
Device(config)# radius-server attribute 31 send nas-port-detail
```
The following example shows how to include only the MAC address, if available, in the Calling-Station-ID:
```
Device(config)# radius-server attribute 31 send nas-port-detail mac-only
```

PPP over ATM Sessions
When you use the send nas-port-detail mac-only keyword, the calling station ID information is sent through access and accounting requests in the following format:
```
host.domain:vp_descr:vpi:vci
```

PPP over Ethernet over ATM (PPPoEoA) Sessions
When you use the send nas-port-detail mac-only keyword, the calling station ID information is sent through access and accounting requests in the following format:
```
host.domain:vp_descr:vpi:vci
```

PPP over Ethernet over Ethernet (PPPoEoE) Sessions
When you use the send nas-port-detail mac-only keyword, the calling station ID information is sent through access and accounting requests in the following format:
```
mac_addr
```

Related Commands


Command	Description
calling-station-id format	Specifies the format — MAC address or MSISDN — of the Calling-Station-ID (attribute 31).
radius-server attribute nas-port-id include	Uses the DHCP relay agent information (option 60 and option 82) in the NAS port ID to authenticate a user.

radius-server attribute nas-port-id include

To include DHCP option 60 and option 82 (that is, any combination of circuit ID, remote ID, and vendor-class ID) in the NAS-Port-ID to authenticate a user, use the radius-server attribute nas-port-id include command in global configuration mode. To return to the default behavior, use the no form of this command.

radius-server attribute nas-port-id include identifier1 [plus identifier2] [plus identifier3] [separator separator]

no radius-server attribute nas-port-id include

Syntax Description


`identifier1,2,3`	Identifier for authorization. Valid keywords are: circuit-id remote-id vendor-class-id
plus	(Optional) Separates identifiers if more than one is specified.
separator `separator`	(Optional) Symbol to be used for separating identifiers in accounting records and authentication requests. The symbol can be any alphanumeric character. The colon (:) is the default separator.

Command Default

The NAS-Port-ID is populated with the Intelligent Services Gateway (ISG) interface that received the DHCP relay agent information packet; for example, Ethernet1/0.

Command Modes

Global configuration (config)

Command History


Release	Modification
12.2(33)SRD	This command was introduced.
Cisco IOS XE Release 3.1S	This command was integrated into Cisco IOS XE Release 3.1S.

Usage Guidelines

When you use the radius-server attribute nas-port-id include command, you must specify at least one ID. You can use a single ID or any combination of the three, in any order. If you use more than one ID, use the plus keyword between each pair as a separator.

The NAS-Port-ID is shown in the accounting records as it is specified in this command, with the plus keyword replaced by a separator. The colon (:) is the default separator.

When the NAS-Port-ID is selected as the identifier for authorization, the NAS-Port-ID is sent as part of the username in the authentication request. It is sent as specified in this command, preceded by the string “nas-port:”.

Examples

The following example shows an authentication request that specifies a circuit ID, a remote ID, and a vendor-class ID:


Router(config)# radius-server attribute nas-port-id include circuit-id plus remote-id plus vendor-class-id

If the circuit ID is “xyz”, the remote ID is “abc”, and the vendor-class ID is “123”, the NAS-Port-ID will be sent to the accounting records as “abc:xyz:123” and the username will be sent as “nas-port:abc:xyz:123” in the authentication request.

The following example shows an authentication request that specifies a circuit ID and a vendor-class ID and also specifies a separator, “#”:


Router(config)# radius-server attribute nas-port-id include circuit-id plus vendor-class-id
 separator #

If the circuit ID is “xyz” and the vendor-class ID is “123”, the NAS-Port-ID will be sent to the accounting records as “xyz#123” and the username will be sent as “nas-port:xyz#123” in the authentication request.

Related Commands


Command	Description
authorize identifier	Initiates a request for authorization based on a specified identifier in an ISG control policy.

re-authenticate do-not-apply

To prevent Intelligent Services Gateway (ISG) from applying data from reauthentication profiles to subscriber sessions, use the re-authenticate do-not-apply command in RADIUS proxy server configuration or RADIUS proxy client configuration mode. To return to the default value, use the no form of this command.

re-authenticate do-not-apply

no re-authenticate do-not-apply

Syntax Description

This command has no arguments or keywords.

Command Default

ISG applies data from the reauthentication profile to subscriber sessions.

Command Modes

RADIUS proxy server configuration (config-locsvr-proxy-radius)
RADIUS proxy client configuration (config-locsvr-radius-client)

Command History


Release	Modification
15.0(1)S2	This command was introduced.

Usage Guidelines

The re-authenticate do-not-apply command prevents ISG from updating the subscriber session with data from a reauthentication profile. During the Extensible Authentication Protocol (EAP) authentication process, for example, ISG will not update the subscriber session with the user-name from the reauthentication profile if this command is configured.

This command can be configured globally for all RADIUS proxy clients, or it can be configured for specific clients. The client-specific configuration of this command overrides the global configuration.

Examples

The following example shows how to prevent ISG from applying reauthentication data to subscriber sessions, for all RADIUS proxy clients:


aaa server radius proxy
 re-authenticate do-not-apply

Related Commands


Command	Description
aaa server radius proxy	Enables ISG RADIUS proxy configuration mode, in which ISG RADIUS proxy parameters can be configured.
client (ISG RADIUS proxy)	Enters ISG RADIUS proxy client configuration mode, in which client-specific RADIUS proxy parameters can be specified.

redirect log translations

To enable the Layer 4 Redirect Logging feature for Intelligent Services Gateway (ISG), use the redirect log translations command in global configuration mode. To disable Layer 4 redirect logging, use the no form of this command.

redirect log translations {basic | extended} exporter exporter-name

no redirect log translations

Syntax Description


basic	Exports Layer 4 redirect translation event information using the basic template format.
extended	Exports Layer 4 translation event information using the extended template format, which includes additional debugging information.
`exporter-name`	Name of the flow exporter to use for exporting the logging information, as defined by the flow exporter command.

Command Default

Layer 4 redirect logging is disabled.

Command Modes

Global configuration (config)

Command History


Release	Modification
Cisco IOS XE Release 3.5S	This command was introduced.

Usage Guidelines

The redirect log translations command allows ISG to export records for Layer 4 redirect translation events to an external collector. These records can be used to identify users with applications that do not react to HTTP redirect.

The name of the flow exporter specified for the exporter-name argument must be configured with the flow exporter command before using the redirect log translations command.

For a description of the fields included in the basic and extended template formats, see the “Configuring Layer 4 Redirect Logging” chapter in the Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S.

Examples

The following example shows that the flow exporter named L4R-EXPORTER is assigned as the exporter to use for logging redirect translations. There are two types of export templates for Layer 4 redirect logging: IPv4 and IPv6.


flow exporter L4R-EXPORTER
 destination 172.16.10.3
 transport udp 90
!
!         
redirect log translations basic exporter L4R-EXPORTER

Related Commands


Command	Description
flow exporter	Defines a flow exporter.
show flow exporter statistics	Displays flow exporter statistics.
show flow exporter templates	Displays flow exporter template information.

redirect server-group

To define a group of one or more servers that make up a named Intelligent Services Gateway (ISG) Layer 4 redirect server group, use the redirect server-group command in global configuration mode. To remove a redirect server group and any servers configured within that group, use the no form of this command.

redirect server-group group-name

no redirect server-group group-name

Syntax Description


`group-name`	Name of the server group.

Command Default

A redirect server group is not defined.

Command Modes

Global configuration (config)

Command History


Release	Modification
12.2(28)SB	This command was introduced.
Cisco IOS XE Release 3.5S	This command was modified. Support for IPv6 addresses was added.

Usage Guidelines

Use the redirect server-group command to define and name an ISG Layer 4 redirect server group. Packets sent upstream from an unauthenticated subscriber can be forwarded to the server group, which will deal with the packets in a suitable manner, such as routing them to a logon page. You can also use server groups to handle requests from authorized subscribers who request access to services to which they are not logged in and for advertising captivation.

After defining a redirect server group with the redirect server-group command, add individual servers to the server group by using the server ip command. The server group must contain at least one redirect server before it can be configured under a traffic class service.

The IP addresses of all the servers configured under a redirect group must be either IPv4 or IPv6. A mix of IPv4 and IPv6 redirect server addresses within the same server group is not supported.

Examples

The following example shows the configuration of a server group named PORTAL that contains two servers, both with an IPv4 address:


redirect server-group PORTAL
 server ip 10.2.36.253 port 80
 server ip 10.76.86.83 port 81

The following example shows the configuration of a server group named PORTAL2 that contains two servers, both with an IPv6 address:


redirect server-group PORTAL2
 server ip 2001:DB8:C003:12::2918 port 8080
 server ip 2001:DB8:1:1::26/64 port 8081

Related Commands


Command	Description
redirect to (ISG)	Redirects ISG Layer 4 traffic to a specified server or server group.
server ip	Adds a server to an ISG Layer 4 redirect server group.
show redirect group	Displays information about ISG Layer 4 redirect server groups.
show redirect translations	Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.

redirect session-limit

To set the maximum number of Layer 4 redirects allowed for each Intelligent Services Gateway (ISG) subscriber session, use the redirect session-limit command in global configuration mode. To restore the default value, use the no form of this command.

redirect session-limit maximum-number

no redirect session-limit

Syntax Description


`maximum-number`	The maximum number of Layer 4 redirects allowed. The range is from 1 to 512.

Command Default

An unlimited number of redirects are allowed per session.

Command Modes

Global configuration (config)

Command History


Release	Modification
12.2(33)SB8	This command was introduced.
12.2(33)XNE1	This command was integrated into Cisco IOS Release 12.2(33)XNE1.
12.2(33)SRD4	This command was integrated into Cisco IOS Release 12.2(33)SRD4.
12.2(33)SRE1	This command was integrated into Cisco IOS Release 12.2(33)SRE1.
Cisco IOS XE Release 3.5S	This command was modified. Support for IPv6 sessions was added.
Cisco IOS XE Release 3.8S	This command was modified. The `maximum-number` argument was modified to support a maximum of 512 Layer 4 redirects.

Usage Guidelines

The redirect session-limit command limits the number of redirect translations that can be created by unauthenticated subscribers that are redirected to the server group.

The maximum number applies to both IPv4 and IPv6 single-stack sessions. For dual-stack sessions, this command limits the total translations per subscriber; IPv4 and IPv6 translations are added together.

Examples

The following example limits the number of L4 redirects to five for a single session:


Router(config)# redirect session-limit 5

Related Commands


Command	Description
redirect server-group	Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.
redirect to (ISG)	Redirects ISG Layer 4 traffic to a specified server or server group.
show redirect translations	Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.

redirect to (ISG)

To redirect Intelligent Services Gateway (ISG) Layer 4 traffic to a specified server or server group, use the redirect to command in service policy-map class configuration mode. To disable redirection, use the no form of this command.

redirect to {group server-group-name | ip server-ip-address [port port-number]} [duration seconds [frequency seconds]]

no redirect to {group server-group-name | ip server-ip-address [port port-number]} [duration seconds [frequency seconds]]

Syntax Description


group `server-group-name`	Server group to which traffic will be redirected.
ip `server-ip-address`	IP address of the server to which traffic will be redirected.
port `port-number`	(Optional) Port number on the server to which traffic will be redirected.
duration `seconds`	(Optional) Amount of time, in seconds, for which traffic will be redirected, beginning with the first packet that gets redirected.
frequency `seconds`	(Optional) Period of time, in seconds, between redirect activations.

Command Default

Subscriber Layer 4 traffic is not redirected.

Command Modes

Service policy-map class configuration (config-service-policymap-class-traffic)

Command History


Release	Modification
12.2(28)SB	This command was introduced.
12.2(33)SRE	This command was modified. It was removed from interface configuration mode.
Cisco IOS XE Release 2.5	This command was modified. It was removed from interface configuration mode.
Cisco IOS XE Release 3.5S	This command was modified. The `server-ip-address` argument accepts IPv6 addresses.

Usage Guidelines

The redirect to command redirects specified Layer 4 subscriber packets to servers that handle the packets in a specified manner.

A redirect server group is defined with the redirect server-group command. The server group must contain at least one redirect server, defined with the server ip command, before it can be configured under a traffic class service.

The ISG Layer 4 Redirect feature supports three types of redirection, which can be applied to subscriber sessions or to flows:

Permanent redirection—Specified traffic is redirected to the specified server all the time.
Initial redirection—Specified traffic is redirected for a specific duration of time only, starting from when the feature is applied.
Periodic redirection—Specified traffic is periodically redirected. The traffic is redirected for a specified duration of time. The redirection is then suspended for another specified duration. This cycle is repeated.

This command can be configured only once under any traffic class service on the Cisco ASR 1000 Series Router.

Examples

The following example redirects Layer 4 traffic to the servers specified in server group “ADVT-SERVER”:


policy-map type service L4R-SERVICE
  class type traffic L4R-TC
    redirect to group ADVT-SERVER

Examples

The following example configures ISG to redirect all traffic coming from the subscriber interface to 10.2.36.253. The destination port is left unchanged, so traffic to 10.10.10.10 port 23 is redirected to 10.2.36.253 port 23, and traffic to 10.4.4.4 port 80 is redirected to 10.2.36.253 port 80.


redirect to ip 10.2.36.253

The following example configures ISG to redirect all traffic coming from the subscriber interface to 2001:DB8:C003:12::2918 port 80:


redirect to ip 2001:DB8:C003:12::2918 port 80

Examples

The following example redirects all traffic to the servers configured in the server group “ADVT-SERVER” for the first 60 seconds of the session and then stops redirection for the rest of the lifetime of the session:


redirect to group ADVT-SERVER duration 60

Examples

The following example redirects all traffic to server group “ADVT-SERVER” for 60 seconds, every 3600 seconds. That is, the traffic will be redirected for 60 seconds, and subsequently the redirection is suspended for 3600 seconds, after which redirection resumes again for 60 seconds, and so on.


redirect to group ADVT-SERVER duration 60 frequency 3600

Related Commands


Command	Description
redirect server-group	Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.
server ip	Adds a server to an ISG Layer 4 redirect server group.
show redirect group	Displays information about ISG Layer 4 redirect server groups.
show redirect translations	Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.

server ip

To add a server to an Intelligent Services Gateway (ISG) Layer 4 redirect server group, use the server ip command in Layer 4 redirect server group configuration mode. To remove a server from a redirect server group, use the no form of this command.

server ip ip-address [port port]

no server ip ip-address [port port]

Syntax Description


ip `ip-address`	IP address of the server to be added to the redirect server group.
port `port`	(Optional) TCP port of the server to be added to the redirect server group.

Command Default

A server is not added to the redirect server group.

Command Modes

Layer 4 redirect server group configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.
Cisco IOS XE Release 3.5S	This command was modified. The `ip-address` argument accepts IPv6 addresses.

Usage Guidelines

Use the server ip command in Layer 4 redirect server group configuration mode to add a server, defined by its IP address and TCP port, to a redirect server group. The server ip command can be entered more than once to add multiple servers to the server group.

ISG Layer 4 redirection provides nonauthorized users with access to controlled services. Packets sent upstream from an unauthenticated user are forwarded to the server group, which deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services to which they are not logged in.

Examples

The following example adds a server at IP address 10.0.0.0 and TCP port 8080 and a server at IP address 10.1.2.3 and TCP port 8081 to a redirect server group named “ADVT-SERVER”:


redirect server-group ADVT-SERVER
 server ip 10.0.0.0 port 8080
 server ip 10.1.2.3 port 8081

Related Commands


Command	Description
redirect server-group	Defines a group of one or more servers that make up a named ISG Layer 4 redirect server group.
redirect to (ISG)	Redirects ISG Layer 4 traffic to a specified server or server group.
show redirect group	Displays information about ISG Layer 4 redirect server groups.
show redirect translations	Displays information about the ISG Layer 4 redirect mappings for subscriber sessions.

server-key

To configure the RADIUS key to be shared between a device and RADIUS clients, use the server-key command in dynamic authorization local server configuration mode. To remove this configuration, use the no form of this command.

server-key [0 | 7] word

no server-key [0 | 7] word

Syntax Description


0	(Optional) An unencrypted key will follow.
7	(Optional) A hidden key will follow.
`word`	Unencrypted server key.

Command Default

A server key is not configured.

Command Modes

Dynamic authorization local server configuration (config-locsvr-da-radius)

Command History


Release	Modification
12.2(28)SB	This command was introduced.
Cisco IOS XE Release 2.6	This command was integrated into Cisco IOS XE Release 2.6.

Usage Guidelines

A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the server-key command to configure the key to be shared between the Intelligent Services Gateway (ISG) and RADIUS clients.

Examples

The following example configures “cisco” as the shared server key:


aaa server radius dynamic-author
 client 10.0.0.1  
 server-key cisco

Related Commands


Command	Description
aaa server radius dynamic-author	Configures a device as a AAA server to facilitate interaction with an external policy server.

service (ISG)

To specify a network service type for PPP sessions, use the service command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.

action-number service {disconnect | local | vpdn}

no action-number service {disconnect | local | vpdn}

Syntax Description


`action-number`	Number of the action. Actions are executed sequentially within the policy rule.
disconnect	Disconnect the session.
local	Locally terminate the session.
VPDN	Virtual Private Dialup Network (VPDN) tunnel service.

Command Default

PPP sessions are locally terminated.

Command Modes

Control policy-map class configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The service command configures an action in a control policy map.

Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

Examples

The following example shows how configure ISG to locally terminate sessions for PPP subscribers:


policy-map type control MY-RULE1
 class type control MY-CONDITION2 event session-start
  1 service local

Related Commands


Command	Description
class type control	Specifies a control class for which actions may be configured in an ISG control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISG control policy.

service deny (ISG)

To deny network service to the Intelligent Services Gateway (ISG) subscriber session, use the service deny command in service policy-map configuration mode. To remove the configuration, use the no form of this command.

service deny

no service deny

Syntax Description

The command has no arguments or keywords.

Command Default

Service is not denied to the session.

Command Modes

Service policy-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The service deny command denies network service to subscriber sessions that use the service policy map.

Examples

The following example denies service to subscriber sessions that use the service called “service1”:


policy-map type service service1
 service deny

Related Commands


Command	Description
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG subscriber service.

service local (ISG)

To specify local termination service in an Intelligent Services Gateway (ISG) service policy map, use the service local command in service policy-map configuration mode. To remove the service, use the no form of this command.

service local

no service local

Syntax Description

This command has no arguments or keywords.

Command Default

Local termination service is not specified.

Command Modes

Service policy-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The service local command is used to configure local termination service in a service policy map defined with the policy-map type service command.

When you configure the service local command in a service policy map, you can also use the ip vrf forwarding command to specify the routing domain in which to terminate the session. If you do not specify the routing domain, the global virtual routing and forwarding instance (VRF) will be used.

Examples

The following example provides local termination service to subscriber sessions for which the “my_service” service policy map is activated:


!
policy-map type service my_service
 service local

Related Commands


Command	Description
ip vrf forwarding (service policy map)	Associates the service with a VRF.
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG service.
service vpdn group	Provides VPDN service.
vpdn-group	Associates a VPDN group with a customer or VPDN profile.

service relay (ISG)

To enable relay of PPPoE Active Discovery (PAD) messages over a Layer 2 Tunnel Protocol (L2TP) tunnel for an Intelligent Services Gateway (ISG) subscriber session, use the service relay command in service policy-map configuration mode. To disable message relay, use the no form of this command.

service relay pppoe vpdn group vpdn-group-name

no service relay pppoe vpdn group vpdn-group-name

Syntax Description


pppoe	Provides relay service using PPP over Ethernet (PPPoE) using a virtual private dialup network (VPDN) L2TP tunnel for the relay.
vpdn group `vpdn-group-name`	Provides VPDN service by obtaining the configuration from a predefined VPDN group.

Command Default

Relay of PAD messages over an L2TP tunnel is not enabled.

Command Modes

Service policy-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The service relay command is configured as part of a service policy-map.

Examples

The following example configures sessions that use the service policy-map “service1” to contain outgoing tunnel information for the relay of PAD messages over an L2TP tunnel:


policy-map type service 
 service relay pppoe vpdn group Sample1.net

Related Commands


Command	Description
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG subscriber service.

service vpdn group (ISG)

To provide virtual private dialup network (VPDN) service for Intelligent Services Gateway (ISG) subscriber sessions, use the service vpdn group command in service policy-map configuration mode. To remove VPDN service, use the no form of this command.

service vpdn group vpdn-group-name

no service vpdn group vpdn-group-name

Syntax Description


`vpdn-group-name`	Provides the VPDN service by obtaining the configuration from a predefined VPDN group.

Command Default

VPDN service is not provided for ISG subscriber sessions.

Command Modes

Service policy-map configuration

Command History


Release	Modification
12.2(28)SB	This command was introduced.

Usage Guidelines

The service vpdn group command provides VPDN service by obtaining the configuration from a predefined VPDN group.

A service configured with the service vpdn group command (or corresponding RADIUS attribute) is a primary service.

Examples

The following example provides VPDN service to sessions that use the service called “service” and uses VPDN group 1 to obtain VPDN configuration information:


policy-map type service service1
 service vpdn group 1

Related Commands


Command	Description
policy-map type service	Creates or modifies a service policy map, which is used to define an ISG subscriber service.

service-monitor

To configure service monitoring for sessions on the Service Control Engine (SCE) that use the configured Intelligent Services Gateway (ISG) service, use the service-monitor command in service policy map configuration mode. To remove service monitoring, use the no form of this command.

service-monitor {enable | disable}

no service-monitor {enable | disable}

Syntax Description


enable	Enables service monitoring.
disable	Disables service monitoring.

Command Default

Service monitoring is not configured.

Command Modes

Service policy map configuration (config-service-policymap)

Command History


Release	Modification
12.2(33)SRC	This command was introduced.
12.2(33)SB	This command was integrated into Cisco IOS Release 12.2(33)SB.

Usage Guidelines

The service-monitor command is used with the policy-map type service command and must be configured together with the sg-service-type external-policy command.

Examples

The following example configures service monitoring for a service policy called “SCE-SERVICE4”.


Router(config)# policy-map type service SCE-SERVICE4
Router(config-service-policymap)# sg-service-type external policy
Router(config-service-policymap)# service-monitor enable

Related Commands


Command	Description
policy-name	Configures a subscriber policy name.
sg-service-type external policy	Identifies an ISG service as an external policy.

service-policy

To attach a policy map to an input interface, a virtual circuit (VC), an output interface, or a VC that will be used as the service policy for the interface or VC, use the service-policy command in the appropriate configuration mode. To remove a service policy from an input or output interface or from an input or output VC, use the no form of this command.

service-policy [type access-control] {input | output} policy-map-name

no service-policy [type access-control] {input | output} policy-map-name

Cisco 10000 Series and Cisco 7600 Series Routers

service-policy [history | {input | output} policy-map-name | type control control-policy-name]

no service-policy [history | {input | output} policy-map-name | type control control-policy-name]

Interface Template Configuration

service-policy [ access-control] {input | output | type control subcriber }policy-map-name

no service-policy [ access-control] {input | output | type control subcriber }policy-map-name

Syntax Description


type access-control	(Optional) Determines the exact pattern to look for in the protocol stack of interest.
input	Attaches the specified policy map to the input interface or input VC.
output	Attaches the specified policy map to the output interface or output VC.
`policy-map-name`	The name of a service policy map (created using the policy-map command) to be attached. The name can be a maximum of 40 alphanumeric characters in length.
history	(Optional) Maintains a history of quality of service (QoS) metrics.
type control `control-policy-name`	(Optional) Creates a Class-Based Policy Language (CPL) control policy map that is applied to a context.
type control subscriber `policy-map-name`	Applies subscriber control policy to the interface.

Command Default

No service policy is specified. A control policy is not applied to a context. No policy map is attached.

Command Modes

ATM VC bundle configuration (config-atm-bundle)

ATM PVP configuration (config-if-atm-l2trans-pvp)

ATM VC configuration mode (config-if-atm-vc)

Ethernet service configuration (config-if-srv)

Global configuration (config)

Interface configuration (config-if)

Static maps class configuration (config-map-class)

ATM PVC-in-range configuration (cfg-if-atm-range-pvc)

Subinterface configuration (config-subif)

Template configuration (config-template)

Command History


Release	Modification
12.0(5)T	This command was introduced.
12.0(5)XE	This command was integrated into Cisco IOS Release 12.0(5)XE.
12.0(7)S	This command was integrated into Cisco IOS Release 12.0(7)S.
12.0(17)SL	This command was implemented on the Cisco 10000 series routers.
12.1(1)E	This command was integrated into Cisco IOS Release 12.1(1)E.
12.1(2)T	This command was modified to enable low latency queueing (LLQ) on Frame Relay VCs.
12.2(14)SX	Support for this command was implemented on Cisco 7600 series routers. Support was added for output policy maps.
12.2(15)BX	This command was implemented on the ESR-PRE2.
12.2(17d)SXB	This command was implemented on the Supervisor Engine 2 and integrated into Cisco IOS Release 12.2(17d)SXB.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(2)T	This command was modified. Support was added for subinterface configuration mode and for ATM PVC-in-range configuration mode to extend policy map functionality on an ATM VC to the ATM VC range.
12.4(4)T	The type stack and type control keywords were added to support flexible packet matching (FPM).
12.2(28)SB	This command was integrated into Cisco IOS Release 12.2(28)SB and implemented on the Cisco 10000 series router.
12.2(31)SB2	This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.3(7)XI2	This command was modified to support subinterface configuration mode and ATM PVC-in-range configuration mode for ATM VCs on the Cisco 10000 series router and the Cisco 7200 series router.
12.2(18)ZY	The type stack and type control keywords were integrated into Cisco IOS Release 12.2(18)ZY on the Catalyst 6500 series of switches equipped with the Programmable Intelligent Services Accelerator (PISA).
12.2(33)SRC	Support for this command was enhanced on Cisco 7600 series routers.
12.2(33)SB	This command was modified. The command was implemented on the Cisco 10000 series router for the PRE3 and PRE4.
Cisco IOS XE Release 2.3	This command was modified to support ATM PVP configuration mode.
12.4(18e)	This command was modified to prevent simultaneous configuration of legacy traffic-shaping and Cisco Modular QoS CLI (MQC) shaping on the same interface.
Cisco IOS XE Release 3.3S	This command was modified to support Ethernet service configuration mode.
Cisco IOS XE Release 3.5S	This command was modified. An error displays if you try to configure the service-policy input or service-policy output command when the ip subscriber interface command is already configured on the interface.
15.2(1)S	This command was modified to allow simultaneous nonqueueing policies to be enabled on subinterfaces.
15.2(2)E	This command was integrated into Cisco IOS Release 15.2(2)E. This command is supported in template configuration mode.
Cisco IOS XE Release 3.6E	This command was integrated into Cisco IOS XE Release 3.6E. This command is supported in template configuration mode.

Usage Guidelines

The table below shows which configuration mode to choose based on the intended use of the command.

Table 1. Configuration Modes Based on Command Application
Application	Mode
Standalone VC	ATM VC submode
ATM VC bundle members	ATM VC Bundle configuration
A range of ATM PVCs	Subinterface configuration
Individual PVC within a PVC range	ATM PVC-in-range configuration
Frame Relay VC	Static maps class configuration

Bias-Free Language

Results

Chapter: M through Z

M through Z

match (radius-filter)

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

match access-group (ISG)

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

match access-list

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

match authen-status

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

match authenticated-domain

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

match authenticated-username

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

match dnis

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

match media

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

match mlp-negotiated

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

match nas-port

Syntax Description

Command Default