Configuring ISA Network-Forwarding Policies

Available Languages

Download Options

  • PDF     (214.7 KB)
    View with Adobe Reader on a variety of devices
Updated:March 10, 2005

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Configuring ISA Network-Forwarding Policies

Table Of Contents

Configuring ISA Network-Forwarding Policies

Contents

Restrictions for Configuring ISA Network-Forwarding Policies

Information About ISA Network Policies

Network Policies

Configuration Sources for Network Policies

How to Configure ISA Network Policies

Configuring Network Policies for PPP Sessions in Service Policy Maps

Prerequisites

What to Do Next

Configuring Network Policies for IP Sessions in Service Policy Maps

What to Do Next

Configuration Examples for ISA Network Policies

Network-Forwarding Policy for PPP Sessions: Example

Network-Forwarding Policy for IP Sessions: Example

Additional References

Related Documents

Technical Assistance

Feature Information for ISA Network Policies


Configuring ISA Network-Forwarding Policies

Intelligent Service Architecture (ISA) is a core set of Cisco IOS components that provide a structured framework in which edge access devices can deliver flexible and scalable services to subscribers. A Cisco device that is running a Cisco IOS image with ISA is called an Intelligent Service Gateway (ISG). An ISA network-forwarding policy is a type of traffic policy that allows packets to be routed or forwarded to and from an upstream network. This module provides information about how to configure network-forwarding policies.

Module History

This module was first published on April 28, 2005, and last updated on April 28, 2005.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all features. To find information about feature support and configuration, use the "Feature Information for ISA Network Policies" section.

Contents

Restrictions for Configuring ISA Network-Forwarding Policies

Information About ISA Network Policies

How to Configure ISA Network Policies

Configuration Examples for ISA Network Policies

Additional References

Feature Information for ISA Network Policies

Restrictions for Configuring ISA Network-Forwarding Policies

A service can contain only one network-forwarding policy.

For each subscriber session, only one instance of a network-forwarding policy can be in effiect at any point in time.

Information About ISA Network Policies

Before you configure network-forwarding policies, you should understand the following concepts:

Network Policies

Configuration Sources for Network Policies

Network Policies

For subscriber packets to reach a network, some form of forwarding must be specified for a subscriber session. A traffic policy that allows packets to be routed or forwarded to and from an upstream network is known as a network-forwarding policy.

Where the network-forwarding policy type is routing, forwarding decisions are made at Layer 3, and a VRF (Virtual Routing and Forwarding) identifier must be specified to indicate which routing table should be used to make the routing decision (each VRF represents an independent routing context within a single router). Where the network policy type is forwarding, forwarding decisions are made at Layer 2, which means that all subscriber packets are forwarded to and from a single virtual endpoint within the system. This virtual endpoint represents a Layer 2 tunnel, and a tunnel identifier determines which tunnel should be used.

An ISA service that includes a network-forwarding policy is known as a primary service. Primary services are mutually exclusive and may not be active simultaneously. Upon activation of a new primary service, ISA will deactivate the existing primary service and any other services dependent on the existing primary service through association with a service group.

Configuration Sources for Network Policies

Network policies can be configured in user profiles and service profiles on an external authentication, authorization, and accounting (AAA) server or in service policy maps on the ISG. A network-forwarding policy configured in a user profile takes precedence over a network-forwarding policy specified in a service. If a network-forwarding policy is not specified in a user profile or service, the ISA session will inherit the network service from another source. ISA can inherit a network service from the following sources:

Global

Interface

Subinterface

Virtual template

Virtual circuit (VC) class

Permanent virtual circuit (PVC)

These configuration sources are listed in order of precedence. For example, a network-forwarding policy that is configured for a virtual template takes precedence over a network-forwarding policy that is configured on an interface.

For each subscriber session, only one instance of a network-forwarding policy can be in effect at any point in time.

How to Configure ISA Network Policies

This section contains the following tasks:

Configuring Network Policies for PPP Sessions in Service Policy Maps

Configuring Network Policies for IP Sessions in Service Policy Maps

Configuring Network Policies for PPP Sessions in Service Policy Maps

Network policies can be configured in user profiles or service profiles on an external AAA server or in a service policy map on the ISG. For information about how to configure a network-forwarding policy in a user profile or a service profile, see the module "RADIUS Attributes and Profiles for ISA". Perform this task to configure a network-forwarding policy for PPP session in a service policy map on the ISG.

Note If a network-forwarding policy is not specified in a user profile or service, a subscriber session will inherit the network-forwarding policy from another source. See the "Configuration Sources for Network Policies" section for more information.

Prerequisites

This task assumes that virtual private dial-up network (VPDN) groups have been configured.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type service policy-map-name

4. service vpdn group vpdn-group-name

or

service local

or

service relay pppoe vpdn group vpdn-group-name

5. ip vrf forwarding name-of-vrf

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type service policy-map-name

Example:

Router(config)# policy-map type service service1

Creates or modifies a service policy map, which is used to define an ISA service.

Step 4 

service vpdn group vpdn-group-name


or

service local


or

service relay pppoe vpdn group vpdn-group-name

Example:

Router(config-service-policymap)# service vpdn group vpdn1

Example:

Router(config-service-policymap)# service local

Example:

Router(config-service-policymap)# service relay pppoe vpdn group vpdn1

Provides virtual private dialup network (VPDN) service.

or

Provides local termination service.

or

Provides VPDN service by relaying PPPoE over VPDN L2TP tunnels.

If you terminate the service locally by configuring the service local command, you can also specify the routing domain in which to terminate the session by configuring the ip vrf forwarding command.

Step 5 

ip vrf forwarding name-of-vrf

Example:

Router(config-service-policymap)# ip vrf forwarding blue

Associates the service with a VRF.

Perform this step only if you configured the service local command in Step 4. If you configured the service local command, you can use the ip vrf forwarding command to specify the routing domain in which to terminate session. If you do not specify the routing domain, the global VRF will be used.

What to Do Next

You may want to configure a method of activating the service policy map; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISA Subscriber Services."

Configuring Network Policies for IP Sessions in Service Policy Maps

Network policies can be configured in user profiles or service profiles on an external AAA server or in a service policy map on the ISG. For information about how to configure a network-forwarding policy in a user profile or a service profile, see the module "RADIUS Attributes and Profiles for ISA." Perform this task to configure a network-forwarding policy for IP sessions in a service policy map on the ISG.

Note If a network-forwarding policy is not specified in a user profile or service, a subscriber session will inherit the network-forwarding policy from another source. See the "Configuration Sources for Network Policies" section for more information.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type service policy-map-name

4. ip vrf forwarding name-of-vrf

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type service policy-map-name

Example:

Router(config)# policy-map type service service1

Creates or modifies a service policy map, which is used to define an ISA service.

Step 4 

ip vrf forwarding name-of-vrf

Example:

Router(config-service-policymap)# ip vrf forwarding blue

Associates the service with a VRF.

Step 5 

sg-service-type primary

Example:

Router(config-service-policymap)# sg-service-type primary

Defines the service as a primary.

A primary service is a service that contains a network-forwarding policy. A primary service must be defined as a primary service by using the sg-service-type primary command. Any service that is not a primary service is defined as a secondary service by default.

What to Do Next

You may want to configure a method of activating the service policy map; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISA Subscriber Services."

Configuration Examples for ISA Network Policies

This section contains the following examples:

Network-Forwarding Policy for PPP Sessions: Example

Network-Forwarding Policy for IP Sessions: Example

Network-Forwarding Policy for PPP Sessions: Example

The following example shows a service policy map configured with a network-forwarding policy for PPP sessions: 

policy-map type service my_service

 service vpdn group vpdn1

Network-Forwarding Policy for IP Sessions: Example

The following example shows a service policy map configured with a network-forwarding policy for IP sessions: 

policy-map type service my_service

 ip vrf forwarding vrf1

Additional References

The following sections provide references related to ISA network-forwarding policies.

Related Documents

Related Topic
Document Title

ISA commands

Cisco IOS Intelligent Service Architecture Command Reference

PPP and VPDN configuration tasks

Cisco IOS Dial Services Configuration Guide, Release 12.2

PPP and VPDN commands

Cisco IOS Dial Services Command Reference, Release 12.2


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Feature Information for ISA Network Policies

Table 11 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(27)SBA or later appear in the table.

Not all commands may be available in your Cisco IOS software release. For details on when support for specific commands was introduced, see the command reference documents.

If you are looking for information on a feature in this technology that is not documented here, see the "Intelligent Service Architecture Features Roadmap."

Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Note Table 11 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

Table 11 Feature Information for ISA Network Policies 

Feature Name
Releases
Feature Configuration Information

ISA: Network Interface: IP Routed, VRF-Aware MPLS

12.2(27)SBA

ISA supports multiple forwarding types to connect sessions to networks. These connections can be to Internet, corporate Intranets, ISPs, or walled gardens for content delivery. ISA supports both routed and MPLS-enabled interfaces for network access.

The following sections provide information about this feature:

Information About ISA Network Policies

How to Configure ISA Network Policies

ISA: Network Interface: Tunneled (L2TP)

12.2(27)SBA

ISA is flexible to support multiple interface types to connect sessions to networks. These connections can be to Internet, corporate Intranets, ISPs or walled gardens for content delivery. ISA supports tunnelled interfaces to networks.

The following sections provide information about this feature:

Information About ISA Network Policies

How to Configure ISA Network Policies


Copyright © 2005 Cisco Systems, Inc. All rights reserved.
This module first published April 28, 2005. Last updated April 28, 2005.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products