Intelligent Service Architecture Commands: A through M

Table Of Contents

Intelligent Service Architecture Commands

aaa accounting list

aaa authorization subscriber-service

aaa server radius dynamic-author

authenticate (control policy map class)

authenticate (service policy-map)

authorize identifier

auth-type

available

class-map type control

class-map type traffic

classname

class type control

class type traffic

clear class-map type control

clear policy-map type control

client

collect identifier

drop (ISA)

greater-than

greater-than-or-equal

identifier interface

identifier ip src-addr

if upon network-service-found

ignore

initiator dhcp

interim-interval

ip access-group

ip portbundle (global)

ip portbundle (service policy-map)

ip portbundle outside

ip subscriber

ip vrf forwarding (service policy map)

length (ISA)

less-than

less-than-or-equal

Intelligent Service Architecture Commands

---

The following are Intelligent Service Architecture (ISA) commands. The commands are arranged alphabetically.

aaa accounting list

To enable Intelligent Service Architecture (ISA) accounting and specify an authentication, authorization, and accounting (AAA) method list to which accounting updates will be forwarded, use the aaa accounting list command in service policy map configuration or service policy traffic class configuration mode. To disable ISA accounting, use the no form of this command.

accounting aaa list aaa-method-list

no accounting aaa list aaa-method-list

Syntax Description

aaa-method-list

AAA method list to which Accounting-Start, interim, and Accounting-Stop records will be sent.

Defaults

ISA accounting is not enabled.

Command Modes

Service policy map configuration
Service policy traffic class configuration

Command History

Release	Modification
12.2 SBA	This command was introduced.

Usage Guidelines

An Intelligent Service Gateway (ISG) sends accounting records to the AAA method list specified by the accounting aaa list command. A AAA method list must also be configured by using the aaa accounting command. See the Cisco IOS Security Command Reference for more information.

Use the aaa accounting list command to enable per-session accounting by configuring the command in service policy map configuration mode. Per-session accounting can also be configured on a remote AAA server by adding the ISA accounting attribute to a user profile or to a service profile that does not include a traffic class.

To enable per-flow accounting, enter the accounting aaa list command in Service policy traffic class configuration mode. Per-flow accounting can also be configured on a remote AAA server by adding the ISA accounting attribute to a service profile that includes a traffic class.

Examples

The following example shows ISA per-session accounting configured for a service called "video1":

policy-map service video1

 accounting aaa list mlist1

The following example shows ISA per-flow accounting configured for a service called "video1":

class-map traffic match-any video1

 match access-group output 101

 match access-group input 100

!

policy-map service video1

 class traffic video1

  accounting aaa list mlist1

Related Commands

Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.

aaa authorization subscriber-service

To specify one or more authentication, authorization, and accounting (AAA) authorization methods for Intelligent Service Gateway (ISG) to use in providing subscriber service, use the aaa authorization subscriber-service command in global configuration mode. To remove this specification, use the no form of this command.

aaa authorization subscriber-service {default | list-name} method1 [method2...]

no aaa authorization subscriber-service {default | list-name} method1 [method2...]

Syntax Description

default	Uses the listed authorization methods that follow this argument as the default list of methods for authorization.
list-name	Character string used to name the list of authorization methods.
method1 [method2...]	Specifies an authorization method or (optionally) multiple authorization methods to be used for authorization. A method may be any one of the keywords listed in Table 1.

Command Default

A method list is not specified.

Command Modes

Global configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

Table 1 lists the keywords that can be used with the aaa authorization subscriber-service command to specify authorization methods.

Table 1 aaa authorization subscriber-server Keywords

Keyword	Description
cache name	Uses the specified cache, which is located in the profile database, for authorization.
cache radius	Uses the cache for all RADIUS requests for subscriber service authorization.
cache tacacs	Uses the cache for all TACACS+ requests for subscriber service authorization.
group name	Uses a subset of RADIUS or TACACS+ servers for authorization as defined by the server group command.
group radius	Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.
group tacacs	Uses the list of all TACACS+ servers for authorization as defined by the aaa group server tacacs+ command.
local	Uses the local database for authorization.

Cisco IOS software supports the following methods of authorization of ISA subscriber services:

•RADIUS—The network access server requests authorization information from the RADIUS security server group. RADIUS authorization defines specific rights for users by associating attributes, which are stored in a database on the RADIUS server, with the appropriate user.

•TACACS+—The network access server exchanges authorization information with the TACACS+ security daemon. TACACS+ authorization defines specific rights for users by associating attribute-value (AV) pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.

•Local—The router or access server consults its local database, as defined by the username command, to authorize specific rights for users. Only a limited set of functions can be controlled via the local database.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.

Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed.

The authorization aaa subscriber-service command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:

•Accept the request as is.

•Make changes to the request.

•Refuse the request and refuse authorization.

Examples

The following example defines the subscriber service authorization method list named "mygroup", which specifies RADIUS authorization. If the RADIUS server fails to respond, local authorization will be performed.

aaa authorization subscriber-service mygroup group radius local

Related Commands

Command	Description
aaa group server radius	Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa group server tacacs+	Groups different TACACS+ server hosts into distinct lists and distinct methods.
aaa new-model	Enables the AAA access control model.
radius-server host	Specifies a RADIUS server host.
tacacs-server host	Specifies a TACACS+ host.

aaa server radius dynamic-author

To configure an Intelligent Service Gateway (ISG) as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server, use the aaa server radius dynamic-author command in global configuration mode. To remove this configuration, use the no form of this command.

aaa server radius dynamic-author

no aaa server radius dynamic-author

Syntax Description

This command has no arguments or keywords.

Command Default

The ISG will not function as a server when interacting with external policy servers.

Command Modes

Global configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

ISA works with external devices, referred to as policy servers, that store per-subscriber and per-service information. ISA supports two models of interaction between ISA and external policy servers: initial authorization and dynamic authorization.

The dynamic authorization model allows an external policy server to dynamically send policies to the ISG. These operations can be initiated in-band by subscribers (through service selection) or through the actions of an administrator, or applications can change policies on the basis of an algorithm (for example, change session quality of service (QoS) at a certain time of day). This model is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling ISG and the external policy server each to act as a RADIUS client and server.

Examples

The following example configures the ISG to act as a AAA server when interacting with the client at IP address 10.76.86.90:

aaa server radius dynamic-author

 client 10.76.86.90 key cisco

 message-authenticator ignore

Related Commands

Command	Description
client	Specifies a RADIUS client from which an ISG will accept CoA and disconnect requests.

authenticate (control policy map class)

To initiate an authentication request for an Intelligent Service Architecture (ISA) subscriber session, use the authenticate command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.

action-number authenticate aaa list list-name

no authenticate aaa list list-name

Syntax Description

action-number	Number of the action. Actions are executed sequentially within the policy rule.
aaa list list-name	Specifies the authentication, authorization, and accounting (AAA) method list to which the authentication request will be sent.

Command Default

The control policy will not initiate authentication.

Command Modes

Control policy map class configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The authenticate command configures an action in a control policy map.

Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an ISA control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

Examples

The following example shows ISA configured to initiate an authentication request upon account logon. The authentication request will be sent to the AAA method list called "AUTH-LIST".

policy-map type control LOGIN

 class type control always event account-logon

  1 authenticate aaa list AUTH-LIST

  2 service-policy type service unapply BLIND-RDT

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISA control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISA control policy.

authenticate (service policy-map)

To specify authentication as a condition of service activation and initiate authentication requests for subscribers accessing a service, use the authenticate command in service policy-map configuration mode. To remove this specification, use the no form of this command.

authenticate aaa list name-of-list

no authenticate aaa list name-of-list

Syntax Description

aaa list name-of-list

Specifies the authentication, authorization, and accounting (AAA) method list to which the authentication request will be sent.

Command Default

Authentication is not specified as a condition of service activation.

Command Modes

Service policy-map configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The authenticate (service policy-map) command specifies authentication as a condition of service activation in an Intelligent Service Architecture (ISA) service policy map. Service policy maps define ISA subscriber services. Services can also be defined in service profiles. Service policy maps and service profiles serve the same purpose; the only difference between them is that a service policy map is defined on the local device using the policy-map type service command, and a service profile is configured on an external device, such as a AAA server.

Examples

The following example specifies authentication as a condition of service activation in the ISA service called "service1":

policy-map type service service1

 authenticate aaa list mlist

Related Commands

Command	Description
policy-map type service	Creates or modifies a service policy map, which is used to define an ISA subscriber service.
show policy-map type service	Displays the contents of all service policy maps or a specific service policy map.

authorize identifier

To initiate a request for authorization on the basis of a specified identifier, use the authorize identifier command in control policy map class configuration mode. To remove this action from the control policy map, use the no form of this command.

action-number authorize [aaa list list-name] [password password] [upon network-service-found {continue | stop}] identifier {authenticated-domain | authenticated-username | dnis | mac-address | nas-port | source-ip-address | tunnel-name | unauthenticated-domain | unauthenticated-username}

no action-number authorize [aaa list list-name] [password password] [upon network-service-found {contine | stop}] identifier {authenticated-domain | authenticated-username | dnis | mac-address | nas-port | source-ip-address | tunnel-name | unauthenticated-domain | unauthenticated-username}

Syntax Description

action-number	Number of the action. Actions are executed sequentially within the policy rule.
aaa list list-name	(Optional) Specifies the authentication, authorization, and accounting (AAA) method list to which the authorization request will be sent.
password password	(Optional) Password to be used for AAA requests.
upon network-service-found continue	Specifies that when a network service for the session is identified, actions in the policy rule will continue to be executed. The network service will be applied later. This is the default.
upon network-service-found stop	Specifies that when a network service for the session is identified, actions in the policy rule will no longer be executed, and the network service will be applied.
authenticated-domain	Authenticated domain name.
authenticated-username	Authenticated username.
dnis	Dialed Number Identification Service number(also referred to as the called-party number)
mac-address	MAC address.
nas-port	Network access server (NAS) port identifier.
source-ip-address	Source IP address.
tunnel-name	Virtual Private Dialup Network (VPDN) tunnel name.
unauthenticated-domain	Unauthenticated domain name.
unauthenticated-username	Unauthenticated username.

Command Default

The control policy will not initiate authorization.

Command Modes

Control policy map class configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The authorize identifier command configures an action in a control policy map.

Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Service Architecture (ISA) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

Examples

In the following example, ISA is configured to send a request for authorization on the basis of the source IP address. The system will perform this action at session start when the conditions that are defined in control class "CONDA" are met.

policy-map type control RULEA

 class type control CONDA event session-start

  1 authorize aaa list TAL_LIST password cisco identifier source-ip-address

  2 service-policy type service aaa list LOCAL service redirectprofile

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISA control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISA control policy.

auth-type

To specify the type of authorization Intelligent Service Gateway (ISG) will use for RADIUS clients, use the auth-type command in dynamic authorization local server configuration mode. To return to the default authorization type, use the no form of this command.

auth-type {all | any | session-key}

no auth-type {all | any | session-key}

Syntax Description

all	All attributes must match for authorization to be successful.
any	Any attribute must match for authorization to be successful.
session-key	The session-key attribute must match for authorization to be successful.

Command Default

All attributes must match for authorization to be successful.

Command Modes

Dynamic authorization local server configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

An ISG can be configured to allow external policy servers to dynamically send policies to the ISG. This functionality is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer to peer capability to RADIUS, enabling ISG and the external policy server each to act as a RADIUS client and server. Use the auth-type command to specify the type of authorization ISG will use for RADIUS clients.

Examples

The following example configures the ISG authorization type:

aaa server radius dynamic-author

 client 10.0.0.1

 auth-type any

Related Commands

Command	Description
aaa server radius dynamic-author	Configures an ISG as a AAA server to facilitate interaction with an external policy server.

available

To create a condition that will evaluate true if the specified subscriber identifier is locally available, use the available command in control class map configuration mode. To remove this condition, use the no form of this command.

available {authen-status | authenticated-domain | authenticated-username | dnis | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}

no available {authen-status | authenticated-domain | authenticated-username | dnis | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}

Syntax Description

authen-status	Subscriber authentication status.
authenticated-domain	Authenticated domain name.
authenticated-username	Authenticated username.
dnis	Dialed Number Identification Service number (called-party number).
media	Subscriber access media type.
mlp-negotiated	Identifier indicating that the session was established using multilink PPP negotiation.
nas-port	NAS port identifier.
no-username	Identifier indicating that the username is not available.
protocol	Subscriber access protocol type.
service-name	Service name currently associated with user.
source-ip-address	Source IP address.
timer	Policy timer name.
tunnel-name	Virtual Private Dial-Up Network (VPDN) tunnel name.
unauthenticated-domain	Unauthenticated domain name.
unauthenticated-username	Unauthenticated username.

Command Default

A condition that will evaluate true if the specified subscriber identifier is locally available is not created.

Command Modes

Control class map configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The available command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".

class-map type control match-all class3

  match access-type pppoe

  match domain cisco.com

  available nas-port-id

!

policy-map type control rule4

  class type control class3

   authorize nas-port-id

!

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control	Creates or modifies an ISA control class map.
policy-map type control	Create or modifies a control policy map, which defines an ISA control policy.

class-map type control

To create an Intelligent Service Architecture (ISA) control class map, which defines the conditions under which the actions of a control policy map will be executed, use the class-map type control command in global configuration mode. To remove a control class map, use the no form of this command.

class-map type control [match-all | match-any | match-none] class-map-name

no class-map type control [match-all | match-any | match-none] class-map-name

Syntax Description

match-all	(Optional) The class map evaluates true if all of the conditions in the class map evaluates true.
match-any	(Optional) The class map evaluates true if any of the conditions in the class map evaluates true.
match-none	(Optional) The class map evaluates true if none of the conditions in the class map evaluates true.
class-map-name	Name of the class map.

Command Default

A control class map is not created.

Command Modes

Global configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

A control class map specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Use the match-any, match-all, and match-none keywords to specify which, if any, conditions must evaluate true before the control policy will be executed.

A control policy map, which is configured with the policy-map type control command, contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Use the class type control command to associate a control class map with a control policy map.

Examples

The following example shows how to configure a control policy in which virtual private dial-up network (VPDN) forwarding is applied to anyone dialing in from "xyz.com":

class-map type control match-all MY-FORWARDED-USERS

 match unauthenticated-domain "xyz.com"

!

policy-map type control MY-POLICY

 class type control MY-FORWARDED-USERS event session-start

  1 apply identifier nas-port

  2 service local

!

interface Dialer1

 service-policy type control MY-POLICY

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISA control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISA control policy.

class-map type traffic

To create or modify a traffic class map, which is used for matching packets to a specified Intelligent Service Architecture (ISA) traffic class, use the class-map type traffic command in global configuration mode. To remove a traffic class map, use the no form of this command.

class-map type traffic match-any class-map-name

no class-map type traffic match-any class-map-name

Syntax Description

match-any	Indicates that packets must meet one of the match criteria in order to be considered a member of the class.
class-map-name	Name of the class map.

Command Default

A traffic class map is not created.

Command Modes

Global configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

Use the class-map type traffic command to specify the name of the ISA traffic class for which you want to create or modify traffic class map match criteria. Use of the class-map type traffic command enables traffic class-map configuration mode, in which you can enter match commands to configure the match criteria for this class. Packets are checked against the match criteria configured for a class map to determine if the packet belongs to that traffic class.

ISA traffic classes allow subscriber session traffic to be subclassified so that ISA features can be applied to constituent flows. Traffic policies, which define the handling of data packets, contain a traffic class and one or more features.

Once a traffic class map has been defined, use the class type traffic command to associate the traffic class map with a service policy map. A service can contain one traffic class, and the default class.

Examples

The following example shows the configuration of a traffic class map called "CLASS-ACL-101". The class map is defined so that input traffic matching access list 101 will match the class. The traffic class map is then referenced in service policy map "mp3".

class-map type traffic CLASS-ACL-101

 match access-group input 101

!

policy-map type service mp3

 class type traffic CLASS-ACL-101

  authentication method-list cp-mlist

  accounting method-list cp-mlist

  prepaid conf-prepaid 

Related Commands

Command	Description
class type traffic	Specifies a named traffic class whose policy you want to create or change or specifies the default traffic class in order to configure its policy.
match access-group (ISA)	Configures the match criteria for a class map on the basis of the specified access control list (ACL).

classname

To associate a Dynamic Host Configuration Protocol (DHCP) pool or remote DHCP server with an Intelligent Service Architecture (ISA) service policy map, use the classname command in service policy map configuration mode. To remove this association, use the no form of this command.

classname class-name

no classname class-name

Syntax Description

class-name

Class name associated with a DHCP pool or remote server.

Command Default

An ISA service is not associated with a DHCP pool.

Command Modes

Service policy map configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

ISA can influence the IP address pool and the DHCP server that are used to assign subscriber IP addresses. To enable ISA to influence the IP addresses assignedto subscribers, you associate a DHCP address pool class with an address domain. The DHCP address pool class must also be configured in a service policy map, service profile, or user profile, which is associated with a subscriber. When a DHCP request is received from a subscriber, DHCP uses the address pool class that is associated with the subscriber to determine which DHCP address pool should be used to service the request. As a result, on a per-request basis, an IP address is provided by the local DHCP server or relayed to a remote DHCP server that is defined in the selected pool.

Examples

In the following example, the DHCP class "blue" is specified in the service "my_service". When "my_service" is activated, the local DHCP component will provide a new IP address from the pool "blue-pool" because (a) the classes match and (b) the subnet defined in "relay source" corresponds to one of the subnets defined at the interface. Hence the DHCP DISCOVER packet is relayed to the server at address 12.10.2.1, and the local DHCP component acts as a relay.

ip dhcp pool blue-pool

 relay source 20.1.0.0 255.255.0.0

 class blue

  relay destination 12.10.2.1 vrf blue

policy-map type service my_service

 classname blue

Related Commands

Command	Description
policy-map type service	Creates or modifies a service policy map, which is used to define an ISA service.

class type control

To specify a control class for which actions may be configured in an Intelligent Service Architecture (ISA) control policy map, use the class type control command in control policy map configuration mode. To remove the control class from the control policy map, use the no form of this command.

class type control {control-class-name | always} [event {account-logon | credit-exhausted | quota-depleted | service-start | service-stop | session-default-service | session-service-found | session-start | timed-policy-expiry}

no class type control {control-class-name | always} [event {account-logon | credit-exhausted | quota-depleted | service-start | service-stop | session-default-service | session-service-found | session-start | timed-policy-expiry}

Syntax Description

control-class-name	Name of the control class map.
always	Creates a control class that always evaluates true.
event	Causes the control class to be evaluated upon occurrence of a specific event.
account-logon	Event that occurs upon account logon.
credit-exhausted	Event that occurs when the prepaid billing server returns a quota of zero and a prepaid idle timeout greater than zero.
quota-depleted	Event that occurs when the allocated quota has been used up.
service-start	Event that occurs upon receipt of a request to start a service.
service-stop	Event that occurs upon receipt of a request to stop a service.
session-default-service	Event that occurs when ISA has provided a default service.
session-service-found	Event that occurs when a network policy has been determined for the session.
session-start	Event that occurs upon session start.
timed-policy-expiry	Event that occurs when a timed policy expires.

Command Default

A control class is not specified in a control policy map.

Command Modes

Control policy map configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

A control class map defines the conditions that must be met and events that must occur before a set of actions will be executed. Use the class type control command to associate a control class map with one or more actions in a control policy map. The association of a control class and a set of actions is called a control policy rule.

Using the class type control command with the always keyword creates a control policy rule that will always be treated as the lowest-priority rule in a control policy map.

To create a named control class map, use the class-map type control command.

Examples

The following example shows the configuration of a class map called "class3". The class type control command adds "class3" to the the control policy map "policy1". When "class3" evaluates true, the action associated with the class will be executed.

class-map type control match-all class3

  match access-type pppoe

  match domain cisco.com

  available nas-port-id

!

policy-map type control policy1

  class type control class3

   authorize nas-port-id

!

service-policy type control rule4

Related Commands

Command	Description
class-map type control	Creates an ISA control class map.
policy-map type control	Creates or modifies a control policy map, which defines an ISA control policy.
service-policy type control	Applies a control policy to a context.

class type traffic

To specify the Intelligent Service Architecture (ISA) traffic class whose policy you want to create or change or to specify the default traffic class in order to configure its policy, use the class type traffic command in service policy-map configuration mode. To remove a class from the service policy map, use the no form of this command.

class type traffic {class-map-name | default}

no class type traffic {class-map-name | default}

Syntax Description

class-map-name	Name of a previously configured traffic class map.
default	Specifies the default traffic class.

Command Default

A traffic class is not specified.

Command Modes

Service policy map configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

Before you can specify a named traffic class map in a service policy map, the traffic class map must be configured using the class-map type traffic command.

The default traffic class map handles all the traffic that is not handled by other traffic classes in the service. The default policy of the default traffic class is to pass traffic. You can also configure the default traffic class to drop traffic.

Examples

The following example shows the configuration of the traffic class "UNAUTHORIZED_TRAFFIC":

class-map type traffic UNAUTHORIZED_TRAFFIC

 match access-group input 100

policy-map type service UNAUTHORIZED_REDIRECT_SVC

 class type traffic UNAUTHORIZED_TRAFFIC

  redirect to ip 10.0.0.148 port 8080

The following example shows the configuration of the default traffic class:

policy-map type service SERVICE1

 class type traffic CLASS1

  prepaid-config PREPAID

 class type traffic default

  drop

Related Commands

Command	Description
class-map type traffic	Creates or modifies a traffic class map, which is used for matching packets to a specified ISA traffic class
policy-map type service	Creates or modifies a service policy map, which is used to define an ISA subscriber service.
show class-map type traffic	Displays traffic class maps and their matching criteria.

clear class-map type control

To clear the Intelligent Service Architecture (ISA) control class map counters, use the clear class-map type control command in privileged EXEC mode.

clear class-map type control

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Examples

The following example shows how to clear the control class map counters:

Router# clear class-map type control

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control	Creates an ISA control class map.
show class-map type control	Displays information about ISA control class maps.

clear policy-map type control

To clear the Intelligent Service Architecture (ISA) control policy map counters, use the clear policy-map type control command in privileged EXEC mode.

clear policy-map type control

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Examples

The following example shows how to clear the control policy map counters:

Router# clear policy-map type control

Related Commands

Command	Description
policy-map type control	Creates or modifies a control policy map, which defines an ISA control policy.
show class-map type control	Displays information about ISA control class maps.

client

To specify a RADIUS client from which an Intelligent Service Gateway (ISG) will accept Change of Authorization (CoA) and disconnect requests, use the client command in dynamic authorization local server configuration mode. To remove this specification, use the no form of this command.

client {name | ip-address} [key [0 | 7] word] [vrf vrf-id]

no client {name | ip-address} [key {0 | 7 | line}] [vrf vrf-id]

Syntax Description

name	Hostname of the RADIUS client.
ip-address	IP address of the RADIUS client.
key	(Optional) Configures the RADIUS key to be shared between ISA and a RADIUS client.
0	(Optional) Specifies that an unencrypted key will follow.
7	(Optional) Specifies that a hidden key will follow
word	(Optional) Unencrypted server key.
vrf vrf-id	(Optional) VRF ID of the client.

Command Default

CoA and disconnect requests are dropped.

Command Modes

Dynamic authorization local server configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

An Intelligent Service Gateway (ISG) can be configured to allow external policy servers to dynamically send policies to the ISG. This functionality is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer to peer capability to RADIUS, enabling ISG and the external policy server each to act as a RADIUS client and server. Use the client command to specify the RADIUS clients for which the ISG will act as server.

Examples

The following example configures the ISG to accept requests from the RADIUS client at IP address 10.0.0.1:

aaa server radius dynamic-author

 client 10.0.0.1 key cisco 

Related Commands

Command	Description
aaa server radius dynamic-author	Configures an ISG as a AAA server to facilitate interaction with an external policy server.

collect identifier

To collect the specified subscriber identifier from the access protocol, use the collect identifier command in control policy map class configuration mode. To remove this action from the control policy map, use the no form of this command.

action-number collect [aaa list list-name] identifier {authen-status | authenticated-domain | authenticated-username | dnis | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}

no action-number collect [aaa list list-name] identifier {authen-status | authenticated-domain | authenticated-username | dnis | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}

Syntax Description

action-number	Number of the action. Actions are executed sequentially within the policy rule.
aaa list list-name	(Optional) Specifies the authentication, authorization, and accounting (AAA) method list to which the authorization request will be sent.
authen-status	Subscriber authentication status.
authenticated-domain	Authenticated domain name.
authenticated-username	Authenticated username.
dnis	Dialed Number Identification Service number(also referred to as the called-party number)
media	Subscriber access media type.
mlp-negotiated	Value indicating that the subscriber session was established using multilink PPP negotiation.
nas-port	Network access server (NAS) port identifier.
no-username	No username available.
protocol	Subscriber access protocol type.
service-name	Service name currently associated with user.
source-ip-address	Source IP address.
timer	Timer name.
tunnel-name	Virtual Private Dialup Network (VPDN) tunnel name.
unauthenticated-domain	Unauthenticated domain name.
unauthenticated-username	Unauthenticated username.

Command Default

A control policy will not collect subscriber identifiers.

Command Modes

Control policy map class configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The collect identifier command configures an action in a control policy map.

Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an ISA control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

Examples

The following example shows how to configure ISA to collect a subscriber's authentication status at session start:

policy-map type control policy1

 class type control always event session-start

  1 collect identifier authen-status

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISA control policy map.
policy-map type control	Creates or modifies a control policy map, which defines an ISA control policy.

drop (ISA)

To configure an Intelligent Service Gateway (ISG) to discard packets belonging to the default traffic class, use the drop command in service policy-map class configuration mode. To disable the packet-discarding action, use the no form of this command.

drop

no drop

Syntax Description

This command has no arguments or keywords.

Command Default

Packets will be passed.

Command Modes

Service policy map configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The drop command can only be configured in the default class of an ISA service policy map. The default traffic class handles all the traffic that is not handled by other traffic classes in a service.

Examples

The following example shows the default class configured to drop traffic for the service "SERVICE1":

policy-map type service SERVICE1

 class type traffic CLASS1

  prepaid-config PREPAID

 class type traffic default

  drop

Related Commands

Command	Description
class type traffic	Specifies a named traffic class whose policy you want to create or change or specifies the default traffic class in order to configure its policy.
policy-map type service	Creates or modifies a service policy map, which is used to define an ISA subscriber service.
show class-map type traffic	Displays traffic class maps and their matching criteria.

greater-than

To create a condition that will evaluate true if the subscriber network access server (NAS) port identifier is greater than the specified value, use the greater-than command in control class map configuration mode. To remove the condition, use the no form of this command.

greater-than [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

no greater-than [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

Syntax Description

not	(Optional) Negates the sense of the test.
nas-port	NAS port identifier.
adapter adapter-number	Interface adapter number.
channel channel-number	Interface channel number.
ipaddr ip-address	IP address.
port port-number	Port number.
shelf shelf-number	Interface shelf number.
slot slot-number	Slot number.
sub-interface sub-interface-number	Subinterface number.
type interface-type	Interface type.
vci vci-number	Virtual channel identifier (VCI).
vlan vlan-id	VLAN ID.
vpi vpi-number	Virtual path identifier.

Command Default

A condition that will evaluate true if the subscriber NAS port identifier is greater than the specified value is not created.

Command Modes

Control class map configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The greater-than command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map that evaluates true for only a specific range of ATM permanent virtual circuit (PVC) VCIs, 101-104 inclusive:

class-map type type control match-any MY-CONDITION

 greater-than nas-port type atm vpi 200 vci 100

 less-than nas-port type atm vpi 200 vci 105

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control	Creates an ISA control class map.
policy-map type control	Creates or modifies a control policy map, which defines an ISA control policy.

greater-than-or-equal

To create a condition that will evaluate true if the subscriber identifier is greater than or equal to the specified value, use the greater-than-or-equal command in control class map configuration mode. To remove the condition, use the no form of this command.

greater-than-or-equal [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

no greater-than-or-equal [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

Syntax Description

not	(Optional) Negates the sense of the test.
nas-port	NAS port identifier.
adapter adapter-number	Interface adapter number.
channel channel-number	Interface channel number.
ipaddr ip-address	IP address.
port port-number	Port number.
shelf shelf-number	Interface shelf number.
slot slot-number	Slot number.
sub-interface sub-interface-number	Subinterface number.
type interface-type	Interface type.
vci vci-number	Virtual channel identifier.
vlan vlan-id	VLAN ID.
vpi vpi-number	Virtual path identifier.

Command Default

A condition that will evaluate true if the subscriber identifier is greater than or equal to the specified value is not created.

Command Modes

Control class map configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The greater-than-or-equal command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".

class-map type control match-all class3

 greater-than-or-equal nas-port port 1000  

!         

policy-map type control rule4

  class type control class3 event session-start

   1 authorize identifier nas-port

!

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control	Creates an ISA control class map.
policy-map type control	Creates or modifies a control policy map, which defines an ISA control policy.

identifier interface

To create an Intelligent Service Agent (ISA) IP interface session, use the identifier interface command in IP subscriber configuration mode. To remove the IP interface session, use the no form of this command.

identifier interface

no identifier interface

Syntax Description

This command has no arguments or keywords.

Command Default

An ISA IP interface session is not created.

Command Modes

IP subscriber configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

An IP interface session includes all IP traffic received on a specific physical or virtual interface. IP interface sessions are provisioned through the command-line interface (CLI), that is, the session is created when the IP interface session commands are entered.

IP interface sessions might be used in situations in which a subscriber is represented by an interface (with the exception of PPP) and communicates using more than one IP address. For example, a subscriber using routed bridge encapsulation (RBE) access might have a dedicated ATM virtual circuit (VC) to home customer premises equipment (CPE) that is hosting multiple PCs.

Examples

The following example shows an IP interface session configured on Ethernet interface 0/0:

interface ethernet0/0

 ip subscriber

  identifier interface

Related Commands

Command	Description
identifier ip src-addr	Enables an ISG to create an IP session upon detection of the first IP packet from an unidentified subscriber.
ip subscriber	Enables ISA IP subscriber configuration mode.

identifier ip src-addr

To enable an Intelligent Service Gateway (ISG) to create an IP session upon detection of the first IP packet from an unidentified subscriber, use the identifier ip src-addr command in IP subscriber configuration mode. To disable IP session creation upon receipt of IP packets from unidentified subscribers, use the no form of this command.

identifier ip src-addr [match access-list-number]

no identifier ip src-addr [match access-list-number]

Syntax Description

match access-list-number

(Optional) Causes IP sessions to be created only for subscriber traffic matching the access list.

Command Default

An ISG does not create IP sessions upon detection of the first IP packet from an unidentified subscriber.

Command Modes

IP subscriber configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

An ISA subscriber IP session includes all the traffic that is associated with a single subscriber IP address. An IP subnet session includes all the IP traffic that is associated with a single IP subnet.

IP subnet sessions are created the same way as IP sessions, except that when a subscriber is authorized or authenticated and the Framed-IP-Netmask attribute is present in the user or service profile, the ISG converts the source-IP-based session into a subnet session with the subnet value in the Framed-IP-Netmask attribute.

Examples

The followin example shows how to configure an ISG to create IP sessions upon detection of the first IP packet from unidentified subscribers:

interface ethernet0/0

 ip subscriber

  identifier ip src-addr

Related Commands

Command	Description
ip subscriber	Enables ISA IP subscriber configuration mode.
identifier interface	Creates an ISA IP interface session.

if upon network-service-found

To specify whether the system should continue processing policy rules once a subscriber's network service has been identified, use the if upon network-service-found command in control policy map class configuration mode. To remove this action from the control policy map, use the no form of this command.

action-number if upon network-service-found {continue | stop}

no action-number if upon network-service-found {continue | stop}

Syntax Description

action-number	Number of the action. Actions are executed sequentially within the policy rule.
continue	Specifies that when a network service for the session is identified, actions in the policy rule will continue to be executed. This is the default.
stop	Specifies that when a network service for the session is identified, no more actions in the policy rule will be executed.

Command Default

Actions will continue to be executed when a subscriber's network service is identified.

Command Modes

Control policy map class configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The if upon network-service-found command configures an action in a control policy map.

Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Service Architecture (ISA) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

Examples

The following example shows how to configure ISA to stop executing actions once the subscriber's network service has been found:

policy-map type control policy1

 class type control always event session-start

  1 if upon network-service-found stop

ignore

To configure an Intelligent Service Gateway (ISG) to ignore specific parameters in requests from RADIUS clients, use the ignore command in dynamic authorization local server configuration mode. To reinstate the default behavior, use the no form of this command.

ignore {session-key | server-key}

no ignore {session-key | server-key}

Syntax Description

session-key	Configures ISG to ignore the session key.
server-key	Configures ISG to ignore the server key.

Command Default

The ISG will not ignore the session key or server key.

Command Modes

Dynamic authorization local server configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

An ISG can be configured to allow external policy servers to dynamically send policies to the ISG. This functionality is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer to peer capability to RADIUS, enabling ISG and the external policy server each to act as a RADIUS client and server. Use the ignore command to configure the ISG to ignore the server key or session key in requests from RADIUS clients.

Examples

The following example configures ISG to ignore the server key in requests from RADIUS clients:

aaa server radius dynamic-author

 client 10.0.0.1

 ignore server-key

Related Commands

Command	Description
aaa server radius dynamic-author	Configures an ISG as a AAA server to facilitate interaction with an external policy server.

initiator dhcp

To enable an Intelligent Service Gateway (ISG) to create IP sessions upon receipt of DHCP DISCOVER packets, use the initiator dhcp command in IP subscriber configuration mode. To disable IP session creation in response to DHCP DISCOVER packets, use the no form of this command.

initiator dhcp [class-aware]

no initiator dhcp [class-aware]

Syntax Description

class-aware

(Optional) Allows an ISG to influence the IP address assigned by DHCP by providing DHCP with a class name.

Command Default

IP sessions are not created upon receipt of DHCP DISCOVER packets.

Command Modes

IP subscriber configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

DHCP and ISA IP Session Creation

If the following conditions are met, receipt of a DHCP DISCOVER packet will trigger the creation of an IP session:

•ISG serves as a DHCP relay or server for new IP address assignments.

•Subscribers are configured for DHCP.

•The DHCP DISCOVER packet is the first DHCP request received from the subscriber.

DHCP and ISA IP Address Assignment

When ISG is in the path of DHCP requests (either as a DHCP server or relay), the ISG can influence the IP address pool and DHCP server that is used to assign subscriber IP addresses. To enable ISA to influence the IP addresses assigned subscribers, you associate a DHCP address pool class with an address domain. When a DHCP request is received from a subscriber, DHCP uses the address pool class that is associated with the subscriber to determine which DHCP address pool should be used to service the request. As a result, on a per-request basis, an IP address is provided by the local DHCP server or relayed to a remote DHCP server that is defined in the selected pool. The class-aware keyword enables the ISG to provide DHCP with a class name

Examples

The following example shows how to configure ISA to create IP sessions upon receipt of DHCP DISCOVER packets:

interface ethernet0/0

 ip subscriber

  initiator dhcp

Related Commands

Command	Description
ip subscriber	Enables ISA IP subscriber configuration mode.

interim-interval

To specify the interval at which the Intelligent Service Gateway (ISG) sends interim prepaid accounting records, use the interim-interval command in prepaid configuration mode. To disable interim prepaid accounting, use the no form of this command.

interim-interval number-of-minutes

no interim-interval number-of-minutes

Syntax Description

number-of-minutes

Interval, in minutes, between prepaid accounting record updates. Range is from 1 to 1440.

Command Default

Interim prepaid accounting is not enabled.

Command Modes

Prepaid configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

When the interim-interval command is configured, the ISG sends accounting records at the specified interval so there will be written log of accounting events that occurred between the Accounting-Start and Accounting-Stop records.

Examples

The following example shows an Intelligent Service Architecture (ISA) prepaid feature configuration in which the interval for interim prepaid accounting is set to 5 minutes:

subscriber feature prepaid conf-prepaid

 interim-interval 5

 threshold time 20

 threshold volume 0

 method-list accounting ap-mlist

 method-list authorization default

 password cisco

Related Commands

Command	Description
prepaid config	Enables prepaid billing for an ISA service and references a configuration of prepaid billing parameters.
subscriber feature prepaid	Creates or modifies a configuration of ISA prepaid billing parameters that can be referenced from a service policy map or service profile

ip access-group

To apply an access control list to control packet access, use the ip access-group command in the appropriate configuration mode. To remove the specified access group, use the no form of this command.

ip access-group {access-list-number | access-list-name}{in | out}

no ip access-group {access-list-number | access-list-name}{in | out}

Syntax Description

access-list-number	Number of an access list. This is a decimal number from 1 to 199 or from 1300 to 2699.
access-list-name	Name of an IP access list as specified by an ip access-list command.
in	Filters on inbound packets.
out	Filters on outbound packets.

Command Default

An access list is not applied.

Command Modes

Interface configuration
Service policy map configuration

Command History

Release	Modification
10.0	This command was introduced.
11.2	The access-list-name argument was added.
12.2(27)SBA	This command was made available in service policy map configuration mode.

Usage Guidelines

If the specified access list does not exist, all packets are passed.

Applying Access Lists to Interfaces

Access lists can be applied on either outbound or inbound interfaces. For standard inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.

For standard outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.

When you enable outbound access lists, you automatically disable autonomous switching for that interface. When you enable input access lists on any CBus or CxBus interface, you automatically disable autonomous switching for all interfaces (with one exception—an SSE configured with simple access lists can still switch packets, on output only).

Applying Access Lists to Service Policy Maps

You can use the ip access-group command to configure ISA per-subscriber firewalls. Per-subscriber firewalls are Cisco IOS ACLs that are used to prevent subscribers, services, and pass-through traffic from accessing specific IP addresses and ports.

ACLs can be configured in user profiles or service profiles on a AAA server or in service policy maps on an ISG. The ACLs can be numbered or named access lists that are configured on the ISG, or the ACL statements can be included in the profile configuration.

When an ACL is added to a service, all subscribers of that service are prevented from accessing the specified IP address, subnet mask, and port combinations through the service.

Examples

The following example applies list 101 on packets outbound from Ethernet interface 0:

interface ethernet 0

 ip access-group 101 out

Related Commands

Command	Description
access-list (IP extended)	Defines an extended IP access list.
access-list (IP standard)	Defines a standard IP access list.
ip access-list	Defines an IP access list by name.
show access-lists	Displays the contents of current IP and rate-limit access lists.

ip portbundle (global)

To enter portbundle configuration mode, in which Intelligent Service Architecture (ISA) port-bundle host key parameters can be configured, use the ip portbundle command in global configuration mode. To remove the configuration of the port-bundle host key parameters and release all the port bundles in use, use the no form of this command.

ip portbundle

no ip portbundle

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Global configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

Entering the no ip portbundle command in global configuration mode removes the configuration of port-bundle host key parameters and releases all the port bundles in use by the sessions.

Examples

The following example shows how to configure the ISA Port-Bundle Host Key feature to apply to all sessions:

policy-map type service ISGPBHKService

 ip portbundle 

! 

policy-map type control PBHKRule 

 class type control always event session-start 

  1 service-policy type service ISGPBHKService

! 

service-policy type control PBHKRule 

interface ethernet0/0

 ip address 10.1.1.1 255.255.255.0

 ip portbundle outside

!

ip portbundle

 match access-list 101

 length 5

 source ethernet0/0

Related Commands

Command	Description
ip portbundle (global)	Enters portbundle configuration mode, in which ISA port-bundle host key parameters can be configured.
ip portbundle outside	Configures the ISG to reverse translate the destination IP address and TCP port to the actual subscriber IP address and TCP port for traffic going from the portal to the subscriber.
length	Specifies the ISA port-bundle length.
match access-list	Specifies packets for port-mapping by specifying an access list to compare against the subscriber traffic.
show ip portbundle ip	Displays information about a particular ISA port bundle.
show ip portbundle status	Displays information about ISA port-bundle groups.
source	Specifies the interface for which the main IP address will be mapped by the ISG to the destination IP addresses in subscriber traffic.

ip portbundle (service policy-map)

To enable the Intelligent Service Architecture (ISA) Port-Bundle Host Key feature for a service, use the ip portbundle command in service policy-map configuration mode. To disable the ISA Port-Bundle Host Key feature, use the no form of this command.

ip portbundle

no ip portbundle

Syntax Description

This command has no arguments or keywords.

Command Default

ISA Port-Bundle Host Key feature is not enabled.

Command Modes

Service policy-map configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

When the ISA Port-Bundle Host Key feature is configured, TCP packets from subscribers are mapped to a local IP address for the ISG and a range of ports. This mapping allows the portal to identify the ISA gateway from which the session originated.

The ISA Port-Bundle Host Key feature can be enabled in a service policy map on the router by using the ip portbundle command. The feature can also be enabled in a service profile or user profile on a AAA server.

Examples

The following example shows how to configure the ISA Port-Bundle Host Key feature to apply to all sessions. The ISA Port-Bundle Host Key feature is enabled in the service policy map called "ISGPBHKService".

policy-map type service ISGPBHKService

 ip portbundle 

! 

policy-map type control PBHKRule 

 class type control always event session-start 

  1 service-policy type service ISGPBHKService

! 

service-policy type control PBHKRule 

interface ethernet0/0

 ip address 10.1.1.1 255.255.255.0

 ip portbundle outside

!

ip portbundle

 match access-list 101

 length 5

 source ethernet0/0

Related Commands

Command	Description
ip portbundle (global)	Enters portbundle configuration mode, in which ISA port-bundle host key parameters can be configured.
ip portbundle outside	Configures the ISG to reverse translate the destination IP address and TCP port to the actual subscriber IP address and TCP port for traffic going from the portal to the subscriber.
policy-map type service	Create or modifies a service policy map, which is used to define an ISA subscriber service.
show ip portbundle ip	Displays information about a particular ISA port bundle.
show ip portbundle status	Displays information about ISA port-bundle groups.

ip portbundle outside

To configure an Intelligent Service Gateway (ISG) to reverse translate the destination IP address and TCP port to the actual subscriber IP address and TCP port for traffic going from the portal to the subscriber, use the ip portbundle outside command in interface configuration mode. To disable ISA port-bundle host key reverse translation, use the no form of this command.

ip portbundle outside

no ip portbundle outside

Syntax Description

This command has no arguments or keywords.

Command Default

Reverse translation does not occur.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The ip portbundle outside command must be configured on ISA interfaces that reach the portal.

Examples

The following example configures ISA to reverse translate the destination IP address and TCP port to the actual subscriber IP address and TCP port for traffic going from the portal to the subscriber. Ethernet interface 0/0 is an interface that reaches the portal.

interface ethernet0/0

 ip address 10.1.1.1 255.255.255.0

 ip portbundle outside

Related Commands

Command	Description
ip portbundle (service policy-map)	Enables the ISA Port-Bundle Host Key feature for a service
ip portbundle (global)	Enters portbundle configuration mode, in which ISA port-bundle host key parameters can be configured.
show ip portbundle ip	Displays information about a particular ISA port bundle.
show ip portbundle status	Displays information about ISA port-bundle groups.

ip subscriber

To enable Intelligent Service Agent (ISA) IP subscriber configuration mode, use the ip subscriber command in interface configuration mode. To disable ISA IP session support on an interface, use the no form of this command.

ip subscriber

no ip subscriber

Syntax Description

This command has no arguments or keywords.

Command Default

ISA IP subscriber configuration mode is not enabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The ip subscriber command enables IP subscriber configuration mode, in which you can configure IP session classifiers and enable IP sessions to be created on the interface.

Use the no ip subscriber command to disable IP session support on the interface. Entering the no ip subscriber command removes the commands that were entered in IP subscriber configuration submode from the configuration. It also removes the ip subscriber command from the configuration. After the no ip subscriber command has been entered, no new IP sessions will be created on the interface. IP sessions that were already created will not be brought down, but ISA will not execute any features on those sessions.

Examples

The following example shows an IP interface session configured on Ethernet interface 0/0:

interface ethernet0/0

 ip subscriber

  identifier interface

Related Commands

Command	Description
identifier interface	Creates an ISA IP interface session.
identifier ip src-addr	Enables an ISG to create an IP session upon detection of the first IP packet from an unidentified subscriber.

ip vrf forwarding (service policy map)

To associate a virtual routing/forwarding instance (VRF) with an Intelligent Service Architecture (ISA) service policy map, use the ip vrf forwarding command in service policy map configuration mode. To disassociate a VRF, use the no form of this command.

ip vrf forwarding vrf-name

no ip vrf forwarding vrf-name

Syntax Description

vrf-name

Associates the service with the specified VRF.

Command Default

A VRF is not specified.

Command Modes

Service policy map configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

Use the ip vrf forwarding command to configure a network-forwarding policy for IP sessions in an ISA service policy map.

Examples

The following example shows a service policy map configured with a network-forwarding policy for IP sessions:

policy-map type service my_service

 ip vrf forwarding vrf1

Related Commands

Command	Description
ip route vrf	Establishes static routes for a VRF.
ip vrf	Configures a VRF routing table.
policy-map type service	Creates or modifies a service policy map, which is used to define an ISA service.

length (ISA)

To specify the Intelligent Service Architecture (ISA) port-bundle length, which determines the number of bundles per group and the number of ports per bundle, use the length command in portbundle configuration mode. To return the port-bundle length to the default value, use the no form of this command.

length bits

no length bits

Syntax Description

bits	Port-bundle length, in bits. The range is from 0 to 10 bits. The default is 4 bits.

Command Default

The port-bundle length has a default value of 4 bits.

Command Modes

Portbundle configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The port-bundle length is used to determine the number of bundles in one group and the number of ports in one bundle. The number of ports in a bundle is the number of simultaneous TCP sessions that a subscriber can have. By default, the port-bundle length is 4 bits. The maximum port-bundle length is 10 bits. See Table 2 for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. Increasing the port-bundle length can be useful when you see frequent error messages about running out of ports in a port bundle, but note that the new value does not take effect until ISA next reloads and the portal server restarts.

---

Note You must configure the same port-bundle length on both ISA and the portal.

---

Table 2 Port-Bundle Lengths and Resulting Port-per-Bundle and Bundle-per-Group Values 

Port-Bundle Length (in Bits)	Number of Ports per Bundle	Number of Bundles per Group (and per-SSG Source IP Address)
0	1	64512
1	2	32256
2	4	16128
3	8	8064
4 (default)	16	4032
5	32	2016
6	64	1008
7	128	504
8	256	252
9	512	126
10	1024	63

Examples

The following example results in 64 ports per bundle and 1008 bundles per group:

ip portbundle

 length 6

Related Commands

Command	Description
ip portbundle (global)	Enters portbundle configuration mode, in which ISA port-bundle host key parameters can be configured.
show ip portbundle ip	Displays information about a particular ISA port bundle.
show ip portbundle status	Displays information about ISA port-bundle groups.

less-than

To create a condition that will evaluate true if the subscriber network access server (NAS) port identifier is less than the specified value, use the less-than command in control class map configuration mode. To remove the condition, use the no form of this command.

less-than [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

no less-than [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

Syntax Description

not	(Optional) Negates the sense of the test.
nas-port	NAS port identifier.
adapter adapter-number	Interface adapter number.
channel channel-number	Interface channel number.
ipaddr ip-address	IP address.
port port-number	Port number.
shelf shelf-number	Interface shelf number.
slot slot-number	Slot number.
sub-interface sub-interface-number	Subinterface number.
type interface-type	Interface type.
vci vci-number	Virtual channel identifier (VCI).
vlan vlan-id	VLAN ID.
vpi vpi-number	Virtual path identifier.

Command Default

A condition that will evaluate true if the subscriber network access server (NAS) port identifier is less than the specified value is not created.

Command Modes

Control class map configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The less-than command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map that evaluates true for only a specific range of ATM permanent virtual circuit (PVC) VCIs, 101-104 inclusive:

class-map type type control match-any MY-CONDITION

 greater-than nas-port type atm vpi 200 vci 100

 less-than nas-port type atm vpi 200 vci 105

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control	Creates an ISA control class map.
policy-map type control	Creates or modifies a control policy map, which defines an ISA control policy.

less-than-or-equal

To create a condition that will evaluate true if the subscriber network access server (NAS) port identifier is less than or equal to the specified value, use the less-than-or-equal command in control class map configuration mode. To remove the condition, use the no form of this command.

less-than-or-equal [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

no less-than-or-equal [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

Syntax Description

not	(Optional) Negates the sense of the test.
nas-port	NAS port identifier.
adapter adapter-number	Interface adapter number.
channel channel-number	Interface channel number.
ipaddr ip-address	IP address.
port port-number	Port number.
shelf shelf-number	Interface shelf number.
slot slot-number	Slot number.
sub-interface sub-interface-number	Subinterface number.
type interface-type	Interface type.
vci vci-number	Virtual channel identifier.
vlan vlan-id	VLAN ID.
vpi vpi-number	Virtual path identifier.

Command Default

A condition that will evaluate true if the subscriber NAS port identifier is less than or equal to the specified value is not created.

Command Modes

Control class map configuration

Command History

Release	Modification
12.2(27)SBA	This command was introduced.

Usage Guidelines

The less-than-or-equal command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as whole to evaluate true.

The class type control command is used to associate a control class map with a policy control map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".

class-map type control match-all class3

 less-than-or-equal nas-port port 1000  

!         

policy-map type control rule4

  class type control class3 event session-start

   1 authorize identifier nas-port

Related Commands

Command	Description
class type control	Specifies a control class for which actions may be configured in an ISA control policy map.
class-map type control	Creates an ISA control class map.
policy-map type control	Creates or modifies a control policy map, which defines an ISA control policy.