Cisco IOS Intelligent Services Gateway Command Reference
A through L
aaa authorization radius-proxy

To configure authentication, authorization, and accounting (AAA) authorization methods for Intelligent Services Gateway (ISG) RADIUS proxy subscribers, use the aaa authorization radius-proxy command in global configuration mode. To remove authorization methods for ISG RADIUS proxy subscribers, use the no form of this command.

  aaa authorization radius-proxy {default | list-name} method1 [method2 [method3 ...]]
  no aaa authorization radius-proxy {default | list-name} method1 [method2 [method3 ...]]

Syntax Description

Usage Guidelines

Use the aaa authorization radius-proxy command to enable authorization and to create named method lists, which define the authorization methods used to authorize ISG RADIUS proxy subscribers. Method lists for authorization define the ways in which authorization is performed and the sequence in which these methods are tried. A method list is a named list describing the authorization methods to be used, in sequence. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method in the list. This process continues until there is successful communication with a listed authorization method or all defined methods are exhausted.

Examples

The following example configures an ISG RADIUS proxy authorization method list called "RP". The server group called "EAP" is the method specified in that method list. The control policy called "PROXYRULE" contains a policy rule that sends RADIUS proxy packets to the method list "RP".

  aaa group server radius EAP
   server 10.2.36.253 auth-port 1812 acct-port 1813
  aaa authorization radius-proxy RP group EAP
  policy-map type control PROXYRULE
   class type control always event session-start
    1 proxy aaa list RP

aaa authorization subscriber-service

To specify one or more authentication, authorization, and accounting (AAA) authorization methods for Intelligent Services Gateway (ISG) to use in providing subscriber service, use the aaa authorization subscriber-service command in global configuration mode. To remove this specification, use the no form of this command.
  aaa authorization subscriber-service {default {cache | group | local} | list-name} method1 [method2 ...]
  no aaa authorization subscriber-service {default {cache | group | local} | list-name} method1 [method2 ...]

Syntax Description

Usage Guidelines

The table below lists the keywords that can be used with the aaa authorization subscriber-service command to specify authorization methods.

Cisco IOS software supports the following methods of authorization of ISG subscriber services:

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type. Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The aaa authorization subscriber-service command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:

Examples

The following example defines the subscriber service authorization method list named "mygroup", which specifies RADIUS authorization. If the RADIUS server fails to respond, local authorization will be performed.

  aaa authorization subscriber-service mygroup group radius local

Related Commands
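The fallback rule stated for both aaa authorization radius-proxy and aaa authorization subscriber-service method lists is easy to misread when auditing a configuration such as "group radius local". The following Python model is an added illustration, not code from the Cisco documentation: the method names and the outcome table are constructed, and the walk encodes only what the reference says, namely that the next method is consulted when the current one fails to respond and that a method which does answer ends the walk.

```python
from typing import Dict, List, Tuple

# Possible results of one authorization method (constructed labels for this model).
ACCEPT = "accept"
REJECT = "reject"
NO_RESPONSE = "no-response"   # server unreachable or timed out


def run_method_list(methods: List[str],
                    outcomes: Dict[str, str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk an AAA method list in order.

    methods  -- the list as written on the CLI, e.g. ["group radius", "local"]
    outcomes -- what each method would answer for this request (simulated)
    Returns (final decision, trace of the methods actually consulted).

    Per the command reference the next method is consulted only when the current
    one fails to respond; a method that answers (accept or reject) ends the walk.
    """
    trace: List[Tuple[str, str]] = []
    for method in methods:
        result = outcomes.get(method, NO_RESPONSE)
        trace.append((method, result))
        if result != NO_RESPONSE:
            return result, trace
    # Every method was exhausted without an answer: no authorization decision
    # could be reached, which this model reports as NO_RESPONSE.
    return NO_RESPONSE, trace


def mygroup_decision(radius_outcome: str, local_outcome: str = ACCEPT) -> str:
    """Decision for the page's example list: mygroup = group radius, then local."""
    decision, _ = run_method_list(
        ["group radius", "local"],
        {"group radius": radius_outcome, "local": local_outcome},
    )
    return decision


if __name__ == "__main__":
    for radius in (ACCEPT, REJECT, NO_RESPONSE):
        decision, trace = run_method_list(
            ["group radius", "local"], {"group radius": radius, "local": ACCEPT}
        )
        print(f"RADIUS {radius:12s} -> decision {decision:12s} via {trace}")
```

The case worth checking in a real configuration is the middle one: with "group radius local", a RADIUS reject is a successful communication and the walk stops there; only a silent or unreachable server causes local authorization to be consulted.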
aaa server radius dynamic-author

To configure a device as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server, use the aaa server radius dynamic-author command in global configuration mode. To remove this configuration, use the no form of this command.

Command Default

The device does not function as a server when interacting with external policy servers.

Usage Guidelines

Dynamic authorization allows an external policy server to dynamically send updates to a device. Once the aaa server radius dynamic-author command is configured, dynamic authorization local server configuration mode is entered. In this mode, the RADIUS application commands can be configured.

Dynamic Authorization for the Intelligent Services Gateway (ISG)

ISG works with external devices, referred to as policy servers, that store per-subscriber and per-service information. ISG supports two models of interaction between the ISG device and external policy servers: initial authorization and dynamic authorization. The dynamic authorization model allows an external policy server to dynamically send policies to the ISG. These operations can be initiated in-band by subscribers (through service selection) or through the actions of an administrator, or applications can change policies on the basis of an algorithm (for example, change session quality of service (QoS) at a certain time of day). This model is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling ISG and the external policy server each to act as a RADIUS client and server.

Examples

The following example configures the ISG to act as a AAA server when interacting with the client at IP address 10.12.12.12:

  aaa server radius dynamic-author
   client 10.12.12.12 key cisco
   message-authenticator ignore

Related Commands
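The Message-Authenticator attribute (RADIUS attribute 80) that the message-authenticator ignore keyword relaxes in the example above, and again in the aaa server radius policy-device example, is an HMAC-MD5 over the packet keyed with the shared secret; it is what lets a receiving peer tell a CoA-Request built with the right secret from one that was merely replayed or altered. The following Python example is added here and is not part of the Cisco documentation: it builds a minimal CoA-Request carrying that attribute, verifies it as a strict peer would, and shows that a modified packet or a wrong secret fails. The shared secret, identifier and attribute values are constructed, and the construction order (HMAC computed with the Authenticator field zeroed, Request Authenticator computed afterwards) follows RFC 5176 and RFC 3579 as commonly implemented.

```python
import hashlib
import hmac
import struct

CODE_COA_REQUEST = 43            # RFC 5176
ATTR_USER_NAME = 1
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 / RFC 3579
HEADER_LEN = 20                  # code, id, length, 16-byte authenticator


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (including the 2 header bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_coa_request(secret: bytes, identifier: int, attributes: bytes) -> bytes:
    """Build a CoA-Request carrying a Message-Authenticator.

    1. Append a zero-filled Message-Authenticator and fix the length field.
    2. HMAC-MD5 (key = shared secret) over the packet with the Authenticator
       field zeroed; write the result into the attribute.
    3. Request Authenticator = MD5(code + id + length + 16 zero bytes
       + attributes + secret), per RFC 5176 section 3.
    """
    body = attributes + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier, HEADER_LEN + len(body))
    mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = attributes + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    request_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_auth + body


def verify_coa_request(secret: bytes, packet: bytes) -> bool:
    """Check a received CoA-Request the way a strict peer does.

    Returns False when the length field is inconsistent, the Request Authenticator
    does not match the shared secret, the Message-Authenticator is missing, or
    its HMAC does not verify. A peer configured to ignore Message-Authenticator
    would skip the last two checks.
    """
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_COA_REQUEST or length != len(packet):
        return False
    header, request_auth, body = packet[:4], packet[4:20], packet[20:]

    expected_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected_auth, request_auth):
        return False

    # Walk the attributes: extract Message-Authenticator and zero it for the HMAC.
    zeroed = bytearray(body)
    received_mac = None
    offset = 0
    while offset < len(body):
        if offset + 2 > len(body):
            return False
        attr_type, attr_len = body[offset], body[offset + 1]
        if attr_len < 2 or offset + attr_len > len(body):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received_mac = bytes(body[offset + 2:offset + 18])
            zeroed[offset + 2:offset + 18] = bytes(16)
        offset += attr_len
    if received_mac is None:
        return False  # strict policy: the attribute is mandatory on a CoA-Request

    expected_mac = hmac.new(secret, header + bytes(16) + bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected_mac, received_mac)


def demo() -> dict:
    """Constructed exchange: a policy server sends a CoA-Request to an ISG."""
    secret = b"cisco"  # constructed shared secret, mirrors the example's "key cisco"
    attrs = attr(ATTR_USER_NAME, b"subscriber@example.com") + attr(ATTR_ACCT_SESSION_ID, b"0000A1B2")
    packet = build_coa_request(secret, 7, attrs)
    tampered = bytearray(packet)
    tampered[22] ^= 0x01  # flip one bit inside the User-Name value
    return {
        "genuine": verify_coa_request(secret, packet),
        "wrong_secret": verify_coa_request(b"not-cisco", packet),
        "tampered": verify_coa_request(secret, bytes(tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

The Request Authenticator already binds the secret to the packet for CoA-Request, so the practical difference the attribute makes on the ISG side is a second, keyed check that a spoofed or altered request must also pass; when it is switched off, the MD5 authenticator is the only thing standing between a policy server's client entry and anyone who can reach that UDP port.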
aaa server radius policy-device

To enable Intelligent Services Gateway (ISG) RADIUS server configuration mode, in which the ISG RADIUS server parameters can be configured, use the aaa server radius policy-device command in global configuration mode. To remove the RADIUS server configuration, use the no form of this command.

Command History

Usage Guidelines

The aaa server radius policy-device command enables ISG RADIUS server configuration mode, in which global ISG RADIUS server parameters can be configured.

Examples

The following example configures a shared encryption key for the RADIUS client and specifies authentication details.

  Router(config)# aaa server radius policy-device
  Router(config-locsvr-policy-device-radius)# key cisco
  Router(config-locsvr-policy-device-radius)# client 10.1.1.13
  Router(config-locsvr-policy-device-radius)# message-authenticator ignore

aaa server radius proxy

To enable Intelligent Services Gateway (ISG) RADIUS proxy configuration mode, in which ISG RADIUS proxy parameters can be configured, use the aaa server radius proxy command in global configuration mode. To remove the ISG RADIUS proxy configuration, use the no form of this command.

Command Default

ISG RADIUS proxy parameters are not configured, and ISG does not serve as a RADIUS proxy.

Usage Guidelines

The aaa server radius proxy command enables ISG RADIUS proxy server configuration mode, in which global RADIUS proxy parameters can be configured. The client command can be used in RADIUS proxy server configuration mode to specify a client for which RADIUS proxy parameters can be configured. Client-specific RADIUS proxy configurations take precedence over the global RADIUS proxy server configuration.

accounting aaa list

To enable Intelligent Services Gateway (ISG) accounting and specify an authentication, authorization, and accounting (AAA) method list to which accounting updates will be forwarded, use the accounting aaa list command in service policy-map configuration or service policy traffic class configuration mode. To disable ISG accounting, use the no form of this command.

Usage Guidelines

An ISG sends accounting records to the AAA method list specified by the accounting aaa list command. A AAA method list must also be configured by using the aaa accounting command.
See the Cisco IOS Security Command Reference for more information. To enable per-session accounting, configure the accounting aaa list command in service policy-map configuration mode. Per-session accounting can also be configured on a remote AAA server by adding the ISG accounting attribute to a user profile or to a service profile that does not include a traffic class. To enable per-flow accounting, enter the accounting aaa list command in service policy traffic class configuration mode. Per-flow accounting can also be configured on a remote AAA server by adding the ISG accounting attribute to a service profile that includes a traffic class.

Examples

The following example shows ISG per-session accounting configured for a service called "video1":

  policy-map type service video1
   accounting aaa list mlist1

The following example shows ISG per-flow accounting configured for a service called "video1":

  class-map type traffic match-any video1
   match access-group output 101
   match access-group input 100
  !
  policy-map type service video1
   class type traffic video1
    accounting aaa list mlist1

accounting method-list

To configure Intelligent Services Gateway (ISG) to forward accounting packets from RADIUS proxy clients to a specified server, use the accounting method-list command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To disable the forwarding of accounting packets from RADIUS proxy clients, use the no form of this command.

Usage Guidelines

By default, ISG RADIUS proxy responds locally to accounting packets it receives. The accounting method-list command configures ISG to forward accounting packets from RADIUS proxy clients to a specified method list. Forwarding of accounting packets can be configured globally for all RADIUS proxy clients or on a per-client basis. The per-client configuration of this command overrides the global configuration. The default method list is configured with the aaa accounting command.

Examples

The following example shows the ISG configured to forward accounting packets from all RADIUS proxy clients to the method list "RP-ACCT-MLIST":

  aaa group server radius RP-BILLING
   server 10.52.199.147 auth-port 1645 acct-port 1646
   server 10.52.199.148 auth-port 1812 acct-port 1813
  !
  aaa group server radius RP-BILLING-HOTSTANDBY
   server 10.52.200.20 auth-port 1645 acct-port 1646
   server 10.52.200.21 auth-port 1812 acct-port 1813
  !
  ...
  aaa accounting network RP-ACCT-MLIST start-stop broadcast group RP-BILLING group RP-BILLING-HOTSTANDBY
  ...
  aaa server radius proxy
   key cisco
   accounting method-list RP-ACCT-MLIST
   client 10.52.100.20
  !
  ...
  radius-server host 10.52.199.147 auth-port 1645 acct-port 1646 key troy
  radius-server host 10.52.199.148 auth-port 1812 acct-port 1813 key tempest
  radius-server host 10.52.200.20 auth-port 1645 acct-port 1646 key captain
  radius-server host 10.52.200.21 auth-port 1812 acct-port 1813 key scarlet

Related Commands
accounting port

To specify the port on which Intelligent Services Gateway (ISG) listens for accounting packets from RADIUS proxy clients, use the accounting port command in RADIUS proxy server configuration or RADIUS proxy client configuration mode. To return to the default value, use the no form of this command.

Command Modes

RADIUS proxy server configuration (config-locsvr-proxy-radius)

Usage Guidelines

The accounting port can be specified globally for all RADIUS proxy clients, or it can be specified per client. The per-client configuration of this command overrides the global configuration.

Examples

The following example configures ISG to listen for accounting packets on port 1200 for all RADIUS proxy clients:

  aaa server radius proxy
   accounting port 1200

The following example configures ISG to listen for accounting packets on port 1200 for the RADIUS proxy client with the IP address 10.10.10.10:

  aaa server radius proxy
   client 10.10.10.10
    accounting port 1200

arp ignore local

To prevent Intelligent Services Gateway (ISG) from replying to incoming Address Resolution Protocol (ARP) requests for destinations on the same interface, use the arp ignore local command in IP subscriber configuration mode. To reset to the default, use the no form of this command.

Usage Guidelines

The arp ignore local command blocks ISG from replying to ARP requests received on an interface if the source and destination IP addresses of an ARP request are on the same VLAN that the interface is connected to, or if the destination IP address is in a different subnet but is routable from the interface where the ARP request is received. ISG does, however, reply to ARP requests when the source and destination IP addresses are in the same subnet if the IP addresses belong to different VLANs. If the arp ignore local command is configured and a subscriber session is in virtual routing and forwarding (VRF) transfer mode, ISG will reply to an ARP request from the customer premises equipment (CPE) if:

When the CPE receives the ARP reply and routes the corresponding IP packets to ISG, ISG routes the packets in the VRF domain.

Examples

The following example shows how to configure ISG to ignore ARP requests received on Ethernet interface 0/0.1 if the source and destination are in the same subnet:

  Router(config)# interface ethernet 0/0.1
  Router(config-subif)# ip subscriber l2-connected
  Router(config-subscriber)# arp ignore local

authenticate (control policy-map class)

To initiate an authentication request for an Intelligent Services Gateway (ISG) subscriber session, use the authenticate command in control policy-map class configuration mode. To remove an authentication request for an ISG subscriber session, use the no form of this command.
  action-number authenticate [variable varname] [aaa list {list-name | default}]
  no action-number authenticate [variable varname] [aaa list {list-name | default}]

Syntax Description

Usage Guidelines

The authenticate command configures an action in a control policy map. Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an ISG control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.

Note that if you specify the default method list, the default list will not appear in the output of the show running-config command. For example, if you configure the following command:

  Router(config-control-policymap-class-control)# 1 authenticate aaa list default

the following will display in the output of the show running-config command:

  1 authenticate

Named method lists will display in the show running-config command output.

Examples

The following example shows an ISG configured to initiate an authentication request upon account logon. The authentication request will be sent to the AAA method list called AUTH-LIST.

  policy-map type control LOGIN
   class type control always event account-logon
    1 authenticate aaa list AUTH-LIST
    2 service-policy type service unapply BLIND-RDT

The following example shows the policy map configured to initiate an authentication request using a name stored in the variable NEWNAME, instead of unauthenticated-username, using the AAA list EXAMPLE. The authenticate statement is action 4:

  policy-map type control REPLACE_WITH_example.com
   class type control always event session-start
    1 collect identifier unauthenticated-username
    2 set NEWNAME identifier unauthenticated-username
    3 substitute NEWNAME "(.*@).*" "\1example.com"
    4 authenticate variable NEWNAME aaa list EXAMPLE
    5 service-policy type service name example
  policy-map type service abc
   service vpdn group 1
  bba-group pppoe global
   virtual-template 1
  !
  interface Virtual-Template1
   service-policy type control REPLACE_WITH_example.com

Related Commands
authenticate (service policy-map)

To specify authentication as a condition of service activation and initiate authentication requests for Intelligent Services Gateway (ISG) subscribers accessing a service, use the authenticate command in service policy-map configuration mode. To remove this specification, use the no form of this command.

Usage Guidelines

The authenticate (service policy-map) command specifies authentication as a condition of service activation in an ISG service policy map. Service policy maps define ISG subscriber services. Services can also be defined in service profiles. Service policy maps and service profiles serve the same purpose; the only difference between them is that a service policy map is defined on the local device using the policy-map type service command, and a service profile is configured on an external device, such as a AAA server.

authentication port

To specify the port on which Intelligent Services Gateway (ISG) listens for authentication packets from RADIUS proxy clients, use the authentication port command in RADIUS proxy server configuration or RADIUS proxy client configuration mode. To return to the default setting, in which ISG listens for authentication packets on port 1645, use the no form of this command.

Usage Guidelines

The authentication port can be specified globally for all RADIUS proxy clients, or it can be specified per client. The per-client configuration of this command overrides the global configuration.

Examples

The following example configures ISG to listen for authentication packets on port 1200 for all RADIUS proxy clients:

  aaa server radius proxy
   authentication port 1200

The following example configures ISG to listen for authentication packets on port 1200 for the RADIUS proxy client with the IP address 10.10.10.10:

  aaa server radius proxy
   client 10.10.10.10
    authentication port 1200

authorize identifier

To initiate a request for authorization based on a specified identifier in an Intelligent Services Gateway (ISG) control policy, use the authorize identifier command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.
  action-number authorize [aaa {list-name | list {list-name | default}} [password password]] [upon network-service-found {continue | stop}] [use method authorization-type] identifier identifier-type [plus identifier-type]
  no action-number

Syntax Description

Command History

Usage Guidelines

The authorize identifier command configures an action in a control policy map. A control policy map is used to configure an ISG control policy, which defines the actions the system takes in response to specified events and conditions. For sessions triggered by an unrecognized IP address, the MAC address should be used only when the subscriber is one hop away. The auto-detect keyword allows authorization to be performed on Cisco Catalyst switches with remote-ID:circuit-ID and on DSL Forum switches with circuit-ID only.

Note that if you specify the default method list, the default list will not appear in the output of the show running-config command. For example, if you configure the following command:

  Router(config-control-policymap-class-control)# 1 authorize aaa list default password ABC identifier nas-port

the following will be displayed in the output of the show running-config command:

  1 authorize aaa password ABC identifier nas-port

Named method lists will be displayed in the show running-config command output.

When ISG automatic subscriber login is configured using the authorize identifier command, the ISG uses the specified identifiers instead of the username in authorization requests, thus enabling a user profile to be downloaded from a AAA server as soon as packets are received from a subscriber.

Examples

In the following example, ISG is configured to send a request for authorization based on the source IP address. The system will perform this action at session start when the conditions that are defined in control class "CONDA" are met.

  policy-map type control RULEA
   class type control CONDA event session-start
    1 authorize aaa list TAL_LIST password cisco identifier source-ip-address
    2 service-policy type service aaa list LOCAL service redirectprofile

In the following example, the ISG is configured to get the authorization data from an authentication, authorization, and accounting (AAA) server.

  policy-map type control SampleControlPolicyMap2
   class type control always event session-start
    1 authorize identifier stag-vlanid plus ctag-vlanid

auth-type (ISG)

To specify the type of authorization Intelligent Services Gateway (ISG) will use for RADIUS clients, use the auth-type command in dynamic authorization local server configuration mode. To return to the default authorization type, use the no form of this command.

Syntax Description

Usage Guidelines

An ISG can be configured to allow external policy servers to dynamically send policies to the ISG. This functionality is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling ISG and the external policy server each to act as a RADIUS client and server. Use the auth-type command to specify the type of authorization ISG will use for RADIUS clients.

available

To create a condition in an Intelligent Services Gateway (ISG) control policy that will evaluate true if the specified subscriber identifier is locally available, use the available command in control class-map configuration mode. To remove this condition, use the no form of this command.
  available {authen-status | authenticated-domain | authenticated-username | dnis | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}
  no available {authen-status | authenticated-domain | authenticated-username | dnis | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}

Syntax Description

Command Default

A condition that will evaluate true if the specified subscriber identifier is locally available is not created.

Usage Guidelines

The available command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true. The class type control command is used to associate a control class map with a control policy map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".

  class-map type control match-all class3
   match access-type pppoe
   match domain cisco.com
   available nas-port-id
  !
  policy-map type control rule4
   class type control class3
    authorize nas-port-id
  !

Related Commands
calling-station-id format

To specify the format of the Calling-Station-ID in attribute 31, use the calling-station-id format command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To return to the default format, use the no form of this command.

  calling-station-id format {mac-address | msisdn}
  no calling-station-id format {mac-address | msisdn}

Command Modes

RADIUS proxy server configuration (config-locsvr-proxy-radius)

Usage Guidelines

Use the calling-station-id format command to differentiate and identify the session based on the downstream device type and to receive the values in attribute 31. For example, if the downstream device type is Public Wireless LAN (PWLAN), the Intelligent Services Gateway (ISG) RADIUS proxy identifies the value in attribute 31 as a MAC address; for the Gateway GPRS Support Node (GGSN) device type, it identifies the value as an MSISDN.

Examples

The following example shows how to configure ISG to specify MSISDN as the calling station ID for a RADIUS proxy server:

  Router(config)# aaa new-model
  Router(config)# aaa server radius proxy
  Router(config-locsvr-proxy-radius)# calling-station-id format msisdn

Related Commands
class type control

To specify a control class for which actions may be configured in an Intelligent Services Gateway (ISG) control policy, use the class type control command in control policy-map configuration mode. To remove the control class from the control policy map, use the no form of this command.

  class type control {control-class-name | always} [event {access-reject | account-logoff | account-logon | acct-notification | credit-exhausted | dummy-event | quota-depleted | radius-timeout | service-failed | service-start | service-stop | session-default-service | session-restart | session-service-found | session-start | timed-policy-expiry}]
  no class type control {control-class-name | always} [event {access-reject | account-logoff | account-logon | acct-notification | credit-exhausted | dummy-event | quota-depleted | radius-timeout | service-failed | service-start | service-stop | session-default-service | session-restart | session-service-found | session-start | timed-policy-expiry}]

Syntax Description

Command History

Usage Guidelines

A control class map defines the conditions that must be met and the events that must occur before a set of actions will be executed. Use the class type control command to associate a control class map with one or more actions in a control policy map. The association of a control class and a set of actions is called a control policy rule. Using the class type control command with the always keyword creates a control policy rule that will always be treated as the lowest-priority rule in a control policy map. To create a named control class map, use the class-map type control command. The session-restart keyword applies to DHCP-initiated IP sessions only. Using the class type control command with the acct-notification keyword causes the control class to be evaluated upon occurrence of an accounting notification.

Examples

The following example shows the configuration of a class map called "class3". The class type control command adds "class3" to the control policy map "policy1". When "class3" evaluates true, the action associated with the class will be executed.

  class-map type control match-all class3
   match access-type pppoe
   match domain cisco.com
   available nas-port-id
  !
  policy-map type control policy1
   class type control class3
    authorize nas-port-id
  !
  service-policy type control rule4

class type traffic

To specify the Intelligent Services Gateway (ISG) traffic class whose policy you want to create or change, or to specify the default traffic class in order to configure its policy, use the class type traffic command in service policy-map configuration mode. To remove a class from the service policy map, use the no form of this command.
  [priority] class type traffic {class-map-name | default {in-out | input | output}}
  no [priority] class type traffic {class-map-name | default {in-out | input | output}}

Syntax Description

Usage Guidelines

Before you can specify a named traffic class map in a service policy map, the traffic class map must be configured using the class-map type traffic command. The priority of a traffic class determines which class will be used first for a specified match in cases where more than one traffic policy has been activated for a single session. In other words, if a packet matches more than one traffic class, it will be classified to the class with the higher priority. The priority should be specified if packets must match a traffic class based on the order of the service policy.

The default traffic class map is applied if none of the other configured classes matches the traffic. At least one other traffic class must be configured; the default traffic class map is not applied if there are no other traffic classes configured. It cannot be assigned a priority because by default it is the lowest-priority class. The default policy of the default traffic class is to pass traffic. You can also configure the default traffic class to drop traffic.

Examples

The following example shows the configuration of the traffic class "UNAUTHORIZED_TRAFFIC":

  class-map type traffic UNAUTHORIZED_TRAFFIC
   match access-group input 100
  policy-map type service UNAUTHORIZED_REDIRECT_SVC
   class type traffic UNAUTHORIZED_TRAFFIC
    redirect to ip 10.0.0.148 port 8080

The following example shows the configuration of the default traffic class:

  policy-map type service SERVICE1
   class type traffic CLASS1
    prepaid-config PREPAID
   class type traffic default in-out
    drop

Related Commands
class-map type control

To create an Intelligent Services Gateway (ISG) control class map, which defines the conditions under which the actions of a control policy map will be executed, use the class-map type control command in global configuration mode. To remove a control class map, use the no form of this command.

  class-map type control [match-all | match-any | match-none] class-map-name
  no class-map type control [match-all | match-any | match-none] class-map-name

Syntax Description

Usage Guidelines

A control class map specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Use the match-any, match-all, and match-none keywords to specify which, if any, conditions must evaluate true before the control policy will be executed. A control policy map, which is configured with the policy-map type control command, contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Use the class type control command to associate a control class map with a control policy map.

Examples

The following example shows how to configure a control policy in which virtual private dial-up network (VPDN) forwarding is applied to anyone dialing in from "xyz.com":

  class-map type control match-all MY-FORWARDED-USERS
   match unauthenticated-domain "xyz.com"
  !
  policy-map type control MY-POLICY
   class type control MY-FORWARDED-USERS event session-start
    1 apply identifier nas-port
    2 service local
  !
  interface Dialer1
   service-policy type control MY-POLICY

class-map type traffic

To create or modify a traffic class map, which is used for matching packets to a specified Intelligent Services Gateway (ISG) traffic class, use the class-map type traffic command in global configuration mode. To remove a traffic class map, use the no form of this command.

Usage Guidelines

Use the class-map type traffic command to specify the name of the ISG traffic class for which you want to create or modify traffic class map match criteria. The class-map type traffic command enters traffic class-map configuration mode, in which you can enter match commands to configure the match criteria for this class. Packets are checked against the match criteria configured for a class map to determine whether the packet belongs to that traffic class.

ISG traffic classes allow subscriber session traffic to be subclassified so that ISG features can be applied to constituent flows. Traffic policies, which define the handling of data packets, contain a traffic class and one or more features. Once a traffic class map has been defined, use the class type traffic command to associate the traffic class map with a service policy map. A service can contain one traffic class and the default class.

Examples

The following example shows the configuration of a traffic class map called "CLASS-ACL-101". The class map is defined so that input traffic matching access list 101 will match the class. The traffic class map is then referenced in service policy map "mp3".

  class-map type traffic match-any CLASS-ACL-101
   match access-group input 101
  !
  policy-map type service mp3
   class type traffic CLASS-ACL-101
    authentication method-list cp-mlist
    accounting method-list cp-mlist
    prepaid conf-prepaid

Related Commands
classnameTo associate a Dynamic Host Configuration Protocol (DHCP) pool or remote DHCP server with an Intelligent Services Gateway (ISG) service policy map, use the classname command in service policy-map configuration mode. To remove this association, use the no form of this command. Usage GuidelinesISG can influence the IP address pool and the DHCP server that are used to assign subscriber IP addresses. To enable ISG to influence the IP addresses assigned to subscribers, you associate a DHCP address pool class with an address domain. The DHCP address pool class must also be configured in a service policy map, service profile, or user profile, which is associated with a subscriber. When a DHCP request is received from a subscriber, DHCP uses the address pool class that is associated with the subscriber to determine which DHCP address pool should be used to service the request. As a result, on a per-request basis, an IP address is provided by the local DHCP server or relayed to a remote DHCP server that is defined in the selected pool. ExamplesIn the following example, the DHCP class âblueâ is specified in the service âmy_serviceâ. When âmy_serviceâ is activated, the local DHCP component will provide a new IP address from the pool âblue-poolâ because (a) the classes match and (b) the subnet defined in ârelay sourceâ corresponds to one of the subnets defined at the interface. Hence the DHCP DISCOVER packet is relayed to the server at address 10.10.2.1, and the local DHCP component acts as a relay. ip dhcp pool blue-pool relay source 10.1.0.0 255.255.0.0 class blue relay destination 10.10.2.1 vrf blue policy-map type service my_service classname blue clear class-map controlclear ip subscriberTo disconnect and remove all or specified Intelligent Services Gateway (ISG) IP subscriber sessions, use the clear ip subscriber command in privileged EXEC mode.
clear ip subscriber [interface interface-name | mac mac-address | slot slot-number no-hardware | [vrf vrf-name] [dangling seconds | ip ip-address | statistics]]
Syntax Description
Usage Guidelines
A session that has not been fully established within a specified period of time is referred to as a dangling session. The clear ip subscriber command can be used with the dangling keyword to disconnect and remove dangling sessions. The seconds argument allows you to specify how long the session has to remain unestablished before it is considered dangling.
Session Removal: Cisco 7600 Series Routers Only
This command removes only IP sessions (MAC or IP), not IP interface sessions. The interface and slot no-hardware keywords are available only on Cisco 7600 series routers.
Examples
The following example shows how to clear all dangling sessions that are associated with vrf1:
Router# clear ip subscriber vrf vrf1 dangling 10
The following example shows how to clear sessions that are associated with Gigabit Ethernet interface 0/1 on a Cisco 7600 series router:
Router# clear ip subscriber interface GigabitEthernet 0/1
The following example shows how to clear sessions that are associated with a line card that was removed from slot 1 on a Cisco 7600 series router:
Router# clear ip subscriber slot 1 no-hardware
clear radius-proxy client
To clear all Intelligent Services Gateway (ISG) RADIUS proxy sessions for a specific client, use the clear radius-proxy client command in privileged EXEC mode.

clear radius-proxy session
To clear specific Intelligent Services Gateway (ISG) RADIUS proxy sessions, use the clear radius-proxy session command in privileged EXEC mode.
Usage Guidelines
The RADIUS proxy session ID can be identified in the output of the show radius-proxy client command.
Examples
The following example shows how to identify the RADIUS proxy session ID by using the show radius-proxy client command:
show radius-proxy client 10.45.45.3
Configuration details for client 10.45.45.3
Shared secret: radprxykey Msg Auth Ignore: No
Local auth port: 1111 Local acct port: 1646
Acct method list: FWDACCT
Session Summary:
RP ID IP Address
1. 1694498816 unassigned ----> 1694498816 is the session id
The following example clears the ISG RADIUS proxy session with the ID 1694498816:
clear radius-proxy session id 1694498816
clear subscriber policy dpm statistics
To clear the statistics for DHCP policy module (DPM) session contexts, use the clear subscriber policy dpm statistics command in privileged EXEC mode.
Usage Guidelines
The clear subscriber policy dpm statistics command resets all DPM event trace counters to zero. To display the cumulative statistics for DPM session contexts, use the show subscriber policy dpm statistics command.

clear subscriber policy peer
To clear the display of the details of a subscriber policy peer connection, use the clear subscriber policy peer command in privileged EXEC mode.
Syntax Description
Usage Guidelines
The clear subscriber policy peer command ends the peering relationship between the Intelligent Services Gateway (ISG) device and selected Service Control Engine (SCE) devices. However, the SCE will attempt to reconnect with the ISG device after a configured amount of time. The clear subscriber policy peer command can remove select session associations from a particular SCE device.

clear subscriber policy peer session
To clear the display of the details of a subscriber policy peer session, use the clear subscriber policy peer session command in privileged EXEC mode.
clear subscriber policy peer session {guid guid-value | all} [address ip-address | handle connection-handle-id | all]
Syntax Description
Usage Guidelines
The clear subscriber policy peer session command ends the peering relationship between the Intelligent Services Gateway (ISG) device and selected Service Control Engine (SCE) devices. However, the SCE will attempt to reconnect with the ISG device after a configured amount of time. The clear subscriber policy peer session command can remove select session associations from a particular SCE.

clear subscriber trace history
To clear the event trace history logs for Intelligent Services Gateway (ISG) subscriber sessions, use the clear subscriber trace history command in privileged EXEC mode.
Syntax Description
Usage Guidelines
The clear subscriber trace history command deletes all event traces that are stored in the specified module's history log. This command also clears the current records counter and current log size counter for the show subscriber trace statistics command.
Examples
The following example shows how to clear the trace history for the DPM:
Router# clear subscriber trace history dpm
Related Commands
client
To specify a RADIUS client from which a device will accept Change of Authorization (CoA) and disconnect requests, use the client command in dynamic authorization local server configuration mode. To remove this specification, use the no form of this command.
client {name | ip-address} [key [0 | 7] word] [vrf vrf-id]
no client {name | ip-address} [key [0 | 7] word] [vrf vrf-id]
Syntax Description
Usage Guidelines
A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the client command to specify the RADIUS clients for which the router will act as server.

client (ISG RADIUS proxy)
To enter RADIUS proxy client configuration mode, in which client-specific RADIUS proxy parameters can be specified, use the client command in RADIUS proxy server configuration mode. To remove the RADIUS proxy client and configuration, use the no form of this command.
client {ip-address | hostname} [subnet-mask] [vrf vrf-name]
no client {ip-address | hostname} [subnet-mask] [vrf vrf-name]
Syntax Description
Usage Guidelines
Use the client command in RADIUS proxy server configuration mode to specify a client for which RADIUS proxy parameters can be configured. Client-specific RADIUS proxy configurations take precedence over the global RADIUS proxy server configuration.
In cases where Intelligent Services Gateway (ISG) is acting as a proxy for more than one client device, all of which reside on the same subnet, client-specific parameters may be configured using a subnet definition rather than a discrete IP address for each device. This configuration method results in the sharing of a single configuration by all the client devices on the subnet. ISG is able to differentiate traffic from these devices based on the source and NAS IP address of RADIUS packets. To configure a client subnet, use the client command with the subnet-mask argument.
Examples
The following example shows the configuration of global RADIUS proxy parameters and client-specific parameters for two RADIUS proxy clients. Client 10.1.1.1 is configured to listen for accounting packets on port 1813 and authentication packets on port 1812. Because a shared secret is not configured specifically for client 10.1.1.1, it will inherit the shared secret specification, which is "cisco", from the global RADIUS proxy configuration. Client 10.2.2.2 will use "systems" as the shared secret and will use the default ports for listening for accounting and authentication packets.
aaa server radius proxy
 key cisco
 client 10.1.1.1
  accounting port 1813
  authentication port 1812
 !
 client 10.2.2.2
  key systems
 !

collect identifier
To enable a control policy map to collect subscriber identifiers, use the collect identifier command in control policy-map class configuration mode. To disable a control policy from collecting subscriber identifiers, use the no form of this command.
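As an added example for the two client commands above (the dynamic authorization local server client and the ISG RADIUS proxy client), not code from Cisco or this reference: a small Python audit that reads both stanza forms from a running-config snippet and reports the points a reviewer would look at, namely clients with no key of their own, keys stored unencrypted, proxy clients that inherit the section-level key, and proxy clients defined as a whole subnet. The configuration text is constructed for the example and the type-7 string is a placeholder; the only behaviour taken from the page is that a proxy client without its own key inherits the global one. Key type 0 (or no type digit) meaning an unencrypted key and type 7 meaning the IOS obfuscated form is standard IOS behaviour, not something this page states. The page does not say what a dynamic-author client without a key falls back to, so that case is only flagged for review.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed running-config snippet (not from the page); PLACEHOLDER7 stands in for a type-7 string.
SAMPLE_CONFIG = """\
aaa server radius dynamic-author
 client 10.0.0.5 key 0 coa-secret
 client 10.0.0.6 key 7 PLACEHOLDER7
 client 10.0.0.7 vrf mgmt
!
aaa server radius proxy
 key cisco
 client 10.1.1.1
  accounting port 1813
  authentication port 1812
 !
 client 10.2.2.2
  key systems
 !
 client 10.3.0.0 255.255.0.0
 !
"""

SECTION_RE = re.compile(r"^aaa server radius (dynamic-author|proxy)$")
CLIENT_RE = re.compile(r"^client (\S+)(.*)$")
KEY_RE = re.compile(r"\bkey(?: ([07]))? (\S+)")  # key [0 | 7] word


@dataclass
class RadiusClient:
    mode: str                       # "dynamic-author" or "proxy"
    address: str
    mask: Optional[str] = None      # proxy clients may be defined as a subnet
    vrf: Optional[str] = None
    key_type: Optional[str] = None  # "0", "7", "inherit" (section-level key) or None


def parse_clients(config):
    """Collect every client stanza under the two 'aaa server radius' sections."""
    clients, section, mode, global_key, current = [], [], None, None, None

    def close_section():
        # A proxy client with no key of its own inherits the section-level key.
        for c in section:
            if c.mode == "proxy" and c.key_type is None and global_key is not None:
                c.key_type = "inherit"
        section.clear()

    for raw in config.splitlines():
        indent, text = len(raw) - len(raw.lstrip(" ")), raw.strip()
        if indent == 0:
            close_section()
            m = SECTION_RE.match(text)
            mode, global_key, current = (m.group(1) if m else None), None, None
        elif mode is None or text == "!":
            continue
        elif indent == 1:
            current = None
            if mode == "proxy" and text.startswith("key "):
                global_key = KEY_RE.match(text).group(2)
                continue
            m = CLIENT_RE.match(text)
            if not m:
                continue
            addr, rest = m.group(1), m.group(2)
            c = RadiusClient(mode=mode, address=addr)
            vm = re.search(r"\bvrf (\S+)", rest)
            c.vrf = vm.group(1) if vm else None
            if mode == "dynamic-author":
                km = KEY_RE.search(rest)
                # no type digit means the word is stored unencrypted (type 0)
                c.key_type = (km.group(1) or "0") if km else None
            else:
                mm = re.match(r"^\s+(\d+\.\d+\.\d+\.\d+)\b", rest)
                c.mask = mm.group(1) if mm else None
            clients.append(c)
            section.append(c)
            current = c
        elif current is not None and mode == "proxy":
            km = KEY_RE.match(text)  # nested client-specific key line
            if km:
                current.key_type = km.group(1) or "0"
    close_section()
    return clients


def audit(clients):
    """Map each client address to the findings a configuration reviewer would raise."""
    report = {}
    for c in clients:
        findings = []
        if c.key_type is None:
            findings.append("no shared key on the client line; check how requests from it are authenticated")
        elif c.key_type == "0":
            findings.append("shared secret stored unencrypted (type 0) in the configuration")
        elif c.key_type == "inherit":
            findings.append("inherits the section-level key, so it shares a secret with every other client")
        if c.mask:
            net = ipaddress.ip_network(f"{c.address}/{c.mask}", strict=False)
            findings.append(f"subnet-wide client: every host in {net} shares one configuration and secret")
        report[c.address] = findings
    return report


if __name__ == "__main__":
    for address, findings in audit(parse_clients(SAMPLE_CONFIG)).items():
        print(address, findings or ["ok"])
```

Feed it the output of show running-config (or a saved copy) instead of SAMPLE_CONFIG to review a real device; anything it reports for a dynamic-author client is a CoA or disconnect source whose trust relationship should be confirmed against the policy server inventory.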
action-number collect [aaa list list-name] identifier {authen-status | authenticated-domain | authenticated-username | dnis | mac-address | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}
no action-number collect [aaa list list-name] identifier {authen-status | authenticated-domain | authenticated-username | dnis | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}
Syntax Description
Command History
Usage Guidelines
The collect identifier command configures an action in a control policy map. Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
Note that if you specify the default method list, the default list will not appear in the output of the show running-config command. For example, if you configure the following command:
Router(config-control-policymap-class-control)# 1 collect aaa list default
The following will display in the output for the show running-config command:
1 collect
Named method lists will display in the show running-config command output.
Examples
The following example shows how to configure ISG to collect a subscriber's authentication status at session start:
Router(config)# policy-map type control policy1
Router(config-control-policymap)# class type control always event session-start
Router(config-control-policymap-class-control)# 1 collect identifier authen-status

debug ip subscriber
To enable Intelligent Services Gateway (ISG) IP subscriber session debugging, use the debug ip subscriber command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug ip subscriber {all | error | event | fsm | packet}
no debug ip subscriber {all | error | event | fsm | packet}
Syntax Description
Command History
Examples
The following example shows sample output for the debug ip subscriber command:
Router# debug ip subscriber packet
Packet debugs:
1d07h: IPSUB_DP: [Et0/0:I:CEF:0000.0000.0002] Rx driver forwarded packet via les, return code = 0
1d07h: IPSUB_DP: [Et0/0:I:PROC:0000.0000.0002] Packet classified, results = 0x18
1d07h: IPSUB_DP: [ms1:I:PROC:0000.0000.0002] Rx driver forwarded the packet
1d07h: IPSUB_DP: [ms1:I:PROC:0000.0000.0002] Packet classified, results = 0x42
1d07h: IPSUB_DP: [ms1:O:PROC:RED:50.0.0.3] Packet classified, results = 0x14
Router#
1d07h: IPSUB_DP: [ms1:O:PROC:RED:50.0.0.3] Subscriber features executed, return code = 0
1d07h: IPSUB_DP: [ms1:O:PROC:RED:50.0.0.3] Tx driver forwarding the packet
1d07h: IPSUB_DP: [Et0/0:O:PROC:RED:50.0.0.3] Packet classified, results = 0x14
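The bracketed context in each IPSUB_DP line (interface, I or O direction, CEF or PROC path, optional tags, then the MAC or IP address the packet was matched to) is what makes this output usable for session troubleshooting. The following is an added example, not code from Cisco or this reference: a Python parser that turns the lines into records and summarises them per subscriber key, separating the packets that were counted per direction and path from any event that reported a non-zero return code. The first lines of the sample are copied from the output above; the last line is constructed to exercise the non-zero return code case (the page does not document individual code values, so the code is reported, not interpreted), and the RED tag is kept verbatim because the page does not define it.

```python
import re
from collections import defaultdict

# Sample lines copied from the output above, plus one constructed line with a
# non-zero return code (marked below) so that the failure path is exercised.
SAMPLE_LOG = """\
Router# debug ip subscriber packet
Packet debugs:
1d07h: IPSUB_DP: [Et0/0:I:CEF:0000.0000.0002] Rx driver forwarded packet via les, return code = 0
1d07h: IPSUB_DP: [Et0/0:I:PROC:0000.0000.0002] Packet classified, results = 0x18
1d07h: IPSUB_DP: [ms1:I:PROC:0000.0000.0002] Rx driver forwarded the packet
1d07h: IPSUB_DP: [ms1:I:PROC:0000.0000.0002] Packet classified, results = 0x42
1d07h: IPSUB_DP: [ms1:O:PROC:RED:50.0.0.3] Packet classified, results = 0x14
Router#
1d07h: IPSUB_DP: [ms1:O:PROC:RED:50.0.0.3] Subscriber features executed, return code = 0
1d07h: IPSUB_DP: [ms1:O:PROC:RED:50.0.0.3] Tx driver forwarding the packet
1d07h: IPSUB_DP: [Et0/0:O:PROC:RED:50.0.0.3] Packet classified, results = 0x14
1d07h: IPSUB_DP: [Et0/0:I:CEF:0000.0000.0003] Rx driver forwarded packet via les, return code = 1
"""
# (the 0000.0000.0003 line above is constructed, not from the page)

LINE_RE = re.compile(r"^(?P<ts>\S+): IPSUB_DP: \[(?P<ctx>[^\]]+)\] (?P<msg>.*)$")
RC_RE = re.compile(r"return code = (\d+)")
RESULTS_RE = re.compile(r"results = (0x[0-9A-Fa-f]+)")


def parse_line(line):
    """Return a record for one IPSUB_DP line, or None for prompts and other text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m["ctx"].split(":")   # iface:direction:path[:tag...]:subscriber-key
    if len(parts) < 4:
        return None
    rc = RC_RE.search(m["msg"])
    res = RESULTS_RE.search(m["msg"])
    return {
        "ts": m["ts"],
        "iface": parts[0],
        "direction": parts[1],          # I = inbound, O = outbound
        "path": parts[2],               # CEF or PROC
        "tags": parts[3:-1],            # e.g. ["RED"], kept without interpretation
        "key": parts[-1],               # MAC (xxxx.xxxx.xxxx) or IP address
        "msg": m["msg"],
        "return_code": int(rc.group(1)) if rc else None,
        "results": int(res.group(1), 16) if res else None,
    }


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def summarize(events):
    """Per-subscriber-key counters plus every event that reported a non-zero return code."""
    summary = defaultdict(lambda: {"in": 0, "out": 0, "paths": set(), "failures": []})
    for ev in events:
        s = summary[ev["key"]]
        s["in" if ev["direction"] == "I" else "out"] += 1
        s["paths"].add(ev["path"])
        if ev["return_code"] not in (None, 0):
            s["failures"].append(ev)
    return dict(summary)


if __name__ == "__main__":
    for key, s in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, "in", s["in"], "out", s["out"], sorted(s["paths"]), "failures", len(s["failures"]))
```

The summary makes it easy to see which subscriber keys are being switched in the CEF path versus punted to process switching (PROC), and any non-zero return code stands out without reading every line of a long debug capture.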
debug radius-proxy
To display debugging messages for Intelligent Services Gateway (ISG) RADIUS proxy functionality, use the debug radius-proxy command in privileged EXEC mode. To disable debugging, use the no form of this command.
Syntax Description
Usage Guidelines
See the following caution before using debug commands.
Examples
The following example shows output for the debug radius-proxy command with the events keyword:
Router# debug radius-proxy events
*Nov 7 07:53:11.411: RP-EVENT: Parse Request: Username = 12345679@cisco
*Nov 7 07:53:11.411: RP-EVENT: Parse Request: Caller ID = 12345679@cisco
*Nov 7 07:53:11.411: RP-EVENT: Parse Request: NAS id = localhost
*Nov 7 07:53:11.411: RP-EVENT: Found matching context for user Caller ID:12345679@cisco Name:aa
*Nov 7 07:53:11.411: RP-EVENT: Received event client Access-Request in state activated
*Nov 7 07:53:11.411: RP-EVENT: User Caller ID:12345679@cisco Name:12 re-authenticating
*Nov 7 07:53:11.411: RP-EVENT: Forwarding Request to method list (handle=1979711512)
*Nov 7 07:53:11.411: RP-EVENT: Sending request to server group EAP
*Nov 7 07:53:11.411: RP-EVENT: State changed activated --> wait for Access-Response
debug sgi
To debug Service Gateway Interface (SGI), use the debug sgi command in privileged EXEC mode. To disable debugging, use the no form of this command.
Syntax Description
Usage Guidelines
The xml keyword turns on debugging for the Cisco Networking Services (CNS) XML parser and provides additional XML parsing debugging for SGI.
Examples
The following example shows all debugging options enabled and shows the output that is received when a message is sent:
Router# debug sgi all
Router# show debug
SGI:
SGI All debugging is on
SGI Errors debugging is on
SGI XML debugging is on
SGI Informational debugging is on
SGI Generic Service Interface debugging is on
SGI ISG_API Events debugging is on
SGI ISG_API Errors debugging is on
Router#
Router#
*Jul 1 20:55:11.364: SGI: Session created, session Id 7
*Jul 1 20:55:11.372: sgi beep listen app beep[0x66245188]: frame_available: type=M number=1 answer=-1 more=* size=1400
*Jul 1 20:55:11.372: sgi beep listen app beep[0x66245188]: Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
...
*Jul 1 20:55:11.372: sgi beep listen app beep[0x66245188]: frame_available: type=M number=1 answer=-1 more=. size=111
*Jul 1 20:55:11.372: sgi beep listen app beep[0x66245188]: gitypes:policyGroup>
</objects>
</sgiops:insertPolicyObjectsRequest>
...
*Jul 1 20:55:11.372: SGI: GSI message received, msgid 1, session 7
*Jul 1 20:55:11.376: SGI: XML parsed successfully, request insertPolicyObjectsRequest, msgid 1
*Jul 1 20:55:11.376: SGI: authentication request sent to AAA
*Jul 1 20:55:11.376: SGI: req = [0x67454088] authentication succeeded
*Jul 1 20:55:11.376: SGI: Processing insertPolicyObjectsRequest
*Jul 1 20:55:11.376: SGI: insertPolicyObjectsRequest processing policyGroup:VPDN1, type 1, result: 0
*Jul 1 20:55:11.376: SGI: Processing insertPolicyObjectsResponse
*Jul 1 20:55:11.376: SGI: GSI message sent, msgid 1, session 7
*Jul 1 20:55:12.088: sgi beep listen app beep[0x66245188]: close confirmation: status=+ no error origin=L scope=C
*Jul 1 20:55:12.088: SGI: Session terminating, session Id 7
Router#
debug ssm
To display diagnostic information about the Segment Switching Manager (SSM) for switched Layer 2 segments, use the debug ssm command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug ssm {cm errors | cm events | fhm errors | fhm events | sm errors | sm events | sm counters | xdr}
no debug ssm {cm errors | cm events | fhm errors | fhm events | sm errors | sm events | sm counters | xdr}
Syntax Description
Command History
Usage Guidelines
The SSM manages the data-plane component of the Layer 2 Virtual Private Network (L2VPN) configuration. The connection manager (CM) tracks the connection-level errors and events that occur on an xconnect. The segment manager (SM) tracks the per-segment events and errors on the xconnect. Use the debug ssm command to troubleshoot problems in bringing up the data plane. This command is generally used only by Cisco engineers for internal debugging of SSM processes.
Examples
The following example shows sample output for the debug ssm xdr command:
Router# debug ssm xdr
SSM xdr debugging is on
2w5d: SSM XDR: [4096] deallocate segment, len 16
2w5d: SSM XDR: [8193] deallocate segment, len 16
2w5d: %LINK-3-UPDOWN: Interface FastEthernet2/1, changed state to down
2w5d: %LINK-3-UPDOWN: Interface FastEthernet2/1, changed state to up
2w5d: SSM XDR: [4102] provision segment, switch 4101, len 106
2w5d: SSM XDR: [4102] update segment status, len 17
2w5d: SSM XDR: [8199] provision segment, switch 4101, len 206
2w5d: SSM XDR: [4102] update segment status, len 17
2w5d: %SYS-5-CONFIG_I: Configured from console by console
2w5d: %LINK-3-UPDOWN: Interface FastEthernet2/1, changed state to down
2w5d: SSM XDR: [4102] update segment status, len 17
2w5d: %LINK-3-UPDOWN: Interface FastEthernet2/1, changed state to up
2w5d: SSM XDR: [4102] deallocate segment, len 16
2w5d: SSM XDR: [8199] deallocate segment, len 16
2w5d: SSM XDR: [4104] provision segment, switch 4102, len 106
2w5d: SSM XDR: [4104] update segment status, len 17
2w5d: SSM XDR: [8201] provision segment, switch 4102, len 206
2w5d: SSM XDR: [4104] update segment status, len 17
2w5d: SSM XDR: [4104] update segment status, len 17
2w5d: %SYS-5-CONFIG_I: Configured from console by console
The following example shows the events that occur on the segment manager when an Any Transport over MPLS (AToM) virtual circuit (VC) configured for Ethernet over MPLS is shut down and then enabled:
Router# debug ssm sm events
SSM Connection Manager events debugging is on
Router(config)# interface fastethernet 0/1/0.1
Router(config-subif)# shutdown
09:13:38.159: SSM SM: [SSS:AToM:36928] event Unprovison segment
09:13:38.159: SSM SM: [SSS:Ethernet Vlan:4146] event Unbind segment
09:13:38.159: SSM SM: [SSS:AToM:36928] free segment class
09:13:38.159: SSM SM: [SSS:AToM:36928] free segment
09:13:38.159: SSM SM: [SSS:AToM:36928] event Free segment
09:13:38.159: SSM SM: last segment class freed
09:13:38.159: SSM SM: [SSS:Ethernet Vlan:4146] segment ready
09:13:38.159: SSM SM: [SSS:Ethernet Vlan:4146] event Found segment data
Router(config-subif)# no shutdown
09:13:45.815: SSM SM: [SSS:AToM:36929] event Provison segment
09:13:45.815: label_oce_get_label_bundle: flags 14 label 16
09:13:45.815: SSM SM: [SSS:AToM:36929] segment ready
09:13:45.815: SSM SM: [SSS:AToM:36929] event Found segment data
09:13:45.815: SSM SM: [SSS:AToM:36929] event Bind segment
09:13:45.815: SSM SM: [SSS:Ethernet Vlan:4146] event Bind segment
The following example shows the events that occur on the CM when an AToM VC configured for Ethernet over MPLS is shut down and then enabled:
Router(config)# interface fastethernet 0/1/0.1
Router(config-subif)# shutdown
09:17:20.179: SSM CM: [AToM] unprovision segment, id 36929
09:17:20.179: SSM CM: CM FSM: state Open - event Free segment
09:17:20.179: SSM CM: [SSS:AToM:36929] unprovision segment 1
09:17:20.179: SSM CM: [SSS:AToM] shQ request send unprovision complete event
09:17:20.179: SSM CM: [SSS:Ethernet Vlan:4146] unbind segment 2
09:17:20.179: SSM CM: [SSS:Ethernet Vlan] shQ request send ready event
09:17:20.179: SSM CM: SM msg event send unprovision complete event
09:17:20.179: SSM CM: SM msg event send ready event
Router(config-subif)# no shutdown
09:17:35.879: SSM CM: Query AToM to Ethernet Vlan switching, enabled
09:17:35.879: SSM CM: [AToM] provision second segment, id 36930
09:17:35.879: SSM CM: CM FSM: state Down - event Provision segment
09:17:35.879: SSM CM: [SSS:AToM:36930] provision segment 2
09:17:35.879: SSM CM: [AToM] send client event 6, id 36930
09:17:35.879: SSM CM: [SSS:AToM] shQ request send ready event
09:17:35.883: SSM CM: SM msg event send ready event
09:17:35.883: SSM CM: [AToM] send client event 3, id 36930
The following example shows the events that occur on the CM and SM when an AToM VC is provisioned and then unprovisioned:
Router# debug ssm cm events
SSM Connection Manager events debugging is on
Router# debug ssm sm events
SSM Segment Manager events debugging is on
Router# configure terminal
Router(config)# interface ethernet1/0
Router(config-if)# xconnect 10.55.55.2 101 pw-class mpls
16:57:34: SSM CM: provision switch event, switch id 86040
16:57:34: SSM CM: [Ethernet] provision first segment, id 12313
16:57:34: SSM CM: CM FSM: state Idle - event Provision segment
16:57:34: SSM CM: [SSS:Ethernet:12313] provision segment 1
16:57:34: SSM SM: [SSS:Ethernet:12313] event Provison segment
16:57:34: SSM CM: [SSS:Ethernet] shQ request send ready event
16:57:34: SSM CM: SM msg event send ready event
16:57:34: SSM SM: [SSS:Ethernet:12313] segment ready
16:57:34: SSM SM: [SSS:Ethernet:12313] event Found segment data
16:57:34: SSM CM: Query AToM to Ethernet switching, enabled
16:57:34: SSM CM: [AToM] provision second segment, id 16410
16:57:34: SSM CM: CM FSM: state Down - event Provision segment
16:57:34: SSM CM: [SSS:AToM:16410] provision segment 2
16:57:34: SSM SM: [SSS:AToM:16410] event Provison segment
16:57:34: SSM CM: [AToM] send client event 6, id 16410
16:57:34: label_oce_get_label_bundle: flags 14 label 19
16:57:34: SSM CM: [SSS:AToM] shQ request send ready event
16:57:34: SSM CM: SM msg event send ready event
16:57:34: SSM SM: [SSS:AToM:16410] segment ready
16:57:34: SSM SM: [SSS:AToM:16410] event Found segment data
16:57:34: SSM SM: [SSS:AToM:16410] event Bind segment
16:57:34: SSM SM: [SSS:Ethernet:12313] event Bind segment
16:57:34: SSM CM: [AToM] send client event 3, id 16410
Router# configure terminal
Router(config)# interface e1/0
Router(config-if)# no xconnect
16:57:26: SSM CM: [Ethernet] unprovision segment, id 16387
16:57:26: SSM CM: CM FSM: state Open - event Free segment
16:57:26: SSM CM: [SSS:Ethernet:16387] unprovision segment 1
16:57:26: SSM SM: [SSS:Ethernet:16387] event Unprovison segment
16:57:26: SSM CM: [SSS:Ethernet] shQ request send unprovision complete event
16:57:26: SSM CM: [SSS:AToM:86036] unbind segment 2
16:57:26: SSM SM: [SSS:AToM:86036] event Unbind segment
16:57:26: SSM CM: SM msg event send unprovision complete event
16:57:26: SSM SM: [SSS:Ethernet:16387] free segment class
16:57:26: SSM SM: [SSS:Ethernet:16387] free segment
16:57:26: SSM SM: [SSS:Ethernet:16387] event Free segment
16:57:26: SSM SM: last segment class freed
16:57:26: SSM CM: unprovision switch event, switch id 12290
16:57:26: SSM CM: [SSS:AToM] shQ request send unready event
16:57:26: SSM CM: SM msg event send unready event
16:57:26: SSM SM: [SSS:AToM:86036] event Unbind segment
16:57:26: SSM CM: [AToM] unprovision segment, id 86036
16:57:26: SSM CM: CM FSM: state Down - event Free segment
16:57:26: SSM CM: [SSS:AToM:86036] unprovision segment 2
16:57:26: SSM SM: [SSS:AToM:86036] event Unprovison segment
16:57:26: SSM CM: [SSS:AToM] shQ request send unprovision complete event
16:57:26: SSM CM: SM msg event send unprovision complete event
16:57:26: SSM SM: [SSS:AToM:86036] free segment class
16:57:26: SSM SM: [SSS:AToM:86036] free segment
16:57:26: SSM SM: [SSS:AToM:86036] event Free segment
16:57:26: SSM SM: last segment class freed

debug subscriber aaa authorization
To display diagnostic information about authentication, authorization, and accounting (AAA) authorization of Intelligent Services Gateway (ISG) subscriber sessions, use the debug subscriber aaa authorization command in privileged EXEC mode. To disable debugging output, use the no form of this command.
Syntax Description
Examples
The following is sample output of several debug subscriber commands, including the debug subscriber aaa authorization command. The reports from these commands should be sent to technical personnel at Cisco Systems for evaluation.
Router# debug subscriber event
Router# debug subscriber error
Router# debug subscriber state
Router# debug subscriber aaa authorization event
Router# debug subscriber aaa authorization fsm
SSS:
SSS events debugging is on
SSS error debugging is on
SSS fsm debugging is on
SSS AAA authorization event debugging is on
SSS AAA authorization FSM debugging is on
*Mar 4 21:33:18.248: SSS INFO: Element type is Access-Type, long value is 3
*Mar 4 21:33:18.248: SSS INFO: Element type is Switch-Id, long value is -1509949436
*Mar 4 21:33:18.248: SSS INFO: Element type is Nasport, ptr value is 6396882C
*Mar 4 21:33:18.248: SSS INFO: Element type is AAA-Id, long value is 7
*Mar 4 21:33:18.248: SSS INFO: Element type is AAA-ACCT_ENBL, long value is 1
*Mar 4 21:33:18.248: SSS INFO: Element type is AccIe-Hdl, ptr value is 78000006
*Mar 4 21:33:18.248: SSS MGR [uid:7]: Event service-request, state changed from wait-for-req to wait-for-auth
*Mar 4 21:33:18.248: SSS MGR [uid:7]: Handling Policy Authorize (1 pending sessions)
*Mar 4 21:33:18.248: SSS PM [uid:7]: Need the following key: Unauth-User
*Mar 4 21:33:18.248: SSS PM [uid:7]: Received Service Request
*Mar 4 21:33:18.248: SSS PM [uid:7]: Event <need keys>, State: initial-req to need-init-keys
*Mar 4 21:33:18.248: SSS PM [uid:7]: Policy reply - Need more keys
*Mar 4 21:33:18.248: SSS MGR [uid:7]: Got reply Need-More-Keys from PM
*Mar 4 21:33:18.248: SSS MGR [uid:7]: Event policy-or-mgr-more-keys, state changed from wait-for-auth to wait-for-req
*Mar 4 21:33:18.248: SSS MGR [uid:7]: Handling More-Keys event
*Mar 4 21:33:20.256: SSS INFO: Element type is Unauth-User, string value is nobody2@xyz.com
*Mar 4 21:33:20.256: SSS INFO: Element type is AccIe-Hdl, ptr value is 78000006
*Mar 4 21:33:20.256: SSS INFO: Element type is AAA-Id, long value is 7
*Mar 4 21:33:20.256: SSS INFO: Element type is Access-Type, long value is 0
*Mar 4 21:33:20.256: SSS MGR [uid:7]: Event service-request, state changed from wait-for-req to wait-for-auth
*Mar 4 21:33:20.256: SSS MGR [uid:7]: Handling Policy Authorize (1 pending sessions)
*Mar 4 21:33:20.256: SSS PM [uid:7]: Received More Initial Keys
*Mar 4 21:33:20.256: SSS PM [uid:7]: Event <rcvd keys>, State: need-init-keys to check-auth-needed
*Mar 4 21:33:20.256: SSS PM [uid:7]: Handling Authorization Check
*Mar 4 21:33:20.256: SSS PM [uid:7]: Event <send auth>, State: check-auth-needed to authorizing
*Mar 4 21:33:20.256: SSS PM [uid:7]: Handling AAA service Authorization
*Mar 4 21:33:20.256: SSS PM [uid:7]: Sending authorization request for 'xyz.com'
*Mar 4 21:33:20.256: SSS AAA AUTHOR [uid:7]:Event <make request>, state changed from idle to authorizing
*Mar 4 21:33:20.256: SSS AAA AUTHOR [uid:7]:Authorizing key xyz.com
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:AAA request sent for key xyz.com
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Received an AAA pass
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Event <found service>, state changed from authorizing to complete
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Found service info for key xyz.com
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Event <free request>, state changed from complete to terminal
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Free request
*Mar 4 21:33:20.264: SSS PM [uid:7]: Event <found>, State: authorizing to end
*Mar 4 21:33:20.264: SSS PM [uid:7]: Handling Service Direction
*Mar 4 21:33:20.264: SSS PM [uid:7]: Policy reply - Forwarding
*Mar 4 21:33:20.264: SSS MGR [uid:7]: Got reply Forwarding from PM
*Mar 4 21:33:20.264: SSS MGR [uid:7]: Event policy-start-service-fsp, state changed from wait-for-auth to wait-for-service
*Mar 4 21:33:20.264: SSS MGR [uid:7]: Handling Connect-Forwarding-Service event
*Mar 4 21:33:20.272: SSS MGR [uid:7]: Event service-fsp-connected, state changed from wait-for-service to connected
*Mar 4 21:33:20.272: SSS MGR [uid:7]: Handling Forwarding-Service-Connected event
Related Commands
debug subscriber error
To display diagnostic information about errors that may occur during Intelligent Services Gateway (ISG) subscriber session setup, use the debug subscriber error command in privileged EXEC mode. To disable debugging output, use the no form of this command.
Examples
The following sample output for the debug subscriber error command indicates that the session is stale because the session handle has already been destroyed:
Router# debug subscriber error
*Sep 20 22:39:49.455: SSS MGR: Session handle [EF000002] destroyed already
Related Commands
debug subscriber event
To display diagnostic information about Intelligent Services Gateway (ISG) subscriber session setup events, use the debug subscriber event command in privileged EXEC mode. To disable debugging output, use the no form of this command.
Examples
The following sample output for the debug subscriber event command indicates that the system has determined that the session should be locally terminated. The local termination module determines that an interface description block (IDB) is not required for this session, and it sets up the data plane for packet switching.
Router# debug subscriber event
*Sep 20 22:21:08.223: SSS MGR [uid:2]: Handling Connect Local Service action
*Sep 20 22:21:08.223: SSS LTERM [uid:2]: Processing Local termination request
*Sep 20 22:21:08.223: SSS LTERM [uid:2]: L3 session - IDB not required for setting up service
*Sep 20 22:21:08.223: SSS LTERM [uid:2]: Interface already present or not required for service
*Sep 20 22:21:08.223: SSS LTERM [uid:2]: Segment provision successful
Related Commands
debug subscriber feature
To display diagnostic information about the installation and removal of Intelligent Services Gateway (ISG) features on ISG subscriber sessions, use the debug subscriber feature command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug subscriber feature {all | detail | error | event | name name-of-feature {detail | error | event | packet} | packet [detail | full] [issu {event | error}] [ccm {event | error}]}
no debug subscriber feature {all | detail | error | event | name name-of-feature {detail | error | event | packet} | packet [detail | full] [issu {event | error}] [ccm {event | error}]}
Syntax Description
Command History
Examples
The following sample output for the debug subscriber feature command indicates that the idle timeout feature has been successfully installed on the inbound segment.
Router# debug subscriber feature event
*Sep 20 22:28:57.903: SSF[myservice/uid:6/Idle Timeout]: Group feature install
*Sep 20 22:28:57.903: SSF[uid:6/Idle Timeout]: Adding feature to inbound segment(s)
debug subscriber fsm
To display diagnostic information about Intelligent Services Gateway (ISG) subscriber session state changes, use the debug subscriber fsm command in privileged EXEC mode. To disable debugging output, use the no form of this command.
Examples
The following sample output for the debug subscriber fsm command indicates that the session has been disconnected by the client, and the system is cleaning up the session by disconnecting the network service and removing any installed features.
Router# debug subscriber fsm
*Sep 20 22:35:10.495: SSS MGR [uid:5]: Event client-disconnect, state changed from connected to disconnecting-fsp-feat
debug subscriber packet
To display information about packets as they traverse the subscriber service switch (SSS) path, use the debug subscriber packet command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug subscriber packet {detail | error | event | full}
no debug subscriber packet {detail | error | event | full}
Syntax Description
Examples
The following example shows sample output for the debug subscriber packet command with the full keyword. This output is for a PPPoE session configured with forwarding.
SSS Switch: Pak encap size, old: 60, new: 24
SSS Switch: Pak 0285C458 sz 66 encap 14
*Feb 9 15:47:13.659: 000000 AA BB CC 00 0B 01 AA BB D.......
*Feb 9 15:47:13.659: 000008 CC 00 0C 01 08 00 45 00 ......N.
*Feb 9 15:47:13.659: 000010 00 34 00 28 00 00 FE 11 .4.(....
*Feb 9 15:47:13.659: 000018 F2 9D AC 12 B8 E7 AC 12 ........
*Feb 9 15:47:13.659: 000020 B8 E6 06 A5 06 A5 00 20 .......
*Feb 9 15:47:13.659: 000028 00 00 C0 01 02 00 00 02 ........
*Feb 9 15:47:13.659: 000030 00 01 00 18 00 00 FC A7 ........
*Feb 9 15:47:13.659: 000038 2E B3 FF 03 C2 23 03 01 .....#..
*Feb 9 15:47:13.659: 000040 00 04 ..
SSS Switch: Pak encap size, old: 60, new: 24
SSS Switch: Pak 0285C458 sz 72 encap 14
*Feb 9 15:47:13.691: 000000 AA BB CC 00 0B 01 AA BB D.......
*Feb 9 15:47:13.691: 000008 CC 00 0C 01 08 00 45 00 ......N.
*Feb 9 15:47:13.691: 000010 00 3A 00 2A 00 00 FE 11 .:.*....
*Feb 9 15:47:13.691: 000018 F2 95 AC 12 B8 E7 AC 12 ........
*Feb 9 15:47:13.691: 000020 B8 E6 06 A5 06 A5 00 26 .......&
*Feb 9 15:47:13.691: 000028 00 00 C0 01 02 00 00 02 ........
*Feb 9 15:47:13.691: 000030 00 01 00 1E 00 00 FC A7 ........
*Feb 9 15:47:13.691: 000038 2E B3 FF 03 80 21 01 01 .....!..
*Feb 9 15:47:13.691: 000040 00 0A 03 06 3A 3A 3A 3A ....::::
SSS Switch: Pak encap size, old: 24, new: 46
SSS Switch: Pak 027A5BE8 sz 36 encap 18
*Feb 9 15:47:13.691: 000000 AA BB CC 00 0B 00 AA BB D.......
*Feb 9 15:47:13.691: 000008 CC 00 0A 00 81 00 01 41 .......a
*Feb 9 15:47:13.691: 000010 88 64 11 00 00 01 00 0C .dN.....
*Feb 9 15:47:13.691: 000018 80 21 01 01 00 0A 03 06 .!......
*Feb 9 15:47:13.691: 000020 00 00 00 00 ....
SSS Switch: Pak encap size, old: 60, new: 24
SSS Switch: Pak 0285C458 sz 72 encap 14
*Feb 9 15:47:13.691: 000000 AA BB CC 00 0B 01 AA BB D.......
*Feb 9 15:47:13.691: 000008 CC 00 0C 01 08 00 45 00 ......N.
*Feb 9 15:47:13.691: 000010 00 3A 00 2C 00 00 FE 11 .:.,....
*Feb 9 15:47:13.691: 000018 F2 93 AC 12 B8 E7 AC 12 ........
*Feb 9 15:47:13.691: 000020 B8 E6 06 A5 06 A5 00 26 .......&
*Feb 9 15:47:13.691: 000028 00 00 C0 01 02 00 00 02 ........
*Feb 9 15:47:13.691: 000030 00 01 00 1E 00 00 FC A7 ........
*Feb 9 15:47:13.691: 000038 2E B3 FF 03 80 21 03 01 .....!..
*Feb 9 15:47:13.691: 000040 00 0A 03 06 09 00 00 1F ........
debug subscriber policy
To display diagnostic information about policy execution related to Intelligent Services Gateway (ISG) subscriber sessions, use the debug subscriber policy command in privileged EXEC mode. To disable debugging output, use the no form of this command.
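The hex dump that debug subscriber packet full prints (shown above) is only useful if the headers can be read back out of it. The following is an added example written for this page, not Cisco code: it reassembles the bytes under each "SSS Switch: Pak ... sz N encap M" header and decodes Ethernet, 802.1Q, IPv4/UDP and PPPoE/PPP/IPCP, verifying the IPv4 header checksum and that the dumped byte count and encapsulation length match the declared values; the sample text is two of the packets from the output above, embedded as a constructed string.

```python
import re
import struct

# Constructed sample: the first and third packets of the page's example output, same layout.
SAMPLE = """\
SSS Switch: Pak 0285C458 sz 66 encap 14
*Feb 9 15:47:13.659: 000000 AA BB CC 00 0B 01 AA BB D.......
*Feb 9 15:47:13.659: 000008 CC 00 0C 01 08 00 45 00 ......N.
*Feb 9 15:47:13.659: 000010 00 34 00 28 00 00 FE 11 .4.(....
*Feb 9 15:47:13.659: 000018 F2 9D AC 12 B8 E7 AC 12 ........
*Feb 9 15:47:13.659: 000020 B8 E6 06 A5 06 A5 00 20 .......
*Feb 9 15:47:13.659: 000028 00 00 C0 01 02 00 00 02 ........
*Feb 9 15:47:13.659: 000030 00 01 00 18 00 00 FC A7 ........
*Feb 9 15:47:13.659: 000038 2E B3 FF 03 C2 23 03 01 .....#..
*Feb 9 15:47:13.659: 000040 00 04 ..
SSS Switch: Pak 027A5BE8 sz 36 encap 18
*Feb 9 15:47:13.691: 000000 AA BB CC 00 0B 00 AA BB D.......
*Feb 9 15:47:13.691: 000008 CC 00 0A 00 81 00 01 41 .......a
*Feb 9 15:47:13.691: 000010 88 64 11 00 00 01 00 0C .dN.....
*Feb 9 15:47:13.691: 000018 80 21 01 01 00 0A 03 06 .!......
*Feb 9 15:47:13.691: 000020 00 00 00 00 ....
"""
HEADER_RE = re.compile(r"SSS Switch: Pak ([0-9A-F]+) sz (\d+) encap (\d+)")
# offset, then 1-8 hex pairs each followed by whitespace or end of line; the ASCII column is ignored
DUMP_RE = re.compile(r":\s+[0-9A-F]{6}\s+((?:[0-9A-F]{2}(?:\s|$)){1,8})")

def parse_dump(text):
    """Group dump lines under their 'Pak' header; bytes are capped at the declared sz."""
    packets = []
    for line in text.splitlines():
        hdr = HEADER_RE.search(line)
        if hdr:
            packets.append({"pak": hdr.group(1), "sz": int(hdr.group(2)),
                            "encap": int(hdr.group(3)), "data": bytearray()})
            continue
        dump = DUMP_RE.search(line)
        if dump and packets:
            cur = packets[-1]
            room = cur["sz"] - len(cur["data"])  # cap guards against a hex-looking ASCII column
            cur["data"] += bytes.fromhex(re.sub(r"\s", "", dump.group(1)))[:room]
    return packets

def ipv4_header_checksum(header):
    """RFC 791 ones-complement sum over the header; 0 means the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ipv4(data):
    """IPv4 header plus UDP ports (the tunnel carrying the forwarded PPP frame)."""
    ihl = (data[0] & 0x0F) * 4
    total_len, _ident, _frag, ttl, proto = struct.unpack("!HHHBB", data[2:10])
    res = {"ip_total_len": total_len, "ip_ttl": ttl, "ip_proto": proto,
           "ip_src": ".".join(map(str, data[12:16])),
           "ip_dst": ".".join(map(str, data[16:20])),
           "ip_checksum_ok": ipv4_header_checksum(bytes(data[:ihl])) == 0}
    if proto == 17:
        res["udp_sport"], res["udp_dport"], res["udp_len"] = struct.unpack("!HHH", data[ihl:ihl + 6])
    return res

def decode_pppoe(data):
    """PPPoE session-stage header (EtherType 0x8864), PPP protocol and IPCP IP-Address option."""
    ver_type, code, session, length = struct.unpack("!BBHH", data[:6])
    res = {"pppoe_ver": ver_type >> 4, "pppoe_code": code, "pppoe_session": session,
           "pppoe_len": length, "ppp_proto": struct.unpack("!H", data[6:8])[0]}
    if res["ppp_proto"] == 0x8021:  # IPCP
        res["ipcp_code"], res["ipcp_id"], ipcp_len = struct.unpack("!BBH", data[8:12])
        opts = data[12:8 + ipcp_len]
        while len(opts) >= 2 and opts[1] >= 2:  # TLV walk; a zero length would loop forever
            if opts[0] == 3 and opts[1] == 6:  # option 3 = IP-Address
                res["ipcp_ip_address"] = ".".join(map(str, opts[2:6]))
            opts = opts[opts[1]:]
    return res

def decode_frame(frame):
    """Ethernet II with optional 802.1Q tag, dispatching on the EtherType."""
    res = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":")}
    off, ethertype = 12, struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100:
        res["vlan"] = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        off, ethertype = 16, struct.unpack("!H", frame[16:18])[0]
    off += 2
    res.update({"ethertype": ethertype, "encap_len": off})
    if ethertype == 0x0800:
        res.update(decode_ipv4(frame[off:]))
    elif ethertype == 0x8864:
        res.update(decode_pppoe(frame[off:]))
    return res

def decode_dump(text):
    """Decode every packet in the debug text, flagging truncated dumps and encap mismatches."""
    out = []
    for p in parse_dump(text):
        d = decode_frame(bytes(p["data"]))
        d.update(pak=p["pak"], complete=len(p["data"]) == p["sz"],
                 encap_matches=d["encap_len"] == p["encap"])
        out.append(d)
    return out
```

Running decode_dump(SAMPLE) shows the first packet as an IPv4/UDP 1701 tunnel frame between 172.18.184.231 and 172.18.184.230 with a valid header checksum, and the third as a VLAN 321 PPPoE session frame carrying an IPCP Configure-Request.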
debug subscriber policy {all | detail | error | event | fsm | prepaid | {condition | idmgr | profile | push | rule | service} [detail | error | event] | dpm [error | event] | webportal {detail | error | event}}
no debug subscriber policy {all | detail | error | event | fsm | prepaid | {condition | idmgr | profile | push | rule | service} [detail | error | event] | dpm [error | event] | webportal {detail | error | event}}
Syntax Description
Examples
The following example shows sample output for the debug subscriber policy command with the event keyword. This output indicates the creation of a new session. "Updated key list" indicates important attributes and information associated with the session.
*Feb 7 18:58:24.519: SSS PM [0413FC58]: Create context 0413FC58
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Authen status update; is now "unauthen"
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Updated NAS port for AAA ID 14
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Updated key list:
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Access-Type = 15 (IP)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Protocol-Type = 4 (IP)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Media-Type = 2 (IP)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: IP-Address = 10.0.0.2 (0A000002)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: IP-Address-VRF = IP 10.0.0.2:0
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: source-ip-address = 037FBB78
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Mac-Address = aabb.cc00.6500
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Final = 1 (YES)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Authen-Status = 1 (Unauthenticated)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Nasport = PPPoEoE: slot 0 adapter 0 port 0
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Updated key list:
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Access-Type = 15 (IP)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Protocol-Type = 4 (IP)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Media-Type = 2 (IP)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: IP-Address = 10.0.0.2 (0A000002)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: IP-Address-VRF = IP 10.0.0.2:0
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: source-ip-address = 037FBB78
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Mac-Address = aabb.cc00.6500
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Final = 1 (YES)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Authen-Status = 1 (Unauthenticated)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Nasport = PPPoEoE: slot 0 adapter 0 port 0
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Session-Handle = 486539268 (1D000004)
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: SM Policy invoke - Service Selection Request
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Access type IP
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Access type IP: final key
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Received Service Request
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Handling Authorization Check
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: SIP [IP] can NOT provide more keys
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: SIP [IP] can NOT provide more keys
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Handling Default Service
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Providing Service
*Feb 7 18:58:24.519: SSS PM [uid:4][0413FC58]: Policy reply - Local Terminate
*Feb 7 18:58:24.523: SSS PM [uid:4][0413FC58]: SM Policy invoke - Apply Config Success
*Feb 7 18:58:24.523: SSS PM [uid:4][0413FC58]: Handling Apply Config; SUCCESS
debug subscriber policy dpm timestamps
To include timestamp information for DHCP policy module (DPM) messages in debugging output, use the debug subscriber policy dpm timestamps command in privileged EXEC mode. To remove timestamp information from output, use the no form of this command.
Usage Guidelines
The debug subscriber policy dpm timestamps command enables the timestamp information for the latest DPM message that was received to be saved after a session is established. The timestamp for DPM messages is displayed in debugging output, including output from the show subscriber policy dpm context command. Timestamp information is removed by default after a session is established. Enabling this command preserves the timestamp information so that it can be included in debugging output.
This command does not display any debugging output; it enables timestamp output for other debug and show commands.
debug subscriber service
To display diagnostic information about the service profile database in an Intelligent Services Gateway (ISG), use the debug subscriber service command in privileged EXEC mode. To disable debugging, use the no form of this command.
Usage Guidelines
Use the debug subscriber service command to diagnose problems with service profiles or service policy maps.
Examples
The following example shows sample output for the debug subscriber service command. This output indicates that a service logon has occurred for the service "prep_service".
*Feb 7 18:52:31.067: SVM [prep_service]: needs downloading
*Feb 7 18:52:31.067: SVM [D6000000/prep_service]: allocated version 1
*Feb 7 18:52:31.067: SVM [D6000000/prep_service]: [8A000002]: client queued
*Feb 7 18:52:31.067: SVM [D6000000/prep_service]: [PM-Download:8A000002] locked 0->1
*Feb 7 18:52:31.067: SVM [D6000000/prep_service]: [AAA-Download:040DD9D0] locked 0->1
*Feb 7 18:52:31.127: SVM [D6000000/prep_service]: TC feature info found
*Feb 7 18:52:31.127: SVM [D0000001/prep_service]: added child
*Feb 7 18:52:31.127: SVM [D6000000/prep_service]: [TC-Child:040DD130] locked 0->1
*Feb 7 18:52:31.127: SVM [D0000001/CHILD/prep_service]: [TC-Parent:040DD1A8] locked 0->1
*Feb 7 18:52:31.127: SVM [D6000000/prep_service]: TC flow feature info not found
*Feb 7 18:52:31.127: SVM [D6000000/prep_service]: downloaded first version
*Feb 7 18:52:31.127: SVM [D6000000/prep_service]: [8A000002]: client download ok
*Feb 7 18:52:31.127: SVM [D6000000/prep_service]: [SVM-to-client-msg:8A000002] locked 0->1
*Feb 7 18:52:31.127: SVM [D6000000/prep_service]: [AAA-Download:040DD9D0] unlocked 1->0
*Feb 7 18:52:31.131: SVM [D6000000/prep_service]: alloc feature info
*Feb 7 18:52:31.131: SVM [D6000000/prep_service]: [SVM-Feature-Info:040E2E80] locked 0->1
*Feb 7 18:52:31.131: SVM [D6000000/prep_service]: has Policy info
*Feb 7 18:52:31.131: SVM [D6000000/prep_service]: [PM-Info:0416BAB0] locked 0->1
*Feb 7 18:52:31.131: SVM [D6000000/prep_service]: populated client
*Feb 7 18:52:31.131: SVM [D6000000/prep_service]: [PM-Download:8A000002] unlocked 1->0
*Feb 7 18:52:31.131: SVM [D6000000/prep_service]: [SVM-to-client-msg:8A000002] unlocked 1->0
*Feb 7 18:52:31.131: SVM [D6000000/prep_service]: [PM-Service:040E31E0] locked 0->1
*Feb 7 18:52:31.131: SVM [D0000001/CHILD/prep_service]: [SM-SIP-Apply:D0000001] locked 0->1
*Feb 7 18:52:31.131: SVM [D6000000/prep_service]: [FM-Bind:82000002] locked 0->1
*Feb 7 18:52:31.131: SVM [D6000000/prep_service]: [SVM-Feature-Info:040E2E80] unlocked 1->0
*Feb 7 18:52:31.139: SVM [D0000001/CHILD/prep_service]: alloc feature info
*Feb 7 18:52:31.139: SVM [D0000001/CHILD/prep_service]: [SVM-Feature-Info:040E2E80] locked 0->1
*Feb 7 18:52:31.159: SVM [D0000001/CHILD/prep_service]: [FM-Bind:2C000003] locked 0->1
*Feb 7 18:52:31.159: SVM [D0000001/CHILD/prep_service]: [SVM-Feature-Info:040E2E80] unlocked 1->0
*Feb 7 18:52:31.159: SVM [D0000001/CHILD/prep_service]: [SM-SIP-Apply:D0000001] unlocked 1->0
debug subscriber testing
drop (ISG)
To configure an Intelligent Services Gateway (ISG) to discard packets belonging to the default traffic class, use the drop command in service policy-map class configuration mode. To disable the packet-discarding action, use the no form of this command.
Usage Guidelines
The drop command can only be configured in the default class of an ISG service policy map. The default traffic class handles all the traffic that is not handled by other traffic classes in a service.
Examples
The following example shows the default class configured to drop traffic for the service "SERVICE1":
policy-map type service SERVICE1
 class type traffic CLASS1
  prepaid-config PREPAID
 class type traffic default
  drop
Related Commands
greater-than
To create a condition that will evaluate true if the subscriber network access server (NAS) port identifier is greater than the specified value, use the greater-than command in control class-map configuration mode. To remove the condition, use the no form of this command.
greater-than [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
no greater-than [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
Syntax Description
Command Default
A condition that will evaluate true if the subscriber NAS port identifier is greater than the specified value is not created.
Usage Guidelines
The greater-than command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true. The class type control command is used to associate a control class map with a control policy map.
Examples
The following example shows a control class map that evaluates true for only a specific range of ATM permanent virtual circuit (PVC) VCIs, 101-104 inclusive:
class-map type control match-any MY-CONDITION
 greater-than nas-port type atm vpi 200 vci 100
 less-than nas-port type atm vpi 200 vci 105
greater-than-or-equal
To create a condition that will evaluate true if the subscriber identifier is greater than or equal to the specified value, use the greater-than-or-equal command in control class-map configuration mode. To remove the condition, use the no form of this command.
greater-than-or-equal [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
no greater-than-or-equal [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
Syntax Description
Command Default
A condition that will evaluate true if the subscriber identifier is greater than or equal to the specified value is not created.
Usage Guidelines
The greater-than-or-equal command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true. The class type control command is used to associate a control class map with a control policy map.
Examples
The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".
class-map type control match-all class3
 greater-than-or-equal nas-port port 1000
!
policy-map type control rule4
 class type control class3 event session-start
  1 authorize identifier nas-port
!
Related Commands
identifier interface
To create an Intelligent Services Gateway (ISG) IP interface session, use the identifier interface command in IP subscriber configuration mode. To remove the IP interface session, use the no form of this command.
Command History
Usage Guidelines
An IP interface session includes all IP traffic received on a specific physical or virtual interface. IP interface sessions are provisioned through the command-line interface (CLI), that is, the session is created when the IP interface session commands are entered. IP interface sessions might be used in situations in which a subscriber is represented by an interface (with the exception of PPP) and communicates using more than one IP address. For example, a subscriber using routed bridge encapsulation (RBE) access might have a dedicated ATM virtual circuit (VC) to home customer premises equipment (CPE) that is hosting multiple PCs.
identifier ip src-addr
To enable an Intelligent Services Gateway (ISG) to create an IP session upon detection of the first IP packet from an unidentified subscriber, use the identifier ip src-addr command in IP subscriber configuration mode. To disable IP session creation upon receipt of IP packets from unidentified subscribers, use the no form of this command.
identifier ip src-addr [match access-list-number]
no identifier ip src-addr [match access-list-number]
Syntax Description
Command Default
An ISG does not create IP sessions upon detection of the first IP packet from an unidentified subscriber.
Command History
Usage Guidelines
An ISG subscriber IP session includes all the traffic that is associated with a single subscriber IP address. An IP subnet session includes all the IP traffic that is associated with a single IP subnet. IP subnet sessions are created the same way as IP sessions, except that when a subscriber is authorized or authenticated and the Framed-IP-Netmask attribute is present in the user or service profile, the ISG converts the source-IP-based session into a subnet session with the subnet value in the Framed-IP-Netmask attribute.
if upon network-service-found
To specify whether the system should continue processing policy rules once a subscriber's network service has been identified, use the if upon network-service-found command in control policy-map class configuration mode. To remove this action from the control policy map, use the no form of this command.
action-number if upon network-service-found {continue | stop}
no action-number if upon network-service-found {continue | stop}
Syntax Description
Command Default
Actions will continue to be executed when a subscriber's network service is identified.
Usage Guidelines
The if upon network-service-found command configures an action in a control policy map. Control policies define the actions the system will take in response to specified events and conditions. A control policy map is used to configure an Intelligent Services Gateway (ISG) control policy. A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed. The actions are numbered and executed sequentially within the policy rule.
ignore (ISG)
To configure an Intelligent Services Gateway (ISG) to ignore specific parameters in requests from RADIUS clients, use the ignore command in dynamic authorization local server configuration mode. To reinstate the default behavior, use the no form of this command.
Syntax Description
Usage Guidelines
An ISG can be configured to allow external policy servers to dynamically send policies to the ISG. This functionality is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling the ISG and the external policy server each to act as a RADIUS client and server. Use the ignore command to configure the ISG to ignore the server key or session key in requests from RADIUS clients.
initiator
To enable Intelligent Services Gateway (ISG) to create an IP subscriber session upon receipt of a specified type of packet, use the initiator command in IP subscriber configuration mode. To disable IP session creation in response to specified packets, use the no form of this command.
initiator {dhcp [class-aware] | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified mac}
no initiator {dhcp [class-aware] | radius-proxy | static ip subscriber list listname | unclassified ip | unclassified mac}
Syntax Description
Command History
Usage Guidelines
DHCP and ISG IP Session Creation
If the following conditions are met, receipt of a DHCP DISCOVER packet will trigger the creation of an IP session:
DHCP and ISG IP Address Assignment
When ISG is in the path of DHCP requests (either as a DHCP server or as a relay), ISG can influence the IP address pool and the DHCP server that is used to assign subscriber IP addresses. To enable ISG to influence the IP addresses assigned to subscribers, you associate a DHCP address pool class with an address domain. When a DHCP request is received from a subscriber, DHCP uses the address pool class that is associated with the subscriber to determine which DHCP address pool should be used to service the request. As a result, on a per-request basis, an IP address is provided by the local DHCP server or relayed to a remote DHCP server that is defined in the selected pool. The class-aware keyword enables the ISG to provide DHCP with a class name.
Examples
The following example shows how to configure ISG to create IP sessions for subscribers who connect to ISG on Gigabit Ethernet interface 0/1.401 through a routed access network. ISG will create IP sessions upon receipt of DHCP DISCOVER packets, incoming valid IP packets, and RADIUS Access-Request packets.
interface GigabitEthernet0/1.401
 ip subscriber routed
  initiator dhcp class-aware
  initiator unclassified ip-address
  initiator radius-proxy
  initiator static ip subscriber list mylist
interface multiservice
To create a multiservice interface, which enables dynamic virtual private network (VPN) selection on an Intelligent Services Gateway (ISG), use the interface multiservice command in global configuration mode. To remove a multiservice interface, use the no form of this command.
Command History
Usage Guidelines
IP interface features (such as quality of service (QoS) and access lists) are not supported on multiservice interfaces. For a subscriber without a static VPN configuration, a multiservice interface must be configured on the ISG device to map the IP subscriber session to a VRF. The multiservice interface represents a boundary between a VPN routing domain and the default routing domain. In cases where an IP subscriber may be associated with several routing domains throughout the duration of a connection, multiservice interfaces serve as demarcation points for the IP subscriber to switch from one VPN domain to another. One multiservice interface must be configured for each VPN routing domain.
interim-interval
To specify the interval at which the Intelligent Services Gateway (ISG) sends interim prepaid accounting records, use the interim-interval command in prepaid configuration mode. To disable interim prepaid accounting, use the no form of this command.
Syntax Description
Usage Guidelines
When the interim-interval command is configured, the ISG sends accounting records at the specified interval so that there is a written log of the accounting events that occurred between the Accounting-Start and Accounting-Stop records.
Examples
The following example shows an ISG prepaid feature configuration in which the interval for interim prepaid accounting is set to 5 minutes:
subscriber feature prepaid conf-prepaid
 interim-interval 5
 threshold time 20
 threshold volume 0
 method-list accounting ap-mlist
 method-list authorization default
 password cisco
Related Commands
ip access-group
To apply an IP access list or object group access control list (OGACL) to an interface or a service policy map, use the ip access-group command in the appropriate configuration mode. To remove an IP access list or OGACL, use the no form of this command.
ip access-group {access-list-name | access-list-number} {in | out}
no ip access-group {access-list-number | access-list-name} {in | out}
Syntax Description
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
If the specified access list does not exist, all packets are passed (no warning message is issued).
Applying Access Lists to Interfaces
Access lists or OGACLs are applied on either outbound or inbound interfaces. For standard inbound access lists, after an interface receives a packet, the Cisco IOS software checks the source address of the packet against the access list. For extended access lists or OGACLs, the networking device also checks the destination access list or OGACL. If the access list or OGACL permits the address, the software continues to process the packet. If the access list or OGACL rejects the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) host unreachable message. For standard outbound access lists, after a device receives and routes a packet to a controlled interface, the software checks the source address of the packet against the access list. For extended access lists or OGACLs, the networking device also checks the destination access list or OGACL. If the access list or OGACL permits the address, the software sends the packet. If the access list or OGACL rejects the address, the software discards the packet and returns an ICMP host unreachable message. When you enable outbound access lists or OGACLs, you automatically disable autonomous switching for that interface. When you enable inbound access lists or OGACLs on any CBus or CxBus interface, you automatically disable autonomous switching for all interfaces (with one exception: a Storage Services Enabler (SSE) configured with simple access lists can still switch packets, on output only).
Applying Access Lists or OGACLs to Service Policy Maps
You can use the ip access-group command to configure Intelligent Services Gateway (ISG) per-subscriber firewalls.
Per-subscriber firewalls are Cisco IOS IP access lists or OGACLs that are used to prevent subscribers, services, and pass-through traffic from accessing specific IP addresses and ports. ACLs and OGACLs can be configured in user profiles or service profiles on an authentication, authorization, and accounting (AAA) server or in service policy maps on an ISG. OGACLs or numbered or named IP access lists can be configured on the ISG, or the ACL or OGACL statements can be included in the profile configuration. When an ACL or OGACL is added to a service, all subscribers of that service are prevented from accessing the specified IP address, subnet mask, and port combinations through the service.
Examples
The following example applies list 101 to packets outbound from Ethernet interface 0:
Router> enable
Router# configure terminal
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 101 out
Related Commands
ip portbundle (global)
To enable portbundle configuration mode, in which Intelligent Services Gateway (ISG) port-bundle host key parameters can be configured, use the ip portbundle command in global configuration mode. To remove the configuration of the port-bundle host key parameters and release all the port bundles in use, use the no form of this command.
Usage Guidelines
Entering the no ip portbundle command in global configuration mode removes the configuration of port-bundle host key parameters and releases all the port bundles in use by the sessions.
Examples
The following example shows how to configure the ISG Port-Bundle Host Key feature to apply to all sessions:
policy-map type service ISGPBHKService
 ip portbundle
!
policy-map type control PBHKRule
 class type control always event session-start
  1 service-policy type service ISGPBHKService
!
service-policy type control PBHKRule
interface ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip portbundle outside
!
ip portbundle
 match access-list 101
 length 5
 source ethernet0/0
Related Commands
ip portbundle (service policy-map)
To enable the Intelligent Services Gateway (ISG) Port-Bundle Host Key feature for a service, use the ip portbundle command in service policy-map configuration mode. To disable the ISG Port-Bundle Host Key feature, use the no form of this command.
Usage Guidelines
When the ISG Port-Bundle Host Key feature is configured, TCP packets from subscribers are mapped to a local IP address for the ISG and a range of ports. This mapping allows the portal to identify the ISG gateway from which the session originated. The ISG Port-Bundle Host Key feature can be enabled in a service policy map on the router by using the ip portbundle command. The feature can also be enabled in a service profile or user profile on a AAA server.
Examples
The following example shows how to configure the ISG Port-Bundle Host Key feature to apply to all sessions. The ISG Port-Bundle Host Key feature is enabled in the service policy map called "ISGPBHKService".
policy-map type service ISGPBHKService
 ip portbundle
!
policy-map type control PBHKRule
 class type control always event session-start
  1 service-policy type service ISGPBHKService
!
service-policy type control PBHKRule
interface ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip portbundle outside
!
ip portbundle
 match access-list 101
 length 5
 source ethernet0/0
Related Commands
ip portbundle outside
To configure an Intelligent Services Gateway (ISG) to translate the destination IP address and TCP port to the actual subscriber IP address and TCP port for traffic going from the portal to the subscriber, use the ip portbundle outside command in interface configuration mode. To disable ISG port-bundle host key translation, use the no form of this command.
Usage Guidelines
The ip portbundle outside command must be configured on ISG interfaces that reach the portal.
Examples
The following example configures ISG to translate the destination IP address and TCP port to the actual subscriber IP address and TCP port for traffic going from the portal to the subscriber. Ethernet interface 0/0 is an interface that reaches the portal.
interface ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip portbundle outside
Related Commands
ip route-cache
To control the use of switching methods for forwarding IP packets, use the ip route-cache command in interface configuration mode. To disable any of these switching methods, use the no form of this command.
ip route-cache [cef | distributed | flow | policy | same-interface]
no ip route-cache [cef | distributed | flow | policy | same-interface]
Syntax Description
Command History
Usage Guidelines
IP Route Cache
Using the route cache is often called fast switching. The route cache allows outgoing packets to be load-balanced on a per-destination basis rather than on a per-packet basis. The ip route-cache command with no additional keywords enables fast switching. Entering the ip route-cache command has no effect on a subinterface. Subinterfaces accept the no form of the command; however, this disables Cisco Express Forwarding or distributed Cisco Express Forwarding on the physical interface and all subinterfaces associated with the physical interface. The default behavior for fast switching varies by interface and media.
IP Route Cache Same Interface
You can enable IP fast switching when the input and output interfaces are the same interface by using the ip route-cache same-interface command. This configuration is normally not recommended, although it is useful when you have partially meshed media, such as Frame Relay, or when you are running Web Cache Communication Protocol (WCCP) redirection. You could use this feature on other interfaces, although it is not recommended because it would interfere with redirection of packets to the optimal path.
IP Route Cache Flow
The flow caching option can be used in conjunction with Cisco Express Forwarding switching to enable NetFlow, which allows statistics to be gathered with a finer granularity. The statistics include IP subprotocols, well-known ports, total flows, average number of packets per flow, and average flow lifetime.
IP Route Cache Distributed The distributed option is supported on Cisco routers with line cards and Versatile Interface Processors (VIPs) that support Cisco Express Forwarding switching. On Cisco routers with Route/Switch Processor (RSP) and VIP controllers, the VIP hardware can be configured to switch packets received by the VIP with no per-packet intervention on the part of the RSP. When VIP distributed switching is enabled, the input VIP interface tries to switch IP packets instead of forwarding them to the RSP for switching. Distributed switching helps decrease the demand on the RSP. If the ip route-cache distributed, ip cef distributed, and ip route-cache flowcommands are configured, the VIP performs distributed Cisco Express Forwarding switching and collects a finer granularity of flow statistics. IP Route-Cache Cisco Express Forwarding In some instances, you might want to disable Cisco Express Forwarding or distributed Cisco Express Forwarding on a particular interface because that interface is configured with a feature that Cisco Express Forwarding or distributed Cisco Express Forwarding does not support. Because all interfaces that support Cisco Express Forwarding or distributed Cisco Express Forwarding are enabled by default when you enable Cisco Express Forwarding or distributed Cisco Express Forwarding operation globally, you must use the no form of the ip route-cache distributedcommand in the interface configuration mode to turn Cisco Express Forwarding or distributed Cisco Express Forwarding operation off a particular interface. Disabling Cisco Express Forwarding or distributed Cisco Express Forwarding on an interface disables Cisco Express Forwarding or distributed Cisco Express Forwarding switching for packets forwarded to the interface, but does not affect packets forwarded out of the interface. 
Additionally, when you disable distributed Cisco Express Forwarding on the RSP, Cisco IOS software switches packets using the next-fastest switch path (Cisco Express Forwarding). Enabling Cisco Express Forwarding globally disables distributed Cisco Express Forwarding on all interfaces. Disabling Cisco Express Forwarding or distributed Cisco Express Forwarding globally enables process switching on all interfaces.
IP Route Cache Policy If Cisco Express Forwarding is already enabled, the ip route-cache route command is not required because PBR packets are Cisco Express Forwarding-switched by default. Before you can enable fast-switched PBR, you must first configure PBR. FSPBR supports all of PBRâs match commands and most of PBRâs set commands, with the following restrictions:
Examples

The following example shows how to enable fast switching and disable Cisco Express Forwarding switching:

Router(config)# interface ethernet 0/0/0
Router(config-if)# ip route-cache

The following example shows that fast switching is enabled:
Router# show ip interface fastEthernet 0/0/0
FastEthernet0/0/0 is up, line protocol is up
Internet address is 10.1.1.254/24
Broadcast address is 255.255.255.224
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Distributed switching is disabled
IP Feature Fast switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
The following example shows that Cisco Express Forwarding switching is disabled:
Router# show cef interface fastEthernet 0/0/0
FastEthernet0/0/0 is up (if_number 3)
Corresponding hwidb fast_if_number 3
Corresponding hwidb firstsw->if_number 3
Internet address is 10.1.1.254/24
ICMP redirects are always sent
Per packet load-sharing is disabled
IP unicast RPF check is disabled
Inbound access list is not set
Outbound access list is not set
IP policy routing is disabled
Hardware idb is FastEthernet0/0/0
Fast switching type 1, interface type 18
IP CEF switching disabled
IP Feature Fast switching turbo vector
IP Null turbo vector
Input fast flags 0x0, Output fast flags 0x0
ifindex 1(1)
Slot 0 Slot unit 0 VC -1
Transmit limit accumulator 0x48001A02 (0x48001A02)
IP MTU 1500
The following example shows the configuration information for FastEthernet interface 0/0/0:
Router# show running-config
.
.
!
interface FastEthernet0/0/0
ip address 10.1.1.254 255.255.255.0
no ip route-cache cef
no ip route-cache distributed
!
The following example shows how to enable Cisco Express Forwarding (and to disable distributed Cisco Express Forwarding if it is enabled):
Router(config-if)# ip route-cache cef
The following example shows how to enable VIP distributed Cisco Express Forwarding and per-flow accounting on an interface (regardless of the previous switching type enabled on the interface):

Router(config)# interface e0
Router(config-if)# ip address 10.252.245.2 255.255.255.0
Router(config-if)# ip route-cache distributed
Router(config-if)# ip route-cache flow

The following example shows how to enable Cisco Express Forwarding on the router globally (which also disables distributed Cisco Express Forwarding on any interfaces that are running distributed Cisco Express Forwarding), and disable Cisco Express Forwarding (which enables process switching) on Ethernet interface 0:

Router(config)# ip cef
Router(config)# interface e0
Router(config-if)# no ip route-cache cef

The following example shows how to enable distributed Cisco Express Forwarding operation on the router (globally), and disable Cisco Express Forwarding operation on Ethernet interface 0:

Router(config)# ip cef distributed
Router(config)# interface e0
Router(config-if)# no ip route-cache cef

The following example shows how to reenable distributed Cisco Express Forwarding operation on Ethernet interface 0:

Router(config)# ip cef distributed
Router(config)# interface e0
Router(config-if)# ip route-cache distributed

Examples

The following example shows how to enable fast switching on the same interface:

Router(config)# interface ethernet 0/0/0
Router(config-if)# ip route-cache same-interface

The following example shows that fast switching on the same interface is enabled for interface fastethernet 0/0/0:
Router# show ip interface fastEthernet 0/0/0
FastEthernet0/0/0 is up, line protocol is up
Internet address is 10.1.1.254/24
Broadcast address is 255.255.255.224
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP Distributed switching is disabled
IP Feature Fast switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP multicast multilayer switching is disabled
The following example shows the configuration information for FastEthernet interface 0/0/0:
Router# show running-config
.
.
!
interface FastEthernet0/0/0
ip address 10.1.1.254 255.255.255.0
ip route-cache same-interface
no ip route-cache cef
no ip route-cache distributed
!
Examples

The following example shows how to enable NetFlow switching:

Router(config)# interface ethernet 0/0/0
Router(config-if)# ip route-cache flow

The following example shows that NetFlow accounting is enabled for FastEthernet interface 0/0/0:
Router# show ip interface fastEthernet 0/0/0
FastEthernet0/0/0 is up, line protocol is up
Internet address is 10.1.1.254/24
Broadcast address is 255.255.255.224
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is enabled
IP Distributed switching is disabled
IP Flow switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP multicast multilayer switching is disabled
Examples

The following example shows how to enable distributed switching:

Router(config)# ip cef distributed
Router(config)# interface ethernet 0/0/0
Router(config-if)# ip route-cache distributed

The following example shows that distributed Cisco Express Forwarding switching is enabled for FastEthernet interface 0/0/0:
Router# show cef interface fastEthernet 0/0/0
FastEthernet0/0/0 is up (if_number 3)
Corresponding hwidb fast_if_number 3
Corresponding hwidb firstsw->if_number 3
Internet address is 10.1.1.254/24
ICMP redirects are always sent
Per packet load-sharing is disabled
IP unicast RPF check is disabled
Inbound access list is not set
Outbound access list is not set
IP policy routing is disabled
Hardware idb is FastEthernet0/0/0
Fast switching type 1, interface type 18
IP Distributed CEF switching enabled
IP Feature Fast switching turbo vector
IP Feature CEF switching turbo vector
Input fast flags 0x0, Output fast flags 0x0
ifindex 1(1)
Slot 0 Slot unit 0 VC -1
Transmit limit accumulator 0x48001A02 (0x48001A02)
IP MTU 1500
Examples

The following example shows how to configure a simple policy-based routing scheme and to enable FSPBR:

Router(config)# access-list 1 permit 10.1.1.0 0.0.0.255
Router(config)# route-map mypbrtag permit 10
Router(config-route-map)# match ip address 1
Router(config-route-map)# set ip next-hop 10.1.1.195
Router(config-route-map)# exit
Router(config)# interface fastethernet 0/0/0
Router(config-if)# ip route-cache policy
Router(config-if)# ip policy route-map mypbrtag

The following example shows that FSPBR is enabled for FastEthernet interface 0/0/0:
Router# show ip interface fastEthernet 0/0/0
FastEthernet0/0/0 is up, line protocol is up
Internet address is 10.1.1.254/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP Distributed switching is enabled
IP Feature Fast switching turbo vector
IP Feature CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Distributed, Policy, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is enabled, using route map my_pbr_tag
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
IP multicast multilayer switching is disabled
Related Commands
ip source

To create a static session server source address, use the ip source command in server list configuration mode. To remove the static session server source address, use the no form of this command.

ip source ip-address [mac mac-address | mask network-mask]
no ip source ip-address [mac mac-address | mask network-mask]
Usage Guidelines

The static session source address can be created only after creating an ip subscriber static server list name. The mask keyword must be used for routed interfaces, and the mac keyword must be used for Layer 2 connected interfaces.

ip subscriber

To enable Intelligent Services Gateway (ISG) IP subscriber support on an interface and to specify the access method that IP subscribers will use to connect to ISG on an interface, use the ip subscriber command in interface configuration mode. To disable ISG IP session support on an interface, use the no form of this command.

Syntax Description
Command History
Usage Guidelines

One access method may be specified on an interface at a time. The ip subscriber command enables IP subscriber configuration mode, in which the triggers for IP session initiation can be configured. Use the no ip subscriber command to disable IP session support on the interface. Entering the no ip subscriber command removes the commands that were entered in IP subscriber configuration submode from the configuration. It also removes the ip subscriber command from the configuration. After the no ip subscriber command has been entered, no new IP sessions will be created on the interface. IP sessions that were already created will not be brought down, but ISG will not execute any features on those sessions.
Examples

The following example shows how to configure ISG to create IP sessions for subscribers who connect to ISG on Gigabit Ethernet interface 0/1.401 through a Layer 2 connected access network. ISG will create IP sessions upon receipt of any frame with a valid source MAC address.

interface GigabitEthernet0/1.401
 ip subscriber l2-connected
  initiator unclassified mac-address

ip subscriber interface

To create an Intelligent Services Gateway (ISG) IP interface session, use the ip subscriber interface command in interface configuration mode. To remove the IP interface session, use the no form of this command.

Command History
Usage Guidelines

An IP interface session includes all IP traffic received on a specific physical or virtual interface. IP interface sessions are provisioned through the command-line interface (CLI); that is, a session is created when the IP interface session commands are entered, and the session is continuous, even when the interface is shut down. By default, IP interface sessions come up in the state "unauthenticated" with full network access. When access interfaces are used to identify IP subscribers, each access interface corresponds to a single IP subscriber. As soon as the access interface becomes available, ISG creates an IP session using the interface as the key, and associates all IP traffic coming into and going out of this interface with the IP session. For interface IP sessions, ISG classifies IP traffic as follows:

IP interface sessions might be used in situations in which a subscriber is represented by an interface (with the exception of PPP) and communicates using more than one IP address. For example, a subscriber using routed bridge encapsulation (RBE) access might have a dedicated ATM virtual circuit (VC) to home customer premises equipment (CPE) that is hosting multiple PCs.

ip subscriber list

To create an ip subscriber static server list group name, use the ip subscriber list command in global configuration mode. To remove a static server list group, use the no form of this command.

Usage Guidelines

Static sessions are removed for all interfaces associated with the current list when you exit ip subscriber list mode. The no ip subscriber list command is rejected if the server list is used by any other interface.

ip vrf autoclassify

To enable Virtual Routing and Forwarding (VRF) autoclassify on a source interface, use the ip vrf autoclassify command in interface configuration mode. To remove VRF autoclassify, use the no form of this command.

Syntax Description
Usage Guidelines

The ip vrf autoclassify command enables the capability to map packets from connected hosts to VRFs that are different from the VRF defined on the ingress interface. It also enables the configuration of policies that are required for the mapping of packets to the VRFs depending on whether the source address of the packet belongs to those connected routes. The routing information can be learned dynamically or statically defined.

Examples

In the following example, the Fast Ethernet interface 0/0 is configured with two secondary addresses, 1.1.1.1/24 and 2.1.1.1/24. The first address, 1.1.1.1/24, is assigned to VRF red, while the other, 2.1.1.1/24, is assigned to VRF green. So in the VRF red table, a connected route 1.1.1.0/24 is installed, while in VRF green, 2.1.1.0/24 is installed:

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0 secondary vrf red
 ip address 2.1.1.1 255.255.255.0 secondary vrf green
 ip vrf autoclassify source

There is a default route in VRF red that directs all traffic to Fast Ethernet interface 1/0, while in VRF green, another default route directs all traffic to Fast Ethernet interface 1/1. When packets arrive at Fast Ethernet interface 0/0, they are mapped to either VRF red or VRF green based on their source address. If the source address is 1.1.1.2, connected route 1.1.1.0/24 is used, and the packet is mapped to VRF red. Following the default route, it is forwarded out of Fast Ethernet interface 1/0. The return packets are mapped to the VRF configured on the downstream interface. Refer to the ip vrf forwarding command in the Cisco IOS Switching Services Command Reference, Release 12.3T, for more information.

Related Commands
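The source-address classification described above, modelled as an added Python example (not Cisco IOS code) over constructed VRF tables that mirror the scenario: connected routes 1.1.1.0/24 (VRF red) and 2.1.1.0/24 (VRF green) on FastEthernet0/0, and a default route per VRF to a different egress interface. Because placement is decided by the source address alone, a packet whose source lies in the other subnet lands in the other VRF; the model makes that visible, and the behaviour for a source that matches no connected route is an assumption (the page does not describe it).

```python
"""Source-address VRF autoclassify, modelled in Python.

Added example, not Cisco IOS code. Tables below are constructed to
match the ip vrf autoclassify example: FastEthernet0/0 carries
connected routes 1.1.1.0/24 (VRF red) and 2.1.1.0/24 (VRF green);
each VRF has a default route to a different egress interface.
"""
from ipaddress import ip_address, ip_network

# Constructed per-VRF tables: list of (prefix, egress interface).
VRF_TABLES = {
    "red": [
        (ip_network("1.1.1.0/24"), "FastEthernet0/0"),   # connected
        (ip_network("0.0.0.0/0"), "FastEthernet1/0"),    # default
    ],
    "green": [
        (ip_network("2.1.1.0/24"), "FastEthernet0/0"),   # connected
        (ip_network("0.0.0.0/0"), "FastEthernet1/1"),    # default
    ],
}

# Connected routes of the autoclassify source interface: prefix -> VRF.
AUTOCLASSIFY_SOURCES = {
    ip_network("1.1.1.0/24"): "red",
    ip_network("2.1.1.0/24"): "green",
}


def classify_vrf(src):
    """Pick the VRF whose connected route covers the packet *source*
    most specifically; None when no connected route covers it."""
    src = ip_address(src)
    best = None
    for prefix, vrf in AUTOCLASSIFY_SOURCES.items():
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, vrf)
    return best[1] if best else None


def lookup(vrf, dst):
    """Longest-prefix match of dst in one VRF table -> egress interface."""
    dst = ip_address(dst)
    matches = [(p, egress) for p, egress in VRF_TABLES[vrf] if dst in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(src, dst):
    """Return (vrf, egress) for a packet arriving on FastEthernet0/0.

    Assumption: a source outside every connected route is not mapped
    to either VRF and is reported as (None, None)."""
    vrf = classify_vrf(src)
    if vrf is None:
        return (None, None)
    return (vrf, lookup(vrf, dst))


if __name__ == "__main__":
    for src in ("1.1.1.2", "2.1.1.7", "10.0.0.1"):
        print(src, "->", forward(src, "192.0.2.10"))
```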
ip vrf forwarding (service policy map)

To associate a virtual routing/forwarding instance (VRF) with an Intelligent Services Gateway (ISG) service policy map, use the ip vrf forwarding command in service policy map configuration mode. To disassociate a VRF, use the no form of this command.

Syntax Description

Command History

Usage Guidelines

Use the ip vrf forwarding command to configure a network-forwarding policy for IP sessions in an ISG service policy map.

keepalive (ISG)

To enable keepalive packets and to specify their transmission attributes, use the keepalive command in service policy map configuration mode. To disable keepalive packets, use the no form of this command.

keepalive [idle idle-seconds] [attempts max-retries] [interval retry-seconds] [protocol {ARP | ICMP [broadcast]}]
no keepalive

Syntax Description
Usage Guidelines

If you enter only the keepalive command with no keywords or arguments, default values are set. Values are platform- and release-specific. For more information, use the question mark (?) online help function.

Keepalive Message Protocol

For a directly connected host, ARP must be used. When the session is established and the keepalive feature is configured to use ARP, the keepalive feature saves the ARP entry as a valid original entry for verifying future ARP responses.

For routed hosts, you can configure ICMP as the protocol for keepalive messages. If ICMP is configured, the ICMP "hello" request is sent to the subscriber and checked for a response, until the configured maximum number of attempts is exceeded. For IP subnet sessions, the peer (destination) IP addresses used for ICMP "hello" requests are all the IP addresses within the subnet. This means "hello" requests will be sent sequentially (not simultaneously) to all the possible hosts within that subnet. If there is no response from any host in that subnet, the session will be disconnected. There is an option to configure ICMP directed broadcast for keepalive requests. If the subscriber hosts recognize the IP subnet broadcast address, the ISG can send the ICMP "hello" request to the subnet broadcast address. The subscribers need not be on the same subnet as the ISG for this configuration to work. A directed broadcast keepalive request can work multiple hops away as long as the following conditions are satisfied:

When these two conditions are satisfied, you can optimize the ICMP keepalive configuration to minimize the number of ICMP packets.
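The ICMP keepalive behaviour for an IP subnet session, modelled as an added Python example (not Cisco code) so the packet-count argument behind the directed-broadcast option can be checked: a unicast sweep costs one hello per host per attempt, a directed broadcast costs one hello per attempt. Responders and subnets are constructed; that the sweep stops at the first reply, and that attempts are spaced one interval apart, are assumptions the page does not state.

```python
"""Model of ISG ICMP keepalive probing for an IP subnet session.

Added example, not Cisco IOS code. Per the page: hello requests go to
every address of the subnet sequentially; the session is disconnected
if no host answers before the attempt limit is exceeded; with the
broadcast option a single hello goes to the subnet broadcast address.
"""
from ipaddress import ip_address, ip_network


class KeepaliveProbe:
    def __init__(self, attempts=5, interval=5, broadcast=False):
        self.attempts = attempts      # keepalive attempts max-retries
        self.interval = interval      # keepalive interval retry-seconds
        self.broadcast = broadcast    # keepalive protocol ICMP broadcast
        self.sent = []                # (attempt, destination) per hello sent

    def probe(self, subnet, responders):
        """True if some host in the subnet answered, False if the
        session should be torn down. responders is a constructed set of
        host addresses that would reply to a hello."""
        net = ip_network(subnet)
        live = {ip_address(r) for r in responders}
        for attempt in range(1, self.attempts + 1):
            if self.broadcast:
                # One request to the directed broadcast address; any
                # host that recognises it may answer.
                self.sent.append((attempt, str(net.broadcast_address)))
                if any(h in live for h in net.hosts()):
                    return True
            else:
                # Sequential sweep; assumption: stop at the first reply.
                for host in net.hosts():
                    self.sent.append((attempt, str(host)))
                    if host in live:
                        return True
        return False

    def worst_case_packets(self, subnet):
        """Hellos sent before disconnect when nobody answers."""
        per_attempt = 1 if self.broadcast else sum(1 for _ in ip_network(subnet).hosts())
        return self.attempts * per_attempt

    def worst_case_seconds(self):
        """Detection delay after the idle timer fires, assuming one
        attempt per interval (assumption)."""
        return self.attempts * self.interval


if __name__ == "__main__":
    for bc in (False, True):
        p = KeepaliveProbe(attempts=5, interval=5, broadcast=bc)
        print("broadcast" if bc else "unicast", "/24 worst case:",
              p.worst_case_packets("192.0.2.0/24"), "packets")
```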
Examples

The following example shows how to set the idle time to 120 seconds with 5 retry attempts at 5-second intervals using the ARP protocol. Examples of both on-box and AAA server configurations are provided:

<On Box Configuration>
policy-map type service Keepalive
 keepalive idle 120 attempts 5 interval 5 protocol ARP

<AAA Server Configuration>
vsa cisco generic 1 string "subscriber:keepalive=idle 120 attempts 5 interval 5 protocol ARP"

key (ISG RADIUS proxy)

To configure the shared key between Intelligent Services Gateway (ISG) and a RADIUS proxy client, use the key command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode. To remove this configuration, use the no form of this command.

Usage Guidelines

The shared key can be specified globally for all RADIUS proxy clients, or it can be specified per client. The per-client configuration of this command overrides the global configuration.

Examples

The following example shows the configuration of global RADIUS proxy parameters and client-specific parameters for two RADIUS proxy clients. Because a shared secret is not configured specifically for client 10.1.1.1, it will inherit the shared secret specification, which is "cisco", from the global RADIUS proxy configuration. Client 10.2.2.2 will use "systems" as the shared secret.

aaa server radius proxy
 key cisco
 client 10.1.1.1
  accounting port 1813
  authentication port 1812
 !
 client 10.2.2.2
  key systems
 !

length (ISG)

To specify the Intelligent Services Gateway (ISG) port-bundle length, which determines the number of bundles per group and the number of ports per bundle, use the length command in portbundle configuration mode. To return the port-bundle length to the default value, use the no form of this command.

Usage Guidelines

The port-bundle length is used to determine the number of bundles in one group and the number of ports in one bundle.

The number of ports in a bundle is the number of simultaneous TCP sessions that a subscriber can have. By default, the port-bundle length is 4 bits. The maximum port-bundle length is 10 bits. See the table below for available port-bundle length values and the resulting ports-per-bundle and bundles-per-group values. Increasing the port-bundle length can be useful when you see frequent error messages about running out of ports in a port bundle, but note that the new value does not take effect until ISG next reloads and the portal server restarts.

Examples

The following example results in 64 ports per bundle and 1008 bundles per group:

ip portbundle
 length 6

Related Commands
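Port-bundle sizing as an added Python example (not Cisco code). The page gives the default (4 bits), the maximum (10 bits) and one data point (length 6 gives 64 ports per bundle and 1008 bundles per group); the formula below reproduces that data point on the assumption that the 1024 well-known ports of the 65536-port space are excluded from bundling, and that 4 bits is also the minimum length. Both are assumptions, not statements from the page. The helper that picks a length for a required number of simultaneous TCP sessions is the practical use: it is the question an operator asks when the "out of ports" messages the page mentions start appearing.

```python
"""ISG port-bundle sizing.

Added example, not Cisco IOS code. Assumptions (not from the page):
ports 0-1023 are excluded from bundling, and 4 bits is the smallest
permitted length. The page states the default (4), the maximum (10)
and that length 6 yields 64 ports per bundle, 1008 bundles per group.
"""

TOTAL_PORTS = 65536
RESERVED_PORTS = 1024           # assumption: well-known ports not bundled
MIN_LENGTH, MAX_LENGTH = 4, 10  # minimum is an assumption; maximum per page
DEFAULT_LENGTH = 4              # per page


def ports_per_bundle(length: int) -> int:
    """A bundle spans 2**length consecutive ports; this is also the
    number of simultaneous TCP sessions one subscriber can hold."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"port-bundle length must be {MIN_LENGTH}..{MAX_LENGTH} bits")
    return 1 << length


def bundles_per_group(length: int) -> int:
    """Bundles that fit in one group (one ISG source address)."""
    return (TOTAL_PORTS - RESERVED_PORTS) // ports_per_bundle(length)


def sizing_table() -> dict:
    """length -> (ports per bundle, bundles per group) for every length."""
    return {n: (ports_per_bundle(n), bundles_per_group(n))
            for n in range(MIN_LENGTH, MAX_LENGTH + 1)}


def length_for_sessions(simultaneous_tcp_sessions: int) -> int:
    """Smallest length whose bundle holds the required sessions per
    subscriber; the trade-off is fewer bundles (subscribers) per group."""
    for n in range(MIN_LENGTH, MAX_LENGTH + 1):
        if ports_per_bundle(n) >= simultaneous_tcp_sessions:
            return n
    raise ValueError("requirement exceeds the largest bundle")


if __name__ == "__main__":
    for n, (ports, bundles) in sizing_table().items():
        print(f"length {n:2d}: {ports:5d} ports/bundle, {bundles:5d} bundles/group")
```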
less-than

To create a condition that will evaluate true if the subscriber network access server (NAS) port identifier is less than the specified value, use the less-than command in control class-map configuration mode. To remove the condition, use the no form of this command.

less-than [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
no less-than [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

Syntax Description

Command Default

A condition that will evaluate true if the subscriber network access server (NAS) port identifier is less than the specified value is not created.

Usage Guidelines

The less-than command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true. The class type control command is used to associate a control class map with a control policy map.

Examples

The following example shows a control class map that evaluates true for only a specific range of ATM permanent virtual circuit (PVC) VCIs, 101-104 inclusive. Both conditions must hold for the class to match, so the class map uses match-all:

class-map type control match-all MY-CONDITION
 greater-than nas-port type atm vpi 200 vci 100
 less-than nas-port type atm vpi 200 vci 105

Related Commands
less-than-or-equal

To create a condition that will evaluate true if the subscriber network access server (NAS) port identifier is less than or equal to the specified value, use the less-than-or-equal command in control class-map configuration mode. To remove the condition, use the no form of this command.

less-than-or-equal [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
no less-than-or-equal [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}

Syntax Description

Command Default

A condition that will evaluate true if the subscriber NAS port identifier is less than or equal to the specified value is not created.

Usage Guidelines

The less-than-or-equal command is used to configure a condition within a control class map. A control class map, which is configured with the class-map type control command, specifies conditions that must be met for a control policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map can contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the conditions must evaluate true in order for the class as a whole to evaluate true. The class type control command is used to associate a control class map with a control policy map.

Examples

The following example shows a control class map called "class3" configured with three conditions. The match-all keyword indicates that all of the conditions must evaluate true before the class evaluates true. The class type control command associates "class3" with the control policy map called "rule4".

class-map type control match-all class3
 less-than-or-equal nas-port port 1000
!
policy-map type control rule4
 class type control class3 event session-start
  1 authorize identifier nas-port

Related Commands