Cisco IOS XE Intelligent Services Configuration Manual

Intelligent services gateway

Cisco IOS XE Intelligent Services Gateway
Configuration Guide
Release 2
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883


Summary of Contents for Cisco IOS XE Intelligent Services

  • Page 1 Cisco IOS XE Intelligent Services Gateway Configuration Guide Release 2 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 2 OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3 Cisco networking devices. Audience The Cisco IOS XE documentation set is intended for users who configure and maintain Cisco networking devices (such as routers and switches) but who may not be familiar with the configuration and maintenance tasks, the relationship among tasks, or the Cisco IOS commands necessary to perform particular tasks.
  • Page 4: Documentation Conventions

    Documentation Conventions Documentation Conventions In Cisco IOS XE documentation, the term router may be used to refer to various Cisco products; for example, routers, access servers, and switches. These and other networking devices that support Cisco IOS XE software are shown interchangeably in examples and are used only for illustrative purposes.
  • Page 5 Timesaver paragraph. Documentation Organization This section describes the Cisco IOS XE documentation set, how it is organized, and how to access it on Cisco.com. Listed are configuration guides, command references, and supplementary references and resources that comprise the documentation set.
  • Page 6 Cisco IOS XE features and the processes that comprise the related configuration guides. For each technology, there is a single command reference that covers all Cisco IOS XE releases and that is updated at each standard release. •...
  • Page 7 The command references contain commands for both Cisco IOS software and Cisco IOS XE software, for all releases. The command references support many different software releases and platforms. Your Cisco IOS XE software release or platform may not support all these technologies.
  • Page 8 About Cisco IOS XE Software Documentation Documentation Organization Table 1 Cisco IOS XE Configuration Guides and Command References (continued) Configuration Guide and Command Reference Titles Features/Protocols/Technologies Cisco IOS XE DECnet Configuration Guide DECnet protocol. • Cisco IOS DECnet Command Reference •...
  • Page 9 About Cisco IOS XE Software Documentation Documentation Organization Table 1 Cisco IOS XE Configuration Guides and Command References (continued) Configuration Guide and Command Reference Titles Features/Protocols/Technologies Cisco IOS XE IP Routing: ODR Configuration Guide On-Demand Routing (ODR). • Cisco IOS IP Routing: ODR Command Reference •...
  • Page 10 About Cisco IOS XE Software Documentation Documentation Organization Table 1 Cisco IOS XE Configuration Guides and Command References (continued) Configuration Guide and Command Reference Titles Features/Protocols/Technologies Cisco IOS XE Quality of Service Solutions Class-based weighted fair queueing (CBWFQ), low latency •...
  • Page 11 Border Element (SP Edition) can operate in two modes or deployment models: unified and distributed. The configuration guide documents the features in the unified mode. Table 2 lists documents and resources that supplement the Cisco IOS XE software configuration guides and command references.
  • Page 12 Cisco product security overview • Product alerts and field notices • Technical assistance Cisco IOS XE software technical documentation includes embedded feedback forms where you can rate documents and provide suggestions for improvement. Your feedback helps us improve our documentation.
  • Page 13 Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks;...
  • Page 14 About Cisco IOS XE Software Documentation Additional Resources and Documentation Feedback...
  • Page 15 Saving Changes to a Configuration, page xii • Additional Information, page xii • For more information about using the CLI, see “Part 1: Using the Cisco IOS Command-Line Interface (CLI)” of the Cisco IOS XE Configuration Fundamentals Configuration Guide. For information about the software documentation set, see the “About Cisco IOS XE Software...
  • Page 16: Using The Cli

    • Change the behavior of the port; for example, by adding a password or changing the timeout value. Note: The AUX port on the Route Processor (RP) installed in a Cisco ASR 1000 series router does not serve any useful customer purpose and should be accessed only under the advisement of a customer support representative.
  • Page 17 Using the Command-Line Interface in Cisco IOS XE Software Using the CLI Table 1 CLI Command Modes Command Access Method Prompt Exit Method Mode Usage Mode User EXEC Log in. Router> Issue the logout or exit • Change terminal settings.
  • Page 18 Using the Command-Line Interface in Cisco IOS XE Software Using the CLI Table 1 CLI Command Modes (continued) Command Access Method Prompt Exit Method Mode Usage Mode ROM monitor From privileged EXEC Issue the continue Run as the default rommon # >...
  • Page 19 Using the Command-Line Interface in Cisco IOS XE Software Using the CLI EXEC commands are not saved when the software reboots. Commands that you issue in a configuration mode can be saved to the startup configuration. If you save the running configuration to the startup configuration, these commands will execute when the software is rebooted.
  • Page 20 Using the Command-Line Interface in Cisco IOS XE Software Using the CLI The following examples show how to use the help commands: help Router> help Help may be requested at any point in a command by entering a question mark '?'. If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options.
  • Page 21 Using the Command-Line Interface in Cisco IOS XE Software Using the CLI Table 3 CLI Syntax Conventions Symbol/Text Function Notes < > (angle brackets) Indicate that the option is an Sometimes arguments are displayed argument. without angle brackets. A.B.C.D. Indicates that you must enter a Angle brackets (<...
  • Page 22 When both passwords are set, the enable secret password takes precedence over the enable password. To remove a password, use the no form of the commands: no enable password or no enable secret password. For more information about password recovery procedures for Cisco products, see http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00801746e6.shtml.
  • Page 23 Using the Command-Line Interface in Cisco IOS XE Software Using the CLI To recall commands from the history buffer, use the following methods: Press Ctrl-P or the Up Arrow key—Recalls commands beginning with the most recent command. • Repeat the key sequence to recall successively older commands.
  • Page 24 A debug command produces extensive output that helps you troubleshoot problems in your network. These commands are available for many features and functions within Cisco IOS XE software. Some debug commands are debug all, debug aaa accounting, and debug mpls packets. To use debug commands during a Telnet session with a device, you must first enter the terminal monitor command.
  • Page 25 Using the Command-Line Interface in Cisco IOS XE Software Using the CLI Filtering Output Using Output Modifiers Many commands produce lengthy output that may use several screens to display. You can use output modifiers to filter this output to show only the information that you want to see.
  • Page 26: Additional Information

    CONFIG_FILE environment variable. The CONFIG_FILE variable defaults to NVRAM. Additional Information • “Part 1: Using the Cisco IOS Command-Line Interface (CLI)” of the Cisco IOS XE Configuration Fundamentals Configuration Guide http://www.cisco.com/en/US/docs/ios/ios_xe/fundamentals/configuration/guide/2_xe/cf_xe_book.html “Using Cisco IOS XE Software”...
  • Page 28 Using the Command-Line Interface in Cisco IOS XE Software Additional Information...
  • Page 29: First Published: March

    To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required. Note: Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
  • Page 30 Intelligent Services Gateway Features Roadmap Table 1 Supported ISG Features in Cisco IOS XE Release 2 Release Feature Name Feature Description Where Documented Cisco IOS XE ISG:Session: Creation: ISG IP interface sessions include all IP traffic received Configuring ISG Access Release 2.5...
  • Page 31 Intelligent Services Gateway Features Roadmap Table 1 Supported ISG Features in Cisco IOS XE Release 2 Release Feature Name Feature Description Where Documented Cisco IOS XE ISG:Accounting: ISG accounting provides a means to bill for account or Configuring ISG Release 2.2 Postpaid service usage.
  • Page 32 Intelligent Services Gateway Features Roadmap Table 1 Supported ISG Features in Cisco IOS XE Release 2 Release Feature Name Feature Description Where Documented Cisco IOS XE ISG:Policy Control: ISG control policies are a structured replacement for Configuring ISG Control Release 2.2...
  • Page 33 Intelligent Services Gateway Features Roadmap Table 1 Supported ISG Features in Cisco IOS XE Release 2 Release Feature Name Feature Description Where Documented Cisco IOS XE ISG:Policy Control: ISG supports Cisco’s proprietary protocol to Cisco SSG-to-ISG DSL Release 2.2 Policy Server: communicate with the SESM policy server.
  • Page 34 Intelligent Services Gateway Features Roadmap Table 1 Supported ISG Features in Cisco IOS XE Release 2 Release Feature Name Feature Description Where Documented Cisco IOS XE ISG:Session: Creation: Most ISG sessions are created upon detection of a data Configuring ISG Access Release 2.2...
  • Page 36 Intelligent Services Gateway Features Roadmap...
  • Page 37: Finding Feature Information

    First Published: March 20, 2006 Last Updated: March 2, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers.
  • Page 38: Information About Isg

    Overview of ISG Information About ISG Benefits of ISG, page 6 • Planning for ISG Implementation, page 6 • What Is ISG? ISG is a structured framework in which edge access devices can deliver flexible and scalable services to subscribers. ISG handles the following key aspects of subscriber management: Subscriber identification •...
  • Page 39 Overview of ISG Information About ISG ISG Principles Fundamental to the ISG architecture is the provisioning of a common session layer at which the management of generic subscriber sessions is decoupled from the technology that is used to provide access to the edge device. Within this session management layer, common methods are provided for the extraction of subscriber identity information and the determination and activation of services.
  • Page 40 Overview of ISG Information About ISG Subscriber Access Under ISG, the provisioning and handling of specific access media and protocols is decoupled as far as possible from the functionality that is applicable to all session types. This model has the following benefits: A common set of subscriber services may be used on an ISG at which heterogeneous subscriber •...
  • Page 41 Overview of ISG Information About ISG Services primarily contain traffic policies. There are some restrictions regarding the policies that may be combined in a given service; for example, a service may not contain two traffic policies that specify a different nondefault traffic class unless they apply to different traffic directions (inbound versus outbound).
  • Page 42 Information About ISG Benefits of ISG ISG provides the following benefits: A common system for session management across Cisco products and access technologies. New • access protocols, forwarding protocols, and features may be plugged in with minimal impact and maximum potential for reuse.
  • Page 43 Overview of ISG Information About ISG Trust Model Trust levels are determined by the security needs of a particular application domain and the inherent security afforded by the subscriber network. In the following situations, it may not be necessary to authenticate subscriber identity: When security is not considered paramount •...
  • Page 44 Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
  • Page 45: Feature Information For The Overview Of Isg

    CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks;...
  • Page 46 Overview of ISG Feature Information for the Overview of ISG...
  • Page 47: Table Of Contents

    First Published: March 20, 2006 Last Updated: November 25, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. ISG control policies are a means of defining the actions the system will take in response to specified conditions and events.
  • Page 48: Feature Information For Isg Control Policies" Section On Page

    Configuring ISG Control Policies Prerequisites for Configuring ISG Control Policies Prerequisites for Configuring ISG Control Policies For information about release and platform support, see the “Feature Information for ISG Control Policies” section on page Authentication, authorization, and accounting (AAA) method lists must be configured prior to defining authentication and authorization actions.
  • Page 49 Configuring ISG Control Policies Information About ISG Control Policies Apply the control policy map. A control policy map is activated by applying it to a context. A control policy map can be applied to one or more of the following types of contexts. In the following list, the context types are listed in order of precedence.
  • Page 50: How To Configure An Isg Control Policy

    Configuring ISG Control Policies How to Configure an ISG Control Policy How to Configure an ISG Control Policy Perform the following tasks to configure an ISG control policy: Configuring a Control Class Map, page 4 (required) • Configuring a Control Policy Map, page 8 (required) •...
  • Page 51 Configuring ISG Control Policies How to Configure an ISG Control Policy
        match no-username {no | yes}
        match protocol {atom | ip | pdsn | ppp | vpdn}
        match service-name {service-name | regexp regular-expression}
        match source-ip-address ip-address subnet-mask
        match timer {timer-name | regexp regular-expression}
        match tunnel-name {tunnel-name | regexp regular-expression}
        match unauthenticated-domain {domain-name | regexp regular-expression}
        match unauthenticated-username {username | regexp regular-expression}...
  • Page 52 (Optional) Creates a condition that evaluates true if a regexp regular-expression} subscriber’s authenticated domain matches the specified domain. Example: Router(config-control-classmap)# match authenticated-domain cisco.com Step 11 (Optional) Creates a condition that evaluates true if a match authenticated-username {username | regexp regular-expression} subscriber’s authenticated username matches the specified username.
  • Page 53 Configuring ISG Control Policies How to Configure an ISG Control Policy Command or Action Purpose Step 12 (Optional) Creates a condition that evaluates true if a match dnis {dnis | regexp regular-expression} subscriber’s Dialed Number Identification Service number (DNIS number, also referred to as called-party number) Example: matches the specified DNIS number.
  • Page 54 Configuring ISG Control Policies How to Configure an ISG Control Policy Command or Action Purpose Step 19 (Optional) Creates a condition that evaluates true if a match source-ip-address ip-address subnet-mask subscriber’s source IP address matches the specified IP address. Example: Router(config-control-classmap)# match source-ip-address 10.10.10.10 255.255.255.255 Step 20...
  • Page 55 Configuring ISG Control Policies How to Configure an ISG Control Policy Default Method Lists If you specify the default method list for any of the control policy actions, the default list will not appear in the output of the show running-config command. For example, if you configure the following command:
        Router(config-control-policymap-class-control)# 1 authenticate aaa list default
    the following will display in the output for the show running-config command:...
  • Page 56 Configuring ISG Control Policies How to Configure an ISG Control Policy DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode. Example: Router# configure terminal Step 3...
  • Page 57 Configuring ISG Control Policies How to Configure an ISG Control Policy Command or Action Purpose Step 7 (Optional) Collects the specified subscriber identifier from action-number collect [aaa list list-name] identifier {authen-status | the access protocol. authenticated-domain | authenticated-username | dnis | mac-address | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain |...
  • Page 58 Configuring ISG Control Policies How to Configure an ISG Control Policy Command or Action Purpose Step 13 (Optional) Sets a variable name. action-number set name identifier {authen-status | authenticated-domain | authenticated-username | dnis | mac-address | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username | vrf}...
  • Page 59 Configuring ISG Control Policies How to Configure an ISG Control Policy DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode. Example: Router# configure terminal Step 3...
  • Page 60 Configuring ISG Control Policies How to Configure an ISG Control Policy Command or Action Purpose Step 3 Specifies an interface and enters interface configuration interface type number[.subinterface-number] mode. Example: Router(config)# interface gigabitethernet 0/0/1.1 Step 4 Applies a control policy. service-policy type control policy-map-name Example: Router(config-if)# service-policy type control policy1...
  • Page 61: Configuration Examples For Isg Control Policies

    Configuring ISG Control Policies Configuration Examples for ISG Control Policies Monitoring and Maintaining ISG Control Policies Optionally, you can perform this task to monitor and maintain ISG control policy operation. Steps can be performed in any order. SUMMARY STEPS enable show class-map type control show policy-map type control clear class-map control...
  • Page 62 Configuring ISG Control Policies Configuration Examples for ISG Control Policies Control Policy for Layer 2 Access and Service Provisioning: Example The following example shows how to configure a control policy that produces the following results: VPDN forwarding is applied to anyone dialing in from “example1.com”. •...
  • Page 63 Configuring ISG Control Policies Configuration Examples for ISG Control Policies Unique Session ID: 2022 Identifier: user1@xyz.com SIP subscriber access type(s): PPPoE/PPP Current SIP options: Req Fwding/Req Fwded Session Up-time: 00:08:57, Last Changed: 00:08:57 Interface: Virtual-Access1.1 Policy information: Context 2C655DF0: Handle A2070D8D AAA_id 00007DE8: Flow_handle 0 Authentication status: authen Downloaded User profile, excluding services:...
  • Page 64 Configuring ISG Control Policies Configuration Examples for ISG Control Policies Unique Session ID: 2023 Identifier: user2@abc.com SIP subscriber access type(s): PPPoE/PPP Current SIP options: Req Fwding/Req Fwded Session Up-time: 00:09:17, Last Changed: 00:09:17 Interface: Virtual-Access1.2 Policy information: Context 2C656120: Handle F4070D8E AAA_id 00007DE9: Flow_handle 0 Authentication status: authen Downloaded User profile, excluding services:...
  • Page 65 Configuring ISG Control Policies Configuration Examples for ISG Control Policies Time remaining is 00:02:40 Configuration sources associated with this session: Interface: Virtual-Template1, Active Time = 00:09:19 Control Policy for Restricting Access on the Basis of Interface and Access Media: Example This example shows how to configure a control policy to allow access only to users who enter the router from a particular interface and access type.
  • Page 66: Additional References

    RULEA
     class type control CONDA event session-start
      1 authorize aaa list TAL_LIST password cisco identifier source-ip-address
      2 apply aaa list LOCAL service redirectprofile
      3 set-timer TIMERB 5 minutes
     class type control CONDF event timed-policy-expiry...
  • Page 67: Feature Information For Isg Control Policies

    An account on Cisco.com is not required. Note: Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that...
  • Page 68 Feature Information for ISG Control Policies Feature Name Releases Feature Configuration Information ISG: Policy Control: Policy: Domain Based Cisco IOS XE ISG control policies manage the primary services and rules (Autodomain, Proxy) Release 2.2 used to enforce particular contracts. These policies include...
  • Page 70 Configuring ISG Control Policies Feature Information for ISG Control Policies...
  • Page 71 First Published: March 20, 2006 Last Updated: March 2, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers.
  • Page 72: Prerequisites For Isg Access For Ppp Sessions

    See the module “Configuring ISG Control Policies” for information about how to configure control policies. Restrictions for ISG Access for PPP Sessions In Cisco IOS XE, SSO and ISSU are not supported for the following features on ISG PPP sessions: Port-Bundle Host Key •...
  • Page 73 Local address pools • Standard methods of IP address management for PPP (see the Cisco IOS XE Dial Technologies Configuration Guide for information about IP address management support for PPP sessions) When a locally terminated PPP session is transferred from one VRF to another VRF, the peer IP address is renegotiated using IPCP.
  • Page 74: How To Configure Isg Access For Ppp Sessions Using Control Policies

    VRF transfer to work. For information about how to configure virtual templates and support for PPP sessions, see the Cisco IOS XE Dial Technologies Configuration Guide.
  • Page 75 Configuring ISG Access for PPP Sessions How to Configure ISG Access for PPP Sessions Using Control Policies Specifying a VRF in a Service Policy Map VRF transfer occurs when a new primary service is activated for a session, causing the session to transfer from one VRF to another.
  • Page 76 Configuring ISG Access for PPP Sessions How to Configure ISG Access for PPP Sessions Using Control Policies Command or Action Purpose Step 5 Defines the service as a primary service. sg-service-type primary • A primary service is a service that contains a network-forwarding policy.
  • Page 77 Configuring ISG Access for PPP Sessions How to Configure ISG Access for PPP Sessions Using Control Policies Command or Action Purpose Step 3 Displays information related to ISG session and service show idmgr {service key session-handle session-handle service-key service | session identity.
  • Page 78 Configuring ISG Access for PPP Sessions How to Configure ISG Access for PPP Sessions Using Control Policies Command or Action Purpose Step 3 Filters debug output on the basis of the specified condition. debug condition condition Note See the module “Troubleshooting ISG with Session Monitoring and Distributed Conditional Example:...
  • Page 79: Configuration Examples For Isg Access For Ppp Sessions

    Configuring ISG Access for PPP Sessions Configuration Examples for ISG Access for PPP Sessions Example In the following example, the output of the debug subscriber packet detail command is filtered on the basis of the username “cpe6_1@isp.com”:
        Router# debug condition username cpe6_1@isp.com
        Condition 1 set
        Router# show debug
        Condition 1: username cpe6_1@isp.com (0 flags triggered)
  • Page 80 Configuring ISG Access for PPP Sessions Configuration Examples for ISG Access for PPP Sessions ISG will deny service to and disconnect the session for subscribers matching domain “ispd”. PPP domain-based service activation • For subscribers matching all other domains, ISG will activate a service that has the same name as the specified domain.
  • Page 81 Configuring ISG Access for PPP Sessions Configuration Examples for ISG Access for PPP Sessions
        1 service-policy type service ispc
    Define a control policy rule that results in session disconnection for subscribers that match service “ispd”.
        class type control ISPD event session-start
         service disconnect
    Define a control policy rule that defines the default for all other domains, which is to activate a service having the same name as the specified domain.
  • Page 82: Additional References

    Cisco IOS XE Security Configuration Guide AAA commands Cisco IOS Security Command Reference PPP configuration tasks The “PPP Configuration” section of the Cisco IOS XE Dial Services Configuration Guide PPP commands Cisco IOS Dial Services Command Reference...
  • Page 83: Feature Information For Isg Access For Ppp Sessions

    Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
  • Page 85 First Published: December 5, 2006 Last Updated: November 25, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. ISG supports IP sessions for subscribers who connect to ISG from routed, Layer 2 or Layer 3 access networks.
  • Page 86 Configuring ISG Access for IP Subscriber Sessions Prerequisites for ISG Access for IP Subscriber Sessions Configuration Examples for ISG Access for IP Subscriber Sessions, page 34 • Additional References, page 38 • Feature Information for ISG Access for IP Subscriber Sessions, page 40 •...
  • Page 87 IP Session Recovery for DHCP-Initiated IP Sessions, page 13 Default Services for IP Subscriber Sessions, page 13 • Types of IP Subscriber Sessions ISG supports the following types of IP subscriber sessions on Cisco IOS XE software: IP Sessions, page 4 • IP Interface Sessions, page 4 •...
  • Page 88 (data and multicast) on the same VLAN by enabling multicast and IP sessions to coexist on the same subinterface for Cisco ASR 10000 Series Aggregation Routers. ISG IP sessions are supported on nonaccess-type subinterfaces. In the case of an existing session or even when no session exists, this support helps the multicast traffic to pass through the interfaces configured for the IP sessions in both upstream and downstream directions without creating a session.
  • Page 89 Configuring ISG Access for IP Subscriber Sessions Information About ISG Access for IP Subscriber Sessions IP Subscriber Connectivity IP subscribers connect to ISG through either Layer 2 connected access networks or routed access networks. The following sections describe these types of IP subscriber connectivity: •...
  • Page 90 Configuring ISG Access for IP Subscriber Sessions Information About ISG Access for IP Subscriber Sessions Figure 2 Routed Access Network Routed Core network access network IP subscriber IP subscriber IP Subscriber Session Initiation ISG can be configured to allow one or more of the following events to signal the start of an IP session or IP subnet session on an interface: •...
  • Page 91 Configuring ISG Access for IP Subscriber Sessions Information About ISG Access for IP Subscriber Sessions Methods of ISG Subscriber IP Address Assignment IP subscribers either have IP addresses configured statically or obtain IP addresses dynamically through some network protocol that has the ability to assign IP addresses. For a subscriber to be routable within a given IP service domain, the subscriber must present a domain-specific IP address to the network.
  • Page 92 Configuring ISG Access for IP Subscriber Sessions Information About ISG Access for IP Subscriber Sessions When the access network is a Layer 2 connected network, a subscriber IP address can be either native or foreign to an access interface. A native subscriber IP address is one that belongs to the subnet provisioned on the access interface.
  • Page 93 ISG devices to store the MAC address as part of the session identifiers. For routed IP subscriber sessions, the MAC address is collected from the DHCP server using the DHCP Lease Query Protocol. For information about configuring the command, see the “Configuring ISG Control Policies” module in the Cisco IOS ISG Configuration Guide.
  • Page 94 Configuring ISG Access for IP Subscriber Sessions Information About ISG Access for IP Subscriber Sessions DHCP Lease Query Support The DHCP Lease Query message is a DHCP message type transmitted from a DHCP relay agent to a DHCP server. A DHCP Lease Query aware relay agent sends the location of an IP endpoint to the DHCP Lease Query message.
  • Page 95 Configuring ISG Access for IP Subscriber Sessions Information About ISG Access for IP Subscriber Sessions Dynamic VPN selection can be initiated through automatic service logon, where the VRF is downloaded and applied to the subscriber session at session start, or through subscriber service selection at a web portal, in which case the subscriber is transferred to the VRF that corresponds to the selected service.
  • Page 96 Configuring ISG Access for IP Subscriber Sessions Information About ISG Access for IP Subscriber Sessions Service Model for VRF Transfers A primary service is a service that contains a network-forwarding policy (such as a VRF) in its service definition. Only one primary service at a time can be activated for a session. A secondary service is any service that does not contain a network-forwarding policy.
  • Page 97 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions Idle timeout and session timeout • Idle timeouts and session timeouts can be used to detect or impose termination of an IP session. Control policy •...
  • Page 98 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions Creating IP Subscriber Sessions for Routed ISG Subscribers, page 14 (required) • Creating IP Subscriber Sessions for Layer 2 Connected ISG Subscribers, page 15 (required) •...
  • Page 99 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions Command or Action Purpose Step 5 Configures ISG to create an IP subscriber session upon initiator {dhcp [class-aware] | radius-proxy | unclassified ip-address} receipt of the specified packet type. •...
  • Page 100 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode.
  • Page 101 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions Command or Action Purpose Step 6 (Optional) Returns to privileged EXEC mode. Example: Router(config-subscriber)# end Creating ISG IP Interface Sessions An ISG IP interface session encompasses all IP packets that cross the specified interface or subinterface. Perform this task to create an ISG IP interface session.
  • Page 102 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions Creating an ISG Static Session The ISG Static Session Creation feature enables administrator initiated static IP sessions. An ISG static session enables you to configure static IP sessions from the CLI. You can create static IP sessions by configuring a group of server addresses.
  • Page 103 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions Command or Action Purpose Step 5 Specifies an interface and enters interface configuration interface type number mode. Example: Router(config)# interface GigabitEthernet 2/0/0 Step 6 Specifies the type of IP subscriber to be hosted on the ip subscriber l2-connected interface and enters ISG IP subscriber configuration mode.
  • Page 104 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode.
  • Page 105 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions SUMMARY STEPS enable configure terminal policy-map type control policy-map-name class type control {control-class-name | always} event session-restart action-number authorize [aaa list list-name] [password password] [upon network-service-found {continue | stop}] identifier {authenticated-domain | authenticated-username | auto-detect | circuit-id [plus remote-id] | dnis | mac-address | nas-port | remote-id [plus circuit-id] | source-ip-address | tunnel-name | unauthenticated-domain | unauthenticated-username}...
  • Page 106 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions Command or Action Purpose Step 5 (Optional) Initiates a request for authorization on the basis action-number authorize [aaa list list-name] [password password] [upon network-service-found of the specified identifier. {continue | stop}] identifier {authenticated-domain | authenticated-username | auto-detect | circuit-id [plus remote-id] |...
  • Page 107 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 1 show subscriber session [detailed] [identifier Displays information about ISG policies and features for identifier | uid session-id | username name] subscriber sessions.
  • Page 108: Troubleshooting Tips

    Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions DETAILED STEPS Command or Action Purpose Step 1 (Optional) Displays information about ISG subscriber IP show ip subscriber [dangling seconds | detail | ip ip-address | mac mac-address | vrf vrf-name sessions.
  • Page 109 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions Prerequisites For ISG to use DHCP to assign IP addresses, the following prerequisites must be met: • The subscriber must be Layer 2 connected. • ISG must be in the path of DHCP requests, serving as a DHCP server or relay.
  • Page 110 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions Command or Action Purpose Step 5 Enables ISG IP subscriber configuration mode. ip subscriber [l2-connected | routed] Example: Router(config-if)# ip subscriber Step 6 Configures ISG to create IP sessions upon receipt of DHCP initiator dhcp class-aware DISCOVER packets.
  • Page 111 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions Command or Action Purpose Step 3 Creates a service policy map or specifies an existing service policy-map type service policy-name policy map for configuration, and enters service policy-map configuration mode.
  • Page 112 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions DETAILED STEPS Command or Action Purpose Step 1 Add the DHCP Class attribute to the user or service Associates a DHCP address pool with a service or specific profile.
  • Page 113 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode.
  • Page 114 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions interface multiservice 2 ip vrf forwarding VRF_A Multiservice Interface Model For a subscriber without a static VPN configuration, a multiservice interface must be configured on the ISG device to map the IP session to a VRF.
  • Page 115 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions Command or Action Purpose Step 3 Creates a multiservice interface, which enables dynamic interface multiservice interface-number VPN selection and enters interface configuration mode. Example: Router(config)# interface multiservice 1 Step 4 Associates a VPN VRF with an interface or subinterface.
  • Page 116 Configuring ISG Access for IP Subscriber Sessions How to Configure ISG for IP Subscriber Sessions DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode.
  • Page 117 Displays the current state of the routing table. show ip route [vrf vrf-name] Example: Router# show ip route Step 6 Displays address bindings on the Cisco IOS DHCP server. show ip dhcp binding [ip-address] Example: Router# show ip dhcp binding...
  • Page 118 {error | event} is related to DHCP events. Example: Router# debug subscriber policy dpm event Step 4 Enables Cisco IOS DHCP server debugging. debug ip dhcp server {events | packets | linkage | class} Example: Router# debug ip dhcp server events...
  • Page 119 Configuring ISG Access for IP Subscriber Sessions Configuration Examples for ISG Access for IP Subscriber Sessions DHCP Address Pool Classes and Relay Actions for ISG: Examples, page 36 • Dynamic VPN Selection: Example, page 38 • ISG IP Interface Subscriber: Example The following example shows how to configure an IP interface session on GigabitEthernet interface 0/0/1.401: interface GigabitEthernet 0/0/1.401...
  • Page 120 Configuring ISG Access for IP Subscriber Sessions Configuration Examples for ISG Access for IP Subscriber Sessions DHCP-Initiated Session Recovery: Example The following example configures an ISG policy that applies a service called “FIRST-SERVICE” upon session restart for subscribers belonging to the VRF “FIRST”.
    class-map type control TEST
     match vrf FIRST
    policy-map type control GLOBAL...
  • Page 121 Configuring ISG Access for IP Subscriber Sessions Configuration Examples for ISG Access for IP Subscriber Sessions DHCP Server Coresident with ISG Configuration In the following configuration example, the ISPs are ISP1 and ISP2 companies. The ISP1 company has its addresses assigned from an address pool that is dynamically allocated using on-demand address pools (ODAP).
  • Page 122 Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference DHCP configuration The “DHCP” module of the Cisco IOS XE IP Addressing Configuration Guide Configuring ISG Control Policies “Configuring ISG Control Policies” module in the Cisco IOS...
  • Page 123 Additional References Standards Standard Title None MIBs MIBs Link None To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs RFCs Title None Technical Assistance Description Link The Cisco Support website provides extensive online http://www.cisco.com/techsupport...
  • Page 124 Note Table 2 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
  • Page 125 Feature Information for ISG Layer 3 Access (continued) Feature Name Releases Feature Configuration Information ISG: Instrumentation: DHCP Cisco IOS XE The DHCP Lease Query transaction is a DHCP transaction with special Lease Query Support Release 2.5.0 message types that enable, among other things, clients to query DHCP servers regarding the owner and the lease expiration time of an IP address.
  • Page 126 Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks;...
  • Page 127 PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 129: First Published: March

    The MQC Support for IP Sessions feature provides modular quality of service (QoS) command-line interface (CLI) provisioning on Cisco Intelligent Services Gateway (ISG) IP sessions. It makes the full set of modular QoS CLI (MQC) syntax available for the sessions, whether they are configured locally or downloaded from a remote authentication, authorization, and accounting (AAA) server.
  • Page 130: Restrictions For Mqc Support For Ip Sessions

    Configuring MQC Support for IP Sessions Restrictions for MQC Support for IP Sessions Restrictions for MQC Support for IP Sessions The following restrictions apply to the MQC Support for IP Sessions feature: Creation of IP sessions over PPP sessions is not supported. •...
  • Page 131: How To Configure Mqc Support For Ip Sessions

    See the section “Configuring Per-Session QoS Using the ISG Framework” in the “Configuring ISG Control Policies” chapter in Cisco IOS XE Intelligent Services Gateway Configuration Guide for information about configuring a local service profile. Local Subscriber Profile MQC Support To configure QoS policy maps on service profiles, perform the steps in the following procedure:...
  • Page 132 Configuring MQC Support for IP Sessions How to Configure MQC Support for IP Sessions DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode.
  • Page 133: Configuration Examples For Mqc Support For Ip Sessions

    Configuring MQC Support for IP Sessions Configuration Examples for MQC Support for IP Sessions DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode.
  • Page 134: Additional References

    Cisco IOS Intelligent Services Gateway Command Reference MIBs MIBs Link No new or modified MIBs are supported by this To locate and download MIBs for selected platforms, Cisco IOS XE feature. releases, and feature sets, use Cisco MIB Locator found at the following URL:...
  • Page 135: Feature Information For Mqc Support For Ip Sessions

    CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks;...
  • Page 137: First Published: March

    First Published: March 20, 2006 Last Updated: March 2, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers.
  • Page 138: Prerequisites For The Isg Port-Bundle Host Key Feature

    Configuring ISG Port-Bundle Host Key Prerequisites for the ISG Port-Bundle Host Key Feature Prerequisites for the ISG Port-Bundle Host Key Feature For information about release and platform requirements, see the “Feature Information for ISG Port-Bundle Host Key” section on page The external portal must support port-bundle host keys and must be configured with the same port-bundle host key parameters.
  • Page 139: How To Configure Isg Port-Bundle Host Key

    Configuring ISG Port-Bundle Host Key How to Configure ISG Port-Bundle Host Key to a configured ISG IP address and changes the source TCP port to a port allocated by the ISG. The ISG assigns a bundle of ports to each subscriber because one subscriber can have several simultaneous TCP sessions when accessing a web page.
  • Page 140 Configuring ISG Port-Bundle Host Key How to Configure ISG Port-Bundle Host Key Configuring Port-Bundle Host Key Parameters, page 5 • Verifying ISG Port-Bundle Host Key Configuration, page 8 • Enabling the ISG Port-Bundle Host Key Feature in a Service Policy Map Perform this task to enable the ISG Port-Bundle Host Key feature in a service policy map.
  • Page 141 Configuring ISG Port-Bundle Host Key How to Configure ISG Port-Bundle Host Key Enabling the ISG Port-Bundle Host Key Feature in a User Profile or Service Profile on the AAA Server Perform this task to enable the ISG Port-Bundle Host Key feature in a user profile or service profile on the AAA server.
  • Page 142 BUNDLE_LENGTH argument. If you change the port-bundle length on an ISG, be sure to make the corresponding change in the configuration on the portal. The Cisco ASR 1000 series routers support a maximum port-bundle length of 7. Note SUMMARY STEPS...
  • Page 143 Length” for more information. Example: The default is 4. • Router(config-portbundle)# length 5 The Cisco ASR 1000 series routers support a maximum • port-bundle length of 7. Step 6 Specifies the interface for which the main IP address will be...
  • Page 144: Configuration Examples For Isg Port-Bundle Host Key

    Configuring ISG Port-Bundle Host Key Configuration Examples for ISG Port-Bundle Host Key Verifying ISG Port-Bundle Host Key Configuration Perform this task to display information about ISG port-bundle host key configuration. SUMMARY STEPS enable show ip portbundle status [free | inuse] show ip portbundle ip portbundle-ip-address bundle port-bundle-number show subscriber session [detailed] [identifier identifier | uid session-id | username name] DETAILED STEPS...
  • Page 145: Additional References

    Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Feature Information for ISG Port-Bundle Host Key Table 3 lists the features in this module and provides links to specific configuration information.
  • Page 147 First Published: December 5, 2006 Last Updated: November 25, 2009 Intelligent Services Gateway (ISG) is a Cisco XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. The ISG RADIUS proxy feature enables ISG to serve as a proxy between a client device that uses RADIUS authentication and an authentication, authorization, and accounting (AAA) server.
  • Page 148: Prerequisites For Isg Radius Proxy

    Configuring ISG as a RADIUS Proxy Prerequisites for ISG RADIUS Proxy Prerequisites for ISG RADIUS Proxy The Cisco IOS image must support AAA and ISG. Restrictions for ISG RADIUS Proxy Wireless Internet service provider roaming (WISPr) attributes are not supported.
  • Page 149 Configuring ISG as a RADIUS Proxy Information About ISG RADIUS Proxy Sessions that were created using ISG RADIUS proxy operation are generally terminated by receipt of an Accounting-Stop packet. ISG RADIUS Proxy Handling of Accounting Packets By default, ISG RADIUS proxy responds locally to accounting packets it receives. The accounting method-list command can be used to configure ISG to forward RADIUS proxy client accounting packets to a specified server.
  • Page 150: How To Configure Isg As A Radius Proxy

    Configuring ISG as a RADIUS Proxy How to Configure ISG as a RADIUS Proxy 3GPP Attribute Support In GGSN environments ISG RADIUS proxy must understand and parse the Third Generation Partnership Project (3GPP) attributes described in Table 1. These attributes form part of the accounting requests.
  • Page 151 Configuring ISG as a RADIUS Proxy How to Configure ISG as a RADIUS Proxy Initiating ISG RADIUS Proxy IP Sessions Perform this task to configure ISG to initiate an IP session upon receipt of a RADIUS proxy message from a RADIUS client. SUMMARY STEPS enable configure terminal...
  • Page 152 Configuring ISG as a RADIUS Proxy How to Configure ISG as a RADIUS Proxy Configuring ISG RADIUS Proxy Global Parameters Perform this task to configure ISG RADIUS proxy parameters that are applied by default to all RADIUS proxy clients. Client-specific parameters can also be configured and take precedence over this global configuration.
  • Page 153 Configuring ISG as a RADIUS Proxy How to Configure ISG as a RADIUS Proxy Command or Action Purpose Step 5 (Optional) Correlates the RADIUS server requests of a session-identifier {attribute number | vsa vendor id type number} session and identifies the session in the RADIUS proxy module.
  • Page 154 Configuring ISG as a RADIUS Proxy How to Configure ISG as a RADIUS Proxy Configuring ISG RADIUS Proxy Client-Specific Parameters Perform this task to configure client-specific parameters for the ISG RADIUS proxy. This configuration applies to the specified client or subnet only. The client-specific configuration takes precedence over the global ISG RADIUS proxy configuration.
  • Page 155 Configuring ISG as a RADIUS Proxy How to Configure ISG as a RADIUS Proxy Command or Action Purpose Step 5 Specifies a RADIUS proxy client for which client-specific client {name | ip-address} [subnet-mask [vrf vrf-id]] parameters can be configured, and enters RADIUS client configuration mode.
  • Page 156 Configuring ISG as a RADIUS Proxy How to Configure ISG as a RADIUS Proxy Command or Action Purpose Step 12 Specifies the amount of time ISG waits for the specified timer {ip-address | request} seconds event before terminating the session. •...
  • Page 157 Configuring ISG as a RADIUS Proxy How to Configure ISG as a RADIUS Proxy Command or Action Purpose Step 4 Configures AAA authorization methods for ISG RADIUS aaa authorization radius-proxy {default | list-name} method1 [method2 [method3...]] proxy subscribers. • A method may be either of the following: Example: –...
  • Page 158 Configuring ISG as a RADIUS Proxy How to Configure ISG as a RADIUS Proxy DETAILED STEPS Command or Action Purpose Step 1 Displays RADIUS proxy configuration information and a show radius-proxy client ip-address [vrf vrf-id] summary of sessions for an ISG RADIUS proxy client. Example: Router# show radius-proxy client 10.10.10.10 Step 2...
  • Page 159: Configuration Examples For Isg Radius Proxy

    Configuring ISG as a RADIUS Proxy Configuration Examples for ISG RADIUS Proxy DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 clear radius-proxy client ip-address Clears all ISG RADIUS proxy sessions that are associated with the specified client device.
  • Page 160
    ! The control policy "PROXYRULE" is applied to the interface.
    service-policy type control PROXYRULE
    radius-server host 10.2.36.253 auth-port 1812 acct-port 1813 key cisco
    radius-server host 10.76.86.83 auth-port 1665 acct-port 1666 key rad123
    radius-server vsa send accounting
    radius-server vsa send authentication...
  • Page 161: Additional References

    Service: service1, Active Time = 00:00:40 Interface: FastEthernet0/1, Active Time = 00:00:40 Additional References The following sections provide references related to ISG RADIUS proxy. Related Documents Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference Standards Standard Title None —...
  • Page 162 Configuring ISG as a RADIUS Proxy Additional References MIBs MIBs Link None To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs RFCs Title...
  • Page 163: Feature Information For Isg Radius Proxy

    Note Table 2 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
  • Page 165 “Feature Information for RADIUS-Based Policing” section on page Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 166: Restrictions For Radius-Based Policing

    For a CoA message, the ISG also sends a negative Ack (Nack) response to the RADIUS server. Information About RADIUS-Based Policing To configure the RADIUS-based policing features supported on the Cisco ASR 1000 Series Aggregation Services Router, you should understand the following topics: RADIUS Attributes, page 2 •...
  • Page 167 This VSA has the following format: av-pair = "policy-type=command 9 parameter1 ,...,parametern" Use the following Cisco VSA 1 format to add and remove classes and QoS actions to and from the QoS policy that is currently active on a session:...
  • Page 168 RADIUS-Based Policing Information About RADIUS-Based Policing For example, the following class list identifies the class named “voip”, which gets added to a nested policy. The VoIP class is configured in a nested child policy that is applied to the parent class-default class.
  • Page 169: How To Configure Radius-Based Policing

    In the current release, multiple complex strings in a CoA message are not supported because they do not display correct behavior of VSA 1, as shown in the next example:
    vsa cisco 250 S152.1.1.2
    vsa cisco generic 252 binary 0b suffix "q-p-out=IPOne1-isg-acct1(1)((c-d,tv)1(10000))"
    vsa cisco generic 252 binary 0b suffix "q-p-out=IPOne1-isg-acct(1)((c-d,voip)1(10000))"
    In the above example: All services are enabled on target.
  • Page 170 RADIUS-Based Policing How to Configure RADIUS-Based Policing Prerequisites for Per-Service Policing Using RADIUS You must configure all traffic classes on the ISG before referencing the classes in policy maps. You must configure and apply QoS policy maps on the ISG before the ISG can construct and apply an ANCP-based dynamic service policy.
  • Page 171 RADIUS-Based Policing How to Configure RADIUS-Based Policing Command Purpose Step 2 Enters global configuration mode. configure terminal Example: Router# configure terminal Step 3 Creates or modifies a policy map and enters policy-map policy-map policy-map-name configuration mode. policy-map-name is the name of the policy map. Example: •...
  • Page 172 For more information on the commands you can specify for a traffic class, see the Cisco 10000 Series Router Quality of Service Configuration Guide. Configuring a Hierarchical QoS Parent Policy with Policing Use the following procedure to configure a hierarchical QoS Parent policy with policing.
  • Page 173 RADIUS-Based Policing How to Configure RADIUS-Based Policing Command Purpose Step 4 Modifies the class-default traffic class and enters class class-default policy-map class configuration mode. Example: Router(config-pmap)# class class-default Step 5 Shapes traffic to the indicated bit rate. shape average mean-rate [[burst-size] [excess-burst-size]] [account {qinq | dot1q | average is the maximum number of bits sent out •...
  • Page 174: Configuration Examples For Radius-Based Policing

    Configuration Examples for RADIUS-Based Policing Configuring Per-Service Policing on the RADIUS Server To use RADIUS to set the policing rate for a subscriber service, configure the following Cisco VSAs in the service profile on RADIUS: vsa cisco generic 1 string "qos-policy-out=add-class(sub,(class-list), shape(rate))"...
  • Page 175 RADIUS-Based Policing Configuration Examples for RADIUS-Based Policing
    policy-map type service IPOne
     10 class type traffic IPOne
      accounting aaa list default
    policy-map output_parent
     class class-default
      police 32000 32000 32000 conform-action transmit exceed-action drop violate-action drop
      service-policy output_child
    policy-map output_child
     class voip
      police 32000 32000 32000 conform-action transmit exceed-action drop violate-action drop
    ! RADIUS relays the string for service activation.
  • Page 176 192.168.5.7 0.0.0.64 RADIUS Configuration The following Cisco VSA is configured in a user profile on RADIUS. This VSA changes the policing rate of the Premium class in the Child policy. The Child policy is applied to the class-default class of the Parent policy.
  • Page 177 The ISG copies the service policy that is currently applied to the session and creates a transient policy named New_Parent to which it makes the appropriate changes. Based on the Cisco VSA included in the Access-Accept message, the ISG adds the policing rate to the Premium traffic class. The Premium class is configured in the transient New_Child policy, which is applied to the New_Parent class-default class.
  • Page 178: Verifying Radius-Based Policing

    The ISG copies the service policy named Parent currently applied to the session and creates a transient copy named New_Parent to which it makes the appropriate changes. Based on the Cisco VSA included in the Access-Accept message, the ISG changes the policing rate of the Premium traffic class from 5000 bps to 200,000 bps.
  • Page 179: Additional References

    Additional References The following sections provide references related to the RADIUS-Based Policing feature. Related Documents Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference...
  • Page 180 Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
  • Page 181: Feature Information For Radius-Based Policing

    Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
  • Page 183: First Published: March

    First Published: March 20, 2006 Last Updated: March 2, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers.
  • Page 184: Prerequisites For Isg Automatic Subscriber Logon

    Configuring ISG Policies for Automatic Subscriber Logon Prerequisites for ISG Automatic Subscriber Logon Additional References, page 9 • Feature Information for ISG Automatic Subscriber Logon, page 10 • Prerequisites for ISG Automatic Subscriber Logon For information about release and platform support, see the “Feature Information for ISG Automatic Subscriber Logon”...
  • Page 185: How To Configure Isg Policies For Automatic Subscriber Logon

    For IP sessions that use DHCP Option 82 authorization, accounting messages are sent to the AAA server with the Circuit ID and Remote ID Cisco VSAs. Although you can configure a combination of circuit ID and remote ID as the username for authorization, the attributes are sent individually in accounting records.
  • Page 186 Configuring ISG Policies for Automatic Subscriber Logon How to Configure ISG Policies for Automatic Subscriber Logon Configuring an ISG Control Policy for Automatic Subscriber Logon, page 5 • Enabling the Remote-ID to Be Sent as the Calling-Station-ID, page 6 • Verifying ISG Automatic Subscriber Logon, page 7 •...
  • Page 187 Configuring ISG Policies for Automatic Subscriber Logon How to Configure ISG Policies for Automatic Subscriber Logon Command or Action Purpose Step 4: match source-ip-address ip-address subnet-mask. Purpose: Creates a condition that will evaluate true if a subscriber’s source IP address matches the specified IP address. match nas-port circuit-id name. Purpose: Creates a condition that will evaluate true if a subscriber’s circuit ID matches the specified value.
  • Page 188 The auto-detect keyword allows authorization to be performed on Cisco Catalyst switches with remote-ID:circuit-ID and on DSL Forum switches with circuit-ID only. Example: Router(config-control-policymap-class-control)# 1 authorize aaa list TAL_LIST password cisco identifier source-ip-address What to Do Next You must apply the control policy to a context by using the service-policy type control command. For information about applying control policies, see the module “Configuring ISG Control...
  • Page 189 Configuring ISG Policies for Automatic Subscriber Logon How to Configure ISG Policies for Automatic Subscriber Logon DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode.
  • Page 190: Configuration Examples For Isg Automatic Subscriber Logon

    If the subscriber does not log in within five minutes, the session is disconnected. ISG Configuration subscriber service password cisco interface GigabitEthernet0/0/0 service-policy type control RULEA...
  • Page 191 Cisco IOS Intelligent Services Gateway Command Reference MIBs MIBs Link No new or modified MIBs are supported by this To locate and download MIBs for selected platforms, Cisco IOS XE feature. releases, and feature sets, use Cisco MIB Locator found at the following URL:...
  • Page 192 Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
  • Page 193 CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks;...
  • Page 195 First Published: March 20, 2006 Last Updated: June 19, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers.
  • Page 196: Prerequisites For Isg Interaction With External Policy Servers

    Enabling ISG to Interact with External Policy Servers Prerequisites for ISG Interaction with External Policy Servers Prerequisites for ISG Interaction with External Policy Servers For information about release and platform support, see the “Feature Information for ISG Interaction with External Policy Servers” section on page Restrictions for ISG Interaction with External Policy Servers The ISG and external policy servers should be in the same virtual routing and forwarding instance (VRF).
  • Page 197 Enabling ISG to Interact with External Policy Servers How to Enable ISG to Interact with External Policy Servers Prerequisites The servers and server groups referenced by the AAA methods must be configured. SUMMARY STEPS enable configure terminal aaa authentication login {default | list-name} method1 [method2...] aaa authentication ppp {default | list-name} method1 [method2...] aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]...
  • Page 198 Enabling ISG to Interact with External Policy Servers How to Enable ISG to Interact with External Policy Servers Command or Action Purpose Step 6: aaa authorization subscriber-service {default | list-name} method1 [method2...]. Purpose: Specifies one or more AAA authorization methods for ISG to use in providing a service.
  • Page 199 Step 6 server-key [0 | 7] word Specifies the encryption key shared with the RADIUS client. Example: Router(config-locsvr-da-radius)# server-key cisco Step 7 auth-type {all | any | session-key} Specifies the attributes to be used for session authorization. Example: Router(config-locsvr-da-radius)# auth-type all...
  • Page 200: Configuration Examples For Isg Interaction With External Policy Servers

    The following sections provide references related to ISG interaction with external policy servers. Related Documents Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference AAA configuration tasks “Authentication, Authorization, and Accounting (AAA)” section of the Cisco IOS XE Security Configuration Guide AAA commands...
  • Page 201 Additional References MIBs MIBs Link No new or modified MIBs are supported by this To locate and download MIBs for selected platforms, Cisco IOS XE feature. releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs...
  • Page 202: Feature Information For Isg Interaction With External Policy Servers

    ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 203 Enabling ISG to Interact with External Policy Servers Feature Information for ISG Interaction with External Policy Servers coincidental. © 2006–2009 Cisco Systems, Inc. All rights reserved.
  • Page 205 First Published: March 20, 2006 Last Updated: March 2, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers.
  • Page 206 Configuring ISG Subscriber Services Prerequisites for Configuring ISG Subscriber Services Prerequisites for Configuring ISG Subscriber Services For information about release and platform support, see the “Feature Information for ISG Subscriber Services” section on page Restrictions for Configuring ISG Subscriber Services Only one nondefault traffic class may be configured in each service.
  • Page 207: Information About Isg Subscriber Services

    Default traffic is accounted for in the main session accounting. A service can contain one traffic class and one default class. Traffic classes are assigned unique identifiers that can be tracked with Cisco IOS show commands. Traffic Policies Traffic policies define the handling of data packets. A traffic policy contains a traffic class and one or more features.
  • Page 208 Configuring ISG Subscriber Services Information About ISG Subscriber Services Figure 1 shows how features apply to a subscriber session and to traffic flows within the session. [Figure 1: ISG Feature Application on a Session and Flows]
  • Page 209: How To Configure Isg Services On The Router

    Configuring ISG Subscriber Services How to Configure ISG Services on the Router Automatic Service Activation The Auto Service attribute, which can be configured in user profiles, enables subscribers to be automatically logged in to specified services when the user profile is downloaded, usually following authentication.
  • Page 210 Note order to work properly. Details on how to configure specific ISG features and functionality are provided in other modules in the Cisco IOS XE Intelligent Services Gateway Configuration Guide. Restrictions A service that is configured with per-session functionality and a traffic policy will not work correctly.
  • Page 211 Configuring ISG Subscriber Services How to Configure ISG Services on the Router Command or Action Purpose Step 4: authenticate aaa list name-of-list. Purpose: Indicates that the service requires authentication as a condition of activation and initiates an authentication request. Example: Router(config-service-policymap)# authenticate aaa list mlist Step 5 Associates a Dynamic Host Configuration Protocol (DHCP)
  • Page 212 Configuring ISG Subscriber Services How to Configure ISG Services on the Router Command or Action Purpose Step 12 Associates the service with a specified service group. sg-service-group service-group-name Example: Router(config-service-policymap)# sg-service-group group1 Step 13 Defines the service as a primary or secondary service. sg-service-type {primary | secondary} •...
  • Page 213 Note: Some of the commands that can be configured in a service policy map require other configuration in order to work properly. Details on how to configure specific ISG features and functionality are provided in other modules in the Cisco IOS Intelligent Services Gateway Configuration Guide. SUMMARY STEPS enable...
  • Page 214 Configuring ISG Subscriber Services How to Configure ISG Services on the Router [priority] class type traffic class-map-name accounting aaa list AAA-method-list police {input | output} committed-rate normal-burst excess-burst redirect [list access-list-number] to {group server-group-name | ip ip-address [port port-number]} [duration seconds] [frequency seconds] timeout absolute duration-in-seconds timeout idle duration-in-seconds exit...
  • Page 215 Configuring ISG Subscriber Services How to Configure ISG Services on the Router Command or Action Purpose Step 7 Redirects traffic to a specified server or server group. redirect [list access-list-number] to {group server-group-name | ip ip-address [port port-number]} [duration seconds] [frequency seconds] Example: Router(config-service-policymap-class-traffic)#...
  • Page 216 Configuring ISG Subscriber Services How to Configure ISG Services on the Router DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode. Example: Router# configure terminal Step 3...
  • Page 217 Configuring ISG Subscriber Services How to Configure ISG Services on the Router DETAILED STEPS Command or Action Purpose Step 1: Add the Auto Service attribute to the user profile. Purpose: Automatically logs the subscriber in to the specified service when the user profile is downloaded. 26,9,251="Aservice-name[;username;password]"...
  • Page 218 Configuring ISG Subscriber Services How to Configure ISG Services on the Router Command or Action Purpose Step 4 Purpose: Specifies a class and, optionally, an event for which actions may be configured. Command: class type control {always | map-class-name} [event account-logon | credit-exhausted | quota-depleted | service-start | service-stop | session-default-service | session-service-found | session-start | timed-policy-expiry]...
  • Page 219: Configuration Examples For Isg Services

    CAR_ACCNT_LIST class type traffic default in-out drop AAA Server Configuration Attributes/ Cisco-AVPair = "ip:traffic-class=in access-group name SERVICE1_ACL_IN priority 10" Cisco-AVPair = "ip:traffic-class=in default drop" Cisco-AVPair = "ip:traffic-class=out access-group name SERVICE1_ACL_OUT priority 10" Cisco-AVPair = "ip:traffic-class=out default drop" Cisco-AVPair = subscriber:accounting-list=CAR_ACCNT_LIST...
  • Page 220 AAA Server Configuration Attributes/ Cisco-AVPair = "ip:traffic-class=in access-group name BOD1M_IN_ACL priority 10" Cisco-AVPair = "ip:traffic-class=in default drop" Cisco-AVPair = "ip:traffic-class=out access-group name BOD1M_OUT_ACL priority 10" Cisco-AVPair = "ip:traffic-class=out default drop" Cisco-AVPair = subscriber:accounting-list=CAR_ACCNT_LIST Cisco-SSG-Service-Info = IBOD1M Cisco-SSG-Service-Info = QU;512000;256000;5000;D;1024000;512000;5000...
  • Page 221 INTERNET_IN_ACL in ip access-group INTERNET_OUT_ACL out AAA Server Configuration Attributes/ Cisco-AVPair = ip:inacl=INTERNET_IN_ACL Cisco-AVPair = ip:outacl=INTERNET_OUT_ACL Service for Redirecting Layer 4 Subscriber Traffic: Example The following example shows the configuration of a service called “UNAUTHORIZED_REDIRECT_SVC”. The control policy “UNAUTHEN_REDIRECT” is configured to apply the service upon session start.
  • Page 222: Additional References

    An account on Cisco.com is not required. Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE...
  • Page 225 First Published: March 20, 2006 Last Updated: March 2, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. An ISG network forwarding policy is a type of traffic policy that allows packets to be routed or forwarded to and from an upstream network.
  • Page 226: Prerequisites For Configuring Isg Network Forwarding Policies

    Configuring ISG Network Forwarding Policies Prerequisites for Configuring ISG Network Forwarding Policies Prerequisites for Configuring ISG Network Forwarding Policies For information about release and platform support, see the “Feature Information for ISG Network Policies” section on page Restrictions for Configuring ISG Network Forwarding Policies A service can contain only one network forwarding policy.
  • Page 227: How To Configure Isg Network Policies

    Configuring ISG Network Forwarding Policies How to Configure ISG Network Policies If a network forwarding policy is not specified in a user profile or service, the ISG session will inherit the network service from another source. ISG can inherit a network service from the following sources: •...
  • Page 228 Configuring ISG Network Forwarding Policies How to Configure ISG Network Policies ip vrf forwarding name-of-vrf DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 Enters global configuration mode. configure terminal Example: Router# configure terminal...
  • Page 229 Configuring ISG Network Forwarding Policies How to Configure ISG Network Policies What to Do Next You may want to configure a method of activating the service policy map; for example, control policies can be used to activate services. For more information about methods of service activation, see the module “Configuring ISG Subscriber Services.”...
  • Page 230: Configuration Examples For Isg Network Policies

    Configuring ISG Network Forwarding Policies Configuration Examples for ISG Network Policies Command or Action Purpose Step 4 Associates the service with a VRF. ip vrf forwarding name-of-vrf Example: Router(config-service-policymap)# ip vrf forwarding blue Step 5 Defines the service as a primary service. sg-service-type primary •...
  • Page 231: Additional References

    Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
  • Page 233 First Published: March 20, 2006 Last Updated: June 25, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers.
  • Page 234: Prerequisites For Isg Accounting

    Configuring ISG Accounting Prerequisites for ISG Accounting Prerequisites for ISG Accounting For information about release and platform support, see the “Feature Information for ISG Accounting” section on page Restrictions for ISG Accounting ISG accounting supports only the RADIUS protocol. If authentication, authorization, and accounting (AAA) broadcast accounting is used in conjunction with periodic accounting, you cannot configure different accounting periods for different accounting groups.
  • Page 235 The name of the service is included in accounting records for service logon and logoff. Accounting records may be sent for events other than account and service logon and logoff. See the “Configuring Accounting” chapter of the Cisco IOS XE Security Configuration Guide, for more information. Interim Accounting Updates ISG supports interim (intermittent) RADIUS accounting updates, which work the same way as “watchdog”...
  • Page 236: How To Configure Isg Accounting

    Configuring ISG Accounting How to Configure ISG Accounting Postpaid Tariff Switching ISG postpaid tariff switching allows changes in tariffs during the lifetime of a connection. This feature applies to time-based or volume-based postpaid sessions in which the tariff changes at certain times of the day.
  • Page 237 The tasks in this section assume that you have configured a AAA method list by using the aaa accounting command. See the Cisco IOS Security Command Reference for more information.
  • Page 238 DETAILED STEPS Step 1 Cisco-AVpair = "ip:traffic-class={in | out} access-group [acl_number | name acl_name] [priority n]" Add the ISG Traffic Class attribute to the service profile. This attribute specifies input and output traffic to which the service will apply. Both an input and output traffic classifier can be added to a service profile.
  • Page 239 Configuring ISG Accounting How to Configure ISG Accounting Add the Accounting attribute to the service profile on the AAA server. This attribute enables accounting and specifies the AAA method list to which accounting updates will be sent. The AAA method list must be configured.
  • Page 240 Configuring ISG Accounting How to Configure ISG Accounting Command or Action Purpose Step 3: policy-map type service policy-map-name. Purpose: Creates or defines a service policy map, which is used to define an ISG service and enters service policy-map configuration mode. Example: Router(config)# policy-map type service service1 Step 4...
  • Page 241 The tasks in this section assume that you have configured a AAA method list by using the aaa accounting command. See the Cisco IOS Security Command Reference for more information.
  • Page 242 How to Configure ISG Accounting Configuring RADIUS for Service Activation and Deactivation Configure Cisco VSA 250 and VSA 252 in the service profile on RADIUS to dynamically activate and deactivate services. RADIUS uses VSA 250 in Access-Accept and VSA 252 in CoA messages. These VSAs have the following syntax: 252 0b "service(parameter1=value,parameter2=value,...)"...
  • Page 243 Configuring ISG Accounting How to Configure ISG Accounting policy-map type service policy-map-name class type traffic class-map-name accounting aaa list AAA-method-list exit DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router>...
  • Page 244 Prerequisites ISG per-session or per-flow accounting must be configured in order for postpaid tariff switching to work. SUMMARY STEPS Cisco-AVpair = “PPWhh:mm:ss:days” Cisco-AVpair = "ip:traffic-class={in | out} access-group [acl_number | name acl_name] [priority n]" DETAILED STEPS Step 1 Cisco-AVpair = “PPWhh:mm:ss:d”...
  • Page 245 00010000 = Friday 00100000 = Saturday 01000000 = Sunday Cisco-AVpair = "ip:traffic-class={in | out} access-group [acl_number | name acl_name] [priority n]" Step 2 Add the ISG Traffic Class attribute to the service profile. This attribute specifies input and output traffic to which the service will apply.
  • Page 246 Configuring ISG Accounting How to Configure ISG Accounting DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 show subscriber session [detailed] [identifier Displays ISG subscriber session information. identifier | uid session-id | username name] Example: Router# show subscriber session...
  • Page 247 Configuring ISG Accounting How to Configure ISG Accounting Configuration sources associated with this session: Service: video1, Active Time = 3 minutes, 46 seconds show subscriber session Output When ISG Accounting Is Applied to a Session The following example shows sample output for the show subscriber session command for a session rather than a flow.
  • Page 248 Configuring ISG Accounting How to Configure ISG Accounting DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 show aaa sessions Displays AAA subscriber session information. Example: Router# show aaa sessions Examples...
  • Page 249 Configuring ISG Accounting How to Configure ISG Accounting Examples This section contains examples of output for the show aaa user command: Output for a Specific User Unique id 151 is currently in use. Accounting: log=0x20C201 Events recorded : CALL START NET UP IPCP_PASS INTERIM START...
  • Page 250 Configuring ISG Accounting How to Configure ISG Accounting TTY Num = -1 Stop Received = 0 Byte/Packet Counts till Call Start: Start Bytes In = 0 Start Bytes Out = 0 Start Paks In = 0 Start Paks Out = 0 Byte/Packet Counts till Service Up: Pre Bytes In = 0 Pre Bytes Out = 0...
  • Page 251 Configuring ISG Accounting How to Configure ISG Accounting Attribute list: 1A1CADF0 0 00000001 session-id(361) 4 167(A7) 1A1CAE00 0 00000001 protocol(297) 4 ip 1A1CAE10 0 00000001 addr(8) 4 192.168.0.1 1A1CAE20 0 00000001 Framed-Protocol(101) 4 PPP 1A1CAE30 0 00000009 clid-mac-addr(37) 6 00 00 04 00 00 2A -------- No data for type CMD No data for type SYSTEM...
  • Page 252 Configuring ISG Accounting How to Configure ISG Accounting DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 show sss session [all] Displays Subscriber Service Switch session status. Example: Router# show sss session Examples...
  • Page 253: Configuration Examples For Isg Accounting

    Per-Flow Accounting Configured in a Service Profile on the AAA Server The following example shows per-flow accounting configured in a remote service profile for a service called “video1”. video1 Password = "cisco"...
  • Page 254 Configuring ISG Accounting Configuration Examples for ISG Accounting Cisco-AVpair = "traffic-class=input access-group 101 priority 20", Cisco-AVpair = "traffic-class=output access-group 112 priority 20", Cisco-Avpair = "accounting-list=remote-local", Service-Info = "QU;8000", Service-Info = "QD;64000" Per-Service Accounting: Example The following configuration example allows multiple services in a single Access-Accept message and enables session accounting for the services.
  • Page 255: Additional References

    Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
  • Page 256 Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
  • Page 258 First Published: March 20, 2006 Last Updated: November 25, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. ISG prepaid billing support allows an ISG to check a subscriber's available credit to determine whether to allow the subscriber access to a service and how long the access can last.
  • Page 259: Prerequisites For Isg Prepaid Billing Support

    Restrictions for ISG Prepaid Billing Support ISG volume-based prepaid billing is not supported on the Cisco 10000-PRE2. • ISG prepaid billing support can be applied only to traffic flows that have been defined by an ISG •...
  • Page 260 Accounting-Stop message. ISG Prepaid Volume Monitor Polling Timer and QV Values The Cisco IOS prepaid volume monitor polling timer determines when ISG will initiate a prepaid reauthorization. The polling timer value is (15 seconds < polling-monitor-time < 300 seconds). This value is calculated dynamically based on the QV value (which defines the volume-based quota), the actual rate, and the configured volume threshold.
  • Page 261: How To Configure Isg Support For Prepaid Billing

    Configuring ISG Support for Prepaid Billing How to Configure ISG Support for Prepaid Billing Benefits of ISG Prepaid Billing Concurrent Prepaid Service Access The ISG Support for Prepaid Billing feature can support concurrent prepaid service access while maintaining the same pool of quota at the prepaid billing server. ISG services can be configured for concurrent or sequential access.
  • Page 262 Configuring ISG Support for Prepaid Billing How to Configure ISG Support for Prepaid Billing • Forwarding Subscriber Traffic upon Depletion of Quota, page 14 (optional) • Troubleshooting ISG Prepaid Billing Support, page 16 (optional) Note: The tasks in this document assume that a subscriber session has been created and a method of service activation is in place. Configuring RADIUS Attribute Support for ISG Prepaid Billing...
  • Page 263 ISG prepaid support has been enabled. Default Prepaid Configuration A default prepaid configuration exists with the following parameters: subscriber feature prepaid default threshold time 0 seconds threshold volume 0 bytes method-list authorization default method-list accounting default password cisco...
  • Page 264 Prerequisites This task assumes that AAA method lists, server groups, and servers have been configured. See the Cisco IOS Security Configuration Guide: Securing User Services for more information. SUMMARY STEPS enable...
  • Page 265 password password. Purpose: Configures the password to be used for ISG prepaid authorization and reauthorization requests. Example: Router(config-prepaid)# password cisco Step 7: threshold {time seconds | volume {kilobytes Kbytes | megabytes Mbytes | bytes bytes}}. Purpose: Configures the threshold at which ISG will send a reauthorization request to the prepaid billing server.
  • Page 266 Configuring ISG Support for Prepaid Billing How to Configure ISG Support for Prepaid Billing SUMMARY STEPS enable configure terminal policy-map type service policy-map-name [priority] class type traffic class-map-name prepaid config name-of-configuration show subscriber session [detailed] [identifier identifier | uid session-id | username name] DETAILED STEPS Command or Action Purpose...
  • Page 267 profile. Purpose: Specifies input and output traffic to which the service will apply. Both an input and output traffic classifier can be added to a service profile. • Cisco-AVpair = "ip:traffic-class=in access-group [<acl_number> | name <acl_name>] [priority <n>]" Cisco-AVpair = "ip:traffic-class=out access-group [<acl_number>...
  • Page 268 Configuring ISG Support for Prepaid Billing How to Configure ISG Support for Prepaid Billing What to Do Next You may want to configure a method of activating the service policy map or service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module “Configuring ISG Subscriber Services”.
  • Page 269 Configuring ISG Support for Prepaid Billing How to Configure ISG Support for Prepaid Billing SUMMARY STEPS enable configure terminal policy-map type service policy-map-name [priority] class type traffic class-name redirect to {group server-group-name | ip ip-address [port port-number]} [duration seconds] [frequency seconds] show subscriber session [detailed] [identifier identifier | uid session-id | username name] DETAILED STEPS Command or Action...
  • Page 270 Configuring ISG Support for Prepaid Billing How to Configure ISG Support for Prepaid Billing Command or Action Purpose Step 6 Exits the current configuration mode and returns to privileged EXEC mode. Example: Router(config-control-policymap-class-traffic)# Step 7 (Optional) Displays ISG subscriber session information. show subscriber session [detailed] [identifier identifier | uid session-id | username name] Example:...
  • Page 271 Configuring ISG Support for Prepaid Billing How to Configure ISG Support for Prepaid Billing Command or Action Purpose Step 3: policy-map type control policy-map-name. Purpose: Creates or modifies a policy map that defines a control policy. Example: Router(config)# policy-map type control policyA Step 4 Specifies a control class and event for which actions may be class type control {control-class-name |...
  • Page 272 Configuring ISG Support for Prepaid Billing How to Configure ISG Support for Prepaid Billing The quota-depleted event is not necessarily an indication that a subscriber does not have any more credit. ISG does not know for certain whether the subscriber has any more credit until a reauthorization response is returned from the billing server.
  • Page 273 Configuring ISG Support for Prepaid Billing How to Configure ISG Support for Prepaid Billing Command or Action Purpose Step 5: action-number set-param drop-traffic false. Purpose: Configures ISG to continue to allow traffic to pass when the quota has been depleted. Example: Router(config-control-policymap-class-control)# 1 set-param drop-traffic false Step 6...
  • Page 274: Configuration Examples For Isg Prepaid Billing Support

    Configuring ISG Support for Prepaid Billing Configuration Examples for ISG Prepaid Billing Support Configuration Examples for ISG Prepaid Billing Support This section contains the following examples: ISG Prepaid Billing Support: Example, page 17 • ISG Policies for Handling Credit-Exhausted and Quota-Depleted Prepaid Billing Events: Example, •...
  • Page 275 The following sections provide references related to ISG support for prepaid billing. Related Documents Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference AAA configuration tasks “Authentication, Authorization, and Accounting (AAA)” section in Cisco IOS Security Configuration Guide: Securing User...
  • Page 276 Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to...
  • Page 277 Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks;...
  • Page 278 First Published: March 20, 2006 Last Updated: November 5, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers.
  • Page 279 Configuring ISG Policies for Session Maintenance Prerequisites for Configuring Policies for Session Maintenance Information About Configuring Policies for Session Maintenance, page 2 • How to Configure Policies for Session Maintenance Timers, page 4 • Configuration Examples for Session Maintenance Timers, page 14 •...
  • Page 280 Configuring ISG Policies for Session Maintenance Information About Configuring Policies for Session Maintenance The scope of the session timers and connection timers is determined by the type of service within which the timer is specified. If specified in a service profile for which no traffic class is defined, the timer action will be to terminate the session or connection.
  • Page 281 Configuring ISG Policies for Session Maintenance How to Configure Policies for Session Maintenance Timers For IP subnet sessions, the peer (destination) IP address to be used for ICMP “hello” requests will be all the IP addresses within the subnet. This means “hello” requests will be sent sequentially (not simultaneously) to all the possible hosts within that subnet.
  • Page 282 Configuring ISG Policies for Session Maintenance How to Configure Policies for Session Maintenance Timers Configuring the Session Timer in a Service Policy Map Perform this task to set the session timer in a service policy map. SUMMARY STEPS enable configure terminal policy-map type service policy-map-name [priority] class type traffic class-map-name timeout absolute duration-in-seconds...
  • Page 283 Configuring ISG Policies for Session Maintenance How to Configure Policies for Session Maintenance Timers What to Do Next You may want to configure a method of activating the service policy map or service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module “Configuring ISG Subscriber Services.”...
  • Page 284 Configuring ISG Policies for Session Maintenance How to Configure Policies for Session Maintenance Timers Command or Action Purpose Step 3 Enters policy map configuration mode so you can begin policy-map type service policy-map-name configuring the service policy. Example: Router(config)# policy-map type service policy1 Step 4 Associates a previously configured traffic class to the policy [priority] class type traffic class-map-name...
  • Page 285 Prerequisites for Troubleshooting the Session Maintenance Timers Before performing the task in this section, it is recommended that you be familiar with the use of Cisco IOS debug commands described in the introductory chapters of the Cisco IOS Debug Command Reference. Also see the module “Troubleshooting ISG with Session Monitoring and Distributed...
  • Page 286 For this reason, use the Cisco IOS debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users, or on a debug chassis with a single active session.
  • Page 287 Configuring ISG Policies for Session Maintenance How to Configure Policies for Session Maintenance Timers Command or Action Purpose Step 2 Enter one or more of the debug commands listed in Table debug command • Enter the specific no debug command when you are finished.
  • Page 288 Configuring ISG Policies for Session Maintenance How to Configure Policies for Session Maintenance Timers DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode.
  • Page 289 Configuring a Session Keepalive on a RADIUS Server This task describes how to configure the session keepalive parameters on a RADIUS server. SUMMARY STEPS Service-Name password = "cisco" Cisco-Avpair = "subscriber:keepalive = [idle period1] [attempts Max-retries] [interval period2] [protocol {ICMP [broadcast] | ARP}]" DETAILED STEPS Step 1 Service-Name password = "cisco"...
  • Page 290 Configuring ISG Policies for Session Maintenance How to Configure Policies for Session Maintenance Timers server-key word exit DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode.
  • Page 291 Configuring ISG Policies for Session Maintenance Configuration Examples for Session Maintenance Timers Configuration Examples for Session Maintenance Timers This section contains the following examples: Session Timer Configuration in a Service Policy Map: Example, page 14 • Connection Idle Timer Configuration in a Service Policy Map: Example, page 14 •...
  • Page 292 Configuring ISG Policies for Session Maintenance Configuration Examples for Session Maintenance Timers Interface: Virtual-Access2.1 Policy information: Context 02DE7380: Handle 1B000009 Authentication status: authen User profile, excluding services: Framed-Protocol 1 [PPP] username "user01" Framed-Protocol 1 [PPP] username "user01" Prepaid context: not present Non-datapath features: Feature: Session Timeout Timeout value is 180000 seconds...
  • Page 293 The following sections provide references related to session maintenance timers. Related Documents Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference ppp timeout idle and timeout absolute PPP timer Cisco IOS Dial Technologies Command Reference commands...
  • Page 294 Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
  • Page 295 Note Table 2 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
  • Page 297 Configuring ISG Policies for Session Maintenance Feature Information for Configuring ISG Policies for Session Maintenance...
  • Page 298 First Published: March 20, 2006 Last Updated: June 25, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module describes how to configure ISG to redirect subscriber traffic by using the ISG Layer 4 Redirect feature.
  • Page 299 The ISG Layer 4 Redirect feature applies only to TCP or UDP traffic. In Cisco IOS XE, access lists cannot be configured as match criteria in ISG Layer 4 redirect configuration. As an alternative, Layer 4 redirect should be configured in ISG traffic class services.
  • Page 300 Redirecting Subscriber Traffic Using ISG Layer 4 Redirect How to Configure ISG Layer 4 Redirect When traffic is redirected, ISG modifies the destination IP address and TCP port of upstream packets to reflect the destination server. For downstream packets, ISG changes the destination IP address and port to the original packet’s source.
  • Page 301 Redirecting Subscriber Traffic Using ISG Layer 4 Redirect How to Configure ISG Layer 4 Redirect SUMMARY STEPS enable configure terminal redirect server-group group-name server ip ip-address port port-number DETAILED STEPS Command or Action Purpose Step 1 enable Enables privileged EXEC mode. •...
  • Page 302 Redirecting Subscriber Traffic Using ISG Layer 4 Redirect How to Configure ISG Layer 4 Redirect DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode.
  • Page 303 Redirecting Subscriber Traffic Using ISG Layer 4 Redirect How to Configure ISG Layer 4 Redirect SUMMARY STEPS enable configure terminal policy-map type service policy-map-name class type traffic class-name redirect to {group server-group-name | ip ip-address [port port-number]} [duration seconds] [frequency seconds] DETAILED STEPS Command or Action Purpose...
  • Page 304 Configuring Layer 4 Redirection in a Service Profile or User Profile on the AAA Server The Layer 4 Redirect feature can be configured as a Cisco vendor-specific attribute (VSA) in a user or service profile on an authentication, authorization, and accounting (AAA) server. This attribute can appear more than once in a profile to define different types of redirections for a session and can be used in both user and service profiles simultaneously.
  • Page 305 Redirecting Subscriber Traffic Using ISG Layer 4 Redirect How to Configure ISG Layer 4 Redirect DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 show redirect translations [ip ip-address] Displays ISG Layer 4 redirect translations for sessions.
  • Page 306 Redirecting Subscriber Traffic Using ISG Layer 4 Redirect Configuration Examples for ISG Layer 4 Redirect subscriber rule-map blind-rdt condition always event session-start action 1 service-policy type service name blind-rdt Session inbound features: Feature: Layer 4 Redirect Rule Definition Redirect to group sesm-grp !! applied redirect Configuration sources associated with this session: Service: blind-rdt, Active Time = 40 minutes, 32 seconds...
  • Page 307 Redirecting Subscriber Traffic Using ISG Layer 4 Redirect Configuration Examples for ISG Layer 4 Redirect Service-policy type control DEFAULT-IP-POLICY policy-map type control DEFAULT-IP-POLICY class type control always event session-start 1 service-policy type service BLIND-RDT class type control always event account-logon 1 authenticate aaa list AUTH-LIST 2 service-policy type service unapply BLIND-RDT policy-map type service BLIND-RDT...
  • Page 308 Redirecting Subscriber Traffic Using ISG Layer 4 Redirect Configuration Examples for ISG Layer 4 Redirect Initial Redirection: Example The following example shows ISG configured to redirect user traffic that comes over interface FastEthernet0/0.505 to a server group called “ADVT” for the initial 60 seconds of the session. After the initial 60 seconds, ISG will stop redirecting the traffic for the rest of the lifetime of the session.
  • Page 310 PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
  • Page 311 First Published: March 20, 2006 Last Updated: March 2, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers.
  • Page 312 Configuring ISG Policies for Regulating Network Access Prerequisites for ISG Policies for Regulating Network Access Prerequisites for ISG Policies for Regulating Network Access For information about release and platform support, see the “Feature Information for ISG Policies for Regulating Network Access” section on page Information About ISG Policies for Regulating Network Access Before you configure ISG policies for regulating network access, you should understand the following concept:...
  • Page 313 Configuring ISG Policies for Regulating Network Access How to Configure ISG Policies for Regulating Network Access Overview of ISG Policing Traffic policing allows you to control the maximum rate of traffic sent or received on an interface. Policing is often configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 314 Configuring ISG Policies for Regulating Network Access How to Configure ISG Policies for Regulating Network Access SUMMARY STEPS enable configure terminal policy-map type service policy-map-name [priority] class type traffic class-map-name police input committed-rate normal-burst excess-burst police output committed-rate normal-burst excess-burst DETAILED STEPS Command or Action Purpose...
  • Page 315 Configuring ISG Policies for Regulating Network Access How to Configure ISG Policies for Regulating Network Access Configuring Policing in a Service Profile or User Profile on the AAA Server SUMMARY STEPS Add the Policing VSA to the user profile or service profile on the AAA server. DETAILED STEPS Command or Action Purpose...
  • Page 316 Configuring ISG Policies for Regulating Network Access How to Configure ISG Policies for Regulating Network Access DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 show subscriber session [detailed] [identifier Displays ISG subscriber session information.
  • Page 317 Related Documents Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference How to configure QoS policies using the MQC “Applying QoS Features Using the MQC” section in the Cisco IOS XE Quality of Service Configuration Guide...
  • Page 318 Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
  • Page 319 CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks;...
  • Page 320 Configuring ISG Policies for Regulating Network Access Feature Information for ISG Policies for Regulating Network Access...
  • Page 321 First Published: February 22, 2008 Last Updated: March 2, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers.
  • Page 322: Prerequisites For Configuring Isg Integration With Sce

    Prerequisites for Configuring ISG Integration with SCE Prerequisites for Configuring ISG Integration with SCE The following prerequisites apply to the configuration of ISG integration with SCE. Hardware Requirements An ISG platform, which can be a Cisco ASR 1000 series router • An SCE platform •...
  • Page 323 Configuring ISG Integration with SCE Information About Configuring ISG Integration with SCE Overview of ISG-SCE Integration The ISG Integration with SCE feature integrates ISG and SCE at the policy plane level so that for purposes of subscriber provisioning, ISG and SCE function as a single logical entity. The ISG device and SCE communicate to manage subscriber sessions jointly, minimizing the requirements for coordination with additional external components.
  • Page 324: How To Configure Isg Integration With Sce

    Communication between the SCE and the ISG device is managed by an external policy delegation (EPD) handler module in Cisco IOS software. The EPD implements the control bus on the ISG and handles all messaging between the ISG device and SCE. Details of communications between the ISG and AAA servers are found in the Cisco IOS Intelligent Services Gateway Configuration Guide.
  • Page 325 Example: (3799) is used. ISG sends CoA messages to the SCE to Router(config-locsvr-radius)# client 10.10.10.1 provision, update, or deactivate a session and activate key cisco port 1431 or deactivate policies. A shared secret configured for a specific client • overrides the key configured using the key shared-secret command.
  • Page 326 Configuring ISG Integration with SCE How to Configure ISG Integration with SCE Configuring SCE Connection Parameter on ISG To configure the server connection management on either a per-server or a global basis, perform the steps in this section. SUMMARY STEPS enable configure terminal policy-peer address ip-address keepalive seconds...
  • Page 327 Router(config)# exit Configuring Control Policy on the Policy Manager To configure the policy manager to download a service, through rules configured by Cisco IOS command line interface (CLI) commands, follow the steps in this section. Configuring Control Policy on the ISG To configure the control policy on the ISG device, perform the steps in this section.
  • Page 328 Configuring ISG Integration with SCE How to Configure ISG Integration with SCE configure terminal policy-map type control policy-map-name class type control {class-map-name | always} event session-start action-number service-policy type service name service-name exit DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode.
  • Page 329 Configuring Services To configure services, perform the steps in this section. You can configure this feature either on the ISG device, using the Cisco IOS command line interface (CLI) commands, or on the AAA server. Configuring Services on ISG To configure a service containing accounting features and to activate an external policy on the SCE device, follow the steps in this section.
  • Page 330 Example: Router(config-control-policymap)# service-monitor enable Step 9 Exits policy map configuration mode. exit Example: Router(config-pol-map)# exit Configuring Services on the AAA Server To configure a service on the external AAA server, perform the steps in this section. SUMMARY STEPS Cisco:Avpair="subscriber:sg-service-type=external-policy" Cisco:Avpair="subscriber:policy-name=gold"...
  • Page 331 Configuring ISG Integration with SCE How to Configure ISG Integration with SCE Cisco:Avpair="subscriber:service-monitor=1" Cisco:Avpair="accounting-list=list1" DETAILED STEPS Cisco:Avpair="subscriber:sg-service-type=external-policy" Step 1 Defines the service as an external policy. Step 2 Cisco:Avpair="subscriber:policy-name=gold" Defines a corresponding external policy name on the ISG. Step 3 Cisco:Avpair="subscriber:service-monitor=1"...
  • Page 332 SCE. aaa accounting network service_acct start-stop group radius aaa accounting network session_acct start-stop group radius aaa server radius policy-device authentication port 1343 accounting port 1345 message-authenticator ignore client 10.10.10.1 port 1341 key cisco...
  • Page 333 SCE Control Bus Setup Configured in PUSH Mode The following example shows how to configure the SCE control bus in PUSH mode: scmp scmp name ISG radius 10.10.10.2 secret cisco auth 1433 acct 1435 scmp subscriber send-session-start interface LineCard 0 subscriber anonymous-group name all IP-range 192.168.12.0:0xffffff00 scmp name ISG...
  • Page 334: Feature Information For Configuring Isg Integration With Sce

    Note Table 2 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
  • Page 336 Configuring ISG Integration with SCE Feature Information for Configuring ISG Integration with SCE...
  • Page 337 “Feature Information for Service Gateway Interface” section on page Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 338: Information About Service Gateway Interface

    • Benefits of SGI, page 2 • ISG is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. See Overview of ISG...
  • Page 339 Service Gateway Interface How to Enable Service Gateway Interface DETAILED STEPS Command or Action Purpose Step 1 Enables privileged EXEC mode. enable Enter your password if prompted. • Example: Router> enable Step 2 configure terminal Enters global configuration mode. Example: Router# configure terminal Step 3 Enables the SGI feature.
  • Page 340 Service Gateway Interface How to Enable Service Gateway Interface Router# show sgi statistics sgi statistics total messages received 45 current active messages 5; maximum active messages 7 total isg service requests 4 current active services 2; maximum active services 2 sgi process statistics process sgi handler 1 pid 95, cpu percent (last minute) 1, cpu runtime 10(msec), memory accocated 4200 (bytes)
  • Page 341: Configuration Examples For Service Gateway Interface

    Cisco IOS Intelligent Services Gateway Configuration Guide, ISG commands Cisco IOS Intelligent Services Gateway Command Reference MIBs MIBs Link • None To locate and download MIBs for selected platforms, Cisco IOS XE releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs...
  • Page 342: Feature Information For Service Gateway Interface

    CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks;...
  • Page 343 All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R) Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only.
  • Page 344 Service Gateway Interface Feature Information for Service Gateway Interface...
  • Page 345 First Published: March 20, 2006 Last Updated: March 2, 2009 Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This document describes ISG session monitoring and distributed conditional debugging.
  • Page 346 For this reason, use the Cisco IOS debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users, or on a debug chassis with a single active session.
  • Page 347 Instead, it is more practical to filter debugging messages for a single session or call across the various Cisco IOS XE components that a session traverses. For this reason, the conditional debugging previously offered in the Cisco IOS XE software has been enhanced to facilitate debug filtering for ISG and is available as distributed conditional debugging.
  • Page 348 Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging How to Enable ISG Session Monitoring and Distributed Conditional Debugging SUMMARY STEPS enable show interface type number monitor [interval seconds] show processes cpu monitor [interval seconds] DETAILED STEPS Command or Action Purpose Step 1 enable...
  • Page 349 Debug Commands That Are Supported by ISG Conditional Debug Table 2 lists the Cisco IOS debugging commands that are supported for distributed conditional debugging. The commands are listed by component. One or more of these commands can be issued after...
  • Page 350 Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging How to Enable ISG Session Monitoring and Distributed Conditional Debugging Table 2 Debug Commands Supported by ISG Distributed Conditional Debugging (continued) debug ppp subscriber PPPoE Debug Commands debug pppoe data debug pppoe error debug pppoe event debug pppoe packet Session Manager Debug Commands...
  • Page 351 The debug condition session-id command filters a session only after the session has been established. The session identifier is a unique dynamic number generated internally by the Cisco IOS software and assigned to each session when the session is established.
  • Page 352 Example: Router# show debug condition Troubleshooting Tips The Cisco IOS software displays messages as you set the conditions for filtering the debugging. When a condition is set, it is assigned a number, as follows: Condition 1 set If a condition has already been set, the following message is displayed:...
  • Page 353 Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging Configuration Examples for ISG Distributed Conditional Debugging The following messages and prompt are displayed when you attempt to disable the last condition using the no form of a debug condition command: This condition is the last interface condition set.
  • Page 354 The following example shows how to filter PPP, PPPoE, and Session Manager debugs for a PPPoE session with username “user@cisco.com”. Only debugging messages for the defined user are displayed on the console. Any other debugging messages associated with other users will not be displayed.
  • Page 355 Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Feature Information for Distributed Conditional Debugging Table 3 lists the features in this module and provides links to specific configuration information.
  • Page 357 Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. © 2006–2009 Cisco Systems, Inc. All rights reserved.
  • Page 358 Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging Feature Information for Distributed Conditional Debugging...
