Cisco IOS XE страница 185 Скачать руководство пользователя | Manualshive

Страница: 185 / 358

background image

Configuring ISG Policies for Automatic Subscriber Logon

How to Configure ISG Policies for Automatic Subscriber Logon

3

The event that triggers automatic subscriber logon is session-start. For IP sessions, session-start occurs
when a DHCP DISCOVER request is received or when an unrecognized source IP address is detected.
For PPPoE sessions, session-start occurs when a client attempts to initiate a session by sending a PPPoE
Active Discovery Initiation (PADI) packet.

Supported Identifiers for ISG Automatic Subscriber Logon

For IP sessions, an ISG device can be configured to use the following identifiers in place of the username
in authorization requests: IP address, MAC address, circuit ID, remote ID, or a combination of the circuit
ID and remote ID.

For PPPoE sessions, an ISG device can be configured to use the remote ID in place of the username in
authorization requests.

Authorization Based on Circuit ID and Remote ID

The circuit ID and remote ID fields are part of the DHCP relay agent information option (also referred
to as Option 82) and the PPPoE Tag VSA. These fields are inserted into DHCP and PPPoE messages by
a DSLAM. An ISG device can be configured to use the circuit ID, remote ID, or a combination of circuit
ID and remote ID as the username in authorization requests.

By default, the ISG device will use the circuit ID and remote ID that are provided by the Layer 2 edge
access device for authorization. If the ip dhcp relay information option command is configured, the
ISG device will use the circuit ID and remote ID that are received in a DHCP message.

Accounting Behavior When ISG Automatic Subscriber Logon Is Configured

Accounting Behavior for MAC-Address-Based Authorization

If the MAC address is sent as the username in authorization requests, the MAC address will also be sent
as the Calling Station ID in accounting records.

Accounting Behavior for Remote-ID- and Circuit-ID-Based Authorization

For IP sessions that use DHCP Option 82 authorization, accounting messages are sent to the AAA server
with the Circuit ID and Remote ID Cisco VSAs. Although you can configure a combination of circuit
ID and remote ID as the username for authorization, the attributes are sent individually in accounting
records. You can also configure the circuit ID and remote ID to be sent together in accounting records
as the NAS Port ID.

For PPPoE sessions, the Remote ID VSA is sent in accounting records, and the remote ID is also sent as
the NAS Port ID.

If the radius-server attribute 31 remote-id command is configured, the remote ID is sent in accounting
records as the Calling Station ID.

How to Configure ISG Policies for Automatic Subscriber Logon

To configure ISG policies to automatically log on subscribers, perform the following tasks:

•

Identifying Traffic for Automatic Logon in a Control Policy Class Map, page 4

«
...
183
184
185
186
187
...
»

Содержание IOS XE

Страница 1: ...arters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco IOS XE Intelligent Services Gateway Configuration Guide Release 2 ...

Страница 2: ...co Pulse Cisco SensorBase Cisco StackPower Cisco StadiumVision Cisco TelePresence Cisco Unified Computing System Cisco WebEx DCE Flip Channels Flip for Good Flip Mino Flipshare Design Flip Ultra Flip Video Flip Video Design Instant Broadband and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and Learn Cisco Capital Cisco Capital Design Cisco Financed Stylized Cisco ...

Страница 3: ...entation Feedback page x Documentation Objectives Cisco IOS XE documentation describe the tasks and commands available to configure and maintain Cisco networking devices Audience The Cisco IOS XE documentation set is intended for users who configure and maintain Cisco networking devices such as routers and switches but who may not be familiar with the configuration and maintenance tasks the relati...

Страница 4: ...or example the key combination D or Ctrl D means that you hold down the Control key while you press the D key Keys are indicated in capital letters but are not case sensitive string A string is a nonquoted set of characters shown in italics For example when setting a Simple Network Management Protocol SNMP community string to public do not use quotation marks around the string otherwise the string...

Страница 5: ...co com Listed are configuration guides command references and supplementary references and resources that comprise the documentation set Cisco IOS XE Documentation Set page iv Cisco IOS XE Documentation on Cisco com page iv Configuration Guides Command References and Supplementary Resources page v Convention Description Courier font Courier font is used for information that is displayed on a PC or...

Страница 6: ...elease and all commands that are new modified removed or replaced in the release Reference book for system messages for all Cisco IOS XE releases Cisco IOS XE Documentation on Cisco com The following sections describe the documentation organization and how to access various document types Use Cisco Feature Navigator to find information about Cisco IOS XE software image support To access Cisco Feat...

Страница 7: ...ing of SPA interface processors SIPs and shared port adapters SPAs that are supported on the Cisco ASR 1000 Series Router Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide Overview of software functionality that is specific to the Cisco ASR 1000 Series Aggregation Services Routers Cisco IOS XE Access Node Control Protocol Configuration Guide Cisco IOS Access Node Cont...

Страница 8: ... Addressing Services Configuration Guide Cisco IOS IP Addressing Services Command Reference IP addressing Address Resolution Protocol ARP Network Address Translation NAT Domain Name System DNS Dynamic Host Configuration Protocol DHCP and Next Hop Address Resolution Protocol NHRP Cisco IOS XE IP Application Services Configuration Guide Cisco IOS IP Application Services Command Reference Enhanced Ob...

Страница 9: ...cs ios ios_xe ipv6 configuratio n guide ip6 roadmap_xe html Cisco IOS XE ISO CLNS Configuration Guide Cisco IOS ISO CLNS Command Reference ISO Connectionless Network Service CLNS Cisco IOS XE LAN Switching Configuration Guide Cisco IOS LAN Switching Command Reference VLANs and multilayer switching MLS Cisco IOS XE Multiprotocol Label Switching Configuration Guide Cisco IOS Multiprotocol Label Swit...

Страница 10: ...IOS XE Security Configuration Guide Securing the Data Plane Access Control Lists ACLs Firewalls Context Based Access Control CBAC and Zone Based Firewall Cisco IOS Intrusion Prevention System IPS Flexible Packet Matching Unicast Reverse Path Forwarding uRPF Threat Information Distribution Protocol TIDP and TMS Cisco IOS XE Security Configuration Guide Securing User Services AAA includes Network Ad...

Страница 11: ...de Operating in the distributed mode the SBC is a toolkit of functions that can be used to deploy and manage VoIP services such as signaling interworking network hiding security and quality of service Cisco Unified Border Element SP Edition Configuration Guide Unified Model Cisco Unified Border Element SP Edition Command Reference Unified Model The Cisco Unified Border Element SP Edition is a high...

Страница 12: ...all Cisco IOS XE software releases Cisco IOS Debug Command Reference Alphabetical list of debug commands including brief descriptions of use command syntax and usage guidelines Cisco IOS XE system messages List of Cisco IOS XE system messages and descriptions System messages may indicate problems with your system may be informational only or may help diagnose problems with communications lines int...

Страница 13: ...n Without Limitation Continuum EtherFast EtherSwitch Event Center Explorer Follow Me Browsing GainMaker iLYNX IOS iPhone IronPort the IronPort logo Laser Link LightStream Linksys MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy PCNow PIX PowerKEY PowerPanels PowerTV PowerTV Design PowerVu Prisma ProConnect ROSA SenderBase SMARTnet Spectrum Expert StackWise WebEx and the WebE...

Страница 14: ...About Cisco IOS XE Software Documentation Additional Resources and Documentation Feedback xii ...

Страница 15: ...iguration Guide For information about the software documentation set see the About Cisco IOS XE Software Documentation document Initially Configuring a Device Initially configuring a device varies by platform For information about performing an initial configuration see the hardware installation documentation that is provided with the original packaging of the product or go to the Product Support ...

Страница 16: ...sentative Using the CLI This section describes the following topics Understanding Command Modes page ii Using the Interactive Help Feature page v Understanding Command Syntax page vi Understanding Enable and Enable Secret Passwords page viii Using the Command History Feature page viii Abbreviating Commands page ix Using Aliases for CLI Commands page ix Using the no and default Forms of Commands pa...

Страница 17: ...s Manage device file systems Global configuration From privileged EXEC mode issue the configure terminal command Router config Issue the exit command or the end command to return to privileged EXEC mode Configure the device Interface configuration From global configuration mode issue the interface command Router config if Issue the exit command to return to global configuration mode or the end com...

Страница 18: ...reak signal Ctrl C Ctrl Shift 6 or the send break command was entered and the router was configured to enter diagnostic mode when the break signal was received Router diag If a Cisco IOS XE process failure is the reason for entering diagnostic mode the failure must be resolved and the router must be rebooted to exit diagnostic mode If the router is in diagnostic mode because of a transport map con...

Страница 19: ... executing a downloaded image context display the context of a loaded image cookie display contents of cookie PROM in hex rommon 2 The following example shows how the command prompt changes to indicate a different command mode Router enable Router configure terminal Router config interface ethernet 1 1 Router config if ethernet Router config line exit Router config end Router Note A keyboard alter...

Страница 20: ...s List entry access profile Apply user profile to interface access template Create a temporary access List entry alps ALPS exec commands archive manage archive files snip partial command Router config zo zone zone pair partial command Tab Router config we Tab webvpn command Router config if pppoe enable Enable pppoe max sessions Maximum PPPOE sessions command keyword Router config if pppoe enable ...

Страница 21: ...brackets Indicate that the option is an argument Sometimes arguments are displayed without angle brackets A B C D Indicates that you must enter a dotted decimal IP address Angle brackets are not always used to indicate that an IP address is an argument WORD all capital letters Indicates that you must enter one word Angle brackets are not always used to indicate that a WORD is an argument LINE all ...

Страница 22: ...eywords that are single integer values If you choose a number for the first character of your password followed by a space the system will read the number as if it were the numeric keyword and not as part of your password When both passwords are set the enable secret password takes precedence over the enable password To remove a password use the no form of the commands no enable password or no ena...

Страница 23: ...eature for a terminal session issue the terminal no history command in user EXEC or privileged EXEC mode or the no history command in line configuration mode Abbreviating Commands Typing a complete command name is not always required for the command to execute The CLI recognizes an abbreviated command when the abbreviation contains enough characters to uniquely identify the command For example the...

Страница 24: ...ettings the default form enables the command and returns the settings to their default values The no form is documented in the command pages of command references The default form is generally documented in the command pages only when the default form performs a different function than the plain and no forms of the command To see what default commands are available on your system enter default in ...

Страница 25: ... include the expression protocol Router show interface include protocol FastEthernet0 0 is up line protocol is up Serial4 0 is up line protocol is up Serial4 1 is up line protocol is up Serial4 2 is administratively down line protocol is down Serial4 3 is administratively down line protocol is down Understanding CLI Error Messages You may encounter some error messages while using the CLI Table 5 s...

Страница 26: ...ed to NVRAM On platforms with a Class A flash file system the configuration is saved to the location specified by the CONFIG_FILE environment variable The CONFIG_FILE variable defaults to NVRAM Additional Information Part 1 Using the Cisco IOS Command Line Interface CLI of the Cisco IOS XE Configuration Fundamentals Configuration Guide http www cisco com en US docs ios ios_xe fundamentals configur...

Страница 27: ...rtified Internetwork Expert logo Cisco IOS Cisco Lumin Cisco Nexus Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Collaboration Without Limitation Continuum EtherFast EtherSwitch Event Center Explorer Follow Me Browsing GainMaker iLYNX IOS iPhone IronPort the IronPort logo Laser Link LightStream Linksys MeetingPlace MeetingPlace Chime Sound MGX Networkers Networ...

Страница 28: ...Using the Command Line Interface in Cisco IOS XE Software Additional Information xiv ...

Страница 29: ...ture Feature and Release Support Table 1 lists ISG feature support for Cisco IOS XE Release 2 Use Cisco Feature Navigator to find information about platform support and software image support Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release feature set or platform To access Cisco Feature Navigator go to http www cisco com go cf...

Страница 30: ...ngs clients to query DHCP servers regarding the owner and the lease expiration time of an IP address Configuring ISG Access for IP Subscriber Sessions Cisco IOS XE Release 2 5 ISG AAA Wireless Enhancements This feature enhances ISG RADIUS proxy functionality to provide additional support for mobile wireless environments It includes changes to RADIUS attribute 31 processing Configuring ISG as a RAD...

Страница 31: ...rol Dynamic Rate Limiting ISG can change the allowed bandwidth of a session or flow by dynamically applying rate limiting policies Configuring ISG Network Forwarding Policies Cisco IOS XE Release 2 2 ISG Instrumentation Advanced Conditional Debugging ISG provides the ability to define various conditions for filtering debug output Conditional debugging generates very specific and relevant informati...

Страница 32: ...OS XE Release 2 2 ISG Policy Control Policy Domain Based Auto domain Proxy ISG control policies manage the primary services and rules used to enforce particular contracts Polices can be configured to interpret the domain as a request to activate the service associated with that domain name allowing users to automatically receive services in accordance with the domain that they are attempting to co...

Страница 33: ...allows the portal to identify the ISG gateway from which the session originated Configuring ISG Port Bundle Host Key Cisco IOS XE Release 2 2 ISG Session Auth Single Sign On Single sign on eliminates the need to authenticate a session more than once when a subscriber has access to services provided by other devices in the administrative domain of the access or service provider Overview of ISG Cisc...

Страница 34: ...any variants of P2P encapsulation such as PPP PPPoE and PPPoA Configuring ISG Access for PPP Sessions Cisco IOS XE Release 2 2 ISG Session Lifecycle Idle Timeout The ISG idle timeout controls how long a connection can be idle before it is terminated Configuring ISG Policies for Session Maintenance Cisco IOS XE Release 2 2 ISG Session Lifecycle Packet of Disconnect POD An ISG can be configured to i...

Страница 35: ...nity Collaboration Without Limitation Continuum EtherFast EtherSwitch Event Center Explorer Follow Me Browsing GainMaker iLYNX IOS iPhone IronPort the IronPort logo Laser Link LightStream Linksys MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy PCNow PIX PowerKEY PowerPanels PowerTV PowerTV Design PowerVu Prisma ProConnect ROSA SenderBase SMARTnet Spectrum Expert StackWise W...

Страница 36: ...Intelligent Services Gateway Features Roadmap 8 ...

Страница 37: ... the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for the Overview of ISG section on page 9 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE sof...

Страница 38: ...d service edge of a network and is applicable to a range of subscriber network environments such as digital subscriber line DSL public wireless LAN PWLAN and mobile wireless Moreover ISG has been designed to accommodate a flexible distribution of subscriber and service information within a given solution Figure 1 illustrates a typical DSL deployment for which service profile data may be stored in ...

Страница 39: ...r 3 depending on the packet types that are being handled by the session For instance a PPP session is a Layer 2 session in that it includes all packets transferred over a link that was established using PPP negotiation An IP session is Layer 3 because it includes all IP packets exchanged with a subscriber device at a single IP address Whether a session is Layer 2 or Layer 3 will to some extent det...

Страница 40: ...ailable at session start can be used to drive the extraction of further identity from the subscriber and determine new policy for the session The following example illustrates how ISG might handle subscriber identity For an IP session where session start is signaled by a DHCP protocol event a TCP redirection policy could be activated This policy would facilitate the collection of a username and cr...

Страница 41: ...valuated A control policy rule consists of a control class a flexible condition clause an event for which the condition is evaluated and one or more control actions Control actions are general system functions such as authenticate or activate a service Control policies may be activated on various targets such as interfaces or ATM virtual circuits VCs and typically control the extraction and authen...

Страница 42: ...ucture to provide session functionality Use of existing Cisco IOS infrastructure to track session state and life cycle Creation of a session context at first instance of subscriber interaction thereby facilitating the immediate application of policy to subscriber traffic Flexible distribution of service data Range of accounting options including prepaid accounting postpaid accounting tariff switch...

Страница 43: ...ce overheads associated with this practice Subscriber Access Model The trust model will to a large extent determine the choice of access protocol However the access model will also depend on other factors such as the underlying media for example ATM versus Ethernet type of endpoint for example PC cell phone PDA mobility requirements the system s ability to influence the software installed on a sub...

Страница 44: ... intervals traditional postpaid Billing according to policies provisioned for the session Billing according to the time of day tariff switching Additional References The following sections provide references related to ISG Related Documents Technical Assistance Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference Description Link The Cisco Support webs...

Страница 45: ...isco Unity Collaboration Without Limitation EtherFast EtherSwitch Event Center Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone iQuick Study IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum ...

Страница 46: ...Overview of ISG Feature Information for the Overview of ISG 10 ...

Страница 47: ...w to configure ISG control policies Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Control Policies section on page 21 Use Cisco Feature Navi...

Страница 48: ...es of Control Policies page 3 Control Policies Control policies define the actions that the system will take in response to specified events and conditions For example a control policy can be configured to authenticate specific subscribers and then provide them with access to specific services A control policy is made of one or more control policy rules A control policy rule is an association of a...

Страница 49: ...actions configured for the radius timeout and access reject events the system can distinguish between the different reasons for an authentication failure Different events are thrown by the system for example a received authentication reject or an unavailable RADIUS server event This allows the control policy to specify different actions for each type of authentication failure For example if the RA...

Страница 50: ...i vpi number 6 greater than or equal not nas port adapter adapter number channel channel number ipaddr ip address port port number shelf shelf number slot slot number sub interface sub interface number type interface type vci vci number vlan vlan id vpi vpi number 7 less than not nas port adapter adapter number channel channel number ipaddr ip address port port number shelf shelf number slot slot ...

Страница 51: ... match all class1 Creates or modifies a control class map which defines the conditions under which the actions of a control policy map will be executed and enters control class map configuration mode Step 4 available authen status authenticated domain authenticated username dnis media mlp negotiated nas port no username protocol service name source ip address timer tunnel name unauthenticated doma...

Страница 52: ... number channel channel number ipaddr ip address port port number shelf shelf number slot slot number sub interface sub interface number type interface type vci vci number vlan vlan id vpi vpi number Example Router config control classmap less than or equal nas port ipaddr 10 10 10 10 Optional Creates a condition that evaluates true if the specified subscriber NAS port identifier is less than or e...

Страница 53: ...it id name ipaddr ip address port port number remote id name shelf shelf number slot slot number sub interface sub interface number type async atm basic rate enm ether fxo fxs none primary rate synch vlan vty vci vci number vlan vlan id vpi vpi number Example Router config control classmap match nas port type ether slot 3 Optional Creates a condition that evaluates true if a subscriber s NAS port ...

Страница 54: ...tional Creates a condition that evaluates true upon expiry of a specified policy timer Step 21 match tunnel name tunnel name regexp regular expression Example Router config control classmap match tunnel name regexp L Optional Creates a condition that evaluates true if a subscriber s virtual private dialup network VPDN tunnel name matches the specified tunnel name Step 22 match unauthenticated doma...

Страница 55: ...omain authenticated username auto detect circuit id plus remote id dnis mac address nas port remote id plus circuit id source ip address tunnel name unauthenticated domain unauthenticated username vendor class id 7 action number collect aaa list list name identifier authen status authenticated domain authenticated username dnis mac address media mlp negotiated nas port no username protocol service...

Страница 56: ...piry Example Router config control policymap class type control always event session start Specifies a control class for which actions may be configured and enters control policy map class configuration mode A policy rule for which the control class is always will always be treated as the lowest priority rule within the control policy map Step 5 action number authenticate aaa list list name Exampl...

Страница 57: ... config control policymap class control 1 proxy accounting aaa list default Optional Specifies the list that the request should be proxied to Step 10 action number service disconnect local vpdn Example Router config control policymap class control 3 service disconnect Optional Specifies a network service type for PPP sessions Step 11 action number service policy type control policy map name Exampl...

Страница 58: ...ted username dnis mac address media mlp negotiated nas port no username protocol service name source ip address timer tunnel name unauthenticated domain unauthenticated username vrf Example Router config control policymap class control 1 set APJ identifier authen status Optional Sets a variable name Step 14 action number set timer name of timer minutes Example Router config control policymap class...

Страница 59: ...AILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 service policy type control policy map name Example Router config service policy type control policy1 Applies a control policy Command or Action Purpose Step 1 enabl...

Страница 60: ...nfiguration mode Step 4 service policy type control policy map name Example Router config if service policy type control policy1 Applies a control policy Command or Action Purpose Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step...

Страница 61: ...ss Media Example page 19 Control Policies for Automatic Subscriber Login Example page 20 Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 show class map type control Example Router show class map type control Displays information about ISG control class maps The display includes statistics on the number of times a par...

Страница 62: ...RS event session start 1 service local class type control MY LOCAL USERS event session start 1 service local class type control always event session start 2 service disconnect policy map type control ppp users class type control always event session start 1 collect identifier unauthenticated domain 2 service policy type control MY POLICY Verifying a Control Policy Examples The following examples s...

Страница 63: ... timeout 720 0x2D0 ssg account info QU 10000 D 20000 Rules actions and conditions executed subscriber rule map ppp users condition always event session start 1 collect identifier unauthenticated domain 2 service policy type control MY POLICY subscriber condition map match all MY FORWARDING USERS match identifier unauthenticated domain xyz com TRUE subscriber rule map MY POLICY condition MY FORWARD...

Страница 64: ...imeout 720 0x2D0 ssg account info QU 10000 D 20000 Rules actions and conditions executed subscriber rule map ppp users condition always event session start 1 collect identifier unauthenticated domain 2 service policy type control MY POLICY subscriber condition map match all MY FORWARDING USERS match identifier unauthenticated domain xyz com FALSE subscriber rule map MY POLICY condition MY FORWARDI...

Страница 65: ... the NAS port associated with this subscriber Specifically only subscribers that arrive on a Gigabit Ethernet interface and on slot 3 will evaluate to true Configure the control class maps class map type control match all MATCHING USERS class type control NOT ATM match media ether match nas port type ether slot 3 class map type control match none NOT ATM match media atm If the conditions in the cl...

Страница 66: ... radius aaa authentication login LOCAL local access list 100 permit ip any any class map type traffic match any all traffic match access group input 100 match access group output 100 policy map type service redirectprofile class type traffic all traffic redirect to ip 10 0 0 148 port 8080 class map type control match all CONDA match source ip address 209 165 201 1 255 255 255 0 class map type cont...

Страница 67: ...ntroduced support for a given feature in a given Cisco IOS XE software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature MIB MIBs Link No new or modified MIBs are supported by this feature To locate and download MIBs for selected platforms Cisco IOS XE releases and feature sets use Cisco MIB Locator found at the following...

Страница 68: ... ISG Policy Control Policy Triggers Cisco IOS XE Release 2 2 ISG control policies can be configured with time based volume based and duration based policy triggers Time based triggers use an internal clock allowing policies to be applied at specific times Volume based triggers are based on packet count when the packet count reaches a specified value the specified policy is applied Duration based t...

Страница 69: ...ot imply a partnership relationship between Cisco and any other company 0910R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional and coincidental 2006 2009 Cisco System...

Страница 70: ...Configuring ISG Control Policies Feature Information for ISG Control Policies 24 ...

Страница 71: ...re release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Access for PPP Sessions section on page 13 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support To access Cisco Feature Navigator go to http www cisco com go cfn...

Страница 72: ...ons you should understand the following concepts Overview of ISG Access for PPP Sessions page 2 ISG Subscriber IP Address Management for PPP Sessions page 3 VRF Transfer for PPP Sessions page 3 Default Policy for ISG Access for PPP Sessions page 3 Overview of ISG Access for PPP Sessions Layer 2 sessions are established by means of control protocols that operate between the peer entities and the IS...

Страница 73: ...e a PPP session comes up with the IP address from the network access point NAP the subscriber can access a web portal and choose a service provider On VRF transfers in PPP sessions ISG must reassign the IP address from the new domain to the PPP session In PPP sessions the IP address is reassigned by IPCP renegotiation Without PPP renegotiation VRF transfer is not supported for PPP sessions Default...

Страница 74: ...ol policies See the Configuration Examples for ISG Access for PPP Sessions section on page 9 for an example of a control policy for Layer 2 access 3 Enable ISG VRF transfer for PPP sessions 4 Verify and troubleshoot the configuration as needed This section contains the following tasks Enabling ISG VRF Transfer for PPP Sessions page 4 Troubleshooting ISG Access for PPP Sessions page 7 Enabling ISG ...

Страница 75: ...minal 3 policy map type service policy map name 4 ip vrf forwarding name of vrf 5 sg service type primary 6 sg service group service group name DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 policy map type se...

Страница 76: ...e type primary Defines the service as a primary service A primary service is a service that contains a network forwarding policy A primary service must be defined as a primary service by using the sg service type primary command Any service that is not a primary service is defined as a secondary service by default Step 6 sg service group service group name Example Router config service policymap s...

Страница 77: ...gr service key session handle session handle service key service session key domainip vrf ip address ip address vrf id vrf id ip address ip address mac address mac address nativeip vrf ip address ip address vrf id vrf id portbundle ip ip address bundle bundle number session handle session handle Example Router show idmgr session key ip address 10 0 0 1 Displays information related to ISG session a...

Страница 78: ...nostic information about packets during Subscriber Service Switch SSS call setup Step 5 debug subscriber error Example Router debug subscriber error Displays diagnostic information about errors that can occur during SSS call setup Step 6 debug subscriber event Example Router debug subscriber event Displays diagnostic information about SSS call setup events Step 7 debug subscriber fsm Example Route...

Страница 79: ...or PPP Sessions Example The following example shows the configuration of an ISG policy that provides services to PPP subscribers This example configures ISG to perform the following actions PPP local termination ISG will provide local termination by activating the service ispa for subscribers matching the domain ispa The system will authenticate the subscriber using method list list1 For local ter...

Страница 80: ...ontrol L2_ACCESS Define a control policy rule that activates a forwarding service on the basis of the ATM VPI VCI on which the call came in class type control NAS_PORT_CONDITION event session start 1 service policy type service xconnect Define a control policy rule that collects the domain name from the protocol The domain name is available from a structured user name e g user domain class type co...

Страница 81: ...vice policy type control L2_ACCESS VRF Transfer for PPP Sessions Using IPCP Renegotiation Example The following example shows a configuration that uses PPPoE to establish a session and the RADIUS service profile that is created to associate the VRF In this example when a PPP session initially comes up it belongs to the default routing table and the IP address is assigned from the default IP addres...

Страница 82: ...ice Info R10 1 1 0 255 255 255 0 Framed Protocol PPP Service Type Framed Additional References The following sections provide references related to ISG access for PPP sessions Related Documents Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference AAA configuration tasks The Authentication Authorization and Accounting AAA section in the Cisco IOS XE Sec...

Страница 83: ...tion Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and...

Страница 84: ...the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in the United St...

Страница 85: ...ent assumes that Network Address Translation is performed on a Layer 3 gateway other than the ISG Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ...

Страница 86: ...s IP Subnet Session Restrictions IP subnet sessions are not supported on an interface configured with the ip subscriber l2 connected command IP subnet sessions are supported only when the ip subscriber routed command is configured on the interface ISG DHCP Restrictions ISG cannot relay DHCP requests when a Layer 3 DHCP relay agent is between the ISG device and subscriber devices Dynamic VPN Select...

Страница 87: ...d for ISG IP subscriber sessions or traffic class sessions Upon switchover an IP session must be re created or restarted for DHCP sessions when the session becomes active again SSO and ISSU are not supported for any features on IP subscriber sessions or traffic class sessions Information About ISG Access for IP Subscriber Sessions Before you configure ISG access for subscriber sessions you should ...

Страница 88: ... represents all the traffic that is associated with a single IP subnet IP subnet sessions are used to apply uniform edge processing to packets associated with a particular IP subnet When an IP subnet session is configured ISG treats the subnet as a single subscriber which means that ISG features and functionality are applied to the subnet traffic as an aggregate IP subnet sessions are supported fo...

Страница 89: ...r 3 forwarding is either absent or not used to direct subscriber traffic in the Layer 2 access network IP addresses of the subscribers may or may not be on the same subnet as the Layer 2 connected physical interfaces Figure 1 shows an example of a Layer 2 connected access network Figure 1 Layer 2 Connected Access Network Routed Access Networks Routed subscriber traffic is routed through a Layer 3 ...

Страница 90: ...by the appearance of an IP packet with an unclassified source IP address which means that an IP session does not yet exist for that IP address Unclassified source MAC address For Layer 2 connected IP subscribers a new IP session is triggered by the appearance of an IP packet with an unclassified source MAC address which means that an IP session does not yet exist for that MAC address RADIUS Access...

Страница 91: ...nvolved in the assignment of an IP address for the subscriber DHCP If DHCP is being used to assign IP addresses and the IP address that is assigned by DHCP is correct for the service domain ISG does not have to be involved in the assignment of an IP address for the subscriber If the IP address that is assigned by DHCP is not correct for the service domain or if the domain changes because of a VRF ...

Страница 92: ...k should use a Layer 2 separation mechanism to differentiate the IP address spaces For example the access network may put each IP address space in a different VLAN In cases in which the access network serves both local IP subscribers and roaming users the static private IP address of a roaming subscriber may overlap the native private IP address of another subscriber For example a public wireless ...

Страница 93: ...Internet NAT must be performed For routed IP subscribers the subscriber IP address serves as the key for an IP session ISG associates IP traffic with an IP session as follows In the upstream direction the source IP address of an IP packet is used to identify the IP session The source IP address is the subscriber IP address In the downstream direction the destination IP address of an IP packet is u...

Страница 94: ...IP subscribers both the subscriber MAC address unique within a VLAN and the IP address serve as the keys for the IP session but they are used in different directions In the upstream direction the VLAN ID and source MAC address of an IP packet are used to identify the IP session In the downstream direction both the destination IP address and the VLAN ID of an IP packet are used to identify the IP s...

Страница 95: ...ly be altered once the current lease has expired Subscribers will not have access to the selected domain before the next DHCP renew request is received Using short initial lease times minimizes the interval between a VRF change and a DHCP renewal If long lease times are used an out of band method of initiating IP address change should be implemented When DHCP can be used to assign a new address at...

Страница 96: ...called equal access networking must be supported Equal access networking is often mandated by regulatory rules stating that an access provider should allow service providers equal access to a retail subscriber network ISG dynamic VPN selection facilitates equal access networking by allowing subscribers to transfer between network services IP Session Termination An IP session may be terminated in o...

Страница 97: ...icy appears in the output for the show subscriber policy rules command as follows Rule internal rule session restart Class map always event session restart Action 1 service disconnect delay 60 Executed 0 Default Services for IP Subscriber Sessions Newly created IP sessions may require a default service to allow subsequent subscriber packets to be processed appropriately for example to permit or fo...

Страница 98: ...bscribers that are routed through a Layer 3 access network with at least one transit router before reaching the ISG Perform this task to configure ISG to create IP sessions for routed IP subscribers SUMMARY STEPS 1 enable 2 configure terminal 3 interface type number 4 ip subscriber routed 5 initiator dhcp class aware radius proxy unclassified ip address 6 end DETAILED STEPS Command or Action Purpo...

Страница 99: ...upon receipt of the specified packet type dhcp ISG will initiate an IP session upon receipt of a DHCP DISCOVER packet The class aware keyword allows ISG to influence the IP address assigned by DHCP by providing DHCP with a class name radius proxy ISG will initiate an IP session upon receipt of a RADIUS Access Request packet unclassified ip address ISG will initiate an IP session upon receipt of th...

Страница 100: ...es are routable in the access domain Step 5 initiator dhcp class aware radius proxy unclassified mac address Example Router config subscriber initiator unclassified mac address Configures ISG to create an IP subscriber session upon receipt of the specified packet type dhcp ISG initiates an IP session upon receipt of a DHCP DISCOVER packet The class aware keyword allows ISG to influence the IP addr...

Страница 101: ...Returns to privileged EXEC mode Command or Action Purpose Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 interface type number subinterface number Example Router config interface GigabitEthernet 0 0 0 1 Specifies an interfac...

Страница 102: ...routed 7 initiator static ip subscriber list list name 8 end DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 ip subscriber list list name Example Router config ip subscriber list mylist Specifies the IP subscri...

Страница 103: ...ype number Example Router config interface GigabitEthernet 2 0 0 Specifies an interface and enters interface configuration mode Step 6 ip subscriber l2 connected or ip subscriber routed Example Router config if ip subscriber l2 connected or Router config if ip subscriber routed Specifies the type of IP subscriber to be hosted on the interface and enters ISG IP subscriber configuration mode Note It...

Страница 104: ...erface type number Example Router config interface gigabitethernet 0 0 0 Specifies an interface and enters interface configuration mode Step 4 ip subscriber routed Example Router config if ip subscriber routed Specifies the type of IP subscriber to be hosted on the interface and enters ISG IP subscriber configuration mode Step 5 initiator unclassified ip address Example Router config subscriber in...

Страница 105: ...n unauthenticated username 7 action number set timer name of timer minutes DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 policy map type control policy map name Example Router config policy map type control M...

Страница 106: ...icated domain unauthenticated username Example Router config control policymap class control 1 authorize identifier source ip address Optional Initiates a request for authorization on the basis of the specified identifier Step 6 action number service policy type service unapply aaa list list name name service name identifier authenticated domain authenticated username dnis nas port tunnel name una...

Страница 107: ...ep 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 1 show subscriber session detailed identifier identifier uid session id username name Example Router show subscriber session detailed Displays information about ISG policies and features for subscriber sessions Step 2 show ip subscriber dangling seconds detail ip ip address mac mac address vrf vrf n...

Страница 108: ...er IP addresses To enable ISG to influence the IP addresses assigned to subscribers you associate a DHCP address pool class with an address domain The DHCP address pool class must also be configured in a service policy map service profile or user profile which is associated with a subscriber When a DHCP request is received from a subscriber DHCP uses the address pool class that is associated with ...

Страница 109: ...t with a class name The class name refers to a class configured using the ip dhcp pool command and can reference a pool of addresses or a relay destination SUMMARY STEPS 1 enable 2 configure terminal 3 interface type number 4 ip address ip address mask secondary 5 ip subscriber l2 connected routed 6 initiator dhcp class aware 7 end DETAILED STEPS Command or Action Purpose Step 1 enable Example Rou...

Страница 110: ... name 4 classname class name 5 end 6 show policy map type service DETAILED STEPS Step 5 ip subscriber l2 connected routed Example Router config if ip subscriber Enables ISG IP subscriber configuration mode Step 6 initiator dhcp class aware Example Router config if initiator dhcp class aware Configures ISG to create IP sessions upon receipt of DHCP DISCOVER packets The class aware keyword allows IS...

Страница 111: ...d with the class Prerequisites A DHCP address pool must be configured Classes configured within the DHCP address pool must match the DHCP address pool classes configured in the service or user profile SUMMARY STEPS 1 Add the DHCP Class attribute to the user or service profile Step 3 policy map type service policy name Example Router config policy map type service service1 Creates a service policy ...

Страница 112: ...HCP servers available on the network and to specify the DHCP lease query for routed IP sessions Note The DHCP server IP address needs to be configured for routed IP sessions if the DHCP lease query is performed Prerequisites The DHCP server must support the DHCP lease protocol The IP address of the phone must be assigned by DHCP address assignments The traffic must be classified as Layer 3 SUMMARY...

Страница 113: ...Restrictions IP interface features such as quality of service QoS and access lists are not supported on multiservice interfaces Only one multiservice interface can belong to a single VRF For example the following configuration will not work interface multiservice 1 ip vrf forwarding VRF_A Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password...

Страница 114: ...es serve as demarcation points for the IP subscriber to switch from one VPN domain to another Figure 3 illustrates the multiservice interface model Figure 3 Multiservice Interface Model One multiservice interface must be configured for each VPN routing domain SUMMARY STEPS 1 enable 2 configure terminal 3 interface multiservice interface number 4 ip vrf forwarding vrf name 5 ip address ip address m...

Страница 115: ...vice SUMMARY STEPS 1 enable 2 configure terminal 3 policy map type service policy map name 4 ip vrf forwarding name of vrf 5 sg service type primary 6 sg service group service group name Step 3 interface multiservice interface number Example Router config interface multiservice 1 Creates a multiservice interface which enables dynamic VPN selection and enters interface configuration mode Step 4 ip ...

Страница 116: ... a service policy map which is used to define an ISG service and enters service policy map configuration mode Step 4 ip vrf forwarding name of vrf Example Router config service policymap ip vrf forwarding vrf2 Associates the service with a VRF Step 5 sg service type primary Example Router config service policymap sg service type primary Defines the service as a primary service A primary service is...

Страница 117: ...er sessions with a specific session identifier Step 3 show ip subscriber dangling seconds detail ip ip address mac mac address vrf vrf name dangling seconds detail ip ip address Example Router show ip subscriber vrf vrf3 Displays information about ISG IP subscriber sessions Step 4 show idmgr memory detailed component substring service key session handle session handle string service key key value ...

Страница 118: ...age 35 ISG Layer 2 Connected IP Subscriber Example page 35 DHCP Initiated Session Recovery Example page 36 ISG Interface with DHCP Class Aware Capability Example page 36 Command or Action Purpose Step 1 debug subscriber event error packet policy service Example Router debug subscriber service Displays debugging messages pertaining to subscriber policies policy server events and changes to service ...

Страница 119: ...401 ip subscriber routed initiator dhcp class aware initiator unclassified ip address initiator radius proxy ISG Layer 2 Connected IP Subscriber Example The following example shows how to configure ISG to create IP sessions for subscribers who connect to ISG on GigabitEthernet interface0 0 1 401 through a Layer 2 connected access network ISG will create IP sessions upon receipt of any frame with a...

Страница 120: ... the service SERVICE_DHCP is activated the DHCP pool DHCP_POOL2 is used for address assignment Otherwise the default pool DHCP_POOL1 is used interface GigabitEthernet1 0 0 400 encapsulation dot1Q 400 ip address 10 1 15 1 255 255 255 0 secondary ip address 10 1 10 1 255 255 255 0 no snmp trap link status service policy type control RULE_406a ip subscriber l2 connected initiator dhcp class aware ip ...

Страница 121: ... 0 255 255 0 0 lease 0 0 10 class default DHCP Relay Agent Coresident with ISG Configuration In the following configuration example there are two ISPs poolA and poolB The poolA ISP and its customers are allowed to have addresses in the ranges 10 1 0 0 16 and 10 3 0 0 16 and are relayed to the DHCP server at 10 55 10 1 The poolB ISP and its customers are allowed to have addresses in the range 10 2 ...

Страница 122: ... 255 255 0 0 default router 20 10 1 1 lease 0 0 2 class vrf class vrf1 ip dhcp class vrf class vrf1 policy map type control TAL class type control always event session start 1 service policy type service name pbhk 2 authorize identifier mac address interface GigabitEthernet0 0 7 ip address 10 1 1 0 255 255 0 0 load interval 30 negotiation auto no cdp enable service policy type control TAL ip subsc...

Страница 123: ... The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really S...

Страница 124: ...xy Cisco IOS XE Release 2 2 This feature enables ISG to dynamically interact with DHCP and apply policies that influence the IP addresses that DHCP assigns subscribers The following section provides information about this feature Assigning ISG Subscriber IP Addresses Using DHCP page 24 IP Session Recovery for DHCP Initiated IP Sessions Cisco IOS XE Release 2 2 ISG provides a default policy and the...

Страница 125: ...interface IP interface sessions are provisioned through the CLI that is a session is created when the IP interface session commands are entered The following sections provide information about this feature Information About ISG Access for IP Subscriber Sessions page 3 Creating ISG IP Interface Sessions page 17 ISG Session Creation IP Session Protocol Event DHCP Cisco IOS XE Release 2 2 Most ISG se...

Страница 126: ... 3 How to Configure ISG for IP Subscriber Sessions page 13 ISG Session Multicast Coexistence Cisco IOS XE Release 2 5 0 The ISG Session Multicast Coexistence feature introduces the ability to host all the subscribers and services data and multicast on the same VLAN by enabling multicast and IP sessions to coexist on the same e subinterface for Cisco ASR 10000 Series Aggregation Routers The followi...

Страница 127: ...ates in the United States and certain other countries All other trademarks mentioned in this document or website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0910R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display outpu...

Страница 128: ...Configuring ISG Access for IP Subscriber Sessions Feature Information for ISG Access for IP Subscriber Sessions 44 ...

Страница 129: ...est feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for MQC Support for IP Sessions section on page 7 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE sof...

Страница 130: ...mation About MQC Support for IP Sessions To use and troubleshoot the MQC Support for IP Sessions feature you should understand the following concepts Supported Interfaces page 2 ISG Policers page 2 Precedence Order in Policy Maps page 3 Supported Interfaces MQC is not supported on the following interfaces Bridge Group Virtual Interface BVI GEC Interfaces configured for Layer 2 Tunnel Protocol L2TP...

Страница 131: ...the previously existing configuration is reapplied if no higher precedence configuration source is in effect Given those precedence qualifications the policy map is determined as follows If there is no policy map on the session the incoming policy map is not applied If an existing policy map is configured from a higher priority source than an incoming one the incoming policy map is not applied If ...

Страница 132: ...class name Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 policy map type service service name Example Router config policy map type service service1 Enters policy map configuration mode Specifies the policy map name and its...

Страница 133: ...ss map match any EF WAN Router config cmap match qos group 6 Router config cmap policy map PREMIUM_MARK_IN Router config pmap class EF customer Router config pmap c set cos 6 Router config pmap c set dscp ef Router config pmap c set qos group 6 Router config pmap c class class default Router config pmap c set dscp af11 Router config pmap c set qos group 1 Router config pmap c set cos 1 Router conf...

Страница 134: ...l interface GigabitEthernet0 0 0 Router config if ip address 10 0 0 1 255 255 255 0 Router config if pppoe enable group global Router config if service policy type control INT Additional References The following sections provide references related to the MQC Support for IP sessions feature Related Documents MIBs Related Topic Document Title How to configure ISG control policies Configuring ISG Con...

Страница 135: ...nity Collaboration Without Limitation EtherFast EtherSwitch Event Center Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone iQuick Study IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert...

Страница 136: ...Configuring MQC Support for IP Sessions Feature Information for MQC Support for IP Sessions 8 ...

Страница 137: ...g Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Port Bundle Host Key section on page 9 Use Cisco Feature Navigator to find information about platfor...

Страница 138: ...IP packets for example for PPP sessions or for DHCP initiated IP sessions with transparent autologon Information About ISG Port Bundle Host Key Before you configure the ISG Port Bundle Host Key feature you should understand the following concepts Overview of ISG Port Bundle Host Key page 2 Port Bundle Host Key Mechanism page 2 Benefits of ISG Port Bundle Host Key page 3 Overview of ISG Port Bundle...

Страница 139: ...dle Host Key feature enables external portal access regardless of subscriber IP address or VRF membership Without the use of port bundle host keys all subscribers accessing a single external portal must have unique IP addresses Furthermore since port bundle host keys isolate VRF specific addresses from the domain in which the portal resides routing considerations are simplified Portal Provisioning...

Страница 140: ...the service policy map or service profile for example control policies can be used to activate services For more information about methods of service activation see the module Configuring ISG Subscriber Services Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enter...

Страница 141: ...arameters and specify the interface for which ISG will use translation tables to derive the IP address and port number for downstream traffic Port Bundle Length The port bundle length is used to determine the number of ports in one bundle By default the port bundle length is four bits The maximum port bundle length is ten bits See Table 2 for available port bundle length values and the resulting p...

Страница 142: ...1 enable 2 configure terminal 3 ip portbundle 4 match access list access list number 5 length bits 6 source interface type interface number 7 exit 8 interface type number 9 ip portbundle outside DETAILED STEPS 5 32 2016 6 64 1008 7 128 504 8 256 252 9 512 126 10 1024 63 Table 2 Port Bundle Lengths and Resulting Port per Bundle and Bundle per Group Values Port Bundle Length in bits Number of Ports ...

Страница 143: ...pport a maximum port bundle length of 7 Step 6 source interface type interface number Example Router config portbundle source loopback 0 Specifies the interface for which the main IP address will be mapped by ISG to the destination IP addresses in subscriber traffic It is recommended that you use a loopback interface as the source interface Step 7 exit Example Router config portbundle exit Returns...

Страница 144: ... Host Key Configuration Example The following example shows how to configure the ISG Port Bundle Host Key feature to apply to all sessions policy map type service ISGPBHKService ip portbundle Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 show ip portbundle status free inuse Example Router show ip portbundle status ...

Страница 145: ...o specific configuration information For information about a feature in this technology that is not documented here see the Intelligent Services Gateway Features Roadmap Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference Description Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshootin...

Страница 146: ...udy IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in ...

Страница 147: ...responding ISG session This document describes how to configure ISG as a RADIUS proxy Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG RADIUS P...

Страница 148: ... corresponding IP session upon successful authentication This functionality provides an automatic login facility with respect to ISG for subscribers that are authenticated by devices that are closer to the network edge When configured as a RADIUS proxy ISG proxies all RADIUS requests generated by a client device and all RADIUS responses generated by the corresponding AAA server as described in RFC...

Страница 149: ...ribute Processing and RADIUS Request Correlation page 3 3GPP Attribute Support page 4 Attribute Processing and RADIUS Request Correlation When authentication and accounting requests originate from separate RADIUS client devices ISG uses correlation rules to associate all the requests with the appropriate session The association of the disparate RADIUS flows with the underlying session is performed...

Страница 150: ...lowing procedures Initiating ISG RADIUS Proxy IP Sessions page 5 required Configuring ISG RADIUS Proxy Global Parameters page 6 required Configuring ISG RADIUS Proxy Client Specific Parameters page 8 optional Defining an ISG Policy for RADIUS Proxy Events page 10 required Verifying ISG RADIUS Proxy Configuration page 11 optional Clearing ISG RADIUS Proxy Sessions page 12 optional Table 1 3GPP Attr...

Страница 151: ...ure terminal Enters global configuration mode Step 3 interface type number Example Router config interface GigabitEthernet 0 0 0 Specifies an interface for configuration and enters interface configuration mode Step 4 ip subscriber interface l2 connected routed Example Router config if ip subscriber routed Enables ISG IP subscriber support on an interface specifies the access method that IP subscri...

Страница 152: ...s proxy 5 session identifier attribute number vsa vendor id type number 6 calling station id format mac address msisdn 7 accounting method list method list name default 8 accounting port port number 9 authentication port port number 10 key 0 7 word 11 timer ip address request seconds 12 end DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode En...

Страница 153: ...on which the ISG listens for accounting packets from RADIUS clients The default port is 1646 Step 9 authentication port port number Example Router config locsvr proxy radius authentication port 1111 Specifies the port on which the ISG listens for authentication packets from RADIUS clients The default port is 1645 Step 10 key 0 7 word Example Router config locsvr proxy radius key radpro Configures ...

Страница 154: ...dentifier attribute number vsa vendor id type number 7 calling station id format mac address msisdn 8 accounting method list method list name default 9 accounting port port number 10 authentication port port number 11 key 0 7 word 12 timer ip address request seconds 13 end DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password ...

Страница 155: ... the calling station id format Step 8 accounting method list method list name default Example Router config locsvr radius client accounting method list fwdacct Specifies the server to which accounting packets from RADIUS clients are forwarded Step 9 accounting port port number Example Router config locsvr radius client accounting port 2222 Specifies the port on which the ISG listens for accounting...

Страница 156: ...ample Router config locsvr radius client timer ip address 5 Specifies the amount of time ISG waits for the specified event before terminating the session ip address Specifies the amount of time ISG waits for an IP address to be assigned to the session request Specifies the amount of time ISG waits to receive an Access Request from a client device Step 13 end Example Router config locsvr radius cli...

Страница 157: ... following group group name Uses a subset of RADIUS servers for authorization as defined by the server group group name command group radius Uses the list of all RADIUS servers for authorization as defined by the aaa group server radius command Step 5 policy map type control policy map name Example Router config policy map type control proxyrule Creates or modifies a control policy map which defin...

Страница 158: ...adius proxy session id id number ip ip address Example Router show radius proxy session ip 10 10 10 10 Displays information about an ISG RADIUS proxy session Note The ID can be found in the output of the show radius proxy client command Step 3 show subscriber session identifier authen status authenticated unauthenticated authenticated domain domain name authenticated username username dnis dnis me...

Страница 159: ...start stop group EAP aaa accounting network FLOWACCT start stop group EAP aaa server radius proxy session identifier attribute 1 calling station id format msisdn authentication port 1111 accounting port 2222 key radpro message authenticator ignore The method list FWDACCT was configured by the aaa accounting network FWDACCT start stop group EAP command above Command or Action Purpose Step 1 enable ...

Страница 160: ...y PROXYRULE is applied to the interface service policy type control PROXYRULE radius server host 10 2 36 253 auth port 1812 acct port 1813 key cisco radius server host 10 76 86 83 auth port 1665 acct port 1666 key rad123 radius server vsa send accounting radius server vsa send authentication aaa new model aaa group server radius EAP server 10 2 36 253 auth port 1812 acct port 1813 ISG RADIUS Proxy...

Страница 161: ...lied before account logon Rules actions and conditions executed subscriber rule map PROXYRULE condition always event session start 1 proxy aaa list RP 2 service policy type service name service1 Session inbound features Feature Layer 4 Redirect L4 redirect is applied to the session at session start Rule table is empty Traffic classes Traffic class session ID 67 ACL Name 101 Packets 0 Bytes 0 Unmat...

Страница 162: ...69 RADIUS Extensions Description Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Techn...

Страница 163: ...S software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Table 2 Feature Information for ISG RADIUS Proxy Feature Name Releases Feature Information ISG AAA Wireless Enhancements Cisco IOS XE Release 2 5 0 This feature enhances ISG RADIUS proxy to provide additional support for mobile wireless environments It includes ...

Страница 164: ...d States and certain other countries All other trademarks mentioned in this document or website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0910R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures inc...

Страница 165: ...e features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for RADIUS Based Policing section on page 17 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Cont...

Страница 166: ...olicing features supported on the Cisco ASR 1000 Series Aggregation Services Router you should understand the following topics RADIUS Attributes page 2 Parameterized QoS Policy as VSA 1 page 5 Parameterization of QoS ACLs page 5 RADIUS Attributes RADIUS communicates with the ISG device by embedding specific attributes in Access Accept and change of authentication CoA messages RADIUS based policing...

Страница 167: ...ementing the changes specified in the Cisco VSA the ISG does not make the changes to the originally configured QoS policy on the ISG device Instead the ISG copies the active QoS policy for the session and then makes the required changes to the policy copy which is referred to as a transient policy The originally configured QoS policy on the ISG device is not changed The following sections describe...

Страница 168: ...cy child1 The qos actions list field indicates a QoS action such as police followed by the action parameters enclosed in parentheses and separated by commas For example the following sample configuration specifies the police action and defines the parameters bps burst normal burst max conform action exceed action and violate action Parentheses enclose the action parameters voip aggregate police 20...

Страница 169: ... acct 1 c d voip 1 10000 In the above example All services are enabled on target Parameterized QoS policy in the second command syntax is not echoed in the ISG service Parameterized QoS policy in the first command syntax is echoed Parameterization of QoS ACLs The Parameterization of QoS Access Control Lists ACLs feature supports multiple ISG and QoS parameterized services in a single Access Accept...

Страница 170: ...ible Configuring Per Service Policing Using RADIUS To configure per service policing perform the following configuration tasks Configuring a Hierarchical QoS Child Policy with Policing page 6 Configuring a Hierarchical QoS Parent Policy with Policing page 8 Configuring Per Service Policing on the RADIUS Server page 10 Configuring a Hierarchical QoS Child Policy with Policing Use the following proc...

Страница 171: ...ge 10000 Shapes traffic to the indicated bit rate average is the maximum number of bits sent out in each interval Available only on the PRE3 mean rate is the committed information rate CIR in bits per second Step 6 police bps burst normal burst max conform action action exceed action action violate action action Example Router config pmap c police 10000 Configures traffic policing bps is the avera...

Страница 172: ...eat steps 2 through 5 for each traffic class you want to define in each policy map Specify either the shape command or the police command for a traffic class but not both commands for the same class You may also specify other commands for each traffic class such as the priority set precedence and random detect commands For more information on the commands you can specify for a traffic class see th...

Страница 173: ...rfaces set prec transmit value Sets the IP precedence value set qos transmit value Sets the QoS group value transmit Transmits the packet The packet is not altered Step 4 class class default Example Router config pmap class class default Modifies the class default traffic class and enters policy map class configuration mode Step 5 shape average mean rate burst size excess burst size account qinq d...

Страница 174: ...Examples for RADIUS Based Policing This section provides the following configuration examples Adding Parameterization of QoS ACLs Example page 10 Setting the Policing Rate Using an Access Accept Message Examples page 12 Setting the Policing Rate Using a CoA Message Examples page 13 Adding Parameterization of QoS ACLs Example The following example shows how to parameterize the set source IP address...

Страница 175: ...atch any voip 10 10 1 0 28 10 3 20 29 match access group name IPOne acl 10 10 1 0 28 10 3 20 29 The old class is replaced with the new class in the output QoS policy of the subscriber along with any other attributes Adding Parameterization of QoS ACLs with ISG Service accounting The following example shows how to add QoS accounting by configuring the Intelligent Services Gateway ISG accounting ser...

Страница 176: ...of the Premium class in the Child policy The Child policy is applied to the class default class of the Parent policy radius subscriber 6 framed protocol ppp service framed vsa cisco generic 1 string qos policy out add class sub class default Premium police 200000 RADIUS Access Accept Message The ISG receives the following RADIUS Access Accept message Notice that the above Cisco VSA configured in t...

Страница 177: ...sage to change the policing rate of a service and is based on the following ISG configuration policy map Child class Premium police 12000 policy map Parent class class default shape average 10000 service policy Child RADIUS Configuration The following Cisco VSA is configured in a user s profile on RADIUS This VSA modifies the Premium class of the Child policy which is applied to the class default ...

Страница 178: ... policy map New_Child New cloned child policy class Premium police 200000 New policing rate policy map New_Parent New cloned parent policy class class default shape average 10000 service policy New_Child New cloned child policy attached to the new cloned parent policy Verifying RADIUS Based Policing To verify the configuration of RADIUS based policing on the ISG use any of the following commands i...

Страница 179: ...guration you want to display If you do not specify class name the router displays the configuration of all of the classes configured in the policy map Router show policy map session output output uid The inbound or outbound policy maps configured per session Also displays the dynamic policy map that is applied to the subscriber session If you do not specify any arguments all sessions with configur...

Страница 180: ...echnical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password http www cis...

Страница 181: ...account on Cisco com is not required Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Table 1 Feature Information for RADIUS Based Policing Feature Name Releases Feature Information ISG P...

Страница 182: ...he use of the word partner does not imply a partnership relationship between Cisco and any other company 0910R Any Internet Protocol IP addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers Any examples command display output network topology diagrams and other figures included in the document are shown for illustrative purposes only Any use of...

Страница 183: ...ts are received from a subscriber Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Automatic Subscriber Logon section on page 10 Use Cisco Feat...

Страница 184: ...configure ISG automatic subscriber logon you should understand the following concepts Overview of ISG Automatic Subscriber Logon page 2 Supported Identifiers for ISG Automatic Subscriber Logon page 3 Authorization Based on Circuit ID and Remote ID page 3 Accounting Behavior When ISG Automatic Subscriber Logon Is Configured page 3 Overview of ISG Automatic Subscriber Logon Service providers commonl...

Страница 185: ...l use the circuit ID and remote ID that are provided by the Layer 2 edge access device for authorization If the ip dhcp relay information option command is configured the ISG device will use the circuit ID and remote ID that are received in a DHCP message Accounting Behavior When ISG Automatic Subscriber Logon Is Configured Accounting Behavior for MAC Address Based Authorization If the MAC address...

Страница 186: ...ill apply SUMMARY STEPS 1 enable 2 configure terminal 3 class map type control match all class map name 4 match source ip address ip address subnet mask or match nas port circuit id name or match nas port remote id name 5 end DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Ro...

Страница 187: ...uit id DETAILED STEPS Step 4 match source ip address ip address subnet mask or match nas port circuit id name or match nas port remote id name Example Router config control classmap match source ip address 10 1 1 0 255 255 255 0 Creates a condition that will evaluate true if a subscriber s source IP address matches the specified IP address or Creates a condition that will evaluate true if a subscr...

Страница 188: ...rol policy map which is used to define a control policy Step 4 class type control class map name always event session start Example Router config control policymap class type control TAL subscribers event session start Specifies a control class which defines the conditions that must be met in order for an associated set of actions to be executed Specify the control class map that was configured in...

Страница 189: ...ll still be brought up but in the state unauthen The following sample output shows information for a session for which automatic subscriber authorization was successful Router show subscriber session all Current Subscriber Information Total sessions 1 Unique Session ID 3 Identifier aabb cc01 3000 SIP subscriber access type s IP Current SIP options Req Fwding Req Fwded Session Up time 00 00 24 Last...

Страница 190: ...ss as the username If the authorization request is successful any automatic activation services specified in the returned user profile are activated for the session and the execution of rules within the control policy stops If the authorization is not successful the rule execution proceeds and the subscriber is redirected to the policy server to log in If the subscriber does not log in within five...

Страница 191: ...o Internet proxy user cisco Service Profile Configuration Auto Internet Password cisco Cisco Service Info IAuto Internet Cisco Avpair traffic class input access group 100 proxy user Password cisco Idle Timeout 5 Additional References The following sections provide references related to ISG automatic subscriber logon Related Documents MIBs Related Topic Document Title ISG commands Cisco IOS Intelli...

Страница 192: ...r go to http www cisco com go cfn An account on Cisco com is not required Note Table 1 list only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Description Link The Cisco Support website provides extensive online...

Страница 193: ...ir respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0812R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content i...

Страница 194: ...Configuring ISG Policies for Automatic Subscriber Logon Feature Information for ISG Automatic Subscriber Logon 12 ...

Страница 195: ...e release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Interaction with External Policy Servers section on page 8 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support To access Cisco Feature Navigator go to http www c...

Страница 196: ...In this model the external policy server is typically an authentication authorization and accounting AAA server that uses RADIUS ISG is the RADIUS client Instead of a AAA server some systems use a RADIUS proxy component that converts to other database protocols such as Lightweight Directory Access Protocol LDAP The dynamic authorization model allows the external policy server to dynamically send p...

Страница 197: ...TEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 aaa authentication login default list name method1 method2 Example Router config aaa authentication login PPP1 group radius Specifies one or more AAA authentication methods...

Страница 198: ...l any session key 8 ignore server key session key 9 end Step 6 aaa authorization subscriber service default list name method1 method2 Example Router config aaa authorization subscriber service default radius Specifies one or more AAA authorization methods for ISG to use in providing a service Step 7 aaa accounting auth proxy system network exec connection commands level default list name vrf vrf n...

Страница 199: ...le Router config locsvr da radius Specifies a client with which ISG will be communicating Step 5 port port number Example Router config locsvr da radius port 1600 Specifies the RADIUS server port Default is 1700 Step 6 server key 0 7 word Example Router config locsvr da radius server key cisco Specifies the encryption key shared with the RADIUS client Step 7 auth type all any session key Example R...

Страница 200: ...thorization network default group CAR_SERVER aaa authorization subscriber service default local group radius aaa accounting network default start stop group CAR_SERVER aaa server radius dynamic author client 10 76 86 90 key cisco client 172 19 192 25 vrf VRF1 key cisco client 172 19 192 25 vrf VRF2 key cisco client 172 19 192 25 key cisco message authenticator ignore Additional References The foll...

Страница 201: ...cription Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter...

Страница 202: ...isco the Cisco Certified Internetwork Expert logo Cisco IOS Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Collaboration Without Limitation Continuum EtherFast EtherSwitch Event Center Explorer Fast Step Follow Me Browsing FormShare GainMaker GigaDrive HomeLink iLYNX Internet Quotient IOS iPhone iQuick Study IronPort the IronPort logo Laser Link LightStream Link...

Страница 203: ...Enabling ISG to Interact with External Policy Servers Feature Information for ISG Interaction with External Policy Servers 9 coincidental 2006 2009 Cisco Systems Inc All rights reserved ...

Страница 204: ...Enabling ISG to Interact with External Policy Servers Feature Information for ISG Interaction with External Policy Servers 10 ...

Страница 205: ...nding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Subscriber Services section on page 18 Use Cisco Feature Navigator to find information about pla...

Страница 206: ...ic Policies page 3 ISG Features page 3 Service Groups page 4 Service Activation Methods page 4 ISG Services An ISG service is a collection of policies that may be applied to a subscriber session ISG services can be applied to any session regardless of subscriber access media or protocol and a single service may be applied to multiple sessions An ISG service is not necessarily associated with a des...

Страница 207: ... that traffic class If there are multiple services with the traffic classes by default packets are matched according to the order in which the services are installed Traffic classes can also be assigned priority The priority of a traffic class determines which class will be used first for a specified match In other words if a packet matches more than one traffic class it will be classified to the ...

Страница 208: ...an one such service at the same time Service Groups A service group is a grouping of services that may be simultaneously active for a given session Typically a service group includes one primary service and one or more secondary services Secondary services in a service group are dependent on the primary service and should not be activated unless the primary service is already active Once a primary...

Страница 209: ...VICE1_CHECK match service name SERVICE1 policy map type control SERVICE1_CHECK event service start 1 service policy type service name SERVICE1 The same default behavior applies to subscriber logoffs with the ISG policy engine searching for a policy that matches the event service stop If a policy is configured it is the responsibility of the policy to specify how the service should be applied How t...

Страница 210: ...olicy map name 4 authenticate aaa list name of list 5 classname dhcp pool name 6 ip portbundle 7 ip unnumbered interface type interface number 8 ip vrf forwarding name of vrf 9 service deny 10 service relay pppoe vpdn group VPDN group name 11 service vpdn group VPDN group name 12 sg service group service group name 13 sg service type primary secondary DETAILED STEPS Command or Action Purpose Step ...

Страница 211: ...tethernet 0 0 0 Enables IP processing on an interface without assigning an explicit IP address to the interface Step 8 ip vrf forwarding name of vrf Example Router config service policymap ip vrf forwarding blue Associates the service with a VRF Configuring this command will make the service a primary service Step 9 service deny Example Router config service policymap service deny Denies network s...

Страница 212: ...ess list in order to configure a service with a traffic policy that applies to all session traffic Prerequisites This task assumes that access control lists ACLs have been configured for classifying traffic SUMMARY STEPS 1 enable 2 configure terminal 3 class map type traffic match any class map name 4 match access group input access list number name access list name 5 match access group output acc...

Страница 213: ...nfigure terminal Enters global configuration mode Step 3 class map type traffic match any class map name Example Router config class map type traffic match any class1 Creates or modifies a traffic class map which is used for matching packets to a specified ISG traffic class Step 4 match access group input access list number name access list name Example Router config traffic classmap match access ...

Страница 214: ...e1 Creates or modifies a service policy map which is used to define an ISG service Step 4 priority class type traffic class map name Example Router config service policymap class type traffic classb Specifies a named traffic class whose policy you want to create or change The priority argument determines which class will be used first for a specified match When a packet matches more than one traff...

Страница 215: ...p 7 redirect list access list number to group server group name ip ip address port port number duration seconds frequency seconds Example Router config service policymap class traffic redirect to ip 10 10 10 10 Redirects traffic to a specified server or server group Step 8 timeout absolute duration in seconds Example Router config control policymap class traffic timeout absolute 30 Specifies the s...

Страница 216: ...ure automatic service activation for a service in a subscriber s user profile SUMMARY STEPS 1 Add the Auto Service attribute to the user profile Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 policy map type service policy m...

Страница 217: ...ta depleted service start service stop session default service session service found session start timed policy expiry 5 action number service policy type service name unapply policy map name DETAILED STEPS Command or Action Purpose Step 1 Add the Auto Service attribute to the user profile 26 9 251 Aservice name username password Automatically logs the subscriber in to the specified service when t...

Страница 218: ...ifies a class and optionally an event for which actions may be configured Step 5 action number service policy type service name unapply policy map name Example Router config control policymap class control 1 service policy type service service1 Applies the specified service policy map To remove the service policy map use the unapply keyword Command or Action Purpose Command or Action Purpose Step ...

Страница 219: ...SERVICE1_TC match access group input name SERVICE1_ACL_IN match access group output name SERVICE1_ACL_OUT policy map type service SERVICE1 10 class type traffic SERVICE1_TC accounting aaa list CAR_ACCNT_LIST class type traffic default in out drop AAA Server Configuration Attributes Cisco AVPair ip traffic class in access group name SERVICE1_ACL_IN priority 10 Cisco AVPair ip traffic class in defau...

Страница 220: ... lists BOD1M_IN_ACL_IN and BOD1M_ACL_OUT are used to define the traffic class These examples are equivalent and show the two methods of service configuration in a service policy map that is configured directly on the ISG and in a service profile that is configured on a AAA server ISG Configuration class map type traffic match any BOD1M_TC match access group input name BOD1M_IN_ACL_IN match access ...

Страница 221: ...e upon session start class map type traffic match any UNAUTHORIZED_TRAFFIC match access group input 100 policy map type service UNAUTHORIZED_REDIRECT_SVC class type traffic UNAUTHORIZED_TRAFFIC redirect to ip 10 0 0 148 port 8080 policy map type control UNAUTHEN_REDIRECT class type control always event session start 1 service policy type service name UNAUTHORIZED_REDIRECT_SVC Deactivating a Layer ...

Страница 222: ...o com go cfn An account on Cisco com is not required Note Table 1 list only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command ...

Страница 223: ...e Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in the United States and certain other countries All other trademarks mentioned in this document or website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0812R Any Int...

Страница 224: ...Configuring ISG Subscriber Services Feature Information for ISG Subscriber Services 20 ...

Страница 225: ...t feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Network Policies section on page 7 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software ima...

Страница 226: ...ng identifier must be specified to indicate which routing table should be used to make the routing decision each VRF represents an independent routing context within a single router Where the network policy type is forwarding forwarding decisions are made at Layer 2 which means that all subscriber packets are forwarded to and from a single virtual endpoint within the system This virtual endpoint r...

Страница 227: ...in Service Policy Maps page 3 Configuring Network Policies for IP Sessions in Service Policy Maps page 5 Configuring Network Policies for PPP Sessions in Service Policy Maps Network policies can be configured in user profiles or service profiles on an external AAA server or in a service policy map on the ISG device Perform this task to configure a network forwarding policy for PPP sessions in a se...

Страница 228: ...mple Router config service policymap service local Example Router config service policymap service relay pppoe vpdn group vpdn1 Provides virtual private dialup network VPDN service or Provides local termination service or Provides VPDN service by relaying PPPoE over VPDN L2TP tunnels If you terminate the service locally by configuring the service local command you can also specify the routing doma...

Страница 229: ...on the device Note If a network forwarding policy is not specified in a user profile service profile or service policy map a subscriber session will inherit the network forwarding policy from another source See the Configuration Sources for Network Policies section on page 2 for more information SUMMARY STEPS 1 enable 2 configure terminal 3 policy map type service policy map name 4 ip vrf forwardi...

Страница 230: ...a network forwarding policy for PPP sessions policy map type service my_service service vpdn group vpdn1 Network Forwarding Policy for IP Sessions Example The following example shows a service policy map configured with a network forwarding policy for IP sessions policy map type service my_service ip vrf forwarding vrf1 Step 4 ip vrf forwarding name of vrf Example Router config service policymap i...

Страница 231: ...list only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference VPDN configuration tasks Cisco IOS XE VPDN Technologies ...

Страница 232: ...ctive owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0812R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is uninte...

Страница 233: ...feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Accounting section on page 24 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image supp...

Страница 234: ...traffic as defined by a traffic class is enabled in a service profile or service policy map When per flow accounting is configured the Parent Session ID vendor specific attribute VSA is included in accounting records so that per session and per flow accounting records can be correlated in the RADIUS server When accounting is configured in a user profile the service name attribute is not included i...

Страница 235: ...ting session ID of the parent session The Acct Status Type attribute included in the Accounting Request record indicates whether the record marks the start or the end of the service The name of the service is included in accounting records for service logon and logoff Accounting records may be sent for events other than account and service logon and logoff See the Configuring Accounting chapter of...

Страница 236: ...ormation in interim accounting records The billing server monitors all interim accounting updates and obtains the information about the traffic sent at each tariff rate Note Tariff switching is not required for time based billing services Because the billing server knows the service logon time stamp and logoff time stamp it can calculate the various tariffs that apply during that time How to Confi...

Страница 237: ...o Avpair accounting list accounting_mlist_name 2 IETF RADIUS attribute Acct Interim Interval attribute 85 DETAILED STEPS Step 1 Cisco Avpair accounting list accounting_mlist_name Add the Accounting attribute to the user profile This attribute enables accounting and specifies the AAA method list to which accounting updates will be sent Step 2 IETF RADIUS attribute Acct Interim Interval attribute 85...

Страница 238: ...ounting command See the Cisco IOS Security Command Reference for more information AAA servers must be configured to support ISG accounting Enabling Per Flow Accounting in a Service Profile on the AAA Server Perform this task to configure per flow accounting in a service profile on the AAA server Prerequisites This task assumes that you have defined IP access lists for specifying traffic SUMMARY ST...

Страница 239: ...bute specifies the number of seconds between interim updates Enabling Per Flow Accounting in a Service Policy Map on the Router Perform this task to enable accounting in a local service policy map for a specific flow Prerequisites This task assumes that you have defined a traffic class map and associated IP access lists See the module Configuring ISG Subscriber Services for more information about ...

Страница 240: ...rerequisites page 9 Enabling Per Service Accounting on the ISG page 9 Configuring RADIUS for Service Activation and Deactivation page 10 Step 3 policy map type service policy map name Example Router config policy map type service service1 Creates or defines a service policy map which is used to define an ISG service and enters service policy map configuration mode Step 4 class type traffic class m...

Страница 241: ... for more information AAA servers must be configured to support ISG accounting Enabling Per Service Accounting on the ISG Use the following procedure to enable per service accounting on the ISG SUMMARY STEPS 1 enable 2 configure terminal 3 subscriber service session accounting 4 exit DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter you...

Страница 242: ...vice accounting the traffic class attribute should not be included in the service profile SUMMARY STEPS 1 Cisco Avpair accounting list accounting_mlist_name 2 IETF RADIUS attribute Acct Interim Interval attribute 85 DETAILED STEPS Step 1 Cisco Avpair accounting list accounting_mlist_name Add the Accounting attribute to the service profile This attribute enables accounting and specifies the AAA met...

Страница 243: ...s list for matching traffic Step 4 exit Example Router config traffic classmap exit Exit traffic class map configuration mode Step 5 policy map type service policy map name Example Router config policy map type service polmap1 Creates or defines a service policy map which is used to define an ISG service and enters service policy map configuration mode Step 6 class type traffic class map name Exam...

Страница 244: ...paid tariff switching will apply to the specified flow If you do not configure a traffic class postpaid tariff switching will apply to the session Perform this task to configure per session or per flow postpaid tariff switching Prerequisites ISG per session or per flow accounting must be configured in order for postpaid tariff switching to work SUMMARY STEPS 1 Cisco AVpair PPWhh mm ss days 2 Cisco...

Страница 245: ...ntrol policies can be used to activate services For more information about methods of service activation see the module Configuring ISG Subscriber Services Verifying ISG Accounting and Postpaid Tariff Switching Perform the following tasks to verify ISG accounting and postpaid tariff switching configuration Display Information About a Subscriber Session page 13 Display AAA Subscriber Sessions page ...

Страница 246: ...IP options Req Fwding Req Fwded Session Up time 3 minutes 45 seconds Last Changed 3 minutes 45 seconds AAA unique ID 0 Switch handle F300015F Session inbound features Feature Service accounting Service video1 Method List remote local Outbound direction Packets 84 Bytes 33600 Feature Policing Upstream Params Average rate 8000 Normal burst 1500 Excess burst 3000 Config level Service Session outbound...

Страница 247: ...s Last Changed 2 minutes 59 seconds AAA unique ID 81 Switch handle 890003A0 Interface ATM6 0 1 Policy information Authentication status authen Config downloaded for session policy From Access Type Account Logon CH Client SM Event Got More Keys Profile name apply config only 2 references ssg account info SAfoo Rules actions and conditions executed subscriber rule map rule1 condition always event an...

Страница 248: ...A subscribers SUMMARY STEPS 1 enable 2 show aaa user all unique id DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 show aaa sessions Example Router show aaa sessions Displays AAA subscriber session information Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode En...

Страница 249: ...00001 pre bytes out 291 4 0 0 1A1CAC90 0 00000001 paks_in 136 4 92215 16837 1A1CADF0 0 00000001 paks_out 275 4 0 0 1A1CAE00 0 00000001 pre paks in 292 4 0 0 1A1CAE10 0 00000001 pre paks out 293 4 0 0 No data for type EXEC No data for type CONN NET Username n a Session Id 000000A7 Unique Id 00000097 Start Sent 1 Stop Only N stop_has_been_sent N Method List 189F046C Name CAR_mlist Attribute list 1A1...

Страница 250: ...Unique id 151 is currently in use Accounting log 0x20C201 Events recorded CALL START NET UP IPCP_PASS INTERIM START VPDN NET UP update method s PERIODIC update interval 60 Outstanding Stop Records 0 Dynamic attribute list 1A1CABE8 0 00000001 connect progress 68 4 Call Up 1A1CABF8 0 00000001 pre session time 294 4 0 0 1A1CAC08 0 00000001 nas tx speed 421 4 423630024 194014C8 1A1CAC18 0 00000001 nas...

Страница 251: ...Num 1 Stop Received 0 Byte Packet Counts till Call Start Start Bytes In 0 Start Bytes Out 0 Start Paks In 0 Start Paks Out 0 Byte Packet Counts till Service Up Pre Bytes In 0 Pre Bytes Out 0 Pre Paks In 0 Pre Paks Out 0 Cumulative Byte Packet Counts Bytes In 11434660 Bytes Out 0 Paks In 92215 Paks Out 0 StartTime 12 02 40 IST Oct 16 2007 AuthenTime 12 02 40 IST Oct 16 2007 Component IEDGE_ACCOUNTI...

Страница 252: ..._id 00003EAB Flow_handle 0 Authentication status authen Downloaded User profile excluding services service type 2 Framed ssg account info Ntc_svc1 ssg account info Atc_svc1 Downloaded User profile including services service type 2 Framed ssg account info Ntc_svc1 ssg account info Atc_svc1 timeout 2000 0x7D0 idletime 2000 0x7D0 traffic class in access group name 101 traffic class out access group n...

Страница 253: ...iated with this session Service tc_svc1 Active Time 00 11 36 AAA Service ID 806290049 Interface Virtual Template1 Active Time 00 11 36 Configuration Examples for ISG Accounting This section contains the following examples Per Flow Accounting Examples page 21 Per Service Accounting Example page 22 Per Service Accounting on ISG Example page 22 ISG Postpaid Tariff Switching Examples page 22 Per Flow ...

Страница 254: ...ce session accounting subscriber authorization enable vpdn enable Per Service Accounting on ISG Example The following example shows how to configure per service accounting in a service policy map on the ISG device class map type traffic match any classmap1 policy map type service polmap1 class type traffic classmap1 accounting aaa list mlist1 ISG Postpaid Tariff Switching Examples The following ex...

Страница 255: ...tion Authorization and Accounting AAA section in the Cisco IOS Security Command Reference Description Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such ...

Страница 256: ...ted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Table 1 Feature Information for ISG Accounting Feature Name Releases Feature Configuration Information ISG Accounting Per Session Service and Flow Cisco IOS XE Release 2 2 ISG accounting provides the means to bill for account or service usage ISG accounting uses the RADIUS protocol to facilitate...

Страница 257: ...o Systems Inc and or its affiliates in the United States and certain other countries All other trademarks mentioned in this document or website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0910R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any...

Страница 258: ...ices each with a different billing rate ISG supports time and volume based prepaid billing This module provides information about how to configure ISG support for prepaid billing Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of...

Страница 259: ...lume Monitor Polling Timer and QV Values page 3 ISG Prepaid Threshold page 3 ISG Prepaid Idle Timeout page 3 Benefits of ISG Prepaid Billing page 4 Overview of ISG Support for Prepaid Billing ISG prepaid billing support allows ISG to check the available credit for a subscriber to determine whether to activate the service for the subscriber and how long the session can last The subscriber s credit ...

Страница 260: ...ess rate x 300 For example an ADSL2 or VDSL user access rate can be up to 20 Mbps That is approximately 2 5 megabytes MB of data in one second Calculate the QV value by using the following formula 2 5 MB x 15 seconds QV 2 5 MB x 300 seconds This calculation results in a QV value between 37 5 MB and 750 MB however we recommend you do not choose either the highest or lowest value in this range For e...

Страница 261: ...is actively using Threshold Values ISG enables you to configure threshold values that cause prepaid sessions to be reauthorized before the subscriber completely consumes the allotted quota for a service Traffic Status During Reauthorization You can prevent revenue leaks by configuring ISG to drop connected traffic during reauthorization of a service The user remains connected to the service and ne...

Страница 262: ... created and a method of service activation is in place Configuring RADIUS Attribute Support for ISG Prepaid Billing Perform this task to enable ISG to include RADIUS attribute 44 in Access Request packets and attribute 55 in Accounting Request packets SUMMARY STEPS 1 enable 2 configure terminal 3 radius server attribute 44 include in access req vrf vrf name 4 radius server attribute 55 include in...

Страница 263: ...es privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 radius server attribute 44 include in access req vrf vrf name Example Router config radius server attribute 44 include in access req Sends RADIUS attribute 44 Accounting Session ID in Access Request packets before user authentication Step 4 rad...

Страница 264: ...terim interval number of minutes 5 method list accounting authorization name of method list 6 password password 7 threshold time seconds volume kilobytes Kbytes megabytes Mbytes bytes bytes 8 end 9 show subscriber session detailed identifier identifier uid session id username name DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your p...

Страница 265: ...thod list accounting list1 Specifies the AAA method list to be used for ISG prepaid accounting or authorization Step 6 password password Example Router config prepaid password cisco Configures the password to be used for ISG prepaid authorization and reauthorization requests Step 7 threshold time seconds volume kilobytes Kbytes megabytes Mbytes bytes bytes Example Router config prepaid threshold t...

Страница 266: ...ice mp3 Creates or defines a service policy map which is used to define an ISG service and enters service policy map configuration mode Step 4 priority class type traffic class map name Example Router config service policymap class type traffic class acl 101 Associates a previously configured traffic class with the policy map and enters control policy map traffic class configuration mode Step 5 pr...

Страница 267: ...control policymap class traffic end Exits the current configuration mode and returns to privileged EXEC mode Step 7 show subscriber session detailed identifier identifier uid session id username name Example Router show subscriber session detailed Optional Displays ISG subscriber session information Command or Action Purpose Command or Action Purpose Step 1 Add the ISG Traffic Class attribute to t...

Страница 268: ...erver has determined for certain that the subscriber does not have enough credit but the idle timeout provides a grace period in which the subscriber could recharge the account Typically a service provider would want to redirect the subscriber s traffic to a web portal where the subscriber could recharge the account At the end of the idle timeout interval ISG will send a reauthorization request Th...

Страница 269: ...er configure terminal Enters global configuration mode Step 3 policy map type service policy map name Example Router config policy map type service redirect service Creates or defines a service policy map which is used to define an ISG service and enters service policy map configuration mode Step 4 priority class type traffic class name Example Router config service policymap class type traffic cl...

Страница 270: ...type control control class name always event credit exhausted 5 action number service policy type service name policy map name 6 end 7 show subscriber session detailed identifier identifier uid session id username name DETAILED STEPS Step 6 end Example Router config control policymap class traffic end Exits the current configuration mode and returns to privileged EXEC mode Step 7 show subscriber s...

Страница 271: ...server responds to the reauthorization request that ISG sent when the threshold was met Step 3 policy map type control policy map name Example Router config policy map type control policyA Creates or modifies a policy map that defines a control policy Step 4 class type control control class name always event credit exhausted Example Router config control policymap class type control always event c...

Страница 272: ...olicy map type control policy map name 4 class type control control class name always event quota depleted 5 action number set param drop traffic false 6 end 7 show subscriber session detailed identifier identifier uid session id username name DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure t...

Страница 273: ...tication succeeded Step 3 Make sure the AAA method list referred to in the prepaid billing configuration is valid and has been configured with the aaa accounting network command Step 4 Use the test aaa command to make sure the AAA server is reachable from ISG Step 5 Use the debug subscriber policy prepaid command to display debug messages about prepaid operation Step 5 action number set param drop...

Страница 274: ...st that will be used for this service to authenticate subscribers is called cp mlist That is the same method list to which the service accounting records will be sent Prepaid authorization reauthorization and accounting messages will be sent to the AAA method list called ap mlist aaa authorization network default local aaa authorization network ap mlist group sg2 aaa authentication login cp mlist ...

Страница 275: ...ta depleted 1 set param drop traffic false class type control always event credit exhausted 1 service policy type service name l4redirect policy map type service l4redirect class type traffic CLASS ALL redirect to group SESM subscriber feature prepaid conf prepaid threshold time 100 threshold volume 1000 bytes method list author prepaidlist method list accounting default password cisco Additional ...

Страница 276: ...o access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required MIB MIBs Link To locate and download MIBs for selected platforms Cisco IOS XE software releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs Description Link The Cisco Support website provides extensive online resources including documentation and...

Страница 277: ...ink LightStream Linksys MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy PCNow PIX PowerKEY PowerPanels PowerTV PowerTV Design PowerVu Prisma ProConnect ROSA SenderBase SMARTnet Spectrum Expert StackWise WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in the United States and certain other countries All other trademarks mentioned...

Страница 278: ...alive support is configured for monitoring session data traffic in the upstream direction for idleness Address Resolution Protocol ARP is used for Layer 2 connected subscribers For routed host Layer 3 connected subscribers the protocol defaults to Internet Control Message Protocol ICMP ICMP is also used in configurations where the access interface does not support ARP Finding Feature Information F...

Страница 279: ...hich the idle timer is applied is always outbound ISG supports both per session and per flow accounting Per session accounting is the aggregate of all the flow traffic for a session Per session accounting can be enabled in a user profile or in a service profile or service policy map Information About Configuring Policies for Session Maintenance Before you configure the ISG session maintenance time...

Страница 280: ...live feature configured for the subscriber If a session is idle for a configured period of time keepalive requests are sent to the subscriber This action verifies that the connection is still active The protocol to use for the keepalive request and response can be configured based on the IP subscriber session type If it is a directly connected host Layer 2 connection ARP is used For routed host La...

Страница 281: ...ed to the hosts must enable directed broadcast forwarding so that the IP subnet broadcast gets translated into a Layer 2 broadcast When these two conditions are satisfied you can optimize the ICMP keepalive configuration to minimize the number of ICMP packets Note Because enabling directed broadcasts increases the risk of denial of service attacks the use of subnet directed broadcasts is not turne...

Страница 282: ...Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 policy map type service policy map name Example Router config policy map type service policy1 Enters policy map configuration mode so you can begin configuring the service policy Step 4 priority class type traffic class map name Example Router config control policymap class type traffic class1 Assoc...

Страница 283: ...to a user or service profile DETAILED STEPS Configuring the Connection Timer in a Service Policy Map Perform this task to set the connection timer in a service policy map SUMMARY STEPS 1 enable 2 configure terminal 3 policy map type service policy map name 4 priority class type traffic class map name 5 timeout idle duration in seconds 6 end DETAILED STEPS Command or Action Purpose Step 1 Session T...

Страница 284: ...ce policy map name Example Router config policy map type service policy1 Enters policy map configuration mode so you can begin configuring the service policy Step 4 priority class type traffic class map name Example Router config control policymap class type traffic class1 Associates a previously configured traffic class to the policy map Step 5 timeout idle duration in seconds Example Router conf...

Страница 285: ...mers page 9 Debug Commands Available for the Session Maintenance Timers page 9 Enabling the Session Maintenance Timer Debug Commands page 9 Prerequisites for Troubleshooting the Session Maintenance Timers Before performing the task in this section it is recommended that you be familiar with the use of Cisco IOS debug commands described in the introductory chapters of the Cisco IOS Debug Command Re...

Страница 286: ...ble 1 lists the debug commands that can be used to diagnose problems with the session maintenance timers Enabling the Session Maintenance Timer Debug Commands Perform this task to enable the session maintenance timer debug commands SUMMARY STEPS 1 enable 2 debug command 3 end DETAILED STEPS Table 1 Debug Commands for Troubleshooting Session Maintenance Timers Command Purpose debug subscriber featu...

Страница 287: ...ample a PPP over Ethernet PPPoE or PPP over ATM PPPoA session this feature application will fail and the following applies If the feature is applied at a session start event both the feature application and the session will fail If this feature is pushed onto a session after the session start event the push will fail SUMMARY STEPS 1 enable 2 configure terminal 3 policy map type service policy map ...

Страница 288: ...onfigured only in this mode Step 4 keepalive idle period1 attempts max retries interval period2 protocol ICMP broadcast ARP Example Router config service policymap keepalive idle 7 attempts 3 interval 1 protocol arp Configures the maximum idle period number of requests interval between requests and protocol for keepalive messages The ranges and defaults are Idle period range 5 to 2147483647 second...

Страница 289: ...efaults are as follows Idle period range is 5 to 2147483647 seconds default is 10 seconds Attempts range is 3 to 10 default is 5 Interval default is 1 to 60 seconds Protocol for Layer 2 connections the default is ARP for routed connections the default is ICMP Broadcast option by default this option is disabled Note If a service profile includes an ISG traffic class configuration the keepalive feat...

Страница 290: ...rnal policy server and enters dynamic authorization local server configuration mode Step 5 client ip address Example Router config locsvr da radius client 10 10 10 11 Specifies a RADIUS client from which a device will accept Change of Authorization CoA and disconnect requests The example specifies 10 10 10 11 as the IP address of the RADIUS client Step 6 port port number Example Router config locs...

Страница 291: ...rvice video service class type traffic traffic class police input 20000 30000 60000 police output 21000 31500 63000 timeout absolute 4800 class type traffic default output drop Connection Idle Timer Configuration in a Service Policy Map Example The following example limits idle connection time in a service policy map to 30 seconds class map type traffic match any traffic class match access group i...

Страница 292: ...ubscriber Information Total sessions 1 Unique Session ID 4 Identifier user01 SIP subscriber access type s PPPoE PPP Current SIP options Req Fwding Req Fwded Session Up time 00 01 44 Last Changed 00 01 46 AAA unique ID 5 Interface Virtual Access2 1 Policy information Context 02DE7380 Handle AD00000C Authentication status authen User profile excluding services Framed Protocol 1 PPP username user01 F...

Страница 293: ...nfigured features Jan 12 18 43 15 167 SSF Vt1 uid 4 Associate segment element handle 0xF4000003 for session 67108875 1 entries Jan 12 18 43 15 167 SSF Vt1 uid 4 Idle Timeout Group feature install Jan 12 18 43 15 167 SSF uid 4 Idle Timeout Adding feature to outbound segment s Jan 12 18 43 15 167 Idle Timeout uid 4 Idle timer start duration 2000 seconds direction outbound Jan 12 18 43 16 327 SSM FH ...

Страница 294: ...oubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user...

Страница 295: ...specific software release feature set or platform To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Note Table 2 list only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support...

Страница 296: ...ers The use of the word partner does not imply a partnership relationship between Cisco and any other company 0910R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional a...

Страница 297: ...Configuring ISG Policies for Session Maintenance Feature Information for Configuring ISG Policies for Session Maintenance 20 ...

Страница 298: ...bscriber authentication initial and periodic advertising captivation redirection of application traffic and DNS redirection Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see th...

Страница 299: ... can be forwarded to a server that redirects the users to a logon page Similarly if users try to access a service to which they have not logged on the packets can be redirected to a server that provides a service logon screen The Layer 4 Redirect feature supports three types of redirection which can be applied to subscriber sessions or to flows Permanent redirection Specified traffic is redirected...

Страница 300: ...pots subscribers may have a static DNS server addresses which may not be reachable at certain locations Redirecting DNS queries to a local DNS server allows applications to work properly without requiring reconfiguration How to Configure ISG Layer 4 Redirect There are three ways to apply Layer 4 redirection to sessions One way is to configure redirection directly on a physical main interface or lo...

Страница 301: ...server group name ip ip address port port number duration seconds frequency seconds Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 redirect server group group name Example Router config redirect server group ADVT SERVER Defi...

Страница 302: ... 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 interface type number Example Router config interface fastethernet 0 0 505 Specifies an interface and enters interface configuration mode Step 4 ip subscriber Example Router config if ip subscriber Optional Enables ISG IP subscriber configuration mode Step 5 identifier interface Example Router config su...

Страница 303: ...e Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 policy map type service policy map name Example Router config policy map type service service1 Creates or modifies a service policy map which is used to define an ISG service Step 4 class type traffic ...

Страница 304: ...er 4 redirection in a service profile you may want to configure a method of activating the service profile for example control policies can be used to activate services For more information about methods of service activation see the module Configuring ISG Subscriber Services Verifying ISG Traffic Redirection Perform this task to verify the configuration and operation of ISG Layer 4 traffic redire...

Страница 305: ...n Up time 40 minutes 30 seconds Last Changed 40 minutes 30 seconds AAA unique ID 135 Switch handle F000086 Interface ATM2 0 53 Policy information Authentication status unauthen Config downloaded for session policy From Access Type IP Interface Client SM Event Service Selection Request Service Profile name blind rdt 2 references username blind rdt l4redirect redirect to group sesm grp Rules actions...

Страница 306: ... Session Up time 42 minutes 54 seconds Last Changed 42 minutes 54 seconds AAA unique ID 133 Switch handle 17000084 Interface FastEthernet0 0 505 Policy information Authentication status unauthen Session inbound features Feature Layer 4 Redirect Rule Cfg Definition 1 INT Redirect to group sesm grp Configuration sources associated with this session Interface FastEthernet0 0 505 Active Time 42 minute...

Страница 307: ...n the subscriber logs out of the service redirection is applied again service policy type control THE_RULE class map type traffic match any CLASS ALL class map type traffic match any CLASS 100_110 match access group input 100 match access group output 110 policy map type service blind rdt class type traffic CLASS ALL redirect to group PORTAL policy map type service svc rdt class type traffic CLASS...

Страница 308: ...f the lifetime of the session service policy type control initial rdt policy map type control intial rdt class type control always event session start 1 service policy type service name initial rdt profile policy map type service initial rdt profile class type traffic CLASS ALL redirect to group ADVT duration 60 Periodic Redirection Examples The following example shows how to redirect subscriber t...

Страница 309: ...ed to the ISG Layer 4 Redirect feature Related Documents Technical Assistance Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference Description Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security an...

Страница 310: ...nk Internet Quotient IOS iPhone iQuick Study IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Ci...

Страница 311: ...ies and ISG policing Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Policies for Regulating Network Access section on page 8 Use Cisco Featur...

Страница 312: ...pports policing of upstream and downstream traffic ISG policing differs from policing configured using the MQC in that ISG policing can be configured in service profiles to support policing of traffic flows MQC policies cannot be configured in service profiles ISG policing can also be configured in user profiles and service profiles to support session policing How to Configure ISG Policies for Reg...

Страница 313: ... configured on a AAA server in either a user profile or a service profile that does not specify a traffic class It can also be configured on the router in a service policy map Session based policing parameters that are configured in a user profile take precedence over session based policing parameters configured in a service profile or service policy map Flow Based Policing Flow based policing app...

Страница 314: ...er configure terminal Enters global configuration mode Step 3 policy map type service policy map name Example Router config policy map type service service1 Creates or modifies a service policy map which is used to define an ISG service Step 4 priority class type traffic class map name Example Router config service policymap class type traffic silver Associates a previously configured traffic clas...

Страница 315: ...icing Perform this task to verify ISG policing configuration SUMMARY STEPS 1 enable 2 show subscriber session detailed identifier identifier uid session id username name Command or Action Purpose Step 1 Add the following Policing vendor specific attribute VSA to the user profile on the AAA server 26 9 250 QU committed rate normal burst excess burst D com mitted rate normal burst excess burst or Ad...

Страница 316: ...rmal burst 3000 Excess burst 6000 Config level Service The following example shows output for the show subscriber session command where upstream policing parameters are specified in a user profile and downstream policing parameters are specified in a service profile Router show subscriber session all Current Subscriber Information Total sessions 2 Unique Session ID 2 Session inbound features Featu...

Страница 317: ...in 103 match access group out 203 policy map type service P3 class type traffic C3 police input 20000 30000 60000 police output 21000 31500 63000 Session Based Policing Configured in a User Profile on a AAA Server The following example shows policing configured in a user profile Cisco Account Info QU 23465 8000 12000 D 64000 Session Based Policing Configured in a Service Profile on a AAA Server Th...

Страница 318: ... train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Description Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subsc...

Страница 319: ...tudy IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in...

Страница 320: ...Configuring ISG Policies for Regulating Network Access Feature Information for ISG Policies for Regulating Network Access 10 ...

Страница 321: ...s for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for Configuring ISG Integration with SCE section on page 14 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support To access Cisco Feature Na...

Страница 322: ...additional policies will override the policy previously applied on the SCE This feature requires a control bus communication protocol which runs over RADIUS and RADIUS extensions as specified in RFC 3576 operating in two modes PUSH and PULL In PULL mode the ISG device waits for a query from the SCE In PUSH mode the download of an external feature is initiated by the ISG device as soon as an extern...

Страница 323: ... of ISG and SCE in subscriber management Table 1 ISG and SCE Roles in Subscriber Management ISG pushes policies or external services to the SCE for a given subscriber session in the form of RADIUS change of authorization CoA messages External service activation can be triggered by the policy manager component inside the ISG or by an external authentication authorization and accounting AAA server T...

Страница 324: ... Between SCE and ISG Communication between the SCE and the ISG device is managed by an external policy delegation EPD handler module in Cisco IOS software The EPD implements the control bus on the ISG and handles all messaging between the ISG device and SCE Details of communications between the ISG and AAA servers are found in the Cisco IOS Intelligent Services Gateway Configuration Guide This tas...

Страница 325: ... SCE to provision update or deactivate a session and activate or deactivate policies A shared secret configured for a specific client overrides the key configured using the key shared secret command Step 5 authentication port port number Example Router config locsvr radius authentication port 1433 Specifies the port on which the EPD handler listens for session and identity query requests from SCE ...

Страница 326: ...ing SCE Connection Parameter on ISG To configure the server connection management on either a per server or a global basis perform the steps in this section SUMMARY STEPS 1 enable 2 configure terminal 3 policy peer address ip address keepalive seconds 4 policy peer keepalive seconds 5 exit ...

Страница 327: ...palive seconds Example Router config policy peer address 10 10 10 1 keepalive 6 Configures the keepalive value in seconds for a specific policy defined by the given IP address Valid values are from 5 to 3600 The default value is zero 0 If the default value is in effect on the ISG device the keepalive value proposed by the external policy device is used Step 4 policy peer keepalive seconds Example ...

Страница 328: ...D_POLICY Configures the specified policy map on the ISG and enters policy map configuration mode Step 4 class type control class map name always event session start Example Router config control policymap class type control always event acct notification Specifies to apply actions matching conditions defined by the class map name or always for an event type Event types include the following accoun...

Страница 329: ...mmands or on the AAA server Configuring Services on ISG To configure a service containing accounting features and to activate an external policy on the SCE device follow the steps in this section SUMMARY STEPS 1 enable 2 configure terminal 3 policy map type service service map name 4 class map type traffic class map name 5 accounting aaa list listname 6 sg service type external policy 7 policy nam...

Страница 330: ...raffic class and enters control policy map class configuration mode Step 5 accounting aaa list listname Example Router config service policymap accounting aaa list list1 Configures accounting for ISG and enters service policy map configuration mode Step 6 sg service type external policy Example Router config control policymap sg service type external policy Defines the service as an external polic...

Страница 331: ...ed to troubleshoot the integration of ISG with SCE show subscriber policy peer address ip address handle connection handle id all Examples This section contains sample output of the show subscriber policy peer command show subscriber policy peer all The following example shows sample output of the command when the all keyword is used Router show subscriber policy peer all Peer IP 10 0 0 10 Conn ID...

Страница 332: ...tEthernet5 1 1 ip address 10 10 10 1 255 255 255 0 ISG Integration with SCE Example The following example shows how to configure two SCEs each with the same authentication and accounting ports ISG handles CoA messages on port 1700 for one SCE and on default port 3799 for the other SCE Peering is maintained for each SCE with the ISG via different keepalive intervals When a user session starts POLIC...

Страница 333: ...ontrol bus in PUSH mode scmp scmp name ISG radius 10 10 10 2 secret cisco auth 1433 acct 1435 scmp subscriber send session start interface LineCard 0 subscriber anonymous group name all IP range 192 168 12 0 0xffffff00 scmp name ISG SCE Control Bus Setup Configured in PULL Mode The following example shows how to configure the SCE control bus in PULL mode scmp scmp name ISG radius 10 10 10 2 secret...

Страница 334: ...to http www cisco com go cfn An account on Cisco com is not required Note Table 2 list only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Description Link The Cisco Support website provides extensive online reso...

Страница 335: ... and certain other countries All other trademarks mentioned in this document or website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0812R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in...

Страница 336: ...Configuring ISG Integration with SCE Feature Information for Configuring ISG Integration with SCE 16 ...

Страница 337: ...he operational interface to provision update delete and control activation of those policies Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for Servi...

Страница 338: ...ard that is scalable efficient simple extensible and robust BEEP is a framework for designing application protocols Benefits of SGI SGI is a protocol that allows Cisco IOS XE software to be controlled using third party applications toolkits and development platforms for web services The SGI feature is a common model that can express ISG provisioning in many languages and it is easy to use How to E...

Страница 339: ...nning including the running state It also shows statistical information about SGI sessions that have been started and are currently running The following is sample output from this command Router show sgi session sgi sessions open 1 max 10 started 15 session id 1 started at 9 08 05 state OPEN Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your pass...

Страница 340: ...pp beep 0x66245188 frame_available type M number 1 answer 1 more size 1400 Jul 1 20 55 11 372 sgi beep listen app beep 0x66245188 Content Type application xml xml version 1 0 encoding UTF 8 Jul 1 20 55 11 372 sgi beep listen app beep 0x66245188 frame_available type M number 1 answer 1 more size 111 Jul 1 20 55 11 372 sgi beep listen app beep 0x66245188 gitypes policyGroup objects sgiops insertPoli...

Страница 341: ...g BEEP Listener Connection Example The following example shows how to configure the BEEP listener connection The port number is set to 2089 enable configure terminal sgi beep listener 2089 Additional References Related Documents MIBs Related Topic Document Title Overview of ISG Cisco IOS Intelligent Services Gateway Configuration Guide ISG commands Cisco IOS Intelligent Services Gateway Command Re...

Страница 342: ...sco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Collaboration Without Limitation EtherFast EtherSwitch Event Center Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone iQuick Study IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNo...

Страница 343: ... imply a partnership relationship between Cisco and any other company 0812R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional and coincidental 2009 Cisco Systems Inc A...

Страница 344: ...Service Gateway Interface Feature Information for Service Gateway Interface 8 ...

Страница 345: ...s distributed conditional debugging Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for Distributed Conditional Debugging section on page 11 Use Cisco...

Страница 346: ...em unusable For this reason use the Cisco IOS debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff Moreover it is best to use debug commands during periods of lower network traffic and fewer users or on a debug chassis with a single active session Debugging during these periods decreases the likelihood that increased debug comm...

Страница 347: ...mponents that a session traverses For this reason the conditional debugging previously offered in the Cisco IOS XE software has been enhanced to facilitate debug filtering for ISG and is available as distributed conditional debugging Cisco IOS XE Software Components Supported by Distributed Conditional Debugging The following components are supported for ISG distributed conditional debugging Authe...

Страница 348: ...ng Distributed Conditional Debugging page 7 Restrictions page 7 Enabling Distributed Conditional Debugging page 7 Displaying Debugging Conditions page 8 Troubleshooting Tips page 8 ISG Debug Condition Commands Table 1 lists the debug condition commands that you can issue at the EXEC prompt to enable distributed conditional debugging You can set more than one condition Command or Action Purpose Ste...

Страница 349: ...on mac address hexadecimal MAC address Filters messages on the specified MAC address debug condition portbundle ip IP address bundle bundle number Filters messages on the specified Port Bundle Host Key PBHK debug condition session id session ID Filters messages on the specified session identifier Note The session identifier can be obtained by entering the show subscriber session command debug cond...

Страница 350: ...e detail debug subscriber feature error debug subscriber feature event debug subscriber feature interface config error debug subscriber feature interface config event debug subscriber feature modem on hold detail debug subscriber feature modem on hold error debug subscriber feature modem on hold event debug subscriber feature portbundle error debug subscriber feature portbundle event debug subscri...

Страница 351: ...onditions If multiple conditions are set the debugging messages corresponding to all the sessions that meet any of the conditions will be displayed Some conditions such as domain name will trigger debugging messages for all the sessions that belong to the particular domain Enabling Distributed Conditional Debugging Perform this task to enable distributed conditional debugging for ISG SUMMARY STEPS...

Страница 352: ...y been set the following message is displayed Condition already set Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 debug condition command Example Router debug condition username user cisco com Enter one or more of the debug condition commands listed in Table 1 to enable distributed conditional debugging Step 3 debu...

Страница 353: ...contains the following examples Monitoring Interface Statistics Example page 9 Monitoring CPU Statistics Example page 10 Enabling ISG Distributed Conditional Debugging Example page 10 Displaying Debugging Conditions Example page 10 Filtering Debug Output Example page 10 Monitoring Interface Statistics Example The following example shows sample output for the show interface monitor command The disp...

Страница 354: ...Only debugging messages for the defined user are displayed on the console Any other debugging messages associated with other users will not be displayed Router debug condition username user cisco com Condition 1 set Router debug ppp negotiation Router debug pppoe event Router debug subscriber session event Displaying Debugging Conditions Example The following example shows how to display debugging...

Страница 355: ...vices Gateway Features Roadmap Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference Cisco IOS debug commands Cisco IOS Debug Command Reference Conditional debugging Conditionally Triggered Debugging chapter in the Cisco IOS Debug Command Reference Description Link The Cisco Support website provides extensive online resources including documentation and...

Страница 356: ... Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in the United States and certain other countr...

Страница 357: ...ny Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional and coincidental 2006 2009 Cisco Systems Inc All rights reserved ...

Страница 358: ...Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging Feature Information for Distributed Conditional Debugging 14 ...

Отзывы:

Нет отзывов

Похожие инструкции для IOS XE

Бренд: 3Com Страницы: 112

Бренд: FarSite Communications Страницы: 2

Бренд: Lucent Technologies Страницы: 33

INSOMNIAC CIA G-600

Бренд: Opentech Страницы: 13

Бренд: 2N Страницы: 35

Бренд: Unitronics Страницы: 28

Бренд: 3Com Страницы: 464

Бренд: Danfoss Страницы: 68

Бренд: Abocom Страницы: 23

Бренд: Multitech Страницы: 35

Conduit 300 Series

Бренд: Multitech Страницы: 42

Бренд: Eaton Страницы: 4

Бренд: RayTalk Страницы: 168

B-900-MOIP-4K-CTRL

Бренд: Binary Страницы: 20

Бренд: Allot Страницы: 51

Бренд: RTA Страницы: 69

Бренд: RTA Страницы: 73

Бренд: RTA Страницы: 70

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды