- Overview of ISG
- Configuring ISG Control Policies
- Configuring ISG Access for PPP Sessions
- Configuring ISG Access for IP Subscriber Sessions
- Configuring ISG IPv6 Support
- Configuring MQC Support for IP Sessions
- Configuring ISG Port-Bundle Host Key
- Configuring ISG as a RADIUS Proxy
- ISG RADIUS Proxy Support for Mobile Users: Hotspot Roaming and Accounting Start Filtering
- Walk-By User Support for PWLANs in ISG
- Configuring RADIUS-Based Policing
- Configuring Ambiguous VLAN support for IP sessions over ISG
- Configuring ISG Policies for Automatic Subscriber Logon
- Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
- Enabling ISG to Interact with External Policy Servers
- Configuring ISG Subscriber Services
- Configuring ISG Network Forwarding Policies
- Configuring ISG Accounting
- Configuring ISG Support for Prepaid Billing
- Configuring ISG Policies for Session Maintenance
- Redirecting Subscriber Traffic Using ISG Layer 4 Redirect
- Configuring Layer 4 Redirect Logging
- Configuring ISG Policies for Regulating Network Access
- Configuring ISG Integration with SCE
- Service Gateway Interface
- ISG MIB
- ISG SSO and ISSU Support
- Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging
- Configuring ISG Troubleshooting Enhancements
- Finding Feature Information
- Information About ISG Policies for Regulating Network Access
- How to Configure ISG Policies for Regulating Network Access
Configuring ISG Policies for Regulating Network Access
Intelligent Services Gateway (ISG) is a Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. ISG supports the use of policies for governing subscriber session bandwidth and network accessibility. This module provides information about the following methods of regulating session bandwidth and network access: Modular Quality of Service (QoS) command-line interface (CLI) policies and ISG policing.
- Finding Feature Information
- Information About ISG Policies for Regulating Network Access
- How to Configure ISG Policies for Regulating Network Access
- Configuration Examples for ISG Policies for Regulating Network Access
- Additional References
- Feature Information for ISG Policies for Regulating Network Access
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About ISG Policies for Regulating Network Access
Methods of Regulating Network Access
ISG supports the following methods of regulating network access. Each of these methods can be applied to an ISG session and can be dynamically updated.
Modular QoS CLI (MQC) Policies
QoS policies configured using the MQC are supported for subscriber sessions only. MQC policies cannot be applied to ISG services.
ISG Policing
ISG policing supports policing of upstream and downstream traffic. ISG policing differs from policing configured using the MQC in that ISG policing can be configured in service profiles to support policing of traffic flows. MQC policies cannot be configured in service profiles. ISG policing can also be configured in user profiles and service profiles to support session policing.
Overview of ISG Policing
Traffic policing allows you to control the maximum rate of traffic sent or received on an interface. Policing is often configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate parameters is sent, whereas traffic that exceeds the parameters is dropped or sent with a different priority.
ISG policing supports policing of upstream and downstream traffic and can be applied to a session or a flow. The following sections describe session-based policing and flow-based policing.
Session-Based Policing
Session-based policing applies to the aggregate of subscriber traffic for a session. In the figure below, session policing would be applied to all traffic moving from the PPPoE client to ISG and from ISG to the PPPoE client.
Session-based policing parameters can be configured on a AAA server in either a user profile or a service profile that does not specify a traffic class. It can also be configured on the router in a service policy map. Session-based policing parameters that are configured in a user profile take precedence over session-based policing parameters configured in a service profile or service policy map.
Flow-Based Policing
Flow-based policing applies only to the destination-based traffic flows that are specified by a traffic class. In the figure below, flow-based policing would allow you to police the traffic between the PPPoE client and Internet 1 or Internet 2.
Flow-based policing can be configured on a AAA server in a service profile that specifies a traffic class. It can also be configured on the router under a traffic class in a service policy map. Flow-based policing and session-based policing can coexist and operate simultaneously on subscriber traffic.
How to Configure ISG Policies for Regulating Network Access
Configuring ISG Policing
- Configuring Policing in a Service Policy Map on the Router
- Configuring Policing in a Service Profile or User Profile on the AAA Server
- Verifying ISG Policing
Configuring Policing in a Service Policy Map on the Router
Perform this task to configure ISG policing on the router.
1.
enable
2.
configure
terminal
3.
policy-map
type
service
policy-map-name
4. [priority]class type traffic class-map-name
5.
police
input
committed-rate
normal-burst
excess-burst
6.
police
output
committed-rate
normal-burst
excess-burst
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
|
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
policy-map
type
service
policy-map-name
Example: Router(config)# policy-map type service service1 |
Creates or modifies a service policy map, which is used to define an ISG service. |
Step 4 |
[priority]class type traffic class-map-name Example: Router(config-service-policymap)# class type traffic silver |
Associates a previously configured traffic class with the policy map. |
Step 5 |
police
input
committed-rate
normal-burst
excess-burst
Example: Router(config-service-policymap-class-traffic)# police input 20000 30000 60000 |
Configures ISG policing of upstream traffic.
|
Step 6 |
police
output
committed-rate
normal-burst
excess-burst
Example: Router(config-service-policymap-class-traffic)# police output 21000 31500 63000 |
Configures ISG policing of downstream traffic.
|
What to Do Next
You may want to configure a method of activating the service policy map; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services".
Configuring Policing in a Service Profile or User Profile on the AAA Server
- Add the following Policing vendor-specific attribute (VSA) to the user profile on the AAA server.
- 26, 9, 250 "QU;committed-rate;normal-burst;excess-burst;D;committed-rate;normal-burst;excess-burst"
- Add the following Policing VSA to the service profile on the AAA server.
1.
Do one of the following:
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 | Do one of the following:
Example: 26,9,251 "QU;committed-rate;normal-burst;excess-burst;D;committed-rate;normal-burst;excess-burst" |
Enables ISG policing of upstream and downstream traffic.
|
What to Do Next
You may want to configure a method of activating the service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services".
Verifying ISG Policing
Perform this task to verify ISG policing configuration.
1.
enable
2.
show
subscriber
session
[detailed] [identifier
identifier
|
uid
session-id|
username
name]
DETAILED STEPS
Command or Action | Purpose |
---|
Examples
The following example shows output for the show subscriber session command when policing parameters have been configured in the service profile. The “Config level” field indicates where the policing parameters are configured; in this case, in the service profile.
Router# show subscriber session detailed Current Subscriber Information: Total sessions 2 Unique Session ID: 1 ..... Session inbound features: Feature: Policing Upstream Params: Average rate = 24000, Normal burst = 4500, Excess burst = 9000 Config level = Service Session outbound features: Feature: Policing Dnstream Params: Average rate = 16000, Normal burst = 3000, Excess burst = 6000 Config level = Service .....
The following example shows output for the show subscriber session command where upstream policing parameters are specified in a user profile and downstream policing parameters are specified in a service profile.
Router# show subscriber session all Current Subscriber Information: Total sessions 2 Unique Session ID: 2 ..... Session inbound features: Feature: Policing Upstream Params: Average rate = 24000, Normal burst = 4500, Excess burst = 9000 Config level = Per-user ===========> Upstream parameters are specified in the user profile. Session outbound features: Feature: Policing Dnstream Params: Average rate = 16000, Normal burst = 3000, Excess burst = 6000 Config level = Service ============> No downstream parameters in the user profile, hence the parameters in the service profile are applied. .....
Configuration Examples for ISG Policies for Regulating Network Access
ISG Policing Examples
Flow-Based Policing Configured in a Service Policy Map Using the CLI
The following example shows the configuration of ISG flow-based policing in a service policy map:
class-map type traffic match-any C3 match access-group in 103 match access-group out 203 policy-map type service P3 class type traffic C3 police input 20000 30000 60000 police output 21000 31500 63000
Session-Based Policing Configured in a User Profile on a AAA Server
The following example shows policing configured in a user profile:
Cisco:Account-Info = "QU;23465;8000;12000;D;64000"
Session-Based Policing Configured in a Service Profile on a AAA Server
The following example shows policing configured in a service profile:
Cisco:Service-Info = "QU;16000;D;31000"
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
ISG commands |
|
How to configure QoS policies using the MQC |
"Applying QoS Features Using MQC" module in the Quality of Service Configuration Guide |
How to configure DBS |
"Controlling Subscriber Bandwidth" module in the Broadband Access Aggregation and DSL Configuration Guide |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for ISG Policies for Regulating Network Access
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Configuration Information |
---|---|---|
ISG: Flow Control: QoS Control: Dynamic Rate Limiting |
Cisco IOS XE Release 2.2 |
ISG can change the allowed bandwidth of a session or flow by dynamically applying rate-limiting policies. |