Subscriber Service Switch
The Subscriber Service Switch feature directs PPP between points using a Layer 2 subscriber policy. It also provides the following features for Internet service providers (ISPs):
•Flexible connection options for subscribers seeking available services
•Flexible number of subscribers
•Flexible definition of services
Configuration Information
Configuration information is included in the "How to Configure a Subscriber Service Switch Policy" module in the "Configuring Cisco Subscriber Service Switch Policies" chapter of the Cisco IOS Broadband and DSL Configuration Guide, Release 12.4.
Command Reference Information
This section documents modified commands.
•atm pppatm passive
•clear pppatm interface atm
•clear pppoe
•debug pppatm
•debug sss aaa authorization event
•debug sss aaa authorization fsm
•debug sss error
•debug sss event
•debug sss fsm
•multihop-hostname
•show pppatm summary
•show pppatm trace
•show sss session
•show vpdn session
•subscriber access
•subscriber authorization enable
•vpdn authorize domain
•vpn service
atm pppatm passive
To place an ATM subinterface in passive mode, use the atm pppatm passive command in ATM subinterface configuration mode. To change the configuration back to the default (active) mode, use the no form of this command.
atm pppatm passive
no atm pppatm passive
Syntax Description
This command has no arguments or keywords.
Defaults
Active mode
Command Modes
ATM subinterface configuration
Command History
Release       Modification
12.2(13)T     This feature was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
The atm pppatm passive command places PPP over ATM (PPPoA) sessions on an ATM subinterface in "listening" mode. Rather than trying to establish the sessions actively by sending out Link Control Protocol (LCP) packets, these sessions listen to the incoming LCP packets and become active only after they have received their first LCP packet. This feature is useful for L2TP access concentrators (LACs) in the broadband access deployments where thousands of PPPoA sessions are configured on LACs. When PPPoA is in the passive mode, the LAC will bring up the sessions only when the subscribers become active and not waste its processing power on polling all the sessions.
For better scalability and faster convergence of PPP sessions, Cisco recommends setting the PPPoA sessions to passive mode at the LAC.
Examples
The following example configures the passive mode for the PPPoA sessions on an ATM subinterface:
interface atm 1/0.1 multipoint
 atm pppatm passive
 range range-pppoa-1 pvc 100 199
  protocol ppp virtual-template 1
clear pppatm interface atm
To clear PPP ATM sessions on an ATM interface, use the clear pppatm interface atm command in privileged EXEC mode.
clear pppatm interface atm interface-number[.subinterface-number] [vc {[vpi/]vci | virtual-circuit-name}]
Syntax Description
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(13)T     This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
This command clears the PPP over ATM (PPPoA) sessions in an interface, or in a VC when the VC is specified.
When the clear pppatm interface atm command is used to clear sessions on an interface, PPP keepalives continue to work and can be used to detect a broken link.
Examples
The following example clears a PPP ATM session on ATM interface 1/0.10:
Router# clear pppatm interface atm 1/0.10
Related Commands
Command                Description
debug pppatm           Enables reports for PPPoA events, errors, and states either globally or conditionally on an interface or VC.
show pppatm summary    Displays PPPoA session counts.
clear pppoe
To clear PPP over Ethernet (PPPoE) sessions, use the clear pppoe command in privileged EXEC mode.
clear pppoe {interface type number [vc {[vpi/]vci | vc-name}] [vlan vlan-id] | rmac mac-address [sid session-id] | all}
Syntax Description
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(13)T     This command was introduced.
12.3(2)T      The vlan vlan-id keyword and argument were added.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
Use the clear pppoe all command to clear all PPPoE sessions.
Use the interface keyword and arguments and the vlan keyword and argument to clear PPPoE sessions on a specific Ethernet 802.1Q VLAN.
Use the interface, vc, and vlan keywords and arguments to clear PPPoE over 802.1Q VLAN sessions on an ATM PVC.
Examples
The following example clears all PPPoE sessions:
Router# clear pppoe all
debug pppatm
To enable debug reports for PPP over ATM (PPPoA) events, errors, and states, either globally or conditionally, on an interface or virtual circuit (VC), use the debug pppatm command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug pppatm {event | error | state} [interface atm interface-number [subinterface-number]] vc {[vpi/]vci | virtual-circuit-name}
no debug pppatm {event | error | state} [interface atm interface-number [subinterface-number]] vc {[vpi/]vci | virtual-circuit-name}
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(13)T     This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
Each specific PPPoA debug report must be requested on a separate command line; see the "Examples" section.
Examples
The following is example output of a PPPoA session with event, error, and state debug reports enabled on ATM interface 1/0.10:
Router# debug pppatm event interface atm1/0.10
Router# debug pppatm error interface atm1/0.10
Router# debug pppatm state interface atm1/0.10
00:03:08: PPPATM: ATM1/0.10 0/101 [1], Event = Clear Session
00:03:08: PPPATM: ATM1/0.10 0/101 [1], Event = Disconnecting
00:03:08: PPPATM: ATM1/0.10 0/101 [1], Event = AAA gets dynamic attrs
00:03:08: PPPATM: ATM1/0.10 0/101 [1], Event = AAA gets dynamic attrs
00:03:08: PPPATM: ATM1/0.10 0/101 [1], Event = SSS Cleanup
00:03:08: PPPATM: ATM1/0.10 0/101 [0], State = DOWN
00:03:08: PPPATM: ATM1/0.10 0/101 [0], Event = Up Pending
00:03:16: PPPATM: ATM1/0.10 0/101 [0], Event = Up Dequeued
00:03:16: PPPATM: ATM1/0.10 0/101 [0], Event = Processing Up
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = Access IE allocated
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = Set Pkts to SSS
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = AAA gets retrived attrs
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = AAA gets nas port details
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = AAA gets dynamic attrs
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = AAA gets dynamic attrs
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = AAA unique id allocated
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = No AAA method list set
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = SSS Request
00:03:16: PPPATM: ATM1/0.10 0/101 [2], State = NAS_PORT_POLICY_INQUIRY
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = SSS Msg Received = 1
00:03:16: PPPATM: ATM1/0.10 0/101 [2], State = PPP_START
00:03:16: PPPATM: ATM1/0.10 0/101 [2], Event = PPP Msg Received = 1
00:03:16: PPPATM: ATM1/0.10 0/101 [2], State = LCP_NEGOTIATION
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = PPP Msg Received = 4
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = HW Switch support FORW = 0
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = Access IE get nas port
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = AAA gets dynamic attrs
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = AAA gets dynamic attrs
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = PPP Msg Received = 5
00:03:27: PPPATM: ATM1/0.10 0/101 [2], Event = Set Pkts to SSS
00:03:27: PPPATM: ATM1/0.10 0/101 [2], State = FORWARDED
Table 1 describes the significant fields shown in the display.
Related Commands
Command                Description
atm pppatm passive     Places an ATM subinterface into passive mode.
show pppatm summary    Displays PPPoA session counts.
debug sss aaa authorization event
To display messages about authentication, authorization, and accounting (AAA) authorization events that are part of normal call establishment, use the debug sss aaa authorization event command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sss aaa authorization event
no debug sss aaa authorization event
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(13)T     This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Examples
The following is sample output of several Subscriber Service Switch (SSS) debug commands including the debug sss aaa authorization event command. The reports from these commands should be sent to technical personnel at Cisco Systems for evaluation.
Router# debug sss event
Router# debug sss error
Router# debug sss state
Router# debug sss aaa authorization event
Router# debug sss aaa authorization fsm
SSS:
  SSS events debugging is on
  SSS error debugging is on
  SSS fsm debugging is on
  SSS AAA authorization event debugging is on
  SSS AAA authorization FSM debugging is on
*Mar 4 21:33:18.248: SSS INFO: Element type is Access-Type, long value is 3
*Mar 4 21:33:18.248: SSS INFO: Element type is Switch-Id, long value is -1509949436
*Mar 4 21:33:18.248: SSS INFO: Element type is Nasport, ptr value is 6396882C
*Mar 4 21:33:18.248: SSS INFO: Element type is AAA-Id, long value is 7
*Mar 4 21:33:18.248: SSS INFO: Element type is AAA-ACCT_ENBL, long value is 1
*Mar 4 21:33:18.248: SSS INFO: Element type is AccIe-Hdl, ptr value is 78000006
*Mar 4 21:33:18.248: SSS MGR [uid:7]: Event service-request, state changed from wait-for-req to wait-for-auth
*Mar 4 21:33:18.248: SSS MGR [uid:7]: Handling Policy Authorize (1 pending sessions)
*Mar 4 21:33:18.248: SSS PM [uid:7]: Need the following key: Unauth-User
*Mar 4 21:33:18.248: SSS PM [uid:7]: Received Service Request
*Mar 4 21:33:18.248: SSS PM [uid:7]: Event <need keys>, State: initial-req to need-init-keys
*Mar 4 21:33:18.248: SSS PM [uid:7]: Policy reply - Need more keys
*Mar 4 21:33:18.248: SSS MGR [uid:7]: Got reply Need-More-Keys from PM
*Mar 4 21:33:18.248: SSS MGR [uid:7]: Event policy-or-mgr-more-keys, state changed from wait-for-auth to wait-for-req
*Mar 4 21:33:18.248: SSS MGR [uid:7]: Handling More-Keys event
*Mar 4 21:33:20.256: SSS INFO: Element type is Unauth-User, string value is nobody2@xyz.com
*Mar 4 21:33:20.256: SSS INFO: Element type is AccIe-Hdl, ptr value is 78000006
*Mar 4 21:33:20.256: SSS INFO: Element type is AAA-Id, long value is 7
*Mar 4 21:33:20.256: SSS INFO: Element type is Access-Type, long value is 0
*Mar 4 21:33:20.256: SSS MGR [uid:7]: Event service-request, state changed from wait-for-req to wait-for-auth
*Mar 4 21:33:20.256: SSS MGR [uid:7]: Handling Policy Authorize (1 pending sessions)
*Mar 4 21:33:20.256: SSS PM [uid:7]: Received More Initial Keys
*Mar 4 21:33:20.256: SSS PM [uid:7]: Event <rcvd keys>, State: need-init-keys to check-auth-needed
*Mar 4 21:33:20.256: SSS PM [uid:7]: Handling Authorization Check
*Mar 4 21:33:20.256: SSS PM [uid:7]: Event <send auth>, State: check-auth-needed to authorizing
*Mar 4 21:33:20.256: SSS PM [uid:7]: Handling AAA service Authorization
*Mar 4 21:33:20.256: SSS PM [uid:7]: Sending authorization request for 'xyz.com'
*Mar 4 21:33:20.256: SSS AAA AUTHOR [uid:7]:Event <make request>, state changed from idle to authorizing
*Mar 4 21:33:20.256: SSS AAA AUTHOR [uid:7]:Authorizing key xyz.com
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:AAA request sent for key xyz.com
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Received an AAA pass
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Event <found service>, state changed from authorizing to complete
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Found service info for key xyz.com
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Event <free request>, state changed from complete to terminal
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Free request
*Mar 4 21:33:20.264: SSS PM [uid:7]: Event <found>, State: authorizing to end
*Mar 4 21:33:20.264: SSS PM [uid:7]: Handling Service Direction
*Mar 4 21:33:20.264: SSS PM [uid:7]: Policy reply - Forwarding
*Mar 4 21:33:20.264: SSS MGR [uid:7]: Got reply Forwarding from PM
*Mar 4 21:33:20.264: SSS MGR [uid:7]: Event policy-start-service-fsp, state changed from wait-for-auth to wait-for-service
*Mar 4 21:33:20.264: SSS MGR [uid:7]: Handling Connect-Forwarding-Service event
*Mar 4 21:33:20.272: SSS MGR [uid:7]: Event service-fsp-connected, state changed from wait-for-service to connected
*Mar 4 21:33:20.272: SSS MGR [uid:7]: Handling Forwarding-Service-Connected event
Related Commands
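An added example, not part of the Cisco documentation: a Python parser for debug sss output of the kind shown in the sample above. It rebuilds the state-machine transitions of each component (SSS MGR, SSS PM, SSS AAA AUTHOR) per uid, records the authorization key and policy reply, and flags transitions whose source state does not match the previous destination, which means lines are missing from the capture. The uid:8 lines in the sample are constructed, and the function and field names are this example's own.

```python
import re
from collections import defaultdict

# The uid:7 lines are copied from the sample output on this page. The uid:8
# lines are CONSTRUCTED (same message formats) to show a session that stalls
# in wait-for-auth and a capture with a missing transition line.
SAMPLE = """\
*Mar 4 21:33:18.248: SSS MGR [uid:7]: Event service-request, state changed from wait-for-req to wait-for-auth
*Mar 4 21:33:18.248: SSS PM [uid:7]: Event <need keys>, State: initial-req to need-init-keys
*Mar 4 21:33:18.248: SSS MGR [uid:7]: Event policy-or-mgr-more-keys, state changed from wait-for-auth to wait-for-req
*Mar 4 21:33:20.256: SSS INFO: Element type is Unauth-User, string value is nobody2@xyz.com
*Mar 4 21:33:20.256: SSS MGR [uid:7]: Event service-request, state changed from wait-for-req to wait-for-auth
*Mar 4 21:33:20.256: SSS PM [uid:7]: Event <rcvd keys>, State: need-init-keys to check-auth-needed
*Mar 4 21:33:20.256: SSS PM [uid:7]: Event <send auth>, State: check-auth-needed to authorizing
*Mar 4 21:33:20.256: SSS PM [uid:7]: Sending authorization request for 'xyz.com'
*Mar 4 21:33:20.256: SSS AAA AUTHOR [uid:7]:Event <make request>, state changed from idle to authorizing
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Received an AAA pass
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Event <found service>, state changed from authorizing to complete
*Mar 4 21:33:20.260: SSS AAA AUTHOR [uid:7]:Event <free request>, state changed from complete to terminal
*Mar 4 21:33:20.264: SSS PM [uid:7]: Event <found>, State: authorizing to end
*Mar 4 21:33:20.264: SSS PM [uid:7]: Policy reply - Forwarding
*Mar 4 21:33:20.264: SSS MGR [uid:7]: Event policy-start-service-fsp, state changed from wait-for-auth to wait-for-service
*Mar 4 21:33:20.272: SSS MGR [uid:7]: Event service-fsp-connected, state changed from wait-for-service to connected
*Mar 4 21:33:21.100: SSS MGR [uid:8]: Event service-request, state changed from wait-for-req to wait-for-auth
*Mar 4 21:33:21.100: SSS PM [uid:8]: Event <need keys>, State: initial-req to need-init-keys
*Mar 4 21:33:21.100: SSS PM [uid:8]: Event <send auth>, State: check-auth-needed to authorizing
"""

# Timestamp, component, uid, and the free-text remainder of a per-session line.
LINE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): SSS "
    r"(?P<comp>MGR|PM|AAA AUTHOR) \[uid:(?P<uid>\d+)\]:\s*(?P<msg>.*)$")
# MGR and AAA AUTHOR say "state changed from A to B"; PM says "State: A to B".
TRANSITION = re.compile(
    r"Event <?(?P<event>[^>,]+)>?, (?:state changed from|State:) "
    r"(?P<src>\S+) to (?P<dst>\S+)")
AUTH_KEY = re.compile(r"Sending authorization request for '(?P<key>[^']+)'")
POLICY = re.compile(r"Policy reply - (?P<reply>.+)")


def parse_sss_debug(text):
    """Return {uid: summary} built from 'debug sss' output lines."""
    sessions = defaultdict(lambda: {
        "transitions": [], "state": {}, "gaps": [],
        "auth_key": None, "aaa_pass": False, "policy_replies": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banners and SSS INFO lines carry no uid
        s = sessions[int(m["uid"])]
        comp, msg = m["comp"], m["msg"]
        t = TRANSITION.search(msg)
        if t:
            prev = s["state"].get(comp)
            # Source state differs from the last destination seen for this
            # component: at least one transition line is missing.
            if prev is not None and prev != t["src"]:
                s["gaps"].append((m["ts"], comp, prev, t["src"]))
            s["state"][comp] = t["dst"]
            s["transitions"].append(
                (m["ts"], comp, t["event"], t["src"], t["dst"]))
        elif (k := AUTH_KEY.search(msg)):
            s["auth_key"] = k["key"]
        elif (p := POLICY.search(msg)):
            s["policy_replies"].append(p["reply"])
        elif msg == "Received an AAA pass":
            s["aaa_pass"] = True
    return dict(sessions)


def stalled(sessions):
    """uids whose SSS MGR state machine did not end in 'connected'."""
    return sorted(u for u, s in sessions.items()
                  if s["state"].get("MGR") != "connected")


if __name__ == "__main__":
    parsed = parse_sss_debug(SAMPLE)
    for uid, s in parsed.items():
        print(uid, s["state"], s["auth_key"], s["aaa_pass"],
              s["policy_replies"], s["gaps"])
    print("stalled:", stalled(parsed))
```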
debug sss aaa authorization fsm
To display information about authentication, authorization, and accounting (AAA) authorization state changes, use the debug sss aaa authorization fsm command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sss aaa authorization fsm
no debug sss aaa authorization fsm
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(13)T     This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Examples
The following example shows how to enter this command. See the "Examples" section of the debug sss aaa authorization event command page for an example of output.
Router# debug sss aaa authorization fsm
Related Commands
debug sss error
To display diagnostic information about errors that may occur during Subscriber Service Switch (SSS) call setup, use the debug sss error command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sss error
no debug sss error
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(13)T     This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Examples
The following example shows how to enter this command. See the "Examples" section of the debug sss aaa authorization event command page for an example of output.
Router# debug sss error
Related Commands
debug sss event
To display diagnostic information about Subscriber Service Switch (SSS) call setup events, use the debug sss event command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sss event
no debug sss event
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(13)T     This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Examples
The following example shows how to enter this command. See the "Examples" section of the debug sss aaa authorization event command page for an example of output.
Router# debug sss event
Related Commands
debug sss fsm
To display diagnostic information about the Subscriber Service Switch (SSS) call setup state, use the debug sss fsm command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug sss fsm
no debug sss fsm
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(13)T     This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Examples
The following example shows how to enter this command. See the "Examples" section of the debug sss aaa authorization event command page for an example of output.
Router# debug sss fsm
multihop-hostname
To enable a tunnel switch to initiate a tunnel based on the hostname or tunnel ID associated with an ingress tunnel, use the multihop-hostname command in VPDN request-dialin subgroup configuration mode. To disable this option, use the no form of this command.
multihop-hostname ingress-tunnel-name
no multihop-hostname ingress-tunnel-name
Syntax Description
Command Default
No multihop hostname is configured.
Command Modes
VPDN request-dialin subgroup configuration
Command History
Usage Guidelines
Use the multihop-hostname command only on a device configured as a tunnel switch.
The ingress-tunnel-name argument must specify either the hostname of the device initiating the tunnel that is to be switched, or the tunnel ID of the ingress tunnel that is to be switched.
Removing the request-dialin subgroup configuration will remove the multihop-hostname configuration.
Examples
The following example configures a Layer 2 Tunnel Protocol (L2TP) virtual private dialup network (VPDN) group on a tunnel switch to forward ingress sessions from the host named LAC-1 through an outgoing tunnel to IP address 10.3.3.3:
vpdn-group 11
 request-dialin
  protocol l2tp
  multihop-hostname LAC-1
 initiate-to ip 10.3.3.3
 local name tunnel-switch
Related Commands
show pppatm summary
To display PPP over ATM (PPPoA) session counts, use the show pppatm summary command in privileged EXEC mode.
show pppatm summary [interface atm interface-number[.subinterface-number]]
Syntax Description
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(13)T     This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
This command is useful for obtaining session counts, the state of the PPPoA sessions, and the interfaces on which they are running.
This command gives a summary of the number of PPPoA sessions in each state and the session information of each individual session. If a subinterface number is given in the command, the output is a summary report of the PPPoA sessions in the subinterface. If a main interface number is given, the output will have the summary reports for each individual subinterface of that main interface as shown in the Examples section. If no interface is given, the output will contain the summary reports for each ATM interface on the router.
Examples
The following example displays PPPoA session counts and states for ATM interface 5/0:
Router# show pppatm summary interface atm 5/0
ATM5/0.3:
 0 sessions total
ATM5/0.6:
 1 in PTA (PTA) State
 1 sessions total
VPI VCI Conn ID PPPoA ID SSS ID   PPP ID   AAA ID VT VA/SID State
6   101 11      DA000009 BB000013 E5000017 C      1  1.1    PTA
Most of the fields displayed by the show pppatm summary command are self-explanatory. Table 2 describes the significant fields shown in the displays. Any data not described in Table 2 is used for internal debugging purposes.
Related Commands
show pppatm trace
To display a sequence of PPP over ATM (PPPoA) events, errors, and state changes when the debug pppatm command is enabled, use the show pppatm trace command in privileged EXEC mode.
show pppatm trace [error | event | state] interface atm interface-number[.subinterface-number] vc {[vpi/]vci | virtual-circuit-name}
Syntax Description
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(13)T     This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
When the debug pppatm command has been enabled, this command displays messages from the specified permanent virtual circuit (PVC). If only one debug pppatm command keyword is supplied in the command, the report will display only the sequence of events for that particular debug type.
Examples
The following example traces the debugging messages supplied by the debug pppatm command on PVC 101. The report is used by Cisco technical personnel for diagnosing system problems.
Router# debug pppatm trace interface atm 1/0.10 vc 101
Router# debug pppatm state interface atm 1/0.10 vc 101
Router# debug pppatm event interface atm 1/0.10 vc 101
Router# show pppatm trace interface atm 1/0.10 vc 101
Event = Disconnecting
Event = AAA gets dynamic attrs
Event = AAA gets dynamic attrs
Event = SSS Cleanup
State = DOWN
Event = Up Pending
Event = Up Dequeued
Event = Processing Up
Event = Access IE allocated
Event = Set Pkts to SSS
Event = AAA gets retrieved attrs
Event = AAA gets nas port details
Event = AAA gets dynamic attrs
Event = AAA gets dynamic attrs
Event = AAA unique id allocated
Event = No AAA method list set
Event = SSS Request
State = NAS_PORT_POLICY_INQUIRY
Event = SSS Msg
State = PPP_START
Event = PPP Msg
State = LCP_NEGOTIATION
Event = PPP Msg
Event = Access IE get nas port
Event = AAA gets dynamic attrs
Event = AAA gets dynamic attrs
Event = PPP Msg
Event = Set Pkts to SSS
State = FORWARDED
Related Commands
show sss session
To display Subscriber Service Switch session status, use the show sss session command in privileged EXEC mode.
show sss session [all]
Syntax Description
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(13)T     This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
Use this command to verify correct operation of PPP connections in the Subscriber Service Switch environment.
Examples
The following sample output from the show sss session command provides a basic report of Subscriber Service Switch session activity:
Router# show sss session
Current SSS Information: Total sessions 9
Uniq ID Type      State     Service    Identifier        Last Chg
9       PPPoE/PPP connected VPDN       nobody3@cisco.com 00:02:36
10      PPPoE/PPP connected VPDN       nobody3@cisco.com 00:01:52
11      PPPoE/PPP connected VPDN       nobody3@cisco.com 00:01:52
3       PPPoE/PPP connected VPDN       user3@cisco.com   2d21h
6       PPPoE/PPP connected Local Term user1             00:03:35
7       PPPoE/PPP connected Local Term user2             00:03:35
8       PPPoE/PPP connected VPDN       nobody3@cisco.com 00:02:36
2       PPP       connected Local Term user5             00:05:06
4       PPP       connected VPDN       nobody2@cisco.com 00:06:52
The following sample output from the show sss session all command provides a more extensive report of Subscriber Service Switch session activity:
Router# show sss session all
Current SSS Information: Total sessions 9
SSS session handle is 40000013, state is connected, service is VPDN
 Unique ID is 9
 SIP subscriber access type(s) are PPPoE/PPP
 Identifier is nobody3@cisco.com
 Last Changed 00:02:49
 Root SIP Handle is DF000010, PID is 49
 AAA unique ID is 10
 Current SIP options are Req Fwding/Req Fwded
SSS session handle is B0000017, state is connected, service is VPDN
 Unique ID is 10
 SIP subscriber access type(s) are PPPoE/PPP
 Identifier is nobody3@cisco.com
 Last Changed 00:02:05
 Root SIP Handle is B9000015, PID is 49
 AAA unique ID is 11
 Current SIP options are Req Fwding/Req Fwded
SSS session handle is D6000019, state is connected, service is VPDN
 Unique ID is 11
 SIP subscriber access type(s) are PPPoE/PPP
 Identifier is nobody3@cisco.com
 Last Changed 00:02:13
 Root SIP Handle is D0000016, PID is 49
 AAA unique ID is 12
 Current SIP options are Req Fwding/Req Fwded
SSS session handle is 8C000003, state is connected, service is VPDN
 Unique ID is 3
 SIP subscriber access type(s) are PPPoE/PPP
 Identifier is user3@cisco.com
 Last Changed 2d21h
 Root SIP Handle is D3000002, PID is 49
 AAA unique ID is 3
 Current SIP options are Req Fwding/Req Fwded
SSS session handle is BE00000B, state is connected, service is Local Term
 Unique ID is 6
 SIP subscriber access type(s) are PPPoE/PPP
 Identifier is user1
 Last Changed 00:03:56
 Root SIP Handle is A9000009, PID is 49
 AAA unique ID is 7
 Current SIP options are Req Fwding/Req Fwded
SSS session handle is DC00000D, state is connected, service is Local Term
 Unique ID is 7
 SIP subscriber access type(s) are PPPoE/PPP
 Identifier is user2
 Last Changed 00:03:57
 Root SIP Handle is 2C00000A, PID is 49
 AAA unique ID is 8
 Current SIP options are Req Fwding/Req Fwded
SSS session handle is DB000011, state is connected, service is VPDN
 Unique ID is 8
 SIP subscriber access type(s) are PPPoE/PPP
 Identifier is nobody3@cisco.com
 Last Changed 00:02:58
 Root SIP Handle is 1000000F, PID is 49
 AAA unique ID is 9
 Current SIP options are Req Fwding/Req Fwded
SSS session handle is 3F000007, state is connected, service is Local Term
 Unique ID is 2
 SIP subscriber access type(s) are PPP
 Identifier is user5
 Last Changed 00:05:30
 Root SIP Handle is 8A000009, PID is 92
 AAA unique ID is 1
 Current SIP options are Req Fwding/Req Fwded
SSS session handle is 97000005, state is connected, service is VPDN
 Unique ID is 4
 SIP subscriber access type(s) are PPP
 Identifier is nobody2@cisco.com
 Last Changed 00:07:16
 Root SIP Handle is 32000000, PID is 92
 AAA unique ID is 5
 Current SIP options are Req Fwding/Req Fwded
Most of the fields displayed by the show sss session and show sss session all commands are self-explanatory. Table 3 describes the significant fields shown in the displays. Any data not described in Table 3 is used for internal debugging purposes.
Related Commands
Command              Description
show vpdn session    Displays session information about the L2TP and L2F protocols, and PPPoE tunnels in a VPDN.
show vpdn session
To display session information about active Layer 2 sessions for a virtual private dialup network (VPDN), use the show vpdn session command in privileged EXEC mode.
show vpdn session [l2f | l2tp | pptp] [all | packets | sequence | state [filter]]
Syntax Description
l2f         (Optional) Displays information about Layer 2 Forwarding (L2F) calls only.
l2tp        (Optional) Displays information about Layer 2 Tunnel Protocol (L2TP) calls only.
pptp        (Optional) Displays information about Point-to-Point Tunnel Protocol (PPTP) calls only.
all         (Optional) Displays extensive reports about active sessions.
filter      (Optional) One of the filter parameters defined in Table 4.
packets     (Optional) Displays information about packet and byte counts for sessions.
sequence    (Optional) Displays sequence information for sessions.
state       (Optional) Displays state information for sessions.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show vpdn session command to display information about all active sessions using L2TP, L2F, and PPTP.
The output of the show vpdn session command displays PPPoE session information as well. PPPoE is supported on ATM permanent virtual connections (PVCs) compliant with RFC 1483 only. PPPoE is not supported on Frame Relay and any other LAN interfaces such as FDDI and Token Ring.
Reports and options for this command depend upon the configuration in which it is used. Use the command-line question mark (?) help function to display options available with the show vpdn session command.
Table 4 defines the filter parameters available to refine the output of the show vpdn session command. You may use any one of the filter parameters in place of the filter argument.
Examples
The show vpdn session command provides reports on call activity for all active sessions. The following output is from a device carrying active L2TP, L2F, and PPPoE sessions:
Router# show vpdn session
L2TP Session Information Total tunnels 1 sessions 4
LocID RemID TunID Intf        Username          State Last Chg Uniq ID
4     691   13695 Se0/0       nobody2@cisco.com est   00:06:00 4
5     692   13695 SSS Circuit nobody1@cisco.com est   00:01:43 8
6     693   13695 SSS Circuit nobody1@cisco.com est   00:01:43 9
3     690   13695 SSS Circuit nobody3@cisco.com est   2d21h    3
L2F Session Information Total tunnels 1 sessions 2
CLID MID Username         Intf        State Uniq ID
1    2   nobody@cisco.com SSS Circuit open  10
1    3   nobody@cisco.com SSS Circuit open  11
%No active PPTP tunnels
PPPoE Session Information Total tunnels 1 sessions 7
PPPoE Session Information
UID SID RemMAC         OIntf Intf  Session
        LocMAC               VASt  state
3   1   0030.949b.b4a0 Fa2/0 N/A   CNCT_FWDED
        0010.7b90.0840
6   2   0030.949b.b4a0 Fa2/0 Vi1.1 CNCT_PTA
        0010.7b90.0840       UP
7   3   0030.949b.b4a0 Fa2/0 Vi1.2 CNCT_PTA
        0010.7b90.0840       UP
8   4   0030.949b.b4a0 Fa2/0 N/A   CNCT_FWDED
        0010.7b90.0840
9   5   0030.949b.b4a0 Fa2/0 N/A   CNCT_FWDED
        0010.7b90.0840
10  6   0030.949b.b4a0 Fa2/0 N/A   CNCT_FWDED
        0010.7b90.0840
11  7   0030.949b.b4a0 Fa2/0 N/A   CNCT_FWDED
        0010.7b90.0840
Table 5 describes the significant fields in the show vpdn session display.
The show vpdn session packets command provides reports on call activity for all the currently active sessions. The following output is from a device carrying an active PPPoE session:
Router# show vpdn session packets
%No active L2TP tunnels
%No active L2F tunnels
PPPoE Session Information Total tunnels 1 sessions 1
PPPoE Session Information
SID Pkts-In Pkts-Out Bytes-In Bytes-Out
1   202333  202337   2832652  2832716
Table 6 describes the significant fields shown in the show vpdn session packets command display.
The show vpdn session all command provides extensive reports on call activity for all the currently active sessions. The following output is from a device carrying active L2TP, L2F, and PPPoE sessions:
Router# show vpdn session all
L2TP Session Information Total tunnels 1 sessions 4
Session id 5 is up, tunnel id 13695
Call serial number is 3355500002
Remote tunnel name is User03
  Internet address is 10.0.0.63
  Session state is established, time since change 00:03:53
    52 Packets sent, 52 received
    2080 Bytes sent, 1316 received
  Last clearing of "show vpdn" counters never
  Session MTU is 1464 bytes
  Session username is nobody@cisco.com
    Interface
    Remote session id is 692, remote tunnel id 58582
  UDP checksums are disabled
  SSS switching enabled
  No FS cached header information available
  Sequencing is off
  Unique ID is 8
Session id 6 is up, tunnel id 13695
Call serial number is 3355500003
Remote tunnel name is User03
  Internet address is 10.0.0.63
  Session state is established, time since change 00:04:22
    52 Packets sent, 52 received
    2080 Bytes sent, 1316 received
  Last clearing of "show vpdn" counters never
  Session MTU is 1464 bytes
  Session username is nobody@cisco.com
    Interface
    Remote session id is 693, remote tunnel id 58582
  UDP checksums are disabled
  SSS switching enabled
  No FS cached header information available
  Sequencing is off
  Unique ID is 9
Session id 3 is up, tunnel id 13695
Call serial number is 3355500000
Remote tunnel name is User03
  Internet address is 10.0.0.63
  Session state is established, time since change 2d21h
    48693 Packets sent, 48692 received
    1947720 Bytes sent, 1314568 received
  Last clearing of "show vpdn" counters never
  Session MTU is 1464 bytes
  Session username is nobody2@cisco.com
    Interface
    Remote session id is 690, remote tunnel id 58582
  UDP checksums are disabled
  SSS switching enabled
  No FS cached header information available
  Sequencing is off
  Unique ID is 3
Session id 4 is up, tunnel id 13695
Call serial number is 3355500001
Remote tunnel name is User03
  Internet address is 10.0.0.63
  Session state is established, time since change 00:08:40
    109 Packets sent, 3 received
    1756 Bytes sent, 54 received
  Last clearing of "show vpdn" counters never
  Session MTU is 1464 bytes
  Session username is nobody@cisco.com
    Interface Se0/0
    Remote session id is 691, remote tunnel id 58582
  UDP checksums are disabled
  IDB switching enabled
  FS cached header information:
    encap size = 36 bytes
    4500001C BDDC0000 FF11E977 0A00003E
    0A00003F 06A506A5 00080000 0202E4D6
    02B30000
  Sequencing is off
  Unique ID is 4
L2F Session Information Total tunnels 1 sessions 2
MID: 2
User: nobody@cisco.com
Interface:
State: open
Packets out: 53
Bytes out: 2264
Packets in: 51
Bytes in: 1274
Unique ID: 10
Last clearing of "show vpdn" counters never
MID: 3
User: nobody@cisco.com
Interface:
State: open
Packets out: 53
Bytes out: 2264
Packets in: 51
Bytes in: 1274
Unique ID: 11
Last clearing of "show vpdn" counters never
%No active PPTP tunnels
PPPoE Session Information Total tunnels 1 sessions 7
PPPoE Session Information
SID Pkts-In Pkts-Out Bytes-In Bytes-Out
1   48696   48696    681765   1314657
2   71      73       1019     1043
3   71      73       1019     1043
4   61      62       879      1567
5   61      62       879      1567
6   55      55       791      1363
7   55      55       795      1363
The significant fields shown in the show vpdn session all command display are similar to those defined in Table 5 and Table 6.
Related Commands
subscriber access
To configure a network access server (NAS) to enable Subscriber Service Switch (SSS) to preauthorize the NAS port identifier (NAS-Port-ID) string before authorizing the domain name, use the subscriber access command in global configuration mode. To disable SSS preauthorization, use the no form of this command.
subscriber access {pppoe | pppoa} pre-authorize nas-port-id [default | list-name] [send username]
no subscriber access {pppoe | pppoa} pre-authorize nas-port-id
Syntax Description
Defaults
Preauthorization is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
The NAS-Port-ID string is used to locate the first service record, which may contain one of three attributes, as follows:
•A restricted set of values for the domain substring of the unauthenticated PPP name.
This filtered service key then locates the final service. See the vpdn authorize domain command for more information.
•PPPoE session limit.
•The logical line ID (LLID).
Once NAS port authorization has taken place, normal authorization, which is usually the domain authorization, continues.
Logical Line ID
The LLID is an alphanumeric string of 1 to 253 characters that serves as the logical identification of a subscriber line. The LLID is maintained in a RADIUS server customer profile database and enables users to track their customers on the basis of the physical lines on which customer calls originate. Downloading the LLID is also referred to as "preauthorization" because it occurs before normal virtual private dialup network (VPDN) authorization downloads L2TP tunnel information.
This command enables LLID and SSS querying only for PPP over Ethernet over ATM (PPPoEoATM) and PPP over Ethernet over VLAN (PPPoEoVLAN or Dot1Q) calls; all other calls, such as ISDN, are not supported.
Per-NAS-Port Session Limits for PPPoE
Use this command to configure SSS preauthorization on the LAC so that the PPPoE per-NAS-port session limit can be downloaded from the customer profile database. To use PPPoE per-NAS-port session limits, you must also configure the PPPoE Session-Limit per NAS-Port Cisco attribute-value pair in the user profile.
Examples
The following example signals SSS to preauthorize the NAS-Port-ID string before authorizing the domain name. This policy applies only to sessions that have a PPPoE access type.
aaa new-model
aaa group server radius sg_llid
 server 172.20.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg_group
 server 172.20.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius
aaa authorization config-commands
aaa authorization network default group sg_group
aaa authorization network mlist_llid group sg_llid
aaa session-id common
!
username s7200_2 password 0 lab
username s5300 password 0 lab
username sg_group password 0 lab
vpdn enable
!
vpdn-group 2
 request-dialin
  protocol l2tp
  domain example.com
 initiate-to ip 10.1.1.1
 local name s7200_2
!
vpdn-group 3
 accept-dialin
  protocol pppoe
  virtual-template 1
!
! Signals Subscriber Service Switch to preauthorize the NAS-Port-ID string before
! authorizing the domain name.
subscriber access pppoe pre-authorize nas-port-id mlist_llid
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.0
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet1/0
 ip address 10.2.2.2 255.255.255.0 secondary
 ip address 10.0.58.111 255.255.255.0
 no cdp enable
!
interface ATM4/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM4/0.1 point-to-point
 pvc 1/100
  encapsulation aal5snap
  protocol pppoe
!
interface virtual-template1
 no ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap
!
radius-server host 172.20.164.120 auth-port 1645 acct-port 1646 key rad123
radius-server host 172.20.164.106 auth-port 1645 acct-port 1646 key rad123
ip radius source-interface Loopback1

The following example is identical to the previous example except that it also adds support for sending the PPP authenticating username with the preauthorization in the Connect-Info attribute. This example also includes command-line interface (CLI) suppression on the LLID if the username that is used to authenticate has a domain that includes #184.
aaa new-model
aaa group server radius sg_llid
 server 172.31.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg_group
 server 172.31.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius
aaa authorization config-commands
aaa authorization network default group sg_group
aaa authorization network mlist_llid group sg_llid
aaa session-id common
!
username s7200_2 password 0 lab
username s5300 password 0 lab
username sg_group password 0 lab
vpdn enable
!
vpdn-group 2
 request-dialin
  protocol l2tp
  domain example.com
  domain example.com#184
 initiate-to ip 10.1.1.1
 local name s7200_2
 l2tp attribute clid mask-method right * 255 match #184
!
vpdn-group 3
 accept-dialin
  protocol pppoe
  virtual-template 1
!
subscriber access pppoe pre-authorize nas-port-id mlist_llid send username
!

Related Commands
subscriber authorization enable
To enable Subscriber Service Switch type authorization, use the subscriber authorization enable command in global configuration mode. To disable the Subscriber Service Switch authorization, use the no form of this command.
subscriber authorization enable
no subscriber authorization enable
Syntax Description
This command has no arguments or keywords.
Defaults
Authorization is disabled.
Command Modes
Global configuration
Command History
Release       Modification
12.2(13)T     This feature was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
The subscriber authorization enable command triggers Subscriber Service Switch type authorization for local termination, even if virtual private dialup network (VPDN) and Stack Group Bidding Protocol (SGBP) are disabled.
Examples
The following example enables Subscriber Service Switch type authorization:
subscriber authorization enable

Related Commands
vpdn authorize domain
To enable domain preauthorization on a network access server (NAS), use the vpdn authorize domain command in global configuration mode. To disable domain preauthorization, use the no form of this command.
vpdn authorize domain
no vpdn authorize domain
Syntax Description
This command has no arguments or keywords.
Defaults
Domain preauthorization is disabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
A domain preauthorization RADIUS user profile must also be created. See the "Examples" section and refer to the Cisco IOS Security Configuration Guide for information on how to create these profiles.
Examples
Domain Preauthorization Configuration on the LAC Example
The following example shows the configuration necessary for an L2TP access concentrator (LAC) to participate in domain preauthorization:
!
aaa new-model
aaa authorization network default local group radius
!
vpdn authorize domain
!
radius-server host 10.9.9.9 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d
radius-server key MyKey
radius-server vsa send authentication
!

Domain Preauthorization RADIUS User Profile Example
The following example shows a domain preauthorization RADIUS user profile:
user = nas-port:10.9.9.9:0/0/0/30.33{
 profile_id = 826
 profile_cycle = 1
 radius=Cisco {
  check_items= {
   2=cisco
  }
  reply_attributes= {
   9,1="vpdn:vpn-domain-list=net1.com,net2.com"
   6=5
  }
 }
}

Related Commands
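The following Python sketch is an added example, not Cisco code and not part of the original reference. It models the domain filter described under subscriber access and vpdn authorize domain, using the RADIUS user profile shown above; the matching rules (domain taken after the last @, case-insensitive exact match), the empty list for a profile without the AV pair, and the three verdict names are assumptions of this example.

```python
import re

# Domain preauthorization RADIUS user profile, copied from this page's example.
PROFILE = """user = nas-port:10.9.9.9:0/0/0/30.33{
profile_id = 826
profile_cycle = 1
radius=Cisco {
check_items= {
2=cisco
}
reply_attributes= {
9,1="vpdn:vpn-domain-list=net1.com,net2.com"
6=5
}
}
}"""

def parse_profile(text):
    """Return (nas_port_key, allowed_domains) from a preauthorization profile."""
    user = re.search(r'^user\s*=\s*(nas-port:[^\s{]+)', text, re.M)
    if not user:
        raise ValueError("profile has no nas-port user key")
    avpair = re.search(r'^\s*9,1="vpdn:vpn-domain-list=([^"]*)"', text, re.M)
    raw = avpair.group(1).split(",") if avpair else []
    # In this example a profile without the AV pair yields an empty allow list.
    return user.group(1), frozenset(d.strip().lower() for d in raw if d.strip())

def domain_of(ppp_name):
    """Domain substring of an unauthenticated PPP name, or None if absent."""
    _, sep, domain = ppp_name.rpartition("@")
    return domain.lower() if sep and domain else None

def preauthorize(ppp_name, allowed):
    """Assumed model of the filter: 'permit', 'deny' or 'no-domain'."""
    domain = domain_of(ppp_name)
    if domain is None:
        return "no-domain"  # left to the caller; IOS handling is not modelled
    return "permit" if domain in allowed else "deny"

NAS_PORT, ALLOWED = parse_profile(PROFILE)

if __name__ == "__main__":
    # Constructed PPP names; example.com is not in the profile's domain list.
    for name in ("user1@net1.com", "user1@NET2.COM", "user1@example.com", "user1"):
        print(NAS_PORT, name, "->", preauthorize(name, ALLOWED))
```

Running the verdicts against usernames taken from accounting records shows which sessions on a given NAS port would fall outside the profile's domain list.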
vpn service
To configure a static domain name, use the vpn service command in ATM VC, ATM VC class or VC class configuration mode or in PVC range configuration mode. To remove a static domain name, use the no form of this command.
vpn service domain-name [replace-authen-domain]
no vpn service domain-name [replace-authen-domain]
Syntax Description
Defaults
No default behavior or values
Command Modes
ATM VC configuration
ATM VC class configuration
PVC range configuration
Command History
Usage Guidelines
Use the vpn service command in a permanent virtual circuit (PVC), VC class configuration, or PVC range configuration so that PPP over ATM (PPPoA) or PPP over Ethernet over ATM (PPPoEoA) sessions in those PVCs will be forwarded according to the domain name supplied, without starting PPP.
To replace the VPN service domain name with the domain name from the username during preauthentication, use this command with the replace-authen-domain keyword, in conjunction with the vpdn authen-before-forward command.
Examples
In the following partial example, VPDN group 1 is selected for PPPoA session forwarding based on the domain name example.com:
vpdn-group 1
 request-dialin
  protocol l2tp
  domain example.com
 initiate-to ip 10.1.1.1 priority 1
...
interface ATM1/0.1 multipoint
 pvc 101
  encapsulation aal5mux ppp virtual-Template 1
  vpn service example.net

In the following partial example using the replace-authen-domain keyword, the domain field is replaced by the domain name during preauthentication:
vpdn-group 1
 request-dialin
  protocol l2tp
  domain example.net
 authen-before-forward
 initiate-to ip 10.1.1.1 priority 1
...
interface atm 4/0
 ip address 3.0.0.2 255.255.0.0
 pvc 1/20
  encapsulation aal5mux ppp virtual-Template 1
  vpn service example.net replace-authen-domain

Related Commands
Command                       Description
vpdn authen-before-forward    Enables authentication of all dial-in L2TP sessions before the sessions are forwarded to the tunnel server (global preauthentication).