Configuring ISG Network Forwarding Policies

Intelligent Services Gateway (ISG) is a Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. An ISG network forwarding policy is a type of traffic policy that allows packets to be routed or forwarded to and from an upstream network. This module provides information about how to configure network forwarding policies.

Restrictions for ISG Network Forwarding Policies

A service can contain only one network forwarding policy.

For each subscriber session, only one instance of a network forwarding policy can be in effect at any one time.

Information About ISG Network Policies

Network Policies

For subscriber packets to reach a network, some form of forwarding must be specified for a subscriber session. A traffic policy that allows packets to be routed or forwarded to and from an upstream network is known as a network forwarding policy .

Where the network forwarding policy type is routing, forwarding decisions are made at Layer 3, and a VRF (Virtual Routing and Forwarding) identifier must be specified to indicate which routing table should be used to make the routing decision (each VRF represents an independent routing context within a single router). Where the network policy type is forwarding, forwarding decisions are made at Layer 2, which means that all subscriber packets are forwarded to and from a single virtual endpoint within the system. This virtual endpoint represents a Layer 2 tunnel, and a tunnel identifier determines which tunnel should be used. If a network forwarding policy is not specified, the global routing table will be used to route traffic.

An ISG service that includes a network forwarding policy is known as a primary service . Primary services are mutually exclusive and may not be active simultaneously. Upon activation of a new primary service, ISG will deactivate the existing primary service and any other services dependent on the existing primary service through association with a service group.

Configuration Sources for Network Policies

Network policies can be configured in user profiles and service profiles on an external authentication, authorization, and accounting (AAA) server or in service policy maps on the ISG-enabled device. A network forwarding policy configured in a user profile takes precedence over a network forwarding policy specified in a service.

If a network forwarding policy is not specified in a user profile or service, the ISG session will inherit the network service from another source. ISG can inherit a network service from the following sources:

  • Global

  • Interface

  • Subinterface

  • Virtual template

These configuration sources are listed in order of precedence. For example, a network forwarding policy that is configured for a virtual template takes precedence over a network forwarding policy that is configured on an interface.

For each subscriber session, only one instance of a network forwarding policy can be in effect at any point in time.

How to Configure ISG Network Policies

Configuring Network Policies for PPP Sessions in Service Policy Maps

Network policies can be configured in user profiles or service profiles on an external AAA server or in a service policy map on the ISG device. Perform this task to configure a network forwarding policy for PPP sessions in a service policy map on the ISG device.


Note

If a network forwarding policy is not specified in a user profile, service profile, or service policy map, a subscriber session will inherit the network forwarding policy from another source. See the "Configuration Sources for Network Policies" section for more information.

Before you begin

This task assumes that virtual private dial up network (VPDN) groups have been configured.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. policy-map type service policy-map-name
  4. Do one of the following:
    • service vpdn group vpdn-group-name
    • service local
    • service relay pppoe vpdn group vpdn-group-name
  5. ip vrf forwarding name-of-vrf

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

policy-map type service policy-map-name

Example:


Router(config)# policy-map type service service1

Creates or modifies a service policy map, which is used to define an ISG service.

Step 4

Do one of the following:

  • service vpdn group vpdn-group-name
  • service local
  • service relay pppoe vpdn group vpdn-group-name

Example:


Router(config-service-policymap)# service vpdn group vpdn1

Example:


Router(config-service-policymap)# service local

Example:


Router(config-service-policymap)# service relay pppoe vpdn group vpdn1

Provides virtual private dialup network (VPDN) service.

or

Provides local termination service.

or

Provides VPDN service by relaying PPPoE over VPDN L2TP tunnels.

  • If you terminate the service locally by configuring the service local command, you can also specify the routing domain in which to terminate the session by configuring the ip vrf forwarding command.

Step 5

ip vrf forwarding name-of-vrf

Example:


Router(config-service-policymap)# ip vrf forwarding blue

Associates the service with a VRF.

  • Perform this step only if you configured the service local command in Step 4. If you configured the service local command, you can use theip vrf forwarding command to specify the routing domain in which to terminate session. If you do not specify the routing domain, the global VRF will be used.

What to Do Next

You may want to configure a method of activating the service policy map; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services".

Configuring Network Policies for IP Sessions in Service Policy Maps

Network policies can be configured in user profiles or service profiles on an external AAA server or in a service policy map on the ISG device. Perform this task to configure a network forwarding policy for IP sessions in a service policy map on the device.


Note

If a network forwarding policy is not specified in a user profile, service profile, or service policy map, a subscriber session will inherit the network forwarding policy from another source. See the "Configuration Sources for Network Policies" section for more information.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. policy-map type service policy-map-name
  4. ip vrf forwarding name-of-vrf
  5. sg-service-type primary

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

policy-map type service policy-map-name

Example:


Router(config)# policy-map type service service1

Creates or modifies a service policy map, which is used to define an ISG service.

Step 4

ip vrf forwarding name-of-vrf

Example:


Router(config-service-policymap)# ip vrf forwarding blue

Associates the service with a VRF.

Step 5

sg-service-type primary

Example:


Router(config-service-policymap)# sg-service-type primary

Defines the service as a primary service.

  • A primary service is a service that contains a network forwarding policy. A primary service must be defined as a primary service by using the sg-service-type primary command. Any service that is not a primary service is defined as a secondary service by default.

What to Do Next

You may want to configure a method of activating the service policy map or service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services".

Configuration Examples for ISG Network Policies

Network Forwarding Policy for PPP Sessions Example

The following example shows a service policy map configured with a network forwarding policy for PPP sessions: 


policy-map type service my_service
 service vpdn group vpdn1

Network Forwarding Policy for IP Sessions Example

The following example shows a service policy map configured with a network forwarding policy for IP sessions: 


policy-map type service my_service
 ip vrf forwarding vrf1

Additional References

Related Documents

Related Topic

Document Title

ISG commands

Cisco IOS Intelligent Services Gateway Command Reference

VPDN configuration tasks

Cisco IOS VPDN Technologies Configuration Guide

PPP and VPDN commands

Cisco IOS VPDN Technologies Command Reference

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for ISG Network Policies

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for ISG Network Forwarding Policies

Feature Name

Releases

Feature Configuration Information

ISG: Network Interface: IP Routed, VRF-Aware MPLS

Cisco IOS XE Release 2.2

ISG supports multiple forwarding types to connect sessions to networks. These connections can be to the Internet, corporate intranets, ISPs, or walled gardens for content delivery. ISG supports both routed and MPLS-enabled interfaces for network access.

ISG: Network Interface: Tunneled (L2TP)

Cisco IOS XE Release 2.2

ISG is flexible to support multiple interface types to connect sessions to networks. These connections can be to the Internet, corporate intranets, ISPs or walled gardens for content delivery. ISG supports tunneled interfaces to networks.