An ISG service is a collection of policies that may be applied to a subscriber session. ISG services can be applied to any session, regardless of subscriber access media or protocol, and a single service may be applied to multiple sessions. An ISG service is not necessarily associated with a destination zone or a particular uplink interface.

Services can be defined in two ways: in a service policy map that is configured on the ISG device by using the CLI, and in a service profile that is configured on an external device, such as an authentication, authorization, and accounting (AAA) server. Although they are configured differently, service policy maps and service profiles serve the same purpose: they contain a collection of traffic policies and other functionality that can be applied to a subscriber session. Traffic policies determine which functionality will be applied to which session traffic. A service policy map or service profile may also contain a network-forwarding policy, a specific type of traffic policy that determines how session data packets will be forwarded to the network.

When a network-forwarding policy is included in a service profile or service policy map, the service is known as a primary service . Primary services are mutually exclusive and may not be simultaneously active. Upon activation of a new primary service, ISG will deactivate the existing primary service and any other services dependent on the existing primary service through association with a service group.

If a primary service is deactivated, sessions may be left without a network-forwarding policy, that is, with no means to route or forward packets. A policy may be applied to defend against this condition such that a specific service is activated upon deactivation of all others (or all other primary services). This backup service would return network-forwarding policy to the session and allow the subscriber to reach a web portal. However, it should be noted that an IP session will not be automatically terminated when all services are deactivated unless such a policy has been defined and applied.

ISG traffic classes provide differentiated behavior for different traffic streams to and from a particular subscriber. Each traffic stream is represented by a classification and a set of applied features. A traffic class, also known as a flow, is a kind of service.

For traffic to be classified into streams, you must specify an access control list (ACL) that classifies the traffic and the direction of the traffic to which the ACL applies (inbound or outbound). Optionally, the priority of the traffic class can also be specified. Traffic that meets the specifications of a traffic class is said to match the traffic class. Once a match is made, features defined in the traffic policy are executed for that traffic class.

The priority of a traffic class determines which class is used first for a specified match if more than one traffic policy has been activated for a single session. In other words, if a packet matches more than one traffic class, it is classified to the class with the higher priority.

Packets that do not match any of the ACLs are considered part of the default traffic class and are processed as if a traffic policy was not applied to the session. A default class exists for every service. The default action of the default class is to pass traffic, or the default class can be configured to drop traffic. Default traffic is accounted for in the main session accounting. A service can contain one traffic class and one default class.

ISG traffic classes are created dynamically, either at session start or later during the life of the session, when a service with a classification (the class definition of the service contains at least one named or numbered ACL) is applied to a session. A service with a classification is called a flow service. A service without a classification is called a classless service.

Traffic classes are assigned unique identifiers that can be tracked with Cisco IOS show commands.

In Cisco IOS XE Release 3.3S and later releases, separate sessions are no longer created for each traffic class; the traffic class is handled as a flow within the parent subscriber session.

A flow, or traffic class, represents a subset of subscriber traffic identified by a pair of class identifiers. Each class identifier, or classifier, represents a single class or a directional flow. Traffic can have a classifier in either or both directions. If there is no classifier in a particular direction, traffic in that direction is not subjected to the flow.

The ISG classifier is responsible for managing and enforcing classifiers and the corresponding policies associated with ISG subscriber sessions, also called targets. Each ISG subscriber session can have one or more classifiers associated with it. The different classifiers that can be associated with a subscriber session are:

• Match-Always Classifier—Identifies the entire traffic of a target in a particular direction. A target may have only one match-always classifier in each direction.

• Flow Classifier—Identifies a subset of traffic of a target in a particular direction. A target may have any number of flow classifiers in each direction.

• Default Classifier—Identifies the traffic of a target that does not match any of the flow classifiers in a particular direction. A target may have only one default classifier in each direction.

A set of features represent a policy attached to a classifier. Two classifiers on a target may have the same policy or different policies attached to it. ISG, however, considers the policy of each classifier to be independent of the other classifiers on a target.

The priority defines the order in which a packet should be subjected to classifiers when multiple classifiers are associated with a target. If no priority is defined, the default value of 0 is assumed and the following rules are used to provide the highest possible classification match:

• order of matching

• priority 0 (or not defined )

• priority 1

• priority 2

• ….

Note	If two classifiers have the same priority, the order of association to the subscriber session is the differentiator. It is not recommended to use this method, as different delays can occur in bringing up a service and may cause an incorrect classification.

Traffic policies define the handling of data packets. A traffic policy contains a traffic class and one or more features. Whereas you can specify the event that will trigger an ISG control policy, the trigger for a traffic policy is implicit--the arrival of a data packet.

The features configured within a traffic policy apply only to the traffic defined by the traffic class. Multiple traffic policies with various features can be applied to a session.

An ISG feature is a functional component that performs a specific operation on a session’s data stream. A feature may or may not be associated with a traffic class. However, once associated with a traffic class, a feature can be applied only to the packets that match that traffic class. Otherwise, the feature is applied to all packets for that session.

The figure below shows how features apply to a subscriber session and to traffic flows within the session.

Note

Two or more services that specify the same feature and apply to the entire session rather than to a specified traffic flow should not be activated for a session simultaneously. If two or more of these services are activated for a session, deactivation of one of the services will remove the feature from the session. If you need to offer to a subscriber multiple services that specify the same feature and apply to the session rather than a specific flow, configure the services so that they are mutually exclusive. That is, the subscriber should not be able to activate more than one such service at the same time. Similarly, control policies should not activate more than one such service at the same time.

A service group is a grouping of services that may be simultaneously active for a given session. Typically, a service group includes one primary service and one or more secondary services.

Secondary services in a service group are dependent on the primary service and should not be activated unless the primary service is already active. Once a primary service has been activated, any other services that reference the same group may also be activated. Services that belong to other groups, however, may be activated only if they are primary. If a primary service from another service group is activated, all services in the current service group will also be deactivated because they have a dependency on the previous primary service.

There are three methods by which services can be activated:

• Automatic service activation

• Control policy service activation

• Subscriber-initiated service activation

class-map type control match-all SERVICE1_CHECK
   match service-name SERVICE1
policy-map type control SERVICE1_CHECK event service-start
   1 service-policy type service name SERVICE1

An ISG traffic policy contains a traffic class and one or more ISG features. The traffic class defines the traffic to which the features will be applied. Perform the following tasks to configure an ISG service with a traffic policy on the router:

There are three ways that ISG subscriber services can be activated: by specifying the service as an automatic activation service in a subscriber’s user profile, by configuring control policies to activate the service, and by a subscriber-initiated service logon. No special configuration is necessary to enable a subscriber to log on to a service.

To configure a service for automatic activation and to configure control policies to activate services, perform the following tasks: