Cisco IOS XE Intelligent Services User Manual

Configuring ISG Control Policies
Configuration Examples for ISG Control Policies
Time remaining is 00:02:40
Configuration sources associated with this session:
Interface: Virtual-Template1, Active Time = 00:09:19
Control Policy for Restricting Access on the Basis of Interface and Access Media: Example
This example shows how to configure a control policy to allow access only to users who enter the router
from a particular interface and access type. In this case, only PPPoE users will be allowed; everyone else
is barred.
The first condition class map “MATCHING-USERS” evaluates true only if all of the lines within it also
evaluate true; however, within “MATCHING-USERS” is a nested class map (second condition),
“NOT-ATM”. This nested class map represents a subcondition that must also evaluate to true. Note that
the class map “NOT-ATM” specifies “match-none”. This means that “NOT-ATM” evaluates to true only
if every condition line within it evaluates to false.
The third condition specifies matching on the NAS port associated with this subscriber. Specifically,
only subscribers that arrive on a Gigabit Ethernet interface and on slot 3 will evaluate to true.
! Configure the control class maps.
class-map type control match-all MATCHING-USERS
 class type control NOT-ATM
 match media ether
 match nas-port type ether slot 3
!
class-map type control match-none NOT-ATM
 match media atm
!
If the conditions in the class map “MATCHING-USERS” evaluate to true, the first action to be executed
is to authenticate the user. If authentication is successful, the service named “service1” will be
downloaded and applied. Finally, a Layer 3 service is provided.
If “MATCHING-USERS” is not evaluated as true, the “always” class will apply, which results in barring
anyone who does not match “MATCHING-USERS”.
! Configure the control policy map.
policy-map type control my-pppoe-rule
 class type control MATCHING-USERS event session-start
  1 authenticate aaa list XYZ
  2 service-policy type service service1
  3 service local
 !
 class type control always
  1 service disconnect
 !
Finally, the policy is associated with an interface.
! Apply the control policy to an interface.
interface gigabitethernet3/0/0
 service-policy type control my-pppoe-rule
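The class-map evaluation described in this example, modelled in Python as an added illustration (it is not Cisco code and not part of the manual): it shows which constructed sessions reach the authenticate actions and which fall through to the "always" class. The session attribute names (media, nas_port_type, slot) and the first-matching-class ordering are assumptions of this model, taken from the description above.

```python
# Added model of the example's class maps; attribute names are assumptions.
CLASS_MAPS = {
    "MATCHING-USERS": ("match-all", [
        ("class", "NOT-ATM"),                        # nested class map
        ("media", "ether"),
        ("nas-port", {"type": "ether", "slot": 3}),
    ]),
    "NOT-ATM": ("match-none", [("media", "atm")]),
}

# Ordered classes of my-pppoe-rule for the session-start event.
POLICY = [
    ("MATCHING-USERS", ["authenticate aaa list XYZ",
                        "service-policy type service service1",
                        "service local"]),
    ("always", ["service disconnect"]),
]

def line_matches(line, session):
    kind, arg = line
    if kind == "class":
        return class_matches(arg, session)
    if kind == "media":
        return session["media"] == arg
    if kind == "nas-port":
        return (session["nas_port_type"] == arg["type"]
                and session["slot"] == arg["slot"])
    raise ValueError(f"unknown condition: {kind}")

def class_matches(name, session):
    if name == "always":
        return True
    mode, lines = CLASS_MAPS[name]
    results = [line_matches(l, session) for l in lines]
    # match-all: every line true; match-none: every line false.
    return all(results) if mode == "match-all" else not any(results)

def actions_for(session):
    """Return the actions of the first class that matches (auth outcome not modelled)."""
    return next(acts for cls, acts in POLICY if class_matches(cls, session))

# Constructed sample sessions, not taken from a real device.
SESSIONS = {
    "ether-slot3": {"media": "ether", "nas_port_type": "ether", "slot": 3},
    "ether-slot2": {"media": "ether", "nas_port_type": "ether", "slot": 2},
    "atm-slot3":   {"media": "atm",   "nas_port_type": "atm",   "slot": 3},
}

if __name__ == "__main__":
    for name, s in SESSIONS.items():
        print(name, "->", actions_for(s))
```

Only the Ethernet session on slot 3 selects the authenticate sequence; every other session selects "service disconnect", which is the default-deny behaviour the "always" class is there to provide.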
