RADIUS-Based Policing
Configuring Per-Service Policing on the RADIUS Server
To use RADIUS to set the policing rate for a subscriber service, configure the following Cisco VSAs in
the service profile on RADIUS:
vsa cisco generic 1 string "qos-policy-out=add-class(sub,(class-list), shape(rate))"
vsa cisco generic 1 string "qos-policy-out=add-class(sub,(class-list), police(rate))"
When the ISG receives a RADIUS Access-Accept or change of authentication (CoA) message with these
VSAs included, the ISG copies the originally configured policy map that is active on the session and
changes the policing rate of the traffic class specified in the class-list field. The ISG makes changes only
to the transient policy and applies the transient policy to the subscriber service; no changes are made to
the original policy map.
Note: Per-service policing does not apply to the parent class-default class.
For more information, see the “RADIUS Attributes” section.
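The copy-and-modify behavior described above can be modeled offline to check a VSA value before it is placed in a service profile. The following is an added example, not Cisco code and not part of the original document. The nested-dictionary policy model, the function names, the sample rates, and the reading of the class list as a parent-to-child path are assumptions.

```python
import copy
import re

# Value layout as shown in this document:
#   qos-policy-out=add-class(sub,(class-list),action(args))
VSA_RE = re.compile(
    r"^qos-policy-out=add-class\(sub,\s*\((?P<classes>[^()]+)\),\s*"
    r"(?P<action>[a-z-]+)\((?P<args>[^()]*)\)\)$"
)

# Constructed sample: simplified model of the policy map configured on the
# session (hypothetical structure; rates are illustrative only).
CONFIGURED = {"class-default": {"shape": 1000000, "children": {
    "voip": {"police": 100000, "children": {}}}}}

def parse_add_class(value):
    """Split an add-class VSA value into class list, action and arguments."""
    m = VSA_RE.match(value.strip())
    if m is None:
        raise ValueError("not a qos-policy-out add-class value: %r" % value)
    return {
        "classes": [c.strip() for c in m.group("classes").split(",")],
        "action": m.group("action"),
        "args": [a.strip() for a in m.group("args").split(",") if a.strip()],
    }

def apply_rate(configured, value):
    """Return a transient copy with the new rate; 'configured' is not modified."""
    req = parse_add_class(value)
    if req["action"] not in ("police", "shape"):
        raise ValueError("not a rate change: " + req["action"])
    # The Note above: per-service policing does not apply to parent class-default.
    if req["action"] == "police" and req["classes"] == ["class-default"]:
        raise ValueError("policing does not apply to the parent class-default")
    if not req["args"] or not re.fullmatch(r"[0-9]+", req["args"][0]):
        raise ValueError("rate must be a non-negative integer")
    transient = copy.deepcopy(configured)   # original policy map stays as is
    level, node = transient, None
    for name in req["classes"]:             # assumption: list runs parent -> child
        if name not in level:
            raise ValueError("class not in configured policy: " + name)
        node = level[name]
        level = node["children"]
    node[req["action"]] = int(req["args"][0])
    return transient
```
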
Configuration Examples for RADIUS-Based Policing
This section provides the following configuration examples:
• Adding Parameterization of QoS ACLs: Example
• Setting the Policing Rate Using an Access-Accept Message: Examples
• Setting the Policing Rate Using a CoA Message: Examples
Adding Parameterization of QoS ACLs: Example
The following example shows how to parameterize the source and destination IP addresses, using the
set-src-dst-ip-in-acl parameter, through CoA or Access-Accept messages. The parameterized QoS
service is added in the following RADIUS form:
VSA252 0b q-p-out=IPOne(1)((c-d,voip)13(201.10.1.0/28,202.3.20/29))
! The above command activates the service in a CoA message.
vsa cisco generic 1 string "qos-policy-out=add-class(sub,(class-default,voip),set-src-dst-ip-in-acl(10.10.1.0/28,10.3.20/29))"
! The above command activates the service in an Access-Accept message.
The Cisco ASR 1000 Series Router is configured as follows:
ip access-list extended IPOne-acl
 remark Voice-GW
 permit ip host 10.0.1.40 any
!
class-map match-any voip
 match access-group name IPOne-acl
!
class-map type traffic match-any IPOne
 match access-group output name IPOne-acl
 match access-group input name IPOne-acl
!
!