[cisco-bba] Rate Limiting / Load Balancing Radius Requests

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Mar 17 09:45:37 EST 2005


> We have a number of 7200G and G1s which are being used as LNSes and
> BRASes.
> 
> We also have an electricity company which can't keep a steady supply
> of electricity going for more than a week or two.
> 
> When there's a brownout, several thousand (sometimes a few thousand,
> sometimes over ten thousand) clients drop off suddenly, and then their
> modems / routers try to reconnect suddenly.
> 
> This causes the BRAS / LNS to send a flood of radius requests to the
> radius servers. Various bad things happen, including there being more
> than 256 requests at a time causing the radius-id to overflow, along
> with load issues on the radius servers, and clients who get auth
> timeouts.
> 
> Anyone know if there's an effective way of rate-limiting the number of
> radius authentication requests sent on the LNS / BRAS - eg to a max of
> 50 or 100 per second - or getting the LNS / BRAS to load balance
> radius requests to multiple servers, rather than waiting for the
> first one to die / timeout?

Couple of points:

- enable radius extended ports to allow for more than 256 simultaneous
outstanding requests ("radius-server source-ports extended")
- increase hold-queue on your Interface towards the radius server (in
case you drop incoming replies, reported as drops in "show int")
- rate-limit/police the Radius traffic (many customers do this in front
of their Radius server according to its performance) to prevent
overloading the Radius server

On some platforms (ex: 10k) we can use Call Admission Control to stop
accepting any new connections when the CPU load is too high. But quite
often the Radius server infrastructure is the limiting factor in these
situations.

	oli
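As an added illustration that is not code from the list or from Cisco, the Python below models the one-octet RADIUS Identifier (RFC 2865) behind the 256-outstanding-request problem, and the two mitigations the reply names: spreading requests over more source ports, and capping how many authentication requests leave per second. The client count, port numbers and server reply delay are constructed values.

```python
from collections import deque

RADIUS_ID_SPACE = 256  # RFC 2865 Identifier field is one octet


class IdentifierPool:
    """Free (source_port, identifier) pairs; each UDP source port adds 256 slots."""

    def __init__(self, source_ports):
        self.free = deque((p, i) for p in source_ports for i in range(RADIUS_ID_SPACE))

    def acquire(self):
        return self.free.popleft() if self.free else None

    def release(self, slot):
        self.free.append(slot)


def simulate(clients, source_ports, max_per_sec, server_delay_sec):
    """Model a reconnect storm: `clients` auth requests are queued at t=0.

    Each second the NAS may send at most `max_per_sec` requests (None means no
    cap); the RADIUS server answers after `server_delay_sec`, freeing the slot.
    A request that finds no free identifier is counted as failed, standing in
    for the identifier wrap/overflow the thread describes.
    Returns the failure count and the peak number of requests in flight.
    """
    pool = IdentifierPool(source_ports)
    pending, no_id, peak, t = clients, 0, 0, 0
    in_flight = deque()  # (reply_time, slot), ordered because delay is constant
    while pending or in_flight:
        while in_flight and in_flight[0][0] <= t:   # replies arrive, slots free up
            pool.release(in_flight.popleft()[1])
        budget = pending if max_per_sec is None else min(pending, max_per_sec)
        for _ in range(budget):
            slot = pool.acquire()
            if slot is None:
                no_id += 1                             # identifier space exhausted
            else:
                in_flight.append((t + server_delay_sec, slot))
            pending -= 1
        peak = max(peak, len(in_flight))
        t += 1
    return {"no_identifier": no_id, "peak_outstanding": peak, "seconds": t}


if __name__ == "__main__":
    storm = 10000                                  # constructed: clients reconnecting at once
    print("one port, no cap   :", simulate(storm, [1645], None, 2))
    print("50 ports, no cap   :", simulate(storm, range(1645, 1695), None, 2))
    print("one port, 100/s cap:", simulate(storm, [1645], 100, 2))
```

With a single source port and no cap, almost the whole storm fails for lack of identifiers; either extended ports or a 100/s cap keeps the in-flight count inside the 256 window, though the cap makes the storm take about 100 seconds to drain.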
