<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2873" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2><SPAN class=426554500-13092007>Hi
There...</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=426554500-13092007></SPAN></FONT> </DIV>
<DIV><SPAN class=426554500-13092007></SPAN><FONT face=Arial><FONT size=2><SPAN
class=426554500-13092007>I work for a service provider and </SPAN>I'<SPAN
class=426554500-13092007>m</SPAN> trying to load balance four of our radius
servers using IOS SLB. The config works well and the radius servers are
accepting requests fine. </FONT></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=426554500-13092007>We
are implementing IOS SLB on our CISCO 7606 running IOS 12.2(17r)S2. Our LNS
servers at the moment directly talk to the radius servers but eventually they'll
just make a request to the virtual server IP set up on the 7606 and
the IOS SLB will work out which radius server to forward the
request to.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=426554500-13092007></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2>I follow<SPAN class=426554500-13092007>ed</SPAN>
this article<SPAN class=426554500-13092007> on how to set up the IOS SLB config
but have a few questions about some of the settings.</SPAN><BR><BR></FONT><A
href="http://www.cisco.com/application/pdf/en/us/guest/netsol/ns377/c649/cdccont_0900aecd800eb95f.pdf"><FONT
face=Arial color=#003399
size=2>http://www.cisco.com/application/pdf/en/us/guest/netsol/ns377/c649/cdccont_0900aecd800eb95f.pdf</FONT></A><FONT
face=Arial size=2> <BR><BR>My two questions are: <BR><BR><STRONG>1. Sticky
Option </STRONG><BR><BR>I understand it's used to make sure the client's
accounting information goes to the correct real server, but I'm not sure how it
really works and what's the best time to set it to<SPAN
class=426554500-13092007>.</SPAN><BR><BR>Eg:<BR><BR>
ip slb vserver RAD-UDP-1646<BR>
virtual 210.x.x.224 udp 1646<BR>
serverfarm RADFARM<BR>
sticky 86400 group 10<BR>
inservice<BR><BR>
a/ The documentation says "This configuration causes the
sticky database to store its entries for 86,400 seconds of inactivity". What do
they mean by "inactivity" - no radius packets coming through? inactivity from
the user's end?<SPAN class=426554500-13092007>???</SPAN><BR><BR>b/ It also says
"the client's IP address is added to the IOS SLB database..." - <SPAN
class=426554500-13092007>I presume this is the LNS IP as seen
below</SPAN>?</FONT></DIV>
<DIV><SPAN class=426554500-13092007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><PRE>core1-router#sh ip slb sticky | inc 203.x.x.74
ip/netmask          id    conns   server real       firewall real
------------------------------------------------------------------------------
203.x.x.204/32      10    2       203.x.x.74
</PRE></DIV>
<DIV><SPAN class=426554500-13092007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN class=426554500-13092007>Because there
is a sticky in place for the LNS IP, wouldn't this mean that all new
connections coming from users yet to log on, who happen to land on this LNS
(203.<SPAN class=426554500-13092007>x</SPAN>.<SPAN
class=426554500-13092007>x</SPAN>.<SPAN class=426554500-13092007>204)
-</SPAN> the new radius requests would simply be forwarded to the real server
IP (203.<SPAN class=426554500-13092007>x</SPAN>.<SPAN
class=426554500-13092007>x</SPAN>.74) as defined in the sticky database??? This
doesn't seem to be a good way to load balance in which the LNS keeps
sending radius requests (new and old) to the same real server based on its
sticky database entry.<BR></SPAN><BR>c/ And what would be the optimum time to
set the sticky timer to be? <BR><BR><STRONG>2. SLB connection
statistics </STRONG><BR><BR><SPAN class=426554500-13092007>My testing shows
that when I disconnect my adsl connection</SPAN>, the slb stats still
show <SPAN class=426554500-13092007>a</SPAN> connect<SPAN
class=426554500-13092007>ion</SPAN> to <SPAN
class=426554500-13092007>t</SPAN>he real server <SPAN
class=426554500-13092007>on </SPAN>both udp ports which isn't very
accurate. <SPAN class=426554500-13092007>I know that there </SPAN>is a
default "delay" time which handles TCP disconnections and after being
disconnected for 10 sec, the SLB stats are updated to reflect this (I've
verified this works)<SPAN class=426554500-13092007> </SPAN>- but <SPAN
class=426554500-13092007>there is </SPAN>no<SPAN class=426554500-13092007>
mention</SPAN> about how it handles UDP disconnections??? This would skew the
stats and give us a very bad misrepresentation of the number of current and
valid connections. Is there any way to correct this<SPAN
class=426554500-13092007> </SPAN>??? </FONT></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=426554500-13092007>Below is what
my slb stats show while my ADSL connection is connected (I'm ok with
this) and it shows exactly the same thing after I've
disconnected.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=426554500-13092007></SPAN></FONT> </DIV>
<DIV><PRE>core1-router#sh ip slb reals
real                farm name        weight   state          conns
-------------------------------------------------------------------
203.x.x.74          RADFARM          2        OPERATIONAL    2
203.x.x.78          RADFARM          2        OPERATIONAL    0
203.x.x.79          RADFARM          2        OPERATIONAL    0
203.x.x.80          RADFARM          2        OPERATIONAL    0
</PRE></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><PRE>core1-router#sh ip slb vservers
slb vserver      prot   virtual                 state         conns   interface(s)
--------------------------------------------------------------------------------------
RAD-UDP-1645     UDP    210.x.x.224/32:1645     OPERATIONAL   1       &lt;any&gt;
RAD-UDP-1646     UDP    210.x.x.224/32:1646     OPERATIONAL   1       &lt;any&gt;
</PRE></DIV>
<DIV><PRE>core1-router#sh ip slb sticky | inc 203.x.x.74
ip/netmask          id    conns   server real       firewall real
------------------------------------------------------------------------------
203.x.x.204/32      10    2       203.x.x.74
</PRE></DIV>
<DIV><FONT face=Arial size=2>Thanks. <BR><BR>Andy</FONT><FONT face=Arial
size=2></FONT></DIV></BODY></HTML>