L through R
Available Languages
Table Of Contents
maxconns (firewall farm datagram protocol)
maxconns (firewall farm TCP protocol)
mls ip reflexive ndr-entry tcam
platform trace runtime process forwarding-manager module wccp
predictor hash address (firewall farm)
probe (firewall farm real server)
purge radius framed-ip acct on-off
purge radius framed-ip acct stop
replicate casa (firewall farm)
replicate casa (virtual server)
replicate interval (firewall farm)
replicate interval (virtual server)
replicate slave (firewall farm)
replicate slave (virtual server)
lookup
To configure an IP address of a real server that a Domain Name System (DNS) server should supply in response to a domain name resolve request, use the lookup command in DNS probe configuration mode. To remove an IP address from the expected list, use the no form of this command.
lookup ip-address
no lookup ip-address
Syntax Description
ip-address
IP address of a real server that a DNS server should supply in response to a domain name resolve request.
Defaults
No lookup IP address is configured.
Command Modes
DNS probe configuration (config-slb-probe)
Command History
Examples
The following example configures a DNS probe named PROBE4, enters DNS probe configuration mode, and specifies 10.1.10.1 as the IP address to resolve:
Router(config)# ip slb probe PROBE4 dnsRouter(config-slb-probe)# lookup 10.1.10.1Related Commands
ip slb probe dns
Configures a DNS probe name and enters DNS probe configuration mode.
show ip slb probe
Displays information about an IOS SLB probe.
manager (DFP agent)
This command has been removed. Its function is now performed by the ip dfp agent global configuration command, and by the following DFP agent configuration commands:
•
inservice (DFP agent)
•
•
•
See the description of these commands for more information.
maxclients
To specify the maximum number of IOS Server Load Balancing (IOS SLB) RADIUS and GTP sticky subscribers that can be assigned to an individual virtual server, use the maxclients command in real server configuration mode. To remove the limit, use the no form of this command.
maxclients maximum-number
no maxclients
Syntax Description
Defaults
There is no limit on the number of IOS SLB RADIUS and GTP sticky subscribers that can be assigned to an individual virtual server.
Command Modes
Real server configuration (config-slb-real)
Command History
Examples
The following example specifies that up to 10 IOS SLB RADIUS sticky subscribers can be assigned to an individual real server:
Router(config-slb-real)# maxclients 10Related Commands
ip slb route
Enables IOS SLB to inspect packets for RADIUS framed-IP sticky routing.
show ip slb sticky
Displays the IOS SLB sticky database.
maxconns (firewall farm datagram protocol)
To limit the number of active datagram connections to the firewall farm, use the maxconns command in firewall farm datagram protocol configuration mode. To restore the default of 4294967295, use the no form of this command.
maxconns maximum-number
no maxconns
Syntax Description
maximum-number
Maximum number of simultaneous active datagram connections using the firewall farm. Valid values range from 1 to 4294967295. The default is 4294967295.
Defaults
The default maximum number of simultaneous active datagram connections using the firewall farm is 4294967295.
Command Modes
Firewall farm datagram protocol configuration (config-slb-fw-udp)
Command History
Examples
The following example limits the real server to a maximum of 1000 simultaneous active connections:
Router(config)# ip slb firewallfarm FIRE1Router(config-slb-fw)# protocol datagramRouter(config-slb-fw-udp)# maxconns 1000Related Commands
maxconns (firewall farm TCP protocol)
To limit the number of active TCP connections to the firewall farm, use the maxconns command in firewall farm TCP protocol configuration mode. To restore the default of 4294967295, use the no form of this command.
maxconns maximum-number
no maxconns
Syntax Description
maximum-number
Maximum number of simultaneous active TCP connections using the firewall farm. Valid values range from 1 to 4294967295. The default is 4294967295.
Defaults
The default maximum number of simultaneous active TCP connections using the firewall farm is 4294967295.
Command Modes
Firewall farm TCP protocol configuration (config-slb-fw-tcp)
Command History
Examples
The following example limits the real server to a maximum of 1000 simultaneous active connections:
Router(config)# ip slb firewallfarm FIRE1Router(config-slb-fw)# protocol tcpRouter(config-slb-fw-tcp)# maxconns 1000Related Commands
maxconns (server farm)
To limit the number of active connections to the real server, use the maxconns command in SLB server farm configuration mode. To restore the default of 4294967295, use the no form of this command.
maxconns maximum-number [sticky-override]
no maxconns
Syntax Description
Defaults
The default maximum number of simultaneous active connections on the real server is 4294967295.
Command Modes
SLB server farm configuration (config-slb-real)
Command History
Examples
The following example limits the real server to a maximum of 1000 simultaneous active connections:
Router(config)# ip slb serverfarm PUBLICRouter(config-slb-sfarm)# real 10.10.1.1Router(config-slb-real)# maxconns 1000Related Commands
mls aging slb normal
To configure the aging time for flows, use the mls aging slb normal command in global configuration mode. To restore the default setting, use the no form of this command.
mls aging slb normal time
no mls aging slb normal time
Syntax Description
Defaults
The default aging idle time is 2000 milliseconds.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
This command is supported for Catalyst 6000 family switches only.
Examples
The following example sets the idle time to 4000 milliseconds:
Router(config)# mls aging slb normal 4000Related Commands
mls aging slb process
To control how often the aging process runs, use the mls aging slb process command in global configuration mode. To restore the default setting, use the no form of this command.
mls aging slb process time
no mls aging slb process time
Syntax Description
time
Aging process interval, in milliseconds. The valid range is 1 millisecond to 10000 milliseconds. The default setting is 2000 seconds.
Defaults
The default aging process interval is 2000 milliseconds.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
This command is supported for Catalyst 6000 family switches only.
Examples
The following example sets the aging process interval to 4000 milliseconds:
Router(config)# mls aging slb process 4000Related Commands
mls ip install-threshold
To install the configured ACL thresholds, use the mls ip install-threshold command in global configuration mode.
mls ip install-threshold acl-num
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration (config)
Command History
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
The mls ip install-threshold command is active only when you enable the mls ip reflexive ndr-entry tcam command.
Examples
This example shows how to install an ACL threshold:
Router(config)# mls ip install-threshold 123Related Commands
mls ip reflexive ndr-entry tcam
To enable the shortcuts in TCAM for the reflexive TCP/UDP entries when installed by the NDR, use the mls ip reflexive ndr-entry tcam command in global configuration mode. To disable the shortcuts in TCAM for the reflexive TCP/UDP entries when installed by the NDR, use the no form of this command.
mls ip reflexive ndr-entry tcam
no mls ip reflexive ndr-entry tcam
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration (config)
Command History
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
When you enter the mls ip reflexive ndr-entry tcam command, the reflexive ACL dynamic entries are installed in TCAM instead of in NetFlow.
Examples
This example shows how to enable the shortcuts in TCAM for the reflexive TCP/UDP entries when installed by the NDR:
Router(config)#mls ip reflexive ndr-entry tcamThis example shows how to disable the shortcuts in TCAM for the reflexive TCP/UDP entries when installed by the NDR:
Router(config)#no mls ip reflexive ndr-entry tcamRelated Commands
mls ip delete-threshold
Deletes configured ACL thresholds.
mls ip install-threshold
Installs the configured ACL thresholds.
mls ip slb purge global
To specify protocol-level purging of MLS entries from active TCP and UDP flow packets, use the mls ip slb purge global command in global configuration mode. To disable purge throttling, use the no form of this command.
mls ip slb purge global
no mls ip slb purge global
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting is for protocol-level purging.
Command Modes
Global configuration (config)
Command History
Examples
The following example disables purge throttling on TCP and UDP flow packets:
Router(config)# no mls ip slb purge globalRouter(config)#
The following example returns purge throttling on TCP and UDP flow packets to its default setting:
Router(config)# mls ip slb purge globalRouter(config)#
mls ip slb search wildcard
To specify the behavior of IOS Server Load Balancing (IOS SLB) wildcard searches, use the mls ip slb search wildcard command in global configuration mode. To restore the default setting, use the no form of this command.
mls ip slb search {wildcard [pfc | rp] | icmp}
no mls ip slb search {wildcard [pfc | rp] | icmp}
Syntax Description
Defaults
The default setting is for the PFC to perform IOS SLB wildcard searches.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
This command is supported for Catalyst 6500 family switches only.
If you configure IOS SLB and either input ACLs or firewall load balancing on the same Catalyst 6500 Family Switch, you can exceed the capacity of the TCAM on the PFC. To correct the problem, use the mls ip slb search wildcard rp command to reduce the amount of TCAM space used by IOS SLB. However, be aware that this command can result in a slight increase in route processor utilization.
Examples
The following example limits wildcard searches to the route processor:
Router(config)# mls ip slb search wildcard rpRelated Commands
nat
To configure Cisco IOS Server Load Balancing (IOS SLB) Network Address Translation (NAT) and specify a NAT mode, use the nat command in SLB server farm configuration mode. To remove a NAT configuration, use the no form of this command.
nat {client pool | server}
no nat {client | server}
Syntax Description
Defaults
No IOS SLB NAT is configured.
Command Modes
SLB server farm configuration (config-slb-sfarm)
Command History
Usage Guidelines
The no nat command is allowed only if the virtual server was removed from service with the no inservice command.
Examples
The following example enters server farm configuration mode and configures NAT mode as server address translation on server farm FARM2:
Router# ip slb serverfarm FARM2Router(config-slb-sfarm)# nat serverThe following example configures the NAT mode on server farm FARM2 to client translation mode and, using the real command in server farm configuration mode, configures the real server IP address as 10.3.1.1:
Router(config-slb-sfarm)# nat client web-clientsRouter(config-slb-sfarm)# real 10.3.1.1Related Commands
object (tracking)
To specify an object for a tracked list, use the object command in tracking configuration mode. To remove the object from the tracked list, use the no form of this command.
object object-number [not] [weight weight-number]
no object object-number [not] [weight weight-number]
Syntax Description
Command Default
The object is not included in the tracked list.
Command Modes
Tracking configuration (config-track)
Command History
Usage Guidelines
As of Cisco IOS Release 15.1(3)T, a maximum of 1000 objects can be tracked. Although 1000 tracked objects can be configured, each tracked object uses CPU resources. The amount of available CPU resources on a router is dependent upon variables such as traffic load and how other protocols are configured and run. The ability to use 1000 tracked objects is dependent upon the available CPU. Testing should be conducted on site to ensure that the service works under the specific site traffic conditions.
Examples
The following example shows two serial interfaces (objects) that are in tracked list 100. The Boolean "not" negates the state of object 2, resulting in the tracked list regarding object 2 as down when it is up.
Router(config)# track 1 interface serial2/0 line-protocolRouter(config)# track 2 interface serial2/1 line-protocolRouter(config-track)# exitRouter(config)# track 100 list boolean andRouter(config-track)# object 1Router(config-track)# object 2 notRelated Commands
password (DFP agent)
To configure a Dynamic Feedback Protocol (DFP) agent password for Message Digest Algorithm Version 5 (MD5) authentication, use the password command in DFP agent configuration mode. To remove the DFP agent password, use the no form of this command.
password [0 | 7] password [timeout]
no password
Syntax Description
Defaults
The password encryption default is 0 (unencrypted).
The password timeout default is 180 seconds.Command Modes
DFP agent configuration (config-dfp)
Command History
Usage Guidelines
The password specified on this command must match the password specified on the DFP manager.
The timeout option allows you to change the password without stopping messages between the DFP agent and its manager. The default value is 180 seconds.
During the timeout, the agent sends packets with the old password (or null, if there is no old password), and receives packets with either the old or new password. After the timeout expires, the agent sends and receives packets only with the new password; received packets that use the old password are discarded.
If you are changing the password for an entire load-balanced environment, set a longer timeout. Setting a longer timeout allows enough time for you to update the password on all agents and servers before the timeout expires. It also prevents mismatches between agents and servers that have begun running the new password and agents, and servers on which you have not yet changed the old password.
If you are running IOS SLB as a DFP manager, and you specify a password on the ip slb dfp command in global configuration mode, the password must match the one specified on the password command in DFP agent configuration mode in the DFP agent.
Examples
The following example sets the DFP agent password (unencrypted by default) to Password1 and the timeout to 360 seconds:
Router(config)# ip dfp agent slbRouter(config-dfp)# password Password1 360Related Commands
peer port
To specify the port to which the IOS SLB KeepAlive Application Protocol (KAL-AP) agent is to connect, use the peer port command in SLB Content Application Peering Protocol (CAPP) configuration mode. To restore the default settings, use the no form of this command.
peer [ip-address] port port
no peer [ip-address] port port
Syntax Description
Defaults
If you do not specify a port, the KAL-AP agent connects to port 5002.
Command Modes
SLB CAPP configuration (config-slb-capp)
Command History
Usage Guidelines
Use this command to specify a port number, other than port 5002, to be used by the KAL-AP agent.
You can configure any number of peer port commands with the ip-address argument, but only one without the ip-address argument.
Examples
The following example configures the KAL-AP agent to connect to port number 6000:
Router(config-slb-capp)# peer port 6000Related Commands
ip capp udp
Enables the IOS SLB KeepAlive Application Protocol (KAL-AP) agent and enters SLB Content Application Peering Protocol (CAPP) configuration mode.
peer secret
To enable Message Digest Algorithm Version 5 (MD5) authentication for the IOS SLB KeepAlive Application Protocol (KAL-AP) agent, use the peer secret command in SLB Content Application Peering Protocol (CAPP) configuration mode. To disable MD5 authentication, use the no form of this command.
peer [ip-address] secret [encrypt] secret-string
no peer [ip-address] secret secret-string
Syntax Description
Defaults
The KAL-AP agent does not use MD5 authentication with IOS SLB.
Command Modes
SLB CAPP configuration (config-slb-capp)
Command History
Usage Guidelines
You can configure any number of peer secret commands with the ip-address argument, but only one without the ip-address argument.
Examples
The following example configures secret string SECRET_STRING for the KAL-AP agent:
Router(config-slb-capp)# peer secret SECRET_STRINGRelated Commands
ip capp udp
Enables the IOS SLB KeepAlive Application Protocol (KAL-AP) agent and enters SLB Content Application Peering Protocol (CAPP) configuration mode.
platform trace runtime process forwarding-manager module wccp
To enable Forwarding Manager Route Processor and Embedded-Service-Processor trace messages for the Web Cache Communication Protocol (WCCP) process, use the platform trace runtime process forwarding-manager module wccp command in global configuration mode. To disable debug messages, use the no form of this command.
platform trace runtime slot slot bay bay process forwarding-manager module wccp level {level}
no platform trace runtime slot slot bay bay process forwarding-manager module wccp
Syntax Description
Command Default
The default tracing level for every module on the Cisco ASR 1000 Series Routers is notice.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Trace level settings are leveled: every setting will contain all messages from the lower setting plus the messages from its own setting. For instance, setting the trace level to 3 (error) ensures that the trace file contains all output for the 0 (emergencies), 1 (alerts), 2 (critical), and 3 (error) settings. Setting the trace level to 4 (warning) ensures that all trace output for the specific module is included in that trace file.
All trace levels are not user-configurable. Specifically, the alert, critical, and notice tracing levels cannot be set by users. If you wish to trace these messages, set the trace level to a higher level that will collect these messages.
When setting trace levels, it is also important to remember that the setting is not done in a configuration mode, so trace level settings are returned to their defaults after every router reload.
Caution
Caution
Examples
In the following example, the trace level for the WCCP module in the Forwarding Manager of the ESP processor in slot 0 is set to the informational tracing level (info):
Router(config)# platform trace runtime slot F0 bay 0 process forwarding-manager module wccp level infoRelated Commands
show platform software trace level
Displays trace levels for specified modules.
show platform software trace message
Displays trace messages.
port (custom UDP probe)
To specify the port to which a custom User Datagram Protocol (UDP) probe is to connect, use the port command in custom UDP probe configuration mode. To restore the default settings, use the no form of this command.
port port
no port port
Syntax Description
Defaults
In dispatched mode, the port number is inherited from the virtual server.
If port translation is configured for the real server, that port number is used. See the real (server farm) command for more details.Command Modes
Custom UDP probe configuration (config-slb-probe)
Command History
Examples
The following example configures a custom UDP probe named PROBE6, enters custom UDP probe configuration mode, and configures the probe to connect to port number 8:
Router(config)# ip slb probe PROBE6 custom UDPRouter(config-slb-probe)# port 8Related Commands
port (DFP agent)
To define the port number to be used by the Dynamic Feedback Protocol (DFP) manager to connect to the DFP agent, use the port command in DFP agent configuration mode. To disable the port number definition and remove existing connections, use the no form of this command.
port port-number
no port port-number
Syntax Description
port-number
Port number used by a DFP manager to connect to a DFP agent. The valid range is from 1 to 65535.
Defaults
No port number is defined.
Command Modes
DFP agent configuration (config-dfp)
Command History
Examples
In the following example, the DFP manager is enabled to connect to the DFP agent using port number 2221:
Router(config)# ip dfp agent slbRouter(config-dfp)# port 2221Related Commands
port (HTTP probe)
To specify the port to which an HTTP probe is to connect, use the port command in HTTP probe configuration mode. To restore the default settings, use the no form of this command.
port port
no port port
Syntax Description
Defaults
In dispatched mode, the port number is inherited from the virtual server.
If port translation is configured for the real server, that port number is used. See the real (server farm) command for more details.Command Modes
HTTP probe configuration (config-slb-probe)
Command History
Examples
The following example configures an HTTP probe named PROBE2, enters HTTP probe configuration mode, and configures the probe to connect to port number 8:
Router(config)# ip slb probe PROBE2 httpRouter(config-slb-probe)# port 8Related Commands
port (TCP probe)
To specify the port to which a TCP probe is to connect, use the port command in TCP probe configuration mode. To restore the default settings, use the no form of this command.
port port
no port port
Syntax Description
Defaults
In dispatched mode, the port number is inherited from the virtual server.
If port translation is configured for the real server, that port number is used. See the real (server farm) command for more details.Command Modes
TCP probe configuration (config-slb-probe)
Command History
Examples
The following example configures a TCP probe named PROBE5, enters TCP probe configuration mode, and configures the probe to connect to port number 8:
Router(config)# ip slb probe PROBE5 tcpRouter(config-slb-probe)# port 8Related Commands
predictor
To specify the load-balancing algorithm for selecting a real server in the server farm, use the predictor command in SLB server farm configuration mode. To restore the default load-balancing algorithm of weighted round robin, use the no form of this command.
predictor [roundrobin | leastconns | route-map mapname]
no predictor
Syntax Description
Defaults
If you do not enter a predictor command, or if you enter the predictor command without specifying a load-balancing algorithm, the weighted round robin algorithm is used.
Command Modes
SLB server farm configuration (config-slb-sfarm)
Command History
Usage Guidelines
RADIUS load balancing requires the weighted round robin algorithm.
The route map algorithm is supported only for RADIUS load balancing accelerated data plane forwarding. When you specify the predictor route-map command, no further commands in SLB server farm configuration mode or real server configuration mode are allowed.
GPRS load balancing without GTP cause code inspection enabled requires the weighted round robin algorithm. A server farm that uses weighted least connections can be bound to a virtual server providing GPRS load balancing without GTP cause code inspection enabled, but you cannot place the virtual server INSERVICE. If you try to do so, Cisco IOS SLB) issues an error message.
The Home Agent Director requires the weighted round robin algorithm. A server farm that uses weighted least connections can be bound to a Home Agent Director virtual server, but you cannot place the virtual server INSERVICE. If you try to do so, Cisco IOS SLB issues an error message.
Examples
The following example specifies the weighted least connections algorithm:
Router(config)# ip slb serverfarm PUBLICRouter(config-slb-sfarm)# predictor leastconnsRelated Commands
predictor hash address (firewall farm)
To specify the load-balancing algorithm for selecting a firewall in the firewall farm, use the predictor hash address command in firewall farm configuration mode. To restore the default load-balancing algorithm, use the no form of this command.
predictor hash address [port]
no predictor
Syntax Description
port
(Optional) Uses the source and destination TCP or User Datagram Protocol (UDP) port numbers, in addition to the source and destination IP addresses, when selecting a firewall.
Defaults
IOS Server Load Balancing (IOS SLB) uses the source and destination IP addresses when selecting a firewall.
Command Modes
Firewall farm configuration (config-slb-fw)
Command History
Examples
The following example specifies that source and destination IP addresses are to be used when selecting a firewall:
Router(config)# ip slb firewall FIRE1Router(config-slb-fw)# predictor hash addressRelated Commands
probe (firewall farm real server)
To associate a probe with a firewall farm, use the probe command in firewall farm real server configuration mode. To remove the association, use the no form of this command.
probe probe
no probe probe
Syntax Description
Defaults
No probe is associated with a firewall farm.
Command Modes
Firewall farm real server configuration (config-slb-fw-real)
Command History
Usage Guidelines
You can configure more than one probe for each firewall in a firewall farm.
If you configure probes in your network, you must also do one of the following:
•
•
Examples
The following example associates probe FireProbe with server farm FIRE1:
Router(config)# ip slb firewallfarm FIRE1Router(config-slb-fw-real)# probe FireProbeRelated Commands
show ip slb firewallfarm
Displays information about the server farm configuration.
probe (server farm)
To associate a probe with a server farm, use the probe command in server farm configuration mode. To remove the association, use the no form of this command.
probe probe
no probe probe
Syntax Description
Defaults
No probe is associated with a server farm.
Command Modes
Server farm configuration (config-slb-sfarm)
Command History
Usage Guidelines
You can configure more than one probe for each server farm.
If you configure probes in your network, you must also do one of the following:
•
•
Examples
The following example associates probe PROBE1 with server farm PUBLIC:
Router(config)# ip slb serverfarm PUBLICRouter(config-slb-sfarm)# probe PROBE1Related Commands
show ip slb serverfarms
Displays information about the server farm configuration.
protocol datagram
To enter firewall farm datagram protocol configuration mode, use the protocol datagram command in firewall farm configuration mode.
protocol datagram
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Firewall farm configuration (config-slb-fw)
Command History
Usage Guidelines
Firewall farm datagram protocol configuration applies to the Encapsulation Security Payload (ESP), Generic Routing Encapsulation (GRE), IP in IP encapsulation, and User Datagram Protocol (UDP) protocols.
Examples
The following example enters firewall farm datagram protocol configuration mode:
Router(config)# ip slb firewallfarm FIRE1Router(config-slb-fw)# protocol datagramRelated Commands
show ip slb firewallfarm
Displays information about the firewall farm configuration.
protocol tcp
To enter firewall farm TCP protocol configuration mode, use the protocol tcp command in firewall farm configuration mode.
protocol tcp
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Firewall farm configuration (config-slb-fw)
Command History
Examples
The following example enters firewall farm TCP protocol configuration mode:
Router(config)# ip slb firewallfarm FIRE1Router(config-slb-fw)# protocol tcpRelated Commands
show ip slb firewallfarm
Displays information about the firewall farm configuration.
purge connection
To enable IOS SLB firewall load balancing to send purge requests for connections, use the purge connection command in firewall farm configuration mode. To prevent the sending of purge requests, use the no form of this command.
purge connection
no purge connection
Syntax Description
This command has no arguments or keywords.
Defaults
IOS SLB firewall load balancing sends purge requests for connections.
Command Modes
Firewall farm configuration (config-slb-fw)
Command History
Usage Guidelines
By default, IOS SLB firewall load balancing sends purge requests for connections. However, if a large number of purge requests are sent, the CPU might be impacted. To prevent this problem, use the no form of this command to prevent the sending of purge requests.
Examples
The following example prevents the sending of purge requests for connections:
Router(config-slb-fw)# no purge connectionRelated Commands
mls ip slb purge global
Specifies protocol-level purging of MLS entries from active TCP and UDP flow packets.
purge sticky
TBD
purge radius framed-ip acct on-off
To enable IOS SLB to purge entries in the IOS SLB RADIUS framed-ip sticky database upon receipt of an Accounting ON or OFF message, use the purge radius framed-ip acct on-off command in virtual server configuration mode. To disable this behavior, use the no form of this command.
purge radius framed-ip acct on-off
no purge radius framed-ip acct on-off
Syntax Description
This command has no arguments or keywords.
Defaults
IOS SLB purges entries in the IOS SLB RADIUS framed-ip sticky database upon receipt of an Accounting ON or OFF message.
Command Modes
Virtual server configuration (config-slb-vserver)
Command History
Examples
The following example prevents IOS SLB from purging entries in the IOS SLB RADIUS framed-ip sticky database upon receipt of an Accounting ON or OFF message:
Router(config)# ip slb vserver VS1Router(config-slb-vserver)# no purge radius framed-ip acct on-offRelated Commands
sticky (virtual server)
Assigns all connections from a client to the same real server.
purge radius framed-ip acct stop
To enable IOS Server Load Balancing to purge entries in the IOS SLB RADIUS framed-ip sticky database upon receipt of an Accounting-Stop message, use the purge radius framed-ip acct stop in virtual server configuration mode. To disable this behavior, use the no form of this command.
purge radius framed-ip acct stop {attribute-number | 26 | vsa {vendor-ID | 3gpp | 3gpp2} sub-attribute-number}
no purge radius framed-ip acct stop {attribute-number | 26 | vsa {vendor-ID | 3gpp | 3gpp2} sub-attribute-number}
Syntax Description
Defaults
IOS SLB purges entries in the IOS SLB RADIUS framed-ip sticky database upon receipt of an Accounting-Stop message.
Command Modes
Virtual server configuration (config-slb-vserver)
Command History
Examples
The following example prevents IOS SLB from purging entries in the IOS SLB RADIUS framed-ip sticky database upon receipt of an Accounting-Stop message:
Router(config)# ip slb vserver VS1Router(config-slb-vserver)# no purge radius framed-ip acct stop 44Related Commands
sticky (virtual server)
Assigns all connections from a client to the same real server.
purge sticky
To enable IOS SLB firewall load balancing to send purge requests for sticky connections when the sticky timer expires, use the purge sticky command in firewall farm configuration mode. To prevent the sending of purge requests when the timer expires, use the no form of this command.
purge sticky
no purge sticky
Syntax Description
This command has no arguments or keywords.
Defaults
IOS SLB firewall load balancing sends purge requests when the sticky timer expires.
Command Modes
Firewall farm configuration (config-slb-fw)
Command History
Usage Guidelines
By default, IOS SLB firewall load balancing sends purge requests for sticky connections when the sticky timer expires. However, large volumes of purge requests can impact the CPU. To prevent this problem, use the no form of this command to prevent the sending of purge requests when the sticky timer expires.
To configure a sticky timer for IOS SLB firewall load balancing, use the sticky command in either firewall farm datagram protocol or firewall farm TCP protocol configuration mode.
Examples
The following example prevents the sending of purge requests for sticky connections:
Router(config-slb-fw)# no purge stickyRelated Commands
radius acct local-ack key
To enable a RADIUS virtual server to acknowledge RADIUS accounting messages, use the radius acct local-ack key command in SLB virtual server configuration mode. To restore the default behavior, use the no form of this command.
radius acct local-ack key [encrypt] secret-string
no radius acct local-ack key [encrypt] secret-string
Syntax Description
Defaults
By default, this command is not enabled. When this command is enabled, the RADIUS load balancing device, not the real server, acknowledges RADIUS accounting messages.
If you configure this command but you do not specify the 7 keyword, the secret-string is stored in the plain text.Command Modes
SLB virtual server configuration (config-slb-vserver)
Command History
Usage Guidelines
Configure this command only on a RADIUS virtual server.
Examples
The following example shows how to enable RADIUS virtual server PUBLIC_RADIUS to acknowledge RADIUS accounting messages with key SECRET_PASSWORD.
Router(config)# ip slb vserver PUBLIC_RADIUSRouter(config-slb-vserver)# radius acct local-ack key SECRET_PASSWORDRelated Commands
radius inject acct key
To configure a vendor-specific attribute (VSA) correlation group for an IOS SLB RADIUS load balancing accelerated data plane forwarding accounting virtual server, and to enable Message Digest Algorithm Version 5 (MD5) authentication for VSA correlation, use the radius inject acct key command in SLB virtual server configuration mode. To disable VSA correlation on this virtual server, use the no form of this command.
radius inject acct group-number key [encrypt] secret-string
no radius inject acct group-number key secret-string
Syntax Description
Defaults
VSA correlation is disabled on this virtual server.
Command Modes
SLB virtual server configuration (config-slb-vserver)
Command History
Usage Guidelines
This command is valid only for VSA correlation accounting virtual servers.
Examples
The following example configures VSA correlation group 1 and configures plain text secret string SECRET_STRING for VSA correlation:
Router(config-slb-vserver)# radius inject acct 1 key 0 SECRET_STRINGRelated Commands
radius inject auth
To configure a vendor-specific attribute (VSA) correlation group for an IOS SLB RADIUS load balancing accelerated data plane forwarding authentication virtual server, and to specify whether IOS SLB is to create VSA correlation entries based on RADIUS calling station IDs or RADIUS usernames, use the radius inject auth command in SLB virtual server configuration mode. To disable VSA correlation on this virtual server, use the no form of this command.
radius inject auth group-number {calling-station-id | username}
no radius inject auth group-number {calling-station-id | username}
Syntax Description
Defaults
VSA correlation is disabled on this virtual server.
Command Modes
SLB virtual server configuration (config-slb-vserver)
Command History
Usage Guidelines
For a given authentication virtual server, you can configure a single radius inject auth group-number calling-station-id command or a single radius inject auth group-number username command, but not both.
This command is valid only for VSA correlation authentication virtual servers.
Examples
The following example configures VSA correlation group 1 and specifies that IOS SLB is to create VSA correlation entries based on the RADIUS calling station ID attribute:
Router(config-slb-vserver)# radius inject auth 1 calling-station-idRelated Commands
radius inject auth timer
To configure a timer for vendor-specific attribute (VSA) correlation for an IOS SLB RADIUS load balancing accelerated data plane forwarding authentication virtual server, use the radius inject auth timer command in SLB virtual server configuration mode. To delete the VSA correlation timer from the configuration, use the no form of this command.
radius inject auth timer seconds
no radius inject auth timer
Syntax Description
seconds
Time, in seconds, that IOS SLB maintains an entry in the VSA correlation database. Valid range is 1 to 255.
Defaults
No VSA correlation timer is configured for the authentication virtual server.
Command Modes
SLB virtual server configuration (config-slb-vserver)
Command History
Usage Guidelines
This command is valid only for VSA correlation authentication virtual servers.
Examples
The following example configures a VSA correlation timer of 45 seconds:
Router(config-slb-vserver)# radius inject auth timer 45Related Commands
radius inject auth vsa
To buffer vendor-specific attributes (VSAs) for VSA correlation for an IOS SLB RADIUS load balancing accelerated data plane forwarding authentication virtual server, use the radius inject auth vsa command in SLB virtual server configuration mode.
radius inject auth vsa vendor-id
Syntax Description
Defaults
VSAs are not buffered.
Command Modes
SLB virtual server configuration (config-slb-vserver)
Command History
Usage Guidelines
This command is valid only for VSA correlation authentication virtual servers.
Examples
The following example buffers the Cisco VSA:
Router(config-slb-vserver)# radius inject auth vsa ciscoRelated Commands
rate
To specify the maximum number of connections allowed for a real server in a server farm, use the rate command in real server configuration mode. To remove the rate limit, use the no form of this command.
rate maximum-rate [burst burst-rate]
no rate
Syntax Description
Defaults
There is no limit on the number of connection allowed for the real server.
If you do not configure a burst rate, the default burst rate is (maximum-rate/10) connections per second.Command Modes
Real server configuration (config-slb-real)
Command History
Usage Guidelines
The rate command is valid only for real servers in server farms. It is not valid for real servers in firewall farms.
If the rate limit for a real server is exceeded, and a new connection request is received, IOS SLB assigns the new connection request to the next rate-configured real server in the server farm's queue. If no other rate-configured real server is available in the server farm, IOS SLB drops the connection request.
The rate limit also applies to sticky connections. That is, if the rate limit for a real server is exceeded, and a new sticky connection request is received, IOS SLB drops the sticky connection request.
IOS SLB uses slow start even if a real server has a rate limit configured.
Examples
The following example specifies that up to 100 connections per second are allowed for the real server in a server farm, with a burst rate of 25 burst connections per second:
Router(config-slb-real)# rate 100 burst 25real (firewall farm)
To identify a firewall as a member of a firewall farm and enter real server configuration mode, use the real command in firewall farm configuration mode. To remove the firewall from the IOS Server Load Balancing (IOS SLB) configuration, use the no form of this command.
real ip-address
no real ip-address
Syntax Description
Defaults
No firewall is identified as a member of a firewall farm.
Command Modes
Firewall farm configuration (config-slb-fw)
Command History
Usage Guidelines
A firewall farm comprises a number of firewalls. The firewalls are the physical devices that provide the firewall load-balanced services.
Examples
The following example identifies a firewall as a member of firewall farm FIRE1:
Router(config)# ip slb firewallfarm FIRE1Router(config-slb-fw)# real 10.1.1.1Related Commands
real (server farm)
To identify a real server as a member of a server farm and enter real server configuration mode, use the real command in SLB server farm configuration mode. To remove the real server from the IOS Server Load Balancing (IOS SLB) configuration, use the no form of this command.
real ipv4-address [ipv6 ipv6-address] [port]
no real ipv4-address [ipv6 ipv6-address] [port]
Syntax Description
ipv4-address
Real server IPv4 address.
ipv6 ipv6-address
(Optional) For dual-stack, real server IPv6 address.
port
(Optional) Port translation for the server. Valid values range from 1 to 65535.
Command Default
No real server is identified as a member of a server farm.
Command Modes
SLB server farm configuration (config-slb-sfarm)
Command History
Usage Guidelines
A server farm comprises a number of real servers. The real servers are the physical devices that provide the load-balanced services.
In general packet radio service (GPRS) load balancing, this command identifies a gateway GPRS support node (GGSN) that is a member of the server farm. Also, remember that the Cisco GGSN IP addresses are virtual template IP addresses, not real interface IP addresses.
IOS SLB supports GPRS Tunneling Protocol (GTP) v0, v1, and v2 real servers. A GTP v2 real server can be either a Packet Data Network Gateway (PGW) or a serving gateway (SGW).
•
•
•
IOS SLB supports dual-stack addresses for GTP load balancing only. To support dual-stack addresses, you must configure the real server as a dual-stack real server, with the IPv4 and IPv6 addresses, using this command.
In Virtual Private Network (VPN) server load balancing, this command identifies a real server acting as a VPN terminator.
Examples
The following example identifies a real server as a member of the server farm:
Router(config)# ip slb serverfarm PUBLICRouter(config-slb-sfarm)# real 10.1.1.1The following example identifies a dual-stack real server as a member of the server farm:
Router(config)# ip slb serverfarm DUAL-PUBLICRouter(config-slb-sfarm)# real 10.1.1.1 ipv6 12AB:0000:0000:CD31:0000:0000:0000:0000/64Related Commands
real (static NAT)
To configure one or more real servers to use static Network Address Translation (NAT), use the real command in static NAT configuration mode. To restore the default behavior, use the no form of this command.
real ip-address [port]
no real ip-address [port]
Syntax Description
Defaults
No real server is configured to use static NAT.
Command Modes
Static NAT configuration (config-slb-static)
Command History
Usage Guidelines
If no port number is specified, IOS SLB uses static NAT for all packets outbound from the real server.
Examples
The following example configures real server 10.1.1.3 to use static NAT:
Router(config)# ip slb static natRouter(config-slb-static)# real 10.1.1.3Related Commands
reassign
To specify the threshold of consecutive unacknowledged SYNchronize sequence numbers (SYNs) or Create Packet Data Protocol (PDP) requests that, if exceeded, result in an attempted connection to a different real server, use the reassign command in SLB real server configuration mode. To restore the default reassignment threshold, use the no form of this command.
reassign threshold
no reassign
Syntax Description
Defaults
The default threshold value is 3.
Command Modes
SLB real server configuration (config-slb-real)
Command History
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
IOS SLB does not reassign sticky connections if either of the following conditions is true:
•
•
In GPRS load balancing, this command specifies the number of consecutive unacknowledged Create PDP requests (not TCP SYNs) that are directed to a gateway GPRS support node (GGSN) before the connection is reassigned to a different GGSN. You must specify a reassign threshold less than the N3-REQUESTS counter value of the serving GRPS support node (SGSN).
Examples
The following example shows how to set the threshold of unacknowledged SYNs to 2:
Router(config)# ip slb serverfarm PUBLICRouter(config-slb-sfarm)# real 10.10.1.1Router(config-slb-real)# reassign 2Related Commands
replicate casa (firewall farm)
To configure a stateful backup of IOS Server Load Balancing (IOS SLB) decision tables to a backup switch, use the replicate casa command in firewall farm configuration mode. To remove a this configuration, use the no form of this command.
replicate casa listen-ip remote-ip port [interval] [password [encrypt] secret-string [timeout]]
no replicate casa listen-ip remote-ip port
Syntax Description
Defaults
The default interval is 10 seconds.
The default password encryption is 0 (unencrypted).
The default password timeout is 180 seconds.Command Modes
Firewall farm configuration (config-slb-fw)
Command History
Usage Guidelines
The timeout option allows you to change the password without stopping messages between the backup and primary Layer 3 switches. The default value is 180 seconds.
During the timeout, the backup sends packets with the old password (or null, if there is no old password), and receives packets with either the old or new password. After the timeout expires, the backup sends and receives packets only with the new password.
When setting a new password timeout, remember the following considerations:
•
•
If you configure this command but you do not specify the 7 keyword, the secret-string is stored in the plain text.
Examples
The following example configures a stateful backup Layer-3 switch with a listening IP address of 10.10.10.11 and a remote IP address of 10.10.11.12 over HTTP port 4231:
Router(config)# ip slb firewallfarm FIRE1Router(config-slb-fw)# replicate casa 10.10.10.11 10.10.11.12 4231Related Commands
show ip slb firewallfarm
Displays information about the firewall farm configuration.
show ip slb replicate
Displays the configuration of IO SLB IP replication.
replicate casa (virtual server)
To configure a stateful backup of IOS Server Load Balancing (IOS SLB) decision tables to a backup switch, use the replicate casa command in virtual server configuration mode. To remove this configuration, use the no form of this command.
replicate casa listen-ip remote-ip port [interval] [password [encrypt] secret-string [timeout]]
no replicate casa listen-ip remote-ip port
Syntax Description
Defaults
The default interval is 10 seconds.
The default password encryption is 0 (unencrypted).
The default password timeout is 180 seconds.Command Modes
Virtual server configuration (config-slb-vserver)
Command History
Usage Guidelines
The timeout option allows you to change the password without stopping messages between the backup and primary Layer 3 switches. The default value is 180 seconds.
During the timeout, the backup sends packets with the old password (or null, if there is no old password), and receives packets with either the old or new password. After the timeout expires, the backup sends and receives packets only with the new password.
When setting a new password timeout, remember the following considerations:
•
•
General packet radio service (GPRS) load balancing without GPRS Tunneling Protocol (GTP) cause code inspection enabled does not support the replicate casa command in virtual server configuration mode.
The Home Agent Director does not support the replicate casa command in virtual server configuration mode.
If you configure this command but you do not specify the 7 keyword, the secret-string is stored in the plain text.
Examples
The following example configures a stateful backup Layer-3 switch with a listening IP address of 10.10.10.11 and a remote IP address of 10.10.11.12 over HTTP port 4231:
Router(config)# ip slb vserver VS1Router(config-slb-vserver)# replicate casa 10.10.10.11 10.10.11.12 4231Related Commands
show ip slb replicate
Displays the configuration of IOS SLB IP replication.
show ip slb vserver
Displays information about the virtual servers defined to IOS SLB.
replicate interval (firewall farm)
To set the replication delivery interval for an IOS Server Load Balancing (IOS SLB) firewall farm, use the replicate interval command in firewall farm configuration mode. To restore the default interval, use the no form of this command.
replicate interval interval
no replicate interval
Syntax Description
Defaults
The default interval is 10 seconds.
Command Modes
Firewall farm configuration (config-slb-fw)
Command History
Usage Guidelines
General packet radio service (GPRS) load balancing without GPRS Tunneling Protocol (GTP) cause code inspection enabled does not support the replicate interval command in firewall farm configuration mode.
The Home Agent Director does not support the replicate interval command in firewall farm configuration mode.
Examples
The following example configures a replication interval of 20 seconds:
Router(config)# ip slb firewallfarm FIRE1Router(config-slb-fw)# replicate interval 20Related Commands
replicate interval (virtual server)
To set the replication delivery interval for an IOS Server Load Balancing (IOS SLB) virtual server, use the replicate interval command in virtual server configuration mode. To restore the default interval, use the no form of this command.
replicate interval interval
no replicate interval
Syntax Description
Defaults
The default interval is 10 seconds.
Command Modes
Virtual server configuration (config-slb-vserver)
Command History
Usage Guidelines
General packet radio service (GPRS) load balancing without GPRS Tunneling Protocol (GTP) cause code inspection enabled does not support the replicate interval command in virtual server configuration mode.
The Home Agent Director does not support the replicate interval command in virtual server configuration mode.
Examples
The following example configures a replication interval of 20 seconds:
Router(config)# ip slb vserver VS1Router(config-slb-vserver)# replicate interval 20Related Commands
replicate slave (firewall farm)
To enable stateful backup of redundant route processors for an IOS Server Load Balancing (IOS SLB) firewall farm, if the slave device is present, use the replicate slave command in firewall farm configuration mode. To disable stateful backup of redundant route processors, use the no form of this command.
replicate slave
no replicate slave
Syntax Description
This command has no arguments or keywords.
Defaults
Stateful backup of redundant route processors is disabled.
Command Modes
Firewall farm configuration (config-slb-fw)
Command History
Usage Guidelines
General packet radio service (GPRS) load balancing without GPRS Tunneling Protocol (GTP) cause code inspection enabled does not support the replicate slave command in firewall farm configuration mode.
The Home Agent Director does not support the replicate slave command in firewall farm configuration mode.
Examples
The following example enables stateful backup of redundant route processors:
Router(config)# ip slb firewallfarm FIRE1Router(config-slb-fw)# replicate slaveRelated Commands
replicate slave (virtual server)
To enable stateful backup of redundant route processors for an IOS Server Load Balancing (IOS SLB) virtual server, if the slave device is present, use the replicate slave command in virtual server configuration mode. To disable stateful backup of redundant route processors, use the no form of this command.
replicate slave
no replicate slave
Syntax Description
This command has no arguments or keywords.
Defaults
Stateful backup of redundant route processors is disabled.
Command Modes
Virtual server configuration (config-slb-vserver)
Command History
Usage Guidelines
General packet radio service (GPRS) load balancing without GPRS Tunneling Protocol (GTP) cause code inspection enabled does not support the replicate slave command in virtual server configuration mode.
The Home Agent Director does not support the replicate slave command in virtual server configuration mode.
If you are using a single Supervisor with replicate slave configured, you might receive out-of-sync messages on the Supervisor.
Examples
The following example enables stateful backup of redundant route processors:
Router(config)# ip slb vserver VS1Router(config-slb-vserver)# replicate slaveRelated Commands
request (custom UDP probe)
To define the payload of the User Datagram Protocol (UDP) request packet to be sent by a custom UDP probe, use the request command in custom UDP probe configuration mode.
request data {start-byte | continue} hex-data-string
Syntax Description
Defaults
The payload of the UDP request packet is not defined.
Command Modes
Custom UDP probe configuration (config-slb-probe)
Command History
Usage Guidelines
You can enter more than one request command, to specify the entire UDP payload.
Examples
The following example generates custom UDP probe PROBE6, with the specified 119-byte UDP payload.
Router(config)# ip slb probe PROBE6 custom UDPRouter(config-slb-probe)# request data 0 05 04 00 77 18 2A D6 CD 0A AD 53 4D F1 29 29 CF C1 96 59 CBRouter(config-slb-probe)# request data 20 01 07 63 68 72 69 73 28 06 00 00 00 01 2C 0A 30 30 30 30 30Router(config-slb-probe)# request data 40 30 30 42 07 06 00 00 00 07 1E 10 63 75 66 66 2E 63 69 73 63Router(config-slb-probe)# request data 60 6F 2E 63 6F 6D 1F 0C 39 31 39 33 39 32 39 31 36 39 08 06 0ARouter(config-slb-probe)# request data 80 0A 01 01 2D 06 00 00 00 01 3D 06 00 00 00 05 05 06 00 00 00Router(config-slb-probe)# request data 100 00 06 06 00 00 00 02 04 06 0A 0A 18 0A 29 06 00 00 00 00Related Commands
request (HTTP probe)
To configure an HTTP probe to check the status of the real servers, use the request command in HTTP probe configuration mode. To remove a request configuration, use the no form of this command.
request [method {get | post | head | name name}] [url path]
no request [method {get | post | head | name name}] [url path]
Syntax Description
Defaults
No HTTP probe is configured to check the status of the real servers.
Command Modes
HTTP probe configuration (config-slb-probe)
Command History
Usage Guidelines
The request command configures the Cisco IOS Server Load Balancing (Cisco IOS SLB) HTTP probe method used to receive data from the server. Only one Cisco IOS SLB HTTP probe can be configured for each server farm.
If no values are configured following the method keyword, the default is Get.
If no URL path is set to the server, the default is /.
Examples
The following example configures an IOS SLB HTTP probe named PROBE2, enters HTTP probe configuration mode, and configures HTTP requests to use the post method and the URL /probe.cgi?all:
Router(config)# ip slb probe PROBE2 httpRouter(config-slb-probe)# request method post url /probe.cgi?allRelated Commands
ip slb probe http
Configures the Cisco IOS SLB IP probe name.
show ip slb probe
Displays information about an Cisco IOS SLB probe.
response
To define the data string to match against custom User Datagram Protocol (UDP) probe response packets, use the response command in custom UDP probe configuration mode.
response clause-number data start-byte hex-data-string
Syntax Description
Defaults
The data string to match against custom UDP probe response packets is not defined.
Command Modes
Custom UDP probe configuration (config-slb-probe)
Command History
Usage Guidelines
You can enter up to 8 individual response commands, to parse up to 8 non-contiguous bytes of data.
Examples
In the following example, if the 26th and 27th bytes of the response from PROBE6 are not FF FF, and the 44th and 45th bytes are not DD DD, the probe fails.
Router(config)# ip slb probe PROBE6 custom UDPRouter(config-slb-probe)# response 1 data 26 FF FFRouter(config-slb-probe)# response 2 data 44 DD DDRelated Commands
retry (real server)
To specify how long to wait before a new connection is attempted to a failed server, use the retry command in SLB real server configuration mode. To restore the default retry value, use the no form of this command.
retry retry-value
no retry
Syntax Description
Defaults
The default retry-value is 60 seconds.
Command Modes
SLB real server configuration (config-slb-real)
Command History
Examples
The following example specifies that 120 seconds must elapse after the detection of a server failure before a new connection is attempted:
Router(config)# ip slb serverfarm PUBLICRouter(config-slb-sfarm)# real 10.10.1.1Router(config-slb-real)# retry 120Related Commands
Feedback