Cisco IOS Server Load Balancing Configuration Guide
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- March 23, 2011
Chapter: How to Configure IOS SLB Features
- How to Configure Required and Optional IOS SLB Functions
- How to Configure Firewall Load Balancing
- How to Configure a Probe
- How to Configure DFP
- GPRS Load Balancing Configuration Task List
- GGSN-IOS SLB Messaging Task List
- How to Configure GPRS Load Balancing Maps
- How to Configure KAL-AP Agent Support
- RADIUS Load Balancing Configuration Task List
- Exchange Director for mSEF Configuration Task List
- RADIUS Configuration for the Exchange Director
- Firewall Configuration for the Exchange Director
- How to Configure a Firewall Farm
- How to Verify a Firewall Farm
- How to Verify Firewall Connectivity
- How to Configure a Probe
- How to Configure a Wildcard Search
- How to Configure Protocol-Level Purging of MLS entries
- How to Configure Connection Purge Request Behavior
- How to Configure Sticky Connection Purge Request Behavior
How to Configure IOS SLB Features
Configuring IOS SLB involves identifying server farms, configuring groups of real servers in server farms, and configuring the virtual servers that represent the real servers to the clients.
For configuration examples associated with these tasks, see the "Configuration Examples for IOS SLB" section on page 4-1.
For a complete description of the IOS SLB commands in this section, refer to the "Server Load Balancing Commands" chapter of the Cisco IOS IP Application Services Command Reference. To locate documentation of other commands that appear in this section, search online using Cisco.com.
To configure IOS SLB, perform the tasks in the following sections:
•
How to Configure Required and Optional IOS SLB Functions (Required)
•How to Configure Firewall Load Balancing (Optional)
•How to Configure a Probe (Optional)
•How to Configure DFP (Optional)
•GPRS Load Balancing Configuration Task List (Optional)
•GGSN-IOS SLB Messaging Task List (Optional)
•How to Configure GPRS Load Balancing Maps (Optional)
•How to Configure KAL-AP Agent Support (Optional)
•RADIUS Load Balancing Configuration Task List (Optional)
•Exchange Director for mSEF Configuration Task List (Optional)
•VPN Server Load Balancing Configuration Task List (Optional)
•ASN Load Balancing Configuration Task List (Optional)
•Home Agent Director Configuration Task List (Optional)
•How to Configure NAT (Optional)
•How to Configure Static NAT (Optional)
•Stateless Backup Configuration Task List (Optional)
•Stateful Backup of Redundant Route Processors Configuration Task List (Optional)
•How to Configure Database Entries (Optional)
•How to Configure Buffers for the Fragment Database (Optional)
•How to Clear Databases and Counters (Optional)
•How to Configure a Wildcard Search (Optional)
•How to Purge and Reassign Connections (Optional)
•How to Disable Automatic Server Failure Detection (Optional)
•How to Monitor and Maintain the Cisco IOS SLB Feature (Optional)
How to Configure Required and Optional IOS SLB Functions
To configure IOS SLB functions, perform the tasks in the following sections. Required and optional tasks are indicated.
•How to Configure a Server Farm and a Real Server (Required)
•How to Configure a Virtual Server (Required)
•How to Verify a Virtual Server (Optional)
•How to Verify a Server Farm (Optional)
•How to Verify Clients (Optional)
•How to Verify IOS SLB Connectivity (Optional)
How to Configure a Server Farm and a Real Server
Perform this required task to configure a server farm and a real server.
Note You cannot configure IOS SLB from different user sessions at the same time.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb serverfarm server-farm
4. access interface
5. bindid [bind-id]
6. nat {client pool | server}
7. predictor [roundrobin | leastconns | route-map mapname]
8. probe probe
9. real ipv4-address [ipv6 ipv6-address] [port]
10. faildetect numconns number-of-conns [numclients number-of-clients]
11. maxclients number-of-conns
12. maxconns number-of-conns [sticky-override]
13. reassign threshold
14. retry retry-value
15. weight setting
16. inservice
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
enable Router> enable |
Enables privileged EXEC mode. If prompted, enter your password. |
Step 2 |
configure terminal Router# configure terminal |
Enters global configuration mode. |
Step 3 |
ip slb serverfarm server-farm Router(config)# ip slb serverfarm PUBLIC |
Adds a server farm definition to the IOS SLB configuration and enters server farm configuration mode. |
Step 4 |
access interface Router(config-slb-sfarm)# access GigabitEthernet 0/1.1 |
(Optional) Configures an access interface or subinterface for a server farm. |
Step 5 |
bindid [bind-id] Router(config-slb-sfarm)# bindid 309 |
(Optional) Specifies a bind ID on the server farm for use by Dynamic Feedback Protocol (DFP). Note |
Step 6 |
nat {client pool | server} Router(config-slb-sfarm)# nat server |
(Optional) Configures Network Address Translation (NAT) client translation mode or NAT server address translation mode on the server farm. All IPv4 or IPv6 server farms that are associated with the same virtual server must have the same NAT configuration. |
Step 7 |
predictor [roundrobin | leastconns | route-map mapname] Router(config-slb-sfarm)# predictor leastconns |
(Optional) Specifies the algorithm to be used to determine how a real server is selected. Note For more details, see the following sections: • • |
Step 8 |
probe probe Router(config-slb-sfarm)# probe PROBE1 |
(Optional) Associates a probe with the real server. |
Step 9 |
real ipv4-address [ipv6 ipv6-address] [port] Router(config-slb-sfarm)# real 10.1.1.1 |
Identifies a real server by IPv4 address, and optional IPv6 address and port number, as a member of a server farm and enters real server configuration mode. Note |
Step 10 |
faildetect numconns number-of-conns [numclients number-of-clients] Router(config-slb-real)# faildetect numconns 10 numclients 3 |
(Optional) Specifies the number of consecutive connection failures and, optionally, the number of unique client connection failures, that constitute failure of the real server. • • |
Step 11 |
maxclients number-of-conns Router(config-slb-real)# maxclients 10 |
(Optional) Specifies the maximum number of IOS SLB RADIUS and GTP sticky subscribers that can be assigned to an individual virtual server. |
Step 12 |
maxconns number-of-conns [sticky-override] Router(config-slb-real)# maxconns 1000 |
(Optional) Specifies the maximum number of active connections allowed on the real server at one time. |
Step 13 |
reassign threshold Router(config-slb-real)# reassign 2 |
(Optional) Specifies the threshold of consecutive unacknowledged SYNchronize sequence numbers (SYNs) or Create Packet Data Protocol (PDP) requests that, if exceeded, result in an attempted connection to a different real server. Note |
Step 14 |
retry retry-value Router(config-slb-real)# retry 120 |
(Optional) Specifies the time interval, in seconds, to wait between the detection of a server failure and the next attempt to connect to the failed server. |
Step 15 |
weight setting Router(config-slb-real)# weight 24 |
(Optional) Specifies the real server workload capacity relative to other servers in the server farm. Note |
Step 16 |
inservice Router(config-slb-real)# inservice |
Enables the real server for use by IOS SLB. |
Note When performing server load balancing and firewall load balancing together on a Cisco Catalyst 6500 Family Switch, use the mls ip slb wildcard search rp command to reduce the probability of exceeding the capacity of the Telecommunications Access Method (TCAM) on the Policy Feature Card (PFC). See the"How to Configure a Wildcard Search" section for more details.
How to Configure a Virtual Server
Perform this required task to configure a virtual server. IOS SLB supports up to 500 virtual servers.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb vserver virtual-server
4. virtual ipv4-address [ipv4-netmask [group]] {esp | gre | protocol}
5. serverfarm primary-farm [backup backup-farm [sticky]] [ipv6-primary ipv6-primary-farm [ipv6-backup ipv6-backup-farm]] [map map-id priority priority]
6. access interface [route framed-ip]
7. advertise [active]
8. client {ipv4-address netmask [exclude] | gtp carrier-code [code]}
9. delay {duration | radius framed-ip duration}
10. gtp notification cac [reassign-count]
11. gtp session
12. gw port port
13. hand-off radius duration
14. idle [asn request duration | asn msid msid | gtp imsi duration [query [max-queries]] | gtp request duration | ipmobile request duration | radius {request | framed-ip} duration]
15. purge radius framed-ip acct on-off
16. purge radius framed-ip acct stop {attribute-number | {26 | vsa} {vendor-ID | 3gpp | 3gpp2} sub-attribute-number}
17. radius acct local-ack key [encrypt] secret-string
18. radius inject auth group-number {calling-station-id | username}
19. radius inject auth timer seconds
20. radius inject auth vsa vendor-id
21. replicate casa listen-ip remote-ip port [interval] [password [encrypt] secret-string timeout]
22. replicate interval interval
23. replicate slave
24. sticky {duration [group group-id] [netmask netmask] | asn msid [group group-id] | gtp imsi [group group-id] | radius calling-station-id | radius framed-ip [group group-id] | radius username [msid-cisco] [group group-id]}
25. synguard syn-count interval
26. inservice [standby group-name] [active]
DETAILED STEPS
How to Verify a Virtual Server
Perform the following optional task to verify a virtual server.
SUMMARY STEPS
1. show ip slb vservers
DETAILED STEPS
The following show ip slb vservers command verifies the configuration of the virtual servers PUBLIC_HTTP and RESTRICTED_HTTP:
Router# show ip slb vservers
slb vserver prot virtual state conns
-------------------------------------------------------------------
PUBLIC_HTTP TCP 10.0.0.1:80 OPERATIONAL 0
RESTRICTED_HTTP TCP 10.0.0.2:80 OPERATIONAL 0
Router#
How to Verify a Server Farm
Perform the following optional task to verify a server farm.
SUMMARY STEPS
1. show ip slb reals
2. show ip slb serverfarm
DETAILED STEPS
The following show ip slb reals command shows the status of server farms PUBLIC and RESTRICTED, the associated real servers, and their status:
Router# show ip slb real
real farm name weight state conns
---------------------------------------------------------------------
10.1.1.1 PUBLIC 8 OPERATIONAL 0
10.1.1.2 PUBLIC 8 OPERATIONAL 0
10.1.1.3 PUBLIC 8 OPERATIONAL 0
10.1.1.20 RESTRICTED 8 OPERATIONAL 0
10.1.1.21 RESTRICTED 8 OPERATIONAL 0
Router#
The following show ip slb serverfarm command displays the configuration and status of server farms PUBLIC and RESTRICTED:
Router# show ip slb serverfarm
server farm predictor nat reals bind id
---------------------------------------------------
PUBLIC ROUNDROBIN none 3 0
RESTRICTED ROUNDROBIN none 2 0
Router#
How to Verify Clients
Perform the following optional task to verify clients.
SUMMARY STEPS
1. show ip slb conns
DETAILED STEPS
The following show ip slb conns command verifies the restricted client access and status:
Router# show ip slb conns
vserver prot client real state nat
-------------------------------------------------------------------------------
RESTRICTED_HTTP TCP 10.4.4.0:80 10.1.1.20 CLOSING none
Router#
The following show ip slb conns command shows detailed information about the restricted client access status:
Router# show ip slb conns client 10.4.4.0 detail
VSTEST_UDP, client = 10.4.4.0:80
state = CLOSING, real = 10.1.1.20, nat = none
v_ip = 10.0.0.2:80, TCP, service = NONE
client_syns = 0, sticky = FALSE, flows attached = 0
Router#
How to Verify IOS SLB Connectivity
Perform the following optional task to verify IOS SLB connectivity.
SUMMARY STEPS
1. show ip slb stats
DETAILED STEPS
To verify that the IOS SLB feature is installed and is operating correctly, ping the real servers from the IOS SLB switch, then ping the virtual servers from the clients.
The following show ip slb stats command shows detailed information about the IOS SLB network status:
Router# show ip slb stats
Pkts via normal switching: 0
Pkts via special switching: 6
Pkts dropped: 0
Connections Created: 1
Connections Established: 1
Connections Destroyed: 0
Connections Reassigned: 0
Zombie Count: 0
Connections Reused: 0
•Normal switching exists when IOS SLB packets are managed on normal IOS switching paths (CEF, fast switching, and process level switching).
•Special switching exists when IOS SLB packets are managed on hardware-assisted switching paths.
See the "How to Monitor and Maintain the Cisco IOS SLB Feature" section for additional commands used to verify IOS SLB networks and connections.
How to Configure Firewall Load Balancing
Perform the following tasks to configure a basic IOS SLB firewall load-balancing network.
IOS SLB firewall load balancing uses probes to detect and recover from failures. You must configure a probe on each real server in the firewall farm. Ping probes are recommended; see the "How to Configure a Ping Probe" section for more details. If a firewall does not allow ping probes to be forwarded, use HTTP probes instead. See the "How to Configure an HTTP Probe" section for more details. You can configure more than one probe, in any combination of supported types (DNS, HTTP, TCP, or ping), for each firewall in a firewall farm.
When you perform server load balancing and firewall load balancing together on a Cisco Catalyst 6500 switch, use the mls ip slb wildcard search rp command in global configuration mode to reduce the probability of exceeding the capacity of the Telecommunications Access Method (TCAM) on the Policy Feature Card (PFC). See the "How to Configure a Wildcard Search" section for more details.
If IOS SLB experiences a high purge rate, the CPU might be impacted. If this problem occurs, use the no form of the mls ip slb purge global command in global configuration mode to disable purge throttling on TCP and UDP flow packets. See the"How to Configure Protocol-Level Purging of MLS Entries" section for more details.
This section describes the following IOS SLB firewall load-balancing configuration tasks. Required and optional tasks are indicated.
•How to Configure a Firewall Farm (Required)
•How to Verify a Firewall Farm (Optional)
•How to Verify Firewall Connectivity (Optional)
How to Configure a Firewall Farm
Perform the following required task to configure a firewall farm.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb firewallfarm firewall-farm
4. real ip-address
5. probe probe
6. weight setting
7. inservice
8. access [source source-ip netmask | destination destination-ip netmask | inbound {inbound-interface | datagram connection} | outbound outbound-interface]
9. predictor hash address [port]
10. purge connection
11. purge sticky
12. replicate casa listen-ip remote-ip port [interval] [password [encrypt] secret-string [timeout]]
13. replicate interval interval
14. replicate slave
15. protocol tcp
16. delay duration
17. idle duration
18. maxconns maximum-number
19. sticky duration [netmask netmask] [source | destination]
20. protocol datagram
21. idle duration
22. maxconns maximum-number
23. sticky duration [netmask netmask] [source | destination]
24. inservice
DETAILED STEPS
How to Verify a Firewall Farm
Perform the following optional task to verify a firewall farm.
SUMMARY STEPS
1. show ip slb real
2. show ip slb firewallfarm
DETAILED STEPS
The following show ip slb reals command shows the status of firewall farm FIRE1, the associated real servers, and the server status:
Router# show ip slb real
real farm name weight state conns
--------------------------------------------------------------------
10.1.1.2 FIRE1 8 OPERATIONAL 0
10.1.2.2 FIRE1 8 OPERATIONAL 0
The following show ip slb firewallfarm command shows the configuration and status of firewall farm FIRE1:
Router# show ip slb firewallfarm
firewall farm hash state reals
------------------------------------------------
FIRE1 IPADDR INSERVICE 2
How to Verify Firewall Connectivity
Perform the following optional task to verify firewall connectivity.
SUMMARY STEPS
1. Ping the external real servers.
2. Ping the internal real servers.
3. show ip slb stats
4. show ip slb real detail
5. show ip slb conns
DETAILED STEPS
To verify that IOS SLB firewall load balancing is configured and is operating correctly, perform the following steps:
Step 1 Ping the external real servers (the ones outside the firewall) from the IOS SLB firewall load-balancing switch.
Step 2 Ping the internal real servers (the ones inside the firewall) from the clients.
Step 3 Use the show ip slb stats command to show information about the IOS SLB firewall load-balancing network status:
Router# show ip slb stats
Pkts via normal switching: 0
Pkts via special switching: 0
Pkts dropped: 0
Connections Created: 1911871
Connections Established: 1967754
Connections Destroyed: 1313251
Connections Reassigned: 0
Zombie Count: 0
Connections Reused: 59752
Connection Flowcache Purges:1776582
Failed Connection Allocs: 17945
Failed Real Assignments: 0
•Normal switching exists when IOS SLB packets are managed on normal IOS switching paths (CEF, fast switching, and process level switching).
•Special switching exists when IOS SLB packets are managed on hardware-assisted switching paths.
Step 4 Use the show ip slb real detail command to show information about the IOS SLB firewall load-balancing real server status:
Router# show ip slb reals detail
172.16.88.5, SF1, state = OPERATIONAL, type = server
ipv6 = 2342:2342:2343:FF04:2388:BB03:3223:8912
conns = 0, dummy_conns = 0, maxconns = 4294967295
weight = 8, weight(admin) = 8, metric = 0, remainder = 0
reassign = 3, retry = 60
failconn threshold = 8, failconn count = 0
failclient threshold = 2, failclient count = 0
total conns established = 0, total conn failures = 0
server failures = 0
Step 5 Use the show ip slb conns command to show information about the active IOS SLB firewall load-balancing connections:
Router# show ip slb conns
vserver prot client real state nat
-------------------------------------------------------------------------------
FirewallTCP TCP 80.80.50.187:40000 10.1.1.4 ESTAB none
FirewallTCP TCP 80.80.50.187:40000 10.1.1.4 ESTAB none
FirewallTCP TCP 80.80.50.187:40000 10.1.1.4 ESTAB none
FirewallTCP TCP 80.80.50.187:40000 10.1.1.4 ESTAB none
FirewallTCP TCP 80.80.50.187:40000 10.1.1.4 ESTAB none
See the "How to Monitor and Maintain the Cisco IOS SLB Feature" section for additional commands used to verify IOS SLB networks and connections.
How to Configure a Probe
The following sections describe how to configure and verify probes. By default, no probes are configured in IOS SLB.
IOS SLB uses probes to verify connectivity and detect failures. For a detailed description of each type of probe, see the "Probes" section on page 2-19.
Perform the following task to configure a probe. Required and optional tasks are indicated.
•How to Configure a Custom UDP Probe (Required)
•How to Configure a DNS Probe (Required)
•How to Configure an HTTP Probe (Required)
•How to Configure a Ping Probe (Required)
•How to Configure a TCP Probe (Required)
•How to Configure a WSP Probe (Required)
•How to Associate a Probe (Required)
•How to Verify a Probe (Optional)
How to Configure a Custom UDP Probe
Perform the following task to configure a custom User Datagram Protocol (UDP) probe.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb probe probe custom udp
4. address [ip-address] [routed]
5. faildetect number-of-probes
6. interval seconds
7. port port
8. request data {start-byte | continue} hex-data-string
9. response clause-number data start-byte hex-data-string
10. timeout seconds
DETAILED STEPS
How to Configure a DNS Probe
Perform the following task to configure a Domain Name System (DNS) probe.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb probe probe dns
4. address [ip-address [routed]]
5. faildetect number-of-probes
6. interval seconds
7. lookup ip-address
DETAILED STEPS
How to Configure an HTTP Probe
Perform the following task to configure an HTTP probe.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb probe probe http
4. address [ip-address [routed]]
5. credentials {username [password]}
6. expect [status status-code] [regex expression]
7. header field-name [field-value]
8. interval seconds
9. port port
10. request [method {get | post | head | name name}] [url path]
11. Configure a route to the virtual server.
DETAILED STEPS
How to Configure a Ping Probe
Perform the following task to configure a ping probe.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb probe probe ping
4. address [ip-address [routed]]
5. faildetect number-of-pings
6. interval seconds
DETAILED STEPS
How to Configure a TCP Probe
Perform the following task to configure a TCP probe.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb probe probe tcp
4. address [ip-address [routed]]
5. interval seconds
6. port port
DETAILED STEPS
How to Configure a WSP Probe
Perform the following task to configure a Wireless Session Protocol (WSP) probe.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb probe probe wsp
4. address [ip-address [routed]]
5. interval seconds
6. url [path]
DETAILED STEPS
How to Associate a Probe
Perform the following task to associate a probe with a real server or firewall.
After configuring a probe, you must associate the probe with a real server or firewall using the probe command. See the "How to Configure a Server Farm and a Real Server" section and the "How to Configure Firewall Load Balancing" section for more details.
Note You cannot associate a WSP probe with a firewall.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb firewallfarm firewall-farm
4. probe probe
DETAILED STEPS
How to Verify a Probe
Perform the following optional task to verify a probe.
SUMMARY STEP
1. show ip slb probe
DETAILED STEP
To verify that a probe is configured correctly, use the show ip slb probe command:
Router# show ip slb probe
Server:Port State Outages Current Cumulative
----------------------------------------------------------------
10.1.1.1:80 OPERATIONAL 0 never 00:00:00
10.1.1.2:80 OPERATIONAL 0 never 00:00:00
10.1.1.3:80 OPERATIONAL 0 never 00:00:00
How to Configure DFP
Perform the following task to configure IOS SLB as a Dynamic Feedback Protocol (DFP) manager, and to identify a DFP agent with which IOS SLB can initiate connections.
You can define IOS SLB as a DFP manager, as a DFP agent for another DFP manager, or as both at the same time. Depending on your network configuration, you might enter the commands for configuring IOS SLB as a DFP manager and the commands for configuring IOS SLB as a DFP agent on the same device or on different devices.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb dfp [password [[encrypt] secret-string [timeout]]
4. agent ip-address port [timeout [retry-count [retry-interval]]]
5. Configure IOS SLB as a DFP agent.
DETAILED STEPS
GPRS Load Balancing Configuration Task List
Perform the following tasks to configure general packet radio service (GPRS) load balancing.
SUMMARY STEPS
1. Configure a server farm and a real server.
2. Configure a virtual server.
3. Configure the virtual IP address as a loopback on each of the gateway GPRS support nodes (GGSNs) in the servers.
4. Route each GGSN to each associated SGSN.
5. Route each SGSN to the virtual templates on each associated Cisco GGSN, and to the GPRS load-balancing virtual server.
6. Configure a GSN idle timer.
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
Configure a server farm and a real server. |
See the "How to Configure a Server Farm and a Real Server" section. When you configure the server farm and real server for GPRS load balancing, keep the following considerations in mind: • – – • • • – |
Step 2 |
Configure a virtual server. |
See the "How to Configure a Virtual Server" section. When you configure the virtual command, keep the following considerations in mind: • • • • – In GPRS load balancing without GTP cause code inspection enabled, when you configure the idle timer using the idle command, specify an idle timer greater than the longest possible interval between PDP context requests on the SGSN. – • – – – |
Step 3 |
Configure the virtual IP address as a loopback on each of the GGSNs in the servers. |
(Required for dispatched mode) This step is required only if you are using dispatched mode without GTP cause code inspection enabled. Refer to the Cisco IOS Interface Configuration Guide "Configuring Virtual Interfaces" section for more information. |
Step 4 |
Route each GGSN to each associated SGSN. |
The route can be static or dynamic, but the GGSN needs to be able to reach the SGSN. Refer to the Cisco IOS Mobile Wireless Configuration Guide "Configuring Network Access to the GGSN" section for more details. |
Step 5 |
Route each SGSN to the virtual templates on each associated Cisco GGSN, and to the GPRS load-balancing virtual server. |
(Required) Refer to the configuration guide for your SGSN for more details. |
Step 6 |
Configure a GSN idle timer. |
(Optional) This step is applicable only if GTP cause code inspection is enabled. See the "How to Configure a GSN Idle Timer" section for more information. |
How to Configure a GSN Idle Timer
Perform this task to configure a GPRS support node (GSN) idle timer.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb timers gtp gsn duration
DETAILED STEPS
GGSN-IOS SLB Messaging Task List
Perform this task to configure GGSN-IOS SLB messaging.
SUMMARY STEPS
1. Configure the GGSN to support GGSN-IOS SLB messaging.
2. Configure a server farm and a real server.
3. Configure a virtual server.
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
Configure the GGSN to support GGSN-IOS SLB messaging. |
When you configure GGSN-IOS SLB messaging support, configure all IOS SLB virtual servers that share the same GGSN to use the same NAT mode, either dispatched mode or directed mode, using the gprs slb mode command. The virtual servers cannot use a mix of dispatched mode and directed mode, because you can configure only one NAT mode on a given GGSN. For more information, refer to the Cisco IOS Mobile Wireless Configuration Guide for GGSN Release 5.0 for Cisco IOS Release 12.3(2)XU or later. |
Step 2 |
Configure a server farm and a real server. |
See the "How to Configure a Server Farm and a Real Server" section. When you configure the server farm and real server for GGSN-IOS SLB messaging, to prevent IOS SLB from failing the current real server when reassigning the session to a new real server, disable automatic server failure detection by specifying the no faildetect inband command. |
Step 3 |
Configure a virtual server. |
See the "How to Configure a Virtual Server" section. When you configure the virtual server for GGSN-IOS SLB messaging, specify the gtp notification cac command to limit the number of times IOS SLB can reassign a session to a new real server. |
How to Configure GPRS Load Balancing Maps
Perform this task to configure GPRS load balancing maps.
GPRS load balancing maps enable IOS SLB to categorize and route user traffic based on access point names (APNs). To enable maps for GPRS load balancing, you must define a GPRS Tunneling Protocol (GTP) map, then associate the map with a server farm.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb map map-id gtp | radius}
4. apn string
5. exit
6. ip slb vserver virtual-server
7. virtual ipv4-address [ipv4-netmask [group]] [ipv6 ipv6-address [prefix ipv6-prefix]] {tcp | udp} [port | any] [service service]
8. serverfarm primary-farm [backup backup-farm [sticky]] [ipv6-primary ipv6-primary-farm [ipv6-backup ipv6-backup-farm]] [map map-id priority priority]
DETAILED STEPS
How to Configure KAL-AP Agent Support
Perform this task to configure KeepAlive Application Protocol (KAL-AP) agent support.
KAL-AP agent support enables IOS SLB to perform load balancing in a global server load balancing (GSLB) environment.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb capp udp
4. peer [ip-address] port port
5. peer [ip-address] secret [encrypt] secret-string
6. exit
7. ip slb serverfarm server-farm
8. kal-ap domain tag
9. farm-weight setting
DETAILED STEPS
RADIUS Load Balancing Configuration Task List
Perform this task to configure RADIUS load balancing.
SUMMARY STEPS
1. Configure a server farm and a real server.
2. Configure a virtual server.
3. Enable IOS SLB to inspect packets for RADIUS framed-IP sticky routing.
4. Configure RADIUS load balancing maps.
5. Configure RADIUS load balancing accelerated data plane forwarding.
6. Increase the number of available Multilayer Switching (MLS) entries.
7. Configure a probe.
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
Configure a server farm and a real server. |
See the "How to Configure a Server Farm and a Real Server" section. When you configure the server farm and real server for RADIUS load balancing, keep the following considerations in mind: • • • |
Step 2 |
Configure a virtual server. |
See the "How to Configure a Virtual Server" section. When you configure the virtual server for RADIUS load balancing, keep the following considerations in mind: • • If you configure the access interface route framed-ip command, you must also configure the virtual command with the service radius keywords specified. • • • |
Configure a virtual server. |
• If you configure the sticky radius framed-ip command, you must also configure the virtual command with the service radius keywords specified. • To prevent IOS SLB from purging entries in the IOS SLB RADIUS framed-IP sticky database upon receipt of an Accounting On or Off message, specify the no purge radius framed-ip acct on-off virtual server configuration command. • To prevent IOS SLB from purging entries in the IOS SLB RADIUS framed-IP sticky database upon receipt of an Accounting-Stop message, specify the no purge radius framed-ip acct stop virtual server configuration command. • To enable IOS SLB to create the IOS SLB RADIUS username sticky database and direct RADIUS requests from a subscriber to the same service gateway based on the username, specify the sticky command with the radius username keywords. If you configure the sticky radius calling-station-id command or the sticky radius username command, you must also configure the virtual command with the service radius keywords specified, and you must configure the sticky radius framed-ip command. You cannot configure both the sticky radius calling-station-id command and the sticky radius username command on the same virtual server. • To configure a timer for VSA correlation for an authentication virtual server, configure the radius inject auth timer command. To buffer VSAs for VSA correlation for an authentication virtual server, configure the radius inject auth vsa command. To configure a VSA correlation group for an accounting virtual server, and to enable Message Digest Algorithm Version 5 (MD5) authentication for VSA correlation, configure the radius inject acct command. |
|
Step 3 |
Enable IOS SLB to inspect packets for RADIUS framed-IP sticky routing. |
(Optional) See the "How to Enable IOS SLB to Inspect Packets for RADIUS Framed-IP Sticky Routing" section. |
Step 4 |
Configure RADIUS load balancing maps. |
(Optional) See the "How to Configure RADIUS Load Balancing Maps" section. |
Step 5 |
Configure RADIUS load balancing accelerated data plane forwarding. |
(Optional) See the "How to Configure RADIUS Load Balancing Accelerated Data Plane Forwarding" section. |
Step 6 |
Increase the number of available MLS entries. |
(Optional) If you are running IOS SLB in dispatched mode on a Cisco Catalyst 6500 series switch with Cisco Supervisor Engine 2, you can improve performance by configuring the no mls netflow command. This command increases the number of MLS entries available for hardware switching of end-user flows. Note For more information about configuring MLS NetFlow, refer to the Cisco Catalyst 6000 Family IOS Software Configuration Guide. |
Step 7 |
Configure a probe. |
See the "How to Configure a Probe" section. To verify the health of the server, configure a ping probe. |
How to Enable IOS SLB to Inspect Packets for RADIUS Framed-IP Sticky Routing
Perform this task to enable IOS SLB to inspect packets for RADIUS framed-IP sticky routing.
You can enable IOS SLB to inspect packets whose source IP addresses match a configured IP address and subnet mask. If the source IP address of an inspected packet matches an entry in the IOS SLB RADIUS framed-IP sticky database, IOS SLB uses that entry to route the packet. Otherwise, IOS routes the packet.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb route {framed-ip deny | ip-address netmask framed-ip | inter-firewall}
DETAILED STEPS
How to Configure RADIUS Load Balancing Maps
Perform this task to configure RADIUS load balancing maps.
RADIUS load balancing maps enable IOS SLB to categorize and route user traffic based on RADIUS calling station IDs and usernames. To enable maps for RADIUS load balancing, you must define a RADIUS map, then associate the map with a server farm.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb map map-id radius
4. calling-station-id string
5. username string
6. exit
7. ip slb vserver virtual-server
8. virtual ipv4-address [ipv4-netmask [group]] [ipv6 ipv6-address [prefix ipv6-prefix]] {tcp | udp} [port | any] [service service]
9. serverfarm primary-farm [backup backup-farm [sticky]] [ipv6-primary ipv6-primary-farm [ipv6-backup ipv6-backup-farm ]] [map map-id priority priority]
DETAILED STEPS
How to Configure RADIUS Load Balancing Accelerated Data Plane Forwarding
Perform this task to configure RADIUS load balancing accelerated data plane forwarding.
RADIUS load balancing accelerated data plane forwarding, also known as Turbo RADIUS load balancing, is a high-performance solution that uses basic policy-based routing (PBR) route maps to manage subscriber data-plane traffic in a Cisco Content Services Gateway (CSG) environment.
Prerequisites
Turbo RADIUS load balancing requires a server farm configured with predictor route-map on the accounting virtual server.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb serverfarm server-farm
4. predictor [roundrobin | leastconns | route-map mapname]
5. exit
6. ip slb vserver virtual-server
7. virtual ipv4-address [ipv4-netmask [group]] [ipv6 ipv6-address [prefix ipv6-prefix]] {tcp | udp} [port | any] [service service]
8. serverfarm primary-farm [backup backup-farm [sticky]] [ipv6-primary ipv6-primary-farm [ipv6-backup ipv6-backup-farm ]] [map map-id priority priority]
9. radius acct local-ack key [encrypt] secret-string
10. radius inject auth group-number {calling-station-id | username}
11. radius inject auth timer seconds
12. radius inject auth vsa vendor-id
DETAILED STEPS
Exchange Director for mSEF Configuration Task List
Perform this task to configure Exchange Director for mobile Service Exchange Framework (mSEF).
This section contains the following information:
•RADIUS Configuration for the Exchange Director
•Firewall Configuration for the Exchange Director
RADIUS Configuration for the Exchange Director
Perform this task to configure RADIUS load balancing for the Exchange Director.
SUMMARY STEPS
1. Configure a server farm and a real server.
2. Configure a virtual server.
3. Enable IOS SLB to inspect packets for RADIUS framed-IP sticky routing.
4. Configure RADIUS load balancing maps.
5. Increase the number of available MLS entries.
6. Configure a probe.
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
Configure a server farm and a real server. |
See the "How to Configure a Server Farm and a Real Server" section. When you configure the server farm and real server for RADIUS for the Exchange Director, keep the following considerations in mind: • • |
Step 2 |
Configure a virtual server. |
See the "How to Configure a Virtual Server" section. When you configure the virtual server for RADIUS for the Exchange Director, keep the following considerations in mind: • • If you configure the access interface route framed-ip command, you must also configure the virtual command with the service radius keywords specified. • • • • If you configure the sticky radius framed-ip command, you must also configure the virtual command with the service radius keywords specified. |
Configure a virtual server. |
• To enable IOS SLB to create the IOS SLB RADIUS username sticky database and direct RADIUS requests from a subscriber to the same service gateway based on the username, specify the sticky command with the radius username keywords. If you configure the sticky radius calling-station-id command or the sticky radius username command, you must also configure the virtual command with the service radius keywords specified, and you must configure the sticky radius framed-ip command. You cannot configure both the sticky radius calling-station-id command and the sticky radius username command on the same virtual server. |
|
Step 3 |
Enable IOS SLB to inspect packets for RADIUS framed-IP sticky routing. |
(Optional) See the "How to Enable IOS SLB to Inspect Packets for RADIUS Framed-IP Sticky Routing" section. |
Step 4 |
Configure RADIUS load balancing maps. |
(Optional) See the "How to Configure RADIUS Load Balancing Maps" section. |
Step 5 |
Increase the number of available MLS entries. |
(Optional) If you are running IOS SLB in dispatched mode on a Cisco Catalyst 6500 series switch with Cisco Supervisor Engine 2, you can improve performance by configuring the no mls netflow command. This command increases the number of MLS entries available for hardware switching of end-user flows. Note For more information about configuring MLS NetFlow, refer to the Cisco Catalyst 6000 Family IOS Software Configuration Guide. |
Step 6 |
Configure a probe. |
See the "How to Configure a Probe" section. To verify the health of the server, configure a ping probe. |
Firewall Configuration for the Exchange Director
Perform this task to configure firewall load balancing for the Exchange Director.
This section lists the tasks used to configure firewalls for the Exchange Director. Detailed configuration information is contained in the referenced sections of this or other documents. Required and optional tasks are indicated.
•How to Configure a Firewall Farm (Required)
•How to Verify a Firewall Farm (Optional)
•How to Verify Firewall Connectivity (Optional)
•How to Configure a Probe (Required)
•How to Configure a Wildcard Search (Optional)
•How to Configure Protocol-Level Purging of MLS entries (Optional)
•How to Configure Connection Purge Request Behavior (Optional)
•How to Configure Sticky Connection Purge Request Behavior (Optional)
How to Configure a Firewall Farm
Perform the following required task to configure a firewall farm.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb firewallfarm firewall-farm
4. real ip-address
5. probe probe
6. weight setting
7. inservice
8. exit
9. access [source source-ip netmask] [destination destination-ip netmask]| inbound inbound-interface | outbound outbound-interface]
10. predictor hash address [port]
11. purge connection
12. purge sticky
13. replicate casa listen-ip remote-ip port [interval] [password [[encrypt] secret-string [timeout]]]
14. protocol tcp
15. delay duration
16. idle duration
17. maxconns maximum-number
18. sticky seconds [netmask netmask] [source | destination]
19. exit
20. protocol datagram
21. idle duration
22. maxconns maximum-number
23. sticky seconds [netmask netmask] [source | destination]
24. exit
25. inservice
DETAILED STEPS
How to Verify a Firewall Farm
Perform the following optional task to verify a firewall farm.
SUMMARY STEPS
1. show ip slb real
2. show ip slb firewallfarm
DETAILED STEPS
Step 1 The following show ip slb reals command displays the status of firewall farm FIRE1, the associated real servers, and their status:
Router# show ip slb real
real farm name weight state conns
--------------------------------------------------------------------
10.1.1.2 FIRE1 8 OPERATIONAL 0
10.1.2.2 FIRE1 8 OPERATIONAL 0
Step 2 The following show ip slb firewallfarm command displays the configuration and status of firewall farm FIRE1:
Router# show ip slb firewallfarm
firewall farm hash state reals
------------------------------------------------
FIRE1 IPADDR INSERVICE 2
How to Verify Firewall Connectivity
Perform the following optional task to verify firewall connectivity.
SUMMARY STEPS
1. Ping the external real servers.
2. Ping the internal real servers.
3. show ip slb stats
4. show ip slb real detail
5. show ip slb conns
DETAILED STEPS
To verify that IOS SLB firewall load balancing is configured and operating correctly, perform the following steps:
Step 1 Ping the external real servers (the ones outside the firewall) from the IOS SLB firewall load-balancing device.
Step 2 Ping the internal real servers (the ones inside the firewall) from the clients.
Step 3 Use the show ip slb stats command to display information about the IOS SLB firewall load-balancing network status:
Router# show ip slb stats
Pkts via normal switching: 0
Pkts via special switching: 0
Pkts dropped: 0
Connections Created: 1911871
Connections Established: 1967754
Connections Destroyed: 1313251
Connections Reassigned: 0
Zombie Count: 0
Connections Reused: 59752
Connection Flowcache Purges:1776582
Failed Connection Allocs: 17945
Failed Real Assignments: 0
•Normal switching exists when IOS SLB packets are managed on normal IOS switching paths (CEF, fast switching, and process level switching).
•Special switching exists when IOS SLB packets are managed on hardware-assisted switching paths.
Step 4 Use the show ip slb real detail command to display detailed information about the IOS SLB firewall load-balancing real server status:
Router# show ip slb reals detail
172.16.88.5, SF1, state = OPERATIONAL, type = server
ipv6 = 2342:2342:2343:FF04:2388:BB03:3223:8912
conns = 0, dummy_conns = 0, maxconns = 4294967295
weight = 8, weight(admin) = 8, metric = 0, remainder = 0
reassign = 3, retry = 60
failconn threshold = 8, failconn count = 0
failclient threshold = 2, failclient count = 0
total conns established = 0, total conn failures = 0
server failures = 0
Step 5 Use the show ip slb conns command to display information about active IOS SLB firewall load-balancing connections:
Router# show ip slb conns
vserver prot client real state nat
-------------------------------------------------------------------------------
FirewallTCP TCP 80.80.50.187:40000 10.1.1.4 ESTAB none
FirewallTCP TCP 80.80.50.187:40000 10.1.1.4 ESTAB none
FirewallTCP TCP 80.80.50.187:40000 10.1.1.4 ESTAB none
FirewallTCP TCP 80.80.50.187:40000 10.1.1.4 ESTAB none
FirewallTCP TCP 80.80.50.187:40000 10.1.1.4 ESTAB none
For additional commands used to verify IOS SLB networks and connections, see the "How to Monitor and Maintain the Cisco IOS SLB Feature" section.
How to Configure a Probe
Perform the following required task to configure a probe.
SUMMARY STEPS
1. Configure a probe on each real server in the firewall farm.
DETAILED STEPS
The Exchange Director uses probes to detect and recover from failures. You must configure a probe on each real server in the firewall farm.
•We recommend ping probes for each real server in a firewall farm. For more details, see the "How to Configure a Ping Probe" section.
•If a firewall does not allow ping probes to be forwarded, use HTTP probes instead. For more details, see the "How to Configure an HTTP Probe" section.
•You can configure more than one probe, in any combination of supported types (DNS, HTTP, TCP, or ping), for each firewall in a firewall farm.
How to Configure a Wildcard Search
Perform the following optional task to configure a wildcard search.
SUMMARY STEPS
1. mls ip slb wildcard search rp
DETAILED STEPS
Use the mls ip slb wildcard search rp command to reduce the probability of exceeding the capacity of the Telecommunications Access Method (TCAM) on the Policy Feature Card (PFC).
How to Configure Protocol-Level Purging of MLS entries
Perform the following task to configure protocol-level purging of MLS entries from active TCP and UDP flow packets.
SUMMARY STEPS
1. mls ip slb purge global
DETAILED STEPS
Use the mls ip slb purge global command to enable purge throttling on TCP and UDP flow packets. (This is the default setting.)
To disable purge throttling on TCP and UDP flow packets, use the no form of this command.
How to Configure Connection Purge Request Behavior
Perform the following task to enable IOS SLB firewall load balancing to send purge requests for connections.
SUMMARY STEPS
1. purge connection
DETAILED STEPS
Use the purge connection command to enable IOS SLB firewall load balancing to send purge requests for connections. (This is the default setting.)
To completely stop the sending of purge requests, use the no form of this command.
How to Configure Sticky Connection Purge Request Behavior
Perform the following task to enable IOS SLB firewall load balancing to send purge requests for sticky connections when the sticky timer expires.
SUMMARY STEPS
1. purge sticky
DETAILED STEPS
Use the purge sticky command to enable IOS SLB firewall load balancing to send purge requests for sticky connections when the sticky timer expires. (This is the default setting.)
To completely stop the sending of purge requests for sticky connections, use the no form of this command.
VPN Server Load Balancing Configuration Task List
Perform the following task to configure VPN server load balancing.
SUMMARY STEPS
1. Configure a server farm and a real server.
2. Configure a virtual server.
3. Configure a probe.
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
Configure a server farm and a real server. |
See the "How to Configure a Server Farm and a Real Server" section. When you configure the server farm and real server for VPN server load balancing, specify the IP addresses of the real servers acting as VPN terminators using the real command. |
Step 2 |
Configure a virtual server. |
See the "How to Configure a Virtual Server" section. When you configure the virtual server for VPN server load balancing of IPSec flows, keep the following considerations in mind: • • • When you configure the virtual server for VPN server load balancing of Point-to-Point Tunneling Protocol (PPTP) flows, keep the following considerations in mind: • • • |
Step 3 |
Configure a probe. |
See the "How to Configure a Probe" section. To verify the health of the server, configure a ping probe. |
ASN Load Balancing Configuration Task List
Perform the following task to configure load balancing across a set of Access Service Network (ASN) gateways.
SUMMARY STEPS
1. Configure the base station.
2. Configure a server farm and a real server.
3. Configure a virtual server.
4. Configure a probe.
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
Configure the base station. |
To enable IOS SLB to manage requests from the Mobile Subscriber Station (MSS), configure the base station with the virtual IP address of the IOS SLB device. |
Step 2 |
Configure a probe. |
See the "How to Configure a Probe" section. To verify the health of the server, configure a ping probe. |
Step 3 |
Associate a server farm and a real server with the probe. |
See the "How to Configure a Server Farm and a Real Server" section. When you configure the server farm and real server for ASN load balancing, keep the following considerations in mind: • • |
Step 4 |
Associate a virtual server with the server farm. |
See the "How to Configure a Virtual Server" section. When you configure the virtual server for ASN load balancing, keep the following considerations in mind: • • • • • |
Home Agent Director Configuration Task List
Perform the following task to configure the Home Agent Director.
SUMMARY STEPS
1. Configure a server farm and a real server.
2. Configure a virtual server.
3. Configure the virtual IP address as a loopback on each of the home agents in the servers.
4. Configure Dynamic Feedback Protocol (DFP).
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
Configure a server farm and a real server. |
See the "How to Configure a Server Farm and a Real Server" section. When you configure the server farm and real server for the Home Agent Director, keep the following considerations in mind: • • |
Step 2 |
Configure a virtual server. |
See the "How to Configure a Virtual Server" section. When you configure the virtual server for the Home Agent Director using the virtual command, keep the following considerations in mind: • • • • |
Step 3 |
Configure the virtual IP address as a loopback on each of the home agents in the servers. |
(Required for dispatched mode) This step is required only if you are using dispatched mode. Refer to the "Configuring a Loopback Interface" section in the Cisco IOS Interface Configuration Guide, Release 12.2 for more information. |
Step 4 |
Configure DFP. |
(Optional) See the "How to Configure DFP" section. When you configure DFP for the Home Agent Director, keep the following considerations in mind: • • • For information about these Mobile IP commands, refer to the Cisco Mobile Wireless Home Agent Release 2.0 feature module. |
How to Configure NAT
Perform the following task to configure the IOS SLB Network Address Translation (NAT) client address pool for client NAT.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb natpool pool start-ip end-ip [netmask netmask | prefix-length leading-1-bits] [entries init-address [max-address]]
4. nat {client pool | server}
DETAILED STEPS
You must also specify either NAT client translation mode or NAT server address translation mode on the server farm, using the nat command. See the "How to Configure a Server Farm and a Real Server" section for more details. When you configure the virtual server for NAT, remember that you cannot configure client NAT for an ESP or GRE virtual server.
How to Configure Static NAT
Perform the following task to configure static NAT.
Static NAT enables you to allow some users to use NAT and allow other users on the same Ethernet interface to continue with their own IP addresses. This option enables you to provide a default NAT behavior for real servers, differentiating between responses from a real server, and connection requests initiated by the real server.
Note To avoid unexpected results, make sure your static NAT configuration mirrors your virtual server configuration.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb static {drop | nat {virtual | virtual-ip [per-packet | sticky]}}
4. real ip-address [port]
DETAILED STEPS
Stateless Backup Configuration Task List
Perform the following task to configure stateless backup over VLANs between IOS SLB devices.
Note For active standby, in which multiple IOS SLB devices share a virtual IP address, you must use exclusive client ranges and you must use policy routing to forward flows to the correct IOS SLB device.
SUMMARY STEPS
1. Configure required and optional IOS SLB functions.
2. Configure firewall load balancing.
3. Configure the IP routing protocol.
4. Configure the VLAN between the IOS SLB devices.
5. Verify the stateless backup configuration.
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
Configure required and optional IOS SLB functions. |
(Required for server load balancing) See the "How to Configure Required and Optional IOS SLB Functions" section. |
Step 2 |
Configure firewall load balancing. |
(Required for firewall load balancing) See the "How to Configure Firewall Load Balancing" section. |
Step 3 |
Configure the IP routing protocol. |
Refer to the "IP Routing Protocols" chapter of the Cisco IOS IP Configuration Guide, Release 12.2 for details. |
Step 4 |
Configure the VLAN between the IOS SLB devices. |
Refer to the "Virtual LANs" chapter of the Cisco IOS Switching Services Configuration Guide, Release 12.2 for details. |
Step 5 |
Verify the stateless backup configuration. |
(Optional) See the "How to Verify the Stateless Backup Configuration" section. |
How to Verify the Stateless Backup Configuration
Perform the following task to verify the stateless backup configuration.
SUMMARY STEPS
1. show ip slb vservers
2. show ip slb vservers detail
3. show ip slb firewallfarm
4. show ip slb firewallfarm details
DETAILED STEPS
For server load balancing, to verify that stateless backup has been configured and is operating correctly, use the following show ip slb vservers commands to display information about the IOS SLB virtual server status:
Router# show ip slb vservers
slb vserver prot virtual state conns
-------------------------------------------------------------------
VS1 TCP 10.10.10.12:23 OPERATIONAL 2
VS2 TCP 10.10.10.18:23 OPERATIONAL 2
Router# show ip slb vservers detail
VS1, state = OPERATIONAL, v_index = 10
virtual = 10.10.10.12:23, TCP, service = NONE, advertise = TRUE
server farm = SERVERGROUP1, delay = 10, idle = 3600
sticky timer = 0, sticky subnet = 255.255.255.255
sticky group id = 0
synguard counter = 0, synguard period = 0
conns = 0, total conns = 0, syns = 0, syn drops = 0
standby group = None
VS2, state = INSERVICE, v_index = 11
virtual = 10.10.10.18:23, TCP, service = NONE, advertise = TRUE
server farm = SERVERGROUP2, delay = 10, idle = 3600
sticky timer = 0, sticky subnet = 255.255.255.255
sticky group id = 0
synguard counter = 0, synguard period = 0
conns = 0, total conns = 0, syns = 0, syn drops = 0
standby group = None
For firewall load balancing, to verify that stateless backup has been configured and is operating correctly, use the following show ip slb firewallfarm commands to display information about the IOS SLB firewall farm status:
Router# show ip slb firewallfarm
firewall farm hash state reals
------------------------------------------------
FIRE1 IPADDR INSERVICE 2
Router# show ip slb firewallfarm details
FIRE1, hash = IPADDRPORT, state = INSERVICE, reals = 2
FirewallTCP:
sticky timer = 0, sticky subnet = 255.255.255.255
idle = 3600, delay = 10, syns = 1965732, syn drop = 0
maxconns = 4294967295, conns = 597445, total conns = 1909512
FirewallUDP:
sticky timer = 0, sticky subnet = 255.255.255.255
idle = 3600
maxconns = 1, conns = 0, total conns = 1
Real firewalls:
10.1.1.3, weight = 10, OPERATIONAL, conns = 298823
10.1.1.4, weight = 10, OPERATIONAL, conns = 298622
Total connections = 597445
Stateful Backup of Redundant Route Processors Configuration Task List
Perform the following task to configure stateful backup of redundant route processors.
SUMMARY STEPS
1. Configure the replication message rate for slave replication.
2. Configure required and optional IOS SLB functions.
3. Configure firewall load balancing.
DETAILED STEPS
|
|
|
|
|---|---|---|
Step 1 |
Configure the replication message rate for slave replication. |
Specify the ip slb replicate slave rate command in global configuration mode. |
Step 2 |
Configure required and optional IOS SLB functions. |
(Required for server load balancing) See the "How to Configure Required and Optional IOS SLB Functions" section. When you configure the virtual server for stateful backup of redundant route processors, keep the following considerations in mind: • • |
Step 3 |
Configure firewall load balancing. |
(Required for firewall load balancing) See the "How to Configure Firewall Load Balancing" section. When you configure the firewall farm for stateful backup of redundant route processors, keep the following considerations in mind: • • |
How to Configure Database Entries
Perform the following task to configure database entries.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb entries [conn [init-conn [max-conn]] | frag [init-frag [max-frag] | lifetime timeout] | gtp {gsn [init-gsn [max-gsn] | nsapi [init-nsapi [max-nsapi]} | sticky [init-sticky [max-sticky]]]
DETAILED STEPS
How to Configure Buffers for the Fragment Database
Perform the following task to configure buffers for the fragment database.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb maxbuffers frag buffers
DETAILED STEPS
How to Clear Databases and Counters
Perform the following task to clear databases and counters.
SUMMARY STEPS
1. clear ip slb connections [firewallfarm firewall-farm | serverfarm server-farm | vserver virtual-server]
2. clear ip slb counters [kal-ap]
3. clear ip slb sessions [firewallfarm firewall-farm | serverfarm server-farm | vserver virtual-server]
4. clear ip slb sticky asn msid msid
5. clear ip slb sticky gtp imsi [id imsi]
6. clear ip slb sticky radius {calling-station-id [id string] | framed-ip [framed-ip [netmask]]}
DETAILED STEPS
How to Configure a Wildcard Search
Perform the following task to configure a wildcard search.
SUMMARY STEPS
1. enable
2. configure terminal
3. Router(config)# mls ip slb search {wildcard [pfc | rp] | icmp}
DETAILED STEPS
How to Configure Protocol-Level Purging of MLS Entries
Perform the following task to specify protocol-level purging of MLS entries from active TCP and UDP flow packets.
SUMMARY STEPS
1. enable
2. configure terminal
3. Router(config)# mls ip slb purge global
DETAILED STEPS
How to Purge and Reassign Connections
Perform the following task to purge and reassign connections.
You can enable IOS SLB to automatically remove connections to failed real servers and firewalls from the connection database even if the idle timers have not expired. This function is useful for applications that do not rotate the source port (such as IKE), and for protocols that do not have ports to differentiate flows (such as ESP).
You can also enable IOS SLB to automatically reassign to a new real server or firewall RADIUS sticky objects that are destined for a failed real server or firewall.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb serverfarm server-farm
4. failaction [purge | asn purge | gtp purge | radius reassign]
5. exit
6. ip slb firewallfarm firewall-farm
7. failaction purge
DETAILED STEPS
How to Disable Automatic Server Failure Detection
Perform the following task to disable automatic server failure detection.
If you have configured all-port virtual servers (that is, virtual servers that accept flows destined for all ports except GTP ports), flows can be passed to servers for which no application port exists. When the servers reject these flows, IOS SLB might fail the servers and remove them from load balancing. This situation can also occur in slow-to-respond AAA servers in RADIUS load-balancing environments. To prevent this situation, you can disable automatic server failure detection.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip slb serverfarm server-farm
4. real ipv4-address [ipv6 ipv6-address] [port]
5. no faildetect inband
DETAILED STEPS
How to Monitor and Maintain the Cisco IOS SLB Feature
Perform the following task to obtain and display runtime information about IOS SLB.
SUMMARY STEPS
1. show ip slb conns
2. show ip slb dfp
3. show ip slb firewallfarm
4. show ip slb fragments
5. show ip slb gtp
6. show ip slb map
7. show ip slb natpool
8. show ip slb probe
9. show ip slb reals
10. show ip slb replicate
11. show ip slb serverfarms
12. show ip slb sessions
13. show ip slb static
14. show ip slb stats
15. show ip slb sticky
16. show ip slb vservers
17. show ip slb wildcard
DETAILED STEPS
Step 1 show ip slb conns [vserver virtual-server | client ip-address | firewall firewall-farm] [detail]
Displays all connections managed by IOS SLB, or, optionally, only those connections associated with a particular virtual server or client. The following is sample output from this command:
Router# show ip slb conns
vserver prot client real state
----------------------------------------------------------------------------
TEST TCP 10.150.72.183:328 10.80.90.25:80 INIT
TEST TCP 10.250.167.226:423 10.80.90.26:80 INIT
TEST TCP 10.234.60.239:317 10.80.90.26:80 ESTAB
TEST TCP 10.110.233.96:747 10.80.90.26:80 ESTAB
TEST TCP 10.162.0.201:770 10.80.90.30:80 CLOSING
TEST TCP 10.22.225.219:995 10.80.90.26:80 CLOSING
TEST TCP 10.2.170.148:169 10.80.90.30:80
Step 2 show ip slb dfp [agent agent-ip port | manager manager-ip | detail | weights]
Displays information about Dynamic Feedback Protocol (DFP) and DFP agents, and about the weights assigned to real servers. The following is sample output from this command:
Router# show ip slb dfp
DFP Manager:
Current passwd:NONE Pending passwd:NONE
Passwd timeout:0 sec
Agent IP Port Timeout Retry Count Interval
--------------------------------------------------------------
172.16.2.34 61936 0 0 180 (Default)
Step 3 show ip slb firewallfarm [detail]
Displays information about firewall farms. The following is sample output from this command:
Router# show ip slb firewallfarm
firewall farm hash state reals
------------------------------------------------
FIRE1 IPADDR OPERATIONAL 2
Step 4 show ip slb fragments
Displays information from the IOS SLB fragment database. The following is sample output from this command:
Router# show ip slb fragments
ip src id forward src nat dst nat
---------------------------------------------------------------------
10.11.2.128 12 10.11.2.128 10.11.11.11 10.11.2.128
10.11.2.128 13 10.11.2.128 10.11.11.11 10.11.2.128
10.11.2.128 14 10.11.2.128 10.11.11.11 10.11.2.128
10.11.2.128 15 10.11.2.128 10.11.11.11 10.11.2.128
10.11.2.128 16 10.11.2.128 10.11.11.11 10.11.2.128
Step 5 show ip slb gtp {gsn [gsn-ip-address] | nsapi [nsapi-key] [detail]
Displays IOS SLB GPRS Tunneling Protocol (GTP) information. The following is sample output from this command:
Router# show ip slb gtp gsn 10.0.0.0
type ip recovery-ie purging
------------------------------------------
SGSN 10.0.0.0 UNKNOWN N
Step 6 show ip slb map [map-id]
Displays information about IOS SLB protocol maps. The following is sample output from this command:
Router# show ip slb map
ID: 1, Service: GTP
APN: Cisco.com, yahoo.com
PLMN ID(s): 11122, 444353
SGSN access list: 100
ID: 2, Service: GTP
PLMN ID(s): 67523, 345222
PDP Type: IPv4, PPP
ID: 3, Service: GTP
PDP Type: IPv6
ID: 4, Service: RADIUS
Calling-station-id: "?919*"
ID: 5, Service: RADIUS
Username: ". .778cisco.*"
Step 7 show ip slb natpool [name pool] [detail]
Displays information about the IOS SLB NAT configuration. The following is sample output from this command:
Router# show ip slb natpool
nat client B 209.165.200.225 1.1.1.6 1.1.1.8 Netmask 255.255.255.0
nat client A 10.1.1.1 1.1.1.5 Netmask 255.255.255.0
Step 8 show ip slb probe [name probe] [detail]
Displays information about probes defined to IOS SLB. The following is sample output from this command:
Router# show ip slb probe
Server:Port State Outages Current Cumulative
----------------------------------------------------------------
10.10.4.1:0 OPERATIONAL 0 never 00:00:00
10.10.5.1:0 FAILED 1 00:00:06 00:00:06
Step 9 show ip slb reals [sfarm server-farm] [detail]
Displays information about the real servers defined to IOS SLB. The following is sample output from this command:
Router# show ip slb reals
real farm name weight state conns
--------------------------------------------------------------------
10.80.2.112 FRAG 8 OUTOFSERVICE 0
10.80.5.232 FRAG 8 OPERATIONAL 0
10.80.15.124 FRAG 8 OUTOFSERVICE 0
10.254.2.2 FRAG 8 OUTOFSERVICE 0
10.80.15.124 LINUX 8 OPERATIONAL 0
10.80.15.125 LINUX 8 OPERATIONAL 0
10.80.15.126 LINUX 8 OPERATIONAL 0
10.80.90.25 SRE 8 OPERATIONAL 220
10.80.90.26 SRE 8 OPERATIONAL 216
10.80.90.27 SRE 8 OPERATIONAL 216
10.80.90.28 SRE 8 TESTING 1
10.80.90.29 SRE 8 OPERATIONAL 221
10.80.90.30 SRE 8 OPERATIONAL 224
10.80.30.3 TEST 100 READY_TO_TEST 0
10.80.30.4 TEST 100 READY_TO_TEST 0
10.80.30.5 TEST 100 READY_TO_TEST 0
10.80.30.6 TEST 100 READY_TO_TEST 0
Step 10 show ip slb replicate
Displays information about the IOS SLB replication configuration. The following is sample output from this command:
Router# show ip slb replicate
VS1, state = NORMAL, interval = 10
Slave Replication: Enabled
Slave Replication statistics:
unsent conn updates: 0
conn updates received: 0
conn updates transmitted: 0
update messages received: 0
update messages transmitted: 0
Casa Replication:
local = 10.1.1.1 remote = 10.2.2.2 port = 1024
current password = <none> pending password = <none>
password timeout = 180 sec (Default)
Casa Replication statistics:
unsent conn updates: 0
conn updates received: 0
conn updates transmitted: 0
update packets received: 0
update packets transmitted: 0
failovers: 0
Step 11 show ip slb serverfarms [name server-farm] [detail]
Displays information about the server farms defined to IOS SLB. The following is sample output from this command:
Router# show ip slb serverfarms
server farm predictor reals bind id
-------------------------------------------------
FRAG ROUNDROBIN 4 0
LINUX ROUNDROBIN 3 0
SRE ROUNDROBIN 6 0
TEST ROUNDROBIN 4 0
Step 12 show ip slb sessions [asn | gtp [ipv6] | gtp-inspect | ipmobile | radius] [vserver virtual-server] [client ipv4-address netmask] [detail]
Displays information about sessions managed by IOS SLB. The following is sample output from this command:
Router# show ip slb sessions radius
Source Dest Retry
Addr/Port Addr/Port Id Count Real Vserver
------------------------------------------------------------------------------
10.10.11.1/1645 10.10.11.2/1812 15 1 10.10.10.1 RADIUS_ACCT
Step 13 show ip slb static
Displays information about the IOS SLB server Network Address Translation (NAT) configuration. The following is sample output from this command:
Router# show ip slb static
real action address counter
---------------------------------------------------------------
10.11.3.4 drop 0.0.0.0 0
10.11.3.1 NAT 10.11.11.11 3
10.11.3.2 NAT sticky 10.11.11.12 0
10.11.3.3 NAT per-packet 10.11.11.13 0
Step 14 show ip slb stats
Displays IOS SLB statistics. The following is sample output from this command:
Router# show ip slb stats
Pkts via normal switching: 779
Pkts via special switching: 0
Pkts via slb routing: 0
Pkts Dropped: 4
Connections Created: 4
Connections Established: 4
Connections Destroyed: 4
Connections Reassigned: 5
Zombie Count: 0
Connections Reused: 0
Connection Flowcache Purges: 0
Failed Connection Allocs: 0
Failed Real Assignments: 0
RADIUS Framed-IP Sticky Count: 0
RADIUS username Sticky Count: 0
RADIUS calling-station-id Sticky Count: 0
GTP IMSI Sticky Count: 0
Failed Correlation Injects: 0
Pkt fragments drops in ssv: 0
ASN MSID sticky count: 1
Step 15 show ip slb sticky [client ip-address netmask | radius calling-station-id [id string] | radius framed-ip [client ip-address netmask] | radius username [name string]]
Displays information about the sticky connections defined to IOS SLB. The following is sample output from this command:
Router# show ip slb sticky
client netmask group real conns
-----------------------------------------------------------------------
10.10.2.12 255.255.0.0 4097 10.10.3.2 1
Step 16 show ip slb vservers [name virtual-server] [redirect] [detail]
Displays information about the virtual servers defined to IOS SLB. The following is sample output from this command:
Router# show ip slb vservers
slb vserver prot virtual state conns
---------------------------------------------------------------------
TEST TCP 10.80.254.3:80 OPERATIONAL 1013
TEST21 TCP 10.80.254.3:21 OUTOFSERVICE 0
TEST23 TCP 10.80.254.3:23 OUTOFSERVICE 0
Step 17 show ip slb wildcard
Displays information about the wildcard representation for virtual servers defined to IOS SLB. The following is sample output from this command:
Router# show ip slb wildcard
Interface Source Address Port Destination Address Port Prot
ANY 0.0.0.0/0 0 3.3.3.3/32 2123 UDP
ANY 0.0.0.0/0 0 3.3.3.3/32 0 UDP
ANY 0.0.0.0/0 0 0.0.0.0/0 0 ICMP
Interface: ANY
Source Address [Port]: : :/0[0]
Destination Address [Port]: 2342:2342:2343:FF04:2341:AA03:2323:8912/128[0]
Protocol: ICMPV6
Interface: ANY
Source Address [Port]: : :/0[0]
Destination Address [Port]: 2342:2342:2343:FF04:2341:AA03:2323:8912/128[2123]
Protocol: UDP
Feedback