Enterasys Networks DFE-Gold Series Session Persistence, Sticky Persistence Configuration Considerations

Configuring Load Sharing Network Address Translation (LSNAT)

19-2 LSNAT Configuration

•WhendifferentvirtualserverIPs(VIPs)sharethesamerealserverindifferentserverfarms,

thepersistencelevelmustbesetthesame.

•Ingeneral,inordertoeditordeleteavirtualserverorrealserver(serverfarm)configuration,

thedevicesmustbefirstconfigured“outofservice”(noinservice)beforethechangeswillbe

allowed.

Session Persistence

LoadbalancingclientsconnecttoavirtualIPaddresswhich,inreality,isredirectedtooneof

severalphysicalserversinaloadbalancingserverfarmgroup.Inmanywebpagedisplay

applications,aclientmayhaveitsrequestsredirectedtoandservicedbydifferentserversinthe

group.Incertainsituations,however,itmaybecriticalthatalltrafficfortheclientbedirectedto

thesamephysicalserverforthedurationofthesession—thisistheconceptofsessionpersistence.

Whentherouterreceivesanewsessionrequestfromaclientforaspecificvirtualaddress,the

routercreatesabindingbetweentheclient(source)IPaddress/portsocketandthe(destination)IP

address/portsocketoftheloadbalancingserverselectedforthisclient.Subsequentpacketsfrom

clientsarecomparedtothelistofbindings.Ifthereisamatch,thepacketissenttothesameserver

previouslyselectedforthisclient.Ifthereisnotamatch,anewbindingiscreated.Howtherouter

determinesthebindingmatchforsessionpersistenceisconfiguredwiththepersistencelevel

commandwhenthevirtualserveriscreated.

Therearethreeconfigurablelevelsofsessionpersistence:

•TCPpersistence—abindingisdeterminedbythematchingthesourceIP/portaddressas

wellasthevirtualdestinationIP/portaddress.Forexample,requestsfromtheclientaddress

of134.141.176.10:1024tothevirtualdestinationaddress207.135.89.16:80isconsideredone

sessionandwouldbedirectedtothesameloadbalancingserver(forexample,theserverwith

IPaddress10.1.1.1).Arequestfromadifferentsourcesocketfromthesameclientaddressto

thesamevirtualdestinationaddresswouldbeconsideredanothersessionandmaybe

directedtoadifferentloadbalancingserver(forexample,theserverwithIPaddress10.1.1.2).

Thisisthedefaultlevelofsessionpersistence.

•SSLpersistence—abindingisdeterminedbymatchingthesourceIPaddressandthevirtual

destinationIP/portaddress.NotethatrequestsfromanysourcesocketwiththeclientIP

addressareconsideredpartofthesamesession.Forexample,requestsfromtheclientIP

addressof134.141.176.10:1024or134.141.176.10:1025tothevirtualdestinationaddress

207.135.89.16:80wouldbeconsideredonesessionandwouldbedirectedtothesameload

balancingserver(forexample,theserverwithIPaddress10.1.1.1).

•Stickypersistence—abindingisdeterminedbymatchingthesourceanddestinationIP

addressesonly.Thisallowsallrequestsfromaclienttothesamevirtualaddresstobedirected

tothesameloadbalancingserver.Forexample,bothHTTPandHTTPSrequestsfromthe

clientaddress134.141.176.10tothevirtualdestinationaddress207.135.89.16wouldbe

directedtothesameloadbalancingserver(forexample,theserverwithIPaddress10.1.1.1).

Stickypersistencefunctionalityprovideslesssecuritybutthemostflexiblecapabilityforusersto

loadbalanceallservicesthroughavirtualIPaddress.Inaddition,thisfunctionalityprovides

betterresourceusagebytheLSNATrouter,aswellasbetterperformanceforthesameclients

tryingtoreachthesamerealserversacrossdifferentservicesthroughavirtualserver.

Forexample,withstickypersistence,HTTP,HTTPS,TELNETandSSHrequestsfromaclient

(200.1.1.1)tothevirtualserveraddress(192.168.1.2)wouldallbedirectedtothesamerealserver.

Theclientalwaysgoestothesamerealserverforalltheservicesprovidedbythatserver,andit