Enterasys Networks DFE-Gold Series Configuring Direct Access to Real Servers, Service Verification

Configuring Load Sharing Network Address Translation (LSNAT)

Enterasys Matrix DFE-Gold Series Configuration Guide 19-3

wouldonlyrequiretheuseofonebindinghardwareresource(insteadofoneperserviceper

client).

Inordertousestickypersistence,thefollowingconfigurationcriteriaarerequired:

•Stickypersistencemustbeconfiguredfortheserverfarmgroup(withthestickycommand)as

wellasforthevirtualserver(withthepersistencelevelcommand).

•Therealserversinthisserverfarmaretobeusedforallservices.Theserversarenotallowed

tobeusedwithotherserverfarmstosupportothervirtualserverservices.Thereisone

exceptiontothisrule,describedinthenextbulletitem.

•StickymeansallTCPportsorallUDPportsonthevirtualserveraresupported,butnotboth.

YoucancreatetwovirtualserverswithdifferentIPaddresses(oneforTCPprotocolsandone

forUDPprotocols/ports)andusethesamerealservers(withdifferentserverfarmnames).

ThatwayallTCPandUDPportsaresupportedbythesamesetofrealservers.

•Port0inthevirtualserverhastobeusedtosupportthisserviceandisreservedforthis

purpose.

•TheserviceFTPconfigurationisnotneededforthistypeofpersistence.(Seethevirtual

command,“virtual”onpage 19‐22.)

Configuring Direct Access to Real Servers

WhentheLSNATrouterhasbeenconfiguredwithloadbalancingserverfarmgroups,withreal

serversandvirtualserversconfiguredand“inservice,”therealserversareprotectedfromdirect

clientaccessforallservices.Loadsharingclientscanonlyaccessspecificservicesonthereal

serversbymeansofthevirtualserversconfiguredtoprovidethoseservices.

Ifyoualsowanttoprovidedirectclientaccesstorealserversconfiguredaspartofaserverfarm

group,therearetwomechanismsthatcanprovidedirectclientaccess.

Thefirstmechanism,configuredwithinvirtualserverconfigurationmodewiththeallow

accessserverscommand,allowsyoutoidentifyspecificclientswhocansetupconnections

directlytoarealserver’sIPaddress,aswellascontinuetousethevirtualserverIPaddress.

Thesecondmechanism,configuredinGlobalconfigurationmodewiththeipslballowaccess_all

command,allowsallclientstodirectlyaccessallservicesprovidedbyrealservers,exceptforthose

servicesconfiguredtobeaccessedbymeansofaconfiguredvirtualserver.Therealserversarestill

protectedfromdirectclientaccessforconfiguredservicesonly.Forexample,usingthis

mechanism,ifyouconfiguredaloadbalancingservergroupcontaining“realserver1”and

“realserver2”toprovideHTTPservicethroughvirtualserver“vserver‐http,”clientscanonly

accesstheHTTPserviceonthoserealserversbymeansofthe“vserver‐http”virtualserver.

However,clientscandirectlyaccess“realserver1”and“realserver2”foranyservicesotherthan

HTTP.

Ifyoucombinethetwomechanisms,thatis,configureipslballowaccess_allattheGlobal

configurationmodeandalsoconfigureallowaccessserverswithinavirtualserver’sconfiguration

mode,theclientsidentifiedwiththeallowaccessserverscommandwillhavedirectaccesstothe

realserversforallservices(includingthoseprovidedbyavirtualserver)andbeblockedfrom

usingthevirtualserver.Soforexample,an“allowed”clientcanaccess“realserver1”and

“realserver2”directlyforallservices,includingHTTP,butcannotaccessthoseserversforHTTP

bymeansofthe“vserver‐http”virtualserver.

UPDportserviceverificationcanbeenabledononeormoreloadbalancingservers.Thefirmware

accomplishesthisbysendingaUDPpacketwith“\r\n”(CarriageReturn/LineFeed)asdatato