Enterasys Networks DFE-Gold Series Application Content Verification (ACV)

Configuring Load Sharing Network Address Translation (LSNAT)

19-4 LSNAT Configuration

theUDPport.IftheserverrespondswithanICMP“PortUnreachable”message,itisconcluded

thattheportisnotactiveandtheserverisreportedas“DOWN”.Otherwise,iftheservereither

getsdatabackfromtherequesttotheserverordoesnotgetanyresponseatall,itisassumedthat

theportisactiveandtheserverisreportedas“UP”.Thelackofaresponsecouldalsobethe

resultoftheserveritselfnotbeingavailableandcouldproduceanerroneousindicationofthe

serverbeing“UP”.ToavoidthiswhenrequestinganAPPUDPonaUDPport,anICMPpingis

issuedfirsttoinsurethattheserverisavailablebeforesubmittingtheAPPUDPrequest.This

preventsasituationwheretheUDPportwillnotreturna“PortUnreachable”becauseofthe

serveritselfbeingdown,resultinginLSNATrespondingwithafalseindicationthattheUDPport

is“UP”.

Application Content Verification (ACV)

ApplicationContentVerification(ACV)canbeenabledonaporttoverifythecontentofan

applicationononeormoreloadbalancingservers.ACVisamethodofensuringthatdatacoming

fromyourserversremainsintactanddoesnotchangewithoutyourknowledge.ACVcan

simultaneouslyprotectagainstserveroutages,accidentalfilemodificationordeletion,andservers

whosesecurityhavebeencompromised.Bynature,ACVisprotocolindependentandisdesigned

toworkwithanytypeofserverthatcommunicatesviaformattedASCIItextmessages,including

HTTP,FTP,andSMTP.ForACVverification,youspecifythefollowing:

•Astringthattheroutersendstoasingleserver.ThestringcanbeasimpleHTTPcommandto

getaspecificHTMLpage,oritcanbeacommandtoexecuteauser‐definedCGIscriptthat

teststheoperationoftheapplication.

•Thereplythattheapplicationoneachserversendsisbackusedbytheroutertovalidatethe

content.InthecasewhereaspecificHTMLpageisretrieved,thereplycanbeastringthat

appearsonthepage,suchas“OK”.IfaCGIscriptisexecutedontheserver,itshouldreturna

specificresponse(forexample,“OK”)thattheroutercanverify.

ACVworksbysendingacommandtoyourserverandsearchingtheresponseforacertainstring.

Ifitfindsthestring,theserverismarkedasUp.Ifthestringisnotfound,theserverismarkedas

Down.

Forexample,ifyousentthefollowingstringtoyourHTTPserver,“HEAD/HTTP/

1.1\\r\\nHost:www.enterasys.com\\r\\n\\r\\n”,youcouldexpecttogetaresponseofa

stringreturnedsimilartothefollowing:

HTTP/1.1 200 OK

Date: Tue, 11 Dec 2007 20:03:40 GMT

Server: Apache/2.0.40 (Red Hat Linux)

Last-Modified: Wed, 19 Sep 2007 13:56:03 GMT

ETag: “297bc-b52-65f942c0”

Accept-Ranges: bytes

Content-Length: 2898

Youcansearchforareplystringof“200OK”thiswouldresultinasuccessfulverificationofthe

service.

BecauseACVcansearchforastringinonlythefirst255bytesoftheresponse,inmostHTTPcases

theresponsewillhavetobeinthepacketʹsHTTPheader(i.e.,youwillnotbeabletosearchfora

stringcontainedinthewebpageitself).

SomeprotocolssuchasFTPorSMTPrequireuserstoissueacommandtoclosethesessionafter

makingtherequest.Afaildetectacv‐quitcommandallowsfortheinputofthequitstring

required.