Enterasys Matrix DFE-Gold Series

To Next Page

To Previous Page

Configuring Load Sharing Network Address Translation (LSNAT)

Enterasys Matrix DFE-Gold Series Configuration Guide 19-3

wouldonlyrequiretheuseofonebindinghardwareresource(insteadofoneperserviceper

client).

Inordertousestickypersistence,thefollowingconfigurationcriteriaarerequired:

•Stickypersistencemustbeconfiguredfortheserverfarmgroup(withthestickycommand)as

wellasforthevirtualserver(withthe

persistencelevelcommand).

•Therealserversinthisserverfarmaretobeusedforallservices.Theserversarenotallowed

tobeusedwithotherserverfarmstosupportothervirtualserverservices.Thereisone

exceptiontothisrule,describedinthenextbulletitem.

•Stickymeansall

TCPportsorallUDPportsonthevirtualserveraresupported,butnotboth.

YoucancreatetwovirtualserverswithdifferentIPaddresses(oneforTCPprotocolsandone

forUDPprotocols/ports)andusethesamerealservers(withdifferentserverfarmnames).

ThatwayallTCPandUDPports

aresupportedbythesamesetofrealservers.

•Port0inthevirtualserverhastobeusedtosupportthisserviceandisreservedforthis

purpose.

•TheserviceFTPconfigurationisnotneededforthistypeofpersistence.(Seethevirtual

command,“virtual”onpage 19‐22.)

Configuring Direct Access to Real Servers

WhentheLSNATrouterhasbeenconfiguredwithloadbalancingserverfarmgroups,withreal

serversandvirtualserversconfiguredand“inservice,”therealserversareprotectedfromdirect

clientaccessforallservices.Loadsharingclientscanonlyaccessspecificservicesonthereal

serversbymeansofthe

virtualserversconfiguredtoprovidethoseservices.

Ifyoualsowanttoprovidedirectclientaccesstorealserversconfiguredaspartofaserverfarm

group,therearetwomechanismsthatcanprovidedirectclientaccess.

Thefirstmechanism,configuredwithinvirtualserverconfigurationmodewiththeallow

accessserverscommand,

allowsyoutoidentifyspecificclientswhocansetupconnections

directlytoarealserver’sIPaddress,aswellascontinuetousethevirtualserverIPaddress.

Thesecondmechanism,configuredinGlobalconfigurationmodewiththeipslballowaccess_all

command,allowsallclientstodirectlyaccessallservices

providedbyrealservers,exceptforthose

servicesconfiguredtobeaccessedbymeansofaconfiguredvirtualserver.Therealserversarestill

protectedfromdirectclientaccessforconfiguredservicesonly.Forexample,usingthis

mechanism,ifyouconfiguredaloadbalancingservergroupcontaining“realserver1”and

“realserver2”

toprovideHTTPservicethroughvirtualserver“vserver‐http,”clientscanonly

accesstheHTTPserviceonthoserealserversbymeansofthe“vserver‐http”virtualserver.

However,clientscandirectlyaccess“realserver1”and“realserver2”foranyservicesotherthan

HTTP.

Ifyoucombinethetwomechanisms,thatis,configure

ipslballowaccess_allattheGlobal

configurationmodeandalsoconfigureallowaccessserverswithinavirtualserver’sconfiguration

mode,theclientsidentifiedwiththeallowaccessserverscommandwillhavedirectaccesstothe

realserversforallservices(includingthoseprovidedbyavirtualserver)andbeblockedfrom

using

thevirtualserver.Soforexample,an“allowed”clientcanaccess“realserver1”and

“realserver2”directlyforallservices,includingHTTP,butcannotaccessthoseserversforHTTP

bymeansofthe“vserver‐http”virtualserver.

Service Verification

UPDportserviceverificationcanbeenabledononeormoreloadbalancingservers.Thefirmware

accomplishesthisbysendingaUDPpacketwith“\r\n”(CarriageReturn/LineFeed)asdatato

Table of Contents

Related product manuals