Specifications

ManualsBrandsEnterasys ManualsComputer equipmentN Standalone (NSA) Series

LSNAT Overview

September 8, 2010 Page 8 of 28

Youcansearchforareplystringof“200OK”.Thiswouldresultinasuccessfulverificationofthe

service.

BecauseACVcansearchforastringinonlythefirst255bytesoftheresponse,inmostHTTPcases

theresponsewillhavetobeinthepacketʹsHTTP

header(thatis,youwillnotbeabletosearchfor

astringcontainedinthewebpageitself).

SomeprotocolssuchasFTPorSMTPrequireuserstoissueacommandtoclosethesessionafter

makingtherequest.Afaildetectacv‐quitcommandallowsfortheinputofthe

quitstring

required.

The Virtual Server

Thevirtualserverfunctionsasapublicfacetotheclientfortherealservertheclientwishesto

access.TheclientaccessestherealserverbydirectingservicerequeststotheVirtualIP(VIP)

addressconfiguredonthevirtualserver.

Beforeenablingavirtualserveryoumustnameit,associate

itwithaserverfarm,andconfigure

theVIP.Optionallyyoucanrestrictaccesstothevirtualservertospecifiedclients,specifythetype

ofsessionpersistence,allowspecifiedclientsdirectaccesstoarealserver,andallowallclientsto

directlyaccessallservicesnotspecificallyaccessedthroughthe 

virtualserver.

YoumustconfigureavirtualserverwithaVIPforeachserverfarminyoursystem.ThesameIP

addresscanbeusedfortheVIPofmultiplevirtualserversprovidedadifferentportisspecified

foreachVIP.

Incaseswherethereisonlyoneloadbalancingdecisionmade

forthisclienttovirtualserverforall

TCP/UDPconnections,the“matchsource‐portany”bindingmodeallowsServerLoadBalancing

(SLB)connectionsthroughthevirtualservertocreateasinglebindingthatwillmatchanysource

porttheclientusesdestinedtothesamevirtualserverVIPaddressand

UDP/TCPport.Configure

the“matchsource‐portany”bindingmodeusingthebindingmatchsource‐portcommand.

Configuring Direct Access to Real Servers

WhentheLSNAT routerhasbeenconfiguredwithserverfarms,withrealserversandvirtual

serversconfiguredand“inservice,”therealserversareprotectedfromdirectclientaccessforall

services.

Ifyouwanttoprovidedirectclientaccesstorealserversconfiguredaspartofaserverfarm,there

aretwomechanismsthatcanprovidedirectclientaccess.

Thefirstmechanism,configuredwithinglobalconfigurationmodewiththeipslbreal‐server

accessclientcommand,allowsyoutoidentifyspecificclientnetworksthatcansetupconnections

directlytoarealserver’sIPaddress,aswellascontinuetouse

thevirtualserverIPaddress.

Thesecondmechanism,configuredinglobalconfigurationmodewiththeipslbreal‐server

accessunrestrictedcommand,allowsallclientstodirectlyaccessallservicesprovidedbyreal

servers.

The Source NAT Pool

LSNATsupportsNetworkAddressTranslating(NAT)oftheclientIPaddressasdescribedin

Section3.3ofRFC2391.AguidedetailingtheNATfeatureisavailableat:

http://secure.enterasys.com/support/manuals/.

WithastandardLSNATconnection,theclient’sIPaddressispassedthroughtherouter

un‐NATed.Theconsequenceofthisisthat

therealservermusthavearoutefortheclientIP