Using LSNAT on Your Network

LSNAT is a load balancing routing feature. It provides load sharing between multiple real servers that are grouped into server farms that can be tailored to an individual service or all services, without requiring any modification to clients or servers. Examples of well-known services are HTTP on port 80, SMTP (e-mail) on port 25, FTP on port 21, and TFTP on port 69. LSNAT is defined in RFC 2391.

The LSNAT configuration components are:

  • The virtual server, configured on the LSNAT router, that intercepts the service request and determines the physical (real) server the request will be forwarded to
  • The real servers that are the physical servers that make up the server farm
  • The server farm that is a logical entity containing the multiple real servers, one of which will service the client's request

LSNAT is supported over any combination of VLAN, L3 tunnel, and L2 tunnel interfaces.

The S-Series supports IPv4-to-IPv4, IPv6-to-IPv6, IPv4-to-IPv6, and IPv6-to-IPv4 addressing expressed as virtual server IP address (client side) to real server (server farm side). On the client side, the client and the virtual server IP address type must agree. On the server farm side, the real servers and the server farm IP address types must agree. Mixed IP addressing configuration allows for migrating an IPv4 LSNAT configuration to IPv6 by one side of the configuration (client or server) at a time.

LSNAT Overview provides the following example of an LSNAT deployment:

  1. A request for service is sent by the client to a virtual server. The client and the virtual server must both be IPv4 addressed or both be IPv6 addressed; they cannot be mixed.
  2. The destination address for the service request is the virtual server's unique Virtual IP (VIP) address. A VIP address is defined by an IP Address (or IP Address range), IP Protocol, and UDP/TCP port number. The same IP address can be used for multiple virtual servers if a different port address is used. This is called overloading. The LSNAT configured router recognizes the VIP address and knows that LSNAT must select a real server to forward the request to.
  3. Before forwarding the request, LSNAT selects the real server for this request based upon the configured server load balancing process (round robin is shown in the figure). LSNAT changes the destination IP address from the VIP address to the address of the selected real server member of the server farm associated with the virtual server address. The packet is then forwarded to the selected real server. The source address is taken from a configured source NAT pool.
  4. The real server sends a service response back to the client with its address as the response source address.
  5. At the router, LSNAT sees the real server address and knows it must first translate it back to the VIP address before forwarding the packet on to the client.
Figure: LSNAT Overview

The need for load sharing arises when a single server is not able to cope with the service demand. Legacy load sharing schemes were often ad-hoc and platform-specific, having the problem of lengthy reordering times on the servers and the inability to account for server load variations. LSNAT configuration and operation is separate from the client and servers and therefore does not care which client, server, or service is involved, or which address type is used by the client or server. It merely maps a single VIP to multiple real-server IP address and port combinations, based upon a configured load balancing algorithm, and forwards packets accordingly.

With load sharing over multiple servers, reliability is increased by allowing you to take an individual server offline for scheduled maintenance, without disrupting ongoing service operations. The servers are easily removed and replaced in the queue making maintenance a transparent activity, eliminating maintenance related downtime for the site.

Load sharing also provides redundancy in the case of a server failure. LSNAT automatically removes the failed server from the selection process. When the failed server becomes active again, LSNAT automatically adds the server back into the selection process.

Server and TCP/UDP port verification can ensure that the ports used by LSNAT are operational. TCP/UDP port service verification is capable of determining whether a server is active before creating a session. This feature eliminates the single point of failure by automatically recognizing that a server is down and taking it out of the LSNAT load balancing process.
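The five-step exchange above (client to VIP, real server selection, source NAT toward the farm, and the reverse translation of the response), the address-family rules for mixed IPv4/IPv6 configurations, and the removal and re-admission of a real server that fails port verification can be followed in a small model. The following Python is an added illustration and is not code from the S-Series product or its documentation; the class names (ServerFarm, VirtualServer, LsnatRouter), the session-table layout, the sequential source-port allocation and the constructed sample addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class ServerFarm:
    """Logical group of real servers; all members must share one IP address family."""
    name: str
    members: list                      # [(real_ip, real_port), ...]
    down: set = field(default_factory=set)

    def __post_init__(self):
        families = {ipaddress.ip_address(ip).version for ip, _ in self.members}
        if len(families) != 1:
            raise ValueError(f"farm {self.name}: real servers must all be IPv4 or all IPv6")
        self.family = families.pop()
        self._ring = cycle(self.members)   # round-robin state

    def select(self):
        """Round robin over members, skipping any that verification has marked down."""
        for _ in range(len(self.members)):
            member = next(self._ring)
            if member not in self.down:
                return member
        raise RuntimeError(f"farm {self.name}: no real server is active")

    def mark_down(self, member):       # TCP/UDP port verification failed
        self.down.add(member)

    def mark_up(self, member):         # server became active again
        self.down.discard(member)


@dataclass
class VirtualServer:
    vip: str
    protocol: str                      # "tcp" or "udp"
    port: int
    farm: ServerFarm
    snat_pool: list                    # source NAT addresses used toward the farm

    def __post_init__(self):
        # Server-farm side: SNAT pool and real servers must agree on address family.
        if {ipaddress.ip_address(a).version for a in self.snat_pool} != {self.farm.family}:
            raise ValueError("source NAT pool must match the server farm's address family")

    @property
    def key(self):
        return (self.vip, self.protocol, self.port)


class LsnatRouter:
    def __init__(self):
        # Same VIP with different ports = overloading, hence the (vip, proto, port) key.
        self.vservers = {}
        # (real_ip, real_port, snat_ip, snat_port) -> (client_ip, client_port, vip, vport)
        self.sessions = {}
        self._next_snat_port = 1024    # assumed allocation scheme, not the product's

    def add_virtual_server(self, vs):
        self.vservers[vs.key] = vs

    def forward_request(self, client_ip, client_port, dst_ip, proto, dst_port):
        """Client -> VIP: pick a real server, rewrite dst to it and src to the SNAT pool.
        Returns the translated (src_ip, src_port, dst_ip, dst_port), or None if dst is not a VIP."""
        vs = self.vservers.get((dst_ip, proto, dst_port))
        if vs is None:
            return None                 # ordinary routed packet; LSNAT does not intervene
        # Client side: client and VIP must agree on address family.
        if ipaddress.ip_address(client_ip).version != ipaddress.ip_address(dst_ip).version:
            raise ValueError("client and virtual server must use the same address family")
        real_ip, real_port = vs.farm.select()
        snat_ip, snat_port = vs.snat_pool[0], self._next_snat_port
        self._next_snat_port += 1
        self.sessions[(real_ip, real_port, snat_ip, snat_port)] = (client_ip, client_port, vs.vip, vs.port)
        return (snat_ip, snat_port, real_ip, real_port)

    def forward_response(self, real_ip, real_port, dst_ip, dst_port):
        """Real server -> router: look up the session and restore the VIP as the source."""
        session = self.sessions.get((real_ip, real_port, dst_ip, dst_port))
        if session is None:
            return None
        client_ip, client_port, vip, vport = session
        return (vip, vport, client_ip, client_port)


def demo():
    """Constructed scenario: IPv4 clients, IPv6 server farm (mixed addressing), round robin."""
    farm = ServerFarm("web", [("2001:db8::11", 8080), ("2001:db8::12", 8080)])
    router = LsnatRouter()
    router.add_virtual_server(VirtualServer("198.51.100.10", "tcp", 80, farm, ["2001:db8::1"]))
    first = router.forward_request("192.0.2.50", 40001, "198.51.100.10", "tcp", 80)
    second = router.forward_request("192.0.2.51", 40002, "198.51.100.10", "tcp", 80)
    reply = router.forward_response(first[2], first[3], first[0], first[1])
    farm.mark_down(("2001:db8::11", 8080))   # verification finds ::11 unreachable
    third = router.forward_request("192.0.2.52", 40003, "198.51.100.10", "tcp", 80)
    farm.mark_up(("2001:db8::11", 8080))     # server is back; rejoins the rotation
    return first, second, reply, third


if __name__ == "__main__":
    for packet in demo():
        print(packet)
```

Running demo() shows the two halves of the translation: requests leave the router with a source from the IPv6 SNAT pool and the chosen real server as destination, while the response is rewritten so the client only ever sees the VIP. The third request lands on ::12 because ::11 has been taken out of the rotation by verification, which is the behaviour the preceding paragraphs describe.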

Security is improved because clients see only the VIP, never the real server addresses, so only the appropriate traffic reaches the servers.

LSNAT improves network performance by leveling traffic over many systems. Using LSNAT in conjunction with Aggregate Links removes the performance bottleneck and reliability concerns of one physical link to a server by bundling multiple links, with failover if a link goes down. Utilizing the IP-Policy and QoS features of the S-Series device with the LSNAT feature further improves the performance and security of the network. When tied with the Virtual Router Redundancy Protocol (VRRP), the network becomes even more reliable and secure.

For all these reasons, LSNAT is ideal for enterprise account web servers, application servers, or database servers.