direct access disable
hwangdonghyun
Member ✭
Hi everyone
Please check configuration, which can not be accessed by the client directly to server request in this feature, you must apply to A10 existing equipment Alteon
from Alteon to Thunder 930 (2.7.1 P6)
migration
thank you
Comments
Can you explain a little more about what you want to achieve?
Are you looking for a conversion of an Alteon configuration to A10?
Or is there a specific feature you have questions about?
Regarding configuration migrations, it would be best if you contact the SE or Sales representative from your region so they can help find the right resources.
For feature/configuration questions, please provide more details.
Greetings,
Diederik
I think he wants to know if ACOS supports a feature that blocks connections from the client directly to the real server without going through the VIPs.
On Radware, it's called 'DAM (Direct Access Mode)' and is disabled by default.
I'd like to know too if ACOS has an option similar to DAM without using an ACL.
Regards,
Kwitae
This depends a little on your exact setup.
In case you have your clients and real servers in different VLANs/network segments, you can use "l3-vlan-fwd-disable" to disable the routing between different VLANs.
Only connections to the VIPs will be allowed and only traffic redirected in this way will reach the real servers.
This seems to me the closest to the DAM functionality on the Alteon.
When you are using filter-based load balancing, you would be using wildcard VIPs on the A10, and then you have other options to achieve this.
Best would be to contact your local A10 team and have them look at your complete setup.
Do you know who to contact?
Greetings,
Diederik
Just to give a little more insight about "DAM":
As per the AlteonOS design back in the 90s, only partial information is stored in the session/SLB table; in particular, the forward destination port is not included. This is OK for a basic scenario; however, when servers need to be reached directly by routing, Alteon is unable to distinguish between routed traffic and load-balanced traffic going back and thus cannot make NAT transformations accordingly.
To solve this problem, Alteon included a "functionality" called "Direct Access Mode". When it is activated, forward port information is stored in an auxiliary table; this way it can distinguish between routed and SLB traffic.
In A10, among other details, full flow information is always stored in the session table, so we can always distinguish between routed and SLB flows with no further workarounds or considerations for the user:
ACOS(config)# show session ipv4 source-addr 1.0.4.147
Prot Forward Source     Forward Dest     Reverse Source   Reverse Dest      Age Hash Flags
-----------------------------------------------------------------------------------------------------------
Tcp  1.0.4.147:49107    1.0.100.1:21     1.0.3.148:21     1.0.4.147:49107   120 2    OS
Total Sessions: 1
Keep in mind that only deactivating "DAM" in Alteon is not enough to prevent traffic from hitting your servers; inbound traffic will still reach the server side even when it is not consistently routed back. You still need an ACL or to disable forwarding in Alteon (same as in A10) to effectively protect them. As you can see, "DAM" is not a functionality but more a workaround.
Regards
José Serrano
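An added example, not part of the thread and not A10 code: a Python check that reads `show session` output in the layout posted above and flags sessions whose forward destination is a real server instead of a VIP, which is the direct access the ACL or forwarding restriction is meant to stop. The real-server list, the second sample row, and the premise that a routed flow is listed with the same forward destination and reverse source are assumptions.

```python
import re
from ipaddress import ip_address

# One data row: protocol followed by four ip:port endpoints
# (forward source, forward dest, reverse source, reverse dest).
ROW = re.compile(
    r"^(\S+)\s+(\S+:\d+)\s+(\S+:\d+)\s+(\S+:\d+)\s+(\S+:\d+)"
)

# First row is the one from the post; the second row is constructed
# for illustration (a client addressing the real server directly).
SAMPLE = """\
Prot Forward Source     Forward Dest     Reverse Source   Reverse Dest      Age Hash Flags
-------------------------------------------------------------------------------------------
Tcp  1.0.4.147:49107    1.0.100.1:21     1.0.3.148:21     1.0.4.147:49107   120 2    OS
Tcp  1.0.4.150:50112    1.0.3.148:22     1.0.3.148:22     1.0.4.150:50112   60  1    OS
Total Sessions: 2
"""


def host(endpoint):
    """Return the IP part of an 'ip:port' endpoint as an address object."""
    return ip_address(endpoint.rpartition(":")[0])


def classify(output, real_servers):
    """Return (client_ip, forward_dest, kind) for every session row.

    kind is 'direct' when the client addressed a real server itself,
    'slb' when the forward destination was translated to a real server,
    and 'other' for anything else.
    """
    servers = {ip_address(s) for s in real_servers}
    results = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator and totals lines
        _, fsrc, fdst, rsrc, _ = m.groups()
        if host(fdst) in servers:
            kind = "direct"   # bypassed the VIP
        elif fdst != rsrc and host(rsrc) in servers:
            kind = "slb"      # VIP -> real server translation
        else:
            kind = "other"
        results.append((str(host(fsrc)), fdst, kind))
    return results


if __name__ == "__main__":
    for row in classify(SAMPLE, ["1.0.3.148"]):
        print(row)
```

Any row reported as `direct` means the real server was reachable without going through a VIP, so the ACL or forwarding restriction discussed in the thread is not in effect for that path.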