HP VPN Firewall Appliances High Availability Configuration Guide

Table 17 Configuration items
Item Description
Virtual Service Name
Set a virtual service name, which uniquely identifies a virtual service.
VPN Instance
Select the VPN instance to which the virtual service belongs.
Virtual Service IP
Specify the VSIP of the cluster. In server load balancing, users request services with
this IP address as the destination IP address.
For firewall load balancing, you can configure only one VSIP.
For NAT- and DR-mode server load balancing, you can configure multiple VSIPs.
Mask
Specify the VSIP mask.
For NAT- and DR-mode server load balancing, the mask length must be 32 bits.
Protocol
Select the protocol used by the cluster to provide services.
Enable Forced LB
When you select UDP as the protocol, set whether to distribute services on a
per-packet basis.
Some UDP-based services, such as DNS and RADIUS, complete in a single packet
exchange, and in some specific scenarios the packets all have the same
quintuple. Session-based load balancing cannot distribute such service packets,
because every packet matches the same session. Enable forced load balancing so
that service packets are distributed packet by packet instead.
IMPORTANT:
Forced load balancing of fragmented packets is implemented based on virtual
fragment reassembly. Therefore, you must enable virtual fragment reassembly on the
zone to which the interfaces that process LB packets belong. For more information, see
"Managing sessions."
Port
Set the port number used by the cluster to provide services.
Forwarding Mode
Load balancing mode adopted:
NAT—NAT-mode server load balancing.
Direct Routing—DR-mode server load balancing.
Firewall—Firewall load balancing.
IMPORTANT:
For NAT-mode server load balancing, to implement NAT internal server on the LB
device's interface attached to the user network, do not configure the VSIP as the
external IP address of the internal server. Otherwise, the two functions might conflict
with each other.
Enable SNAT
Enable source NAT (SNAT), which changes the source address of a packet during
load balancing.
This option can be set only when the forwarding mode is NAT.
IMPORTANT:
After you enable SNAT for the virtual service, do not configure NAT on the LB
device's interface connecting the real server for traffic matching the virtual service.
Otherwise, the two functions might conflict with each other.
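
The following added example (not from the HP guide) models why the Enable Forced LB item exists: UDP packets that share one quintuple all match a single session entry under session-based distribution, while per-packet distribution spreads them across real servers. The round-robin scheduler, server names, and packet values are assumptions for illustration, not the appliance's algorithm.

```python
from collections import Counter
from itertools import cycle

# Constructed sample data: hypothetical real servers behind the virtual service.
REAL_SERVERS = ["rs1", "rs2", "rs3"]


def quintuple(pkt):
    """Return the 5-tuple that identifies a session."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])


def session_based(packets, servers):
    """Schedule once per session; packets with a known quintuple reuse its entry."""
    scheduler = cycle(servers)  # assumed round-robin scheduler
    sessions = {}
    hits = Counter()
    for pkt in packets:
        key = quintuple(pkt)
        if key not in sessions:
            sessions[key] = next(scheduler)
        hits[sessions[key]] += 1
    return hits


def packet_based(packets, servers):
    """Forced LB model: schedule every packet independently of any session entry."""
    scheduler = cycle(servers)
    return Counter(next(scheduler) for _ in packets)


def sample_packets(count=9):
    """Constructed RADIUS requests that all carry the same quintuple."""
    pkt = {"src": "10.0.0.5", "sport": 1812,
           "dst": "192.0.2.10", "dport": 1812, "proto": "udp"}
    return [dict(pkt) for _ in range(count)]


if __name__ == "__main__":
    pkts = sample_packets()
    print("session-based:", dict(session_based(pkts, REAL_SERVERS)))
    print("packet-based: ", dict(packet_based(pkts, REAL_SERVERS)))
```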