LB旁路部署案例 一、 需求
- 为了实现服务器对外网用户提供服务的可靠性,客户在现网中部署了LB设备,LB采用旁路方式部署,要求外网主机访问时的流量经过LB轮询到内部服务器,一台服务器down机不影响其正常业务。
二、 拓扑环境
三、 配置思路 - 配置各个设备ip地址及路由,保证ip可达
- 配置检测模板
- 配置ip地址池
- 配置实服务组,调用检测模板和ip地址池
- 配置实服务,关联实服务组
- 配置虚服务器,关联实服务组
- 测试 四、 配置步骤 配置脚本如下所示: 出口NAT设备配置:
sysname NAT
#
system-working-mode standard
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface Serial1/0
#
interface Serial2/0
#
interface Serial3/0
#
interface Serial4/0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 192.168.34.4 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 100.1.46.4 255.255.255.0
nat outbound
nat server protocol tcp global 100.1.46.4 2323 inside 192.168.35.5 2323
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
#
interface GigabitEthernet5/0
port link-mode route
combo enable copper
#
interface GigabitEthernet5/1
port link-mode route
combo enable copper
#
interface GigabitEthernet6/0
port link-mode route
combo enable copper
#
interface GigabitEthernet6/1
port link-mode route
combo enable copper
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
user-role network-operator
#
ip route-static 0.0.0.0 0 100.1.46.6
ip route-static 192.168.1.0 24 192.168.34.3
ip route-static 192.168.2.0 24 192.168.34.3
ip route-static 192.168.35.0 24 192.168.34.3
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
`LB关键配置:`
interface GigabitEthernet1/0/1 port link-mode route combo enable copper ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet1/0/2 port link-mode route combo enable copper ip address 192.168.35.5 255.255.255.0
loadbalance snat-pool pool ip range start 192.168.35.5 end 192.168.35.5
server-farm sf snat-pool pool probe t1
real-server rs1 ip address 192.168.1.1 port 23 weight 150 server-farm sf
real-server rs2
ip address 192.168.2.2
port 23
weight 120
server-farm sf
virtual-server vs type tcp port 2323 virtual ip address 192.168.35.5 default server-farm sf service enable
ip route-static 0.0.0.0 0 192.168.35.3
acl basic 2000 rule 0 permit security-zone name Trust import interface GigabitEthernet1/0/2
security-zone name DMZ
security-zone name Untrust
security-zone name Management
zone-pair security source Any destination Any packet-filter 2000
return
五、 测试
外网主机telnet外网映射到LB的地址和端口,看是否可以访问到内部服务器
<Client>telnet 100.1.46.4 2323
Trying 100.1.46.4 ...
Press CTRL+K to abort
Connected to 100.1.46.4 ...
<ServerA>
<ServerA>
<ServerA>dis ip int brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP Address Description
GE0/0 down down -- --
GE0/1 up up 192.168.1.1 --
测试后可以正常访问到服务器A
退出登录后再尝试登录下,测试看是否可以轮询到另一个服务器
<ServerA>quit
The connection was closed by the remote host!
<Client>telnet 100.1.46.4 2323
Trying 100.1.46.4 ...
Press CTRL+K to abort
Connected to 100.1.46.4 ...
<ServerB>
<ServerB>dis ip int brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP Address Description
GE0/0 up up 192.168.2.2 --
LB>dis real-server statistics
Slot 1:
Real server: rs1
Total connections: 7
Active connections: 0
Max connections: 1
Connections per second: 0
Max connections per second: 1
Server input: 13601 bytes
Server output: 15872 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 3612 bytes/s
Max inbound throughput: 1359 bytes/s
Max outbound throughput: 2253 bytes/s
Received packets: 252
Sent packets: 238
Dropped packets: 0
Received requests: 0
Dropped requests: 0
Sent responses: 0
Dropped responses: 0
Connection failures: 0
Real server: rs2
Total connections: 8
Active connections: 1
Max connections: 1
Connections per second: 0
Max connections per second: 1
Server input: 15552 bytes
Server output: 17213 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 5796 bytes/s
Max inbound throughput: 2451 bytes/s
Max outbound throughput: 3345 bytes/s
Received packets: 288
Sent packets: 264
Dropped packets: 0
Received requests: 0
Dropped requests: 0
Sent responses: 0
Dropped responses: 0
Connection failures: 0
<LB>dis virtual-server statistics
Slot 1:
Virtual server: vs
Total connections: 15
Active connections: 1
Max connections: 2
Connections per second: 0
Max connections per second: 1
Client input: 29257 bytes
Client output: 33165 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 5796 bytes/s
Max inbound throughput: 2451 bytes/s
Max outbound throughput: 3345 bytes/s
Received packets: 542
Sent packets: 504
Dropped packets: 0
六、 注意事项
- 该拓扑图中,如果只是单纯配置服务器负载均衡,不针对外网进来的源做snat的话,是无法访问到服务器的,原因是,外网终端向LB发起访问,但是数据包回复时却是内网服务器直接给予的回应,服务器回包时,数据包到核心设备,直接按照缺省路由去做转发了,即使客户端收到数据包,由于发起和回应的地址不一致,则会认为数据包不是自己想要的,会直接丢弃
- 配置LB时,新建实服务,关联实服务组,最后在虚服务器下做关联时,设备会根据检测模板去轮询看是否和服务器可达,如果可达,将处于active状态,如果检测不可达,处于Probe-failed
-----
