LB旁路部署案例
一、 需求
- 为了实现服务器对外网用户提供服务的可靠性,客户在现网中部署了LB设备,LB采用旁路方式部署,要求外网主机访问时的流量经过LB轮询到内部服务器,一台服务器down机不影响其正常业务。
二、 拓扑环境
三、 配置思路 - 配置各个设备ip地址及路由,保证ip可达
- 配置检测模板
- 配置ip地址池
- 配置实服务组,调用检测模板和ip地址池
- 配置实服务,关联实服务组
- 配置虚服务器,关联实服务组
- 测试
四、 配置步骤
配置脚本如下所示:
出口NAT设备配置:sysname NAT # system-working-mode standard xbar load-single password-recovery enable lpu-type f-series # vlan 1 # interface Serial1/0 # interface Serial2/0 # interface Serial3/0 # interface Serial4/0 # interface NULL0 # interface GigabitEthernet0/0 port link-mode route combo enable copper ip address 192.168.34.4 255.255.255.0 # interface GigabitEthernet0/1 port link-mode route combo enable copper ip address 100.1.46.4 255.255.255.0 nat outbound nat server protocol tcp global 100.1.46.4 2323 inside 192.168.35.5 2323 # interface GigabitEthernet0/2 port link-mode route combo enable copper # interface GigabitEthernet5/0 port link-mode route combo enable copper # interface GigabitEthernet5/1 port link-mode route combo enable copper # interface GigabitEthernet6/0 port link-mode route combo enable copper # interface GigabitEthernet6/1 port link-mode route combo enable copper # scheduler logfile size 16 # line class aux user-role network-operator # line class console user-role network-admin # line class tty user-role network-operator # line class vty user-role network-operator # line aux 0 user-role network-operator # line con 0 user-role network-admin # line vty 0 63 user-role network-operator # ip route-static 0.0.0.0 0 100.1.46.6 ip route-static 192.168.1.0 24 192.168.34.3 ip route-static 192.168.2.0 24 192.168.34.3 ip route-static 192.168.35.0 24 192.168.34.3 # domain system # domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system
LB关键配置:
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 192.168.35.5 255.255.255.0
loadbalance snat-pool pool
ip range start 192.168.35.5 end 192.168.35.5
#
server-farm sf
snat-pool pool
probe t1
#
real-server rs1
ip address 192.168.1.1
port 23
weight 150
server-farm sf
#
real-server rs2
ip address 192.168.2.2
port 23
weight 120
server-farm sf
#
virtual-server vs type tcp
port 2323
virtual ip address 192.168.35.5
default server-farm sf
service enable
#
ip route-static 0.0.0.0 0 192.168.35.3
#
acl basic 2000
rule 0 permit
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
zone-pair security source Any destination Any
packet-filter 2000
#
return
五、 测试
外网主机telnet外网映射到LB的地址和端口,看是否可以访问到内部服务器
<Client>telnet 100.1.46.4 2323
Trying 100.1.46.4 ...
Press CTRL+K to abort
Connected to 100.1.46.4 ...
<ServerA>
<ServerA>
<ServerA>dis ip int brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP Address Description
GE0/0 down down -- --
GE0/1 up up 192.168.1.1 --
测试后可以正常访问到服务器A
退出登录后再尝试登录下,测试看是否可以轮询到另一个服务器
<ServerA>quit
The connection was closed by the remote host!
<Client>telnet 100.1.46.4 2323
Trying 100.1.46.4 ...
Press CTRL+K to abort
Connected to 100.1.46.4 ...
<ServerB>
<ServerB>dis ip int brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP Address Description
GE0/0 up up 192.168.2.2 --
LB>dis real-server statistics
Slot 1:
Real server: rs1
Total connections: 7
Active connections: 0
Max connections: 1
Connections per second: 0
Max connections per second: 1
Server input: 13601 bytes
Server output: 15872 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 3612 bytes/s
Max inbound throughput: 1359 bytes/s
Max outbound throughput: 2253 bytes/s
Received packets: 252
Sent packets: 238
Dropped packets: 0
Received requests: 0
Dropped requests: 0
Sent responses: 0
Dropped responses: 0
Connection failures: 0
Real server: rs2
Total connections: 8
Active connections: 1
Max connections: 1
Connections per second: 0
Max connections per second: 1
Server input: 15552 bytes
Server output: 17213 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 5796 bytes/s
Max inbound throughput: 2451 bytes/s
Max outbound throughput: 3345 bytes/s
Received packets: 288
Sent packets: 264
Dropped packets: 0
Received requests: 0
Dropped requests: 0
Sent responses: 0
Dropped responses: 0
Connection failures: 0
<LB>dis virtual-server statistics
Slot 1:
Virtual server: vs
Total connections: 15
Active connections: 1
Max connections: 2
Connections per second: 0
Max connections per second: 1
Client input: 29257 bytes
Client output: 33165 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 5796 bytes/s
Max inbound throughput: 2451 bytes/s
Max outbound throughput: 3345 bytes/s
Received packets: 542
Sent packets: 504
Dropped packets: 0
六、 注意事项
- 该拓扑图中,如果只是单纯配置服务器负载均衡,不针对外网进来的源做snat的话,是无法访问到服务器的,原因是,外网终端向LB发起访问,但是数据包回复时却是内网服务器直接给予的回应,服务器回包时,数据包到核心设备,直接按照缺省路由去做转发了,即使客户端收到数据包,由于发起和回应的地址不一致,则会认为数据包不是自己想要的,会直接丢弃
- 配置LB时,新建实服务,关联实服务组,最后在虚服务器下做关联时,设备会根据检测模板去轮询看是否和服务器可达,如果可达,将处于active状态,如果检测不可达,处于Probe-failed
原文地址:https://blog.51cto.com/14648383/2462793