新西兰服务器

LB 服务器负载均衡【旁路部署】


LB 服务器负载均衡【旁路部署】

发布时间:2020-08-06 12:30:42 来源:网络 阅读:361 作者:阿_立 栏目:安全技术

LB旁路部署案例
一、 需求

  • 为了实现服务器对外网用户提供服务的可靠性,客户在现网中部署了LB设备,LB采用旁路方式部署,要求外网主机访问时的流量经过LB轮询到内部服务器,一台服务器down机不影响其正常业务。
    二、 拓扑环境

    三、 配置思路

  • 配置各个设备ip地址及路由,保证ip可达
  • 配置检测模板
  • 配置ip地址池
  • 配置实服务组,调用检测模板和ip地址池
  • 配置实服务,关联实服务组
  • 配置虚服务器,关联实服务组
  • 测试
    四、 配置步骤
    配置脚本如下所示:
    出口NAT设备配置:
     sysname NAT # system-working-mode standard xbar load-single password-recovery enable lpu-type f-series # vlan 1 # interface Serial1/0 # interface Serial2/0 # interface Serial3/0 # interface Serial4/0 # interface NULL0 # interface GigabitEthernet0/0 port link-mode route combo enable copper ip address 192.168.34.4 255.255.255.0 # interface GigabitEthernet0/1 port link-mode route combo enable copper ip address 100.1.46.4 255.255.255.0 nat outbound nat server protocol tcp global 100.1.46.4 2323 inside 192.168.35.5 2323 # interface GigabitEthernet0/2 port link-mode route combo enable copper # interface GigabitEthernet5/0 port link-mode route combo enable copper # interface GigabitEthernet5/1 port link-mode route combo enable copper # interface GigabitEthernet6/0 port link-mode route combo enable copper # interface GigabitEthernet6/1 port link-mode route combo enable copper # scheduler logfile size 16 # line class aux user-role network-operator # line class console user-role network-admin # line class tty user-role network-operator # line class vty user-role network-operator # line aux 0 user-role network-operator # line con 0 user-role network-admin # line vty 0 63 user-role network-operator # ip route-static 0.0.0.0 0 100.1.46.6 ip route-static 192.168.1.0 24 192.168.34.3 ip route-static 192.168.2.0 24 192.168.34.3 ip route-static 192.168.35.0 24 192.168.34.3 # domain system # domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role #               role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system

LB关键配置:

interface GigabitEthernet1/0/1  port link-mode route  combo enable copper  ip address 192.168.0.1 255.255.255.0 # interface GigabitEthernet1/0/2  port link-mode route  combo enable copper  ip address 192.168.35.5 255.255.255.0  loadbalance snat-pool pool  ip range start 192.168.35.5 end 192.168.35.5 # server-farm sf  snat-pool pool  probe t1 # real-server rs1  ip address 192.168.1.1  port 23  weight 150  server-farm sf # real-server rs2  ip address 192.168.2.2  port 23  weight 120      server-farm sf # virtual-server vs type tcp  port 2323   virtual ip address 192.168.35.5  default server-farm sf  service enable  #  ip route-static 0.0.0.0 0 192.168.35.3 # acl basic 2000  rule 0 permit security-zone name Trust  import interface GigabitEthernet1/0/2 # security-zone name DMZ # security-zone name Untrust # security-zone name Management # zone-pair security source Any destination Any  packet-filter 2000 # return

五、 测试
外网主机telnet外网映射到LB的地址和端口,看是否可以访问到内部服务器
<Client>telnet 100.1.46.4 2323
Trying 100.1.46.4 …
Press CTRL+K to abort
Connected to 100.1.46.4 …

<ServerA>
<ServerA>
<ServerA>dis ip int brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP Address Description
GE0/0 down down — —
GE0/1 up up 192.168.1.1 —
测试后可以正常访问到服务器A

退出登录后再尝试登录下,测试看是否可以轮询到另一个服务器
<ServerA>quit

The connection was closed by the remote host!
<Client>telnet 100.1.46.4 2323
Trying 100.1.46.4 …
Press CTRL+K to abort
Connected to 100.1.46.4 …

<ServerB>
<ServerB>dis ip int brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP Address Description
GE0/0 up up 192.168.2.2 —

LB>dis real-server statistics
Slot 1:
Real server: rs1
Total connections: 7
Active connections: 0
Max connections: 1
Connections per second: 0
Max connections per second: 1
Server input: 13601 bytes
Server output: 15872 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 3612 bytes/s
Max inbound throughput: 1359 bytes/s
Max outbound throughput: 2253 bytes/s
Received packets: 252
Sent packets: 238
Dropped packets: 0
Received requests: 0
Dropped requests: 0
Sent responses: 0
Dropped responses: 0
Connection failures: 0

Real server: rs2
Total connections: 8
Active connections: 1
Max connections: 1
Connections per second: 0
Max connections per second: 1
Server input: 15552 bytes
Server output: 17213 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 5796 bytes/s
Max inbound throughput: 2451 bytes/s
Max outbound throughput: 3345 bytes/s
Received packets: 288
Sent packets: 264
Dropped packets: 0
Received requests: 0
Dropped requests: 0
Sent responses: 0
Dropped responses: 0
Connection failures: 0

<LB>dis virtual-server statistics
Slot 1:
Virtual server: vs
Total connections: 15
Active connections: 1
Max connections: 2
Connections per second: 0
Max connections per second: 1
Client input: 29257 bytes
Client output: 33165 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 5796 bytes/s
Max inbound throughput: 2451 bytes/s
Max outbound throughput: 3345 bytes/s
Received packets: 542
Sent packets: 504
Dropped packets: 0
六、 注意事项

  • 该拓扑图中,如果只是单纯配置服务器负载均衡,不针对外网进来的源做snat的话,是无法访问到服务器的,原因是,外网终端向LB发起访问,但是数据包回复时却是内网服务器直接给予的回应,服务器回包时,数据包到核心设备,直接按照缺省路由去做转发了,即使客户端收到数据包,由于发起和回应的地址不一致,则会认为数据包不是自己想要的,会直接丢弃
  • 配置LB时,新建实服务,关联实服务组,最后在虚服务器下做关联时,设备会根据检测模板去轮询看是否和服务器可达,如果可达,将处于active状态,如果检测不可达,处于Probe-failed

[微信提示:高防服务器能助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。

[图文来源于网络,不代表本站立场,如有侵权,请联系高防服务器网删除]
[