LB旁路部署案例
一、 需求

晉中ssl適用于網(wǎng)站、小程序/APP、API接口等需要進(jìn)行數(shù)據(jù)傳輸應(yīng)用場(chǎng)景，ssl證書未來市場(chǎng)廣闊！成為創(chuàng)新互聯(lián)建站的ssl證書銷售渠道，可以享受市場(chǎng)價(jià)格4-6折優(yōu)惠！如果有意向歡迎電話聯(lián)系或者加微信：13518219792（備注：SSL證書合作）期待與您的合作！

• 為了實(shí)現(xiàn)服務(wù)器對(duì)外網(wǎng)用戶提供服務(wù)的可靠性，客戶在現(xiàn)網(wǎng)中部署了LB設(shè)備，LB采用旁路方式部署，要求外網(wǎng)主機(jī)訪問時(shí)的流量經(jīng)過LB輪詢到內(nèi)部服務(wù)器，一臺(tái)服務(wù)器down機(jī)不影響其正常業(yè)務(wù)。
  二、 拓?fù)洵h(huán)境
  
  三、 配置思路
• 配置各個(gè)設(shè)備ip地址及路由，保證ip可達(dá)
• 配置檢測(cè)模板
• 配置ip地址池
• 配置實(shí)服務(wù)組，調(diào)用檢測(cè)模板和ip地址池
• 配置實(shí)服務(wù)，關(guān)聯(lián)實(shí)服務(wù)組
• 配置虛服務(wù)器，關(guān)聯(lián)實(shí)服務(wù)組
• 測(cè)試
  四、 配置步驟
  配置腳本如下所示：
  出口NAT設(shè)備配置：

  
  sysname NAT
  #
  system-working-mode standard
  xbar load-single
  password-recovery enable
  lpu-type f-series
  #
  vlan 1
  #
  interface Serial1/0
  #
  interface Serial2/0
  #
  interface Serial3/0
  #
  interface Serial4/0
  #
  interface NULL0
  #
  interface GigabitEthernet0/0
  port link-mode route
  combo enable copper
  ip address 192.168.34.4 255.255.255.0
  #
  interface GigabitEthernet0/1
  port link-mode route
  combo enable copper
  ip address 100.1.46.4 255.255.255.0
  nat outbound
  nat server protocol tcp global 100.1.46.4 2323 inside 192.168.35.5 2323
  #
  interface GigabitEthernet0/2
  port link-mode route
  combo enable copper
  #
  interface GigabitEthernet5/0
  port link-mode route
  combo enable copper
  #
  interface GigabitEthernet5/1
  port link-mode route
  combo enable copper
  #
  interface GigabitEthernet6/0
  port link-mode route
  combo enable copper
  #
  interface GigabitEthernet6/1
  port link-mode route
  combo enable copper
  #
  scheduler logfile size 16
  #
  line class aux
  user-role network-operator
  #
  line class console
  user-role network-admin
  #
  line class tty
  user-role network-operator
  #
  line class vty
  user-role network-operator
  #
  line aux 0
  user-role network-operator
  #
  line con 0
  user-role network-admin
  #
  line vty 0 63
  user-role network-operator
  #
  ip route-static 0.0.0.0 0 100.1.46.6
  ip route-static 192.168.1.0 24 192.168.34.3
  ip route-static 192.168.2.0 24 192.168.34.3
  ip route-static 192.168.35.0 24 192.168.34.3
  #
  domain system
  #
  domain default enable system
  #
  role name level-0
  description Predefined level-0 role
  #
  role name level-1
  description Predefined level-1 role
  #
  role name level-2
  description Predefined level-2 role
  #
  role name level-3
  description Predefined level-3 role
  #
  role name level-4
  description Predefined level-4 role
  #
  role name level-5
  description Predefined level-5 role
  #
  role name level-6
  description Predefined level-6 role
  #
  role name level-7
  description Predefined level-7 role
  #
  role name level-8
  description Predefined level-8 role
  #
  role name level-9
  description Predefined level-9 role
  #              
  role name level-10
  description Predefined level-10 role
  #
  role name level-11
  description Predefined level-11 role
  #
  role name level-12
  description Predefined level-12 role
  #
  role name level-13
  description Predefined level-13 role
  #
  role name level-14
  description Predefined level-14 role
  #
  user-group system

LB關(guān)鍵配置：

interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 ip address 192.168.35.5 255.255.255.0

loadbalance snat-pool pool
 ip range start 192.168.35.5 end 192.168.35.5
#
server-farm sf
 snat-pool pool
 probe t1
#
real-server rs1
 ip address 192.168.1.1
 port 23
 weight 150
 server-farm sf
#
real-server rs2
 ip address 192.168.2.2
 port 23
 weight 120    
 server-farm sf
#
virtual-server vs type tcp
 port 2323 
 virtual ip address 192.168.35.5
 default server-farm sf
 service enable
 #
 ip route-static 0.0.0.0 0 192.168.35.3
#
acl basic 2000
 rule 0 permit
security-zone name Trust
 import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
zone-pair security source Any destination Any
 packet-filter 2000
#
return

五、 測(cè)試
外網(wǎng)主機(jī)telnet外網(wǎng)映射到LB的地址和端口，看是否可以訪問到內(nèi)部服務(wù)器
<Client>telnet 100.1.46.4 2323
Trying 100.1.46.4 ...
Press CTRL+K to abort
Connected to 100.1.46.4 ...

<ServerA>
<ServerA>
<ServerA>dis ip int brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP Address Description
GE0/0 down down -- --
GE0/1 up up 192.168.1.1 --
測(cè)試后可以正常訪問到服務(wù)器A

退出登錄后再嘗試登錄下，測(cè)試看是否可以輪詢到另一個(gè)服務(wù)器
<ServerA>quit

The connection was closed by the remote host!
<Client>telnet 100.1.46.4 2323
Trying 100.1.46.4 ...
Press CTRL+K to abort
Connected to 100.1.46.4 ...

<ServerB>
<ServerB>dis ip int brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP Address Description
GE0/0 up up 192.168.2.2 --

LB>dis real-server statistics
Slot 1:
Real server: rs1
Total connections: 7
Active connections: 0
Max connections: 1
Connections per second: 0
Max connections per second: 1
Server input: 13601 bytes
Server output: 15872 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 3612 bytes/s
Max inbound throughput: 1359 bytes/s
Max outbound throughput: 2253 bytes/s
Received packets: 252
Sent packets: 238
Dropped packets: 0
Received requests: 0
Dropped requests: 0
Sent responses: 0
Dropped responses: 0
Connection failures: 0

Real server: rs2
Total connections: 8
Active connections: 1
Max connections: 1
Connections per second: 0
Max connections per second: 1
Server input: 15552 bytes
Server output: 17213 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 5796 bytes/s
Max inbound throughput: 2451 bytes/s
Max outbound throughput: 3345 bytes/s
Received packets: 288
Sent packets: 264
Dropped packets: 0
Received requests: 0
Dropped requests: 0
Sent responses: 0
Dropped responses: 0
Connection failures: 0

<LB>dis virtual-server statistics
Slot 1:
Virtual server: vs
Total connections: 15
Active connections: 1
Max connections: 2
Connections per second: 0
Max connections per second: 1
Client input: 29257 bytes
Client output: 33165 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 5796 bytes/s
Max inbound throughput: 2451 bytes/s
Max outbound throughput: 3345 bytes/s
Received packets: 542
Sent packets: 504
Dropped packets: 0
六、 注意事項(xiàng)

• 該拓?fù)鋱D中，如果只是單純配置服務(wù)器負(fù)載均衡，不針對(duì)外網(wǎng)進(jìn)來的源做snat的話，是無法訪問到服務(wù)器的，原因是，外網(wǎng)終端向LB發(fā)起訪問，但是數(shù)據(jù)包回復(fù)時(shí)卻是內(nèi)網(wǎng)服務(wù)器直接給予的回應(yīng)，服務(wù)器回包時(shí)，數(shù)據(jù)包到核心設(shè)備，直接按照缺省路由去做轉(zhuǎn)發(fā)了，即使客戶端收到數(shù)據(jù)包，由于發(fā)起和回應(yīng)的地址不一致，則會(huì)認(rèn)為數(shù)據(jù)包不是自己想要的，會(huì)直接丟棄
• 配置LB時(shí)，新建實(shí)服務(wù)，關(guān)聯(lián)實(shí)服務(wù)組，最后在虛服務(wù)器下做關(guān)聯(lián)時(shí)，設(shè)備會(huì)根據(jù)檢測(cè)模板去輪詢看是否和服務(wù)器可達(dá)，如果可達(dá)，將處于active狀態(tài)，如果檢測(cè)不可達(dá)，處于Probe-failed

文章名稱：LB服務(wù)器負(fù)載均衡【旁路部署】
鏈接URL：http://chinadenli.net/article12/goipgc.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供網(wǎng)站維護(hù)、虛擬主機(jī)、網(wǎng)站排名、ChatGPT、Google、手機(jī)網(wǎng)站建設(shè)

廣告

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請(qǐng)盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng)，如需處理請(qǐng)聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來源： 創(chuàng)新互聯(lián)