温馨提示×

温馨提示×

您好,登录后才能下订单哦!

密码登录×
登录注册×
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》

LB旁路部署案例分析

发布时间:2020-04-16 16:55:50 来源:亿速云 阅读:340 作者:三月 栏目:安全技术

下文给大家带来LB旁路部署案例分析,希望能够给大家在实际运用中带来一定的帮助,负载均衡涉及的东西比较多,理论也不多,网上有很多书籍,今天我们就用亿速云在行业内累计的经验来做一个解答。

LB旁路部署案例
一、  需求

  • 为了实现云服务器对外网用户提供服务的可靠性,客户在现网中部署了LB设备,LB采用旁路方式部署,要求外网主机访问时的流量经过LB轮询到内部云服务器,一台云服务器down机不影响其正常业务。
    二、  拓扑环境
    LB旁路部署案例分析
    三、  配置思路
  • 配置各个设备ip地址及路由,保证ip可达
  • 配置检测模板
  • 配置ip地址池
  • 配置实服务组,调用检测模板和ip地址池
  • 配置实服务,关联实服务组
  • 配置虚服务器,关联实服务组
  • 测试
    四、  配置步骤
    配置脚本如下所示:
    出口NAT设备配置:
    sysname NAT
    #
    system-working-mode standard
    xbar load-single
    password-recovery enable
    lpu-type f-series
    #
    vlan 1
    #
    interface Serial1/0
    #
    interface Serial2/0
    #
    interface Serial3/0
    #
    interface Serial4/0
    #
    interface NULL0
    #
    interface GigabitEthernet0/0
    port link-mode route
    combo enable copper
    ip address 192.168.34.4 255.255.255.0
    #
    interface GigabitEthernet0/1
    port link-mode route
    combo enable copper
    ip address 100.1.46.4 255.255.255.0
    nat outbound
    nat server protocol tcp global 100.1.46.4 2323 inside 192.168.35.5 2323
    #
    interface GigabitEthernet0/2
    port link-mode route
    combo enable copper
    #
    interface GigabitEthernet5/0
    port link-mode route
    combo enable copper
    #
    interface GigabitEthernet5/1
    port link-mode route
    combo enable copper
    #
    interface GigabitEthernet6/0
    port link-mode route
    combo enable copper
    #
    interface GigabitEthernet6/1
    port link-mode route
    combo enable copper
    #
    scheduler logfile size 16
    #
    line class aux
    user-role network-operator
    #
    line class console
    user-role network-admin
    #
    line class tty
    user-role network-operator
    #
    line class vty
    user-role network-operator
    #
    line aux 0
    user-role network-operator
    #
    line con 0
    user-role network-admin
    #
    line vty 0 63
    user-role network-operator
    #
    ip route-static 0.0.0.0 0 100.1.46.6
    ip route-static 192.168.1.0 24 192.168.34.3
    ip route-static 192.168.2.0 24 192.168.34.3
    ip route-static 192.168.35.0 24 192.168.34.3
    #
    domain system
    #
    domain default enable system
    #
    role name level-0
    description Predefined level-0 role
    #
    role name level-1
    description Predefined level-1 role
    #
    role name level-2
    description Predefined level-2 role
    #
    role name level-3
    description Predefined level-3 role
    #
    role name level-4
    description Predefined level-4 role
    #
    role name level-5
    description Predefined level-5 role
    #
    role name level-6
    description Predefined level-6 role
    #
    role name level-7
    description Predefined level-7 role
    #
    role name level-8
    description Predefined level-8 role
    #
    role name level-9
    description Predefined level-9 role
    #              
    role name level-10
    description Predefined level-10 role
    #
    role name level-11
    description Predefined level-11 role
    #
    role name level-12
    description Predefined level-12 role
    #
    role name level-13
    description Predefined level-13 role
    #
    role name level-14
    description Predefined level-14 role
    #
    user-group system

LB关键配置:

interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 ip address 192.168.35.5 255.255.255.0

loadbalance snat-pool pool
 ip range start 192.168.35.5 end 192.168.35.5
#
server-farm sf
 snat-pool pool
 probe t1
#
real-server rs1
 ip address 192.168.1.1
 port 23
 weight 150
 server-farm sf
#
real-server rs2
 ip address 192.168.2.2
 port 23
 weight 120    
 server-farm sf
#
virtual-server vs type tcp
 port 2323 
 virtual ip address 192.168.35.5
 default server-farm sf
 service enable
 #
 ip route-static 0.0.0.0 0 192.168.35.3
#
acl basic 2000
 rule 0 permit
security-zone name Trust
 import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
zone-pair security source Any destination Any
 packet-filter 2000
#
return

五、  测试
外网主机telnet外网映射到LB的地址和端口,看是否可以访问到内部服务器
<Client>telnet 100.1.46.4 2323
Trying 100.1.46.4 ...
Press CTRL+K to abort
Connected to 100.1.46.4 ...

<ServerA>
<ServerA>
<ServerA>dis ip int brief
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description
GE0/0                    down     down     --              --
GE0/1                    up       up       192.168.1.1     --
测试后可以正常访问到服务器A

退出登录后再尝试登录下,测试看是否可以轮询到另一个服务器
<ServerA>quit

The connection was closed by the remote host!
<Client>telnet 100.1.46.4 2323
Trying 100.1.46.4 ...
Press CTRL+K to abort
Connected to 100.1.46.4 ...

<ServerB>
<ServerB>dis ip int brief
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description
GE0/0                    up       up       192.168.2.2     --

LB>dis real-server statistics
Slot 1:
Real server: rs1
Total connections: 7
Active connections: 0
Max connections: 1
Connections per second: 0
Max connections per second: 1
Server input: 13601 bytes
Server output: 15872 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 3612 bytes/s
Max inbound throughput: 1359 bytes/s
Max outbound throughput: 2253 bytes/s
Received packets: 252
Sent packets: 238
Dropped packets: 0
Received requests: 0
Dropped requests: 0
Sent responses: 0
Dropped responses: 0
Connection failures: 0

Real server: rs2
Total connections: 8
Active connections: 1
Max connections: 1
Connections per second: 0
Max connections per second: 1
Server input: 15552 bytes
Server output: 17213 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 5796 bytes/s
Max inbound throughput: 2451 bytes/s
Max outbound throughput: 3345 bytes/s
Received packets: 288
Sent packets: 264
Dropped packets: 0
Received requests: 0
Dropped requests: 0
Sent responses: 0
Dropped responses: 0
Connection failures: 0

<LB>dis virtual-server statistics
Slot 1:
Virtual server: vs
Total connections: 15
Active connections: 1
Max connections: 2
Connections per second: 0
Max connections per second: 1
Client input: 29257 bytes
Client output: 33165 bytes
Throughput: 0 bytes/s
Inbound throughput: 0 bytes/s
Outbound throughput: 0 bytes/s
Max throughput: 5796 bytes/s
Max inbound throughput: 2451 bytes/s
Max outbound throughput: 3345 bytes/s
Received packets: 542
Sent packets: 504
Dropped packets: 0
六、  注意事项

  • 该拓扑图中,如果只是单纯配置服务器负载均衡,不针对外网进来的源做snat的话,是无法访问到服务器的,原因是,外网终端向LB发起访问,但是数据包回复时却是内网服务器直接给予的回应,服务器回包时,数据包到核心设备,直接按照缺省路由去做转发了,即使客户端收到数据包,由于发起和回应的地址不一致,则会认为数据包不是自己想要的,会直接丢弃
  • 配置LB时,新建实服务,关联实服务组,最后在虚服务器下做关联时,设备会根据检测模板去轮询看是否和服务器可达,如果可达,将处于active状态,如果检测不可达,处于Probe-failed
  • 看了以上关于LB旁路部署案例分析,如果大家还有什么地方需要了解的可以在亿速云行业资讯里查找自己感兴趣的或者找我们的专业技术工程师解答的,亿速云技术工程师在行业内拥有十几年的经验了。

向AI问一下细节

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

AI