This example was configured and verified on an F5000-AI-55-G running release E9900.
As shown in the network diagram, the administrator leases link Link 1 from ISP 1 and link Link 2 from ISP 2. The two links have the same router hop count, bandwidth, and cost. Configure inbound link load balancing so that when Client host accesses Internal server and one of the two links fails, the remaining available link is preferred. Internal server provides its service under the domain name l.example.com; its actual host name is www.example.com.
Configure interface IP addresses
# Assign IP addresses to the interfaces as planned in the network diagram. The steps for GigabitEthernet 1/0/1 are as follows.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 10.1.1.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
Configure the IP addresses of the other interfaces in the same way. (Details not shown.)
Add the interfaces to security zones
# Add each interface to its security zone as planned in the network diagram.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/3
[Device-security-zone-Trust] quit
Configure security policies
Configure security policy rules that permit traffic from Untrust to Trust (external users reaching the internal server), from Untrust to Local (external DNS queries reaching the DNS listeners), and from Local to Untrust (the device probing the link next hops).
# Configure a rule named lbrule1 that permits external users to access the internal server.
[Device] security-policy ip
[Device-security-policy-ip] rule name lbrule1
[Device-security-policy-ip-1-lbrule1] source-zone untrust
[Device-security-policy-ip-1-lbrule1] destination-zone trust
[Device-security-policy-ip-1-lbrule1] destination-ip-subnet 192.168.1.0 255.255.255.0
[Device-security-policy-ip-1-lbrule1] action pass
[Device-security-policy-ip-1-lbrule1] quit
# Configure a rule named lblocalin that permits external users to reach the DNS listeners.
[Device-security-policy-ip] rule name lblocalin
[Device-security-policy-ip-2-lblocalin] source-zone untrust
[Device-security-policy-ip-2-lblocalin] destination-zone local
[Device-security-policy-ip-2-lblocalin] destination-ip-subnet 10.1.1.1 255.255.255.255
[Device-security-policy-ip-2-lblocalin] destination-ip-subnet 20.1.1.1 255.255.255.255
[Device-security-policy-ip-2-lblocalin] action pass
[Device-security-policy-ip-2-lblocalin] quit
# Configure a rule named lblocalout so that the device can send health-check (probe) packets to the next hop of each link.
[Device-security-policy-ip] rule name lblocalout
[Device-security-policy-ip-3-lblocalout] source-zone local
[Device-security-policy-ip-3-lblocalout] destination-zone untrust
[Device-security-policy-ip-3-lblocalout] destination-ip-subnet 10.1.1.0 255.255.255.0
[Device-security-policy-ip-3-lblocalout] destination-ip-subnet 20.1.1.0 255.255.255.0
[Device-security-policy-ip-3-lblocalout] action pass
[Device-security-policy-ip-3-lblocalout] quit
[Device-security-policy-ip] quit
Configure the links
# Create an ICMP-type NQA template named t1.
[Device] nqa template icmp t1
[Device-nqatplt-icmp-t1] quit
# Create link link1, set its outbound next hop to 10.1.1.2, and use the ICMP NQA template t1 as its probe.
[Device] loadbalance link link1
[Device-lb-link-link1] router ip 10.1.1.2
[Device-lb-link-link1] probe t1
[Device-lb-link-link1] quit
# Create link link2, set its outbound next hop to 20.1.1.2, and use the ICMP NQA template t1 as its probe.
[Device] loadbalance link link2
[Device-lb-link-link2] router ip 20.1.1.2
[Device-lb-link-link2] probe t1
[Device-lb-link-link2] quit
Configure the server farm
# Create server farm sf.
[Device] server-farm sf
[Device-sfarm-sf] quit
Configure the real server
# Create real server rs with IPv4 address 192.168.1.10 and add it to server farm sf.
[Device] real-server rs
[Device-rserver-rs] ip address 192.168.1.10
[Device-rserver-rs] server-farm sf
[Device-rserver-rs] quit
Configure the virtual servers
# Create HTTP-type virtual server vs1 with VSIP 10.1.1.3 and port 80, specify sf as its default primary server farm, and enable it.
[Device] virtual-server vs1 type http
[Device-vs-http-vs1] virtual ip address 10.1.1.3
[Device-vs-http-vs1] port 80
[Device-vs-http-vs1] default server-farm sf
[Device-vs-http-vs1] service enable
[Device-vs-http-vs1] quit
# Create HTTP-type virtual server vs2 with VSIP 20.1.1.3 and port 80, specify sf as its default primary server farm, and enable it.
[Device] virtual-server vs2 type http
[Device-vs-http-vs2] virtual ip address 20.1.1.3
[Device-vs-http-vs2] port 80
[Device-vs-http-vs2] default server-farm sf
[Device-vs-http-vs2] service enable
[Device-vs-http-vs2] quit
Configure the virtual server pool
# Create virtual server pool vsp, add virtual servers vs1 and vs2, and associate them with links link1 and link2 respectively.
[Device] loadbalance virtual-server-pool vsp
[Device-lb-vspool-vsp] virtual-server vs1 link link1
[Device-lb-vspool-vsp] virtual-server vs2 link link2
[Device-lb-vspool-vsp] quit
Configure the DNS listeners
# Create DNS listener dl1 with IPv4 address 10.1.1.1 and enable the DNS listening service.
[Device] loadbalance dns-listener dl1
[Device-lb-dl-dl1] ip address 10.1.1.1
[Device-lb-dl-dl1] service enable
[Device-lb-dl-dl1] quit
# Create DNS listener dl2 with IPv4 address 20.1.1.1 and enable the DNS listening service.
[Device] loadbalance dns-listener dl2
[Device-lb-dl-dl2] ip address 20.1.1.1
[Device-lb-dl-dl2] service enable
[Device-lb-dl-dl2] quit
Configure the DNS mapping
# Create DNS mapping dm, set its domain name to www.example.com, bind it to virtual server pool vsp, and enable it.
[Device] loadbalance dns-map dm
[Device-lb-dm-dm] domain-name www.example.com
[Device-lb-dm-dm] service enable
[Device-lb-dm-dm] virtual-server-pool vsp
[Device-lb-dm-dm] quit
Configure the DNS forward zone
# Create a DNS forward zone for the domain example.com.
[Device] loadbalance zone example.com
# Configure a CNAME resource record that makes l.example.com an alias of the host www.example.com.
[Device-lb-zone-example.com] record cname alias l.example.com. canonical www.example.com. ttl 600
[Device-lb-zone-example.com] quit
# Display information about all DNS listeners.
[Device] display loadbalance dns-listener
DNS listener name: dl1
Service state: Enabled
IPv4 address: 10.1.1.1
Port: 53
IPv6 address: --
IPv6 Port: 53
Fallback: Reject
VPN instance:
DNS listener name: dl2
Service state: Enabled
IPv4 address: 20.1.1.1
Port: 53
IPv6 address: --
IPv6 Port: 53
Fallback: Reject
VPN instance:
# Display information about all DNS mappings.
[Device] display loadbalance dns-map
DNS mapping name: dm
Service state: Enabled
TTL: 3600
Domain name list: www.example.com
Virtual server pool: vsp
# Display information about all DNS forward zones.
[Device] display loadbalance zone
Zone name: example.com
TTL: 3600s
SOA:
Record list:
Type TTL RDATA
CNAME 600s l.example.com. www.example.com.
# Display brief information about all virtual server pools.
[Device] display loadbalance virtual-server-pool brief
Predictor: RR - Round robin, RD - Random, LC - Least connection,
TOP - Topology, PRO - Proximity
BW - Bandwidth, MBW - Max bandwidth,
IBW - Inbound bandwidth, OBW - Outbound bandwidth,
MIBW - Max inbound bandwidth, MOBW - Max outbound bandwidth,
HASH(SIP) - Hash address source IP,
HASH(DIP) - Hash address destination IP,
HASH(SIP-PORT) - Hash address source IP-port
VSpool Pre Alt Fbk BWP Total Active
vsp RR -- -- Enabled 0 0
# Display detailed information about all virtual server pools.
[Device] display loadbalance virtual-server-pool
Virtual-server pool: vsp
Predictor:
Preferred RR
Alternate --
Fallback --
Bandwidth busy-protection: Disabled
Total virtual servers: 2
Active virtual servers: 2
Virtual server list:
Name State Address Port Weight Link
vs1 Active 10.1.1.3 80 100 link1
vs2 Active 20.1.1.3 80 100 link2
# Display brief information about all real servers.
[Device] display real-server brief
Real server Address Port State VPN instance Server farm
rs 192.168.1.10 0 Active sf
# Display brief information about all links.
[Device] display loadbalance link brief
link Router IP State VPN instance Link group
link1 10.1.1.2 Active
link2 20.1.1.2 Probe-failed
# Display detailed information about all server farms.
[Device] display server-farm
Server farm: sf
Description:
Predictor: Round robin
Proximity: Enabled
NAT: Enabled
SNAT pool:
Failed action: Keep
Active threshold: Disabled
Slow-online: Disabled
Selected server: Disabled
Probe information:
Probe success criteria: All
Probe method:
t1
Total real server: 1
Active real server: 1
Real server list:
Name State VPN instance Address Port Weight Priority
rs Active 192.168.1.10 0 100 4
# Display brief information about all virtual servers.
[Device] display virtual-server brief
Virtual server State Type VPN instance Virtual address Port
vs1 Active HTTP 10.1.1.3/32 80
vs2 Active HTTP 20.1.1.3/32 80
After the configuration is completed, when Client host resolves the domain name l.example.com, the DNS listener answers with the CNAME to www.example.com followed by the VSIP of a virtual server in pool vsp: either 10.1.1.3 (vs1), so that the client reaches Internal server over the ISP 1 link, or 20.1.1.3 (vs2), so that the client reaches it over the ISP 2 link. A virtual server whose link fails its probe is no longer handed out, so clients are steered to the surviving link.
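To check the result from Client host, the following Python script is an added example (it is not part of the H3C configuration example and not a tool of the product). Using only the standard library, it builds an A query for l.example.com in DNS wire format, sends it to each DNS listener (10.1.1.1 and 20.1.1.1), and verifies that the reply carries the CNAME l.example.com -> www.example.com from zone example.com followed by an A record whose address is one of the VSIPs in pool vsp (10.1.1.3 or 20.1.1.3). The reply produced by build_sample_response() is constructed for offline testing and only assumes the CNAME-then-A answer layout described above.

```python
"""Client-side check of the inbound link load balancing DNS answers.
Added example, not part of the H3C configuration example. Names and
addresses are taken from the example; build_sample_response() is a
constructed reply used for offline testing.
"""
import socket
import struct

LISTENERS = ["10.1.1.1", "20.1.1.1"]     # DNS listeners dl1 / dl2
ALIAS = "l.example.com"                   # CNAME alias in zone example.com
CANONICAL = "www.example.com"             # domain name of DNS mapping dm
VSIPS = {"10.1.1.3", "20.1.1.3"}          # VSIPs of vs1 / vs2 in pool vsp

def encode_name(name):
    """Encode a domain name as DNS labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234):
    """Standard query: one question, QTYPE A, QCLASS IN, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def decode_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after the field)."""
    labels, next_off = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                       # compression pointer
            if next_off is None:
                next_off = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if next_off is None else next_off)

def parse_answers(msg):
    """Return (flags, [(name, rtype, ttl, value), ...]) from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                   # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:                                    # CNAME: rdata is a name
            value, _ = decode_name(msg, off)
        elif rtype == 1:                                  # A: rdata is 4 bytes
            value = socket.inet_ntoa(msg[off:off + 4])
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return flags, answers

def check_answer(msg):
    """Verify the reply matches the zone record and the DNS mapping.
    Returns (ok, resolved_ip, reason)."""
    flags, answers = parse_answers(msg)
    if flags & 0x000F:
        return False, None, "rcode=%d" % (flags & 0xF)
    cnames = {n: v for n, t, _, v in answers if t == 5}
    a_recs = [v for n, t, _, v in answers if t == 1 and n == CANONICAL]
    if cnames.get(ALIAS) != CANONICAL:
        return False, None, "missing CNAME %s -> %s" % (ALIAS, CANONICAL)
    if not a_recs:
        return False, None, "no A record for %s" % CANONICAL
    if a_recs[0] not in VSIPS:
        return False, a_recs[0], "address %s is not a VSIP of pool vsp" % a_recs[0]
    return True, a_recs[0], "ok"

def query_listener(server, timeout=2.0):
    """Send the query over UDP/53 to a real listener (needs network reachability)."""
    q = build_query(ALIAS)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != q[:2]:
        raise ValueError("transaction ID mismatch")
    return data

def build_sample_response(vsip, rcode=0, txid=0x1234):
    """Constructed reply in the form the listener is expected to send: CNAME then A."""
    question = encode_name(ALIAS) + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 2, 0, 0)
    canon = encode_name(CANONICAL)
    cname_rr = b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 600, len(canon)) + canon
    canon_off = 12 + len(question) + 12                   # offset of canon inside cname_rr
    a_rr = (struct.pack("!H", 0xC000 | canon_off) + struct.pack("!HHIH", 1, 1, 3600, 4)
            + socket.inet_aton(vsip))
    return header + question + cname_rr + a_rr

if __name__ == "__main__":
    for srv in LISTENERS:
        try:
            print(srv, check_answer(query_listener(srv)))
        except OSError as exc:
            print(srv, "unreachable:", exc)
```

Run it from Client host and repeat the query a few times: with both links healthy, the two VSIPs should alternate (round-robin predictor of pool vsp); if only one VSIP ever comes back, the other link is failing its ICMP probe, which can be confirmed with display loadbalance link brief.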
#
interface GigabitEthernet1/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 192.168.1.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/3
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
#
security-policy ip
rule 1 name lbrule1
action pass
source-zone untrust
destination-zone trust
destination-ip-subnet 192.168.1.0 255.255.255.0
rule 2 name lblocalin
action pass
source-zone untrust
destination-zone local
destination-ip-host 10.1.1.1
destination-ip-host 20.1.1.1
rule 3 name lblocalout
action pass
source-zone local
destination-zone untrust
destination-ip-subnet 10.1.1.0 255.255.255.0
destination-ip-subnet 20.1.1.0 255.255.255.0
#
nqa template icmp t1
#
loadbalance link link1
router ip 10.1.1.2
probe t1
#
loadbalance link link2
router ip 20.1.1.2
probe t1
#
server-farm sf
#
real-server rs
ip address 192.168.1.10
server-farm sf
#
virtual-server vs1 type http
virtual ip address 10.1.1.3
default server-farm sf
service enable
#
virtual-server vs2 type http
virtual ip address 20.1.1.3
default server-farm sf
service enable
#
loadbalance virtual-server-pool vsp
virtual-server vs1 link link1
virtual-server vs2 link link2
#
loadbalance dns-listener dl1
ip address 10.1.1.1
service enable
#
loadbalance dns-listener dl2
ip address 20.1.1.1
service enable
#
loadbalance dns-map dm
domain-name www.example.com
service enable
virtual-server-pool vsp
#
loadbalance zone example.com
record cname alias l.example.com. canonical www.example.com. ttl 600
#