CLI example: Configuring basic Layer 7 server load balancing

Network configuration

As shown in Figure-1, physical servers Server A, Server B, and Server C provide HTTP services. Their hardware configuration decreases in that order, with Server A the most capable.

Configure server load balancing on the device to distribute user requests among the servers based on their hardware performance, and use health monitoring to monitor reachability of the servers.

Figure-1 Network diagram

Software versions used

This configuration example was created and verified on E9900 of the F5000-AI-55-G device.

Procedure

Configure the device:

  1. Assign IP addresses to interfaces:

    # Assign an IP address to interface GigabitEthernet 1/0/1.

    <Device> system-view

    [Device] interface gigabitethernet 1/0/1

    [Device-GigabitEthernet1/0/1] ip address 61.159.4.100 255.255.255.0

    [Device-GigabitEthernet1/0/1] quit

    # Assign IP addresses to other interfaces in the same way. (Details not shown.)

  2. Configure settings for routing.

    This example configures a static route, and the next hop in the route is 61.159.4.1.

    [Device] ip route-static 1.1.1.1 24 61.159.4.1

  3. Add interfaces to security zones.

    [Device] security-zone name untrust

    [Device-security-zone-Untrust] import interface gigabitethernet 1/0/1

    [Device-security-zone-Untrust] quit

    [Device] security-zone name trust

    [Device-security-zone-Trust] import interface gigabitethernet 1/0/2

    [Device-security-zone-Trust] quit

  4. Configure a security policy:

    Configure rules to permit traffic from the Untrust security zone to the Local security zone and traffic from the Local security zone to the Trust security zone, so the users can access the servers:

    # Configure a rule named lblocalin to allow the users to send packets to the device.

    [Device] security-policy ip

    [Device-security-policy-ip] rule name lblocalin

    [Device-security-policy-ip-1-lblocalin] source-zone untrust

    [Device-security-policy-ip-1-lblocalin] destination-zone local

    [Device-security-policy-ip-1-lblocalin] destination-ip-subnet 61.159.4.0 255.255.255.0

    [Device-security-policy-ip-1-lblocalin] action pass

    [Device-security-policy-ip-1-lblocalin] quit

    # Configure a rule named lblocalout to allow the device to send packets to the servers.

    [Device-security-policy-ip] rule name lblocalout

    [Device-security-policy-ip-2-lblocalout] source-zone local

    [Device-security-policy-ip-2-lblocalout] destination-zone trust

    [Device-security-policy-ip-2-lblocalout] destination-ip-subnet 192.168.1.0 255.255.255.0

    [Device-security-policy-ip-2-lblocalout] action pass

    [Device-security-policy-ip-2-lblocalout] quit

    [Device-security-policy-ip] quit

  5. Configure a server farm.

    # Create the HTTP-type NQA template t1.

    [Device] nqa template http t1

    [Device-nqatplt-http-t1] quit

    # Create server farm sf, and specify the scheduling algorithm as weighted round robin and health monitoring method as t1.

    [Device] server-farm sf

    [Device-sfarm-sf] predictor round-robin

    [Device-sfarm-sf] probe t1

    [Device-sfarm-sf] quit

  6. Configure real servers.

    # Create the real server rs1 with IPv4 address 192.168.1.1, port number 8080, and weight 150, and add it to the server farm sf.

    [Device] real-server rs1

    [Device-rserver-rs1] ip address 192.168.1.1

    [Device-rserver-rs1] port 8080

    [Device-rserver-rs1] weight 150

    [Device-rserver-rs1] server-farm sf

    [Device-rserver-rs1] quit

    # Create the real server rs2 with IPv4 address 192.168.1.2, port number 8080, and weight 120, and add it to the server farm sf.

    [Device] real-server rs2

    [Device-rserver-rs2] ip address 192.168.1.2

    [Device-rserver-rs2] port 8080

    [Device-rserver-rs2] weight 120

    [Device-rserver-rs2] server-farm sf

    [Device-rserver-rs2] quit

    # Create the real server rs3 with IPv4 address 192.168.1.3, port number 8080, and weight 80, and add it to the server farm sf.

    [Device] real-server rs3

    [Device-rserver-rs3] ip address 192.168.1.3

    [Device-rserver-rs3] port 8080

    [Device-rserver-rs3] weight 80

    [Device-rserver-rs3] server-farm sf

    [Device-rserver-rs3] quit

  7. Configure a virtual server.

    # Create the HTTP virtual server vs with VSIP 61.159.4.200, specify its default master server farm sf, and enable the virtual server.

    [Device] virtual-server vs type http

    [Device-vs-http-vs] virtual ip address 61.159.4.200

    [Device-vs-http-vs] default server-farm sf

    [Device-vs-http-vs] service enable

    # If the interface IP address on the device and the VSIP belong to the same subnet, specify that interface for sending gratuitous ARP packets and ND packets.

    [Device-vs-http-vs] arp-nd interface gigabitethernet 1/0/1

    [Device-vs-http-vs] quit

Configure the physical servers:

# Specify the default gateway 192.168.1.100 for physical servers Server A, Server B, and Server C. (Details not shown.)
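To show what the weights 150, 120, and 80 mean for request distribution, and what happens when health monitoring takes a server out of rotation, here is an added Python example (not part of the original page or the device software). It assumes the generic smooth weighted round-robin scheme; the class and function names are hypothetical, and the device's own scheduler may order individual picks differently.

```python
from collections import Counter

# Weights of rs1, rs2 and rs3 as configured in step 6 of the procedure.
WEIGHTS = {"rs1": 150, "rs2": 120, "rs3": 80}


class WeightedRoundRobin:
    """Smooth weighted round robin over servers that pass health checks.

    Assumption: generic smooth WRR, not the device's documented internals.
    """

    def __init__(self, weights):
        self.weights = dict(weights)
        self.current = {name: 0 for name in weights}
        self.healthy = set(weights)

    def set_health(self, name, is_up):
        """Record a probe result (the role template t1 plays on the device)."""
        if is_up:
            self.healthy.add(name)
        else:
            self.healthy.discard(name)
        self.current[name] = 0  # drop stale credit on a state change

    def pick(self):
        """Return the next server, or None if every server is down."""
        active = [n for n in self.weights if n in self.healthy]
        if not active:
            return None
        for name in active:
            self.current[name] += self.weights[name]
        chosen = max(active, key=lambda n: self.current[n])
        self.current[chosen] -= sum(self.weights[n] for n in active)
        return chosen


def distribute(scheduler, requests):
    """Schedule `requests` requests and count the picks per server."""
    return Counter(scheduler.pick() for _ in range(requests))


if __name__ == "__main__":
    lb = WeightedRoundRobin(WEIGHTS)
    print("all healthy:", dict(distribute(lb, 350)))
    lb.set_health("rs2", False)  # constructed event: rs2 fails its probe
    print("rs2 down:", dict(distribute(lb, 230)))
```

With all three servers healthy, every 350 requests split 150/120/80; once rs2 is marked down, its share is redistributed to rs1 and rs3 in the ratio of their weights.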

Verifying the configuration

# Display brief information about all real servers.

[Device] display real-server brief

Real server      Address          Port  State    VPN instance    Server farm
rs1              192.168.1.1      8080  Active                   sf
rs2              192.168.1.2      8080  Active                   sf
rs3              192.168.1.3      8080  Active                   sf

# Display detailed information about all server farms.

[Device] display server-farm

Server farm: sf

Description:

Predictor: Round robin

Proximity: Disabled

NAT: Enabled

SNAT pool:

Failed action: Keep

Active threshold: Disabled

Slow-online: Disabled

Selected server: Disabled

Probe information:

Probe success criteria: All

Probe method:

t1

Total real server: 3

Active real server: 3

Real server list:

Name             State    VPN instance    Address          Port  Weight  Priority
rs1              Active                   192.168.1.1      8080  150     4
rs2              Active                   192.168.1.2      8080  120     4
rs3              Active                   192.168.1.3      8080  80      4

# Display detailed information about all virtual servers.

[Device] display virtual-server

Virtual server: vs

Description:

Type: HTTP

State: Active

VPN instance:

Virtual IPv4 address: 61.159.4.200/32

Virtual IPv6 address: --

Port: 80

Primary server farm: sf (in use)

Backup server farm:

Sticky:

LB policy:

HTTP parameter profile:

Connection limit: --

Rate limit:

Connections: --

Bandwidth: --

Inbound bandwidth: --

Outbound bandwidth: --

SSL server policy:

SSL client policy:

Redirect relocation:

Redirect return-code: 302

Sticky synchronization: Disabled

Bandwidth busy protection: Disabled

Interface bandwidth statistics: Disabled

Route advertisement: Disabled

Configuration files

#

interface GigabitEthernet1/0/1

ip address 61.159.4.100 255.255.255.0

#

interface GigabitEthernet1/0/2

ip address 192.168.1.100 255.255.255.0

#

security-zone name Untrust

import interface GigabitEthernet1/0/1

#

security-zone name Trust

import interface GigabitEthernet1/0/2

#

security-policy ip

rule 1 name lblocalin

action pass

source-zone untrust

destination-zone local

destination-ip-subnet 61.159.4.0 255.255.255.0

rule 2 name lblocalout

action pass

source-zone local

destination-zone trust

destination-ip-subnet 192.168.1.0 255.255.255.0

#

nqa template http t1

#

server-farm sf

probe t1

#

real-server rs1

ip address 192.168.1.1

port 8080

weight 150

server-farm sf

#

real-server rs2

ip address 192.168.1.2

port 8080

weight 120

server-farm sf

#

real-server rs3

ip address 192.168.1.3

port 8080

weight 80

server-farm sf

#

virtual-server vs type http

virtual ip address 61.159.4.200

default server-farm sf

arp-nd interface GigabitEthernet1/0/1

service enable

#
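A review check for the security policy from step 4, written against the stanza layout of the listing above: it reports each pass rule that does not set both zones and a destination address criterion. This is an added Python example, not part of the original page or the vendor's tooling; the function names, the REQUIRED baseline, and the demo-wide rule are assumptions made for the illustration.

```python
# Constructed sample in the layout of the page's "Configuration files"
# section; rule 2 (demo-wide) is invented here to produce a finding.
SAMPLE_CONFIG = """\
#
security-policy ip
 rule 1 name lblocalin
  action pass
  source-zone untrust
  destination-zone local
  destination-ip-subnet 61.159.4.0 255.255.255.0
 rule 2 name demo-wide
  action pass
  source-zone untrust
  destination-zone local
#
"""

# Assumed review baseline: a pass rule pins both zones and a destination.
REQUIRED = ("source-zone", "destination-zone", "destination-ip")


def parse_rules(config_text):
    """Return {rule name: [criteria lines]} from the security-policy stanza."""
    rules, current, in_policy = {}, None, False
    for line in (raw.strip() for raw in config_text.splitlines()):
        words = line.split()
        if line == "#":
            in_policy, current = False, None
        elif words[:1] == ["security-policy"]:
            in_policy = True
        elif in_policy and words[:1] == ["rule"] and "name" in words:
            current = rules.setdefault(words[-1], [])
        elif in_policy and current is not None and line:
            current.append(line)
    return rules


def audit_pass_rules(config_text):
    """Map each pass rule to the REQUIRED criteria it does not set."""
    findings = {}
    for name, lines in parse_rules(config_text).items():
        missing = [k for k in REQUIRED if not any(l.startswith(k) for l in lines)]
        if "action pass" in lines and missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    print(audit_pass_rules(SAMPLE_CONFIG))
```

The parser skips blank lines, so a listing pasted with a blank line between every command is handled the same way.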