Destination NAT: SLB (server load balancing)
Purpose: balance the load across several servers that provide the same service.
Principle:
When users access the service, SLB spreads their connections across the servers in the group (evenly, or by weight) so that every server does its share of the work and none is idle or overloaded.
Once SLB is configured on the firewall, it creates a static server-map entry for the virtual server. When traffic arrives, it is matched against the server-map table (destination NAT from the virtual address to a real server) and then forwarded according to the group's scheduling algorithm and the rest of the configuration.
Configuration:
sw1 (switch in the trust zone)
vlan batch 10 20
int vlan 10
ip add 192.168.10.254 24
int vlan 20
ip add 192.168.20.254 24
int g0/0/1
port link-type access
port default vlan 10
int g0/0/2
port link-type access
port default vlan 20
int g0/0/3
port link-type access
port default vlan 20
int g0/0/4
port link-type access
port default vlan 20
ip route-static 0.0.0.0 0 192.168.10.1
______________________________________________
sw2 (switch in the untrust zone)
vlan batch 10 20 30 40
int vlan 10
ip add 202.1.1.254 24
int vlan 20
ip add 6.6.6.254 24
int vlan 30
ip add 7.7.7.254 24
int vlan 40
ip add 8.8.8.254 24
int g0/0/1
port link-type access
port default vlan 10
int g0/0/2
port link-type access
port default vlan 20
int g0/0/3
port link-type access
port default vlan 30
int g0/0/4
port link-type access
port default vlan 40
ip route-static 0.0.0.0 0 202.1.1.1
_______________________________________________
sw3 (switch in the dmz zone)
vlan batch 10 20
int vlan 10
ip add 172.16.1.254 24
int vlan 20
ip add 172.16.100.254 24
int g0/0/1
port link-type access
port default vlan 10
int g0/0/2
port link-type access
port default vlan 20
int g0/0/3
port link-type access
port default vlan 20
int g0/0/4
port link-type access
port default vlan 20
ip route-static 0.0.0.0 0 172.16.1.1
________________________________________________
fw1 (firewall)
int g1/0/0
ip add 192.168.10.1 24
service-manage ping permit
int g1/0/1
ip add 202.1.1.1 24
service-manage ping permit
int g1/0/2
ip add 172.16.1.1 24
service-manage ping permit
firewall zone trust
add int g1/0/0
firewall zone untrust
add int g1/0/1
firewall zone dmz
add int g1/0/2
ip route-static 192.168.20.0 24 192.168.10.254 (client subnet behind sw1)
ip route-static 172.16.100.0 24 172.16.1.254 (real-server subnet behind sw3)
ip route-static 0.0.0.0 0 202.1.1.254 (everything else toward the untrust switch; do not configure one default route per switch: with equal preference they become equal-cost routes and traffic to the real servers would be spread across all three next hops, breaking the health checks)
————————————————————————
slb enable
[ngfw-slb] (the commands below are entered in the slb view)
group web
metric weight-roundrobin (scheduling algorithm: weighted round-robin)
health-check type icmp (health check; the simulator does not support the more precise check types)
rserver 0 rip 172.16.100.1 port 80 weight 1 (rip = real IP, weight = scheduling weight)
rserver 1 rip 172.16.100.2 port 80 weight 1
rserver 2 rip 172.16.100.3 port 80 weight 2
This is the real-server group: the servers' real IPs are added to the group, and the weights set the share of connections each one receives (here 1:1:2, so 172.16.100.3 gets half of them; a server that fails the health check is taken out of the rotation).
vserver vweb
vip 0 100.1.1.100 (the virtual address the clients connect to)
protocol any
group web (binds the virtual address to the real-server group)
security-policy
rule name 1
source-zone local
destination-zone dmz (the health check sends an ICMP probe from the firewall itself to each real server every 5 s to confirm it is reachable, so Local -> dmz must be permitted; without this rule every server is marked down)
source-address 172.16.1.1 32
destination-address 172.16.100.0 24
action permit
——————————————————————————————
rule name 2
source-zone trust
destination-zone dmz
source-address 192.168.20.0 24
destination-address 172.16.100.0 24 (the firewall performs destination NAT, i.e. the server-map lookup, before the security policy, so the policy is evaluated against the translated address: use the real-server subnet here, not the VIP 100.1.1.100; a rule written for the VIP never matches and the traffic is dropped)
service http
action permit
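The two points above, the weighted round-robin across group web and the order server-map/destination NAT, then routing, then security policy, as an added runnable model. This is not the firewall's code and not part of the original notes; the scheduler, the route table expressed as a prefix-to-zone map and the rule matcher are simplifications assumed for illustration, while the VIP, real servers, weights, zones and rule contents are the ones from the lab above.

```python
# Added model of the SLB path in the notes (constructed example, not USG code).
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RealServer:
    rip: str               # real IP, as in "rserver N rip ..."
    port: int
    weight: int
    healthy: bool = True   # cleared when the ICMP health check fails


@dataclass
class Group:
    """SLB group using weighted round-robin (metric weight-roundrobin)."""
    name: str
    rservers: list
    _cycle: list = field(default_factory=list)

    def pick(self):
        """Each healthy server appears `weight` times per cycle, so weights
        1/1/2 give a 1:1:2 split. Servers that failed the health check are
        skipped; None means no real server is usable."""
        while True:
            if not self._cycle:
                self._cycle = [rs for rs in self.rservers if rs.healthy
                               for _ in range(rs.weight)]
                if not self._cycle:
                    return None
            rs = self._cycle.pop(0)
            if rs.healthy:
                return rs


# fw1 routing table from the notes: prefix -> zone of the outbound interface.
ROUTES = {ip_network("192.168.10.0/24"): "trust", ip_network("192.168.20.0/24"): "trust",
          ip_network("172.16.1.0/24"): "dmz", ip_network("172.16.100.0/24"): "dmz",
          ip_network("0.0.0.0/0"): "untrust"}


def zone_for(dst):
    """Longest-prefix match; routing runs after destination NAT, so the
    destination zone is decided by the real server's address, not the VIP."""
    addr = ip_address(dst)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    action: str = "permit"

    def matches(self, src_zone, dst_zone, src, dst):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and ip_address(src) in ip_network(self.src_net)
                and ip_address(dst) in ip_network(self.dst_net))


def process(server_map, rules, src_zone, src, dst):
    """Processing order: server-map lookup (destination NAT), then routing
    (destination zone), then security policy with first match winning.
    Returns (action, destination address the packet ends up with)."""
    group = server_map.get(dst)
    if group is not None:
        rs = group.pick()
        if rs is None:
            return ("drop: no healthy rserver", dst)
        dst = rs.rip
    dst_zone = zone_for(dst)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src, dst):
            return (rule.action, dst)
    return ("deny (default)", dst)


VIP = "100.1.1.100"
RULE_REAL = Rule("2", "trust", "dmz", "192.168.20.0/24", "172.16.100.0/24")
RULE_VIP = Rule("2", "trust", "dmz", "192.168.20.0/24", "100.1.1.100/32")  # wrong: pre-NAT address


def make_group(unhealthy=()):
    """Group web from the notes; `unhealthy` lists rips whose ICMP check failed."""
    servers = [RealServer("172.16.100.1", 80, 1), RealServer("172.16.100.2", 80, 1),
               RealServer("172.16.100.3", 80, 2)]
    for rs in servers:
        rs.healthy = rs.rip not in unhealthy
    return Group("web", servers)


def distribute(n, unhealthy=(), rule=RULE_REAL):
    """Send n client requests from trust to the VIP and count the outcomes."""
    group = make_group(unhealthy)
    counts = Counter()
    for _ in range(n):
        counts[process({VIP: group}, [rule], "trust", "192.168.20.1", VIP)] += 1
    return counts


if __name__ == "__main__":
    print(distribute(8))                               # 1:1:2 split over 8 requests
    print(distribute(8, unhealthy=("172.16.100.3",)))  # .3 skipped, 4/4 on the others
    print(distribute(1, rule=RULE_VIP))                # policy written for the VIP never matches
```

Running it shows the three behaviours the notes describe: the 1:1:2 share, a real server dropping out of the rotation when its health check fails, and a security policy whose destination is the VIP denying all client traffic because the policy is evaluated after the server-map rewrite.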
——————————————————————————
Server-map table: the static entries created for vserver vweb.
Session table: the sessions of the health checks sent from the Local zone to each real server.