RADWARE之鏈路負(fù)載均衡配置解析

RADWARE之鏈路負(fù)載均衡配置解析網(wǎng)絡(luò)描述：網(wǎng)絡(luò)出口共有3條公網(wǎng)線路接入，一臺(tái)RADWARE直接連接三個(gè)出口ISP做鏈路負(fù)載均衡，來(lái)實(shí)現(xiàn)對(duì)內(nèi)部服務(wù)器訪問(wèn)和內(nèi)部對(duì)外訪問(wèn)流量的多鏈路負(fù)載均衡。設(shè)計(jì)方案：1、RADWARELINKPROOF設(shè)備部署在防火墻外面，直接連接出口ISP2、防火墻全部修改為私有IP地址，用RADWARELINKPROOF負(fù)責(zé)將私有IP地址轉(zhuǎn)換成公網(wǎng)IP地址；3、防火墻的DMZ區(qū)跑路由模式，保證DMZ區(qū)服務(wù)器的正常訪問(wèn)；4、RADWARELINKPROOF利用SmartNAT技術(shù)，分別在每鏈路上配置NAT地址，保證內(nèi)部服務(wù)器的聯(lián)網(wǎng)。WWW.2CTCCOM業(yè)務(wù)系統(tǒng)IH—WWW.2CTCCOM業(yè)務(wù)系統(tǒng)IH—IIIII亠一一**1;!-.實(shí)施過(guò)程（關(guān)鍵步驟）：1、配置公網(wǎng)接口地址InterfaceParametersCreateIPAddress.Ne-two^kIf{Jumber:FwdBroadcast:EnableBroadcastASdrVLANT赳OneIp(RculerInterfaceOnly)PefirAddressIjVWVWIPAddress.Ne-two^kIf{Jumber:FwdBroadcast:EnableBroadcastASdrVLANT赳OneIp(RculerInterfaceOnly)PefirAddressIjVWVWr2CT0.CCMG-1:63/40聯(lián)通G-2:2/28鐵通G-3:2/40電信G-4:G-4:/內(nèi)聯(lián)接口地址，連接防火墻2、配置默認(rèn)路由現(xiàn)網(wǎng)共有3條ISP鏈路，要將每條鏈路的網(wǎng)關(guān)進(jìn)行添加，具體如下:命令行配置LP-Master#Lprouteadd61Lprouteadd1Lprouteadd13、配置內(nèi)網(wǎng)回指路由netroutetablecreate-i14netroutetablecreate-i14netroutetablecreate-i14netroutetablecreate-i14netroutetablecreate-i144、配置地址轉(zhuǎn)換地址轉(zhuǎn)換主要包括內(nèi)部用戶的聯(lián)網(wǎng)和服務(wù)器被訪問(wèn)兩部分，這兩部分在負(fù)載均衡上面分別采用DynamicNAT和StaticPAT這兩種NAT來(lái)實(shí)現(xiàn)，把內(nèi)部的IP地址和服務(wù)器的IP地址分別對(duì)應(yīng)每條ISP都轉(zhuǎn)換成相應(yīng)的公網(wǎng)IP地址。

DynamicNAT是多對(duì)一的映射，并且改變用戶的源端口，而且是單向的，只能出,不能進(jìn)。LinkProof>SmartNAT>DynamicNATTable>CreateFileGlobalCcrtli0uratronFileranrisBridgeRouterLi/ikPrOOfHealthMonlonngReportingSecurity日陽(yáng)ChasesPejformancBSe<vi?$ServereBridgeRouterLi/ikPrOOfHealthMonlonngReportingSecurity日陽(yáng)ChasesPejformancBSe<vi?$ServereC?n!en(LBPara[W?l?rsFlowManagemeptCliantsrsServtr?p'ServerJPDynamicNAfIPRedundancyMode?、SmartNAT?NoNATTablePraximity*StaticMATTabl^DNSConfigLrrsiionBa^icNATTableGdBalancingAlgariihmeD}<iam：cNATTableMappedIPTabi&DynamicMATTableCreateRoutersServersFirewallServersFromLocalIPFromLocalIPToLocalIPSeiverIP：SeiverIP：21828G3U1DynamicMATIP000-QRedundancyModsReguhf〒Cance：WWW2CTOCOMCance：WWW2CTOCOMFromlocalIP:被轉(zhuǎn)換地址的起始地址;TolocalIP：被轉(zhuǎn)換地址的結(jié)束地址；ServerIP：對(duì)應(yīng)的ISP的網(wǎng)關(guān)；DynamicNATIP：轉(zhuǎn)換后的公網(wǎng)地址。命令行配置LP-Master#lpsmartnatdynamic-natcreate5512lpsmartnatdynamic-natcreate5512

lpsmartnatdynamic-natcreateO.O.O.l556162StaticPAT是從外到內(nèi)的一對(duì)多的映射，用來(lái)將同一公網(wǎng)IP的不同端口映射到不同的內(nèi)網(wǎng)服務(wù)器，而且是單向的，只能進(jìn)，不能出。LinkProof>SmartNAT>StaticPATTable>CreateStaticPATTableCreateFiuuteifServeisFiiewaflServersFiuuteifServeisFiiewaflServersIrrtemalIPProtocol:ExternalIPFnternalPort.ServerIP：ExlernalPori&1f0Stoti-cPATIrrtemalIPProtocol:ExternalIPFnternalPort.ServerIP：ExlernalPori&1f0Stoti-cPATMad-o:RogularStaticPATCancelWWW2CT0COM命令行配置LP-Master#lpsmartnatstatic-patcreate3110tcp30110-pn110maillpsmartnatstatic-patcreate088tcp616888-pn88xinlpsmartnatstatic-patcreate380tcp617080-pn80gonglpsmartnatstatic-patcreate321tcp617021-pn21ftplpsmartnatstatic-patcreate480tcp10:80-pn80ser5、就近性(Proixmity)配置就近性(Proiximity)，可以為用戶帶來(lái)更好的網(wǎng)絡(luò)訪問(wèn)服務(wù)。內(nèi)網(wǎng)用戶訪問(wèn)Internet,radwarelinkproof可以檢測(cè)到目的地最快的鏈路；外網(wǎng)用戶訪問(wèn)內(nèi)網(wǎng)服務(wù)器，radwarelinkproof可以解析最佳鏈路上的公網(wǎng)IP給用戶。全局配置

首先我們需要全局開(kāi)啟Proximity,默認(rèn)是NoProximity。如果只使用靜態(tài)態(tài)表,則選擇StaticProximity；如果只使用出向流量，則選擇FullProximityOutbound；只使用入向，則選擇FullProximityInbound；如果同時(shí)使用雙向，動(dòng)態(tài)和靜態(tài)同時(shí)使用，則選擇FullProximityBoth,—般情況都選擇這個(gè)。LinkProof>Proximity>ProximityParameter>GeneralFife0扁購(gòu)BridgePouterHeslthMofifoiingReportingS^cuiicyewwClause?Fife0扁購(gòu)BridgePouterHeslthMofifoiingReportingS^cuiicyewwClause?P^rfoimanctG毗*1C哋u圖血KFamrrsk:卜C<>nlerilLBParameters*FIqw^si「申界m*訊卜Ciienls吶11MlIP?MsppeifIP7aH?SntanNAT?Pfix舟ityDNSCoiafigur^tiQnI1■-GeneralpfoxmftyStaticP'OKinnitjFullProxirnhyBothGeneralParameter?ProximityAgingPeriod(min}:1440'Useroutermodedecisionsinsideproximity:ena&l&v.BackupDNS'ProximitySubnetMask:256256.2480WWW2CTOCOMProximityParameters-GeneralBackupDNS'ProximitySubnetMask:256256.2480WWW2CTOCOMProximityMode:FullProximityBoth卜MainDNS0.00.0ProximityMode:FullProximityBothProximityAgingPeriod(min):1440//這里配置為1天，默認(rèn)為2880分鐘,2天。ProximitySubnetMask://就近表?xiàng)l目網(wǎng)絡(luò)地址的最小單位6、靜態(tài)就近表配置有時(shí)候，在鏈路穩(wěn)定的情況下，我們更多地希望使用靜態(tài)的就近表，即訪問(wèn)電信的IP只從電信的鏈路出去訪問(wèn)；訪問(wèn)聯(lián)通的網(wǎng)站只從聯(lián)通鏈路出去。這時(shí)，我們可以設(shè)置靜態(tài)就近表。如果靜態(tài)就近表的內(nèi)容查到，則按靜態(tài)表的規(guī)則去訪問(wèn)。如果

沒(méi)查到，如果配置的是FullProximity,radwarelinkproof則發(fā)起動(dòng)態(tài)就近性檢查；如果配置的是StaticProximity,則radwarelinkproof就做負(fù)載均衡，沒(méi)有就近性。LinkProof>Proximity>StaticProximityFileDevreeBridgeRouterLinkProofFileDevreeBridgeRouterLinkProofHealthMonitoringReportingSecurity8WMClassesPerformancejjlobalConfiguration?Farm^卜Server^'ContentLBParamstVFiowManagement卜Clients卜■VirtualIPMappedIPTableSmart.忖AT卜Proximity?DNE!：Qonfiguration卜iNHR1NHR2NHR3Proximity'Parameters-卜StaticProximity'D&l&teStaticFrojdmityTableCreateNHR1:NHR3:FromAddress:ToAddress:NHR2:54WWW2CTO.COMNHR1:NHR3:FromAddress:ToAddress:NHR2:54WWW2CTO.COM7、特殊應(yīng)用會(huì)話老化時(shí)間配置比如有一些特殊應(yīng)用端口，比如游戲端口，QQ,MSN等特殊應(yīng)用，它們的會(huì)話表老化時(shí)間會(huì)比一般應(yīng)用的要長(zhǎng)許多，如果把這類應(yīng)用的會(huì)話表按常規(guī)處理，可能會(huì)帶來(lái)訪問(wèn)的問(wèn)題。比如某個(gè)游戲一開(kāi)始使用電信IP訪問(wèn)，會(huì)話表老化后，由于負(fù)載均衡的策略，這個(gè)會(huì)話轉(zhuǎn)而使用聯(lián)通的IP去訪問(wèn)，遠(yuǎn)端服務(wù)器有可能對(duì)用戶的IP進(jìn)行驗(yàn)證，從而造成訪問(wèn)的問(wèn)題。這時(shí)候我們需要將這類應(yīng)用的會(huì)話表老化時(shí)間調(diào)長(zhǎng)。如果直接將所有會(huì)話表的時(shí)間都調(diào)長(zhǎng)，則會(huì)造成會(huì)話表過(guò)大，影響性能和負(fù)載均衡的效果。相反，對(duì)于DNS類的應(yīng)用，我們可以將其調(diào)整得短一些。LinkProof〉GlobalConfiguration>AgingByApplicationPortFileDeviceBudgeFileDeviceBudgeRouterUnkPnaofHealthMonitoringR-enortinaGloball-omigurstionJGe?n?r$ilFarms卜ClientTable?GensrslS-eivers卜DelayedBiirrdA^ingByA.p[jl-ic3iiQ：iPonCnntpntLBParstrrifit?Tweaks^.00口FluwM^nagem^rntRulesTableClients紅嚶AL邂VirtuitFIPPonLBSutusWWW2CTO.COM命令行配置如下:LP-Master#lpglobalclient-tableapplication-aging-timecreate<應(yīng)用端口號(hào)〉-at〈時(shí)長(zhǎng)〉lpglobalclient-tableapplication-aging-timecreate4000-at1800lpglobalclient-tableapplication-aging-timecreate8000-at1800lpglobalclient-tableapplication-aging-timecreate443-at(600lpglobalclient-tableapplication-aging-timecreate5555-at600lpglobalclient-tableapplication-aging-timecreate7005-at600lpglobalclient-tableapplication-aging-timecreate7206-at600lpglobalclient-tableapplication-aging-timecreate7207-at600