RADWARE之鏈路負(fù)載均衡配置解析

RADWAR之鏈路負(fù)載均衡配置解析網(wǎng)絡(luò)描述：網(wǎng)絡(luò)出口共有3條公網(wǎng)線路接入，一臺(tái)RADWAF直接連接三個(gè)出口ISP做鏈路負(fù)載均衡，來實(shí)現(xiàn)對(duì)內(nèi)部服務(wù)器訪問和內(nèi)部對(duì)外訪問流量的多鏈路負(fù)載均衡。1、RADWARELINKPROOF備部署在防火墻外面，直接連接出口 ISP2、防火墻全部修改為私有IP地址，用RADWARELINKPROO負(fù)責(zé)將私有IP地址轉(zhuǎn)換成公網(wǎng)IP地址；3、 防火墻的DMZ區(qū)跑路由模式，保證DMZ區(qū)服務(wù)器的正常訪問；4、RADWARELINKPROO利用SmartNAT技術(shù)，分別在每鏈路上配置NAT地址，保證內(nèi)部服務(wù)器的聯(lián)網(wǎng)。網(wǎng)絡(luò)拓?fù)?

網(wǎng)絡(luò)拓?fù)?實(shí)施過程（關(guān)鍵步驟）1、配置公網(wǎng)接口地址G-1:G-1:63/40G-2:2/28G-3:2/40G-4:/IPAddg琴00.00HNumberG-1 -THetwafkMaskGOODFwdBroadcastEnable*BrcadcasiAddrONEFILL▼VLANTag■:QOneIp{RouterInterfaceOnly)電-PeerA4dfes^lxit遍Set■CancelWWW2CT0COM聯(lián)通鐵通電信內(nèi)聯(lián)接口地址，連接防火墻2、配置默認(rèn)路由現(xiàn)網(wǎng)共有3條ISP鏈路，要將每條鏈路的網(wǎng)關(guān)進(jìn)行添加，具體如下：命令行配置LP-Master#Lprouteadd61Lprouteadd1Lprouteadd13、 配置內(nèi)網(wǎng)回指路由netroutetablecreate-i14netroutetablecreate-i14netroutetablecreate-i14netroutetablecreate-i14netroutetablecreate-i144、 配置地址轉(zhuǎn)換地址轉(zhuǎn)換主要包括內(nèi)部用戶的聯(lián)網(wǎng)和服務(wù)器被訪問兩部分，這兩部分在負(fù)載均衡上面分別采用DynamicNAT和StaticPAT這兩種NAT來實(shí)現(xiàn)，把內(nèi)部的IP地址和服務(wù)器的IP地址分別對(duì)應(yīng)每條ISP都轉(zhuǎn)換成相應(yīng)的公網(wǎng)IP地址。

DynamicNAT是多對(duì)一的映射，并且改變用戶的源端口，而且是單向的，只能出,不能進(jìn)。LinkProof>SmartNAT>DynamicNATTable>CreateFdeDeviceBndg?RovtflfLtnkProofHeahhMantaringRfpCflingFdeDeviceBndg?RovtflfLtnkProofHeahhMantaringRfpCflingSecutrtyBWMClasse5PerformafitsServic&sFarms?Sewrs5憎MIBPer■呻州FlowM?ChantsfVirtualIPMappedIPT融kSmartNAT卜proximilyDNSCcnfi^urslion?LoiJBalancingAlgodknsGlobalConeuralionNoMA7TableSiatitIIATTqIdIeBasicHATTab怙OydBm-LMATTableServersDynamkNATTableCreateRoutersServerFirewaHServersFromLoc^lIP0DynamkNATTableCreateRoutersServerFirewaHServersFromLoc^lIP0000S?(verIP 21828閱161 -ToLocsEIP€000DynamicIJATIP0000RedundancyMode *SetRedundancyMode *Set■Cance!ux収見WWW.2CTQ.COMFromlocalIP :被轉(zhuǎn)換地址的起始地址;TolocalIP :被轉(zhuǎn)換地址的結(jié)束地址；ServerIP:對(duì)應(yīng)的ISP的網(wǎng)關(guān)；DynamicNATIP:轉(zhuǎn)換后的公網(wǎng)地址。命令行配置LP-Master#Ipsmartnatdynamic-natcreate5512lpsmartnatdynamic-natcreate5512

Ipsmartnatdynamic-natcreate556162StaticPAT是從外到內(nèi)的一對(duì)多的映射，用來將同一公網(wǎng) IP的不同端口映射到不同的內(nèi)網(wǎng)服務(wù)器，而且是單向的，只能進(jìn)，不能出。LinkProof>SmartNAT>StaticPATTable>CreateSUticPATTableCreateRutEleibSeivefsFItfewdlISeivetsInternalIP 0000Pratocoil InternalIP 0000Pratocoil IRl^FI■FxtemplIP €000StaticPAT R?guhrSewerIP2102063161 ▼matPort0StaticPATNamogb岌it嗯CWWW.2CTO.COMtnternalPort 0命令行配置LP-Master#lpsmartnatstatic-patcreate3110tcp30110-pn110maillpsmartnatstatic-patcreate088tcp616888-pn88xinlpsmartnatstatic-patcreate380tcp617080-pn80gonglpsmartnatstatic-patcreate321tcp617021-pn21ftplpsmartnatstatic-patcreate480tcp1080-pn80ser5、就近性(Proixmity)配置就近性(Proiximity)，可以為用戶帶來更好的網(wǎng)絡(luò)訪問服務(wù)。內(nèi)網(wǎng)用戶訪問Internet，radwarelinkproof 可以檢測(cè)到目的地最快的鏈路；外網(wǎng)用戶訪問內(nèi)網(wǎng)服務(wù)器，radwarelinkproof 可以解析最佳鏈路上的公網(wǎng) IP給用戶。全局配置

首先我們需要全局開啟 Proximity，默認(rèn)是NoProximity。如果只使用靜態(tài)態(tài)表,則選擇StaticProximity;如果只使用出向流量，則選擇 FullProximityOutbound;只使用入向，則選擇FullProximityInbound ;如果同時(shí)使用雙向，動(dòng)態(tài)和靜態(tài)同時(shí)使用，則選擇 FullProximityBoth ，一般情況都選擇這個(gè)。LinkProof>Proximity>ProximityParameter>GeneralFiteSridgiiRQUtEFMcnfonngRtpaitinQSecu'rtjBWhlClassedGMhICw<gurii：jnFarmsStnffrsFiteSridgiiRQUtEFMcnfonngRtpaitinQSecu'rtjBWhlClassedGMhICw<gurii：jnFarmsStnffrsFlffw 航mg玳CllMlft-G?n?ralFulProxtfnrt^Both)000EnuriNAT!> P?FMn?Un?l?enaralDNSCCitrfgur^iOftI w沁,l;p甌pfoxnitly?55255246CProximityParameters-GeneralProximityMade.FullProximityBothProximityAgingPeriod(min)'1440IUserouterrnodedecisionsinsideuroxinirty:enablevMainDfJS000.00.00.0BackupDNS:2552552480ProximitySubnetr,u1ask:Set▽W(xué)?/VW2CTO.COMProximityMode:FullProximityBothProximityAgingPeriod(min):1440 //2天。ProximitySubnetMask://這里配置為1天，默認(rèn)為2880分鐘,就近表?xiàng)l目網(wǎng)絡(luò)地址的最小單位6、靜態(tài)就近表配置有時(shí)候，在鏈路穩(wěn)定的情況下，我們更多地希望使用靜態(tài)的就近表，即訪問電信的IP只從電信的鏈路出去訪問；訪問聯(lián)通的網(wǎng)站只從聯(lián)通鏈路出去。這時(shí)，我們可以設(shè)置靜態(tài)就近表。如果靜態(tài)就近表的內(nèi)容查到，則按靜態(tài)表的規(guī)則去訪問。如果

沒查到，如果配置的是 FullProximity,radwarelinkproof 則發(fā)起動(dòng)態(tài)就近性檢查；如果配置的是StaticProximity ，貝Uradwarelinkproof 就做負(fù)載均衡，沒有就近性。GfobalConfiguration?Farms?Servers?ContentLBParameters?FlawManagement?ClienisVirtualIP卜MappedIPTableSmartMATkPraxlmity?DNSConfiguration>「卡半■ 7和ProximityParameters?StaticProximilyLinkProof>「卡半■ 7和ProximityParameters?StaticProximilyFileDeviceBridgeRouterLinkProofHealthMonitoringRepottingSecurityBWMClassesPerformanceWWW2CT0C0MStaticProximityTableCreateWWW2CT0C0MFromAddress.NHR1-NHR3:7、特殊應(yīng)用會(huì)話老化時(shí)間配置比如有一些特殊應(yīng)用端口，比如游戲端口， QQMSN等特殊應(yīng)用，它們的會(huì)話表老化時(shí)間會(huì)比一般應(yīng)用的要長(zhǎng)許多，如果把這類應(yīng)用的會(huì)話表按常規(guī)處理，可能會(huì)帶來訪問的問題。比如某個(gè)游戲一開始使用電信 IP訪問，會(huì)話表老化后，由于負(fù)載均衡的策略，這個(gè)會(huì)話轉(zhuǎn)而使用聯(lián)通的 IP去訪問，遠(yuǎn)端服務(wù)器有可能對(duì)用戶的 IP進(jìn)行驗(yàn)證，從而造成訪問的問題。這時(shí)候我們需要將這類應(yīng)用的會(huì)話表老化時(shí)間調(diào)長(zhǎng)。如果直接將所有會(huì)話表的時(shí)間都調(diào)長(zhǎng)，則會(huì)造成會(huì)話表過大，影響性能和負(fù)載均衡的效果。相反，對(duì)于DNS類的應(yīng)用，我們可以將其調(diào)整得短一些。LinkProof>GlobalConfiguration>AgingByApplicationPortF険DevicetJudgeRouterLintF険DevicetJudgeRouterLint：ProofMor-itDringRvMtirtinuGlobalContigurationkGeineTailFarm*bGhentTable*Servers?CoEorrtL日P^ramofarekFlcrw srn-erilkTableCliRnls卜AliasPorinVirtualIP卜PoriLBSlamsGen?r$!AyinuByApuhc^liunPurlWWW.2CTO.COM命令行配置如下:應(yīng)用端LP-Master#lpglobalclient-tableapplication-aging-timecreate<應(yīng)用端口號(hào)＞-at＜時(shí)長(zhǎng)＞lpglobalclient-tableapplication-aging-timecreate4000-at1800lpglobalclient-tableapplication-aging-timecreate8000-at1800lpglobalclient-tableapplication-aging-timecreate443-at600lpglobalclient-tableapplication-aging-timecreate5555-at600lpglobalclient-tableapplication-aging-timecreate7005-at600lpglobalclient-tableapplication-aging-timecreate7206-at600lpglobalclient-tableapplication-aging-timecreate7207-at600lpglobalclient-table