The PC on the left is an intranet host. The egress firewall has three physical interfaces facing the Internet, each configured with its own public IP address.
On the firewall's public interface GigabitEthernet1/0/1, a NAT server mapping is configured (for ICMP in this lab): public IP 1.1.1.10 is mapped to the private IP of PC1, 192.168.0.2.
<H3C>dis current-configuration
#
version 7.1.064, Alpha 7164
#
sysname H3C
#
nqa template icmp icmp_test
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 1.1.1.1 255.255.255.0
nat server protocol icmp global 1.1.1.10 inside 192.168.0.2 rule ServerRule_1 counting
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 2.2.2.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 3.3.3.1 255.255.255.0
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
ip address 192.168.15.1 255.255.255.0
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
import interface GigabitEthernet1/0/3
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
import interface GigabitEthernet1/0/23
#
ip route-static 192.168.1.0 24 GigabitEthernet1/0/1 1.1.1.2
#
acl advanced 3101
rule 1 permit ip source 192.168.0.2 0
#
loadbalance link-group out-2
predictor random
fail-action reschedule
transparent enable
success-criteria at-least 1
link 1..1.1.1
success-criteria at-least 1
probe icmp_test
link 2.2.2.1
success-criteria at-least 1
probe icmp_test
link 3.3.3.1
success-criteria at-least 1
probe icmp_test
#
loadbalance class "nat serverl test" type link-generic match-any
match 1 source ip address 192.168.0.2
#
loadbalance action ##defaultactionforllbipv4##%%autocreatedbyweb%% type link-generic
link-group out-2
#
loadbalance action "ob$action$#for#nat serverl test" type link-generic
forward all
#
loadbalance policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%% type link-generic
class "nat serverl test" action "ob$action$#for#nat serverl test"
default-class action ##defaultactionforllbipv4##%%autocreatedbyweb%%
#
virtual-server ##defaultvsforllbipv4##%%autocreatedbyweb%% type link-ip
virtual ip address 0.0.0.0 0
lb-policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%%
bandwidth interface statistics enable
service enable
#
loadbalance link 1..1.1.1
router ip 1.1.1.2
#
loadbalance link 1.1.1.1
router ip 1.1.1.2
#
loadbalance link 2.2.2.1
router ip 2.2.2.2
#
loadbalance link 3.3.3.1
router ip 3.3.3.2
#
security-policy ip
rule 0 name anypass
action pass
#
Because the outbound link load balancing is configured with a virtual IP of 0.0.0.0/0, every flow matches it and is sent through the load-balancing decision. In this state, pings from the Internet to the firewall's public interface addresses succeed only intermittently, and so does access from the Internet to the NAT server address 1.1.1.10. Yet `display session table` shows that packets in both directions are actually present. The cause is that the return packets are load-balanced onto a different link: the request arrives on one public interface, the reply is sent out another, and since the forward and return paths use different ports the reply is forwarded to the wrong next hop and the service fails.
There are three ways to fix this.
Option 1:
Bind the following command under every external interface so that a session's return traffic is sent back through the interface and next hop the request arrived on:
ip last-hop hold
Option 2:
Use policy-based routing to force the traffic of the intranet NAT server out of the physical interface that holds the NAT server mapping.
For example, for the destination-NAT access above, the return packets can be steered with the following configuration:
Option 3:
Configure a load-balancing class that matches the return traffic so that it bypasses link load balancing, while making sure that a route exists to send it out. The configuration above uses this approach: class "nat serverl test" matches source IP 192.168.0.2, its action is `forward all` (normal routing instead of the link group), and the static route to 192.168.1.0/24 via 1.1.1.2 on GigabitEthernet1/0/1 carries the replies out of the NAT server's interface.