The client's private IP is 192.168.10.6/24, with its gateway pointing at the residential community's exit router, which is configured with SNAT. OSPF is simulated across the whole backbone so that every router learns the full routing table; the private address ranges are not advertised into the backbone, so the community's private network and the enterprise intranet cannot reach each other directly. The enterprise exit router is also configured with SNAT so that intranet users can access the public network.
The web servers and the LVS director inside the enterprise network are virtual machines created on local VMware, bridged into the topology through eNSP's cloud device.
```
# Community exit router
acl number 2000
 rule 5 permit source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet0/0/1
 ip address 100.1.1.1 255.255.255.252
 nat outbound 2000
#
ospf 10
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
```

```
# ISP router
interface GigabitEthernet0/0/0
 ip address 100.1.1.2 255.255.255.252
#
interface GigabitEthernet0/0/1
 ip address 200.1.1.1 255.255.255.252
#
ospf 10
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 200.1.1.0 0.0.0.255
```
The enterprise exit router carries both the SNAT configuration (so that intranet users can access the public network) and the DNAT configuration (so that the internal service can be reached from outside); the DNAT target is the VIP of the LVS director.

```
# Enterprise exit router
acl number 2000
 rule 5 permit source 10.0.1.0 0.0.0.255
#
ospf 10
 area 0.0.0.0
  network 200.1.1.0 0.0.0.255
#
interface GigabitEthernet0/0/0
 ip address 10.0.0.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 200.1.1.2 255.255.255.252
 nat static protocol tcp global current-interface www inside 10.0.0.100 www netmask 255.255.255.255
 nat outbound 2000
```
web1 host: suppress ARP replies and ARP announcements for the VIP on the lo interface, and point the default gateway at the exit router.

```
[root@maple-c8-n2 ~]# ifconfig lo:1 10.0.0.100/32
[root@maple-c8-n2 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@maple-c8-n2 ~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[root@maple-c8-n2 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@maple-c8-n2 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[root@maple-c8-n2 ~]# sysctl -a | grep arp_announce
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.lo.arp_announce = 2
[root@maple-c8-n2 ~]# sysctl -a | grep arp_ignore
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.lo.arp_ignore = 1
[root@maple-c8-n2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.0.0.18
PREFIX=24
GATEWAY=10.0.0.254
[root@maple-c8-n2 ~]# nmcli conn reload
[root@maple-c8-n2 ~]# nmcli conn up eth0
```
web2 host:

```
[root@maple-c8-n3 ~]# ifconfig lo:1 10.0.0.100/32
[root@maple-c8-n3 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@maple-c8-n3 ~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[root@maple-c8-n3 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@maple-c8-n3 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[root@maple-c8-n3 ~]# sysctl -a | grep arp_ignore
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.lo.arp_ignore = 1
[root@maple-c8-n3 ~]# sysctl -a | grep arp_announce
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.lo.arp_announce = 2
[root@maple-c8-n3 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.0.0.28
PREFIX=24
GATEWAY=10.0.0.254
[root@maple-c8-n3 ~]# nmcli conn reload
[root@maple-c8-n3 ~]# nmcli conn up eth0
```
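The four ARP sysctls above are what stop a real server from answering ARP for the VIP; if one of them is missed on one RS, the exit router may learn that RS's MAC for the VIP and traffic bypasses the director until the ARP cache ages out. The `echo > /proc/sys` writes are also lost at reboot. The script below is an added example, not part of the original post: it prints a persistent sysctl fragment for a DR real server and checks `sysctl` and `ip addr` style output (constructed sample data, with the post's VIP 10.0.0.100) for the expected values; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): prepare and verify a real server
# for LVS direct routing. VIP and the sample outputs below are constructed.

VIP="10.0.0.100"

# Print the sysctl settings a DR real server needs, in /etc/sysctl.d format,
# so they survive a reboot (the echo > /proc/sys writes in the post do not).
rs_sysctl_conf() {
    printf '%s\n' \
        'net.ipv4.conf.all.arp_ignore = 1' \
        'net.ipv4.conf.all.arp_announce = 2' \
        'net.ipv4.conf.lo.arp_ignore = 1' \
        'net.ipv4.conf.lo.arp_announce = 2'
}

# Read "key = value" lines (e.g. `sysctl -a | grep arp_`) on stdin and return 0
# only if all four required settings carry the expected value. A missing or
# mis-set key is reported on stderr and makes the check fail.
check_rs_arp() {
    status=0
    found=""
    while IFS= read -r line; do
        key=${line%%=*}; key=$(printf '%s' "$key" | tr -d ' ')
        val=${line#*=};  val=$(printf '%s' "$val" | tr -d ' ')
        case "$key" in
            net.ipv4.conf.all.arp_ignore|net.ipv4.conf.lo.arp_ignore)
                found="$found $key"
                [ "$val" = "1" ] || { echo "BAD: $key=$val (want 1)" >&2; status=1; } ;;
            net.ipv4.conf.all.arp_announce|net.ipv4.conf.lo.arp_announce)
                found="$found $key"
                [ "$val" = "2" ] || { echo "BAD: $key=$val (want 2)" >&2; status=1; } ;;
        esac
    done
    for k in net.ipv4.conf.all.arp_ignore net.ipv4.conf.all.arp_announce \
             net.ipv4.conf.lo.arp_ignore net.ipv4.conf.lo.arp_announce; do
        case " $found " in
            *" $k "*) ;;
            *) echo "MISSING: $k" >&2; status=1 ;;
        esac
    done
    return $status
}

# Read `ip -4 addr show lo` style text on stdin and return 0 if the VIP given
# as $1 is bound as a /32 host address (a wider prefix on lo is a mistake).
check_rs_vip() {
    grep -qF "inet $1/32"
}

# Constructed sample: what a correctly prepared RS prints for the ARP sysctls.
SAMPLE_GOOD='net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.lo.arp_announce = 2'

# Constructed sample: an `ip addr show lo` line with the VIP bound correctly.
SAMPLE_LO='    inet 10.0.0.100/32 scope global lo:1'

echo "--- persistent sysctl fragment for a DR real server ---"
rs_sysctl_conf
if printf '%s\n' "$SAMPLE_GOOD" | check_rs_arp; then
    echo "ARP settings OK"
fi
if printf '%s\n' "$SAMPLE_LO" | check_rs_vip "$VIP"; then
    echo "VIP $VIP bound on lo as /32"
fi
```

On a live host, feed the checks with `sysctl -a | grep arp_ | check_rs_arp` and `ip -4 addr show lo | check_rs_vip 10.0.0.100`; write the fragment with `rs_sysctl_conf > /etc/sysctl.d/90-lvs-rs.conf && sysctl --system`. If `ifconfig` is not installed (net-tools is optional on CentOS 8), `ip addr add 10.0.0.100/32 dev lo label lo:1` binds the VIP in the same way.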
LVS director host:

```
[root@maple-c8-n1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.0.0.8
GATEWAY=10.0.0.254
PREFIX=24
[root@maple-c8-n1 ~]# ifconfig lo:1 10.0.0.100/32
# reload the NIC configuration so it takes effect
nmcli conn reload
nmcli conn up eth0
nmcli conn up eth1
# enable IP forwarding
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
# LVS configuration
ipvsadm -A -t 10.0.0.100:80 -s rr                 # create the cluster (virtual service)
ipvsadm -a -t 10.0.0.100:80 -r 10.0.0.28:80 -g    # add the web nodes to the cluster
ipvsadm -a -t 10.0.0.100:80 -r 10.0.0.18:80 -g
ipvsadm -S > /etc/sysconfig/ipvsadm               # save the rules to a file
systemctl enable --now ipvsadm
```
Above, the VIP and the real IPs are in the same subnet, e.g. VIP 10.0.0.100 and real IP 10.0.0.8.
They can also be placed in different subnets, e.g. VIP 172.16.0.100 and real IP 10.0.0.8.
The changes are as follows:
web1 and web2 hosts:

```
ifconfig lo:1 172.16.0.100/32
```
LVS host:

```
ifconfig lo:1 172.16.0.100/32
ipvsadm -C
ipvsadm -A -t 172.16.0.100:80 -s rr
ipvsadm -a -t 172.16.0.100:80 -r 10.0.0.18:80 -g
ipvsadm -a -t 172.16.0.100:80 -r 10.0.0.28:80 -g
```
Enterprise exit router (the inside interface gets a secondary address in the VIP's subnet so the DNAT target is reachable on the LAN):

```
interface GigabitEthernet0/0/0
 ip address 10.0.0.254 255.255.255.0
 ip address 172.16.0.254 255.255.255.0 sub
#
interface GigabitEthernet0/0/1
 ip address 200.1.1.2 255.255.255.252
 nat static protocol tcp global current-interface www inside 172.16.0.100 www netmask 255.255.255.255
 nat outbound 2000
```

Client tests pass normally…
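The director rule set is the same in both variants (same-subnet VIP 10.0.0.100 and separate-subnet VIP 172.16.0.100); only the VIP changes, and every real server must be added with `-g`. The script below is an added example, not the post's own configuration: `gen_ipvs_rules` builds the `ipvsadm` command list for a VIP, port, scheduler and RS list so it can be reviewed before it is applied, and `check_ipvs_dr` reads an `ipvsadm -Ln` listing and fails if the service is missing, has no real servers, or has a real server in Masq or Tunnel mode instead of Route, a mistake that leaves the RS replying with its own address rather than the VIP. Addresses reuse the post's lab values; the listings are constructed sample data and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): generate the LVS-DR rule set for a
# VIP and check an `ipvsadm -Ln` listing for direct-routing misconfigurations.
# The listings below are constructed; addresses reuse the post's lab values.

# gen_ipvs_rules VIP PORT SCHEDULER RS1 [RS2 ...]
# Emits the commands as text so they can be reviewed (or piped to sh) before
# being applied on the director. Every RS is added with -g (direct routing).
gen_ipvs_rules() {
    vip=$1; port=$2; sched=$3; shift 3
    echo "ipvsadm -C"
    echo "ipvsadm -A -t $vip:$port -s $sched"
    for rs in "$@"; do
        echo "ipvsadm -a -t $vip:$port -r $rs:$port -g"
    done
    echo "ipvsadm -S > /etc/sysconfig/ipvsadm"
}

# check_ipvs_dr VIP:PORT  < output-of-ipvsadm-Ln
# Returns 0 only if the service exists, has at least one real server, and every
# real server forwards as "Route" (the -g mode this lab depends on).
check_ipvs_dr() {
    want=$1; in_svc=0; rs_count=0; bad=0; seen=0
    while IFS= read -r line; do
        set -- $line          # split the listing row into whitespace-separated fields
        case "$1" in
            TCP|UDP|SCTP)
                if [ "$2" = "$want" ]; then in_svc=1; seen=1; else in_svc=0; fi ;;
            '->')
                [ "$in_svc" -eq 1 ] || continue
                rs_count=$((rs_count + 1))
                if [ "$3" != "Route" ]; then
                    echo "BAD: $2 forwards as $3, expected Route (-g)" >&2; bad=1
                fi ;;
        esac
    done
    [ "$seen" -eq 1 ]     || { echo "MISSING: service $want" >&2; return 1; }
    [ "$rs_count" -gt 0 ] || { echo "EMPTY: $want has no real servers" >&2; return 1; }
    return $bad
}

# Constructed sample: a healthy listing for the post's same-subnet setup.
SAMPLE_LIST='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.0.0.100:80 rr
  -> 10.0.0.18:80                 Route   1      0          0
  -> 10.0.0.28:80                 Route   1      0          0'

# Constructed sample: one RS was added with -m (NAT) instead of -g.
SAMPLE_BAD='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.0.0.100:80 rr
  -> 10.0.0.18:80                 Route   1      0          0
  -> 10.0.0.28:80                 Masq    1      0          0'

echo "--- rules for the VIP-in-another-subnet variant ---"
gen_ipvs_rules 172.16.0.100 80 rr 10.0.0.18 10.0.0.28
if printf '%s\n' "$SAMPLE_LIST" | check_ipvs_dr 10.0.0.100:80; then
    echo "direct-routing check passed for 10.0.0.100:80"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | check_ipvs_dr 10.0.0.100:80; then
    echo "misconfiguration detected in the second listing, as expected"
fi
```

On the director, `ipvsadm -Ln | check_ipvs_dr 10.0.0.100:80` gives a one-line pass/fail that can be run from a cron job or a monitoring check after every rule change; `gen_ipvs_rules ... | sh` applies a reviewed rule set.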
- The director and every RS are configured with the VIP.
- Make sure the front-end router forwards request packets whose destination IP is the VIP to the director.
- Port mapping is not supported (the port cannot be changed).
- There is no need to enable ip_forward.
- The RS gateway points at the exit router. Requests pass through the director, but responses do not: they go straight to the exit router, because every RS has the VIP configured.
- The RS and the director must be on the same physical network.