![Image [1] - 3.12 Firewall - Server Load Balancing - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片70-1.png)
1. FW1 zone configuration
firewall zone trust
add interface GigabitEthernet1/0/2
firewall zone untrust
add interface GigabitEthernet1/0/0
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
2. Configure the default static route on FW1
ip route-static 0.0.0.0 0.0.0.0 12.1.1.1
3. Configure the security policy on FW1
security-policy
rule name t_2_dmz
source-zone trust
destination-zone dmz
source-address 192.168.2.0 24
destination-address 192.168.1.0 24
action permit
4. Firewall server load balancing LAB: internal network access configuration
1) Enable server load balancing
slb enable
2) Configure the server group
slb
group 1 grp1
metric weight-roundrobin
rserver 0 rip 192.168.1.1 weight 1
rserver 1 rip 192.168.1.2 weight 1
rserver 2 rip 192.168.1.3 weight 1
action optimize
3) Virtual server (cluster IP)
slb
vserver 1 vs1
vip 1 192.168.1.100
protocol tcp
vport 80
group grp1
4) View the server-map table
display firewall server-map
Type: SLB, ANY -> 192.168.1.100:80[vs1/1], Zone:---, protocol:tcp
Vpn: public -> public
5) View the SLB vserver
display slb vserver
Virtual Server Name : vs1
Virtual Server ID : 1
Virtual Server IP : 192.168.1.100
Protocol : tcp
Virtual Server Port : 80
Http X-forward Enable : Disable
Virtual Server Max-conn : --
Group Name : grp1
Group ID : 1
6) View group grp1
display slb group grp1
Group Name : grp1
Group ID : 1
Metric : weight-roundrobin
Source-nat Type : NA
Real Server Number : 3
RserverID IP Address Weight Max-connection Status
0 192.168.1.1 1 - Admin-Active
1 192.168.1.2 1 - Admin-Active
2 192.168.1.3 1 - Admin-Active
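7) Packet capture of client 1 accessing the server
![Image [2] - 3.12 Firewall - Server Load Balancing - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片71-1-1024x403.png)
5. Firewall server load balancing LAB: external network access configuration
1) Configure the security policy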
security-policy
rule name un_2_dmz
source-zone untrust
destination-zone dmz
destination-address 12.1.1.100 mask 255.255.255.255
action permit
# destination-address must be the virtual server address or the network segment it belongs to
2) Configure the group and cluster on FW1
slb
group 1 grp1
metric weight-roundrobin
rserver 0 rip 192.168.1.1 port 80 weight 1
rserver 1 rip 192.168.1.2 port 80 weight 1
rserver 2 rip 192.168.1.3 port 80 weight 1
action optimize
vserver 1 vs1
vip 1 192.168.1.100
protocol tcp
vport 80
group grp1
vserver 2 vs2
vip 1 12.1.1.100
protocol tcp
vport 8080
group grp1
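3) Packet capture of client 2 accessing the server
![Image [3] - 3.12 Firewall - Server Load Balancing - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片72-1-1024x388.png)
6. Firewall server load balancing LAB: health check
# Without a health check, the firewall's load balancing service will send traffic to servers that are not healthy.
1) Configure the health check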
slb
group 1 grp1
metric weight-roundrobin
health-check type icmp tx-interval 3
rserver 0 rip 192.168.1.1 port 80 weight 1
rserver 1 rip 192.168.1.2 port 80 weight 1
rserver 2 rip 192.168.1.3 port 80 weight 1
action optimize
vserver 1 vs1
vip 1 192.168.1.100
protocol tcp
vport 80
group grp1
vserver 2 vs2
vip 1 12.1.1.100
protocol tcp
vport 8080
group grp1
2) Shut down port GigabitEthernet 0/0/2 on SW1
stp edged-port default
interface GigabitEthernet 0/0/2
shutdown
3) View group grp1 on the firewall
dis slb group grp1
RserverID IP Address Weight Max-connection Status
0 192.168.1.1 1 - Active
1 192.168.1.2 1 - Inactive
2 192.168.1.3 1 - Active
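The following Python example is added here and is not part of the original lab or of the firewall's own implementation. It parses the `dis slb group grp1` output shown above and models weight-roundrobin in a simplified form, to show how many of 9 connections reach the failed server 192.168.1.2 with and without the health check. The function names and the scheduling model are assumptions.

```python
import re
from collections import Counter
from itertools import cycle

# Output of "dis slb group grp1" as shown on the page after the SW1 port was shut down.
GROUP_OUTPUT = """\
RserverID IP Address Weight Max-connection Status
0 192.168.1.1 1 - Active
1 192.168.1.2 1 - Inactive
2 192.168.1.3 1 - Active
"""

# One real-server row: id, IPv4 address, weight, max-connection, status.
ROW = re.compile(r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_rservers(text):
    """Return one dict per real-server row of the display output."""
    servers = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # the header line does not match and is skipped
            servers.append({"id": int(m[1]), "ip": m[2],
                            "weight": int(m[3]), "status": m[5]})
    return servers


def distribute(servers, connections, health_check):
    """Simplified weighted round-robin (assumed model, not the vendor algorithm).

    Each server appears `weight` times per cycle. With health_check=False every
    configured server is eligible, because no probe result is consulted; with
    health_check=True only servers whose status is Active receive connections.
    """
    eligible = [s for s in servers
                if not health_check or s["status"] == "Active"]
    if not eligible:
        raise RuntimeError("no eligible real server in the group")
    schedule = [s["ip"] for s in eligible for _ in range(s["weight"])]
    picks = cycle(schedule)
    return Counter(next(picks) for _ in range(connections))


if __name__ == "__main__":
    servers = parse_rservers(GROUP_OUTPUT)
    for hc in (False, True):
        print("health check", hc, dict(distribute(servers, 9, hc)))
```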