3.12 防火墙-服务负载均衡-大赛人网

1.FW1区域配置

firewall zone trust
 add interface GigabitEthernet1/0/2

firewall zone untrust
 add interface GigabitEthernet1/0/0

firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1

2.FW1配置默认静态路由

ip route-static 0.0.0.0 0.0.0.0 12.1.1.1

3.FW1配置安全策略

security-policy
 rule name t_2_dmz
  source-zone trust
  destination-zone dmz
  source-address 192.168.2.0 24
  destination-address 192.168.1.0 24
  action permit

4.防火墙-服务器-负载均衡-LAB -内网访问配置

1）开启服务器负载均衡
slb enable

2）配置服务器组
 slb
  group 1 grp1
   metric weight-roundrobin
   rserver 0 rip 192.168.1.1 weight 1
   rserver 1 rip 192.168.1.2 weight 1
   rserver 2 rip 192.168.1.3 weight 1
   action optimize

3）虚拟服务器-集群IP
 slb
 vserver 1 vs1
   vip 1 192.168.1.100
   protocol tcp
   vport 80
   group grp1

4）查看server-map表
display firewall server-map
Type: SLB,  ANY -> 192.168.1.100:80[vs1/1],  Zone:---,  protocol:tcp
 Vpn: public -> public 

5）查看slb vserver
display slb vserver
 Virtual Server Name      : vs1
  Virtual Server ID        : 1
  Virtual Server IP        : 192.168.1.100  
  Protocol                 : tcp
  Virtual Server Port      : 80
  Http X-forward Enable    : Disable
  Virtual Server Max-conn  : --
  Group Name               : grp1
  Group ID                 : 1

6）查看group  grp1
display slb  group  grp1
 Group Name               : grp1
  Group ID                 : 1
  Metric                   : weight-roundrobin
  Source-nat Type          : NA
  Real Server Number       : 3  
    RserverID  IP Address       Weight  Max-connection  Status            
    0          192.168.1.1      1       -               Admin-Active      
    1          192.168.1.2      1       -               Admin-Active      
    2          192.168.1.3      1       -               Admin-Active   
7）客户机1访问服务器抓包

5.防火墙-服务器-负载均衡-LAB -外网访问配置

1）配置安全策略
security-policy
  rule name un_2_dmz
  source-zone untrust
  destination-zone dmz
  destination-address 12.1.1.100 mask 255.255.255.255
  action permit
#destination-address 必须是虚拟服务器地址/所在网段

2）FW1配置组及集群
slb
  group 1 grp1
   metric weight-roundrobin
  metric weight-roundrobin
 rserver 0  rip 192.168.1.1 port 80 weight 1
 rserver 1  rip 192.168.1.2 port 80 weight 1
 rserver 2  rip 192.168.1.3 port 80 weight 1
   action optimize
  vserver 1 vs1
   vip 1 192.168.1.100
   protocol tcp
   vport 80
   group grp1
  vserver 2 vs2
   vip 1 12.1.1.100
   protocol tcp
   vport 8080
   group grp1

3）客户机2访问服务器抓包

6.防火墙-服务器-负载均衡-LAB -健康状态检查

#如果不设置健康状态检查，会导致防火墙负载均衡服务把流量发送到非健康状态的服务器。
1）配置健康检查
 slb
  group 1 grp1
   metric weight-roundrobin
   health-check type icmp tx-interval 3
   rserver 0 rip 192.168.1.1 port 80 weight 1
   rserver 1 rip 192.168.1.2 port 80 weight 1
   rserver 2 rip 192.168.1.3 port 80 weight 1
   action optimize
  vserver 1 vs1
   vip 1 192.168.1.100
   protocol tcp
   vport 80
   group grp1
  vserver 2 vs2
   vip 1 12.1.1.100
   protocol tcp
   vport 8080
   group grp1
2）关闭SW1GigabitEthernet 0/0/2端口
stp edged-port default
interface GigabitEthernet 0/0/2
shutdown 

3）防火墙查看group  grp1
dis slb group  grp1
RserverID  IP Address       Weight  Max-connection  Status            
    0          192.168.1.1      1       -               Active            
    1          192.168.1.2      1       -               Inactive          
    2          192.168.1.3      1       -               Active

文章版权归作者所有，未经允许请勿转载。

THE END

网络安全