Firewall Load Balancing Configuration Example with a Single CSM

October 24, 2016 - Machine translation (English original dated August 22, 2015)




Introduction

This document provides a configuration example for Firewall Load Balancing (FWLB) that uses only one Content Switching Module (CSM). FWLB requires that the firewall farm be sandwiched between load balancers; this guarantees that the inbound and the outbound traffic of a single session are balanced to the same firewall. With one CSM, you can have the same module do the work of both load balancers. This document describes how.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • CSM that runs version 3.x

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

This section presents the information to configure the CSM for FWLB as this document describes.

Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document.

Network Diagram

This document uses this network setup:

[Network diagram: /image/gif/paws/47881/fwlb_csm.jpg]

Configurations

This document uses this configuration:

CSM that runs version 3.x
module ContentSwitchingModule 4 
 vlan 499 client

!--- Outside world or client side.

  ip address 192.168.10.97 255.255.254.0
  gateway 192.168.10.1
!
 vlan 500 server

!--- Inside world or server side.

  ip address 192.168.20.97 255.255.254.0
!
 vlan 168 server

!--- Firewall outside interface.

  ip address 192.168.168.97 255.255.255.0
!
 vlan 169 server

!--- Firewall inside interface.

  ip address 192.168.169.97 255.255.255.0
!
!
 serverfarm FORWARD

!--- Serverfarm to simply forward the traffic with no NATing.

  no nat server 
  no nat client
  predictor forward
!
 serverfarm FWLB_IN2OUT

!--- Firewall farm used for outbound traffic from inside to outside.

  no nat server 
  no nat client
  real 192.168.169.1
   backup real 192.168.169.2

!--- Use a backup real if your firewalls support stateful failover.

   inservice
  real 192.168.169.2
   backup real 192.168.169.1
   inservice
!
 serverfarm FWLB_OUT2IN

!--- Firewall farm for inbound traffic from outside to inside.

  no nat server 
  no nat client
  real 192.168.168.1
   backup real 192.168.168.2
   inservice
  real 192.168.168.2
   backup real 192.168.168.1
   inservice


!--- The default predictor is round robin.
!--- If you need to guarantee that *parent* connections go
!--- to the same firewall, you may need to issue the
!--- predictor hash address command, or use sticky with reverse sticky.



!
 vserver FW2SERV

!--- Vserver to catch traffic coming from the firewall and forward it to the server.

  virtual 192.168.20.0 255.255.254.0 any

!--- The Virtual IP (VIP) is a subnet that matches the internal network.

  vlan 169

!--- Specify that the vserver only applies to traffic from VLAN 169.

  serverfarm FORWARD
  persistent rebalance
  inservice
!
 vserver IN2OUT

!--- Vserver to catch traffic coming from the firewall and
!--- forward it to the outside.

  virtual 0.0.0.0 0.0.0.0 any
  vlan 168
  serverfarm FORWARD

!--- Serverfarm to forward traffic with no load balancing and no NATing.

  persistent rebalance
  inservice
!
 vserver OUT2IN

!--- Vserver to catch traffic from the outside world and load balance it to the firewall.

  virtual 192.168.20.0 255.255.254.0 any
  vlan 499

!--- Limit the vserver to traffic on VLAN 499 only.

  serverfarm FWLB_OUT2IN

!--- Use the firewall farm FWLB_OUT2IN defined above.

  persistent rebalance
  inservice
!         
 vserver SERV2FW

!--- Vserver to catch the server response and load balance it to the firewall.

  virtual 0.0.0.0 0.0.0.0 any
  vlan 500
  serverfarm FWLB_IN2OUT
  persistent rebalance
  inservice
!      


!--- The same rules again, but specifically for FTP traffic.
!--- This is recommended in order to tie the control channel
!--- to the data channel.

!
 vserver FTP_FW2SERV
  virtual 192.168.20.0 255.255.254.0 tcp ftp service ftp
  vlan 169
  serverfarm FORWARD
  persistent rebalance
  inservice
!
 vserver FTP_OUT2IN
  virtual 192.168.20.0 255.255.254.0 tcp ftp service ftp
  vlan 499
  serverfarm FWLB_OUT2IN
  persistent rebalance
  inservice
!   
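To make the sandwich concrete, the following Python script is an added example (not Cisco code and not part of the original document). It loads the vservers, firewall farms and CSM VLAN interfaces configured above as data and walks packets through them: which vserver matches on which ingress VLAN, which firewall leg a new connection is balanced onto, and why a reply leg is matched in the connection table instead of being balanced again. Assumptions not on the page: vserver precedence is modelled as longest virtual prefix then port-specific; a symmetric CRC32 hash over the unordered address pair stands in for predictor hash address; firewall N is assumed to own 192.168.168.N (outside) and 192.168.169.N (inside); the Csm, Vserver, Conn and trace_session names are the example's own.

```python
"""Model of the single-CSM firewall sandwich configured above. Added example, not Cisco code."""
import ipaddress
import zlib
from dataclasses import dataclass
from typing import Optional

# CSM VLAN interfaces from the configuration above.
VLAN_SUBNETS = {
    499: ipaddress.ip_network("192.168.10.0/23"),   # client side; default gateway 192.168.10.1
    500: ipaddress.ip_network("192.168.20.0/23"),   # server side
    168: ipaddress.ip_network("192.168.168.0/24"),  # firewall outside interfaces
    169: ipaddress.ip_network("192.168.169.0/24"),  # firewall inside interfaces
}
CLIENT_VLAN = 499

@dataclass(frozen=True)
class Vserver:
    name: str
    vlan: int                       # 'vlan N': only traffic entering on this VLAN
    virtual: ipaddress.IPv4Network  # 'virtual <net> <mask>'
    proto: str                      # "any" or "tcp"
    port: int                       # 0 = any port
    farm: str

VSERVERS = [
    Vserver("FW2SERV",     169, ipaddress.ip_network("192.168.20.0/23"), "any", 0,  "FORWARD"),
    Vserver("IN2OUT",      168, ipaddress.ip_network("0.0.0.0/0"),       "any", 0,  "FORWARD"),
    Vserver("OUT2IN",      499, ipaddress.ip_network("192.168.20.0/23"), "any", 0,  "FWLB_OUT2IN"),
    Vserver("SERV2FW",     500, ipaddress.ip_network("0.0.0.0/0"),       "any", 0,  "FWLB_IN2OUT"),
    Vserver("FTP_FW2SERV", 169, ipaddress.ip_network("192.168.20.0/23"), "tcp", 21, "FORWARD"),
    Vserver("FTP_OUT2IN",  499, ipaddress.ip_network("192.168.20.0/23"), "tcp", 21, "FWLB_OUT2IN"),
]

# Firewall farms; an empty real list stands for 'predictor forward' (route, do not balance).
FARMS = {
    "FORWARD":     [],
    "FWLB_OUT2IN": ["192.168.168.1", "192.168.168.2"],
    "FWLB_IN2OUT": ["192.168.169.1", "192.168.169.2"],
}

@dataclass(frozen=True)
class Conn:
    vserver: str
    real: Optional[str]  # firewall interface chosen, or None when simply forwarded
    in_vlan: int
    out_vlan: int

def match_vserver(vlan: int, dst: str, proto: str, dport: int) -> Optional[Vserver]:
    """Most specific vserver on `vlan` (assumption: longest prefix, then port-specific beats any)."""
    ip = ipaddress.ip_address(dst)
    hits = [v for v in VSERVERS
            if v.vlan == vlan and ip in v.virtual
            and (v.proto == "any" or (v.proto == proto and v.port == dport))]
    return max(hits, key=lambda v: (v.virtual.prefixlen, v.port != 0)) if hits else None

def egress_vlan(ip: str) -> int:
    """Directly connected VLAN for `ip`, else the client VLAN that holds the default gateway."""
    addr = ipaddress.ip_address(ip)
    return next((vlan for vlan, net in VLAN_SUBNETS.items() if addr in net), CLIENT_VLAN)

def pick_real(reals: list, src: str, dst: str) -> Optional[str]:
    """Toy stand-in for 'predictor hash address' (assumption, not the CSM algorithm):
    hashing the unordered pair lands a session started from either side on the same index."""
    if not reals:
        return None
    key = "|".join(sorted([src, dst])).encode()
    return reals[zlib.crc32(key) % len(reals)]

def firewall_index(real: Optional[str]) -> Optional[int]:
    # Lab assumption: firewall N owns 192.168.168.N (outside) and 192.168.169.N (inside).
    return None if real is None else int(real.rsplit(".", 1)[1])

class Csm:
    def __init__(self) -> None:
        self.conns: dict = {}  # (vlan, src, sport, dst, dport) -> Conn

    def packet(self, vlan: int, src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> Conn:
        # A reply leg hits the connection table and is never load balanced again.
        if (hit := self.conns.get((vlan, src, sport, dst, dport))) is not None:
            return hit
        vs = match_vserver(vlan, dst, proto, dport)
        if vs is None:
            raise ValueError(f"no vserver on vlan {vlan} for {dst}:{dport}")
        real = pick_real(FARMS[vs.farm], src, dst)
        conn = Conn(vs.name, real, vlan, egress_vlan(real if real is not None else dst))
        # Record the In leg and the Out leg, the way 'show mod csm conns detail' lists them.
        self.conns[(vlan, src, sport, dst, dport)] = self.conns[(conn.out_vlan, dst, dport, src, sport)] = conn
        return conn

def trace_session(csm: Csm, client: str, cport: int, server: str, sport: int) -> list:
    """One inbound session through both legs of the sandwich and the server's reply back."""
    legs = [
        csm.packet(CLIENT_VLAN, client, cport, server, sport),  # balanced to a firewall
        csm.packet(169, client, cport, server, sport),          # out of that firewall, to server
        csm.packet(500, server, sport, client, cport),          # reply: existing entry
        csm.packet(168, server, sport, client, cport),          # reply: existing entry
    ]
    return [(leg.vserver, firewall_index(leg.real)) for leg in legs]

if __name__ == "__main__":
    print(trace_session(Csm(), "192.168.11.46", 2829, "192.168.21.240", 21))
```

The trace reproduces the four entries of the show mod csm conns detail output in the Verify section: the FTP control connection is balanced once on VLAN 499, forwarded on VLAN 169, and both reply legs are found in the connection table. A new outbound session between the same hosts on VLAN 500 lands on the inside interface of the same firewall index only because the model's hash is symmetric; on a real CSM that is what the predictor hash address or sticky note above is for.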

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) supports certain show commands, which allows you to view an analysis of show command output.

  • show mod csm slot vserver

    show mod csm 4 vservers       
    
    vserver         type  prot virtual                  vlan state        conns
    ---------------------------------------------------------------------------
    OUT2IN          SLB   any  192.168.20.0/23:0        499  OPERATIONAL  0       
    FW2SERV         SLB   any  192.168.20.0/23:0        169  OPERATIONAL  0       
    SERV2FW         SLB   any  0.0.0.0/0:0              500  OPERATIONAL  0       
    IN2OUT          SLB   any  0.0.0.0/0:0              168  OPERATIONAL  0       
    FTP_OUT2IN      SLB   TCP  192.168.20.0/23:21       499  OPERATIONAL  1       
    FTP_FW2SERV     SLB   TCP  192.168.20.0/23:21       169  OPERATIONAL  1 
  • show mod csm slot vserver name name detail

    show mod csm 4 vservers name FTP_OUT2IN
    
    vserver         type  prot virtual                  vlan state        conns
    ---------------------------------------------------------------------------
    FTP_OUT2IN      SLB   TCP  192.168.20.0/23:21       499  OPERATIONAL  1       
    cpu0#show mod csm 4 vservers name FTP_OUT2IN det
    FTP_OUT2IN, type = SLB, state = OPERATIONAL, v_index = 26
      virtual = 192.168.20.0/23:21 bidir, TCP, service = ftp, advertise = FALSE
      idle = 3600, replicate csrp = none, vlan = 499, pending = 30
      max parse len = 2000, persist rebalance = TRUE
      ssl sticky offset = 0, length = 32
      conns = 1, total conns = 1
      Default policy:
        server farm = FWLB_OUT2IN, backup = <not assigned>
        sticky: timer = 0, subnet = 0.0.0.0, group id = 0
      Policy          Tot matches  Client pkts  Server pkts
      -----------------------------------------------------
      (default)       1            11           10   
    
  • show mod csm slot conns detail

    sho mod csm 4 conns detail 
    
        prot vlan source                destination           state       
    ----------------------------------------------------------------------
    In  TCP  499  192.168.11.46:2830    192.168.21.240:0      ESTAB       
    Out TCP  168  192.168.21.240:0      192.168.11.46:2830    ESTAB       
        vs = (n/a), ftp = Data, csrp = False
    
    In  TCP  169  192.168.11.46:2830    192.168.21.240:0      ESTAB       
    Out TCP  500  192.168.21.240:0      192.168.11.46:2830    ESTAB       
        vs = (n/a), ftp = Data, csrp = False
    
    In  TCP  169  192.168.11.46:2829    192.168.21.240:21     ESTAB       
    Out TCP  500  192.168.21.240:21     192.168.11.46:2829    ESTAB       
        vs = FTP_FW2SERV, ftp = Control, csrp = False
    
    In  TCP  499  192.168.11.46:2829    192.168.21.240:21     ESTAB       
    Out TCP  168  192.168.21.240:21     192.168.11.46:2829    ESTAB       
        vs = FTP_OUT2IN, ftp = Control, csrp = False
    

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

If you have problems with this setup, the first thing to do is check whether the vservers get hits: issue the show mod csm slot vservers command. If you see no hits, make sure the vserver is in service, and use a sniffer trace to confirm that the traffic reaches the CSM. Once you see hits, issue the show mod csm slot conns detail command to verify that an entry is created for the connection you are looking for. Then use the sniffer again (or the logging feature of either firewall) to make sure the traffic goes to the correct firewall. Continue this way and follow the path of the traffic.
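As an added example (not a Cisco tool and not part of the original document), the following Python script applies the checks above to show mod csm slot conns detail output: it pairs the In and Out legs, verifies that each entry leaves on the VLAN the sandwich expects, flags a session that entered on the client VLAN but never reappeared on the firewall-inside VLAN (the case where the firewall dropped it), and flags FTP data connections with no control connection from the same client. SAMPLE_OK is copied from the Verify section; SAMPLE_DROPPED is constructed for the failure case; the LEG and OTHER_HALF tables, parse_conns and check_conns are the example's own.

```python
"""Consistency checks over 'show mod csm <slot> conns detail' output. Added example, not a Cisco tool."""
import re
from collections import defaultdict

# Expected egress VLAN for each ingress VLAN in the single-CSM sandwich (page's VLAN numbers).
LEG = {499: 168, 169: 500, 500: 169, 168: 499}
# Ingress VLAN on which the same connection must reappear after it has crossed the firewall.
OTHER_HALF = {499: 169, 169: 499, 500: 168, 168: 500}

ENTRY_RE = re.compile(r"^\s*(In|Out)\s+(\w+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\w+)\s*$")
DETAIL_RE = re.compile(r"vs = (.+?), ftp = (\w+), csrp = (\w+)")

# Copied from the Verify section of this document.
SAMPLE_OK = """\
    prot vlan source                destination           state
----------------------------------------------------------------------
In  TCP  499  192.168.11.46:2830    192.168.21.240:0      ESTAB
Out TCP  168  192.168.21.240:0      192.168.11.46:2830    ESTAB
    vs = (n/a), ftp = Data, csrp = False

In  TCP  169  192.168.11.46:2830    192.168.21.240:0      ESTAB
Out TCP  500  192.168.21.240:0      192.168.11.46:2830    ESTAB
    vs = (n/a), ftp = Data, csrp = False

In  TCP  169  192.168.11.46:2829    192.168.21.240:21     ESTAB
Out TCP  500  192.168.21.240:21     192.168.11.46:2829    ESTAB
    vs = FTP_FW2SERV, ftp = Control, csrp = False

In  TCP  499  192.168.11.46:2829    192.168.21.240:21     ESTAB
Out TCP  168  192.168.21.240:21     192.168.11.46:2829    ESTAB
    vs = FTP_OUT2IN, ftp = Control, csrp = False
"""

# Constructed: a control connection balanced to a firewall (499 -> 168) that never
# came back out of the firewall on VLAN 169.
SAMPLE_DROPPED = """\
In  TCP  499  192.168.11.50:3001    192.168.21.240:21     ESTAB
Out TCP  168  192.168.21.240:21     192.168.11.50:3001    ESTAB
    vs = FTP_OUT2IN, ftp = Control, csrp = False
"""

def parse_conns(text: str) -> list:
    """One dict per connection entry: the In leg, its Out leg and the detail line."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            direction, proto, vlan, src, dst, state = m.groups()
            if direction == "In":
                cur = {"proto": proto, "in_vlan": int(vlan), "src": src, "dst": dst, "state": state}
                entries.append(cur)
            elif cur is not None:
                cur["out_vlan"] = int(vlan)
            continue
        d = DETAIL_RE.search(line)
        if d and cur is not None:
            cur["vs"], cur["ftp"], cur["csrp"] = d.groups()
            cur = None
    return entries

def check_conns(entries: list) -> list:
    """Human-readable findings; an empty list means the traffic path looks consistent."""
    findings = []
    seen_on = defaultdict(set)          # (src, dst) -> ingress VLANs the connection was seen on
    control_clients = defaultdict(set)  # ingress VLAN -> client IPs that have an FTP control conn
    for e in entries:
        want = LEG.get(e["in_vlan"])
        if e.get("out_vlan") != want:
            findings.append(f"{e['src']}->{e['dst']}: entered vlan {e['in_vlan']} but left on "
                            f"vlan {e.get('out_vlan')}, expected {want}")
        seen_on[(e["src"], e["dst"])].add(e["in_vlan"])
        if e.get("ftp") == "Control":
            control_clients[e["in_vlan"]].add(e["src"].rsplit(":", 1)[0])
    for (src, dst), vlans in seen_on.items():
        for v in sorted(vlans):
            other = OTHER_HALF.get(v)
            if other is not None and other not in vlans:
                findings.append(f"{src}->{dst}: entered vlan {v} but never appeared on vlan {other}; "
                                "check the firewall in the path")
    for e in entries:
        if e.get("ftp") == "Data" and e["src"].rsplit(":", 1)[0] not in control_clients[e["in_vlan"]]:
            findings.append(f"{e['src']}->{e['dst']}: FTP data connection on vlan {e['in_vlan']} "
                            "without a control connection from the same client")
    return findings

if __name__ == "__main__":
    for name, sample in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_DROPPED", SAMPLE_DROPPED)):
        print(name, check_conns(parse_conns(sample)) or "consistent")
```

Paste the live output into the script in place of the samples. An entry that leaves on an unexpected VLAN points at the vserver or farm that caught the traffic; a connection that shows up only on the client-side pair (499/168) or only on the server-side pair (500/169) narrows the problem to the firewall between them, which is where the text above says to move the sniffer next.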


Document ID: 47881