F5负载平衡实施方案

Internet出口链路优化项目实施方案ConfidentialPage1of10Internet出口链路优化项目实施方案2005-09-28Internet出口链路优化项目实施方案ConfidentialPage2of10目录Chapter1网络拓扑结构................................................................................................................................................................31.1.网络拓扑图..................................................................................................................................................................................31.2.IP地址规划.................................................................................................................................................................................3Chapter2实施过程........................................................................................................................................................................42.1.实施计划的完善..........................................................................................................................................................................42.2.F5LinkController的离线配置..............................................................................................................................................4用户访问dns的过程.................................................................................................................................................................................7在dns服务器上设置的更改................................................................................................................................................................82.3.防火墙配置更改..........................................................................................................................................................................9A)IP地址分配.............................................................................................................................................................................9B)路由配置.................................................................................................................................................................................9增加规则设置.......................................................................................................................................................................................92.4.对网络结构进行调整、接线、设备上线...................................................................................................................................92.5.修改DNS服务器设置................................................................................................................................................................92.6.业务流程检查............................................................................................................................................................................102.7.配置回滚过程............................................................................................................................................................................10Chapter3实施时间表..................................................................................................................................................................10Internet出口链路优化项目实施方案ConfidentialPage3of10Chapter1网络拓扑结构1.1.网络拓扑图Internet出口链路优化方案的网络拓扑图见下图:改造后的网络拓扑图：1.2.IP地址规划(1)F5链路控制器公网IP地址规划:新增F5链路控制器在两条ISP链路分配公网ip地址。原来公网ip终结到F5链路控制器上，而F5链路控制器的内网vlan与防火墙通过私有地址相连。而新增的电信网与F5链路控制器电信网vlan相连。InternetFirewallIsp1ISP2DMZRouterFirewallBIG-IPController1000HeartbeatCableL2Switch内部网ServerVLANDBClusterAPPInternalDNSClientClientVLANL3SWDMZDNS1出口链路优化项目实施方案ConfidentialPage4of10(2)F5链路控制器私网IP地址规划:沿有原有的内网地址划分，地址分配以尽可能少地改动内网地址设置为原则。172.31.1.0/27:LinkController内网与核心交换机相连网段使用;Chapter2实施过程项目实施步骤分为以下几步2.1.实施计划的完善完善本配置计划中的不完备信息、LinkController以外设备的配置方案、上线失败后的回滚计划是否准备充分。2.2.F5LinkController的离线配置A)F5硬件自检、license激活B)F5vlan划分、ip地址分配VlanHostNameIPAddress网通（cnc）PortAssignment:1.11.2Lc1RealIP电信网（telecom）PortAssignment:1.3.14Lc1RealIPInternalPortAssignment:2.11.5-1.8,L4Switch#1RealIPLc1.f5.com.cnC)路由配置LinkController默认网关：cnc:221.4.104.193telecom:202.104.115.94内网网关：10.0.0.0/8via172.31.1.1(防火墙与F5linkcontroller内网相连的地址)内网网关：9.0.0.0/8via172.31.1.1(防火墙与F5linkcontroller内网相连的地址)内网网关：172.30.30/24via172.31.1.1(防火墙与F5linkcontroller内网相连的地址)D)outbound访问配置内网普通用户的访问将按设定的链路选择办法（负载均衡算法）在两条链路上进行选择，并将访问包的源地址转换成相应ISP链路的IP地址。InternetInternet出口链路优化项目实施方案ConfidentialPage5of10WildCastVirtual服务器0.0.0.0:internal/0配置:Virtual服务器IP1:0.0.0.0ServicePort:0PoolName:Default_GW_PoolLoadBalancingPolicy:RoundRobinPoolMemberAddress:;202.104.115.94221.4.104.193E)特定用户对internet的访问某些用户访问外网特定的服务器时，外网的服务器要对访问的源地址进行限定。因此在LinkController上要对上述用户的地址转换设定特定的规则：SNAT规则用途源地址要求转换成的地址F)特定应用使用指定的链路特定应用使用指定链路应用、服务、端口指定的链路对应的GatewayPoolInternalserver10.2.1.0/24IntranetNetworkAddressTranslationPrivateIPAddressClientsPublicIPAddressInternetMapstoCheckporintFwDefault_GW_Pool:;LoadBalancingMethod:RoundRobin;SNATAutoMapL2switchVLAN:edu_netIP:EnableSNATAutomapVLAN:tel_netIP:EnableSNATAutomapIPDefaultGW:VLAN:InternalInternet出口链路优化项目实施方案C