Server Load Balancing – FortiBalancer

6.3.4.2 Single-arm Network Topology

Configuration Guidelines

As in the two-arm scenario, new routes must be configured on the client, the servers and the firewalls for packet forwarding:

Client route:

route add -net 172.16.167.0 172.16.162.70 -netmask 255.255.255.0

Server routes:

route ADD 172.16.162.0 MASK 255.255.255.0 172.16.167.73

route ADD 172.16.163.0 MASK 255.255.255.0 172.16.167.73

route ADD 172.16.164.0 MASK 255.255.255.0 172.16.167.73

Firewall1 route:

route add default 172.16.163.70

Firewall2 route:

route add default 172.16.164.70

 

Figure 6-14 IP/MAC-based Load Balancing – Single-arm Network

The general settings for a single-arm network are the same as those for a two-arm network.

Configuration Example via CLI

Next, configure FortiBalancer according to the figure above.

  • Step 1 Assign IP addresses to the relevant interfaces

FortiBalancer(config)#ip address "port1" 172.16.162.70 255.255.255.0

FortiBalancer(config)#ip address "port2" 172.16.163.70 255.255.255.0

FortiBalancer(config)#ip address "port3" 172.16.164.70 255.255.255.0

FortiBalancer(config)#ip address "port4" 172.16.167.73 255.255.255.0

  • Step 2 Define Layer 2 real services

FortiBalancer(config)#slb real l2ip "r1" 172.16.163.71

FortiBalancer(config)#slb real l2ip "r2" 172.16.164.71

or

FortiBalancer(config)#slb real l2mac r1 00:e0:81:03:36:e4 port2

FortiBalancer(config)#slb real l2mac r2 00:30:48:81:54:9c port3

  • Step 3 Define the group for the real service

FortiBalancer(config)#slb group method "g1" "rr" "route"

  • Step 4 Add the real services into the group

FortiBalancer(config)#slb group member "g1" "r1" 1

FortiBalancer(config)#slb group member "g1" "r2" 1

or

FortiBalancer(config)#slb group member "g1" "r1"

FortiBalancer(config)#slb group member "g1" "r2"

  • Step 5 Define Layer 2 virtual service

FortiBalancer(config)#slb virtual l2ip "v1" 172.16.162.70

FortiBalancer(config)#slb virtual l2ip "v2" 172.16.167.73

  • Step 6 Define the SLB policy

FortiBalancer(config)#slb policy default "v1" "g1"

FortiBalancer(config)#slb policy default "v2" "g1"

  • Step 7 Add the additional health check on the backend server

FortiBalancer(config)#slb real health a1 r1 172.16.163.71 0 icmp

FortiBalancer(config)#slb real health a1 r2 172.16.164.71 0 icmp

or

FortiBalancer(config)#slb real health a1 r1 172.16.163.70 0 icmp

FortiBalancer(config)#slb real health a1 r2 172.16.164.70 0 icmp

6.3.5 Layer 3 IP-based Load Balancing

6.3.5.1 Configuration Guidelines

The commands used to configure Layer 3 SLB are summarized in the following table:

Table 6-9 General Settings of Layer 3 IP-based Load Balancing

Operation: Configure real services
  slb real ip <real_name> <ip> [max_conn] [icmp|none] [hc_up] [hc_down] [udp_timeout]

Operation: Define group methods
  slb group method <group_name> {rr|pu|sr}
  slb group method <group_name> lc [threshold] [yes|no]
  slb group method <group_name> pi [hash_bits] [rr|sr|lc] [threshold]
  slb group method <group_name> hi [hash_bits]
  slb group method <group_name> chi [hash_bits]
  slb group method <group_name> prox [rr|sr|lc] [threshold]
  slb group method <group_name> snmp [weight|cpu] [community] [oidcount] [oid1] [oidweight1] [oid2] [oidweight2] [check_interval]

Operation: Add the real servers into the group
  slb group member <group_name> <real_name> [weight]

Operation: Define virtual services
  slb virtual ip <virtual_name> <vip>

Operation: Bind the group (or the real service) to the virtual service
  slb policy default {virtual_name|vlink_name} {group_name|vlink_name}
  slb policy static <virtual_name> <real_name>
  slb policy backup {virtual_name|vlink_name} {group_name|vlink_name}

6.3.5.2 Configuration Example via CLI

  • Step 1 Create real services

FortiBalancer(config)#slb real ip rip0 10.3.14.10

FortiBalancer(config)#slb real ip rip1 10.3.14.20 1000 none

The health check of rip0 defaults to “icmp”.

  • Step 2 Define a group for Layer 3 load balancing by using the “slb group method” command

FortiBalancer(config)#slb group method gip0

  • Step 3 Add the real services into the group

FortiBalancer(config)#slb group member "gip0" "rip0" 1

FortiBalancer(config)#slb group member "gip0" "rip1" 1

  • Step 4 Create a virtual service

FortiBalancer(config)#slb virtual ip vip0 10.3.14.56

  • Step 5 Associate a group with a virtual service

You may associate the group or the real service to the virtual service of Layer 3 load balancing by using the command “slb policy default” or associate the real service to the virtual service by the command “slb policy static”.

FortiBalancer(config)#slb policy default vip0 gip0

or

FortiBalancer(config)#slb policy static vip0 rip0

6.3.6 Port Range Load Balancing

6.3.6.1 Configuration Guidelines

The commands used to configure Port Range SLB are summarized in the following table:

Table 6-10 General Settings of Port Range Load Balancing

Operation: Configure real services
  slb real tcp <real_name> <ip> <port> [max_conn] [http|tcp|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns|ldap] [hc_up] [hc_down]
  slb real http <real_name> <ip> [port] [max_conn] [http|tcp|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns] [hc_up] [hc_down]
  slb real udp <real_name> <ip> <port> [max_conn] [hc_up] [hc_down] [timeout] [icmp|script-tcp|script-udp|radius-auth|radius-acct|sip-tcp|sip-udp|dns]
  slb real https <real_name> <ip> [port] [max_conn] [https|tcp|tcps|icmp|script-tcp|script-udp|script-tcps|sip-tcp|sip-udp|dns] [hc_up] [hc_down]
  slb real tcps <real_name> <ip> <port> [max_conn] [tcp|tcps|icmp|script-tcp|script-udp|script-tcps|sip-tcp|sip-udp|dns] [hc_up] [hc_down]
  slb real dns <real_name> <ip> <port> [max_conn] [dns|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns] [hc_up] [hc_down] [timeout]

Operation: Define group methods
  slb group method <group_name> [algorithm]

Operation: Add the real servers into the group
  slb group member <group_name> <real_name> [weight]

Operation: Define virtual services
  slb virtual {http|https|dns|siptcp|sipudp} <virtual_name> <vip> [vport] [arp|noarp] [max_conn]
  slb virtual {tcp|tcps|udp} <virtual_name> <vip> <vport> [arp|noarp] [max_conn]
  slb virtual rtsp <virtual_name> <vip> [vport] [mode] [arp|noarp] [max_conn]
  slb virtual {ftp|ftps} <virtual_name> <vip> [vport] [max_conn]

Operation: Define the port range of a virtual service
  slb virtual portrange <virtual_name> <min_port> <max_port> [protocol] [dst|src]

Operation: Bind the group (or the real service) to the virtual service
  slb policy default {virtual_name|vlink_name} {group_name|vlink_name}
  slb policy static <virtual_name> <real_name>
  slb policy backup {virtual_name|vlink_name} {group_name|vlink_name}

6.3.6.2 Configuration Example via CLI

Here we use the HTTP protocol as an example. The configurations for other protocols are similar.

  • Step 1 Define static or port range real services

When the real services are static:

FortiBalancer(config)#slb real http rhttp0 10.3.14.10

The port of HTTP type real service defaults to 80.

FortiBalancer(config)#slb real http rhttp1 10.3.14.11 90

The port of “rhttp1” is specified to 90.

When the real services are port range services, the health check can only be “icmp” or “none”.

FortiBalancer(config)#slb real http rhttp0 10.3.14.10 0 1000 icmp

FortiBalancer(config)#slb real http rhttp1 10.3.14.11 0 1000 none

  • Step 2 Define a group

FortiBalancer(config)#slb group method ghttp1

  • Step 3 Add the real services into the group

FortiBalancer(config)#slb group member ghttp1 rhttp0

FortiBalancer(config)#slb group member ghttp1 rhttp1

  • Step 4 Create a virtual service

FortiBalancer(config)#slb virtual http vhttp0 10.3.14.50 0

  • Step 5 Define the port range for the virtual service

At most three port ranges can be defined for an SLB virtual service.

FortiBalancer(config)#slb virtual portrange vhttp0 80 90

FortiBalancer(config)#slb virtual portrange vhttp0 8000 9000

In the above example, all data packets whose destination IP address is “10.3.14.50” and whose destination port falls in the range 80-90 or 8000-9000 will be handled by the port range virtual service “vhttp0”.

Note: Port range real services and static real services cannot be added into one group.

  • Step 6 Associate a group or a real service with a virtual service

Associate the group to the port-range virtual service with the command “slb policy default” and associate the real service to the port-range virtual service with the command “slb policy static”.

FortiBalancer(config)#slb policy default vhttp0 ghttp1

or

FortiBalancer(config)#slb policy static vhttp0 rhttp1
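
The port-range rules stated in this section (at most three port ranges per virtual service, only “icmp” or “none” health checks on port range real services, no mixing of static and port range real services in one group) can be checked against a saved configuration before it is applied. The following Python script is an added example, not part of the FortiBalancer documentation; the function name, the finding labels and the sample configuration are constructed for illustration, and it assumes that port 0 marks a port range real service, as in Step 1 above.

```python
import shlex
from collections import defaultdict

MAX_RANGES = 3  # "At most three port ranges can be defined for an SLB virtual service."

def lint(config_text):
    """Return (rule, object_name) findings for the port-range rules in this section."""
    reals = {}                   # real name -> (is_port_range, health_check or None)
    ranges = defaultdict(list)   # virtual name -> [(min_port, max_port), ...]
    members = defaultdict(list)  # group name -> [real name, ...]
    for raw in config_text.splitlines():
        tok = shlex.split(raw.split("#", 1)[-1])  # drop a copied CLI prompt, if any
        if tok[:3] == ["slb", "real", "http"]:
            # slb real http <real_name> <ip> [port] [max_conn] [health_check] ...
            port = int(tok[5]) if len(tok) > 5 else 80
            hc = tok[7] if len(tok) > 7 else None
            reals[tok[3]] = (port == 0, hc)  # assumption: port 0 = port range real
        elif tok[:3] == ["slb", "group", "member"]:
            members[tok[3]].append(tok[4])
        elif tok[:3] == ["slb", "virtual", "portrange"]:
            ranges[tok[3]].append((int(tok[4]), int(tok[5])))
    findings = []
    for name, (is_range, hc) in reals.items():
        if is_range and hc not in (None, "icmp", "none"):
            findings.append(("bad-health-check", name))
    for group, names in members.items():
        kinds = {reals[n][0] for n in names if n in reals}
        if len(kinds) > 1:  # static and port range reals in the same group
            findings.append(("mixed-group", group))
    for virt, spans in ranges.items():
        if len(spans) > MAX_RANGES:
            findings.append(("too-many-ranges", virt))
    return findings

# Constructed sample: names follow the example above, the three faults are deliberate.
SAMPLE = """\
FortiBalancer(config)#slb real http rhttp0 10.3.14.10 0 1000 icmp
FortiBalancer(config)#slb real http rhttp1 10.3.14.11 0 1000 http
FortiBalancer(config)#slb real http rhttp2 10.3.14.12 90
FortiBalancer(config)#slb group member ghttp1 rhttp0
FortiBalancer(config)#slb group member ghttp1 rhttp2
FortiBalancer(config)#slb virtual http vhttp0 10.3.14.50 0
FortiBalancer(config)#slb virtual portrange vhttp0 80 90
FortiBalancer(config)#slb virtual portrange vhttp0 8000 9000
FortiBalancer(config)#slb virtual portrange vhttp0 443 443
FortiBalancer(config)#slb virtual portrange vhttp0 10000 10010
"""

print(lint(SAMPLE))
```
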

6.3.7 Terminal Server Load Balancing

6.3.7.1 Configuration Guidelines

The commands used to configure Terminal Server Load Balancing are summarized in the following table:

Table 6-11 General Settings of Terminal Server Load Balancing

Operation: Create RDP real services
  slb real rdp <real_name> <ip> [port] [maxconn] [tcp|icmp] [hc_up] [hc_down]

Operation: Create RDP groups
  slb group method <group_name> rdprt [rr|sr|lc]

Operation: Add the real services into the group
  slb group member <group_name> <real_name>

Operation: Create RDP virtual services
  slb virtual rdp <virtual_name> <vip> [vport] [arp|noarp] [max_conn]

Operation: Associate the real server group with virtual services
  slb policy default {virtual_name|vlink_name} {group_name|vlink_name}

6.3.7.2 Configuration Example via CLI

  • Step 1 Create RDP real services

The default port number for RDP real services is 3389.

FortiBalancer(config)#slb real rdp rs1 172.16.69.191 3389 1000 icmp 3 3

FortiBalancer(config)#slb real rdp rs2 172.16.69.192 3389 1000 icmp 3 3

Note: For the RDP real services, only the “icmp” and “tcp” types of health check can be used.

  • Step 2 Create RDP groups

FortiBalancer(config)#slb group method g1 rdprt rr

  • Step 3 Add the real service into the group

FortiBalancer(config)#slb group member g1 rs1

FortiBalancer(config)#slb group member g1 rs2

  • Step 4 Create RDP virtual services

The default port number for RDP virtual services is 3389.

FortiBalancer(config)#slb virtual rdp vs1 172.16.69.171 3389 arp 0

  • Step 5 Associate the RDP group with the virtual services

FortiBalancer(config)#slb policy default vs1 g1

Note: RDP only supports the Default group policy.

