Server Load Balancing – FortiBalancer

6.3.2 SIP Load Balancing

This section gives a configuration example on basic SIP load balancing.

6.3.2.1 Configuration Guidelines

The example in this section is a one-arm deployment. The default gateway of the two servers is the FortiBalancer appliance (i.e. 172.16.30.170). The server subnet (VLAN 30) and the client subnet (VLAN 10) are connected by router 172.16.30.1.

 

Figure 6-10 SIP Load Balancing

Table 6-5 General Settings of SIP Load Balancing

Operation: Configure real services
  slb real siptcp <real_name> <ip> [port] [max_conn] [http|tcp|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns] [hc_up] [hc_down]
  slb real sipudp <real_name> <ip> [port] [max_conn] [icmp|script-tcp|script-udp|radius-auth|radius-acct|sip-tcp|sip-udp|dns|none] [hc_up] [hc_down] [timeout]

Operation: Define group methods
  slb group method <group_name> {sipcid|sipuid} [rr|sr|lc] [threshold]
  slb group method <group_name> {rr|pu|sr}
  slb group method <group_name> lc [threshold] [{yes|no}]
  slb group method <group_name> pi [hash_bits] [rr|sr|lc] [threshold]
  slb group method <group_name> hi [hash_bits]
  slb group method <group_name> chi [hash_bits]
  slb group method <group_name> prox [rr|sr|lc] [threshold]
  slb group method <group_name> snmp [weight|cpu] [community] [oidcount] [oid1] [oidweight1] [oid2] [oidweight2] [check_interval]

Operation: Add the real servers into the group
  slb group member <group_name> <real_name> [weight]

Operation: Define virtual services
  slb virtual {http|https|dns|siptcp|sipudp} <virtual_name> <vip> [vport] [arp|noarp] [max_conn]
  slb virtual {tcp|tcps|udp} <virtual_name> <vip> <vport> [arp|noarp] [max_conn]
  slb virtual rtsp <virtual_name> <vip> [vport] [mode] [arp|noarp] [max_conn]
  slb virtual {ftp|ftps} <virtual_name> <vip> [vport] [max_conn]

Operation: Bind the group to the virtual service
  slb policy default {virtual_name|vlink_name} {group_name|vlink_name}
  slb policy static <virtual_name> <real_name>
  slb policy backup {virtual_name|vlink_name} {group_name|vlink_name}

6.3.2.2 Configuration Example via CLI

  • Step 1 Define SIPUDP real services

FortiBalancer(config)#slb real sipudp "r1" 172.16.32.253 5060 1000 sip-udp 3 3 60

FortiBalancer(config)#slb real sipudp "r2" 172.16.32.189 5060 1000 sip-udp 3 3 60

  • Step 2 Create a group for SIP load balancing by using the “slb group method” command

FortiBalancer(config)#slb group method "g1" sipuid rr

  • Step 3 Add SIPUDP real services into the group

FortiBalancer(config)#slb group member "g1" "r1" 1

FortiBalancer(config)#slb group member "g1" "r2" 1

  • Step 4 Create virtual services

Define the SIP virtual services by using the “slb virtual siptcp” or “slb virtual sipudp” command.

FortiBalancer(config)#slb virtual sipudp "v1" 172.16.30.171 5060

  • Step 5 Associate the group to the virtual service for SIP SLB

FortiBalancer(config)#slb policy default "v1" "g1"

  • Step 6 Configure SIP Multi-register

If the backend servers do not share a database, turn on the multi-register function.

FortiBalancer(config)#sip multireg on

  • Step 7 Configure SIP NAT

To handle network traffic originating from the real servers, you need to set SIP NAT rules for the defined SIP real services.

FortiBalancer(config)#sip nat 172.16.30.171 5060 172.16.32.253 5060 udp 60 callid

FortiBalancer(config)#sip nat 172.16.30.171 5060 172.16.32.189 5060 udp 60 callid
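
A consistency check for Steps 1 to 7, added here as an example and not part of the FortiBalancer documentation: it parses the commands above and reports any SIP real service that has no matching “sip nat” rule, and any rule whose virtual address is not a defined SIP virtual service. The “sip nat” argument order (VIP, virtual port, real IP, real port, protocol) is inferred from the values in the example, and treating an omitted port as 5060 is an assumption.

```python
import shlex

# Constructed input: the commands from Steps 1-7, prompt removed and
# typographic quotes replaced with ASCII quotes.
SIP_CONFIG = '''
slb real sipudp "r1" 172.16.32.253 5060 1000 sip-udp 3 3 60
slb real sipudp "r2" 172.16.32.189 5060 1000 sip-udp 3 3 60
slb group method "g1" sipuid rr
slb group member "g1" "r1" 1
slb group member "g1" "r2" 1
slb virtual sipudp "v1" 172.16.30.171 5060
slb policy default "v1" "g1"
sip multireg on
sip nat 172.16.30.171 5060 172.16.32.253 5060 udp 60 callid
sip nat 172.16.30.171 5060 172.16.32.189 5060 udp 60 callid
'''

ASSUMED_PORT = "5060"  # assumption: used only when [port]/[vport] is omitted


def check_sip_nat(config):
    """Return findings for SIP real services and NAT rules that do not line up."""
    reals, vips, nats = {}, set(), []
    for line in config.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["slb", "real"] and tok[2] in ("sipudp", "siptcp"):
            # slb real sipudp <real_name> <ip> [port] ...
            port = tok[5] if len(tok) > 5 else ASSUMED_PORT
            reals[tok[3]] = (tok[4], port, tok[2][3:])  # "sipudp" -> "udp"
        elif tok[:2] == ["slb", "virtual"] and tok[2] in ("sipudp", "siptcp"):
            # slb virtual sipudp <virtual_name> <vip> [vport]
            vips.add((tok[4], tok[5] if len(tok) > 5 else ASSUMED_PORT))
        elif tok[:2] == ["sip", "nat"]:
            # Inferred order: <vip> <vport> <real_ip> <real_port> <proto> ...
            nats.append(tuple(tok[2:7]))
    findings = []
    for name, real in sorted(reals.items()):
        if not any(nat[2:] == real for nat in nats):
            findings.append("real service %s (%s:%s/%s) has no sip nat rule"
                            % ((name,) + real))
    for vip, vport, ip, port, _proto in nats:
        if (vip, vport) not in vips:
            findings.append("sip nat rule for %s:%s uses undefined virtual %s:%s"
                            % (ip, port, vip, vport))
    return findings


if __name__ == "__main__":
    for finding in check_sip_nat(SIP_CONFIG) or ["no findings"]:
        print(finding)
```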

6.3.3 RTSP Load Balancing

6.3.3.1 Configuration in Redirect mode

Configuration Guidelines

In our example, the client sends a request “rtsp://10.5.1.80/test.mp3” to virtual service “vs_rtsp1” (10.5.1.80). FortiBalancer appliance chooses a real service according to some policy and method.

In redirect mode, the FortiBalancer appliance responds to the client with the chosen real server’s URL “rtsp://audio2.example.com:554/test.mp3”. The FortiBalancer appliance and the client then disconnect, and the client begins to communicate with the real server “audio2.example.com:554”. In this mode, all the real servers should have public IP addresses that are accessible from Internet clients.

 

Figure 6-11 RTSP Load Balancing – Redirect Mode

Table 6-6 General Settings of RTSP Load Balancing

Operation: Configure real services
  slb real rtsp <real_name> <ip> [port] [max_conn] [rtsp-tcp|tcp|icmp|script-tcp|script-udp|dns] [hc_up] [hc_down] [timeout]

Operation: Define group methods
  slb group method <group_name> {rr|pu|sr}
  slb group method <group_name> lc [threshold] [yes|no]
  slb group method <group_name> pi [hash_bits] [rr|sr|lc] [threshold]
  slb group method <group_name> hi [hash_bits]
  slb group method <group_name> chi [hash_bits]
  slb group method <group_name> prox [rr|sr|lc] [threshold]
  slb group method <group_name> snmp [weight|cpu] [community] [oidcount] [oid1] [oidweight1] [oid2] [oidweight2] [check_interval]

Operation: Add the real servers into the group
  slb group member <group_name> <real_name> [weight]

Operation: Define virtual services
  slb virtual {http|https|dns|siptcp|sipudp} <virtual_name> <vip> [vport] [arp|noarp] [max_conn]
  slb virtual {tcp|tcps|udp} <virtual_name> <vip> <vport> [arp|noarp] [max_conn]
  slb virtual rtsp <virtual_name> <vip> [vport] [mode] [arp|noarp] [max_conn]
  slb virtual {ftp|ftps} <virtual_name> <vip> [vport] [max_conn]

Operation: Bind the group to the virtual service
  slb policy default {virtual_name|vlink_name} {group_name|vlink_name}
  slb policy static <virtual_name> <real_name>
  slb policy backup {virtual_name|vlink_name} {group_name|vlink_name}
  slb policy filetype <policy_name> <vs_name> <group> <filetype>

Configuration Example for Redirect Mode via CLI

  • Step 1 Define RTSP real services by using the command “slb real rtsp”

When the virtual service mode is “Redirect”, the real service name should be “real IP[:port]” or “domainname[:port]”.

FortiBalancer(config)#slb real rtsp "10.5.1.90" 10.5.1.90 554 1000 rtsp-tcp 3 3

FortiBalancer(config)#slb real rtsp "10.5.1.91:554" 10.5.1.91 554

FortiBalancer(config)#slb real rtsp "audio1.example.com" 10.5.1.92 554

FortiBalancer(config)#slb real rtsp "audio2.example.com:554" 10.5.1.93 554

  • Step 2 Define RTSP real service groups

We can use the rr (Round Robin), pi (Persistent IP), hi (Hash IP), chi (Consistent Hash IP) or snmp method to choose an RTSP real service within a group.

FortiBalancer(config)#slb group method "mp3_group" rr

FortiBalancer(config)#slb group member "mp3_group" "10.5.1.90"

FortiBalancer(config)#slb group member "mp3_group" "10.5.1.91:554"

FortiBalancer(config)#slb group method "song" rr

FortiBalancer(config)#slb group member "song" "audio1.example.com"

FortiBalancer(config)#slb group member "song" "audio2.example.com:554"

  • Step 3 Add the real services into the groups

FortiBalancer(config)#slb group member "mp3_group" "10.5.1.90"

FortiBalancer(config)#slb group member "mp3_group" "10.5.1.91:554"

FortiBalancer(config)#slb group member "song" "audio1.example.com"

FortiBalancer(config)#slb group member "song" "audio2.example.com:554"

  • Step 4 Define an RTSP virtual service

The default mode of the RTSP virtual service is “Redirect”, and the port is 554.

FortiBalancer(config)#slb virtual rtsp "vs_rtsp1" 10.5.1.80

FortiBalancer(config)#slb virtual rtsp "vs_rtsp2" 10.5.1.81 554 "redirect"

  • Step 5 Define a filetype policy to choose a group by file extension

If you add a default policy, its group is used when no available real service can be found through the filetype policy.

FortiBalancer(config)#slb policy filetype "p1" "vs_rtsp1" "mp3_group" "mp3"

FortiBalancer(config)#slb policy default "vs_rtsp1" "song"
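
A simplified model of the redirect-mode decision configured above, added here as an example and not FortiBalancer's own code: the filetype policy picks a group by file extension, round robin picks a member, the default policy's group is the fallback, and the real service name becomes the host part of the redirect URL (which is why it must be an address or name that clients can reach). The class and method names are hypothetical, and the "down" set stands in for health-check results.

```python
from itertools import cycle
from urllib.parse import urlsplit

# Constructed from the CLI example: group name -> real service names.
GROUPS = {
    "mp3_group": ["10.5.1.90", "10.5.1.91:554"],
    "song": ["audio1.example.com", "audio2.example.com:554"],
}
FILETYPE_POLICY = {"mp3": "mp3_group"}  # slb policy filetype "p1" "vs_rtsp1" "mp3_group" "mp3"
DEFAULT_GROUP = "song"                  # slb policy default "vs_rtsp1" "song"


class RedirectBalancer:
    """Hypothetical model of an RTSP virtual service in redirect mode."""

    def __init__(self, groups, filetype_policy, default_group):
        self.groups = groups
        self.filetype_policy = filetype_policy
        self.default_group = default_group
        self.down = set()  # real services currently failing their health check
        self._rr = {name: cycle(members) for name, members in groups.items()}

    def _next_up(self, group):
        # Round robin over the group, skipping members marked down.
        for _ in self.groups[group]:
            real = next(self._rr[group])
            if real not in self.down:
                return real
        return None

    def redirect(self, url):
        """Return the URL the client is redirected to, or None if nothing is up."""
        path = urlsplit(url).path
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        group = self.filetype_policy.get(ext)
        real = self._next_up(group) if group else None
        if real is None:
            # No filetype match, or no available member: use the default policy.
            real = self._next_up(self.default_group)
        if real is None:
            return None
        # The real service name ("IP[:port]" or "domainname[:port]") is the new host.
        return "rtsp://%s%s" % (real, path)


if __name__ == "__main__":
    vs = RedirectBalancer(GROUPS, FILETYPE_POLICY, DEFAULT_GROUP)
    for request in ["rtsp://10.5.1.80/test.mp3", "rtsp://10.5.1.80/clip.wav"]:
        print(request, "->", vs.redirect(request))
```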

6.3.3.2 Configuration in Dynamic NAT Mode

Configuration Guidelines

In NAT mode, all the RTSP control messages are balanced across multiple backend media servers through the FortiBalancer appliance. Packets originating from the backend media servers (normally the media data) are NATted to outside clients. Unlike redirect mode, the real servers do not have to use public IP addresses. The internal private IP addresses are translated into a global IP address on the FortiBalancer appliance.

 

Figure 6-12 RTSP Load Balancing – Dynamic NAT Mode

Table 6-7 General Settings of RTSP Load Balancing

Operation: Configure real services
  slb real rtsp <real_name> <ip> [port] [max_conn] [rtsp-tcp|tcp|icmp|script-tcp|script-udp|dns] [hc_up] [hc_down] [timeout]

Operation: Define group methods
  slb group method <group_name> {rr|pu|sr}
  slb group method <group_name> lc [threshold] [yes|no]
  slb group method <group_name> pi [hash_bits] [rr|sr|lc] [threshold]
  slb group method <group_name> hi [hash_bits]
  slb group method <group_name> chi [hash_bits]
  slb group method <group_name> prox [rr|sr|lc] [threshold]
  slb group method <group_name> snmp [weight|cpu] [community] [oidcount] [oid1] [oidweight1] [oid2] [oidweight2] [check_interval]

Operation: Add the real servers into the group
  slb group member <group_name> <real_name> [weight]

Operation: Define virtual services
  slb virtual {http|https|dns|siptcp|sipudp} <virtual_name> <vip> [vport] [arp|noarp] [max_conn]
  slb virtual {tcp|tcps|udp} <virtual_name> <vip> <vport> [arp|noarp] [max_conn]
  slb virtual rtsp <virtual_name> <vip> [vport] [mode] [arp|noarp] [max_conn]
  slb virtual {ftp|ftps} <virtual_name> <vip> [vport] [max_conn]

Operation: Bind the group to the virtual service
  slb policy default {virtual_name|vlink_name} {group_name|vlink_name}
  slb policy static <virtual_name> <real_name>
  slb policy backup {virtual_name|vlink_name} {group_name|vlink_name}
  slb policy filetype <policy_name> <vs_name> <group> <filetype>

Configuration Example via CLI

  • Step 1 Define RTSP real services by using the command “slb real rtsp”

FortiBalancer(config)#slb real rtsp "rs_rtsp1" 10.5.14.90 554 1000 rtsp-tcp 3 3 60

FortiBalancer(config)#slb real rtsp "rs_rtsp2" 10.5.14.91 554 1000 rtsp-tcp 3 3 60

  • Step 2 Define RTSP real service groups

We can use the rr (Round Robin), pi (Persistent IP), hi (Hash IP), chi (Consistent Hash IP) or snmp method to choose an RTSP real service within a group.

FortiBalancer(config)#slb group method "grt1" rr

FortiBalancer(config)#slb group member "grt1" "rs_rtsp1" 1

FortiBalancer(config)#slb group member "grt1" "rs_rtsp2" 1

  • Step 3 Add the real services into the group

FortiBalancer(config)#slb group member "grt1" "rs_rtsp1" 1

FortiBalancer(config)#slb group member "grt1" "rs_rtsp2" 1

  • Step 4 Define RTSP virtual services

FortiBalancer(config)#slb virtual rtsp "vs_rtsp1" 10.3.14.90 554 nat

FortiBalancer(config)#slb virtual rtsp "vs_rtsp2" 10.3.14.91 7070 nat

  • Step 5 Set the policy

Static policy has higher priority than the default policy.

FortiBalancer(config)#slb policy default "vs_rtsp1" "grt1"

FortiBalancer(config)#slb policy static "vs_rtsp2" "rs_rtsp1"

6.3.4 Layer 2 IP/MAC-based Load Balancing

6.3.4.1 Two-arm Network Topology

Configuration Guidelines

Before we show how to set this up, we should describe the relevant concepts in our system. Let’s begin by setting up the environment for firewall load balancing. We will describe several different cases.

To make Layer 2 SLB work, the clients, servers and firewalls should have their default gateway, or a static route gateway, configured as one of the FortiBalancer appliance’s IP addresses so that the traffic can be forwarded to the FortiBalancer appliance.

For example, the following routes can be added for the clients, servers and firewalls respectively:

Client route:

route add -net 172.16.167.0 172.16.162.70 -netmask 255.255.255.0

Server route:

route add -net 172.16.162.0 172.16.167.73 -netmask 255.255.255.0

Firewall1 routes:

route add -net 172.16.167.0 172.16.165.73 -netmask 255.255.255.0

route add -net 172.16.162.0 172.16.163.70 -netmask 255.255.255.0

Firewall2 routes:

route add -net 172.16.167.0 172.16.166.73 -netmask 255.255.255.0

route add -net 172.16.162.0 172.16.164.70 -netmask 255.255.255.0

Note: We assume all the systems are Unix-like. For Windows, different versions of the route command may need to be applied.

Figure 6-13 Layer 2 IP/MAC-based Load Balancing – Two-arm Network

Note: One real service can only be included by one real service group. Layer 3 real service and Layer 2 real service can not be on the same interface.

Table 6-8 General Settings of Layer 2 IP/MAC-based Load Balancing

Operation: Configure real services
  slb real l2ip <real_name> <real_ip>
  slb real l2mac <real_name> <real_mac> <output_interface>

Operation: Define group methods
  slb group method <group_name> {hi|rr|chi} [route|direct]

Operation: Add the real servers into the group
  slb group member <group_name> <real_name> [weight]

Operation: Define virtual services
  slb virtual l2ip <virtual_name> <vip> [gateway_ip]

Operation: Bind the group to the virtual service
  slb policy default {virtual_name|vlink_name} {group_name|vlink_name}

Operation: Define the additional health check
  slb real health <add_hc_name> <real_name> <ip> <port> [http|https|tcp|icmp|dns|ldap|script-tcp|script-udp|script-tcps|sip-tcp|sip-udp|rtsp-tcp] [hc_up] [hc_down]

Operation: Configure reflector
  health ipreflect <reflector_name> <ip_address> <port> [protocol]

Configuration Example via CLI

Then we begin to configure the left box, FortiBalancer1, according to the above figure.

  • Step 1 Assign IP addresses to the relevant interfaces

FortiBalancer(config)#ip address port1 172.16.162.70 255.255.255.0

FortiBalancer(config)#ip address port2 172.16.163.70 255.255.255.0

FortiBalancer(config)#ip address port3 172.16.164.70 255.255.255.0

  • Step 2 Define Layer 2 real services

We can use an IP address to define a real service.

FortiBalancer(config)#slb real l2ip rs1 172.16.163.71

FortiBalancer(config)#slb real l2ip rs2 172.16.164.71

On the other hand, we can use MAC address to define a real service as well.

FortiBalancer(config)#slb real l2mac rs1 00:e0:81:03:36:e4 port2

FortiBalancer(config)#slb real l2mac rs2 00:30:48:81:54:9c port3

Note: To get the MAC address, use the relevant command for your specific system. For example, if you use Linux, then you can use the command “ifconfig -u” to get the MAC address of the NIC.

  • Step 3 Define the group for the real service and add its members to the group

FortiBalancer(config)#slb group method g1 rr direct

Note: Layer 2 SLB supports three methods for the group: rr, hi and chi.

When the “slb group method” command is used to define a Layer 2 SLB group, a new parameter is introduced as the last argument: the route mode. This parameter controls how a data packet coming from a Layer 2 real service is routed. Possible values are “direct” and “route”. With “direct”, the data packet from a Layer 2 real service is sent out directly from the related Layer 2 virtual service’s interface, without consulting any route settings. With “route”, the route settings are used to send the data packet.

  • Step 4 Add the real services to the group

FortiBalancer(config)#slb group member g1 rs1 1

FortiBalancer(config)#slb group member g1 rs2 1

Or

FortiBalancer(config)#slb group member g1 rs1

FortiBalancer(config)#slb group member g1 rs2

  • Step 5 Define Layer 2 virtual service

FortiBalancer(config)#slb virtual l2ip vs1 172.16.162.70

  • Step 6 Define the SLB policy

FortiBalancer(config)#slb policy default vs1 g1

Note: Layer 2 SLB only supports default policy.

  • Step 7 Add the additional health check on the backend server

FortiBalancer(config)#slb real health a1 rs1 172.16.165.73 80 tcp

FortiBalancer(config)#slb real health a1 rs2 172.16.166.73 80 tcp

Here, we have finished the configuration on FortiBalancer1 for the Layer 2 IP/MAC based SLB. Now we will begin to configure FortiBalancer2:

  • Step 1 Assign IP addresses to the relevant interfaces

FortiBalancer(config)#ip address port1 172.16.165.73 255.255.255.0

FortiBalancer(config)#ip address port2 172.16.166.73 255.255.255.0

FortiBalancer(config)#ip address port3 172.16.164.73 255.255.255.0

  • Step 2 Define Layer 2 real services

FortiBalancer(config)#slb real l2ip rs1 172.16.165.72

FortiBalancer(config)#slb real l2ip rs2 172.16.166.72

Or

FortiBalancer(config)#slb real l2mac rs1 00:e0:81:03:36:e5 port1

FortiBalancer(config)#slb real l2mac rs2 00:30:48:81:54:9d port2

  • Step 3 Define the group for the real service

FortiBalancer(config)#slb group method g1 rr direct

FortiBalancer(config)#slb group member g1 rs1 1

FortiBalancer(config)#slb group member g1 rs2 1

Or

FortiBalancer(config)#slb group method g1 hi direct

FortiBalancer(config)#slb group member g1 rs1

FortiBalancer(config)#slb group member g1 rs2

  • Step 4 Add its members to the group

FortiBalancer(config)#slb group member g1 rs1 1

FortiBalancer(config)#slb group member g1 rs2 1

Or

FortiBalancer(config)#slb group member g1 rs1

FortiBalancer(config)#slb group member g1 rs2

  • Step 5 Define Layer 2 virtual service

FortiBalancer(config)#slb virtual l2ip vs1 172.16.167.73

  • Step 6 Define the SLB policy

FortiBalancer(config)#slb policy default vs1 g1

  • Step 7 Add the additional health check on the backend server

FortiBalancer(config)#slb real health a1 rs1 172.16.163.70 80 tcp

FortiBalancer(config)#slb real health a1 rs2 172.16.164.70 80 tcp

  • Step 8 Configure reflector for Layer 2 SLB TCP health check

FortiBalancer(config)#health ipreflect aa 0.0.0.0 80 tcp

