1、Page 1,AppDirector Training 1.06.09-1.07.11,Page 2,Radware 业务智能网络解决方案,业务感知,应用访问,Inflight-mirror分析,AppDirector,AppXcel-加速,LinkProof,LinkProof Branch,DefensePro,SIP Director,AppXML-安全防火墙,Virtual Director-流量分析,CID-安全设备负载均衡,Page 3,高可用性:健康检查:对整个交易路径上的所有服务器群集和应用。提供丰富的 预定义检查方式,独有的多种检查结果的“与/或”绑定判断,确保业界 最佳的应
2、用感知。 流量重定向(L47):避免阻塞,优化资源并实现全面的冗余性。交易(对话)保持:确保交易的完整性。GSLB: 站点灾备,AppDirector解决方案,高性能:服务器集群:提高整体性能和扩展能力GSLB解决方案:提供就近响应,提高服务品质,高安全:入侵防范DoS 攻击保护:可以保障服务器、应用和用户的安全,Page 4,AD部署方式,Page 5,标准架构,Switch,Switch,Backup AppDirector,Active AppDirector,Router,Page 6,One Leg Topology(推荐组网),Switch,Backup AppDirector,A
3、ctive AppDirector,Router,Server,Server,Server,Server,Page 7,本地三角-Local Triangulation,AppDirector,Router 192.168.1.254,IP = 192.168.1.30 Loop back = 192.168.1.100 Default Gateway = 192.168.1.254,VIP = 192.168.1.100,IP = 192.168.1.10 Loop back = 192.168.1.100 Default Gateway = 192.168.1.254,Load Balan
4、cing Decision,Source IP Client Destination IP VIP Destination MAC - Server,Triangle,Source IP Client Destination IP VIP Destination MAC - AppDirector,Page 8,AD初始化和全局配置管理,Page 9,通过console线连接AD,Page 10,初始化菜单,Page 11,默认配置,Page 12,Web管理登陆,默认用户名:radware 默认密码:radware,Page 13,设备名称管理,Page 14,设备时间管理,NTP Serv
5、er:NTP服务器的IP地址; NTP Timezone:所在地的时区,如中国应为+08:00; NTP Status:改为Enable。,Page 15,基础网络 IP地址管理,Router IP Router Interface Parameters Create,Page 16,基础网络 路由管理,Router Routing Table Create,Page 17,实验一,Page 18,实验一,实验内容: 使用Console连接设备; 清空设备配置; 完成初始化; 使用Web浏览器观察设备信息; 使用Web浏览器更改设备名称 使用Web浏览器设置NTP和设备名称; 使用Web关闭和
6、打开Telnet管理方式; 使用Console或Telnet删除乱码; 使用Console或Telnet更改命令行提示符; 配置管理端口IP;改变管理IP对应的物理端口; 为设备添加默认路由;添加静态路由。,Page 19,实验一,192.168.0.11/24,192.168.0.21/24,192.168.0.31/24,192.168.0.61/24,192.168.0.51/24,192.168.0.41/24,10.1.1.1/24,20.1.1.1/24,30.1.1.1/24,60.1.1.1/24,50.1.1.1/24,40.1.1.1/24,Page 20,业务管理,Pag
7、e 21,Client =192.168.1.50,VIP (6.6.6.100),Client 4.3.2.1,Server 1 192.168.1.10,Server 2 192.168.1.11,Server 3 192.168.1.12,Load Balancing Decision,VIP,负载均衡基础概念,Page 22,Farm是一组提供相同服务的服务器群组,Farm,AppDirector,Server Farm,Clients,VIP,Page 23,Farm参数,进入 AppDirector Farms Farm Table Create,Page 24,Farm参数-续,
8、Aging Time:Client Table中的Session保持时间,Dispatch Method: 负载均衡算法 Cyclic (Round Robin):轮循 Weighted Cyclic :基于权重的轮循方式(通过手工静态地来定义包分发比重) Least Traffic :最少流量 Least Number of Users:最少用户连接数 Response Time Load Balancing:最快反应时间,需启用健康检查模块配合使用 NT SNMP Parameters:根据Windows服务器SNMP参数取到的值选择服务器,仅对Windows服务器有效,并且Windows
9、服务器需要打开SNMP功能 User-Configurable SNMP Parameters:任何提供SNMP的服务器,用户需要设置相关的SNMP OID值及权重作为健康检查对象 Hashing:哈希算法, 根据源地址选择服务器, 同一地址无论任何时候访问VIP都会分配到同一台服务器, 当需要做长时间会话保持时, 使用该算法不需要增加会话表的超时时间,有助于减少会话表的条目,同是不影响会话保持,Page 25,Farm参数连通性检查,Server 1,Server 2,AppDirector,连通性性检查: Ping TCP 或 UDP端口 HTTP 页面 HTTP页面内容 Radius R
10、TSP,Page 26,AppDirector会话保持是基于client table的,Client table mode 简单来说有三种: Regluar: 3层会话表模式,只记录用户源IP, 目标IP和目标端口. 一个用户,无论打开多少会话,只要源IP不变,AppDirector只记录一条会话. Entry Per Session: 4层会话表模式, 记录用户源IP, 源端口,目标IP和目标端口. 对于同一源IP地址,负载均衡算法只执行第一次请求, 同一用户后续请求,无论新开多少会话,都去到相同的服务器,但每个新的会话,都会记录在Client table中. Server Per Sess
11、ion: 4层会话表模式, 记录用户源IP, 源端口,目标IP和目标端口. AppDirector对每个新的会话,都进行负载均衡算法计算. 同一用户后续请求,可能会去到不同的服务器,每个新的会话,都会记录在Client table中.,Farm参数 Session mode,Page 27,Server1,Server2,Server3,Regular Session Mode,Page 28,Server1,Server2,Server3,Entry Per Session Mode,Page 29,Server1,Server2,Server3,Server Per Session Mod
12、e,Page 30,Server管理,AppDirector Servers Application Servers Table Create,Page 31,重要参数,Farm Name: Farm名称 Server Address: 服务器的真实IP地址 Server Port: 服务器的真实端口号,如果服务器的真实端口号与VIP对外提供服务的端口号一致,就保持默认值None;如果服务器真实端口为8080,对外服务端口为80,则配置为8080 Server Name: 标识服务器的名称 Server Weight: 权重,越大分担的用户数量越多,Page 32,Active and Bac
13、kup Server settings allow administrators to have servers in a farm that wont be used unless all other servers become unavailable.,AppDirector,Active1,Active2,Backup,重要参数-Operation Mode,Page 33,Graceful Shutdown of Servers existing users connected to a single server are allowed to time-out naturally.
14、 Allows for planned maintenance or troubleshooting of servers.,Current Users Connected to Server #3,Radware,Trap No more users on Server #3,Server #3 can now be taken down without disconnecting any users,Admin Status - Shutdown,Page 34,L4 策略(VIP),Layer 4 Policies farm selection based on network leve
15、l parameters,Farm a group of servers that provide a service,Layer 7 Policies farm selection based on application level parameters,Virtual IP address,Page 35,本地负载均衡- L4策略,FTP Farm,WEB Farm,DNSFarm,L34 分类 L4 协议: TCP UDP / ICMP L4 端口: TCP 和 UDP端口 用户IP,Page 36,L4策略管理,AppDirector Layer 4 Farm Selection L
16、ayer 4 Policy Table Create,Page 37,策略匹配参数 Virtual IP: VIP used for classification of incoming traffic L4 Protocol: TCP / UDP / ICMP / Other / Any L4 Port: TCP or UDP dest port 客户地址: From / To 动作参数 Farm Name Application: Defines how to treat the classified packets, for example: port 8081 is HTTP, por
17、t 444 is SSL, etc Redundancy Status: Active or Backup,重要参数,Page 38,虚拟网关,特殊L4策略-Virtual IP Interface L4 Protocol:Any L4 Port:Any Farm:None Application:Virtual IP Interface,Page 39,实验二,Page 40,实验二,192.168.0.11/24,192.168.0.21/24,192.168.0.31/24,192.168.0.61/24,192.168.0.51/24,192.168.0.41/24,10.1.1.1/
18、24,20.1.1.1/24,30.1.1.1/24,60.1.1.1/24,50.1.1.1/24,40.1.1.1/24,SV1:192.168.0.101,SV2:192.168.0.102,VIP:10.1.1.10,VIP:20.1.1.10,VIP:30.1.1.10,VIP:40.1.1.10,VIP:50.1.1.10,VIP:60.1.1.10,Page 41,实验二,建立3个Farm,分别包含图示两台服务器 Farm1:健康检查-Ping,端口-any,轮询,Regular Farm2:健康检查TCP 80,端口-80,最少连接,EntryPerSession Farm3:
19、HTTP网页,端口-any,最少连接,ServerPerSession 建立4个VIP VIP1:图示IP,ICMP,Farm1; VIP2:图示IP,TCP,8080,Farm2; VIP3:图示IP,TCP,any,Farm3 VIP4:192.168.0.x5,Virtual IP Interface 验证健康检查; 验证Session Model; 验证服务器管理;,Page 42,NAT,Page 43,NAT,Radware AD有三种NAT方式Server NAT:当服务器对外主动发起访问时,AD做源地址转换,只将服务器发送的请求数据包的源地址IP翻译为L4 Policy的IP地
20、址,源端口保留;Client NAT:当用户对VIP发起请求时, AD做源地址转换,AD将用户请求的数据包的源地址转换为指定IP地址,源端口做动态转换;OutboundNAT:当服务器或AD内部的其他IP对外主动发起访问时,AD做源地址转换,将服务器发送的请求数据包的源地址IP翻译为指定的IP地址,源端口做动态转换;,Page 44,192.168.1.10,192.168.1.11,192.168.1.12,4.3.2.1,VIP 1.1.1.100,Server NAT 未启动,Page 45,192.168.1.10,192.168.1.11,192.168.1.12,4.3.2.1,V
21、IP 1.1.1.100,Server NAT 已启动,Page 46,Server NAT 配置,AppDirector NAT Server NAT Global Parameters,0.0.0.0 使用Server隶属的Farm IP或Superfarm IP 列表中选择 所有服务器都使用该IP,必须Enable,Page 47,Server1,Server2,Server3,Client IP = 6.5.4.3,VIP,Server “sees” Clients Actual Source IP,Client NAT 未启动,Page 48,Client NAT 已启动,Serve
22、r1,Server2,Server3,Client IP = 6.5.4.3,VIP,Server “sees” an address from AppDirector,NAT,Page 49,Web Server1,Web Server2,App Server1,Client,Web VIP,Web Farm,App Server2,App Farm,App VIP,Client Access to Web Servers,Web2 is a “client” to App Farm,?,Client NAT 使用场景 问题,Page 50,Web Server1,Web Server2,A
23、pp Server1,Client,Web VIP,Web Farm,App Server2,App Farm,App VIP,Client Access to Web Servers,Web2 is a “client” to App Farm,App 1 “sees” NAT address from AppDirector,NAT,Client NAT 使用场景 解决方案,Page 51,Client NAT Configuration -Tuning,Services Tuning Device, 0,检查内存重新启动设备,Page 52,Client NAT Configuratio
24、n - Global,AppDirector NAT Client NAT Global Parameters,定义被NAT的用户范围,必须Enable,定义NAT后的地址范围,Page 53,Client NAT Configuration - Intercept,AppDirector NAT Client NAT Intercept Table,Page 54,Client NAT Configuration - NAT,AppDirector NAT Client NAT NAT Table,Page 55,Client NAT Configuration Farm,AppDirect
25、or Farm Additional Parameters Table,Page 56,Client NAT Configuration - Server,AppDirector Server Application Servers table,Farm内的每台服务器:设置为Enable,Page 57,实验三 ClientNAT,Page 58,实验二,192.168.0.11/24,192.168.0.21/24,192.168.0.31/24,192.168.0.61/24,192.168.0.51/24,192.168.0.41/24,SV1:192.168.0.101,SV2:192
26、.168.0.102,VIP:192.168.0.18 CNAT:192.168.0.19,VIP:192.168.0.28 CNAT:192.168.0.29,VIP:192.168.0.38 CNAT:192.168.0.39,VIP:192.168.0.68 CNAT:192.168.0.69,VIP:192.168.0.58 CNAT:192.168.0.59,VIP:192.168.0.48 CNAT:192.168.0.49,Client:192.168.0.x7/24,Page 59,实验二,建立1个新VIP VIP4:图示IP,any,any,Farm1; Ping 验证 HT
27、TP验证 ClientNAT配置,如如图所示; 验证ClientNAT功能 Ping验证 HTTP验证 Server上观察连接验证,Page 60,冗余机制,Page 61,Radware设备支持两种冗余机制: Proprietary (using ARP) VRRP (RFC:2338 Virtual Router Redundancy Protocol),冗余机制,Page 62,Pairs of AppDirectors can operate in Active / Active Configuration,Radware Device A,Radware Device B,Serve
28、r Farm A,Server Farm B,Active Active冗余模式,Page 63,Proprietary Redundancy uses ARP,Active AppDirector,Backup AppDirector,Server Farm,冗余 - Proprietary,Page 64,Proprietary Redundancy uses ARP,Active AppDirector,Backup AppDirector,Server Farm,冗余 - Proprietary,Page 65,VR (Virtual Router)是虚拟的MAC地址 对应一个VR,只
29、有一台设备为主用Master,其他的为备用Backup IP地址和VR关联 “associated”,端口IP、虚拟IP等. 如果Master设备停止广播宣告自己的存在, Backup 设备将接管VR和与之关联的IP,冗余 - VRRP,Page 66,冗余 - VRRP,Virtual Router (MAC) Redundancy Protocol Virtual Routers,Active AppDirector,Backup AppDirector,Server Farm,Associated IPs: 1.1.1.100 1.1.1.1,Associated IPs: 192.16
30、8.1.1,Page 67,冗余 - VRRP,Virtual Router (MAC) Redundancy Protocol Virtual Routers,Active AppDirector,Backup AppDirector,Server Farm,Associated IPs: 1.1.1.100 1.1.1.1,Associated IPs: 192.168.1.1,Page 68,VRRP 配置步骤,VRRP Global VRRP Virtual Route add (down)Associate IP to VRRP router IDVRRP Virtual Route
31、 Set to UP,Page 69,VRRP Configuration - Global,AppDirector Redundancy Global Configuration,VRRP:主/备,Enable:主 Disable:备,Page 70,VRRP Configuration - VRID,AppDirector Redundancy VRRP Virtual Router Create,端口:主/备,主:255 备: 255,主/备相同,主:自身端口IP 备:自身端口IP,Page 71,VRRP Configuration Associated IP,AppDirector
32、Redundancy VRRP Associated IP Create,端口:主/备,主/备相同,主设备端口 Farm IP L4 Policy IP Virtual DNS Client NAT,Page 72,VRRP Configuration VRID Activity,AppDirector Redundancy VRRP Virtual Router,选择 UP,Page 73,实验四 VRRP冗余,Page 74,实验四,192.168.0.11/24,192.168.0.21/24,192.168.0.31/24,192.168.0.61/24,192.168.0.51/24
33、,192.168.0.41/24,SV1:192.168.0.101,SV2:192.168.0.102,VIP:192.168.0.68 Virtual IPInterface:192.167.0.67 CNAT:192.168.0.69,VIP:192.168.0.58 Virtual IPInterface:192.167.0.57 CNAT:192.168.0.59,VIP:192.168.0.48 Virtual IPInterface:192.167.0.47 CNAT:192.168.0.49,Page 75,实验四,建立2个新VIP VIP:图示IP,any,any,Farm1; Virtual IP Interface :图示IP ClientNAT配置,如如图所示; 验证冗余 命令行提示 Client Table,Page 76,谢谢,
