6.3.4.2 Single-arm Network Topology
Configuration Guidelines
As in the two-arm scenario, new routes must be configured on the client, server and firewalls for packet forwarding:
Client route:
route add -net 172.16.167.0 172.16.162.70 -netmask 255.255.255.0
Server routes:
route ADD 172.16.162.0 MASK 255.255.255.0 172.16.167.73
route ADD 172.16.163.0 MASK 255.255.255.0 172.16.167.73
route ADD 172.16.164.0 MASK 255.255.255.0 172.16.167.73
Firewall1 route:
route add default 172.16.163.70
Firewall2 route:
route add default 172.16.164.70
Figure 6-14 IP/MAC-based Load Balancing – Single-arm Network
The general settings for a single-arm network are the same as the settings for a two-arm network.
Configuration Example via CLI
Configure FortiBalancer according to the above figure.
- Step 1 Assign IP addresses to the relevant interfaces
FortiBalancer(config)#ip address “port1” 172.16.162.70 255.255.255.0
FortiBalancer(config)#ip address “port2” 172.16.163.70 255.255.255.0
FortiBalancer(config)#ip address “port3” 172.16.164.70 255.255.255.0
FortiBalancer(config)#ip address “port4” 172.16.167.73 255.255.255.0
- Step 2 Define Layer 2 real services
FortiBalancer(config)#slb real l2ip “r1” 172.16.163.71
FortiBalancer(config)#slb real l2ip “r2” 172.16.164.71
or
FortiBalancer(config)#slb real l2mac r1 00:e0:81:03:36:e4 port2
FortiBalancer(config)#slb real l2mac r2 00:30:48:81:54:9c port3
- Step 3 Define the group for the real service
FortiBalancer(config)#slb group method “g1” “rr” “route”
- Step 4 Add the real services into the group
FortiBalancer(config)#slb group member “g1” “r1” 1
FortiBalancer(config)#slb group member “g1” “r2” 1
or
FortiBalancer(config)#slb group member “g1” “r1”
FortiBalancer(config)#slb group member “g1” “r2”
- Step 5 Define Layer 2 virtual service
FortiBalancer(config)#slb virtual l2ip “v1” 172.16.162.70
FortiBalancer(config)#slb virtual l2ip “v2” 172.16.167.73
- Step 6 Define the SLB policy
FortiBalancer(config)#slb policy default “v1” “g1”
FortiBalancer(config)#slb policy default “v2” “g1”
- Step 7 Add the additional health check on the backend server
FortiBalancer(config)#slb real health a1 r1 172.16.163.71 0 icmp
FortiBalancer(config)#slb real health a1 r2 172.16.164.71 0 icmp
or
FortiBalancer(config)#slb real health a1 r1 172.16.163.70 0 icmp
FortiBalancer(config)#slb real health a1 r2 172.16.164.70 0 icmp
6.3.5 Layer 3 IP-based Load Balancing
6.3.5.1 Configuration Guidelines
The commands used to configure Layer 3 SLB are summarized in the following table:
Table 6-9 General Settings of Layer 3 IP-based Load Balancing
Operation | Command |
Configure real services | slb real ip <real_name> <ip> [max_conn] [icmp|none] [hc_up] [hc_down] [udp_timeout] |
Define group methods | slb group method <group_name> {rr|pu|sr} |
 | slb group method <group_name> lc [threshold] [yes|no] |
 | slb group method <group_name> pi [hash_bits] [rr|sr|lc] [threshold] |
 | slb group method <group_name> hi [hash_bits] |
 | slb group method <group_name> chi [hash_bits] |
 | slb group method <group_name> prox [rr|sr|lc] [threshold] |
 | slb group method <group_name> snmp [weight|cpu] [community] [oidcount] [oid1] [oidweight1] [oid2] [oidweight2] [check_interval] |
Add the real servers into the group | slb group member <group_name> <real_name> [weight] |
Define virtual services | slb virtual ip <virtual_name> <vip> |
Bind the group (or the real service) to the virtual service | slb policy default {virtual_name|vlink_name} {group_name|vlink_name} |
 | slb policy static <virtual_name> <real_name> |
 | slb policy backup {virtual_name|vlink_name} {group_name|vlink_name} |
6.3.5.2 Configuration Example via CLI
- Step 1 Create real services
FortiBalancer(config)#slb real ip rip0 10.3.14.10
FortiBalancer(config)#slb real ip rip1 10.3.14.20 1000 none
The health check of rip0 defaults to “icmp”.
- Step 2 Define a group for Layer 3 load balancing by using the “slb group method” command
FortiBalancer(config)#slb group method gip0
- Step 3 Add the real services into the group
FortiBalancer(config)#slb group member “gip0” “rip0” 1
FortiBalancer(config)#slb group member “gip0” “rip1” 1
- Step 4 Create a virtual service
FortiBalancer(config)#slb virtual ip vip0 10.3.14.56
- Step 5 Associate a group with a virtual service
Associate the group or the real service with the Layer 3 virtual service by using the “slb policy default” command, or associate the real service with the virtual service by using the “slb policy static” command.
FortiBalancer(config)#slb policy default vip0 gip0
Or
FortiBalancer(config)#slb policy static vip0 rip0
6.3.6 Port Range Load Balancing
6.3.6.1 Configuration Guidelines
The commands used to configure Port Range SLB are summarized in the following table:
Table 6-10 General Settings of Port Range Load Balancing
Operation | Command |
Configure real services | slb real tcp <real_name> <ip> <port> [max_conn] [http|tcp|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns|ldap] [hc_up] [hc_down] |
 | slb real http <real_name> <ip> [port] [max_conn] [http|tcp|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns] [hc_up] [hc_down] |
 | slb real udp <real_name> <ip> <port> [max_conn] [hc_up] [hc_down] [timeout] [icmp|script-tcp|script-udp|radius-auth|radius-acct|sip-tcp|sip-udp|dns] |
 | slb real https <real_name> <ip> [port] [max_conn] [https|tcp|tcps|icmp|script-tcp|script-udp|script-tcps|sip-tcp|sip-udp|dns] [hc_up] [hc_down] |
 | slb real tcps <real_name> <ip> <port> [max_conn] [tcp|tcps|icmp|script-tcp|script-udp|script-tcps|sip-tcp|sip-udp|dns] [hc_up] [hc_down] |
 | slb real dns <real_name> <ip> <port> [max_conn] [dns|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns] [hc_up] [hc_down] [timeout] |
Define group methods | slb group method <group_name> [algorithm] |
Add the real servers into the group | slb group member <group_name> <real_name> [weight] |
Define virtual services | slb virtual {http|https|dns|siptcp|sipudp} <virtual_name> <vip> [vport] [arp|noarp] [max_conn] |
 | slb virtual {tcp|tcps|udp} <virtual_name> <vip> <vport> [arp|noarp] [max_conn] |
 | slb virtual rtsp <virtual_name> <vip> [vport] [mode] [arp|noarp] [max_conn] |
 | slb virtual {ftp|ftps} <virtual_name> <vip> [vport] [max_conn] |
Define the port range of a virtual service | slb virtual portrange <virtual_name> <min_port> <max_port> [protocol] [dst|src] |
Bind the group (or the real service) to the virtual service | slb policy default {virtual_name|vlink_name} {group_name|vlink_name} |
 | slb policy static <virtual_name> <real_name> |
 | slb policy backup {virtual_name|vlink_name} {group_name|vlink_name} |
6.3.6.2 Configuration Example via CLI
Herein we use HTTP protocol as an example. The configurations of other protocols are similar.
- Step 1 Define static or port range real services
When the real services are static:
FortiBalancer(config)#slb real http rhttp0 10.3.14.10
The port of HTTP type real service defaults to 80.
FortiBalancer(config)#slb real http rhttp1 10.3.14.11 90
The port of “rhttp1” is specified to 90.
When the real services are port range services, the health check can only be “icmp” or “none”.
FortiBalancer(config)#slb real http rhttp0 10.3.14.10 0 1000 icmp
FortiBalancer(config)#slb real http rhttp1 10.3.14.11 0 1000 none
- Step 2 Define a group
FortiBalancer(config)#slb group method ghttp1
- Step 3 Add the real services into the group
FortiBalancer(config)#slb group member ghttp1 rhttp0
FortiBalancer(config)#slb group member ghttp1 rhttp1
- Step 4 Create a virtual service
FortiBalancer(config)#slb virtual http vhttp0 10.3.14.50 0
- Step 5 Define the port range for the virtual service
At most three port ranges can be defined for an SLB virtual service.
FortiBalancer(config)#slb virtual portrange vhttp0 80 90
FortiBalancer(config)#slb virtual portrange vhttp0 8000 9000
In the above example, all data packets whose destination IP address is “10.3.14.50” and whose destination port falls into the range 80-90 or 8000-9000 are handled by the port range virtual service “vhttp0”.
Note: Port range real services and static real services cannot be added into one group.
- Step 6 Associate a group or a real service with a virtual service
Associate the group to the port-range virtual service with the command “slb policy default” and associate the real service to the port-range virtual service with the command “slb policy static”.
FortiBalancer(config)#slb policy default vhttp0 ghttp1
Or
FortiBalancer(config)#slb policy static vhttp0 rhttp1
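The three port range rules stated in this section (health check limited to "icmp" or "none", no mixing of static and port range real services in one group, at most three port ranges per virtual service) can be checked against a saved command list before it is applied. The following Python script is an added example, not part of the FortiBalancer handbook or product; the function name and rule labels are hypothetical, it parses only the "slb real http" form used above, and it assumes that port 0 marks a port range real service, as in the example commands.

```python
from collections import defaultdict

def lint_port_range_config(text):
    """Check 'slb' commands against the three port range rules in section 6.3.6.2."""
    reals = {}                   # real name -> (is_port_range, explicit health check or None)
    groups = defaultdict(list)   # group name -> member real names
    ranges = defaultdict(list)   # virtual name -> (min_port, max_port) pairs
    for raw in text.splitlines():
        tok = raw.split("#", 1)[-1].split()   # drop the "FortiBalancer(config)#" prompt
        if tok[:3] == ["slb", "real", "http"] and len(tok) >= 5:
            # slb real http <real_name> <ip> [port] [max_conn] [health check]
            # Assumption: port 0 marks a port range real service, as in the page's example.
            port = tok[5] if len(tok) > 5 else "80"
            reals[tok[3]] = (port == "0", tok[7] if len(tok) > 7 else None)
        elif tok[:3] == ["slb", "group", "member"] and len(tok) >= 5:
            groups[tok[3]].append(tok[4])
        elif tok[:3] == ["slb", "virtual", "portrange"] and len(tok) >= 6:
            ranges[tok[3]].append((int(tok[4]), int(tok[5])))
    findings = []
    for name, (is_range, check) in reals.items():
        if is_range and check not in (None, "icmp", "none"):
            findings.append(("health-check", name))      # only icmp or none allowed
    for group, members in groups.items():
        kinds = {reals[m][0] for m in members if m in reals}
        if len(kinds) > 1:
            findings.append(("mixed-group", group))      # static and port range mixed
    for virtual, spans in ranges.items():
        if len(spans) > 3:
            findings.append(("too-many-ranges", virtual))  # more than three ranges
    return findings

# Constructed sample: commands modelled on this section plus three deliberate violations.
SAMPLE = """\
FortiBalancer(config)#slb real http rhttp0 10.3.14.10 0 1000 icmp
FortiBalancer(config)#slb real http rhttp1 10.3.14.11 90
FortiBalancer(config)#slb real http rhttp2 10.3.14.12 0 1000 http
FortiBalancer(config)#slb group method ghttp1
FortiBalancer(config)#slb group member ghttp1 rhttp0
FortiBalancer(config)#slb group member ghttp1 rhttp1
FortiBalancer(config)#slb virtual http vhttp0 10.3.14.50 0
FortiBalancer(config)#slb virtual portrange vhttp0 80 90
FortiBalancer(config)#slb virtual portrange vhttp0 8000 9000
FortiBalancer(config)#slb virtual portrange vhttp0 7000 7100
FortiBalancer(config)#slb virtual portrange vhttp0 10000 10010
"""

if __name__ == "__main__":
    for rule, subject in lint_port_range_config(SAMPLE):
        print(f"{rule}: {subject}")
```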
6.3.7 Terminal Server Load Balancing
6.3.7.1 Configuration Guidelines
The commands used to configure Terminal Server Load Balancing are summarized in the following table:
Table 6-11 General Settings of Terminal Server Load Balancing
Operation | Command |
Create RDP real services | slb real rdp <real_name> <ip> [port] [maxconn] [tcp|icmp] [hc_up] [hc_down] |
Create RDP groups | slb group method <group_name> rdprt [rr|sr|lc] |
Add the real services into the group | slb group member <group_name> <real_name> |
Create RDP virtual services | slb virtual rdp <virtual_name> <vip> [vport] [arp|noarp] [max_conn] |
Associate the real server group with virtual services | slb policy default {virtual_name|vlink_name} {group_name|vlink_name} |
6.3.7.2 Configuration Example via CLI
- Step 1 Create RDP real services
The default port number for RDP real services is 3389.
FortiBalancer(config)#slb real rdp rs1 172.16.69.191 3389 1000 icmp 3 3
FortiBalancer(config)#slb real rdp rs2 172.16.69.192 3389 1000 icmp 3 3
Note: For the RDP real services, only the “icmp” and “tcp” types of health check can be used.
- Step 2 Create RDP groups
FortiBalancer(config)#slb group method g1 rdprt rr
- Step 3 Add the real service into the group
FortiBalancer(config)#slb group member g1 rs1
FortiBalancer(config)#slb group member g1 rs2
- Step 4 Create RDP virtual services
The default port number for RDP virtual services is 3389.
FortiBalancer(config)#slb virtual rdp vs1 172.16.69.171 3389 arp 0
- Step 5 Associate the RDP group with the virtual services
FortiBalancer(config)#slb policy default vs1 g1
Note: RDP only supports the Default group policy.