Internet Egress Link Optimization Project Implementation Plan
Confidential    Page 1 of 12

Internet Egress Link Optimization Project Implementation Plan
2005-09-28

Table of contents

Chapter 1 Network topology ..... 3
1.1. Network topology diagram ..... 3
1.2. IP address planning ..... 4
Chapter 2 Implementation process ..... 4
2.1. Refinement of the implementation plan ..... 4
2.2. Offline configuration of the F5 Link Controller ..... 4
    How users access DNS ..... 8
    Changes to the DNS server settings ..... 9
2.3. Firewall configuration changes ..... 10
    A) IP address assignment ..... 10
    B) Routing configuration ..... 10
    Additional rule settings ..... 10
2.4. Adjusting the network structure, cabling, bringing devices online ..... 11
2.5. Modifying the DNS server settings ..... 11
2.6. Business process check ..... 11
2.7. Configuration rollback procedure ..... 11
Chapter 3 Implementation timetable ..... 11

Chapter 1 Network topology

1.1. Network topology diagram

The network topology of the Internet egress link optimization plan is shown in the figure below.

Post-modification network topology:

[Figure: post-modification topology. Labels: Internet, Firewall, ISP1, ISP2, DMZ, Router, Firewall, BIG-IP Controller 1000, Heartbeat Cable, L2 Switch, Internal network, Server VLAN, DB Cluster, APP, Internal DNS, Client, Client VLAN, L3 SW, DMZ DNS1]

1.2. IP address planning

(1) F5 Link Controller public IP address planning:
The newly added F5 Link Controller is assigned public IP addresses on both ISP links. The existing public IP addresses now terminate on the F5 Link Controller, whose internal VLAN connects to the firewall over private addresses. The newly added China Telecom link connects to the Link Controller's telecom VLAN.

(2) F5 Link Controller private IP address planning:
Keep the existing internal address allocation; addresses are assigned so as to change the internal address settings as little as possible.
172.31.1.0/27: used for the segment between the Link Controller's internal side and the core switch.

Chapter 2 Implementation process

The project is implemented in the following steps.

2.1. Refinement of the implementation plan

Complete the missing information in this configuration plan and the configuration plans for devices other than the Link Controller, and confirm that the rollback plan for a failed go-live is adequately prepared.

2.2. Offline configuration of the F5 Link Controller

A) F5 hardware self-test and license activation

B) F5 VLAN division and IP address assignment

VLAN                                                Host name        IP address
cnc (China Netcom), port assignment: 1.1, 1.2       Lc1              real IP
telecom (China Telecom), port assignment: 1.3, 1.4  Lc1              real IP
Internal, port assignment: 2.1, 1.5-1.8, L4 Switch #1   Lc1.f5.com.cn    real IP

C) Routing configuration

Link Controller default gateways:
    cnc: 221.4.104.193
    telecom: 202.104.115.94

Internal routes:
    10.0.0.0/8 via 172.31.1.1 (the firewall's address on the segment facing the F5 Link Controller's internal side)
    9.0.0.0/8 via 172.31.1.1 (the firewall's address on the segment facing the F5 Link Controller's internal side)
    172.30.30.0/24 via 172.31.1.1 (the firewall's address on the segment facing the F5 Link Controller's internal side)

D) Outbound access configuration

Ordinary internal users' outbound access is distributed across the two links by the configured link selection method (the load balancing algorithm), and the source address of their packets is translated to the IP address of the corresponding ISP link.

Wildcard virtual server 0.0.0.0:internal/0 configuration:
    Virtual server IP1: 0.0.0.0
    Service port: 0
    Pool name: Default_GW_Pool
    Load balancing policy: Round Robin
    Pool member addresses: 221.4.104.193; 202.104.115.94

[Figure: outbound address translation. Labels: Internal server 10.2.1.0/24, Intranet, Internet, Network Address Translation, Private IP Address, Clients, Public IP Address, maps to Checkpoint FW, Default_GW_Pool (Load Balancing Method: Round Robin; SNAT AutoMap), L2 switch, VLAN edu_net: Enable SNAT Automap, VLAN tel_net: Enable SNAT Automap, Default GW, VLAN Internal]

E) Internet access for specific users

When certain users access specific external servers, those servers restrict the source addresses they accept. Specific SNAT rules must therefore be configured on the Link Controller for the address translation of those users:

SNAT rule    Purpose    Source address    Translated address
(to be filled in)

F) Specific applications using a designated link

Application / service / port    Designated link    Corresponding gateway pool
(to be filled in)

G) Virtual server configuration

Virtual server configuration example:
    Virtual server IP1: 221.4.104.216
    Service port: 80
    Pool name: Onlinebank_web
    Load balancing policy: Round Robin
    Pool member address: 172.30.30.30
    Persistence: Enable Simple Persistence

Virtual server setup source data:

Server function    Internal address    Port    Public address (cnc)    Public address (telecom)    Domain name
(to be filled in)

[Figure: inbound virtual server mapping. Labels: Client, Internet, Network Address Translation, Real Server Address, VLAN cnc, Virtual Server IP1 221.4.104.216, Nodes, VLAN Internal, Pool web 172.30.30.30, Virtual Server Address, Maps to, Transparent Access, Virtual Server IP 120.96.135.116 -> 172.30.30.30, Firewall, Router, Switch]

How users access DNS
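The outbound behaviour of sections D, E and F above can be reasoned about with a small model. The following Python is an added illustration written for this page, not F5 configuration and not part of the plan: it models the wildcard virtual server 0.0.0.0:0 with the Default_GW_Pool selecting the two gateways from section C round-robin, SNAT Automap rewriting the source to the self IP of the egress VLAN, the static SNAT rules of section E, and the per-application link pinning of section F. The self IPs on the ISP VLANs, the example SNAT entry for 10.2.1.0/28 and the example pinning of tcp/25 are constructed placeholders; the plan leaves those tables empty. The model also makes one design point explicit: a static SNAT address only works if the flow leaves through the ISP that routes that address, so a matching SNAT rule fixes the link as well as the translated source.

```python
"""Outbound path of sections D-F, modelled as an added example (not F5 config)."""
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import Dict, List, Tuple

# Default gateways per ISP link, from section C of the plan.
GATEWAYS: Dict[str, str] = {"cnc": "221.4.104.193", "telecom": "202.104.115.94"}

# Self IPs on the two ISP VLANs are not stated in the plan; these are
# constructed placeholders in the same subnets as the gateways.
SELF_IPS: Dict[str, str] = {"cnc": "221.4.104.200", "telecom": "202.104.115.90"}


class GatewayPool:
    """Round-robin selection over link names (Load Balancing Policy: Round Robin)."""

    def __init__(self, name: str, links: List[str]) -> None:
        self.name = name
        self._cycle = cycle(links)

    def select(self) -> str:
        return next(self._cycle)


class SnatRule:
    """Section E: a fixed set of sources must always appear with a fixed public
    address. The rule also names the link that owns that address, because the
    translated address is only routable from the ISP that assigned it."""

    def __init__(self, source_net: str, translated_ip: str, link: str) -> None:
        self.source_net = ip_network(source_net)
        self.translated_ip = translated_ip
        self.link = link


class LinkController:
    def __init__(self) -> None:
        self.default_pool = GatewayPool("Default_GW_Pool", ["cnc", "telecom"])
        self.app_pools: Dict[Tuple[str, int], GatewayPool] = {}
        self.snat_rules: List[SnatRule] = []

    def pin_application(self, proto: str, port: int, link: str) -> None:
        """Section F: one application/service/port bound to a single-link gateway pool."""
        self.app_pools[(proto, port)] = GatewayPool(f"{link}_GW_Pool", [link])

    def add_snat_rule(self, source_net: str, translated_ip: str, link: str) -> None:
        self.snat_rules.append(SnatRule(source_net, translated_ip, link))

    def egress(self, src_ip: str, proto: str, dport: int) -> Tuple[str, str, str]:
        """Return (link, next-hop gateway, translated source) for one new flow."""
        src = ip_address(src_ip)
        # 1. Static SNAT rules win: they fix both the public address and the link.
        for rule in self.snat_rules:
            if src in rule.source_net:
                return rule.link, GATEWAYS[rule.link], rule.translated_ip
        # 2. A pinned application uses its single-member pool; everything else
        #    goes through Default_GW_Pool, alternating between the two links.
        pool = self.app_pools.get((proto, dport), self.default_pool)
        link = pool.select()
        # 3. SNAT Automap: the source becomes the self IP of the egress VLAN.
        return link, GATEWAYS[link], SELF_IPS[link]


def build_plan_controller() -> LinkController:
    """Controller populated with the plan's gateways plus constructed example
    entries for the empty tables of sections E and F."""
    lc = LinkController()
    # Constructed section E entry: hosts in 10.2.1.0/28 must appear as 221.4.104.201 (cnc).
    lc.add_snat_rule("10.2.1.0/28", "221.4.104.201", "cnc")
    # Constructed section F entry: SMTP (tcp/25) always leaves via the telecom link.
    lc.pin_application("tcp", 25, "telecom")
    return lc


if __name__ == "__main__":
    lc = build_plan_controller()
    flows = [("10.2.1.100", "tcp", 443), ("10.2.1.100", "tcp", 443),
             ("10.2.1.5", "tcp", 443), ("10.2.1.100", "tcp", 25)]
    for src, proto, port in flows:
        print(src, proto, port, "->", lc.egress(src, proto, port))
```

Running the block shows two ordinary flows alternating between cnc and telecom with automapped sources, a flow from the section E range always leaving via cnc as 221.4.104.201, and the pinned tcp/25 flow always leaving via telecom. A practitioner verifying the plan would check exactly these three outcomes on the real device, since a section E user whose flow is balanced onto the other link would be rejected by the source-restricted external server.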
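The inbound side of section G depends on the internal routes of section C: the virtual server 221.4.104.216:80 hands connections to 172.30.30.30, and the return path to that node only exists because 172.30.30.0/24 is routed via 172.31.1.1. The following Python is an added example for this page, not F5 configuration and not the plan's own material: it performs a longest-prefix lookup over the section C routes, refuses to build a virtual server whose pool member has no internal route, and applies simple (source-address) persistence on top of round-robin selection. The second pool member 172.30.30.31 and the client addresses used in the self-check are constructed values.

```python
"""Inbound path of sections C and G, modelled as an added example (not F5 config)."""
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import Dict, List, Optional, Tuple

# Internal routes from section C: every internal prefix via the firewall at 172.31.1.1.
INTERNAL_ROUTES: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "172.31.1.1"),
    ("9.0.0.0/8", "172.31.1.1"),
    ("172.30.30.0/24", "172.31.1.1"),
]


def next_hop(dst_ip: str, routes: List[Tuple[str, str]] = INTERNAL_ROUTES) -> Optional[str]:
    """Longest-prefix match over the internal routes.

    None means no internal route exists, so the packet would fall through to
    an ISP default gateway instead of staying inside the network."""
    dst = ip_address(dst_ip)
    best: Optional[str] = None
    best_len = -1
    for prefix, gateway in routes:
        net = ip_network(prefix)
        if dst in net and net.prefixlen > best_len:
            best, best_len = gateway, net.prefixlen
    return best


class VirtualServer:
    """One virtual server entry as in the section G example."""

    def __init__(self, vip: str, port: int, pool_name: str,
                 members: List[str], persistence: bool = True) -> None:
        # Every pool member must be reachable through an internal route,
        # otherwise server-side traffic would leak toward an ISP gateway.
        for member in members:
            if next_hop(member) is None:
                raise ValueError(f"pool member {member} has no internal route")
        self.vip = vip
        self.port = port
        self.pool_name = pool_name
        self.persistence = persistence
        self._cycle = cycle(members)
        self._persist: Dict[str, str] = {}  # client source IP -> chosen member

    def handle(self, client_ip: str, dst_ip: str, dst_port: int) -> Optional[str]:
        """Return the pool member for a new client connection, or None if the
        connection is not addressed to this virtual server."""
        if (dst_ip, dst_port) != (self.vip, self.port):
            return None
        # Simple persistence: a returning client keeps its earlier member.
        if self.persistence and client_ip in self._persist:
            return self._persist[client_ip]
        member = next(self._cycle)  # Round Robin across the pool
        if self.persistence:
            self._persist[client_ip] = member
        return member


def build_onlinebank_vs() -> VirtualServer:
    """The section G example: 221.4.104.216:80 -> pool Onlinebank_web (172.30.30.30)."""
    return VirtualServer("221.4.104.216", 80, "Onlinebank_web", ["172.30.30.30"])


if __name__ == "__main__":
    vs = build_onlinebank_vs()
    print("route to 172.30.30.30 via", next_hop("172.30.30.30"))
    print("client 203.0.113.5 ->", vs.handle("203.0.113.5", "221.4.104.216", 80))
```

The route check in the constructor is the part worth carrying into the real go-live checklist of section 2.6: a pool member that is only reachable through a default gateway will still answer health checks from the wrong interface and fail in production once the link controller carries live traffic.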