《企业运维之云上网络原理与实践》——第二章 负载均衡 CLB——配套实验:访问4层&7层CLB场景对比(5) https://developer.aliyun.com/article/1230668?groupCode=supportservice
9. 在CLB监听的后端服务器上测试ECS1访问4层CLB的8080端口,并在ECS内部抓包
• 访问时建议需要使用curl,因为7层监听是http层面的动作,如果只用telnet来测试,三次握手建立好了之后,客户端和proxy集群(tengine集群)进行了连接,没有发起任何数据的时候,在CLB部分集群上不会向后端ECS建立连接发送数据的,所以必须用curl实际的发送一些7层的数据。
• 抓包时我们关注的信息有哪些?
• 除了192开头的IP,我们还可以看到来自100网段的IP数据包,这些数据包正是7层监听交互的表现
14:24:03.135859 IP 192.168.11.181.34290 > 192.168.11.175.8080: Flags [S], seq 1995438430, win 29200, options [mss 1460,sackOK,TS val 3146156 ecr 0,nop,wscale 7], length 0 14:24:03.137054 IP 192.168.11.175.8080 > 192.168.11.181.34290: Flags [S.], seq 2376897256, ack 1995438431, win 29200, options [mss 1440,nop,nop,sackOK,nop,wscale 9], length 0 14:24:03.137071 IP 192.168.11.181.34290 > 192.168.11.175.8080: Flags [.], ack 1, win 229, length 0 14:24:03.137179 IP 192.168.11.181.34290 > 192.168.11.175.8080: Flags [P.], seq 1:84, ack 1, win 229, length 83: HTTP: GET / HTTP/1.1 14:24:03.138336 IP 192.168.11.175.8080 > 192.168.11.181.34290: Flags [.], ack 84, win 58, length 0 14:24:03.139023 IP 100.122.64.142.2292 > 192.168.11.181.80: Flags [S], seq 1176088477, win 28480, options [mss 1424,sackOK,TS val 4003383056 ecr 0,nop,wscale 9], length 0 14:24:03.139038 IP 192.168.11.181.80 > 100.122.64.142.2292: Flags [S.], seq 2293269875, ack 1176088478, win 28960, options [mss 1460,sackOK,TS val 3146159 ecr 4003383056,nop,wscale 7], length 0 14:24:03.140054 IP 100.122.64.142.2292 > 192.168.11.181.80: Flags [.], ack 1, win 56, options [nop,nop,TS val 4003383058 ecr 3146159], length 0 14:24:03.140073 IP 100.122.64.142.2292 > 192.168.11.181.80: Flags [P.], seq 1:162, ack 1, win 56, options [nop,nop,TS val 4003383058 ecr 3146159], length 161: HTTP: GET / HTTP/1.1 14:24:03.140078 IP 192.168.11.181.80 > 100.122.64.142.2292: Flags [.], ack 162, win 235, options [nop,nop,TS val 3146160 ecr 4003383058], length 0 14:24:03.140254 IP 192.168.11.181.80 > 100.122.64.142.2292: Flags [FP.], seq 1:264, ack 162, win 235, options [nop,nop,TS val 3146160 ecr 4003383058], length 263: HTTP: HTTP/1.1 200 OK 14:24:03.141713 IP 100.122.64.142.2292 > 192.168.11.181.80: Flags [F.], seq 162, ack 265, win 58, options [nop,nop,TS val 4003383059 ecr 3146160], length 0 14:24:03.141732 IP 192.168.11.181.80 > 100.122.64.142.2292: Flags [.], ack 163, win 235, options [nop,nop,TS val 3146161 ecr 4003383059], length 0 14:24:03.141742 IP 192.168.11.175.8080 > 192.168.11.181.34290: Flags [P.], seq 1:247, ack 84, win 58, length 246: HTTP: HTTP/1.1 200 OK 14:24:03.141754 IP 192.168.11.181.34290 > 192.168.11.175.8080: Flags [.], ack 247, win 237, length 0 14:24:03.141889 IP 192.168.11.181.34290 > 192.168.11.175.8080: Flags [F.], seq 84, ack 247, win 237, length 0 14:24:03.143047 IP 192.168.11.175.8080 > 192.168.11.181.34290: Flags [F.], seq 247, ack 85, win 58, length 0 14:24:03.143056 IP 192.168.11.181.34290 > 192.168.11.175.8080: Flags [.], ack 248, win 237, length 0
三、 实验分析
1. 实验结果
从以上的实验结果来看,ECS1访问CLB的80端口,会出现时通时不通的表现,而访问CLB的8080端口,则是100%连通。
2. 实验分析
• 由于四层CLB下,CLB会将客户端的原始链接转发到后端服务器上,因此在这种情况下,ECS1访问CLB内网地址的80端口时相当于访问自己的80端口,从抓包可看到源目IP都是自己,在回SYN_ACK时直接由lo网卡转发到本机,内核未看到SYN_ACK包对应五元组的SYN包,导致内核直接发送了RST;
• 七层CLB下,由于CLB在中间隔离了TCP链接,因此ECS1看到的源IP均为CLB的内网IP,因此地址不会冲突。
