This post covers how to capture the packets that pass through the Native Load Balancer when you use it in an NSX environment.
The steps below apply only to an L4 (TCP/UDP) load balancer; an L7 load balancer requires additional steps.
[Test environment]
Client : 192.168.1.2
VIP : 172.31.1.10
Members
- 172.31.1.11
- 172.31.1.12
- 172.31.1.31
1. Identify the interfaces on which to capture Load Balancer packets
## Look up the interface information of the T1 Gateway created for the One-arm Load Balancer
## Look up the interface information of the T1 Gateway connected to the Segment the Members belong to
## Identify the SR uplink interface, the SR backplane interface and the DR downlink interface
edge-node-02> get logical-routers
Sat Nov 04 2023 UTC 12:06:57.897
Logical Router
UUID                                   VRF    LR-ID  Name          Type                      Ports   Neighbors
736a80e3-23f6-5a2d-81d6-bbefb2786666   0      0                    TUNNEL                    4       6/5000
75dffe6b-faa4-4190-bbd3-9b4c0161999b   1      3      SR-tier0-01   SERVICE_ROUTER_TIER0      6       2/50000
064b8812-743c-427a-b0b6-801570118070   3      9      SR-tier1-01   SERVICE_ROUTER_TIER1      5       2/50000
92045476-c754-48e1-a86a-1ac4f9961112   4      8      DR-tier1-01   DISTRIBUTED_ROUTER_TIER1  4       4/50000   ### <-- !! T1-DR for segment
0a35807f-c32a-4d6c-a58d-a0b73858fbf2   5      1026   SR-one-arm    SERVICE_ROUTER_TIER1      5       4/50000   ### <-- !! T1-SR for Load Balancer
73bdcf75-0251-4927-9c80-68a6d7265911   6      1      DR-tier0-01   DISTRIBUTED_ROUTER_TIER0  5       3/50000

edge-node-02> get logical-router 0a35807f-c32a-4d6c-a58d-a0b73858fbf2 interfaces
Sat Nov 04 2023 UTC 12:08:28.556
Logical Router
UUID                                   VRF    LR-ID  Name          Type
0a35807f-c32a-4d6c-a58d-a0b73858fbf2   5      1026   SR-one-arm    SERVICE_ROUTER_TIER1

Interfaces (IPv6 DAD Status A-DAD_Success, F-DAD_Duplicate, T-DAD_Tentative, U-DAD_Unavailable)
    Interface     : d1b04e3b-63d6-5a9d-850c-700a616cc2d1
    Ifuid         : 274
    Mode          : cpu
    Port-type     : cpu
    Enable-mcast  : false

    Interface     : 5809e629-5b3d-5c7f-ac02-e7dee93d9e54
    Ifuid         : 275
    Mode          : blackhole
    Port-type     : blackhole

    Interface     : 57eac0e2-4f44-4212-9dcf-08d34223d354    ### <-- !! uplink, facing to T0
    Ifuid         : 284
    Name          : t1-one-arm-default-f7dc77b6-90e3-45df-9ce1-ddee3f95bca6-svclrp
    Fwd-mode      : IPV4_ONLY
    Mode          : lif
    Port-type     : service
    IP/Mask       : 172.31.1.254/24
    MAC           : 02:50:56:00:5c:00
    VNI           : 67585
    Access-VLAN   : untagged
    LS port       : 55964e1f-3cbf-451d-9e74-54e38e497ab3
    Urpf-mode     : STRICT_MODE
    DAD-mode      : LOOSE
    RA-mode       : SLAAC_DNS_THROUGH_RA(M=0, O=0)
    Admin         : up
    Op_state      : up
    Enable-mcast  : False
    MTU           : 1500
    arp_proxy     : 172.31.1.10

    Interface     : 8dc23df0-eaf0-460f-8b83-dd3403a1023e
    Ifuid         : 285
    Mode          : loopback
    Port-type     : loopback
    IP/Mask       : 127.0.0.1/8;172.31.1.10/32;::1/128(NA)    ### <-- !! LB VIP

    Interface     : 6b76910b-859b-4236-8d9f-c545a86f7361    ### <-- !! backplane interface(downlink), facing to T1-DR
    Ifuid         : 292
    Name          : bp-sr0-port
    Fwd-mode      : IPV4_ONLY
    Mode          : lif
    Port-type     : backplane
    IP/Mask       : 169.254.0.2/28;fe80::50:56ff:fe56:5300/64(NA)
    MAC           : 02:50:56:56:53:00
    Access-VLAN   : untagged
    LS port       : 00000000-0000-0000-0000-000000000000
    Urpf-mode     : NONE
    DAD-mode      : LOOSE
    RA-mode       : RA_INVALID
    Admin         : down
    Op_state      : up
    Enable-mcast  : True
    MTU           : 1500
    arp_proxy     :

edge-node-02> get logical-router 92045476-c754-48e1-a86a-1ac4f9961112 interfaces
Sat Nov 04 2023 UTC 12:10:53.772
Logical Router
UUID                                   VRF    LR-ID  Name          Type
92045476-c754-48e1-a86a-1ac4f9961112   4      8      DR-tier1-01   DISTRIBUTED_ROUTER_TIER1

Interfaces (IPv6 DAD Status A-DAD_Success, F-DAD_Duplicate, T-DAD_Tentative, U-DAD_Unavailable)
    Interface     : a69fbf2f-f4c6-5da9-9479-ca465099c846
    Ifuid         : 272
    Mode          : cpu
    Port-type     : cpu
    Enable-mcast  : false

    Interface     : a6281bc0-8795-5b05-a774-f43910cc4daa
    Ifuid         : 273
    Mode          : blackhole
    Port-type     : blackhole

    Interface     : e674a6ec-ba06-4442-b303-81c5da4ae6f2
    Ifuid         : 282
    Name          : bp-dr-port
    Fwd-mode      : IPV4_ONLY
    Mode          : lif
    Port-type     : backplane
    IP/Mask       : 169.254.0.1/28;fe80::50:56ff:fe56:4452/64(NA)
    MAC           : 02:50:56:56:44:52
    VNI           : 66560
    Access-VLAN   : untagged
    LS port       : ec5c44bd-a85f-4f85-9791-227fba216782
    Urpf-mode     : PORT_CHECK
    DAD-mode      : LOOSE
    RA-mode       : RA_INVALID
    Admin         : up
    Op_state      : up
    Enable-mcast  : True
    MTU           : 1500
    arp_proxy     :

    Interface     : ed6f81d5-d520-4fd6-9bce-1fb980b76ff7    ### <-- T1-DR downlink facing to segment
    Ifuid         : 289
    Name          : infra-overlay-seg-3101-dlrp
    Fwd-mode      : IPV4_ONLY
    Mode          : lif
    Port-type     : downlink
    IP/Mask       : 172.31.1.1/24
    MAC           : 02:50:56:56:44:52
    VNI           : 67585
    Access-VLAN   : untagged
    LS port       : fe79606b-0572-428b-b35a-63cf922c931b
    Urpf-mode     : STRICT_MODE
    DAD-mode      : LOOSE
    RA-mode       : SLAAC_DNS_THROUGH_RA(M=0, O=0)
    Admin         : up
    Op_state      : up
    Enable-mcast  : True
    MTU           : 1500
    arp_proxy     :

Logical Router
UUID                                   VRF    LR-ID  Name          Type
064b8812-743c-427a-b0b6-801570118070   3      9      SR-tier1-01   SERVICE_ROUTER_TIER1

Interfaces (IPv6 DAD Status A-DAD_Success, F-DAD_Duplicate, T-DAD_Tentative, U-DAD_Unavailable)
    Interface     : fa2373fe-c7d2-5c24-841b-09ae7a48830f
    Ifuid         : 270
    Mode          : cpu
    Port-type     : cpu
    Enable-mcast  : false

    Interface     : 7cd6efc0-5ea7-5e0f-b83e-d6808c5bc745
    Ifuid         : 271
    Mode          : blackhole
    Port-type     : blackhole

    Interface     : c6354b9d-9749-4b03-b989-672c3dd497b8
    Ifuid         : 287
    Name          : tier0-01-tier1-01-t1_lrp
    Fwd-mode      : IPV4_ONLY
    Mode          : lif
    Port-type     : uplink
    IP/Mask       : 100.64.0.1/31;fe80::50:56ff:fe56:4455/64(NA);fc14:9b49:677c:6c00::2/64(NA)
    MAC           : 02:50:56:56:44:55
    VNI           : 74753
    Access-VLAN   : untagged
    LS port       : 57ce7468-fdfd-4c36-824a-fae3ba5df6b5
    Urpf-mode     : NONE
    DAD-mode      : LOOSE
    RA-mode       : SLAAC_DNS_THROUGH_RA(M=0, O=0)
    Admin         : up
    Op_state      : up
    Enable-mcast  : False
    MTU           : 1500
    arp_proxy     :

    Interface     : 677cd5b2-09a1-4f00-b3a1-354081b7aad7
    Ifuid         : 288
    Mode          : loopback
    Port-type     : loopback
    IP/Mask       : 127.0.0.1/8;::1/128(NA)

    Interface     : 3f340ce8-eecb-4de6-b7fc-66f1a03ae599
    Ifuid         : 290
    Name          : bp-sr0-port
    Fwd-mode      : IPV4_ONLY
    Mode          : lif
    Port-type     : backplane
    IP/Mask       : 169.254.0.2/28;fe80::50:56ff:fe56:5300/64(NA)
    MAC           : 02:50:56:56:53:00
    VNI           : 66560
    Access-VLAN   : untagged
    LS port       : af64ecbb-fb0e-4e0a-b08b-e112dfa283f8
    Urpf-mode     : NONE
    DAD-mode      : LOOSE
    RA-mode       : RA_INVALID
    Admin         : up
    Op_state      : up
    Enable-mcast  : True
    MTU           : 1500
    arp_proxy     :
2. Check the L4 Session Table
## NAT information must be checked from the Firewall
## The output below shows that a packet going from 192.168.1.2 → 172.31.1.10:443 is changed to 172.31.1.254:5761 → 172.31.1.11:443
edge-node-02> get firewall interfaces
Sat Nov 04 2023 UTC 14:59:07.167
    Interface      : 3f340ce8-eecb-4de6-b7fc-66f1a03ae599
    Type           : BACKPLANE
    Sync enabled   : true
    Name           : bp-sr0-port
    VRF ID         : 3
    Context entity : 064b8812-743c-427a-b0b6-801570118070
    Context name   : SR-tier1-01

    Interface      : d09e3cdf-7538-4f06-a85c-4e143d550804
    Type           : BACKPLANE
    Sync enabled   : true
    Name           : bp-sr1-port
    VRF ID         : 1
    Context entity : 75dffe6b-faa4-4190-bbd3-9b4c0161999b
    Context name   : SR-tier0-01

    Interface      : f6534080-6e5a-5f4a-9071-0758da2af81b
    Type           : DOWNLINK
    Sync enabled   : true
    Name           : tier0-01-tier1-01-t0_lrp
    VRF ID         : 6
    Context entity : 73bdcf75-0251-4927-9c80-68a6d7265911
    Context name   : DR-tier0-01

    Interface      : c6354b9d-9749-4b03-b989-672c3dd497b8
    Type           : UPLINK
    Sync enabled   : true
    Name           : tier0-01-tier1-01-t1_lrp
    VRF ID         : 3
    Context entity : 064b8812-743c-427a-b0b6-801570118070
    Context name   : SR-tier1-01

    Interface      : a5446c2c-1fb3-443c-98c7-79732fe29f4a
    Type           : UPLINK
    Sync enabled   : true
    Name           : edge02-uplink01
    VRF ID         : 1
    Context entity : 75dffe6b-faa4-4190-bbd3-9b4c0161999b
    Context name   : SR-tier0-01

    Interface      : ed6f81d5-d520-4fd6-9bce-1fb980b76ff7
    Type           : DOWNLINK
    Sync enabled   : true
    Name           : infra-overlay-seg-3101-dlrp
    VRF ID         : 4
    Context entity : 92045476-c754-48e1-a86a-1ac4f9961112
    Context name   : DR-tier1-01

    Interface      : 6b76910b-859b-4236-8d9f-c545a86f7361    ### <-- !!
    Type           : BACKPLANE
    Sync enabled   : true
    Name           : bp-sr0-port
    VRF ID         : 5
    Context entity : 0a35807f-c32a-4d6c-a58d-a0b73858fbf2
    Context name   : SR-one-arm

    Interface      : 57eac0e2-4f44-4212-9dcf-08d34223d354    ### <-- !!
    Type           : SVC_LINK
    Sync enabled   : true
    Name           : t1-one-arm-default-f7dc77b6-90e
    VRF ID         : 5
    Context entity : 0a35807f-c32a-4d6c-a58d-a0b73858fbf2
    Context name   : SR-one-arm

    Interface      : 3d0cc9c5-1f2e-4f50-85a4-223d5701b744
    Type           : UPLINK
    Sync enabled   : true
    Name           : edge02-uplink02
    VRF ID         : 1
    Context entity : 75dffe6b-faa4-4190-bbd3-9b4c0161999b
    Context name   : SR-tier0-01

edge-node-02> get firewall 6b76910b-859b-4236-8d9f-c545a86f7361 connection
Sat Nov 04 2023 UTC 15:03:55.854
Connection count: 0

edge-node-02> get firewall 57eac0e2-4f44-4212-9dcf-08d34223d354 connection
Sat Nov 04 2023 UTC 15:01:02.742
Connection count: 1
0x02000000b6024de3: 172.31.1.254:5737 -> 172.31.1.12:443 (172.31.1.10:443) dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 2024:0

edge-node-02> get load-balancers
Sat Nov 04 2023 UTC 16:20:16.669
Load Balancer
    Applied To             : Logical Router
    Id                     : 2798bb6d-914f-40a5-95b2-6466d4af87ab
    Service Router Id      : 0a35807f-c32a-4d6c-a58d-a0b73858fbf2
    Display Name           : one-arm-lb
    Enabled                : True
    UUID                   : 9178e238-cb6a-479d-ae95-fd5a62f5787d    ### <-- !!
    Log Level              : LB_LOG_LEVEL_INFO
    Relax Scale Validation : False
    Size                   : SMALL
    Virtual Server Id      : 61932e37-7798-4f25-a98d-6a7b70ddf27c

edge-node-02> get load-balancer 9178e238-cb6a-479d-ae95-fd5a62f5787d snat-pools
Sat Nov 04 2023 UTC 16:33:33.230
SNAT : nat_2887713278_1
    Min Port             : 4096
    Max Port             : 65535
    Port Overload Factor : 32
    Random Port          : False
    Snat IP              : 172.31.1.254
    Allocated Port       : 25

edge-node-02> get load-balancer 9178e238-cb6a-479d-ae95-fd5a62f5787d session-tables
Sat Nov 04 2023 UTC 15:54:33.219
Session-Tables
TABLE   ID                PROTO  CADDR        CPORT  VADDR        VPORT  SADDR         SPORT  DADDR        DPORT
<snip>
l4lb-0  000000000000163c  tcp    192.168.1.2  58078  172.31.1.10  443    172.31.1.254  5761   172.31.1.11  443
3. Capture packets on the interface
## Using the edge NSX CLI
## T1-SR uplink interface
start capture interface 57eac0e2-4f44-4212-9dcf-08d34223d354
4. T1-SR uplink interface packets
## Looking at the packets captured on the T1-SR uplink interface, you can see the original packet 192.168.1.2 → 172.31.1.10:443 being NATed to 172.31.1.254 → 172.31.1.11:443
edge-node-02> start capture interface 57eac0e2-4f44-4212-9dcf-08d34223d354 expression host 172.31.1.254 or host 192.168.1.2 and port 443
16:45:37.018703 02:50:56:56:44:52 > 02:50:56:00:5c:00, ethertype IPv4 (0x0800), length 66: 192.168.1.2.58416 > 172.31.1.10.443: Flags [SEW], seq 3902049669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
<base64>AlBWAFwAAlBWVkRSCABFAgA0pARAAH0G6unAqAECrB8BCuQwAbvolI2FAAAAAIDC+vCohQAAAgQFtAEDAwgBAQQC</base64>
16:45:37.021063 02:50:56:00:5c:00 > 00:50:56:a1:c1:87, ethertype IPv4 (0x0800), length 66: 172.31.1.254.5834 > 172.31.1.11.443: Flags [SEW], seq 3902049669, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
<base64>AFBWocGHAlBWAFwACABFAgA0pARAAHwG/3WsHwH+rB8BCxbKAbvolI2FAAAAAIDC+vCJeAAAAgQFtAEDAwgBAQQC</base64>
16:45:37.021781 00:50:56:a1:c1:87 > 02:50:56:00:5c:00, ethertype IPv4 (0x0800), length 66: 172.31.1.11.443 > 172.31.1.254.5834: Flags [S.], seq 3591548319, ack 3902049670, win 65001, options [mss 1383,nop,nop,sackOK,nop,wscale 7], length 0
<base64>AlBWAFwAAFBWocGHCABFAAA0AABAAD8G4HysHwELrB8B/gG7FsrWEq2f6JSNhoAS/ekDygAAAgQFZwEBBAIBAwMH</base64>
16:45:37.021793 02:50:56:00:5c:00 > 02:50:56:56:44:52, ethertype IPv4 (0x0800), length 66: 172.31.1.10.443 > 192.168.1.2.58416: Flags [S.], seq 3591548319, ack 3902049670, win 65001, options [mss 1383,nop,nop,sackOK,nop,wscale 7], length 0
<base64>AlBWVkRSAlBWAFwACABFAAA0AABAAD4GzfCsHwEKwKgBAgG75DDWEq2f6JSNhoAS/eki1wAAAgQFZwEBBAIBAwMH</base64>
16:45:37.022368 02:50:56:56:44:52 > 02:50:56:00:5c:00, ethertype IPv4 (0x0800), length 54: 192.168.1.2.58416 > 172.31.1.10.443: Flags [.], ack 1, win 8211, length 0
<base64>AlBWAFwAAlBWVkRSCABFAAAopAVAAH0G6vbAqAECrB8BCuQwAbvolI2G1hKtoFAQIBNBMwAA</base64>
16:45:37.022372 02:50:56:00:5c:00 > 00:50:56:a1:c1:87, ethertype IPv4 (0x0800), length 54: 172.31.1.254.5834 > 172.31.1.11.443: Flags [.], ack 1, win 8211, length 0
<base64>AFBWocGHAlBWAFwACABFAAAopAVAAHwG/4KsHwH+rB8BCxbKAbvolI2G1hKtoFAQIBMiJgAA</base64>
16:45:37.024519 02:50:56:56:44:52 > 02:50:56:00:5c:00, ethertype IPv4 (0x0800), length 240: 192.168.1.2.58416 > 172.31.1.10.443: Flags [P.], seq 1:187, ack 1, win 8211, length 186
<base64>AlBWAFwAAlBWVkRSCABFAADipAZAAH0G6jvAqAECrB8BCuQwAbvolI2G1hKtoFAYIBNywAAAFgMDALUBAACxAwNlRnU6dFvxuKr35utBpyhCt6pc7xf9mSrldVK3bsPV+wAAKsAswCvAMMAvAJ8AnsAkwCPAKMAnwArACcAUwBMAnQCcAD0APAA1AC8ACgEAAF4AAAAUABIAAA92cmEuY29udG9zby5jb20ACgAIAAYAHQAXABgACwACAQAADQAUABIEAQUBAgEEAwUDAgMCAgYBBgMAIwAAABAACwAJCGh0dHAvMS4xABcAAP8BAAEA</base64>
16:45:37.024559 02:50:56:00:5c:00 > 00:50:56:a1:c1:87, ethertype IPv4 (0x0800), length 240: 172.31.1.254.5834 > 172.31.1.11.443: Flags [P.], seq 1:187, ack 1, win 8211, length 186
<base64>AFBWocGHAlBWAFwACABFAADipAZAAHwG/sesHwH+rB8BCxbKAbvolI2G1hKtoFAYIBNTswAAFgMDALUBAACxAwNlRnU6dFvxuKr35utBpyhCt6pc7xf9mSrldVK3bsPV+wAAKsAswCvAMMAvAJ8AnsAkwCPAKMAnwArACcAUwBMAnQCcAD0APAA1AC8ACgEAAF4AAAAUABIAAA92cmEuY29udG9zby5jb20ACgAIAAYAHQAXABgACwACAQAADQAUABIEAQUBAgEEAwUDAgMCAgYBBgMAIwAAABAACwAJCGh0dHAvMS4xABcAAP8BAAEA</base64>
16:45:37.025045 00:50:56:a1:c1:87 > 02:50:56:00:5c:00, ethertype IPv4 (0x0800), length 60: 172.31.1.11.443 > 172.31.1.254.5834: Flags [.], ack 187, win 507, length 0
<base64>AlBWAFwAAFBWocGHCABFAAAo4tNAAD8G/bSsHwELrB8B/gG7FsrWEq2g6JSOQFAQAfs/hAAAAAAAAAAA</base64>
16:45:37.025070 02:50:56:00:5c:00 > 02:50:56:56:44:52, ethertype IPv4 (0x0800), length 54: 172.31.1.10.443 > 192.168.1.2.58416: Flags [.], ack 187, win 507, length 0
<base64>AlBWVkRSAlBWAFwACABFAAAo4tNAAD4G6yisHwEKwKgBAgG75DDWEq2g6JSOQFAQAftekQAA</base64>
<snip>
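The NAT in step 4 can also be verified from the raw frames rather than from the tcpdump-style summary lines. The Python script below is an example added here (it is not part of the original post and not an NSX tool): it decodes the <base64> blob that the edge capture prints under each packet, parses the Ethernet, IPv4 and TCP headers, and pairs every packet with its translated twin so that the before/after 5-tuple and the TTL change are printed side by side, in the same form as the L4 session table from step 2. The six frames embedded in the script are copied from the capture above (SYN, SYN-ACK and the first ACK, each seen once before and once after translation); the VIP value and the pairing rule (IP ID, TCP seq/ack, flags and payload length are unchanged by the L4 SNAT) are the script's own assumptions.

```python
import base64
import struct
from collections import defaultdict

# Frames copied verbatim from the <base64> blobs in the capture above
# (SYN, SYN-ACK and the first ACK, each seen once before and once after NAT).
FRAMES = [
    "AlBWAFwAAlBWVkRSCABFAgA0pARAAH0G6unAqAECrB8BCuQwAbvolI2FAAAAAIDC+vCohQAAAgQFtAEDAwgBAQQC",
    "AFBWocGHAlBWAFwACABFAgA0pARAAHwG/3WsHwH+rB8BCxbKAbvolI2FAAAAAIDC+vCJeAAAAgQFtAEDAwgBAQQC",
    "AlBWAFwAAFBWocGHCABFAAA0AABAAD8G4HysHwELrB8B/gG7FsrWEq2f6JSNhoAS/ekDygAAAgQFZwEBBAIBAwMH",
    "AlBWVkRSAlBWAFwACABFAAA0AABAAD4GzfCsHwEKwKgBAgG75DDWEq2f6JSNhoAS/eki1wAAAgQFZwEBBAIBAwMH",
    "AlBWAFwAAlBWVkRSCABFAAAopAVAAH0G6vbAqAECrB8BCuQwAbvolI2G1hKtoFAQIBNBMwAA",
    "AFBWocGHAlBWAFwACABFAAAopAVAAHwG/4KsHwH+rB8BCxbKAbvolI2G1hKtoFAQIBMiJgAA",
]
VIP = "172.31.1.10"  # assumed from the test environment at the top of this post


def parse_frame(b64):
    """Decode one captured frame: Ethernet -> IPv4 -> TCP header fields."""
    raw = base64.b64decode(b64)
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", ip[2:6])
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError(f"not TCP (protocol {proto})")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "ip_id": ip_id, "ttl": ttl,
        "src": (src_ip, sport), "dst": (dst_ip, dport),
        "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
        "payload_len": len(tcp) - (off_flags >> 12) * 4,
    }


def flag_str(flags):
    """tcpdump-style flag letters (S=SYN, .=ACK, E=ECE, W=CWR, ...)."""
    names = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W"))
    return "".join(n for bit, n in names if flags & bit)


def nat_translations(frames, vip):
    """Pair each packet with its translated twin and report how the 5-tuple changed.

    Pairing rule (an assumption, not an NSX contract): the L4 SNAT rewrites only
    addresses and ports, so IP ID, TCP seq/ack, flags and payload length survive it.
    """
    twins = defaultdict(list)
    for p in map(parse_frame, frames):
        twins[(p["ip_id"], p["seq"], p["ack"], p["flags"], p["payload_len"])].append(p)
    result = []
    for pair in twins.values():
        if len(pair) != 2:
            continue  # seen only once on this interface: not a translated hop
        outbound = any(p["dst"][0] == vip for p in pair)
        if outbound:  # client -> VIP arrives, SNAT -> member leaves
            pre = next(p for p in pair if p["dst"][0] == vip)
        else:         # member -> SNAT arrives, VIP -> client leaves
            pre = next(p for p in pair if p["src"][0] != vip)
        post = pair[1] if pair[0] is pre else pair[0]
        result.append({
            "direction": "client->member" if outbound else "member->client",
            "flags": flag_str(pre["flags"]),
            "before": (pre["src"], pre["dst"]),
            "after": (post["src"], post["dst"]),
            "ttl": (pre["ttl"], post["ttl"]),
        })
    return result


def nat_table(frames, vip):
    """Distinct client flow -> SNAT flow mappings, comparable to the LB session table."""
    return {t["before"]: t["after"] for t in nat_translations(frames, vip)
            if t["direction"] == "client->member"}


if __name__ == "__main__":
    for t in nat_translations(FRAMES, VIP):
        (s1, d1), (s2, d2) = t["before"], t["after"]
        print(f"[{t['flags']:<3}] {t['direction']:<15} "
              f"{s1[0]}:{s1[1]} > {d1[0]}:{d1[1]}  =>  {s2[0]}:{s2[1]} > {d2[0]}:{d2[1]}"
              f"  (ttl {t['ttl'][0]} -> {t['ttl'][1]})")
```

Run as-is it prints one line per translated packet; the client->member lines correspond to the CADDR/CPORT -> SADDR/SPORT/DADDR/DPORT columns of the session table in step 2, and the TTL dropping by one on every pair confirms the packet was routed through the SR rather than passed through unchanged. To analyse a different capture, paste its <base64> strings into FRAMES and set VIP accordingly.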