Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 03-Transparent DNS proxy configuration | 409.14 KB |
Configuring transparent DNS proxies
Transparent DNS proxy on the LB device
Restrictions and guidelines: Transparent DNS proxy configuration
Transparent DNS proxy tasks at a glance
Configuring a transparent DNS proxy
Transparent DNS proxy tasks at a glance
Creating a transparent DNS proxy
Specifying an IP address and port number
Specifying the default DNS server pool
Enabling the link protection feature
Specifying an iShell script file
Enabling the transparent DNS proxy
Adding and configuring a DNS server pool member
Configuring a scheduling algorithm for a DNS server pool
Creating a DNS server and specifying a DNS server pool
Specifying an IP address and port number
Enabling the device to automatically obtain the IP address of a DNS server
Associating a link with a DNS server
Configuring a forwarding LB action
Configuring the ToS field in IP packets sent to the DNS server
Specifying the default LB action
Disabling traffic distribution rule deployment
Enabling load balancing logging
Enabling load balancing NAT logging
Enabling load balancing link busy state logging
Displaying and maintaining transparent DNS proxy
Configuring transparent DNS proxies
About transparent DNS proxies
In the scenario where an enterprise rents multiple outbound links, the transparent DNS proxy feature solves the issue of uneven outbound traffic distribution caused by uneven DNS server address configurations on clients.
Application scenario
As shown in Figure 1, intranet users of an enterprise can access external servers A and B through link 1 of ISP 1 and link 2 of ISP 2. External servers A and B provide the same services. All DNS requests of intranet users are forwarded to DNS server A, which returns the resolved IP address of external server A to the requesting users. In this way, all traffic of intranet users is forwarded on one link. Link congestion might occur.
The transparent DNS proxy feature can solve this problem by forwarding DNS requests to DNS servers in different ISPs. All traffic from intranet users is evenly distributed on multiple links. This feature can prevent link congestion and ensure service continuity upon a link failure.
Figure 1 Transparent DNS proxy working mechanism
Workflow
The transparent DNS proxy is implemented by changing the destination IP address of DNS requests.
Figure 2 Transparent DNS proxy workflow
Table 1 Workflow description
|
Step |
Source IP address |
Destination IP address |
|
1. An intranet user on the client host sends a DNS request to the device. |
Host IP address |
IP address of DNS server A |
|
2. The device selects a DNS server to forward the DNS request according to the scheduling algorithm. |
N/A |
N/A |
|
3. The device changes the destination IP address of the DNS request as the IP address of the selected DNS server. |
Host IP address |
IP address of DNS server B |
|
4. The DNS server processes the DNS request and replies with a DNS response. |
IP address of DNS server B |
Host IP address |
|
5. The device changes the source IP address of the DNS response as the destination IP address of the DNS request. |
IP address of DNS server A |
Host IP address |
|
6. The device forwards the DNS response to the intranet user. |
IP address of DNS server A |
Host IP address |
|
7. The intranet user accesses the external server according to the resolved IP address in the DNS response. |
Host IP address |
IP address of Web server B |
|
8. The external server responds to the intranet user. |
IP address of DNS server B |
Host IP address |
Transparent DNS proxy on the LB device
The LB device distributes DNS requests to multiple links by changing the destination IP address of DNS requests.
As shown in Figure 3, the LB device contains the following elements:
· Transparent DNS proxy—The LB device performs transparent DNS proxy for a DNS request only when the port number of the DNS request matches the port number of the transparent DNS proxy.
· DNS server pool—A group of DNS servers.
· DNS server—Entity that processes DNS requests.
· Link—Physical link provided by an ISP.
· LB class—Classifies packets to implement load balancing based on packet type.
· LB action—Drops, forwards, or modifies packets.
· LB policy—Associates an LB class with an LB action. An LB policy can be referenced by the transparent DNS proxy.
Figure 3 Transparent DNS proxy on the LB device
If the destination IP address and port number of a DNS request match those of the transparent DNS proxy, the LB device processes the DNS request as follows:
1. The LB device finds the DNS server pool associated with the transparent DNS proxy.
2. The LB device selects a DNS server according to the scheduling algorithm configured for the DNS server pool.
3. The LB device uses the IP address of the selected DNS server as the destination IP address of the DNS request, and sends the request to the DNS server.
4. The DNS server receives and processes the DNS request, and replies with a DNS response.
The intranet user can now access the external server after receiving the DNS response.
Scheduling algorithms
The LB device calculates the DNS servers that process DNS requests based on the scheduling algorithm specified for the DNS server pool. The device supports the following scheduling algorithms:
Random algorithm
This algorithm randomly assigns DNS requests to DNS servers. After a period of time, the number of connections on each DNS server is roughly the same.
Use the random algorithm in the scenarios where the DNS servers have similar performances and each flow has roughly the same load.
Weighted round-robin algorithm
You can assign different weight values to DNS servers based on their performances. This algorithm assigns DNS requests to DNS servers according to their weight values.
For example, you can assign weight values 2 and 1 to DNS server A and DNS server B, respectively. This algorithm distributes two DNS requests to DNS server A and then distributes one DNS request to DNS server B.
Use the weighted round-robin algorithm in the scenarios where servers have different performances but the sessions have similar service load.
Hash algorithms
Based on different packet information, transparent DNS proxy supports the source IP address hash algorithm, source IP address and port number hash algorithm, and destination IP address hash algorithm.
· Source IP address hash algorithm—Hashes the source IP address of DNS requests and distributes DNS requests to DNS servers according to the hash values. This hash algorithm makes sure DNS requests with the same source IP address are distributed to the same DNS server.
· Source IP address and port hash algorithm—Hashes the source IP address and port number of DNS requests and distributes DNS requests to DNS servers according to the hash values. This hash algorithm makes sure DNS requests with the same source IP address and port number are distributed to the same DNS server.
· Destination IP address hash algorithm—Hashes the destination IP address of DNS requests and distributes DNS requests to DNS servers according to the hash values. This hash algorithm makes sure DNS requests with the same destination IP address are distributed to the same DNS server.
Bandwidth algorithm
This algorithm distributes DNS requests to DNS servers according to the product of the weights and remaining bandwidths of the DNS servers. If the remaining bandwidths of the DNS servers are the same, this algorithm is equivalent to the round-robin algorithm. If the weights of the DNS servers are the same, this algorithm always distributes DNS requests to the DNS server that has the largest remaining bandwidth. If both weights and remaining bandwidths of the DNS servers are different, they both determine DNS server scheduling.
For example, DNS server A and DNS server B correspond to links lk1 and lk2, respectively. If the remaining bandwidth is 150 kbps for link lk1 and 250 kbps for link lk2, and the weight is 5 for DNS server A and 6 for DNS server B, the traffic distribution ratio of DNS server A to DNS server B is 150 × 5:250 × 6, which is 1:2.
Maximum bandwidth algorithm
This algorithm always distributes DNS requests to an idle DNS server that has the largest remaining bandwidth.
For example, DNS server A and DNS server B correspond to links lk1 and lk2, respectively. The maximum bandwidth is 1000 Mbps for link lk1 and 500 Mbps for link lk2. If the request traffic is 1000 Mbps, the maximum bandwidth algorithm distributes 750 Mbps traffic to link lk1 and 250 Mbps traffic to link lk2. Each link has a remaining bandwidth of 250 Mbps.
LB policies
An LB policy associates a class with an action to guide packet forwarding. In an LB policy, you can configure an action for packets matching the specified class to implement load balancing in a more flexible way.
LB classes
You can specify multiple LB classes for an LB policy. Packets match the LB classes in the order the LB classes are configured.
· For an LB class of the match-any type, the specified action is taken on the packets when they match any rule. If no rule is matched, no action is taken.
· For an LB class of the match-all type, the specified action is taken only when the packets match all rules.
LB actions
LB actions include the following modes:
· Forwarding mode—Determines whether and how to forward packets. If no forwarding action is specified, packets are dropped.
· Modification mode—Modifies packets. To prevent the device from dropping the modified packets, the modification action must be used together with a forwarding action.
To drop matching packets, create an LB action without specifying any of the previous action modes.
Sticky groups
A sticky group uses a sticky method to distribute similar sessions to the same DNS server based on sticky entries. The sticky method applies to the first packet of a session. The device distributes subsequent packets of the session to the same DNS server, reducing repeated calculations with the scheduling algorithm and enhancing forwarding efficiency.
A sticky group processes packets as follows:
1. Upon receiving a request with certain attributes for the first time, the device assigns the request to a DNS server according to the scheduling algorithm. In addition, the device generates a sticky entry according to the sticky method.
2. Before the sticky entry ages, if the device receives a request with the same attributes again, it directly forwards the request to the previously selected DNS server without performing repeated scheduling calculations.
Health monitoring
Health monitoring periodically detects links and DNS servers to make sure they can provide services correctly. The LB device actively sends probe packets to links and DNS servers to detect their states in real time. This prevents service interruption caused by traffic assignment to faulty links and DNS servers.
As shown in Figure 4, if the device detects that all DNS servers and links are in normal state, it assigns request traffic to each DNS server based on the scheduling algorithm. (In this example, the same weight value is configured for all DNS servers, and the weighted round-robin algorithm is used.)
Figure 4 Health monitoring diagram (all DNS servers are in normal state)
Upon detecting a DNS server failure, the device immediately stops assigning traffic to the DNS server, and schedules traffic to other DNS servers in normal state.
As shown in Figure 5, upon detecting a DNS server failure, the device immediately stops assigning traffic to the DNS server, and schedules traffic to the DNS server in normal state. The link corresponds to the DNS server is also in normal state.
Figure 5 Health monitoring diagram (a DNS server becomes faulty)
As shown in Figure 6, upon detecting a link failure, the device immediately stops assigning traffic to the corresponding DNS server even if the DNS server is in normal state, and schedules traffic to the normal DNS server with a normal link.
Figure 6 Health monitoring diagram (a link becomes faulty)
After a period of time, if the faulty DNS server and link recover, the device will update the health monitoring states of the DNS server and link, so that the DNS server can participate in scheduling again.
You can specify an NQA template for health monitoring. For information about NQA templates, see NQA configuration in Network Management and Monitoring Configuration Guide.
Restrictions and guidelines: Transparent DNS proxy configuration
The transparent DNS proxy feature is manually exclusive with the DNS transparent proxy feature. For more information about the DNS transparent proxy feature, see DNS configuration in Layer 3—IP Services Configuration Guide.
Transparent DNS proxy tasks at a glance
To configure the transparent DNS proxy feature, perform the following tasks:
1. Configuring a transparent DNS proxy
2. Configuring a DNS server pool
5. (Optional.) Configuring an LB policy
6. (Optional.) Configuring a sticky group
7. (Optional.) Disabling traffic distribution rule deployment
8. (Optional.) Enabling load balancing logging
Configuring a transparent DNS proxy
About transparent DNS proxies
By configuring a transparent DNS proxy, you can load balance DNS requests that match the transparent DNS proxy.
Restrictions and guidelines
To prevent DNS requests that match a transparent DNS proxy from being dropped, you must specify the default DNS server pool or an LB policy for the transparent DNS proxy.
If both the "Specifying the default DNS server pool" and "Specifying an LB policy" tasks are configured, packets are processed by the LB policy first. If the processing fails, the packets are processed by the default DNS server pool.
Transparent DNS proxy tasks at a glance
To configure a transparent DNS proxy, perform the following tasks:
1. Creating a transparent DNS proxy
2. Specifying an IP address and port number
3. Configuring a packet processing policy
Choose the following tasks as needed:
¡ Specifying the default DNS server pool
4. (Optional.) Specifying a VPN instance
5. (Optional.) Enabling the link protection feature
6. (Optional.) Configuring hot backup
7. (Optional.) Specifying an iShell script file
8. Enabling the transparent DNS proxy
Creating a transparent DNS proxy
1. Enter system view.
system-view
2. Create a transparent DNS proxy and enter its view.
loadbalance dns-proxy dns-proxy-name type udp
Specifying an IP address and port number
Restrictions and guidelines
As a best practice, configure an all-zero IP address for a transparent DNS proxy. In this case, all DNS requests are processed by the transparent DNS proxy.
Procedure
1. Enter system view.
system-view
2. Enter transparent DNS proxy view.
loadbalance dns-proxy dns-proxy-name
3. Specify an IP address for the transparent DNS proxy.
IPv4:
ip address ipv4-address [ mask-length | mask ]
IPv6:
ipv6 address ipv6-address [ prefix-length ]
By default, no IP address is specified for a transparent DNS proxy.
4. Specify the port number for the transparent DNS proxy.
port port-number
By default, the port number is 53 for a transparent DNS proxy.
Specifying the default DNS server pool
About this task
After you specify the default DNS server pool for a transparent DNS proxy, DNS requests that match the transparent DNS proxy are forwarded through the DNS server pool. If you specify a sticky group corresponding to the DNS server pool, the DNS server pool works as follows:
1. Upon receiving a user request with certain attributes for the first time, the device assigns the request to a DNS server according to the scheduling algorithm. In addition, the device generates a sticky entry according to the sticky method.
2. Before the sticky entry ages, if the device receives a user request with the same attributes again, it directly forwards the request to the previously selected DNS server without performing repeated scheduling calculations.
Procedure
1. Enter system view.
system-view
2. Enter transparent DNS proxy view.
loadbalance dns-proxy dns-proxy-name
3. Specify the default DNS server pool for the transparent DNS proxy.
default dns-server-pool pool-name [ sticky sticky-name ]
By default, no default DNS server pool is specified for a transparent DNS proxy.
Specifying an LB policy
About this task
By referencing an LB policy, the transparent DNS proxy load balances matching DNS requests based on the packet contents. For more information about configuring an LB policy, see "Configuring an LB policy."
Procedure
1. Enter system view.
system-view
2. Enter transparent DNS proxy view.
loadbalance dns-proxy dns-proxy-name
3. Specify an LB policy for the transparent DNS proxy.
lb-policy policy-name
By default, a transparent DNS proxy does not reference any LB policies.
Specifying a VPN instance
1. Enter system view.
system-view
2. Enter transparent DNS proxy view.
loadbalance dns-proxy dns-proxy-name
3. Specify a VPN instance for the transparent DNS proxy.
vpn-instance vpn-instance-name
By default, a transparent DNS proxy belongs to the public network.
Enabling the link protection feature
About this task
This feature enables a transparent DNS proxy to select a DNS server based on the link bandwidth ratio. If the bandwidth ratio of a link is exceeded, the DNS server is not selected. For more information about the link bandwidth ratio, see "Configuring a linkConfiguring a link."
If the traffic volume on the link to a DNS server exceeds the maximum expected bandwidth multiplied by the bandwidth ratio, the DNS server is busy and will not be selected. If the traffic volume drops below the maximum expected bandwidth multiplied by the bandwidth recovery ratio, the DNS server participates in scheduling again.
Procedure
1. Enter system view.
system-view
2. Enter transparent DNS proxy view.
loadbalance dns-proxy dns-proxy-name
3. Enable the link protection feature.
bandwidth busy-protection enable
By default, the link protection feature is disabled.
Configuring hot backup
About this task
To implement hot backup for two LB devices, you must enable synchronization for session extension information and sticky entries to avoid service interruption.
Restrictions and guidelines
For successful sticky entry synchronization, if you want to specify a sticky group, enable sticky entry synchronization before specifying a sticky group on both LB devices. You can specify a sticky group by using the sticky sticky-name option when specifying the default DNS server pool.
If you do not specify the global keyword when enabling sticky entry synchronization, failover group-based synchronization is performed. Sticky entries are synchronized between cards in the failover group. If you specify the global keyword, sticky entries are synchronized among all failover groups.
The device deletes existing sticky entries and generates new ones when the following events occur:
· Sticky entry synchronization is disabled.
· Sticky entry synchronization is changed from failover group-based synchronization to global synchronization.
· Sticky entry synchronization is changed from global synchronization to failover group-based synchronization.
Procedure
1. Enter system view.
system-view
2. Enter transparent DNS proxy view.
loadbalance dns-proxy dns-proxy-name
3. Enable session extension information synchronization.
connection-sync enable
By default, session extension information synchronization is disabled.
4. Enable sticky entry synchronization.
sticky-sync enable [ global ]
By default, sticky entry synchronization is disabled.
Specifying an iShell script file
About this task
Based on the Lua script language, an iShell script file is an extensible script programming interface. By embedding the interface in load balancing services, you can flexibly implement service processing control. By specifying an iShell script file in transparent DNS proxy view, you can process traffic matching the transparent DNS proxy based on the script definition.
The device has some predefined events and interfaces for reference. The administrator can download and view the iShell help document on the Web interface of the device.
Restrictions and guidelines
Before you specify an iShell script file, use FTP or TFTP to upload the Lua script file to a directory of a file system on the device. For more information about FTP, TFTP, and file system management, see FTP and TFTP configuration and file system management configuration in Fundamentals Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter transparent DNS proxy view.
loadbalance dns-proxy dns-proxy-name
3. Specify an iShell script file.
ishell filename
By default, no iShell script files are specified.
Enabling the transparent DNS proxy
About this task
After configuring a transparent DNS proxy, you must enable the transparent DNS proxy for it to work.
Procedure
1. Enter system view.
system-view
2. Enter transparent DNS proxy view.
loadbalance dns-proxy dns-proxy-name
3. Enable the transparent DNS proxy.
service enable
By default, a transparent DNS proxy is disabled.
Configuring a DNS server pool
About DNS server pools
By configuring a DNS server pool, you can perform centralized management on DNS servers that have similar functions.
Creating a DNS server pool
1. Enter system view.
system-view
2. Create a DNS server pool and enter its view.
loadbalance dns-server-pool pool-name
3. (Optional.) Configure a description for the DNS server pool.
description text
By default, no description is configured for a DNS server pool.
Adding and configuring a DNS server pool member
About this task
Perform this task to create a DNS server pool member or add an existing DNS server as a DNS server pool member in DNS server pool view. You can also specify a DNS server pool for a DNS server in DNS server view to achieve the same purpose (see "Creating a DNS server and specifying a DNS server poolCreating a DNS server and specifying a DNS server pool").
After you add a DNS server pool member, you can configure the following parameters and features for the DNS server in the DNS server pool:
· Weight.
· Priority.
· Health monitoring.
The member-based scheduling algorithm selects the optimal DNS server based on these configurations.
Health monitoring detects the state and performance of DNS server pool members to ensure their availability. The health monitoring configuration uses NQA templates. For more information about NQA templates, see NQA configuration in Network Management and Monitoring Configuration Guide.
Restrictions and guidelines
The health monitoring method configurations in the following views are in ascending order of priority: DNS server view, DNS server pool view, and DNS server pool member view.
The health monitoring result for a DNS server affects the availability of a DNS server pool member. The health monitoring result for a DNS server pool member does not affect the availability of a DNS server.
Procedure
1. Enter system view.
system-view
2. Enter DNS server pool view.
loadbalance dns-server-pool pool-name
3. Create a DNS server pool member and enter its view.
dns-server dns-server-name port port-number
If the DNS server already exists, the command adds the existing DNS server as a DNS server pool member.
4. (Optional.) Configure a description for the DNS server pool member.
description text
By default, no description is configured for the DNS server pool member.
5. Set the weight of the DNS server pool member.
weight weight-value
The default setting is 100.
6. (Optional.) Set the priority of the DNS server pool member.
priority priority
The default setting is 4.
7. (Optional.) Configure health monitoring for the DNS server pool member.
a. Specify a health monitoring method for the DNS server pool member.
probe template-name
By default, no health monitoring method is specified for the DNS server pool member.
b. Specify the health monitoring success criteria for the DNS server pool member.
success-criteria { all | at-least min-number }
By default, health monitoring succeeds only when all the specified health monitoring methods succeed.
Configuring a scheduling algorithm for a DNS server pool
About this task
The LB device calculates the DNS servers that process DNS requests based on the scheduling algorithm specified for the DNS server pool. For more information about scheduling algorithms, see "Scheduling algorithms."
Restrictions and guidelines
By default, only the DNS servers with the highest priority in the DNS server pool participate in scheduling. You can use this feature to limit the number of DNS servers that can participate in scheduling.
· If the number of DNS servers that can participate in scheduling is less than the min-number setting, more DNS servers are selected by priority in descending order.
· If the number of DNS servers that can participate in scheduling exceeds the max-number setting, the max-number setting applies.
Procedure
1. Enter system view.
system-view
2. Enter DNS server pool view.
loadbalance dns-server-pool pool-name
3. Specify a scheduling algorithm for the DNS server pool.
predictor hash address { destination | source | source-ip-port } [ mask mask-length ] [ prefix prefix-length ]
predictor { random | round-robin | { bandwidth | max-bandwidth } [ inbound | outbound ] }
By default, the scheduling algorithm for a DNS server pool is weighted round robin.
4. Specify the number of DNS servers to participate in scheduling.
selected-server min min-number max max-number
By default, the DNS servers with the highest priority participate in scheduling.
Configuring health monitoring
About this task
Perform this task to enable health monitoring to detect the availability of DNS servers in a DNS server pool.
Restrictions and guidelines
The health monitoring method configurations in the following views are in ascending order of priority: DNS server view, DNS server pool view, and DNS server pool member view.
You can specify an NQA template for health monitoring. For information about NQA templates, see NQA configuration in Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter DNS server pool view.
loadbalance dns-server-pool pool-name
3. Specify a health monitoring method for the DNS server pool.
probe template-name
By default, no health monitoring method is specified for a DNS server pool.
4. Specify the health monitoring success criteria for the DNS server pool.
success-criteria { all | at-least min-number }
By default, health monitoring succeeds only when all the specified health monitoring methods succeed.
Configuring a DNS server
About DNS servers
Perform this task to configure an entity on the LB device for processing DNS requests. DNS servers configured on the LB device correspond to DNS servers in ISP networks. A DNS server can belong to multiple DNS server pools. A DNS server pool can contain multiple DNS servers.
DNS server tasks at a glance
To configure a DNS server, perform the following tasks:
1. Creating a DNS server and specifying a DNS server pool
2. Configuring an IP address for a DNS server
Choose one of the following tasks:
¡ Specifying an IP address and port number
¡ Enabling the device to automatically obtain the IP address of a DNS server
4. Associating a link with a DNS server
5. (Optional.) Configuring health monitoring
Creating a DNS server and specifying a DNS server pool
1. Enter system view.
system-view
2. Create a DNS server and enter its view.
loadbalance dns-server dns-server-name
3. (Optional.) Configure a description for the DNS server.
description text
By default, no description is configured for a DNS server.
4. Specify a DNS server pool for the DNS server.
dns-server-pool pool-name
By default, a DNS server does not belong to any DNS server pool.
Specifying an IP address and port number
1. Enter system view.
system-view
2. Enter DNS server view.
loadbalance dns-server dns-server-name
3. Specify an IP address for the DNS server.
IPv4:
ip address ipv4-address
IPv6:
ipv6 address ipv6-address
By default, no IP address is specified for a DNS server.
4. Specify the port number for the DNS server.
port port-number
By default, the port number of a DNS server is 0. Packets use their own port numbers.
Specifying a VPN instance
1. Enter system view.
system-view
2. Enter DNS server view.
loadbalance dns-server dns-server-name
3. Specify a VPN instance for the DNS server.
vpn-instance vpn-instance-name
By default, a DNS server belongs to the public network.
Enabling the device to automatically obtain the IP address of a DNS server
About this task
In scenarios where IP addresses are obtained through PPPoE, an LB device can dynamically obtain the IP address of a DNS server.
Before configuring this task, you must specify the outgoing interface for the link associated with the DNS server. Otherwise, the IP address of the DNS server cannot be obtained.
Procedure
1. Enter system view.
system-view
2. Enter DNS server view.
loadbalance dns-server dns-server-name
3. Enable the device to automatically obtain the IP address of the DNS server.
auto-alloc address
By default, the device does not automatically obtain the IP address of a DNS server.
Associating a link with a DNS server
Restrictions and guidelines
A DNS server can be associated with only one link. A link can be associated with multiple DNS servers.
Procedure
1. Enter system view.
system-view
2. Enter DNS server view.
loadbalance dns-server dns-server-name
3. Associate a link with the DNS server.
link link-name
By default, no link is associated with a DNS server.
Configuring health monitoring
About this task
Perform this task to enable health monitoring to detect the availability of a DNS server.
Restrictions and guidelines
The health monitoring method configurations in the following views are in ascending order of priority: DNS server view, DNS server pool view, and DNS server pool member view.
The health monitoring result for a DNS server affects the availability of a DNS server pool member. The health monitoring result for a DNS server pool member does not affect the availability of a DNS server.
Procedure
1. Enter system view.
system-view
2. Enter DNS server view.
loadbalance dns-server dns-server-name
3. Specify a health monitoring method for the DNS server.
probe template-name
By default, no health monitoring method is specified for a DNS server.
4. Specify the health monitoring success criteria for the DNS server.
success-criteria { all | at-least min-number }
By default, health monitoring succeeds only when all the specified health monitoring methods succeed.
Configuring a link
About this task
A link is a physical link provided by an ISP. To ensure correct traffic direction, perform either of the following tasks:
· Specify an outbound next hop for a link in the view of the link.
· Specify an outgoing interface for a link. An LB device can dynamically obtain the outbound next hop IP address through the specified outgoing interface. This method is applicable to scenarios where outbound links use PPPoE to dynamically obtain IP addresses.
Health monitoring detects the quality and status of links to ensure their availability. The health monitoring configuration uses NQA templates. For more information about NQA templates, see NQA configuration in Network Management and Monitoring Configuration Guide.
The maximum bandwidth of a link refers to the highest data transmission rate supported by the link. You can configure the maximum bandwidth for a link to limit its rate.
The maximum expected bandwidth of a link refers to the upper limit for the uplink/downlink bandwidth that the link can bear. The configured maximum expected bandwidth is used for link protection and calculating the remaining bandwidth in the bandwidth algorithm and maximum bandwidth algorithm.
The bandwidth busy rate of a link is the ratio of the actual bandwidth to maximum expected bandwidth. If you do not limit the maximum expected bandwidth, its configurable maximum value applies.
· Bandwidth busy rate—Determines whether a link is busy. If the ratio of the actual bandwidth to maximum expected bandwidth of a link exceeds the bandwidth busy rate, the link is considered busy and excluded from scheduling.
· Bandwidth recovery rate—Determines whether a link recovers from the busy state. If the ratio of the actual bandwidth to maximum expected bandwidth of a link drops to or below the bandwidth recovery rate, the link is considered not busy and included in scheduling again.
Restrictions and guidelines
Configuration or modification of the maximum expected bandwidth, bandwidth busy rate, and bandwidth recovery rate of a link takes affect only on new traffic (excluding traffic that matches sticky entries) and does not take effect on existing connections.
If no maximum expected bandwidth is configured for a link in the maximum bandwidth algorithm and bandwidth algorithm, the maximum bandwidth configured for the link is used for calculating the remaining bandwidth.
Procedure
1. Enter system view.
system-view
2. Create a link and enter its view.
loadbalance link link-name
3. (Optional.) Configure a description for the link.
description text
By default, no description is configured for a link.
4. Specify an outbound next hop or outgoing interface for the link. Choose either of the options as needed:
¡ Specify an outbound next hop for the link.
IPv4:
router ip ipv4-address
IPv6:
router ipv6 ipv6-address
By default, no outbound next hop is specified for a link.
¡ Specify an outgoing interface for the link.
router interface interface-type interface-number
By default, no outgoing interface is specified for a link.
5. (Optional.) Specify a VPN instance for the link.
vpn-instance vpn-instance-name
By default, a link belongs to the public network.
6. (Optional.) Configure health monitoring for the link.
a. Specify a health monitoring method for the link.
probe template-name
By default, no health monitoring method is specified for a link.
b. Specify the health monitoring success criteria for the link.
success-criteria { all | at-least min-number }
By default, health monitoring succeeds only when all the specified health monitoring methods succeed.
7. (Optional.) Set the maximum bandwidth for the link.
rate-limit bandwidth [ inbound | outbound ] bandwidth-value kbps
By default, the maximum bandwidth for a link is not limited.
8. (Optional.) Set the bandwidth ratio and maximum expected bandwidth.
a. Set the bandwidth ratio.
bandwidth [ inbound | outbound ] busy-rate busy-rate-number [ recovery recovery-rate-number ]
By default, the total bandwidth ratio is 70.
b. Set the maximum expected bandwidth.
max-bandwidth [ inbound | outbound ] bandwidth-value kbps
By default, the maximum expected bandwidth is not limited.
Configuring an LB class
About this task
An LB class classifies packets by comparing packets against specific rules. Matching packets are further processed by LB actions. You can create a maximum of 65535 rules for an LB class.
Restrictions and guidelines
If the specified ACL does not exist, the ACL match rule does not take effect.
Procedure
1. Enter system view.
system-view
2. Create a DNS LB class and enter its view.
loadbalance class class-name type dns [ match-all | match-any ]
When you create an LB class, you must specify the class type. You can enter an existing LB class view without specifying the class type. If you specify the class type when entering an existing LB class view, the class type must be the one specified when you create the LB class.
3. (Optional.) Configure a description for the LB class.
description text
By default, no description is configured for an LB class.
4. Create match rules. Choose the options to configure as needed:
¡ Create a match rule that references an LB class.
match [ match-id ] class class-name
¡ Create a source IP address match rule.
match [ match-id ] source { ip address ipv4-address [ mask-length | mask ] | ipv6 address ipv6-address [ prefix-length ] }
¡ Create a destination IP address match rule.
match [ match-id ] destination { ip address ipv4-address [ mask-length | mask ] | ipv6 address ipv6-address [ prefix-length ] }
¡ Create an ACL match rule.
match [ match-id ] acl [ ipv6 ] { acl-number | name acl-name }
¡ Create a domain name match rule.
match [ match-id ] domain-name domain-name
By default, an LB class does not have any match rules.
Configuring an LB action
About LB actions
LB actions include the following modes:
· Forwarding mode—Determines whether and how to forward packets. If no forwarding action is specified, packets are dropped.
· Modification mode—Modifies packets. To prevent the LB device from dropping the modified packets, the modification action must be used together with a forwarding action.
If you create an LB action without specifying any of the previous action modes, packets are dropped.
Restrictions and guidelines
The following tasks are mutually exclusive:
· Configuring the forwarding mode
· Specifying a DNS server pool for guiding packet forwarding
· Skipping the current transparent DNS proxy
Configuring one task automatically cancels the other task that you have configured.
LB action tasks at a glance
To configure an LB action, perform the following tasks:
2. (Optional.) Configuring a forwarding LB action
¡ Configuring the forwarding mode
¡ Specifying a DNS server pool for guiding packet forwarding
¡ Skipping the current transparent DNS proxy
¡ Matching the next rule upon failure to find a DNS server
¡ (Optional.) Matching the next rule when all DNS servers are busy
3. (Optional.) Configuring a modification LB action
¡ Configuring the ToS field in IP packets sent to the DNS server
Creating an LB action
1. Enter system view.
system-view
2. Create a DNS LB action and enter LB action view.
loadbalance action action-name type dns
When you create an LB action, you must specify the action type. You can enter an existing LB action view without specifying the action type. If you specify the action type when entering an existing LB action view, the action type must be the one specified when you create the LB action.
3. (Optional.) Configure a description for the LB action.
description text
By default, no description is configured for an LB action.
Configuring a forwarding LB action
About this task
Three forwarding LB action types are available:
· Forward—Forwards matching packets.
· Specify a DNS server pool for guiding packet forwarding.
· Skip the current transparent DNS proxy—Skips the current transparent DNS proxy and match the next transparent DNS proxy or virtual server.
· Match the next rule upon failure to find a DNS server—If the device fails to find a DNS server according to the LB action, it matches the packet with the next rule in the LB policy.
· Match the next rule when all DNS servers are busy.
Configuring the forwarding mode
1. Enter system view.
system-view
2. Enter DNS LB action view.
loadbalance action action-name
3. Configure the forwarding mode.
forward all
By default, the forwarding mode is to discard packets.
This command does not apply to SIP virtual servers.
Specifying a DNS server pool for guiding packet forwarding
1. Enter system view.
system-view
2. Enter DNS LB action view.
loadbalance action action-name
3. Specify a DNS server pool for guiding packet forwarding.
dns-server-pool pool-name [ sticky sticky-name ]
By default, no DNS server pool is specified for guiding packet forwarding.
Skipping the current transparent DNS proxy
1. Enter system view.
system-view
2. Enter DNS LB action view.
loadbalance action action-name
3. Skip the current transparent DNS proxy.
skip current-dns-proxy
By default, the forwarding mode is to discard packets.
Matching the next rule upon failure to find a DNS server
1. Enter system view.
system-view
2. Enter DNS LB action view.
loadbalance action action-name
3. Match the next rule upon failure to find a DNS server.
fallback-action continue
By default, the next rule is not matched (packets are dropped) when no DNS servers are available for an LB action.
Matching the next rule when all DNS servers are busy
1. Enter system view.
system-view
2. Enter LB action view.
loadbalance action action-name
3. Match the next rule when all DNS servers are busy.
busy-action continue
By default, the device assigns DNS requests to DNS servers regardless of whether they are busy.
Configuring the ToS field in IP packets sent to the DNS server
1. Enter system view.
system-view
2. Enter DNS LB action view.
loadbalance action action-name
3. Configure the ToS field in IP packets sent to the DNS server.
set ip tos tos-number
By default, the ToS field in IP packets sent to the DNS server is not changed.
Configuring an LB policy
LB policy tasks at a glance
To configure an LB policy, perform the following tasks:
3. Specifying the default LB action
Creating an LB policy
1. Enter system view.
system-view
2. Create a DNS LB policy and enter LB action view.
loadbalance policy policy-name type dns
When you create an LB policy, you must specify the policy type. You can enter an existing LB policy view without specifying the policy type. If you specify the policy type when entering an existing LB policy view, the policy type must be the one specified when you create the LB policy.
3. (Optional.) Configure a description for the LB policy.
description text
By default, no description is configured for an LB policy.
Specifying an LB action
Restrictions and guidelines
A DNS LB policy can reference only DNS LB classes and DNS LB actions.
Procedure
1. Enter system view.
system-view
2. Enter DNS LB policy view.
loadbalance policy policy-name
3. Specify an LB action for an LB class.
class class-name [ insert-before before-class-name | insert-after [ after-class-name ] ] action action-name
By default, no LB action is specified for an LB class.
Specifying the default LB action
Restrictions and guidelines
The default LB action takes effect on packets that do not match any LB classes.
A DNS LB policy can reference only a DNS LB action as the default LB action.
Procedure
1. Enter system view.
system-view
2. Enter DNS LB policy view.
loadbalance policy policy-name
3. Specify the default LB action.
default-class action action-name
By default, no default LB action is specified.
Configuring a sticky group
About this task
A sticky group uses a sticky method to distribute similar sessions to the same DNS server according to sticky entries. The sticky method applies to the first packet of a session. Other packets of the session are distributed to the same DNS server.
Procedure
1. Enter system view.
system-view
2. Create an address- and port-type sticky group and enter sticky group view.
sticky-group group-name type address-port
When you create a sticky group, you must specify the group type. You can enter an existing sticky group view without specifying the group type. If you specify the group type when entering an existing sticky group view, the group type must be the one specified when you create the sticky group.
3. (Optional.) Configure a description for the sticky group.
description text
By default, no description is configured for a sticky group.
4. Configure the IP sticky method.
IPv4:
ip [ port ] { both | destination | source } [ mask mask-length ]
IPv6:
ipv6 [ port ] { both | destination | source } [ prefix prefix-length ]
By default, no IP sticky method is configured.
5. Configure the timeout time for sticky entries.
timeout timeout-value
By default, the timeout time for sticky entries is 60 seconds.
Disabling traffic distribution rule deployment
About this task
When LB traffic distribution rule deployment is enabled, the system automatically deploys traffic distribution rules based on the LB configuration. After you disable LB traffic distribution rule deployment, the system deletes the deployed traffic distribution rules, and does not deploy new traffic distribution rules. In this case, you must configure traffic redirection by using a QoS policy to ensure that the request and response packets are processed by one failover group. For information about configuring traffic redirection by using a QoS policy, see ACL and QoS Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Disable traffic distribution rule deployment.
loadbalance flow-redirect disable
By default, traffic distribution rule deployment is enabled.
Enabling load balancing logging
About load balancing logging
For security auditing purposes, enable load balancing logging to record load balancing information. Load balancing logging includes NAT logging and link busy state logging.
NAT logging records NAT session information, including IP address and port translation information and access information.
Link busy state logging records busy states for all links.
Enabling load balancing NAT logging
1. Enter system view.
system-view
2. Enable load balancing NAT logging.
loadbalance log enable nat
By default, load balancing NAT logging is disabled.
Enabling load balancing link busy state logging
1. Enter system view.
system-view
2. Enable load balancing link busy state logging.
loadbalance log enable bandwidth-busy
By default, load balancing link busy state logging is disabled.
Displaying and maintaining transparent DNS proxy
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display DNS server pool information. |
display loadbalance dns-server-pool [ brief | name pool-name ] |
|
Display DNS server information. |
display loadbalance dns-server [ brief | name dns-server-name ] |
|
Display DNS server pool member information. |
display loadbalance dns-server dns-server-pool dns-server-pool-name [ name dns-server-name port port-number ] |
|
Display DNS server statistics. |
In standalone mode: display loadbalance dns-server statistics [ name dns-server-name ] [ slot slot-number ] In IRF mode: display loadbalance dns-server statistics [ name dns-server-name ] [ chassis chassis-number slot slot-number ] |
|
Display DNS server pool member statistics. |
In standalone mode: display loadbalance dns-server statistics dns-server-pool dns-server-pool-name [ name dns-server-name port port-number ] [ slot slot-number ] In IRF mode: display loadbalance dns-server statistics dns-server-pool dns-server-pool-name [ name dns-server-name port port-number ] [ chassis chassis-number slot slot-number ] |
|
Display transparent DNS proxy information. |
display loadbalance dns-proxy [ brief | name dns-proxy-name ] |
|
Display transparent DNS proxy statistics. |
In standalone mode: display loadbalance dns-proxy statistics [ name dns-proxy-name ] [ slot slot-number ] In IRF mode: display loadbalance dns-proxy statistics [ name dns-proxy-name ] [ chassis chassis-number slot slot-number ] |
|
Display link information. |
display loadbalance link [ brief | name link-name ] |
|
Display link statistics. |
In standalone mode: display loadbalance link statistics [ name link-name ] [ slot slot-number ] In IRF mode: display loadbalance link statistics [ name link-name] [ chassis chassis-number slot slot-number ] |
|
Display LB class information. |
display loadbalance class [ name class-name ] |
|
Display LB action information. |
display loadbalance action [ name action-name ] |
|
Display LB policy information. |
display loadbalance policy [ name policy-name ] |
|
Display sticky entry information for transparent DNS proxies. |
In standalone mode: display sticky dns-proxy [ dns-proxy-name dns-proxy-name ] [ class { class-name | default-class } | client-addr { ipv4-address | ipv6-address } | dns-server-addr { ipv4-address | ipv6-address } | dns-server-pool pool-name | dns-server-port port-number | key sticky-key ] * [ brief ] [ slot slot-number ] In IRF mode: display sticky dns-proxy [ dns-proxy-name dns-proxy-name ] [ class { class-name | default-class } | client-addr { ipv4-address | ipv6-address } | dns-server-addr { ipv4-address | ipv6-address } | dns-server-pool pool-name | dns-server-port port-number | key sticky-key ] * [ brief ] [ chassis chassis-number slot slot-number ] |
|
Display sticky group information. |
display sticky-group [ name group-name ] |
|
Display LB hot backup statistics. |
In standalone mode: display loadbalance hot-backup statistics [ slot slot-number ] In IRF mode: display loadbalance hot-backup statistics [ chassis chassis-number slot slot-number ] |
|
Clear DNS server statistics. |
reset loadbalance dns-server statistics [ dns-server-name ] |
|
Clear DNS server pool member statistics. |
reset loadbalance dns-server statistics dns-server-pool dns-server-pool-name [ name dns-server-name port port-number ] |
|
Clear transparent DNS proxy statistics. |
reset loadbalance dns-proxy statistics [ dns-proxy-name ] |
|
Clear link statistics. |
reset loadbalance link statistics [ link-name ] |
|
Clear LB hot backup statistics. |
reset loadbalance hot-backup statistics |
|
Clear sticky entry information for transparent DNS proxies. |
In standalone mode: reset sticky dns-proxy [ dns-proxy-name dns-proxy-name ] [ class { class-name | default-class } | client-addr { ipv4-address | ipv6-address } | dns-server-addr { ipv4-address | ipv6-address } | dns-server-pool pool-name | dns-server-port port-number | key sticky-key ] * [ slot slot-number ] In IRF mode: reset sticky dns-proxy [ dns-proxy-name dns-proxy-name ] [ class { class-name | default-class } | client-addr { ipv4-address | ipv6-address } | dns-server-addr { ipv4-address | ipv6-address } | dns-server-pool pool-name | dns-server-port port-number | key sticky-key ] * [ chassis chassis-number slot slot-number ] |
Transparent DNS proxy configuration examples
Example: Configuring transparent DNS proxy
Network configuration
In Figure 7, ISP 1 and ISP 2 provide two links with the same bandwidth: Link 1 and Link 2. The IP address of the DNS server of ISP 1 is 10.1.2.100. The IP address of the DNS server of ISP 2 is 20.1.2.100. Intranet users use domain name www.example.com to access Web server A and Web server B.
Configure a transparent DNS proxy on the device to evenly distribute user traffic to Link 1 and Link 2.
Procedure
1. Assign IP addresses to interfaces:
# Assign an IP address to interface GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.100 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/3
[Device-security-zone-Untrust] quit
3. Configure a security policy:
Configure rules to permit traffic from the Trust security zone to the Untrust security zone and traffic from the Local security zone to the Untrust security zone, so the users can access the server:
# Configure a rule named lbrule1 to allow the users to access the server.
[Device] security-policy ip
[Device-security-policy-ip] rule name lbrule1
[Device-security-policy-ip-1-lbrule1] source-zone trust
[Device-security-policy-ip-1-lbrule1] destination-zone untrust
[Device-security-policy-ip-1-lbrule1] source-ip-subnet 192.168.1.0 255.255.255.0
[Device-security-policy-ip-1-lbrule1] action pass
[Device-security-policy-ip-1-lbrule1] quit
# Configure a rule named lblocalout to allow the device to send probe packets to the next hop.
[Device-security-policy-ip] rule 2 name lblocalout
[Device-security-policy-ip-2-lblocalout] source-zone local
[Device-security-policy-ip-2-lblocalout] destination-zone untrust
[Device-security-policy-ip-2-lblocalout] destination-ip-subnet 10.1.1.0 255.255.255.0
[Device-security-policy-ip-2-lblocalout] destination-ip-subnet 20.1.1.0 255.255.255.0
[Device-security-policy-ip-2-lblocalout] action pass
[Device-security-policy-ip-2-lblocalout] quit
[Device-security-policy-ip] quit
4. Configure links:
# Create the link link1 with next hop address 10.1.1.2.
[Device] loadbalance link link1
[Device-lb-link-link1] router ip 10.1.1.2
[Device-lb-link-link1] quit
# Create the link link2 with next hop address 20.1.1.2.
[Device] loadbalance link link2
[Device-lb-link-link2] router ip 20.1.1.2
[Device-lb-link-link2] quit
5. Create a DNS server pool named dsp.
[Device] loadbalance dns-server-pool dsp
[Device-lb-dspool-dsp] quit
6. Configure DNS servers:
# Create a DNS server named ds1, configure its IP address as 10.1.2.100, assign it to DNS server pool dsp, and associate it with link link1.
[Device] loadbalance dns-server ds1
[Device-lb-ds-ds1] ip address 10.1.2.100
[Device-lb-ds-ds1] dns-server-pool dsp
[Device-lb-ds-ds1] link link1
[Device-lb-ds-ds1] quit
# Create a DNS server named ds2, configure its IP address as 20.1.2.100, assign it to DNS server pool dsp, and associate it with link link2.
[Device] loadbalance dns-server ds2
[Device-lb-ds-ds2] ip address 20.1.2.100
[Device-lb-ds-ds2] dns-server-pool dsp
[Device-lb-ds-ds2] link link2
[Device-lb-ds-ds2] quit
7. Configure a transparent DNS proxy:
# Create a UDP transparent DNS proxy named dns-proxy1, configure its IP address as 0.0.0.0, specify DNS server pool dsp as its default DNS server pool, and enable the transparent DNS proxy.
[Device] loadbalance dns-proxy dns-proxy1 type udp
[Device-lb-dp-udp-dp] ip address 0.0.0.0 0
[Device-lb-dp-udp-dp] default dns-server-pool dsp
[Device-lb-dp-udp-dp] service enable
[Device-lb-dp-udp-dp] quit
Verifying the configuration
# Display brief information about all DNS servers.
[Device] display loadbalance dns-server brief
DNS server Address Port Link State DNS server pool
ds1 10.1.2.100 0 link1 Active dsp
ds2 20.1.2.100 0 link2 Active dsp
# Display detailed information about all DNS server pools.
[Device] display loadbalance dns-server-pool
DNS server pool: dsp
Description:
Predictor: Round robin
Selected server: Disabled
Probe information:
Probe success criteria: All
Probe method:
Total DNS servers: 2
Active DNS servers: 2
DNS server list:
Name State Address port Link Weight Priority
ds1 Active 10.1.2.100 0 link1 100 4
ds2 Active 20.1.2.100 0 link2 100 4
# Display detailed information about all transparent DNS proxies.
[Device] display loadbalance dns-proxy
DNS proxy: dns-proxy1
Type: UDP
State: Active
Service state: Enabled
VPN instance:
IPv4 address: 1.1.1.0/24
IPv6 address: --
Port: 53
DNS server pool: dsp
Sticky:
LB policy:
Connection synchronization: Enabled
Sticky synchronization: Enabled
Bandwidth busy protection: Disabled
After you complete the previous configuration, the LB device can evenly distribute DNS requests to DNS server A and DNS server B. Then, intranet user traffic is evenly distributed to Link 1 and Link 2.
