DNS LB on ACE.

Answered Question
Dec 12th, 2011

Hi,


I would like to know if we can use sticky with DNS load balancing using the source IP address:

sticky ip-netmask 255.255.255.255 address both XXXXX
  timeout activeconns
  replicate sticky
  serverfarm XXXX

Also, what would be the difference between using:

probe dns and probe udp


Thanks

Ajay

Correct Answer by sachinga.hcl about 5 years 8 months ago

Hi Ajay,


You can use the sticky with DNS using Source IP address.



The following example shows a running configuration that load balances DNS traffic across multiple real servers, and transmits and receives UDP data that spans multiple packets. The configuration uses a UDP health probe. The UDP probe configuration elements appear in bold in the example.


access-list ACL1 line 10 extended permit ip any any

probe udp UDP
  interval 5
  passdetect interval 10
  description THIS PROBE IS INTENDED FOR LOAD BALANCING DNS TRAFFIC
  port 53
  send-data UDP_TEST

rserver host SERVER1
  ip address 192.168.252.245
  inservice
rserver host SERVER2
  ip address 192.168.252.246
  inservice
rserver host SERVER3
  ip address 192.168.252.247
  inservice

serverfarm host SFARM1
  probe UDP
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
  rserver SERVER3
    inservice

class-map match-all L4UDP-VIP_114:UDP_CLASS
  2 match virtual-address 192.168.120.114 udp eq 53

policy-map type loadbalance first-match L7PLBSF_UDP_POLICY
  class class-default
    serverfarm SFARM1

policy-map multi-match L4SH-Gold-VIPs_POLICY
  class L4UDP-VIP_114:UDP_CLASS
    loadbalance vip inservice
    loadbalance policy L7PLBSF_UDP_POLICY
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 120
    connection advanced-options 1SECOND-IDLE

interface vlan 120
  description Upstream VLAN_120 - Clients and VIPs
  ip address 192.168.120.1 255.255.255.0
  fragment chain 20
  fragment min-mtu 68
  access-group input ACL1
  nat-pool 1 192.168.120.70 192.168.120.70 netmask 255.255.255.0 pat
  service-policy input L4SH-Gold-VIPs_POLICY
  no shutdown

ip route 10.1.0.0 255.255.255.0 192.168.120.254


-----------------------------------------------------------------------


Configuring a UDP Probe


Note: When configuring a UDP probe, you must configure a management-based policy.


By default, the UDP probe sends a UDP packet to a server and marks the server as failed only if the server returns an ICMP Port Unreachable message. If the ACE does not receive any ICMP errors for the UDP request that was sent, the probe is marked as passed. Optionally, you can configure this probe to send specific data and expect a specific response to mark the server as passed.


If the real server is not directly connected to the ACE (for example, it is connected via a gateway) and the IP interface of the server is down or disconnected, the UDP probe by itself would not know that the UDP application is not reachable. If the real server is directly connected to the ACE and the IP interface of the server is down, then the UDP probe fails.


If the IP interface of the server is down or disconnected, the UDP probe by itself would not know that the UDP application is not reachable.


To create a UDP probe and access its configuration mode, use the probe udp name command.


For example, to define a UDP probe named PROBE2 and access its mode, enter:


host1/Admin(config)# probe udp PROBE2


host1/Admin(config-probe-udp)#



You can configure the following attributes for a UDP probe:


• To configure what the ACE expects as a response from the probe destination server, use the expect regex command.

• To configure the data sent on the connection for a UDP probe, use the send-data expression command.


Then, you can configure the attributes in the "Configuring General Probe Attributes" section.





-----------------------------------------


A DNS probe sends a request to a DNS server giving it a configured domain (by default, the domain is www.cisco.com). To determine if the server is up, the ACE must receive one of the configured IP addresses for that domain. To create a DNS probe and access its configuration mode, use the probe dns command. The syntax of this command is:


probe dns name


For the name argument, enter an identifier of the DNS probe as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


For example, to define a DNS probe named PROBE7 and access its mode, enter:


host1/Admin(config)# probe dns PROBE7


host1/Admin(config-probe-dns)#



You can configure attributes for a DNS probe, as described in the following sections:


• Configuring the Domain Name

• Configuring the Expected IP Address


Then, you can configure the attributes in the "Configuring General Probe Attributes" section.

Configuring the Domain Name


The DNS probe sends a domain name for the DNS server to resolve. By default, the probe uses the www.cisco.com domain. To configure the domain name that the probe sends to the server, use the domain command. The syntax of this command is:


domain name


The name argument is the domain that the probe sends to the DNS server. Enter an unquoted text string with a maximum of 255 characters.


For example, to configure the domain name of support.cisco.com, enter:


host1/Admin(config-probe-dns)# domain support.cisco.com



To reset the domain to www.cisco.com, use the no domain command. For example, enter:


host1/Admin(config-probe-dns)# no domain



Configuring the Expected IP Address


When a DNS probe sends a domain name resolve request to the server, it verifies the returned IP address by matching the received IP address with the configured addresses. To configure the IP address that the ACE expects as a server response to a DNS request, use the expect address command. The syntax of this command is:


expect address ip_address


The ip_address argument is the expected returned IP address. Enter a unique IPv4 address in dotted-decimal notation (for example, 192.8.12.15).


You can specify multiple IP addresses with this command by entering the command with a different address separately. For example, to configure an expected IP address of 192.8.12.15 and 192.8.12.23, enter:


host1/Admin(config-probe-dns)# expect address 192.8.12.15


host1/Admin(config-probe-dns)# expect address 192.8.12.23



To remove an IP address, use the no expect address command. For example, enter:


host1/Admin(config-probe-dns)# no expect address 192.8.12.15


For "Configuring General Probe Attributes", kindly refer to:


http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/probe.html#wp1031040


http://www.cisco.com/en/US/netsol/ns751/networking_solutions_design_guidances_list.html


HTH


Sachin

Overall Rating: 5 (1 ratings)
Correct Answer
sachinga.hcl Tue, 12/13/2011 - 01:10
