I. Lab topology

II. Address information


III. Configure the outbound links
1) Servers
slb server GW_bridge 192.168.3.1
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb server GW_dhcp 192.168.232.2
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
2) NAT
ip nat pool bridge_NAT 192.168.3.200 192.168.3.200 netmask /32
!
ip nat pool dhcp_NAT 192.168.232.200 192.168.232.200 netmask /32
slb template port bridge_NAT_Temp
source-nat bridge_NAT
slb template port dhcp_NAT_Temp
source-nat dhcp_NAT
3) Service groups
slb service-group SG_GW_bridge_tcp tcp
member GW_bridge 0
template bridge_NAT_Temp
!
slb service-group SG_GW_bridge_udp udp
member GW_bridge 0
template bridge_NAT_Temp
!
slb service-group SG_GW_dhcp_tcp tcp
member GW_dhcp 0
template dhcp_NAT_Temp
!
slb service-group SG_GW_dhcp_udp udp
member GW_dhcp 0
template dhcp_NAT_Temp
!
slb service-group SG_GW_ALL_tcp tcp
member GW_bridge 0
template bridge_NAT_Temp
member GW_dhcp 0
template dhcp_NAT_Temp
!
slb service-group SG_GW_ALL_udp udp
member GW_bridge 0
template bridge_NAT_Temp
member GW_dhcp 0
template dhcp_NAT_Temp
IV. Build the domain-name match lists with class-lists
1) CLI
class-list url-218 string
str taobao.com
!
class-list url-61 string
str jd.com
2) Web UI

V. Configure the DNS address for each of the two links
Note: because this is a lab, both DNS addresses are Jiangsu Telecom DNS servers; in production each carrier link uses that carrier's own DNS address.
1) Servers
slb server DNS_218 218.2.135.1
port 53 udp
!
slb server DNS_61 61.147.37.1
port 53 udp
2) Service groups
slb service-group SG_DNS_218 udp
member DNS_218 53
template dhcp_NAT_Temp
!
slb service-group SG_DNS_61 udp
member DNS_61 53
template bridge_NAT_Temp
3) Host routes that pin each DNS address to its link
ip route 61.147.37.1 /32 192.168.3.1
ip route 218.2.135.1 /32 192.168.232.2
VI. Write an aFleX that matches domain names against the class-lists, forwards the query to the designated DNS group, and stores the resolved IPs in a table
Note: the DNS_REQUEST event steers domain names in a class-list to the designated DNS group; the DNS_RESPONSE event saves the A records from the resolved answer into a table.
About tables:
A table is a data store that can be created and updated dynamically and is accessible globally, so aFleX code running in different events can read the same table; this is what makes tables flexible and powerful. In addition, the lifetime and timeout settings control how long entries survive in the table.
aFleX contents:
Name: DNS_AFLEX
For the aFleX it is enough to follow the logic; the exact syntax does not need to concern you.
when DNS_REQUEST {
    # flag records which link the queried name was steered to (0 = none)
    set flag 0
    set host [string tolower [DNS::question name]]
    if { [CLASS::match $host contains url-218] } {
        set flag 1
        pool SG_DNS_218
        log "DNS REQUEST $host use GW_dhcp link"
    }
    if { [CLASS::match $host contains url-61] } {
        set flag 2
        pool SG_DNS_61
        log "DNS REQUEST $host use GW_bridge link"
    }
}
when DNS_RESPONSE {
    # store every A record of a steered answer in that link's table (key = resolved IP, value = hostname)
    if {$flag equals "1"} {
        set rrs [DNS::answer]
        foreach rr $rrs {
            if { [DNS::type $rr] equals "A" } {
                set dip [DNS::rdata $rr]
                if { [table lookup t-GWdhcp $dip] equals ""} {
                    table add t-GWdhcp $dip $host indef 86400
                } else {
                    table replace t-GWdhcp $dip $host indef 86400
                }
                log "DNS RESPONSE $host use GW_dhcp link"
            }
        }
    }
    if {$flag equals "2"} {
        set rrs [DNS::answer]
        foreach rr $rrs {
            if { [DNS::type $rr] equals "A" } {
                set dip [DNS::rdata $rr]
                if { [table lookup t-GWbridge $dip] equals ""} {
                    table add t-GWbridge $dip $host indef 86400
                } else {
                    table replace t-GWbridge $dip $host indef 86400
                }
                log "DNS RESPONSE $host use GW_bridge link"
            }
        }
    }
}
VII. Configure the layer-7 DNS proxy virtual server
Note: the virtual server can be a normal VS or a wildcard VS; it intercepts name resolution. The DNS address configured on the internal network is 192.168.5.200.
slb virtual-server VS_DNS2 192.168.5.200
port 53 dns-udp
aflex DNS_AFLEX
VIII. Write the table-based link-selection aFleX
aFleX contents:
Name: Choose-Link-TCP
when CLIENT_ACCEPTED {
    # destination IP of the new connection; if it was learned via DNS, send it out the same link
    set Dip [IP::local_addr]
    if { ([table lookup t-GWdhcp $Dip]!="") } {
        pool SG_GW_dhcp_tcp
        log "choose_link to-link-GW_dhcp --> $Dip"
    }
    if { ([table lookup t-GWbridge $Dip]!="") } {
        pool SG_GW_bridge_tcp
        log "choose_link to-link-GW_bridge --> $Dip"
    }
}
Name: Choose-Link-UDP
when CLIENT_ACCEPTED {
    set Dip [IP::local_addr]
    if { ([table lookup t-GWdhcp $Dip]!="") } {
        pool SG_GW_dhcp_udp
        log "choose_link to-link-GW_dhcp --> $Dip"
    }
    if { ([table lookup t-GWbridge $Dip]!="") } {
        pool SG_GW_bridge_udp
        log "choose_link to-link-GW_bridge --> $Dip"
    }
}
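To make the interaction between sections VI and VIII easier to reason about, here is an added Python model of the two aFleX rules (DNS_AFLEX and Choose-Link-*). It is example code written for this page, not A10 code; the class-list, table and service-group names are the page's own, the DNS answers are constructed, and the table lifetime expiry that aFleX handles internally is modelled explicitly so the "entry expired" case can be seen.

```python
"""Model of the page's DNS_AFLEX and Choose-Link rules (added example, not A10 code)."""
import time

# class-lists from section IV: name -> strings, matched with "contains" (substring)
CLASS_LISTS = {"url-218": ["taobao.com"], "url-61": ["jd.com"]}
# class-list -> (DNS service-group, table name, link service-group prefix)
LINK_FOR_CLASS = {"url-218": ("SG_DNS_218", "t-GWdhcp", "SG_GW_dhcp"),
                  "url-61": ("SG_DNS_61", "t-GWbridge", "SG_GW_bridge")}
TABLES = {"t-GWdhcp": {}, "t-GWbridge": {}}   # table -> {ip: (host, expiry)}
LIFETIME = 86400                               # "indef 86400" on the page

def class_match(host, name):
    """CLASS::match $host contains <class-list>: any entry is a substring of host."""
    return any(s in host.lower() for s in CLASS_LISTS[name])

def dns_request(qname):
    """DNS_REQUEST: choose the DNS service-group by class-list.
    (None, None) means the query is not steered. The page's rule tests url-218
    then url-61 with the last match winning; first match is used here, which
    only differs for a name containing both strings."""
    for cls, (dns_sg, _, _) in LINK_FOR_CLASS.items():
        if class_match(qname, cls):
            return cls, dns_sg
    return None, None

def dns_response(qname, answers, now=None):
    """DNS_RESPONSE: store every A record of a steered answer in the link's table.
    answers is a list of (rtype, rdata) tuples standing in for [DNS::answer]."""
    now = time.time() if now is None else now
    cls, _ = dns_request(qname)
    if cls is None:
        return []                              # flag 0: nothing recorded
    table = TABLES[LINK_FOR_CLASS[cls][1]]
    stored = []
    for rtype, rdata in answers:
        if rtype == "A":                       # CNAME/AAAA records are skipped
            table[rdata] = (qname, now + LIFETIME)   # covers both add and replace
            stored.append(rdata)
    return stored

def choose_link(dip, proto, now=None):
    """CLIENT_ACCEPTED: look the destination IP up in both tables; an expired
    entry counts as absent. None means aFleX sets no pool, so the connection
    follows the LLB VS's normal routing (the default routes in the show run)."""
    now = time.time() if now is None else now
    for _, tname, sg_prefix in LINK_FOR_CLASS.values():
        entry = TABLES[tname].get(dip)
        if entry and entry[1] > now:
            return f"{sg_prefix}_{proto}"
    return None
```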
IX. Bind the link-selection aFleX to the LLB virtual server
slb virtual-server LLB_VS_ALL 0.0.0.0 acl 180
port 0 others
aflex Choose-Link-UDP
use-rcv-hop-for-resp
no-dest-nat
port 0 tcp
clientip-sticky-nat
aflex Choose-Link-TCP
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
clientip-sticky-nat
aflex Choose-Link-UDP
use-rcv-hop-for-resp
no-dest-nat
X. Access result
Note: when browsing, the taobao.com and jd.com pages return HTTP code 200.


XI. Packet capture: check that each domain name is resolved by the designated DNS server




XII. Summary of the final result
With this configuration the end result is: when a user accesses a taobao.com domain name, the query goes out via 218.2.135.1, i.e. the dhcp link; when a user accesses a jd.com domain name, the query goes via 61.148.37.1, i.e. the bridge link. This lab does not pay much attention to health checks, other link-selection policies, or templates for special requirements, so in production these can be adjusted flexibly to the customer's needs.
Layer-7 domain-name-based link selection is usually configured because, early on, some overseas websites could not be reached over domestic carrier links, so the A10 had to steer traffic for overseas sites over a VPN leased line in order to reach them.
Prerequisites:
1. Users' DNS requests must pass through the A10;
2. Table names must not contain an underscore ("_").
Appendix: show run output from the device:
A10-1(NOLICENSE)# show run
!Current configuration: 1159 bytes
!Configuration last updated at 06:54:22 GMT Sun Nov 15 2020
!Configuration last saved at 07:33:21 GMT Sun Nov 15 2020
!64-bit Advanced Core OS (ACOS) version 4.1.4-GR1-P3, build 155 (Mar-28-2020,18:07)
!
access-list 180 permit ip object-group SUB_Network any
!
class-list url-218 string
str taobao.com
!
class-list url-61 string
str jd.com
!
vlan 10
untagged ethernet 1
router-interface ve 10
!
vlan 20
untagged ethernet 2
router-interface ve 20
!
vlan 30
untagged ethernet 3
router-interface ve 30
!
hostname A10-1
!
!
web-service gui-timeout-policy idle 60
!
interface management
ip address 192.168.4.10 255.255.255.0
ip default-gateway 192.168.4.1
!
interface ethernet 1
enable
!
interface ethernet 2
enable
!
interface ethernet 3
enable
!
interface ethernet 4
!
interface ve 10
ip address 192.168.3.10 255.255.255.0
!
interface ve 20
ip address dhcp
!
interface ve 30
ip address 192.168.5.10 255.255.255.0
ip allow-promiscuous-vip
!
!
ip nat pool bridge_NAT 192.168.3.200 192.168.3.200 netmask /32
!
ip nat pool dhcp_NAT 192.168.232.200 192.168.232.200 netmask /32
!
ip route 0.0.0.0 /0 192.168.3.1
ip route 0.0.0.0 /0 192.168.232.2 10
!
ip route 61.147.37.1 /32 192.168.3.1
!
ip route 218.2.135.1 /32 192.168.232.2
!
slb template port bridge_NAT_Temp
source-nat bridge_NAT
!
slb template port dhcp_NAT_Temp
source-nat dhcp_NAT
!
slb server DNS_114 114.114.114.114
port 53 udp
!
slb server DNS_218 218.2.135.1
port 53 udp
!
slb server DNS_61 61.147.37.1
port 53 udp
!
slb server GW_bridge 192.168.3.1
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb server GW_dhcp 192.168.232.2
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
slb service-group SG_DNS_218 udp
member DNS_218 53
template dhcp_NAT_Temp
!
slb service-group SG_DNS_61 udp
member DNS_61 53
template bridge_NAT_Temp
!
slb service-group SG_GW_ALL_tcp tcp
member GW_bridge 0
template bridge_NAT_Temp
member GW_dhcp 0
template dhcp_NAT_Temp
!
slb service-group SG_GW_ALL_udp udp
member GW_bridge 0
template bridge_NAT_Temp
member GW_dhcp 0
template dhcp_NAT_Temp
!
slb service-group SG_GW_bridge_tcp tcp
member GW_bridge 0
template bridge_NAT_Temp
!
slb service-group SG_GW_bridge_udp udp
member GW_bridge 0
template bridge_NAT_Temp
!
slb service-group SG_GW_dhcp_tcp tcp
member GW_dhcp 0
template dhcp_NAT_Temp
!
slb service-group SG_GW_dhcp_udp udp
member GW_dhcp 0
template dhcp_NAT_Temp
!
slb virtual-server LLB_VS_ALL 0.0.0.0 acl 180
port 0 others
aflex Choose-Link-UDP
use-rcv-hop-for-resp
no-dest-nat
port 0 tcp
clientip-sticky-nat
aflex Choose-Link-TCP
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
clientip-sticky-nat
aflex Choose-Link-UDP
use-rcv-hop-for-resp
no-dest-nat
!
slb virtual-server VS_DNS 0.0.0.0
port 53 dns-udp
aflex DNS_AFLEX
!
slb virtual-server VS_DNS2 192.168.5.200
port 53 dns-udp
aflex DNS_AFLEX
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
object-group network SUB_Network
192.168.0.0 0.0.255.255
172.16.0.0 0.15.255.255
10.0.0.0 0.255.255.255
!
end
!Current config commit point for partition 0 is 0 & config mode is classical-mode
[END] 2020/11/15 15:55:21