Cisco CSS 11000 Series Content Services Switches

How to Configure the CSS to Load Balance DNS Servers and Use the DNS Scripted Keepalives

Document ID: 15049

Updated: Jan 31, 2006

Introduction

With the Cisco WebNS Software Releases 4.0 and later, customers have the ability to use scripted keepalives for nonstandard or specialized services, such as Domain Name System (DNS).

Because DNS queries are User Datagram Protocol (UDP)-based, you must configure a source group on the Content Services Switch (CSS) so that the responses from the DNS servers appear to come from the same address from which the queries were originally sent (most likely the Virtual IP (VIP) address). Once this source group is active, the DNS scripted keepalives fail: the response to the keepalive query is also subject to Network Address Translation (NAT), so the CSS receives the response from a different IP address than the one to which it originally sent the request.

This configuration was developed and tested with the software and hardware versions listed below.

  • All CSS platforms (CSS11000 and CSS11500)
  • Cisco WebNS Software Releases 5.0 and later (scripted keepalives were not added until Release 4.0)

The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Network Diagram

Using the DNS Scripted Keepalives

Tips for using the DNS scripted keepalives:

  • Access to Internet Domain Name System Root Servers is required for successful implementation of DNS scripted keepalives.

  • The service IP address has no bearing on the DNS keepalive at all. Any address can be entered and it does not affect the state; however, an address must be entered or a "bad IP address" error appears.

  • The argument for the script must be either the IP address or the hostname of the DNS server you want to check. It is typically the IP address configured on the service.

  • The script is hard-coded to resolve www.cisco.com. It does not matter whether the DNS server can resolve this name; as long as a DNS response comes back, the service is considered alive. This keepalive only tests whether a DNS server can respond to a query, not whether it can resolve a specific name. The script queries sent from the CSS to the internal DNS servers are what track the availability of those servers.

CSS ap-kal-dns Script

!no echo
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Filename: ap-kal-dns
! Parameters: DNS_Server
!
! Description:
!--- This script resolves a domain name from a specific DNS
!--- server. It builds a UDP packet based on RFC 1035.
!
! Failure Upon:
!--- Not resolving the host's IP from the domain name.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

if ${ARGS}[#] "NEQ" "1"
  echo "Usage: ap-kal-dns \'Hostname\'"
  exit script 1
endbranch

! Defines:
set HostName "${ARGS}[1]"

! Connect to the remote host
set EXIT_MSG "Connection failed"
socket connect host ${HostName} port 53 udp

!--- This may require a little explanation. Since we just want to see
!--- if the DNS server is alive, we send a simple DNS query. This
!--- query is hard-coded in hexadecimal and sent raw to the DNS server.
!--- The DNS request has a 12-byte header (the first 12 bytes
!--- of hex: ID 0002, flags 0100 (recursion desired), QDCOUNT 0001,
!--- then three zero counts), followed by the DNS name www.cisco.com
!--- as length-prefixed labels (03 "www", 05 "cisco", 03 "com").
!--- Lastly, it ends with a null terminator (00) and two bytes each
!--- for the query type (0001 = A) and class (0001 = IN).
!--- See RFC 1035 for more information.
set EXIT_MSG "Send: failure"
socket send ${SOCKET} "0002010000010000000000000377777705636973636f03636f6d0000010001" raw

!--- Receive the response. Its content is not important, because an
!--- unstable DNS server or a non-existent one would probably not send
!--- back any data at all. Any DNS response echoes the question section,
!--- so the queried name is the string to wait for.
set EXIT_MSG "Receive: Failed to receive data"
socket waitfor ${SOCKET} "cisco" 4000

no set EXIT_MSG
socket disconnect ${SOCKET}
exit script 0
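The following Python program is an added example, not part of Cisco's ap-kal-dns script or of the WebNS software. It builds the same RFC 1035 query the script sends (the hex payload above is the expected output for www.cisco.com), and it evaluates a reply the way the keepalive does: the name only has to be echoed back, the RCODE is ignored, so an NXDOMAIN answer still counts as alive. It also models the source-group failure mode from the introduction by rejecting a reply that arrives from an address other than the one the query went to. The replies are constructed inline so the example runs offline; the `probe` function is the live equivalent of the script and is the only part that touches the network.

```python
"""Added example (not Cisco's code): build the ap-kal-dns query and judge a
reply the way the keepalive does. DNS packets below are constructed inline."""
import socket
import struct

QUERY_ID = 0x0002  # transaction ID used in the script's hex payload


def encode_qname(name: str) -> bytes:
    """RFC 1035 name encoding: length-prefixed labels, null terminator."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int = QUERY_ID) -> bytes:
    """12-byte header (ID, RD flag, QDCOUNT=1) + question (QNAME, type A, class IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def decode_qname(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a question name (compression pointers are not expected in a question)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def keepalive_alive(query: bytes, reply: bytes, sent_to: str, reply_from: str) -> tuple[bool, str]:
    """Mirror the keepalive's decision. Like the script, it ignores whether the
    name resolved (RCODE is not checked); it only needs a DNS response that
    echoes the queried name. The source-address check models the source-group
    problem: a reply NATed to another address does not belong to this socket."""
    if reply_from != sent_to:
        return False, f"reply from {reply_from}, expected {sent_to} (source-group NAT?)"
    if len(reply) < 12:
        return False, "reply shorter than a DNS header"
    qid, flags, qdcount = struct.unpack("!HHH", reply[:6])
    if qid != struct.unpack("!H", query[:2])[0]:
        return False, "transaction ID mismatch"
    if not flags & 0x8000:
        return False, "QR bit clear: not a response"
    if qdcount != 1:
        return False, "question section not echoed"
    name, _ = decode_qname(reply, 12)
    wanted, _ = decode_qname(query, 12)
    if name != wanted:
        return False, f"response is for {name}, not {wanted}"
    return True, "alive"


def make_reply(query: bytes, rcode: int) -> bytes:
    """Constructed minimal reply: QR/RD/RA set, given RCODE, question echoed, no answers."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 0, 0, 0)
    return header + query[12:]


def probe(server: str, name: str = "www.cisco.com", timeout: float = 4.0) -> tuple[bool, str]:
    """Live equivalent of the script: one UDP query, 4-second wait, as in ap-kal-dns."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, (addr, _) = s.recvfrom(512)
        except socket.timeout:
            return False, "Receive: Failed to receive data"
    return keepalive_alive(q, data, server, addr)


if __name__ == "__main__":
    q = build_query("www.cisco.com")
    print(q.hex())  # the same payload the script sends raw
    print(keepalive_alive(q, make_reply(q, 3), "10.1.1.3", "10.1.1.3"))
    print(keepalive_alive(q, make_reply(q, 0), "10.1.1.1", "200.1.1.3"))
```

Run it against one of your own resolvers with `probe("10.1.1.3")` to see the same pass/fail decision the keepalive makes; the NXDOMAIN case in `__main__` shows why the tip above says resolution of the name itself does not matter.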

If the DNS keepalives fail because the servers' responses are translated by the source group, create an ACL with this logic:

  • Anything sourced from one of the DNS servers and destined for the CSS (the circuit Virtual LAN (VLAN) IP address) bypasses all content rules and source groups.

  • Other traffic sourced from the DNS servers goes through the configured source group.

Configuration

CSS 11150 Running WebNS 4.01 Build 8
!*************************** GLOBAL ***************************
	
ip redundancy
no restrict xml
username predictive des-password xeocchdhdhnglhueig5csfbe4fievhjg
username admin des-password uezfqg6eoeic3e2d superuser
acl enable
ip route 0.0.0.0 0.0.0.0 200.1.1.1 1
	
!************************* INTERFACE *************************
	
interface ethernet-1
	bridge vlan 2
	phy 100Mbits-FD
interface ethernet-2
	bridge vlan 3
	phy 100Mbits-FD
	
!************************** CIRCUIT **************************
	
circuit VLAN2
	redundancy
	ip address 10.1.1.5 255.255.255.0
circuit VLAN3
	redundancy
	ip address 200.1.1.2 255.255.255.0
	
!************************** SERVICE **************************
	
service DNS1
	ip address 10.1.1.1
	keepalive type script ap-kal-dns "10.1.1.1"
	active
service DNS2
	ip address 10.1.1.2
	keepalive type script ap-kal-dns "10.1.1.2"
	active
service DNS3
	ip address 10.1.1.3
	keepalive type script ap-kal-dns "10.1.1.3"
	active
service DNS4
	ip address 10.1.1.4
	keepalive type script ap-kal-dns "10.1.1.4"
	active
service Router1
	ip address 200.1.1.1
	type redundancy-up
	active

!*************************** OWNER ***************************

owner L3_Owner
content L3_Rule
	vip address 200.1.1.3
	add service DNS1
	add service DNS2
	add service DNS3
	add service DNS4
	active

!*************************** GROUP ***************************

group dns
	vip address 200.1.1.3
	active

!**************************** ACL ****************************

acl 20
	clause 10 permit any any destination any
	apply circuit-(VLAN3)
acl 10
	clause 10 bypass any 10.1.1.1 255.255.255.255 destination 10.1.1.5 255.255.255.255
	clause 20 bypass any 10.1.1.2 255.255.255.255 destination 10.1.1.5 255.255.255.255
	clause 30 bypass any 10.1.1.3 255.255.255.255 destination 10.1.1.5 255.255.255.255
	clause 40 bypass any 10.1.1.4 255.255.255.255 destination 10.1.1.5 255.255.255.255
	clause 50 permit any 10.1.1.0 255.255.255.0 destination any sourcegroup dns
	clause 60 permit any any destination any
	apply circuit-(VLAN2) 
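The following Python program is an added example, not Cisco code and not a CSS feature: it is a first-match model of acl 10 above, using the addresses from this configuration, to show why the bypass clauses for the DNS servers must come before the sourcegroup clause. A keepalive reply from a DNS server to the circuit address 10.1.1.5 must hit a bypass clause; if clause 50 were evaluated first, that reply would be pushed through source group dns and the keepalive would fail as described in the introduction. Traffic that matches no clause is treated as denied here, which is an assumption of this model.

```python
"""Added example (not Cisco code): first-match model of CSS acl 10 from the
configuration above, with the page's addresses."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Clause:
    number: int
    action: str                       # "bypass" or "permit"
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    sourcegroup: Optional[str] = None


def net(addr: str, mask: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """CSS-style address plus mask; "any" becomes 0.0.0.0/0."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


ANY = net("any")
CIRCUIT_VLAN2 = net("10.1.1.5", "255.255.255.255")   # circuit VLAN2 address

# acl 10 as applied to circuit VLAN2, in clause order
ACL_10 = [
    Clause(10, "bypass", net("10.1.1.1", "255.255.255.255"), CIRCUIT_VLAN2),
    Clause(20, "bypass", net("10.1.1.2", "255.255.255.255"), CIRCUIT_VLAN2),
    Clause(30, "bypass", net("10.1.1.3", "255.255.255.255"), CIRCUIT_VLAN2),
    Clause(40, "bypass", net("10.1.1.4", "255.255.255.255"), CIRCUIT_VLAN2),
    Clause(50, "permit", net("10.1.1.0", "255.255.255.0"), ANY, sourcegroup="dns"),
    Clause(60, "permit", ANY, ANY),
]

# Misordered variant (assumed, for contrast): sourcegroup clause evaluated first.
ACL_10_MISORDERED = [ACL_10[4]] + ACL_10[:4] + [ACL_10[5]]


def evaluate(acl, src: str, dst: str) -> tuple[int, str, Optional[str]]:
    """First matching clause wins; returns (clause number, action, sourcegroup)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for c in acl:
        if s in c.source and d in c.destination:
            return c.number, c.action, c.sourcegroup
    raise LookupError("no clause matched (treated as deny in this model)")


def keepalive_reply_is_natted(acl, dns_server: str) -> bool:
    """True if the DNS server's reply to the circuit address would be sent
    through a source group, which is the failure the text describes."""
    _, action, group = evaluate(acl, dns_server, "10.1.1.5")
    return action == "permit" and group is not None


if __name__ == "__main__":
    for src, dst in [("10.1.1.3", "10.1.1.5"), ("10.1.1.3", "200.1.1.50"), ("192.168.9.9", "10.1.1.5")]:
        print(src, "->", dst, evaluate(ACL_10, src, dst))
    print("keepalive reply NATed, configured order:", keepalive_reply_is_natted(ACL_10, "10.1.1.1"))
    print("keepalive reply NATed, misordered:", keepalive_reply_is_natted(ACL_10_MISORDERED, "10.1.1.1"))
```

The client address 200.1.1.50 and the host 192.168.9.9 are constructed test values, not addresses from the configuration. Extending `ACL_10` with a fifth DNS server is a matter of adding one more bypass clause before clause 50, which is exactly the ordering discipline the real ACL needs.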

show Command Outputs

Samples of show command output:

show keepalive

52-css150-4# show keepalive
Keepalives:
Name: AUTO_nexthop00002 Index: 0 State: Alive
Description: Auto generated for service nexthop00002
Address: 200.1.1.1 Port: Any
Type: ICMP
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
nexthop00002

Name: AUTO_DNS1 Index: 1 State: Down
Description: Auto generated for service DNS1
Address: 10.1.1.1 Port: Any
Type: SCRIPT ap-kal-dns
Script Arguments: "10.1.1.1"
Script Error: Script error in line: 41 
!--- Note: This service has no access to root servers, which causes the error.
Script Run Time: 4 seconds
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
DNS1

Name: AUTO_DNS3 Index: 2 State: Alive
Description: Auto generated for service DNS3
Address: 10.1.1.3 Port: Any
Type: SCRIPT ap-kal-dns
Script Arguments: "10.1.1.3"
Script Error: None
!--- Note: This service has access to Internet root servers.
Script Run Time: 0 seconds
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
DNS3

Name: AUTO_DNS4 Index: 3 State: Alive
Description: Auto generated for service DNS4
Address: 10.1.1.4 Port: Any
Type: SCRIPT ap-kal-dns
Script Arguments: "10.1.1.4"
Script Error: None
Script Run Time: 0 seconds
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
DNS4

Name: AUTO_Router1 Index: 4 State: Down
Description: Auto generated for service Router1
Address: 200.1.1.1 Port: Any
Type: ICMP
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
Router1

Name: AUTO_DNS2 Index: 5 State: Down
Description: Auto generated for service DNS2
Address: 10.1.1.2 Port: Any
Type: SCRIPT ap-kal-dns
Script Arguments: "10.1.1.2"
Script Error: Script error in line: 41
Script Run Time: 4 seconds
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
DNS2

52-css150-4#

show keepalive-summary

52-css150-4# show keepalive-summary
Keepalives:
AUTO_nexthop00002 State: Alive 200.1.1.1
AUTO_DNS1 State: Down 10.1.1.1
AUTO_DNS3 State: Alive 10.1.1.3
AUTO_DNS4 State: Alive 10.1.1.4
AUTO_Router1 State: Down 200.1.1.1
AUTO_DNS2 State: Down 10.1.1.2

show service summary

52-css150# show service summary

Service Name                     State     Conn  Weight  Avg   State
                                                         Load  Transitions

AUTO_DNS1                        Down          0      1     2       0
AUTO_DNS3                        Alive         0      1     2       1
AUTO_DNS4                        Alive         0      1   255       1
AUTO_DNS2                        Down          0      1   255       0

