Key configuration points, for reference

Assign IP addresses to the interfaces
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 10.0.0.2 255.255.255.0
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 ip address 1.1.1.1 255.255.255.0
 nat outbound
interface GigabitEthernet1/0/3
 port link-mode route
 combo enable copper
 ip address 2.1.1.1 255.255.255.0
 nat outbound

Add the interfaces to security zones
security-zone name Trust
 import interface GigabitEthernet1/0/1
security-zone name Untrust
 import interface GigabitEthernet1/0/2
 import interface GigabitEthernet1/0/3

Permit traffic in the security policy (rule 0 sets no match criteria, so it passes all traffic)
security-policy ip
 rule 0 name 0
  action pass

Configure routes
ip route-static 11.11.11.11 32 1.1.1.2
ip route-static 22.22.22.22 32 2.1.1.2

Create the links
loadbalance link link1
 router ip 1.1.1.2
loadbalance link link2
 router ip 2.1.1.2

Configure the DNS server pools
loadbalance dns-server-pool dns1
loadbalance dns-server-pool dns2

Create the DNS servers so that DNS server ds1 belongs to DNS server pool dns1
and DNS server ds2 belongs to DNS server pool dns2
loadbalance dns-server ds1
 dns-server-pool dns1
 ip address 1.1.1.2
 link link1
loadbalance dns-server ds2
 dns-server-pool dns2
 ip address 2.1.1.2
 link link2

Create the domain-name-based DNS path-selection policy
Queries for www.baidu.com are sent to dns1 (1.1.1.2) for resolution
Queries for www.h3c.com are sent to dns2 (2.1.1.2) for resolution
loadbalance class 1 type dns match-any
 match 1 domain-name www.baidu.com
loadbalance class 2 type dns
 match 1 domain-name www.h3c.com
loadbalance action 1 type dns
 dns-server-pool dns1
loadbalance action 2 type dns
 dns-server-pool dns2
loadbalance policy dnstest type dns
 class 1 action 1
 class 2 action 2

Create a UDP-type DNS transparent proxy named dns-proxy1, set its IPv4 address to 0.0.0.0, specify the DNS server pool as dsp, and enable the DNS transparent proxy function
loadbalance dns-proxy dns-proxy1 type udp
 ip address 0.0.0.0 0
 service enable
 lb-policy dnstest

Test results
The PC accesses www.baidu.com and gets the resolution result 11.11.11.11
The PC accesses www.h3c.com and gets the resolution result 22.22.22.22
<PC>ping www.baidu.com
Ping www.baidu.com (11.11.11.11): 56 data bytes, press CTRL+C to break
56 bytes from 11.11.11.11: icmp_seq=0 ttl=254 time=0.609 ms
56 bytes from 11.11.11.11: icmp_seq=1 ttl=254 time=0.622 ms
56 bytes from 11.11.11.11: icmp_seq=2 ttl=254 time=0.274 ms
56 bytes from 11.11.11.11: icmp_seq=3 ttl=254 time=0.849 ms
56 bytes from 11.11.11.11: icmp_seq=4 ttl=254 time=0.324 ms
--- Ping statistics for www.baidu.com ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.274/0.536/0.849/0.212 ms
<PC>ping www.h3c.com
Ping www.h3c.com (22.22.22.22): 56 data bytes, press CTRL+C to break
56 bytes from 22.22.22.22: icmp_seq=0 ttl=254 time=0.933 ms
56 bytes from 22.22.22.22: icmp_seq=1 ttl=254 time=0.940 ms
56 bytes from 22.22.22.22: icmp_seq=2 ttl=254 time=0.646 ms
56 bytes from 22.22.22.22: icmp_seq=3 ttl=254 time=0.960 ms
56 bytes from 22.22.22.22: icmp_seq=4 ttl=254 time=0.730 ms
--- Ping statistics for www.h3c.com ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.646/0.842/0.960/0.129 ms
<H3C>%Mar 20 21:06:15:398 2024 H3C PING/6/PING_STATISTICS: Ping statistics for www.h3c.com: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.646/0.842/0.960/0.129 ms.
<H3C>
<H3C>*Mar 20 21:06:09:823 2024 H3C LB/7/PACKET: -COntext=1; Input packet matched DNS proxy dns-proxy1: Pro=17, Src=10.0.0.1/48640, Dst=114.114.114.114/53, ID=1.
*Mar 20 21:06:09:823 2024 H3C LB/7/PACKET: -COntext=1; DNS server pool is selected according to policy: Pro=17, Src=10.0.0.1/48640, Dst=114.114.114.114/53, ID=1.
*Mar 20 21:06:09:823 2024 H3C LB/7/PACKET: -COntext=1; DNS server ds1 port 0 is selected according to predictor: Pro=17, Src=10.0.0.1/48640, Dst=114.114.114.114/53, ID=1.
*Mar 20 21:06:09:823 2024 H3C LB/7/PACKET: -COntext=1; Succeeded in processing first packet with NAT enabled: Pro=17, Src=10.0.0.1/48640, Dst=1.1.1.2/53, ID=1.
*Mar 20 21:06:09:823 2024 H3C LB/7/PACKET: -COntext=1; Succeeded in processing the packet with DNS proxy: Pro=17, Src=10.0.0.1/48640, Dst=1.1.1.2/53, ID=1.
*Mar 20 21:06:09:824 2024 H3C LB/7/PACKET: -COntext=1; Succeeded in processing reverse packet with NAT enabled: Pro=17, Src=114.114.114.114/53, Dst=10.0.0.1/48640, ID=1.
*Mar 20 21:06:09:824 2024 H3C LB/7/PACKET: -COntext=1; Input packet not match virtual server Pro=1, Src=10.0.0.1/0, Dst=11.11.11.11/0, ID=2, vpn=0.
*Mar 20 21:06:14:506 2024 H3C LB/7/PACKET: -COntext=1; Input packet matched DNS proxy dns-proxy1: Pro=17, Src=10.0.0.1/48641, Dst=114.114.114.114/53, ID=7.
*Mar 20 21:06:14:506 2024 H3C LB/7/PACKET: -COntext=1; DNS server pool is selected according to policy: Pro=17, Src=10.0.0.1/48641, Dst=114.114.114.114/53, ID=7.
*Mar 20 21:06:14:506 2024 H3C LB/7/PACKET: -COntext=1; DNS server ds2 port 0 is selected according to predictor: Pro=17, Src=10.0.0.1/48641, Dst=114.114.114.114/53, ID=7.
*Mar 20 21:06:14:506 2024 H3C LB/7/PACKET: -COntext=1; Succeeded in processing first packet with NAT enabled: Pro=17, Src=10.0.0.1/48641, Dst=2.1.1.2/53, ID=7.
*Mar 20 21:06:14:506 2024 H3C LB/7/PACKET: -COntext=1; Succeeded in processing the packet with DNS proxy: Pro=17, Src=10.0.0.1/48641, Dst=2.1.1.2/53, ID=7.
*Mar 20 21:06:14:506 2024 H3C LB/7/PACKET: -COntext=1; Succeeded in processing reverse packet with NAT enabled: Pro=17, Src=114.114.114.114/53, Dst=10.0.0.1/48641, ID=1.
*Mar 20 21:06:14:507 2024 H3C LB/7/PACKET: -COntext=1; Input packet not match virtual server Pro=1, Src=10.0.0.1/0, Dst=22.22.22.22/0, ID=8, vpn=0.
*Mar 20 21:06:19:303 2024 H3C LB/7/PACKET: -COntext=1; Input packet not match virtual server Pro=1, Src=10.0.0.1/0, Dst=22.22.22.22/0, ID=13, vpn=0.
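
Added example (not part of the original case and not H3C tooling): a Python check that reads LB/7/PACKET debug lines like those above, reconstructs each client query (resolver the client addressed, dns-server selected, destination after rewrite) and flags any flow whose rewritten destination is not the selected server's configured address. The function names trace_queries and audit are assumptions; DNS_SERVERS mirrors the dns-server configuration on this page.

```python
import re

# dns-server name -> address, as configured under "loadbalance dns-server" on this page
DNS_SERVERS = {"ds1": "1.1.1.2", "ds2": "2.1.1.2"}

# Sample input: seven lines copied from the debug output on this page (two client queries)
SAMPLE_LOG = """\
*Mar 20 21:06:09:823 2024 H3C LB/7/PACKET: -COntext=1; Input packet matched DNS proxy dns-proxy1: Pro=17, Src=10.0.0.1/48640, Dst=114.114.114.114/53, ID=1.
*Mar 20 21:06:09:823 2024 H3C LB/7/PACKET: -COntext=1; DNS server ds1 port 0 is selected according to predictor: Pro=17, Src=10.0.0.1/48640, Dst=114.114.114.114/53, ID=1.
*Mar 20 21:06:09:823 2024 H3C LB/7/PACKET: -COntext=1; Succeeded in processing first packet with NAT enabled: Pro=17, Src=10.0.0.1/48640, Dst=1.1.1.2/53, ID=1.
*Mar 20 21:06:09:824 2024 H3C LB/7/PACKET: -COntext=1; Succeeded in processing reverse packet with NAT enabled: Pro=17, Src=114.114.114.114/53, Dst=10.0.0.1/48640, ID=1.
*Mar 20 21:06:14:506 2024 H3C LB/7/PACKET: -COntext=1; Input packet matched DNS proxy dns-proxy1: Pro=17, Src=10.0.0.1/48641, Dst=114.114.114.114/53, ID=7.
*Mar 20 21:06:14:506 2024 H3C LB/7/PACKET: -COntext=1; DNS server ds2 port 0 is selected according to predictor: Pro=17, Src=10.0.0.1/48641, Dst=114.114.114.114/53, ID=7.
*Mar 20 21:06:14:506 2024 H3C LB/7/PACKET: -COntext=1; Succeeded in processing first packet with NAT enabled: Pro=17, Src=10.0.0.1/48641, Dst=2.1.1.2/53, ID=7.
"""

LINE = re.compile(
    r"LB/7/PACKET: \S+; (?P<msg>.*?):? Pro=(?P<pro>\d+), "
    r"Src=(?P<src>[\d.]+/\d+), Dst=(?P<dst>[\d.]+)/\d+")
SELECTED = re.compile(r"DNS server (\S+) port \d+ is selected")

def trace_queries(log_text):
    """Rebuild one record per client socket (Src ip/port) from the debug lines."""
    flows = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["pro"] != "17":
            continue  # keep UDP records only; the ICMP "virtual server" lines are skipped
        msg, src = m["msg"], m["src"]
        if msg.startswith("Input packet matched DNS proxy"):
            flows[src] = {"client": src, "asked": m["dst"], "server": None, "sent_to": None}
            continue
        flow = flows.get(src)
        if flow is None:
            continue  # e.g. reverse packets, whose Src is the resolver, not a client
        sel = SELECTED.search(msg)
        if sel:
            flow["server"] = sel.group(1)   # dns-server object chosen by policy/predictor
        elif "first packet with NAT enabled" in msg:
            flow["sent_to"] = m["dst"]      # destination after the proxy rewrote the query
    return list(flows.values())

def audit(flows, servers=DNS_SERVERS):
    """Return flows whose rewritten destination is not the selected server's address."""
    return [f for f in flows if servers.get(f["server"]) != f["sent_to"]]

if __name__ == "__main__":
    for f in trace_queries(SAMPLE_LOG):
        print(f)
    print("mismatches:", audit(trace_queries(SAMPLE_LOG)))
```

The reverse-packet records in the log carry Src=114.114.114.114/53, so the client sees the reply as coming from the resolver it addressed; the selected dns-server is visible only in the device's own debug output.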