Forum Discussion
Tiger86_92132
Apr 19, 2011 Nimbostratus
A simple load balancing network
Hi,
I'm using a BIG-IP 1600 with the LC module. I need to configure a simple load balancing network (I just need outbound load balancing). Here's my network:
- I have 2 VLAN external for 2 internet lines...
hooleylist
Jun 14, 2011 Cirrostratus
Here's an example which uses a subtable to cache the DNS lookups:
when RULE_INIT {
    # A unique name to store the DNS responses for each client IP
    set static::dns_table "dns_table"
    # Cache timeout in seconds (5min for example)
    set static::cache_timeout 300
    # DNS virtual server name or DNS server IP address. A virtual server pointing to a pool of DNS servers is much preferred for reliability!
    set static::dns_server 4.2.2.1
}
when CLIENT_ACCEPTED {
    # Trigger a name lookup for new connections
    set do_lookup 1
    log local0. "[IP::client_addr]:[TCP::client_port]: New connection to [IP::local_addr]:[TCP::local_port]"
}
when HTTP_REQUEST {
    # Check if we haven't done a lookup already on this connection
    if { $do_lookup }{
        log local0. "[IP::client_addr]:[TCP::client_port]: Checking [IP::client_addr] in cache"
        # Check if a lookup already exists in the cache for this client IP
        set ptr [table lookup -subtable $static::dns_table [IP::client_addr]]
        if {$ptr eq ""}{
            log local0. "[IP::client_addr]:[TCP::client_port]: No cached value, doing a DNS lookup"
            # Do a reverse lookup on the client IP address
            set ptr [RESOLV::lookup -ptr @$static::dns_server [IP::client_addr]]
            log local0. "[IP::client_addr]:[TCP::client_port]: Lookup result: $ptr"
        } else {
            log local0. "[IP::client_addr]:[TCP::client_port]: Cached result: $ptr"
        }
        # Check if ptr record ends with .mil
        if { [string tolower $ptr] ends_with ".mil" } {
            # Allow .mil addresses and track that we've done a lookup for this connection
            log local0. "[IP::client_addr]:[TCP::client_port]: Valid ptr, allowing request"
            table add -subtable $static::dns_table [IP::client_addr] $ptr $static::cache_timeout indef
            set do_lookup 0
        } else {
            # PTR record does not end with ".mil", reject the connection
            log local0. "[IP::client_addr]:[TCP::client_port]: Invalid PTR, blocking HTTP request."
            HTTP::respond 403 content "Invalid PTR!\r\n"
            TCP::close
        }
    }
}
Aaron
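The iRule above accepts whatever name the PTR lookup returns, and that name is published by whoever operates the reverse zone for the client address, so a suffix match alone is a weak allow-list. The Python model below is an added example (not part of the post above and not iRule code): it keeps the same per-client cache and ".mil" suffix test and adds a forward-confirmation step. `PtrGate`, `normalize` and the sample DNS records are constructed for illustration.

```python
import time

# Constructed sample records standing in for a real resolver (assumption).
PTR = {"192.0.2.10": "Host1.Example.MIL.",    # genuine, forward record matches
       "198.51.100.7": "fake.example.mil",    # PTR claims .mil, forward does not agree
       "203.0.113.5": "client.example.com"}   # wrong suffix
A = {"host1.example.mil": ["192.0.2.10"],
     "fake.example.mil": ["192.0.2.99"]}

def normalize(name):
    """Lower-case and drop a trailing root dot so 'X.MIL.' matches '.mil'."""
    return (name or "").strip().rstrip(".").lower()

class PtrGate:
    """Allow a client only if its PTR ends with `suffix` AND resolves back to it."""

    def __init__(self, ptr_lookup, a_lookup, suffix=".mil", ttl=300,
                 clock=time.monotonic):
        self.ptr_lookup, self.a_lookup = ptr_lookup, a_lookup
        self.suffix, self.ttl, self.clock = suffix, ttl, clock
        self.cache = {}  # client IP -> (confirmed name, expiry time)

    def check(self, ip):
        now = self.clock()
        hit = self.cache.get(ip)
        if hit and hit[1] > now:
            return True, "cached"
        self.cache.pop(ip, None)             # expired or never seen
        name = normalize(self.ptr_lookup(ip))
        if not name.endswith(self.suffix):
            return False, "suffix"
        # Forward-confirm: the claimed name must map back to this client IP.
        if ip not in self.a_lookup(name):
            return False, "unconfirmed"
        # Like the iRule, cache only allowed clients, for `ttl` seconds.
        self.cache[ip] = (name, now + self.ttl)
        return True, "lookup"

if __name__ == "__main__":
    gate = PtrGate(PTR.get, lambda n: A.get(n, []))
    for ip in PTR:
        print(ip, gate.check(ip))
```

Caching only confirmed names means a rejected client is looked up again on its next connection, which matches the iRule's behaviour of adding a table entry only on the allow path.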