Applies To:
Show Versions3-DNS Controller versions 1.x - 4.x
- 4.2 PTF-10, 4.2 PTF-09, 4.2 PTF-08, 4.2 PTF-07, 4.2 PTF-06, 4.2 PTF-05, 4.2 PTF-04, 4.2 PTF-03, 4.2 PTF-02, 4.2 PTF-01, 4.2.0
10
Production Rules
- Controlling network traffic patterns with production rules
- Setting up production rules in the Configuration utility
- Working with the production rules scripting language
Controlling network traffic patterns with production rules
Production rules are a policy-based management tool that you can use to dynamically change how the 3-DNS distributes connections across the network. You can also use production rules to send system administrators notifications of specific events. Production rules are based on triggers, such as time of day, current traffic patterns, or current traffic volume. For example, you can configure a production rule that changes the load balancing mode to Quality of Service during your peak business hours, and you can configure a production rule that notifies you when the number of name resolution requests exceeds a specific number.
You can create production rules that apply to the system in general, or you can create production rules for specific wide IPs.
If you want to configure basic production rules, we recommend that you use the Configuration utility. If you want to create custom production rules, you should review the following section, Working with the production rules scripting language, on page 10-5 , which describes the scripting language you use to configure production rules from the command line. You may also want to contact a technical support engineer for additional assistance with complex configurations.
Setting up production rules in the Configuration utility
The Configuration utility uses a wizard-style format to help you set up production rules. The screen prompts that you see during the configuration process vary, depending on the items you select in each screen. However, to configure any production rule, you perform three basic steps:
- Define the type of rule
The two types of production rules are: global production rules, and wide IP production rules. - Define the rule trigger
The two types of rule triggers are: a set time or time interval, and a specific system event. - Define the action taken
The two basic types of rule actions are: to send user-definable messages to log files or email accounts, and to change specific load balancing settings.
The following sections discuss each production rule option in detail, and provide all of the information you need to complete the production rule using the wizard.
Viewing, adding, and deleting production rules
When you click Production Rules in the Configuration utility, the Production Rules wizard screen opens. The screen displays the list of existing global and wide IP production rules. You can add a new rule by clicking the Add Production Rule toolbar button, which starts the production rule wizard. The wizard prompts you to specify the various production rule options, and then allows you to review your selections before you save the production rule to the configuration.
Note that you can modify existing production rules by clicking the rule name in the list, and you can delete a production rule at any time by clicking the Delete button next to the rule name.
Choosing the rule type
The first step in the production rule wizard is to choose whether the production rule is a global production rule or a wide IP production rule.
- Global production rules
Global production rules send messages to log files or to specific email accounts, based on a set time interval or on standard events. The standard events are listed and described in Table 10.2, on page 10-8 . - Wide IP production rules
Wide IP production rules are based either on the time of day, or on standard events. Wide IP production rules can change the current load balancing modes for the preferred, alternate, or fallback methods; they can reconfigure ratio settings for individual virtual servers; and they can reconfigure the coefficients for Quality of Service mode. Wide IP production rules can also send messages to log files or email accounts.
After you choose a rule type, the wizard prompts you to name the rule and allows you to add a brief description of the rule.
Defining time-based triggers
The next step in the wizard prompts you to choose a trigger for the production rule. You can set up two basic types of triggers: time-based triggers and event-based triggers. This section describes the options for the time-based triggers, and the following section describes options for the event-based triggers. Once you review the information for the type of trigger you want to set up, go to Choosing the action taken, on page 10-4 .
Time-based triggers include two types: global production rules trigger on set time intervals, while wide IP production rules trigger at specific times on specific days. To set a time interval for a global production rule, you define the number of seconds that elapse between each action the production rule executes.
A wide IP production rule can trigger at a specific time of day, on a specific day of the week, on a specific date, or at a specific time on a specific date. The following procedures explain how to set up each type of time trigger, in the wizard, for wide IP production rules.
To apply a time of day variable
- From the Time Variable table, select Time.
- In the Start Time box, specify the hour and minute you want the production rule action to begin.
- In the Stop Time box, select the hour and minute you want the production rule action to stop.
Once you define the time of day that triggers the production rule, you continue with the wizard and begin to define the production rule action.
To apply a day of the week variable
- From the Time Variable table, select Day.
A table opens from which you select the day to start and stop the action. - From the Start Day box, select the day you want the production rule action to begin.
- From the Stop Day box, select the day you want the production rule action to stop.
Once you define the day of the week that triggers the production rule, you continue with the wizard and begin to define the production rule action.
To apply a date variable
- From the Time Variable table, select Date.
A table opens from which you select the date to start and stop the action. - In the Start Date box, type the date you want the production rule action to begin (mm/dd/yyyy).
- In the Stop Date box, type the date you want the production rule action to stop (mm/dd/yyyy).
Once you define the date that triggers the production rule, you continue with the wizard and begin to define the production rule action.
To apply a combined date and time variable
- From the Time Variable table, select Date/Time.
Two tables open and you select the start and stop dates and times. - In the Start Date box, type the date you want the production rule action to begin (mm/dd/yyyy).
- In the Stop Date box, type the date you want the production rule action to stop (mm/dd/yyyy).
- In the Start Time box, specify the hour and minute you want the production rule action to begin.
- In the Stop Time box, select the hour and minute you want the production rule action to stop.
Once you define the date and time that triggers the production rule, you continue with the wizard and begin to define the production rule action.
Defining event-based triggers
Both global production rules and wide IP production rules can be triggered by standard events, such as when a name resolution process begins. Wide IP production rules support two additional types of event-based triggers. You can set a wide IP production rule to trigger when a specific LDNS server makes a name resolution request, or to trigger when a user-specified number of name resolution requests are received by the 3-DNS.
The standard events that can trigger both global and wide IP production rules are described in Table 10.2, on page 10-8 .
Choosing the action taken
After you specify the production rule trigger, the wizard prompts you to choose the action that the production rule takes. Note that the actions that a production rule can take depend in part on whether the production rule is a global rule or a wide IP rule. For example, both global production rules and wide IP production rules can send user-defined messages to log files, or to specific email accounts, but only wide IP production rules can alter load balancing modes. The actions that you can choose for a production rule are:
- Sending user-defined messages
Both global and wide IP production rules can send user-defined messages to the syslog file, or to a specific email account. - Changing the load balancing mode settings
Wide IP production rules can change load balancing mode settings for the wide IP. You can change the preferred, alternate, and fallback methods, and you can change QOS coefficient settings. - Changing virtual server ratios
You can change virtual server ratios to alter the distribution load when the load balancing mode is set to Ratio. - Specifying a virtual server to return
You can specify that the 3-DNS returns a specific virtual server, rather than choosing a virtual server using load balancing.
Once you specify an action, the production rules wizard prompts you to review all of the production rule settings, and then saves the production rule to the configuration.
Working with the production rules scripting language
The production rules scripting language uses constructs and statements that are similar in syntax to Perl script and the C programming language. If you have a good working knowledge of Perl or C, you may want to create your own custom production rules. You can use the guidelines in this section in conjunction with the examples provided both here and in the sample wideip.conf file (installed on the 3-DNS).
If you need to add custom production rules to your configuration, but you do not want to work out the implementation yourself, you can contact your vendor for assistance.
Inserting production rules in the wideip.conf file
Production rules are part of the wideip.conf file, and you can either insert them directly in the file, or you can store them in a separate file and include them by reference. If you want to use the Configuration utility to manage the 3-DNS configuration, you must store production rules configured from the command line in a separate file, and include them by reference. If you attempt to use custom production rules in a file that you edit using the Configuration utility, the production rule syntax may become corrupt.
Warning: If you include custom production rules directly in the wideip.conf file, you must edit and maintain the wideip.conf file from the command line; you cannot use the Configuration utility for configuration administration.
Executing and managing production rules from the command line
The language that you use to specify production rules is 3dscript. Production rules must have the following attributes in 3dscript:
- Each production rule is uniquely identified by a label.
- Each production rule can be deleted using its label.
- All production rules at the global scope can be deleted.
- All production rules at the wide IP-pool scope can be deleted.
- Each production rule can be replaced.
- Each production rule can be annotated with a character string.
The 3dscript language manages and executes production rules according the following guidelines:
- The 3dscript language supports conditional execution of production rules using the if statement. You can use if statements in wide IP production rules, and in global production rules only if they are embedded within a when or an every statement.
- The 3dscript language supports event-driven execution of production rules using the when statement. You can use the when statement only in global production rules.
- The 3dscript language supports periodic execution of production rules using the every statement. You can use the every statement only in global production rules.
The following sections describe how to work with the components of the 3dscript language.
Working with the if statement
if(conditional-expression) { <action> ... } [ else { <action> ... } ]
The if statement is a standard statement that defines an event condition that triggers a production rule action. Typically you use if statements in wide IP production rules. An if statement must adhere to the following guidelines:
- The if statement can be specified in the scope of a wide IP pool statement.
- The if statement can be nested in another if statement.
- Multiple if statements can be specified in the same scope.
- The nesting of if statements is limited only by the memory capacity of the 3-DNS.
- The precedence of logical, relational, and unary operators is the same as in ANSI-c.
Working with the when statement
when(event) { <action> ... }
The when statement is a standard statement that defines a specific event condition that triggers a production rule action. A when statement can be used only in global production rules, and it must adhere to the following guidelines:
- The when statement can be specified at the top scope of the wideip.conf file, after the wide IP definition(s) and before the topology statement.
- Multiple when statements can be specified in the same scope.
- Nesting of when statements is not allowed.
The production rule event triggers are described in Table 10.2 .
Working with the every statement
every(<seconds>) { <action> ... }
The every statement is a standard statement that defines a time interval at which the production rule action triggers, such as every 60 seconds. An every statement can be used only for a global production rule, and it must adhere to the following guidelines:
- The every statement can be specified at the top scope of the wideip.conf file, after the wide IP definition(s) and before the topology statement.
- Multiple every statements can be specified in the same scope.
- Nesting of every statements is not allowed.
Defining production rule actions
The production rules language supports the following actions. Not all actions apply to all production rule types. For example, the actions that change load balancing settings are valid only for wide IP production rules. Actions such as defining a log string can be used in either global production rules or wide IP production rules. Each action below specifies which production rule types can use it.
Production rule examples
There are a variety of custom production rules that you may want to implement or expand on for your own network. Following are examples of these three custom production rules:
- Load balancing according to time of day
- Load balancing according to local DNS server
- Hacker detection
Using production rules to load balance according to time of day
You can set up production rules ahead of time to deal with future needs and client demands for events. For example, say your company has a software distribution scheduled for release next Tuesday at 5:00 p.m. Pacific Standard Time. The new software will be available for download from the FTP sites at that time, and you expect that during the first week, traffic will be 10 times what it normally is, with frequent bursts during standard work hours, 7 a.m. to 6 p.m. However, the client base spans four time zones with an FTP server farm on the east coast in New York (192.168.101.50), and another on the west coast in Los Angeles (192.168.102.50). The 3-DNS is located on the east coast and runs on Eastern Standard Time. You are willing to accept some network latency in return for guaranteed connections.
Figure 10.1 shows a sample production rule that handles the connections according to the anticipated load at specific times of the day.
Figure 10.1 Load balancing by time of day
wideip {
address 192.168.101.50:21
name "ftp.domain.com"
pool {
preferred ratio
address 192.168.101.50 ratio 2
address 192.168.102.50 ratio 1
rule "ftp_balance"
// Night time: qos
if(time > "21:00" && time < "07:00") {
preferred leastconn
}
else {
preferred ratio
// East Coast
rule "east" if(time < "10:00") {
vs.(192.168.101.50).ratio 3
vs.(192.168.102.50).ratio 1
}
// Both coasts are at peak demand
else {
rule "both" if(time < "18:00") {
vs.(192.168.101.50).ratio 1
vs.(192.168.102.50).ratio 1
}
// West Coast
else {
vs.(192.168.101.50).ratio 1
vs.(192.168.102.50).ratio 3
}
}
}
}
}
Using production rules to load balance according to LDNS
One interesting application of production rules is that you can create a rule that is activated when a specific local DNS server makes a name resolution request. The following example is based on a web site published in three languages: English, Spanish, and Japanese. Suppose that the addresses in the network 10.10.0.0 are allocated to Japanese speakers, and the addresses in the network 10.11.0.0 are allocated to Spanish speakers. The production rule shown in Figure 10.2 uses the address of the requesting LDNS to determine which virtual server should receive the connection.
Figure 10.2 Load balancing by IP address of LDNS
wideip {
address 192.168.101.50:80
name "www.domain.com"
pool {
rule "Japanese" if(isLdnsInNet(10.10.0.0, 255.255.0.0)) {
return_vs(192.168.103.50:80)
}
else {
rule "Spanish" if(isLdnsInNet(10.11.0.0, 255.255.0.0)) {
return_vs(192.168.102.50:80)
}
else { // assume English
return_vs(192.168.101.50:80)
}
}
address 192.168.101.50 // English
address 192.168.102.50 // Spanish
address 192.168.103.50 // Japanese
}
}
Using production rules for hacker detection
Another interesting example of triggering a production rule based on the requesting LDNS server is to take evasive action against known hackers attempting to access your system. The production rule shown in Figure 10.3 sends the hacker to a special server, rather than flat out rejecting the connection. As an alternative, you can change the rule to return a non-routable or non-existent address.
Figure 10.3 Sending a hacker to a specific server
when(ResolveNameBegin) {
rule "roach_motel" if(isLdnsInNet(10.20.30.4, 255.255.255.0)) {
// Send this guy to our "roach motel" for hackers.
// This address doesn't need to be listed in any wideip pool.
// This address is reserved for us to watch hackers under the microscope.
log2mail("Hacker $ldns_ip came back")
return_vs(192.168.1.46:80)
}
}
A related example, shown in Figure 10.4 , illustrates a production rule that deals with attacks against iQuery communications. The production rule would warn you if the 3-DNS detected a hack attempt against the iQuery protocol, based on a communication failure.
Figure 10.4 Detecting an iQuery failure due to potential attack
Rule "iQuery_hacked" when(CRC_Failure) {
log2mail("Got CRC Failure")
}