Per-host DNS override

The DNS address override is enabled or disabled using a RADIUS VSA (Alc-Host-DNAT-Override), which can be present in the Access-Accept or in a CoA directed at a host. This gives the operator the capability to force the DNS packets of a device behind the vRGW to the DNS servers of the operator's choice. DNS override is achieved by subjecting DNS traffic to destination NAT; the traffic that is subjected to destination NAT is selected by applying a NAT classifier.

Per-host DNS address override also supports the RADIUS VSA Alc-Host-DNAT-Default-Address-Override, which specifies a per-host default address to substitute for the destination address in DNS packets. This per-host default address is used if no IP address is configured as part of the DNAT action within the classifier entry. The per-host default address can also be overridden by a RADIUS CoA directed at the host. The per-host default address received from RADIUS using this VSA can only be associated with a single NAT policy.

The per-host DNAT override can be removed using the Alc-Remove-Override attribute, in which case the host inherits the DNAT override state at the BRG level. The per-host default address for DNS address override can also be removed using Alc-Remove-Override.

Additionally, the per-host DNS override extends existing NAT classifier match criteria to include foreign IP addresses in the match for selecting traffic that goes through the DNAT. A foreign IP address is a destination IP address on the NAT inside service before translation. Following is a sample configuration:

*A:vSIM>config>service>nat# info
----------------------------------------------
            nat-classifier "dns-override" create
                entry 1 create
                    action dnat ip-address 12.12.12.3
                    match protocol udp
                        dst-port-range start 53 end 53
                        foreign-ip 8.8.8.8
                    exit
                exit
                entry 2 create
                    action dnat ip-address 12.12.12.4
                    match protocol udp
                        dst-port-range start 53 end 53
                        foreign-ip 8.8.8.9
                    exit
                exit
            exit
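
The following is an added model of the selection and address-precedence rules described above (example code, not SR OS software): a packet is only redirected when the effective override state for the host is enabled, the classifier entry's protocol, port range and foreign-ip must all match, and the entry's own dnat ip-address takes precedence over the per-host default address from the RADIUS VSA. Entries 1 and 2 mirror the sample configuration; entry 3, the subscriber values, the in-order entry evaluation and the handling of a match with no address at all are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model classes; field names mirror the CLI keywords and VSAs on the page.

@dataclass
class Entry:                        # one "entry N create" in a nat-classifier
    protocol: str                   # match protocol
    port_start: int                 # dst-port-range start
    port_end: int                   # dst-port-range end
    foreign_ip: Optional[str]       # foreign-ip (None = any destination before translation)
    dnat_ip: Optional[str]          # action dnat ip-address (None = use per-host default)

@dataclass
class Host:
    override: Optional[bool]        # Alc-Host-DNAT-Override; None = removed, inherit BRG level
    default_dnat_ip: Optional[str]  # Alc-Host-DNAT-Default-Address-Override

def effective_override(host: Host, brg_override: bool) -> bool:
    """Per-host state wins; after Alc-Remove-Override the BRG-level state applies."""
    return brg_override if host.override is None else host.override

def dnat_destination(proto: str, dst_ip: str, dst_port: int,
                     host: Host, entries: List[Entry], brg_override: bool) -> Optional[str]:
    """Return the translated destination address, or None if the packet is left untouched."""
    if not effective_override(host, brg_override):
        return None
    for e in entries:               # assumption: entries are evaluated in order, first match wins
        if proto != e.protocol or not (e.port_start <= dst_port <= e.port_end):
            continue
        if e.foreign_ip is not None and dst_ip != e.foreign_ip:
            continue
        # Entry address takes precedence; otherwise the per-host default from RADIUS.
        # Assumption: with neither configured, the packet is not translated.
        return e.dnat_ip or host.default_dnat_ip
    return None

# Entries 1 and 2 are from the sample configuration; entry 3 is constructed to show the fallback.
DNS_OVERRIDE = [
    Entry("udp", 53, 53, "8.8.8.8", "12.12.12.3"),
    Entry("udp", 53, 53, "8.8.8.9", "12.12.12.4"),
    Entry("udp", 53, 53, None, None),
]
SUB_1_1 = Host(override=True, default_dnat_ip="2.2.2.2")   # values taken from the show output below

if __name__ == "__main__":
    print(dnat_destination("udp", "8.8.8.8", 53, SUB_1_1, DNS_OVERRIDE, False))     # 12.12.12.3
    print(dnat_destination("udp", "192.0.2.53", 53, SUB_1_1, DNS_OVERRIDE, False))  # 2.2.2.2
```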

The show command for L2-aware hosts is extended to include the per-host DNS override and default DNAT address set using the RADIUS VSA.

======================================================================
Layer-2-Aware NAT hosts
======================================================================
Subscriber                  : sub-1-1
Inside IP address           : 10.1.1.1
----------------------------------------------------------------------
Policy                      : pol 2
Bypassing                   : false
VAS filter                  : N/A
Override DNAT               : enable
DNAT default addr. override : 2.2.2.2
Outside router              : 101
Outside IP address          : 40.101.2.1
Port block                  : N/A
----------------------------------------------------------------------
No. of hosts: 1
======================================================================