Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Cisco Global Site Selector Configuration Guide Software Version 1.1 January 2004 Text Part Number: OL-4327-01

Cisco Global Site Selector Configuration Guide Book-Length PDF v1.1


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco Global Site Selector Configuration Guide
Copyright © 2003 Cisco Systems, Inc. All rights reserved.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)

CONTENTS

Preface
Audience
How to Use This Guide
Related Documentation
Symbols and Conventions
Obtaining Documentation
Cisco.com
Documentation CD-ROM
Ordering Documentation
Documentation Feedback
Obtaining Technical Assistance
Cisco TAC Website
Opening a TAC Case
TAC Case Priority Definitions
Obtaining Additional Publications and Information

CHAPTER 1 Introducing the Global Site Selector
GSS Overview
DNS Routing
DNS Name Servers
Request Resolution
GSLB Using the GSS
GSS Architecture
Global Site Selectors and Global Site Selector Managers
GSS
Primary GSSM
Standby GSSM
DNS Rules
Hosted Domains and Domain Lists
Source Address and Source Address Lists
Answers and Answer Groups
VIP Answers
Name Server Answers
CRA Answers
Keepalives
ICMP
TCP
HTTP-HEAD
KAL-AP
CRA
Name Server
None
Adjusting Failure Detection Time for Keepalives
Balance Methods
Ordered List
Round-Robin
Weighted Round-Robin
Least Loaded
Hash
Boomerang (DNS Race)
Balance Method Options for Answer Groups
Locations and Regions
Owners
GSS Network Deployment
Locating GSS Devices
Locating GSS Devices Behind Firewalls
Communication Between GSS Nodes
Deployment Within Data Centers
GSS Network Management
CLI-Based GSS Management
GUI-Based Primary GSSM Management
Understanding the Primary GSSM Graphical User Interface
Graphical User Interface Organization
List Pages
Details Pages
Navigation
Primary GSSM GUI Icons and Symbols
Primary GSSM GUI Online Help
Where to Go Next

CHAPTER 2 Setting Up Your GSS
Accessing the GSS CLI
Accessing the CLI Using a Direct Serial Connection
Enabling Remote Access on a GSS Device
Accessing the CLI Using a Remote Connection
Accessing the GSS CLI Using a Private and Public Key Pair
Performing Network Configuration of the GSS
Configuring the GSS Using the Setup Script
Configuring the GSS from the CLI
Configuring a Primary GSSM or Standby GSSM
Configuring a Global Site Selector
Logging Into the Primary GSSM Graphical User Interface
Creating and Modifying GSS Devices
Activating GSS Devices
Modifying GSS Device Configuration
Deleting GSS Devices
Global Server Load-Balancing Summary
Where to Go Next

CHAPTER 3 Configuring Resources
Organizing Your GSS Network
Creating and Modifying Locations and Regions
Creating Regions
Creating Locations
Modifying Regions
Modifying Locations
Deleting Locations and Regions
Creating and Modifying Owners
Creating Owners
Modifying Owners
Deleting Owners
Grouping GSS Resources by Location, Region, and Owner
Where to Go Next

CHAPTER 4 Configuring Source Address Lists
Creating Source Address Lists
Modifying Source Address Lists
Deleting Source Address Lists
Where to Go Next

CHAPTER 5 Configuring Domain Lists
Domain List Overview
Creating Domain Lists
Modifying Domain Lists
Deleting Domain Lists
Where to Go Next

CHAPTER 6 Configuring KeepAlives
Modifying Global KeepAlive Properties
Global KeepAlive Configuration—ICMP
Global KeepAlive Configuration—TCP
Global KeepAlive Configuration—HTTP HEAD
Global KeepAlive Configuration—KAL-AP
Global KeepAlive Configuration—CRA
Global KeepAlive Configuration—Name Server
Configuring and Modifying Shared VIP KeepAlives
Creating a Shared VIP KeepAlive
Shared KeepAlive Configuration—ICMP
Shared KeepAlive Configuration—TCP
Shared KeepAlive Configuration—HTTP HEAD
Shared KeepAlive Configuration—KAL-AP
Modifying a Shared KeepAlive
Deleting a Shared KeepAlive
Where to Go Next

CHAPTER 7 Configuring Answers and Answer Groups
Configuring and Modifying Answers
Creating a VIP-Type Answer
VIP Answer—ICMP KeepAlive
VIP Answer—TCP KeepAlive
VIP Answer—HTTP HEAD KeepAlive
VIP Answer—KAL-AP KeepAlive
Creating a CRA-Type Answer
Creating a Name Server-Type Answer
Modifying an Answer
Suspending an Answer
Reactivating an Answer
Suspending or Reactivating All Answers in a Location
Deleting an Answer
Configuring and Modifying Answer Groups
Creating an Answer Group
Modifying an Answer Group
Suspending or Reactivating an Answer Group
Suspending or Reactivating All Answers in an Answer Group Associated with an Owner
Deleting an Answer Group
Where to Go Next

CHAPTER 8 Building and Modifying DNS Rules
DNS Rule Configuration Overview
DNS Rule Wizard
DNS Rule Builder
Building DNS Rules Using the Wizard
DNS Rule Wizard—Source Address List Page
DNS Rule Wizard—Source Address List Page 2
DNS Rule Wizard—Source Address List Page 3
DNS Rule Wizard—Domain List Page
DNS Rule Wizard—Domain List Page 2
DNS Rule Wizard—Domain List Page 3
DNS Rule Wizard—Answer Group Page
DNS Rule Wizard - Answer Group Page 2
DNS Rule Wizard - Answer Group Page 3
DNS Rule Wizard - Answer Group Page 4
DNS Rule Wizard—Balance Method Page
DNS Rule Wizard—Summary
Building DNS Rules Using the DNS Rule Builder
Modifying DNS Rules
Suspending a DNS Rule
Reactivating a DNS Rule
Suspending or Reactivating All DNS Rules Belonging to an Owner
Deleting a DNS Rule
Configuring DNS Rule Filters
Removing DNS Rule Filters
Delegation to GSS Devices

CHAPTER 9 GSS Administration and Troubleshooting
Performing Advanced GSS Configuration Tasks
Logically Removing a GSS or Standby GSSM from the Network
Changing the GSSM Role in the GSS Network
Switching the Roles of the Primary and Standby GSSMs
Reversing the Roles of the Interim Primary and Standby GSSMs
Modifying Network Configuration Settings of a GSS
Changing the Startup and Running Configuration Files
Loading the Startup Configuration from an External File
Configuring the Primary GSSM Graphical User Interface
Printing and Exporting GSSM Data
Configuring GSS Security
Creating and Managing GSSM Login Accounts
Creating a GSSM GUI User Account
Modifying a GSSM GUI User Account
Removing a GSSM GUI User Account
Changing Your GSSM GUI Password
Creating and Managing GSS CLI Login Accounts
Creating a GSS User Account Using the CLI
Modifying a GSS User Account Using the CLI
Deleting a GSS User Account Using the CLI
Resetting the CLI Administrator Account Password
Segmenting GSS Traffic by Interface
Filtering GSS Traffic Using Access Lists
Creating an Access List
Associating an Access List with a GSS Interface
Disassociating an Access List from a GSS Interface
Adding Rules to an Access List
Removing Rules from an Access List
Viewing Access Lists
Deploying GSS Devices Behind Firewalls
Configuring SNMP on Your GSS Network
Configuring SNMP on Your GSS
Viewing SNMP Status
Viewing MIB Files on the GSS
Backing Up the GSSM
Determining When and What Type of Backup to Perform
When to Perform a Full Backup
When to Perform a Database Backup
Performing a Full GSSM Backup
Performing a GSSM Database Backup
Upgrading the Cisco GSS Software
Verifying the GSSM Role in the GSS Network
Backing up and Archiving the Primary GSSM
Obtaining the Software Upgrade
Upgrading Your GSS Devices
Downgrading and Restoring Your GSS Devices
Restoring an Earlier Software Version on Your GSS Devices
Restoring Your GSSM from a Full Backup
Restoring Your GSSM Database from a Database-Only Backup
Viewing Third-Party Software Versions
Primary GSSM Error Messages
Answer Error Messages
Answer Group Error Messages
DNS Rule Error Messages
Domain List Error Messages
Shared KeepAlive Error Messages
KeepAlive Error Messages
Location Error Messages
Owner Error Messages
Region Error Messages
GSSM Error Messages
Source Address List Error Messages
User Error Messages

CHAPTER 10 Monitoring GSS Performance
Monitoring GSS and GSSM Status
Monitoring the Online Status of GSS Devices from the CLI
Monitoring the Status of Your GSS Network from the CLI
Monitoring the Status of the Boomerang Server on Your GSS
Monitoring the Status of the DNS Server on Your GSS
Monitoring the Status of Keepalives on Your GSS
Monitoring GSS Device Status from the Primary GSSM GUI
Monitoring GSSM Database Status
Monitoring the Database Status
Validating Database Records
Creating a Database Validation Report
Monitoring Global Load-Balancing Status
Monitoring Answer Hit Counts
Monitoring Answer Keepalive Statistics
Monitoring Answer Status
Monitoring DNS Rule Statistics
Monitoring Domain Statistics
Monitoring Source Address Statistics
Monitoring Global Statistics
Viewing Log Files
Understanding GSS Logging Levels
Viewing Device Logs from the CLI
Viewing the gss.log File from the CLI
Viewing Subsystem Log Files from the CLI
Rotating Existing Log Files from the CLI
Viewing System Logs from the Primary GSSM GUI
Viewing System Logs from the GUI
Purging System Log Messages from the GUI
System Log Messages

GLOSSARY

INDEX

FIGURES

Figure 1-1 Domain Name Space
Figure 1-2 DNS Request Resolution
Figure 1-3 GSLB Using the Cisco Global Site Selector
Figure 1-4 Effect of the Number of Retries Value on the Keepalive Transmission Interval
Figure 1-5 Primary GSSM Welcome Window
Figure 1-6 Answers List Page
Figure 1-7 Modifying Answer Details Page
Figure 1-8 GSSM Online Help
Figure 2-1 Primary GSSM Welcome Window
Figure 2-2 Global Site Selectors List Page - Inactive Status
Figure 2-3 Modifying GSS Details Page
Figure 2-4 Global Site Selectors List Page - Active Status
Figure 3-1 Regions List Page
Figure 3-2 Creating New Region Details Page
Figure 3-3 Locations List Page
Figure 3-4 Creating New Location Details Page
Figure 3-5 Modifying Region Details Page
Figure 3-6 Modifying Location Details Page
Figure 3-7 Owners List Page
Figure 3-8 Creating New Owner Details Page
Figure 3-9 Modifying Owner Details Page
Figure 4-1 Source Address Lists List Page
Figure 4-2 Creating New Source Address List - General Configuration
Figure 4-3 Creating New Source Address List - Add Addresses
Figure 4-4 Creating Source Address List - Current Members List
Figure 4-5 Modifying Source Address List - Remove Addresses
Figure 4-6 Modifying Source Address List - Delete Icon
Figure 5-1 Domain Lists Page
Figure 5-2 Creating New Domain List Details Page - General Configuration
Figure 5-3 Creating New Domain List - Add Domains
Figure 5-4 Creating Domain List - Current Members List
Figure 5-5 Modifying Domain List - Remove Domains
Figure 5-6 Modifying Domain List - Delete Icon
Figure 6-1 Configure Global KeepAlive Properties Details Page
Figure 6-2 ICMP Global KeepAlive—Standard KAL Type
Figure 6-3 ICMP Global KeepAlive—Fast KAL Type
Figure 6-4 TCP Global KeepAlive—Standard KAL Type
Figure 6-5 TCP Global KeepAlive—Fast KAL Type
Figure 6-6 HTTP HEAD Global KeepAlive—Standard KAL Type
Figure 6-7 HTTP HEAD Global KeepAlive—Fast KAL Type
Figure 6-8 KAL-AP Global KeepAlive—Standard KAL Type
Figure 6-9 KAL-AP Global KeepAlive—Fast KAL Type
Figure 6-10 Global KeepAlives Details Page—CRA KeepAlive
Figure 6-11 Global KeepAlives Details Page—Name Server KeepAlive
Figure 6-12 Shared KeepAlives Lists Page
Figure 6-13 Creating New Shared KeepAlives Details Page
Figure 6-14 Shared KeepAlives Details Page—ICMP KeepAlive (Fast KAL Type)
Figure 6-15 Shared KeepAlives Details Page—TCP KeepAlive (Fast KAL Type)
Figure 6-16 Shared KeepAlives Details Page—HTTP HEAD KeepAlive (Fast KAL Type)
Figure 6-17 Shared KeepAlives Details Page—KAL-AP KeepAlive (Fast KAL Type)
Figure 6-18 Modifying Shared KeepAlive Details Page
Figure 7-1 Answers List Page
Figure 7-2 Creating New Answer Details Page
Figure 7-3 Creating New Answer—VIP Details Page
Figure 7-4 Answer Details Page—ICMP KeepAlive VIP Answer
Figure 7-5 Answer Details Page—TCP KeepAlive VIP Answer
Figure 7-6 Answer Details Page—HTTP HEAD KeepAlive VIP Answer
Figure 7-7 Answer Details Page—KAL-AP Keepalive VIP Answer
Figure 7-8 Creating New Answer—CRA Answer
Figure 7-9 Creating New Answer—Name Server Answer
Figure 7-10 Modifying Answer Details Page
Figure 7-11 Answer Group List Page
Figure 7-12 Creating New Answer Group Details Page—General Configuration
Figure 7-13 Creating New Answer Group Details Page—Add Answers
Figure 7-14 Creating New Answer Group Details Page—Current Members
Figure 7-15 Modifying Answer Group - Remove Answers
Figure 7-16 Modifying Answer Group - Suspend Answers Icon
Figure 7-17 Owners List Page
Figure 7-18 Modifying Owners Details Page
Figure 8-1 DNS Rule Wizard - Introduction Page
Figure 8-2 DNS Rule Builder Window
Figure 8-3 DNS Rules List Page
Figure 8-4 DNS Rule Wizard—Introduction Page
Figure 8-5 DNS Rule Wizard—Source Address List Page 1
Figure 8-6 DNS Rule Wizard—Source Address List Page 2
Figure 8-7 DNS Rule Wizard—Source Address List Page 3
Figure 8-8 DNS Rule Wizard—Domains List Page 1
Figure 8-9 DNS Rule Wizard—Domains List Page 2
Figure 8-10 DNS Rule Wizard—Domains List Page 3
Figure 8-11 DNS Rule Wizard—Answer Group Page 1
Figure 8-12 DNS Rule Wizard—Answer Group Page 2
Figure 8-13 DNS Rule Wizard—Answer Group Page 3
Figure 8-14 DNS Rule Wizard—Answer Group Page 4
Figure 8-15 DNS Rule Wizard—Balance Method Page
Figure 8-16 DNS Rule Wizard—Summary Page
Figure 8-17 DNS Rules List Page
Figure 8-18 Create New DNS Rule Window
Figure 8-19 Owners List Page
Figure 8-20 Modifying Owners Details Page
Figure 8-21 Configure DNS Rule List Filter Details Page
Figure 9-1 GUI Configuration Details Page
Figure 9-2 GSSM User Administration List Page
Figure 9-3 GSSM User Administration Details Page
Figure 9-4 GSSM Change Password Details Page
Figure 9-5 GSSM Third-Party Software List Page
Figure 10-1 Answer Hit Counts List Page
Figure 10-2 Answer Keepalive Statistics List Page
Figure 10-3 Answer Status List Page
Figure 10-4 DNS Rule Statistics List Page
Figure 10-5 Domain Hit Counts List Page
Figure 10-6 Source Address List Statistics List Page
Figure 10-7 Global Statistics List Page
Figure 10-8 System Log List Page

TABLES

Table 1-1 Keepalive Transmission Rates
Table 1-2 Balance Method Options for Answer Types
Table 1-3 GSSM GUI Icons and Symbols
Table 3-1 GSS Network Groupings
Table 8-1 DNS Rules Filter Parameters
Table 9-1 GSS-Related Ports and Protocols (Inbound Traffic)
Table 9-2 Inbound Traffic Going Through a Firewall to the GSS
Table 9-3 Outbound Traffic Originating from the GSS
Table 10-1 Field Descriptions for Answer Hit Counts List Page
Table 10-2 Field Descriptions for Answer Keepalive Statistics List Page
Table 10-3 Field Descriptions for Answer Status List Page
Table 10-4 Field Descriptions for DNS Rule Statistics List Page
Table 10-5 Field Descriptions for Domain Statistics List Page
Table 10-6 Field Descriptions for Source Address Statistics List Page
Table 10-7 Field Descriptions for Global Statistics List Page
Table 10-8 GSS Logging Levels
Table 10-9 System Log Messages

Preface

This guide includes information on configuring the Cisco Global Site Selector (GSS). It provides procedures for the proper setup, global server load balancing configuration, administration, and monitoring of the GSS product. Steps for troubleshooting many common problems are also provided.

This preface describes the following topics:

• Audience

• How to Use This Guide

• Related Documentation

• Symbols and Conventions

• Obtaining Documentation

• Obtaining Technical Assistance

• Obtaining Additional Publications and Information

Audience

To use this configuration guide, you should be familiar with the Cisco Global Site Selector Series hardware. In addition, you should be familiar with basic TCP/IP and networking concepts, router configuration, Domain Name System (DNS), the Berkeley Internet Name Domain (BIND) software or similar DNS products, and your organization’s specific network configuration.

How to Use This Guide

This guide includes the following chapters:

Chapter/Title
    Description

Chapter 1, Introducing the Global Site Selector
    Describes the basic concepts underlying the GSS product as well as important GSS-related terms.

Chapter 2, Setting Up Your GSS
    Describes the process of configuring the Global Site Selector Series hardware to act as a Global Site Selector Manager (GSSM) or Global Site Selector (GSS) device.

Chapter 3, Configuring Resources
    Instructions on organizing resources on your GSS network as locations, regions, and owners.

Chapter 4, Configuring Source Address Lists
    Describes the creation and modification of source address lists.

Chapter 5, Configuring Domain Lists
    Describes the creation and modification of domain lists.

Chapter 6, Configuring KeepAlives
    Describes the modification of global keepalive parameters and the creation of shared keepalives.

Chapter 7, Configuring Answers and Answer Groups
    Describes the creation of GSS answers and answer groups.

Chapter 8, Building and Modifying DNS Rules
    Describes constructing the DNS rules that govern all global server load balancing on your GSS network.

Chapter 9, GSS Administration and Troubleshooting
    Covers the procedures necessary to properly manage and maintain your GSSM and GSS devices, including login security, software upgrades, GSSM database administration, and GSSM error messages.

Chapter 10, Monitoring GSS Performance
    Describes the tools that you can use to monitor the status of your GSS devices and of global load balancing on your GSS network.

Related Documentation

In addition to this document, the GSS documentation set includes the following:

Document Title
    Description

Global Site Selector Hardware Installation Guide
    Intended to help you install your Cisco Global Site Selector and get it ready for operation. It describes how to prepare your site for installation, how to install the GSS in an equipment rack, and how to maintain and troubleshoot the system hardware.

Release Note for the Cisco Global Site Selector
    Provides information on operating considerations, caveats, and commands for the Global Site Selector software.

Cisco Global Site Selector Command Reference
    Provides an alphabetical list of all GSS Command Line Interface (CLI) commands including syntax, options, and related commands. This document also describes how to use the CLI interface.

Symbols and Conventions

This guide uses the following symbols and conventions to emphasize certain information.

Command descriptions use the following conventions:

boldface font
    Commands and keywords are in boldface.

italic font
    Variables for which you supply values are in italics.

[ ]
    Elements in square brackets are optional.

{x | y | z}
    Alternative keywords are grouped in braces and separated by vertical bars.

[x | y | z]
    Optional alternative keywords are grouped in brackets and separated by vertical bars.

string
    A nonquoted set of characters. Do not use quotation marks around the string, or the string will include the quotation marks.

Screen examples use the following conventions:

screen font
    Terminal sessions and information the system displays are in screen font.

boldface screen font
    Information you must enter is in boldface screen font.

italic screen font
    Variables for which you supply values are in italic screen font.

This pointer highlights an important line of text in an example.

^
    The symbol ^ represents the key labeled Control—for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.

< >
    Nonprinting characters, such as passwords, are in angle brackets.

[ ]
    Default responses to system prompts are in square brackets.

!, #
    An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Graphical user interface elements use the following conventions:

boldface text
    Instructs the user to enter a keystroke or act on a GUI element.

Courier text
    Indicates text that appears in a command line, including the CLI prompt.

Courier bold text
    Indicates commands and text you enter in a command line.

italic text
    Directories and filenames are in italic font.

Caution A caution means that a specific action you take could cause a loss of data or adversely impact use of the equipment.

Note A note provides important related information, reminders, and recommendations.

1. A numbered list indicates that the order of the list items is important.

a. An alphabetical list indicates that the order of the secondary list items is important.

• A bulleted list indicates that the order of the list topics is unimportant.

– An indented list indicates that the order of the list subtopics is unimportant.

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order annual or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can send your comments in e-mail to [email protected].

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance.

Cisco TAC Website

The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

The online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases. (Your network is minimally impaired or you require product information). After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using these recommendations, your case will be assigned to a Cisco TAC engineer.

For P1 or P2 cases (your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

• Priority 1 (P1)—Your network is “down” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

• Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

• Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

• Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

• Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

• Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/go/packet

• iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

• Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/index.html

CHAPTER 1

Introducing the Global Site Selector

This chapter describes the Cisco Global Site Selector (GSS) and introduces you to the terms and concepts necessary to properly understand and operate the GSS product.

This chapter contains the following major sections:

• GSS Overview

• DNS Routing

• GSLB Using the GSS

• GSS Architecture

• GSS Network Deployment

• GSS Network Management

• Understanding the Primary GSSM Graphical User Interface

For background material on DNS-based global server load balancing (GSLB), as it applies to the GSS, refer to the Business Case for Global Server Load Balancing white paper available on Cisco.com.

GSS Overview

With the growth of the Internet and of Internet-based commerce, there is an increasing demand for high-end networking solutions that can handle sophisticated customer transactions and high traffic loads. Improved content routing is a core technology behind such networking solutions.

Global load-balancing devices such as the Cisco Content Services Switch (CSS) and Cisco Content Switching Module (CSM) can balance content requests among two or more servers containing the same content that are connected to a corporate LAN or the Internet. Server load balancing devices ensure that the content consumer is directed to the host that is best suited to handle that consumer’s request.

Increasingly, organizations with a global reach or businesses that provide web and application hosting services require network devices that can perform such complex request routing to two or more redundant, geographically dispersed data centers, improving response times while also providing disaster recovery and failover protection through so-called “global server load balancing,” or GSLB.

The Cisco Global Site Selector (GSS) is a next-generation networking product that provides these services, allowing customers to leverage global content deployment across multiple distributed and mirrored data locations, optimizing site selection, improving Domain Name System (DNS) responsiveness, and ensuring data center availability.

Inserted into the traditional DNS routing hierarchy and closely integrated with your Cisco CSS, Cisco CSM, or third-party server load balancers (SLBs), the GSS monitors the health and load of the SLBs in each of your data centers and then uses that information along with customer-controlled routing algorithms to select the best-suited and least-loaded data center in real time.

Just as important, the GSS is capable of detecting site outages, ensuring that web-based applications are always online and that customer requests to data centers that suddenly go offline are quickly rerouted to available resources.

Finally, the GSS offloads tasks from traditional DNS servers by taking control of the domain resolution process for parts of your domain name space. Because it can respond to requests at a rate of thousands of requests per second, the GSS greatly improves DNS responsiveness to those subdomains.

DNS Routing

Before you can begin using the GSS product, you must first understand content routing as it currently exists, including DNS and how the introduction of GSS devices on your network will affect content routing and delivery to your customers. This section explains some of the key DNS routing concepts behind the GSS product.

Since the early 1980s, content routing on the Internet has been handled using the Domain Name System (DNS), a distributed database of host information that maps domain names to IP addresses. A radical departure from the largely manual system of maintaining lists of domain names that preceded it, DNS vastly improved the ability of those responsible for maintaining the Internet to manage network traffic and load, as well as maintain a consistent and unique list of valid Internet hosts.

Almost all transactions that occur across the Internet rely on DNS, including electronic mail, remote terminal access such as Telnet, file transfers using FTP, and web surfing. DNS makes possible the use of easy-to-remember alphanumeric host names instead of numeric IP addresses that bear no relationship to the content on the host.

DNS is a robust and flexible system for managing a nearly infinite number of host names, called the domain name space (Figure 1-1). DNS is particularly effective in that it allows local administration of segments (individual domains) of the overall database, yet makes it possible for data in any segment to be available across the entire network, a process known as delegation.

Figure 1-1 Domain Name Space

[Figure: tree diagram of the domain name space. Node labels: com, int, net, org, gov, mil, edu, cisco, vassar, www, ftp, admissions, alumni.]

DNS Name Servers

Information about the domain name space is stored on name servers that are distributed throughout the Internet, each server storing the complete information about its small part of the total domain name space, called a zone. End users requiring data from a particular domain or machine generate a recursive DNS request on their client that is sent first to the local name server (NS), sometimes called the D-proxy. The job of the D-proxy is to return the IP address of the requested domain to the end user.

The DNS structure is based on a hierarchical tree structure similar to common file systems. The key components in this infrastructure include:

• DNS Resolvers (DNSR)—Clients that access client name servers.

• Client Name Server (CNS)—A server that runs DNS software and has the responsibility of finding the requested web site. The CNS is sometimes called the client DNS proxy (D-proxy).

• Root Name Servers (RNS)—A server that resides at the top of the DNS hierarchy. The RNS knows how to locate every extension after the “.” in the host name. There are many top-level domains; the most common include .org, .edu, .net, .gov, and .mil. There are approximately 13 root servers worldwide for handling all Internet requests.

• Intermediate Name Server (INS)—A server that is used for scaling purposes. When the root name server does not have the IP address of the authoritative name server (ANS), it sends the requesting client name server to an intermediate name server. The intermediate name server then sends the client name server to the authoritative name server.

• Authoritative Name Server (ANS)—A server that is run by an enterprise or is outsourced to a service provider and is authoritative for the domain requested. The authoritative name server responds directly to the client name server (not to the client) with the requested IP address.

Request Resolution

If the local D-proxy does not have the information requested by the end user, it sends out iterative requests to the name servers that it knows are authoritative for domains close to the requested domain. For example, a request for www.cisco.com causes the D-proxy to check first for another name server that is authoritative for www.cisco.com.

The process outlined below summarizes the sequence performed by the DNS infrastructure to return an IP address when a client tries to access the www.cisco.com website. Figure 1-2 illustrates how the DNS request resolution process works.

Figure 1-2 DNS Request Resolution

[Figure: a desktop system querying www.cisco.com through the Client Name Server (D-proxy), the Root Name Server, the Intermediate Name Server (supporting .com), and the Authoritative Name Server (supporting Cisco.com and all sub-domains, such as www.cisco.com). The arrows are numbered 1 through 5.]

1. The resolver (client) sends a query for www.cisco.com to the local client name server (D-proxy).

2. The local D-proxy does not have the IP address for www.cisco.com, so it sends a query to a root name server (“.”) asking for the IP address. The root name server responds by referring the D-proxy to the specific name server supporting the .com domain. The root name server can respond to the request in two different ways. The most common way is to send the D-proxy directly to the authoritative name server for tac.support.cisco.com. Another method, called iterated query, is when the root name server sends the D-proxy to an intermediate name server that knows the address of the authoritative name server tac.support.cisco.com.

3. The local D-proxy sends a query to the intermediate name server which responds, referring the D-proxy to the authoritative name server for cisco.com and all the associated sub-domains.

4. The local D-proxy sends a query to the cisco.com authoritative name server. This name server is authoritative for cisco.com, which is the top-level domain. www.cisco.com is a sub-domain of cisco.com, so this name server is authoritative for the requested domain and sends the IP address to the D-proxy.

5. The D-proxy sends the IP address (198.133.219.25) to the client browser. The browser uses this IP address and initiates a connection to the www.cisco.com web site.

GSLB Using the GSS

The GSS addresses critical disaster recovery needs by globally load balancing distributed data centers. The GSS is designed to coordinate the efforts of SLBs, such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, a Web server, a cache or other geographically dispersed SLB in a global network deployment.

Running on a Cisco Global Site Selector Series platform, the GSS can support up to 256 unique SLBs and over 4000 separate VIP addresses. The GSS coordinates the activities of SLBs by acting as the authoritative DNS server for those devices under its control.

When the Cisco GSS is responsible for GSLB services, the DNS process migrates to the GSS. The DNS configuration is the same process as described in the “Request Resolution” section. The only exception is that the NS-records point to the GSSs located at each data center. Ultimately, the Cisco GSS device determines which data center site should receive the client traffic.
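The referral chain from the “Request Resolution” section, with the www subdomain delegated by NS records to one GSS per data center, as an added Python model (not part of the original guide and not Cisco code). All server names, zone data, and addresses are constructed placeholders, and the retry against the second GSS models ordinary resolver behavior.

```python
from typing import Dict, List, Optional, Tuple

MAX_HOPS = 8  # guard against referral loops in misconfigured zone data

# Constructed name-server data (names and addresses are placeholders).
# "referrals" maps a delegated zone to the servers authoritative for it;
# "records" holds the A records a server answers itself.
SERVERS: Dict[str, dict] = {
    "root": {"referrals": {"com": ["tld-com"]}},
    "tld-com": {"referrals": {"example.com": ["ns1.example.com"]}},
    "ns1.example.com": {
        "records": {"ftp.example.com": "192.0.2.21"},
        # Only this subdomain is delegated, to one GSS per data center.
        "referrals": {"www.example.com": ["gss1.example.com", "gss2.example.com"]},
    },
    "gss1.example.com": {"records": {"www.example.com": "198.51.100.10"}},
    "gss2.example.com": {"records": {"www.example.com": "198.51.100.10"}},
}


def best_referral(referrals: Dict[str, List[str]], qname: str) -> Optional[List[str]]:
    """Pick the referral whose zone is the longest suffix of qname."""
    zones = [z for z in referrals if qname == z or qname.endswith("." + z)]
    return referrals[max(zones, key=len)] if zones else None


def resolve_iteratively(qname: str, down=frozenset()) -> Tuple[Optional[str], List[str]]:
    """Act as the D-proxy: start at the root and follow referrals until a
    server returns an address. Returns (address, servers that responded)."""
    qname = qname.rstrip(".").lower()
    candidates: Optional[List[str]] = ["root"]
    path: List[str] = []
    for _ in range(MAX_HOPS):
        if not candidates:              # no record and no further referral
            break
        server = next((s for s in candidates if s not in down), None)
        if server is None:              # every server for this zone is unreachable
            break
        path.append(server)
        data = SERVERS[server]
        if qname in data.get("records", {}):
            return data["records"][qname], path
        candidates = best_referral(data.get("referrals", {}), qname)
    return None, path


if __name__ == "__main__":
    print(resolve_iteratively("www.example.com"))
    print(resolve_iteratively("www.example.com", down={"gss1.example.com"}))
    print(resolve_iteratively("ftp.example.com"))
```

Names outside the delegated subdomain (here `ftp.example.com`) never reach a GSS, and the delegation only survives a data center outage because the parent zone lists a GSS at more than one site.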

As the authoritative name server for a domain or subdomain, the GSS can consider additional information about the resources under its control when it receives requests from client name servers.

Among the additional factors that the GSS is capable of considering when responding to a request are:

• Availability—Which servers are online and available to respond to the query?

• Proximity—Which server responded the fastest to a query?

• Load—What type of traffic load is each server handling in the domain?

• Source of the Request—From which D-proxy did the content request originate?

• Preference—What is the first, second, or third choice of algorithm to use in responding to a query?

This type of load balancing helps to ensure not only that end users are always directed to resources that are online, but also that requests are forwarded to the most suitable device, resulting in increased response time for users.

In resolving DNS requests, the Cisco GSS performs a series of distinct operations that take into account the resources under its control and return the best possible answer to the requesting client’s D-proxy.

The process outlined below describes how the GSS interacts with various clients as part of the website selection process to return the IP address of the requested content site. Figure 1-3 illustrates how this process works.

Figure 1-3 GSLB Using the Cisco Global Site Selector

1. A client starts to download an updated version of software from www.cisco.com and types www.cisco.com in the location or address field of the browser. This application is supported at three different data centers.

2. The request is processed by the DNS global control plane infrastructure and arrives at the Cisco GSS device.

[Figure 1-3 diagram: clients requesting web sites (Mobile, Fixed Wireless, Cable, DSL, Dedicated ATM/Frame Relay, ISDN/Dial), Client Name Servers (D-Proxy), DNS Name Server, GSS 1, GSS 2, and Data Centers 1 through 3, shown across the DNS Global Control Plane and the IP Global Forwarding Plane. Legend: Clients DNS Requests, Cisco GSS's Response, Cisco GSS Tracking Global Resources, Layer 3 Communications. Callouts are numbered 1 through 6.]

3. The Cisco GSS offloads the site selection process from the DNS global control plane. The request and site selection are based on the load and health information in conjunction with customer-controlled load-balancing algorithms. The Cisco GSS, in real time, selects a data center that is available and not overloaded.

4. The Cisco GSS sends the IP address of the “best” server load balancer at a specific data center, in this case the SLB at Data Center 2.

5. The web browser processes the transmitted IP address.

6. The client is directed to the SLB at Data Center 2 by the IP control and forwarding plane.

GSS Architecture

This section describes the key components of a GSS deployment, including hardware and software, as well as GSS networking concepts. It includes:

• Global Site Selectors and Global Site Selector Managers

• DNS Rules

• Hosted Domains and Domain Lists

• Source Address and Source Address Lists

• Answers and Answer Groups

• Keepalives

• Balance Methods

• Locations and Regions

• Owners

Global Site Selectors and Global Site Selector Managers

The Global Site Selector solution relies on three distinct but closely related devices:

• GSS

• Primary GSSM

• Standby GSSM

GSS

The GSS is a Cisco Global Site Selector platform running GSS software and performing routing of DNS queries based on DNS rules and conditions configured using the GSSM.

Each GSS is known to and synchronized with the primary GSSM, but individual GSSs do not report their presence or status to one another. Each GSS on your network must delegate authority to the parent domain GSS DNS server that serves the DNS requests.

Each GSS is managed separately using the Cisco CLI. GUI support is not available on a GSS device.

A device that acts as a GSS may also be serving as the primary GSSM for a GSS network.

Primary GSSM

The primary GSSM is a Cisco Global Site Selector platform running Cisco GSS software and performing content routing as well as centralized management functions for the GSS network.

The primary GSSM serves as the organizing point of the GSS network, hosting the embedded GSS database that contains configuration information for all your GSS resources, such as individual GSSs and DNS rules. Other GSS devices report their status to the primary GSSM. Configuration changes initiated on the primary GSSM using the graphical user interface are automatically communicated to each device that the primary GSSM manages.

Any GSS device can serve as a GSSM.

In addition to content routing configuration, a subset of device-monitoring and logging features is accessible from the GSSM GUI, though more extensive inquiries may require access to the GSS CLI for an individual device.

Communication between administrators and the primary GSSM uses secure HTTP (HTTPS), and access to the primary GSSM graphical user interface is password-protected.

Standby GSSM

The standby GSSM is a Cisco Global Site Selector platform running Cisco GSS software and performing GSLB functions for the GSS network even while operating in standby mode. In addition, the standby GSSM can be configured to act as the GSSM should the primary GSSM go offline or become unavailable to communicate with other GSS devices.

As with the primary GSSM, the standby GSSM is configured to run the GSSM GUI and contains a duplicate copy of the embedded GSS database that is currently installed on the primary GSSM. Any configuration or network changes affecting the GSS network are synchronized between the primary and the standby GSSM so that the two devices are never out of step.

The GUI is inaccessible on the standby GSSM until it is designated as the primary GSSM. The standby GSSM can be enabled as the primary GSSM using the gssm standby-to-primary CLI command. You must make sure that your original primary GSSM is offline before attempting to enable the standby GSSM as the new primary GSSM. Having two primary GSSMs active at the same time may result in the inadvertent loss of configuration changes for your GSS network. If this dual primary GSSM configuration occurs, the two primary GSSMs revert to standby mode and you will need to reconfigure one of the GSSMs as the primary GSSM.

The standby GSSM is capable of temporarily taking over the role of the primary GSSM in the event that the primary GSSM is unavailable (for example, you need to move the primary GSSM or you want to take it offline for repair or maintenance). The switching of roles between the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online. The interim primary GSSM can be used to monitor GSS behavior and make configuration changes if necessary. Once the original primary GSSM is available, reassign the two GSSMs to their original roles in the GSS network as described in Chapter 9, GSS Administration and Troubleshooting, the “Logically Removing a GSS or Standby GSSM from the Network” section.

DNS Rules

The GSS uses DNS rules, as configured by the administrator through the primary GSSM GUI, to:

• Provide you with centralized command and control of how the GSS globally load balances a given hosted domain

• Define the IP address(es) to send to the client’s name server (D-proxy)

• Define the recovery method to use (using up to three load balance clauses)

DNS rules determine how the GSS responds to each query it receives by matching requests received from a known source, or D-proxy, to the most suitable member of a collection of name servers or virtual IP addresses (VIPs).

Each DNS rule takes into account four variables:

• The source IP address of the requesting D-proxy

• The requested hosted domain

• An answer group, which is a group of resources considered for the response

• A balance method, which is an algorithm for selecting the best server; a balance method together with an answer group makes up a clause

A DNS rule defines how a request is handled by the GSS by answering the following question:

When traffic arrives from a DNS proxy, querying a specific domain name, what resources should be considered for the response, and how should they be balanced?

Each GSS network supports a maximum of 4000 DNS rules.

Up to three possible response answer group and balance method clauses are available for each DNS rule. Each clause specifies that a particular answer group serve the request and a specific balance method be used to select the best resource from that answer group. These clauses are evaluated in order, with parameters established to determine when a clause should be skipped and the next clause used, in the event that the answer group and balance method it specifies do not yield an answer.

Hosted Domains and Domain Lists

A hosted domain (HD) is any domain or subdomain that has been delegated to the GSS and configured using the primary GSSM GUI for DNS query responses. In other words, a hosted domain is a DNS domain name for which the GSS is authoritative.

All DNS queries must match a domain belonging to a configured domain list, or else they are denied by the GSS. Queries that do not match domains on any GSS domain lists can also be forwarded by the GSS to an external DNS name server for resolution.

Hosted domains may or may not correspond to standard third-level domain names but cannot exceed 128 characters in length. Domain names that use wildcards are supported by the GSS. The GSS supports POSIX 1003.2 extended regular expressions when matching wildcards.

The following examples could be domain or sub-domain names configured on the GSS:

cisco.com
www.cisco.com
www.support.cisco.com
.*\.cisco\.com

Domain lists are groups of hosted domains that have been delegated to the GSS. Each GSS can support a maximum of 2000 hosted domains and 2000 hosted domain lists, with a maximum of 500 hosted domains supported for each domain list.

Using the DNS rules feature of the primary GSSM graphical user interface, requests for any member of a domain list are matched to an answer—a resource hosting the content being requested—using one of a number of balance methods.

Refer to Chapter 5, Configuring Domain Lists for more information on configuring domain lists.

Source Address and Source Address Lists

The term source address refers to the source of DNS queries received by the GSS. Source addresses might point to an IP address or block of addresses representing client D-proxies from which queries originate.

Using DNS rules, the GSS matches source addresses to domains hosted by the GSS using one of a number of different balance methods.

Source addresses are taken from the D-proxy (the local name server) to which a requesting client issued a recursive request. The D-proxy iterates the client queries to multiple name servers, eventually querying the GSS, which matches the D-proxy address against its list of configured source addresses.

DNS queries received by the GSS do not have to match a specific D-proxy in order to be routed; default routing can be performed on requests that do not emanate from a known source address. A fail safe “Anywhere” source address list is provided by default. Incoming queries that do not match your configured source address lists are matched to this list.

In addition to specific IP addresses, source addresses can also be set up to represent address blocks using variable-prefix-length classless interdomain routing (CIDR) block masking. For example, the following would all be acceptable GSS source addresses:

192.168.1.110
192.168.1.110/32
192.168.1.0/24
192.168.0.0/16

Source addresses are grouped into lists, referred to as source address lists, for the purposes of routing requests. Source address lists can contain between 1 and 30 source addresses, or unique address blocks. Each GSS supports up to 60 source address lists.
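The rule evaluation described in the DNS Rules, Hosted Domains and Domain Lists, and Source Address sections, as an added Python model (not Cisco code and not part of the original guide). The `ordered` balance method, whole-name wildcard matching, the preference for specific source lists over Anywhere, the verdict strings, and all names and addresses are assumptions of the model; Python's `re` stands in for POSIX extended regular expressions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MAX_DOMAIN_LEN = 128                  # hosted-domain limit stated in the guide
MAX_CLAUSES = 3                       # clauses per DNS rule stated in the guide
ANYWHERE = ["0.0.0.0/0"]              # stands in for the default "Anywhere" list
WILDCARD_CHARS = set("*?[]()|\\^$+")  # assumption: these mark a wildcard entry


def domain_matches(entry: str, qname: str) -> bool:
    """Literal entries compare case-insensitively; wildcard entries must
    match the whole query name (whole-name matching is an assumption)."""
    if len(entry) > MAX_DOMAIN_LEN:
        raise ValueError("hosted domain longer than 128 characters")
    name = qname.rstrip(".").lower()
    if WILDCARD_CHARS & set(entry):
        return re.fullmatch(entry, name, re.IGNORECASE) is not None
    return entry.lower() == name


def source_matches(blocks: List[str], d_proxy_ip: str) -> bool:
    """True when the D-proxy address is inside any configured address block."""
    addr = ipaddress.ip_address(d_proxy_ip)
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blocks)


@dataclass
class Answer:
    name: str
    vip: str
    online: bool = True               # a real GSS learns this from keepalives


def ordered(group: List[Answer]) -> Optional[Answer]:
    """Hypothetical balance method: first online answer in listed order."""
    return next((a for a in group if a.online), None)


@dataclass
class Clause:
    answer_group: List[Answer]
    balance: Callable[[List[Answer]], Optional[Answer]] = ordered


@dataclass
class DnsRule:
    name: str
    source_list: List[str]
    domain_list: List[str]
    clauses: List[Clause]

    def __post_init__(self) -> None:
        if not 1 <= len(self.clauses) <= MAX_CLAUSES:
            raise ValueError("a DNS rule takes one to three clauses")


def resolve(rules: List[DnsRule], d_proxy_ip: str,
            qname: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (verdict, rule name, VIP). Rules bound to a specific source
    address list are tried before rules bound to the Anywhere list."""
    hosted = False
    for rule in sorted(rules, key=lambda r: r.source_list == ANYWHERE):
        if not any(domain_matches(d, qname) for d in rule.domain_list):
            continue
        hosted = True
        if not source_matches(rule.source_list, d_proxy_ip):
            continue
        for clause in rule.clauses:   # clauses are evaluated in order
            answer = clause.balance(clause.answer_group)
            if answer is not None:
                return "answer", rule.name, answer.vip
        return "no-answer", rule.name, None
    # The guide says a query matching no domain list is denied.
    return ("no-rule" if hosted else "denied"), None, None


# Constructed sample configuration (documentation address ranges).
DC1 = Answer("dc1-slb", "192.0.2.10", online=False)
DC2 = Answer("dc2-slb", "198.51.100.20")
DC3 = Answer("dc3-slb", "203.0.113.30")
SAMPLE_RULES = [
    DnsRule("default", ANYWHERE, ["example.com", r".*\.example\.com"], [Clause([DC3])]),
    DnsRule("branch", ["192.168.1.0/24"], ["www.example.com"],
            [Clause([DC1]), Clause([DC2, DC3])]),
]

if __name__ == "__main__":
    for ip, name in [("192.168.1.110", "www.example.com"),
                     ("10.9.8.7", "www.example.com"),
                     ("10.9.8.7", "www.example.com.invalid")]:
        print(ip, name, resolve(SAMPLE_RULES, ip, name))
```

In this model the wildcard `.*\.example\.com` covers subdomains but neither the bare `example.com` nor a look-alike name such as `www.example.com.invalid`, so the apex needs its own literal entry in the domain list.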

Answers and Answer Groups

In a GSS network, the term answers refers to resources to which the GSS resolves DNS requests that it receives. There are three types of possible answers on a GSS network. These answers include:

• VIP—Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, a Web server, a cache or other geographically dispersed SLBs in a global network deployment.

• Name Server—Configured DNS name server on your network that can answer queries that the GSS cannot resolve.

• CRA—Content routing agents that use a resolution process called DNS race to send identical and simultaneous responses back to a user’s D-proxy.

As with domains and source addresses, answers are configured using the primary GSSM GUI by identifying the IP address to which queries can be directed.

Once created, answers are grouped together as resource pools called answer groups, from which the GSS, using up to three possible response answer group and balance method clauses in a DNS rule, can choose the most appropriate resource to serve each user request. Each balance method provides a different algorithm for selecting one answer from a configured answer group. Each clause specifies that a particular answer group serve the request and a specific balance method be used to select the best resource from that answer group.

Depending on the type of answer, further intelligence can be applied to DNS queries to choose the best host. For example, a request that is routed to a VIP associated with a Cisco CSS is routed to the best resource based on load and availability, as determined by the CSS. A request that is routed to a CRA is routed to the best resource based on proximity, as determined in a DNS race conducted by the GSS.

VIP Answers

VIP answers are used by SLBs to represent content hosted on one or more servers under their control. The use of VIP answers allows for traffic to be balanced among multiple origin servers, application servers, or transaction servers in a way that results in faster response times for users and less network congestion for the host.

When queried by a client’s D-proxy for a domain associated with a VIP answer type, the GSS responds with the VIP address of the SLB best suited to handle that request. The requesting client then contacts the SLB, which load balances the request to the server best suited to respond.


Name Server Answers

A name server answer specifies the IP address of a DNS name server to which DNS queries are forwarded from the GSS.

Using the name server forwarding feature, queries are forwarded to an external (non-GSS) name server for resolution, with the answer passed back to the GSS name server and from there to the requesting D-proxy. As such, the name server answer type can act as a guaranteed fallback resource—a way to resolve requests that the GSS cannot resolve itself—for the following reasons:

• The requested content is unknown to the GSS.

• The resources that typically handle such requests are unavailable.

• To use DNS server features that are not supported by the GSS, such as mail exchanger (type MX) records.

• To use a third-party content provider for failover and error recovery.

• To build a tiered DNS system.

CRA Answers

The CRA (content routing agent) answer relies on content routing agents and the GSS to choose a suitable answer for a given query based on the proximity of two or more possible hosts to the requesting D-proxy.

With the CRA answer, requests received from a particular D-proxy are served by the content server that responds first to the request. Response time is measured using a DNS race, coordinated by the GSS and content routing agents running on each content server. In the DNS race, multiple hosts respond simultaneously to an A-record request. The server with the fastest response time (the shortest network delay between itself and the client’s D-proxy) is chosen to serve the content.

For the GSS to initiate a DNS race it needs two pieces of information:

• The delay between the GSS and each of the CRAs in each data center. With this data the GSS computes how much time to delay the race from each data center so each CRA starts the race simultaneously.

• The online status of the CRA through the use of keepalives.

The boomerang balance method uses the DNS race to determine the best site. See the “Boomerang (DNS Race)” section for more information on this balance method.


Keepalives

In addition to specifying a resource, each answer also provides you with the option of specifying a keepalive for that resource, a method by which the GSS can periodically check to see if the resource is still active. A keepalive is a specific interaction (handshake) between the GSS and another device using a commonly supported protocol. A keepalive is designed to test if a specific protocol on the device is functioning properly. If the handshake is successful, then the device is available, active, and able to receive traffic. If the handshake fails, then the device is considered to be unavailable and inactive. All answers are validated by configured keepalives and are not returned by the GSS to the D-proxy if the keepalive indicates that the answer is not viable.

The GSS uses keepalives to collect and track information on everything from the simple online status of VIPs to services and applications running on a server. Depending on the type of resource that you are configuring as a GSS answer (for example, a VIP address associated with a Cisco CSS or a virtual server IP address associated with a CSM), you have the option of configuring a keepalive for that answer that is used to monitor its online status continually and report that information to the GSSM. Routing decisions involving that answer consider that online status information.

The GSS also supports the use of shared keepalives to minimize traffic between the GSS and the SLBs that it is monitoring. A shared keepalive identifies a common address or resource that can provide status for multiple answers. Shared keepalives are not used with name server or CRA answers.

The sections that follow explain the various keepalive types supported by the GSS:

• ICMP

• TCP

• HTTP-HEAD

• KAL-AP

• CRA

• Name Server

• None

• Adjusting Failure Detection Time for Keepalives


ICMP

An ICMP keepalive is used when the GSS answer that you are testing is a VIP address, IP address, or a virtual server IP address. The Internet Control Message Protocol (ICMP) keepalive type monitors the health of resources by issuing queries containing ICMP packets to the configured VIP address (or a shared keepalive address) for the answer. Online status is determined by a response from the targeted address, indicating simple connectivity to the network. The GSS supports up to 500 ICMP keepalives when using the standard detection method and up to 100 ICMP keepalives when using the fast detection method. See the “Adjusting Failure Detection Time for Keepalives” section for details.

TCP

A TCP keepalive is used when the GSS answer that you are testing is a GSLB device that may be something other than a CSS or CSM. These GSLB remote devices could include web servers, LocalDirectors, WAP gateways, and other devices that can be checked using a TCP keepalive. The TCP keepalive initiates a TCP connection to the remote device by performing the three-way handshake sequence.

Once the TCP connection is established, the GSS terminates the connection. You can choose to terminate the connection from two termination methods: Reset (immediate termination using a hard reset) or Graceful (standard three-way handshake termination).

The GSS supports up to 500 TCP keepalives when using the standard detection method and up to 100 TCP keepalives when using the fast detection method. Refer to the “Adjusting Failure Detection Time for Keepalives” section for details.

HTTP-HEAD

An HTTP HEAD keepalive is used when the GSS answer that you are testing is an HTTP web server acting as a standalone device or managed by an SLB device such as a Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, or Cisco LocalDirector. The HTTP-HEAD keepalive type sends a TCP formatted HTTP HEAD request to a web server at an address that you specify, returning the online status of the device in the form of an HTTP Response Status Code of 200 (for example, HTTP/1.0 200 OK).


Once the HTTP HEAD connection is established, the GSS terminates the connection. You can choose to terminate the connection from two termination methods: Reset (immediate termination using a hard reset) or Graceful (standard three-way handshake termination).

The GSS supports up to 500 HTTP HEAD keepalives when using the standard detection method and up to 100 HTTP HEAD keepalives when using the fast detection method. Refer to the “Adjusting Failure Detection Time for Keepalives” section for details.

KAL-AP

A KAL-AP (KeepAlive-Appliance Protocol) keepalive is used when the GSS answer that you are testing is a VIP associated with a Cisco CSS or a Cisco CSM. The KAL-AP keepalive type sends a detailed query to both a primary (master) and an optional secondary (backup) circuit address that you specify, returning the online status of each interface as well as information on load.

Depending on your GSS network configuration, the KAL-AP keepalive can be used to either query a VIP address directly (KAL-AP By VIP) or query an address by way of an alphanumeric tag (KAL-AP By Tag). Using a KAL-AP By Tag keepalive query can be particularly useful in the following cases:

• You are attempting to determine the online status of a device that is located behind a firewall that is performing Network Address Translation (NAT).

• There are multiple content rule choices on the SLB.

The GSS supports up to 128 primary and 128 secondary KAL-AP keepalives when using the standard detection method and up to 40 primary and 40 secondary KAL-AP keepalives when using the fast detection method. See the “Adjusting Failure Detection Time for Keepalives” section for details.

CRA

The CRA keepalive is used when you are testing a CRA answer that responds to DNS race requests. The CRA keepalive type tracks the time required (in milliseconds) for a packet of information to reach the CRA and return to the GSS. The GSS supports up to 200 CRA keepalives.


Name Server

The name server keepalive sends a query to the IP address of the name server for a query domain that you specify (for example, www.cisco.com). Online status for the name server answer is determined by the ability of the name server or D-proxy for the query domain to respond to the query and assign the domain to an address. The GSS supports up to 100 name server keepalives.

None

With the keepalive set to None, the GSS assumes that the named answer is always online. Setting the keepalive type to None prevents your GSS from taking online status or load into account when routing. However, a keepalive of None can be useful under certain conditions, such as when adding devices to your GSS network that are not suited to other keepalive types. In general, ICMP is a simple and flexible keepalive type that works with most devices. Using ICMP is preferable to using the None option.

Adjusting Failure Detection Time for Keepalives

Failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs (the answer resource goes offline) and when the GSS realizes that the failure occurred. The failure detection window is the window of time that the GSS may wait, once a keepalive cycle has been initiated, before determining that an answer has failed. If a response packet fails to arrive back at the GSS within this window, the answer is marked offline.

The GSS supports two failure detection modes, standard and fast. The standard GSS detection time is typically 60 seconds before the GSS detects that a failure has occurred.

Standard mode allows adjustment of the following parameters:

• Response Timeout - The length of time allowed before the GSS retransmits data to a device that is not responding to a request. The valid entries are 20 to 60 seconds. The default is 20 seconds.

• Minimum Interval - The minimum frequency with which the GSS attempts to schedule a keepalive. The valid entries are 40 to 255 seconds. The default is 40 seconds.


With fast mode, the GSS controls the failure detection time through use of the following keepalive transmission interval formula:

(# Ack’d Packets * (Response TO + (Retry TO * # of Retries))) + Timed Wait

where:

# Ack’d Packets = Number of packets that require some form of acknowledgement (how many packets require acknowledgement)

Response TO = Response Timeout (how long to wait for a reply for a packet that requires acknowledgement)

Retry TO = Retry Timeout (how long to wait for a reply for a retransmitted packet)

# of Retries = Number of Retries (how many times the GSS retransmits packets to a potentially failed device before declaring the device offline)

Timed Wait = Time for remote side of the connection to close (TCP-based keepalive only)

Table 1-1 summarizes how the GSS software calculates the fast keepalive transmission rates.

Table 1-1 Keepalive Transmission Rates

Keepalive Type    # Ack’d Packets  Response TO    Retry TO       # of Retries       Timed Wait     Transmission
                  (Fixed Value)    (Fixed Value)  (Fixed Value)  (User Selectable)  (Fixed Value)  Interval
KAL-AP            1                2 seconds      2 seconds      1                  0              4 seconds
ICMP              1                2 seconds      2 seconds      1                  0              4 seconds
TCP (RST)         1                2 seconds      2 seconds      1                  0              4 seconds
TCP (FIN)         2                2 seconds      1 second       1                  2 seconds      10 seconds
HTTP HEAD (RST)   2                2 seconds      2 seconds      1                  0              8 seconds
HTTP HEAD (FIN)   3                2 seconds      2 seconds      1                  2 seconds      14 seconds


In the case of a TCP (RST) connection, the default transmission interval for a TCP keepalive would be:

(1 * (2 + (2 * 1))) + 0 = 4 seconds

You can adjust the number of retries for the ICMP, TCP, HTTP HEAD, and KAL-AP keepalive types. The number of retries defines how many times the GSS retransmits packets to a potentially failed device before declaring the device offline. The range is 1 to 10 retries. The default is 1. As you adjust the number of retries, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect.

The number of retries value is associated with every packet that requires some form of acknowledgement before continuing with a keepalive cycle (ICMP requests, TCP SYN, or TCP FIN). For example, to fully complete a TCP-based keepalive cycle, the TCP-based keepalive retries the SYN packet for the specified number of retries, and then retries the FIN packet for the specified number of retries.

In the above example of a TCP (RST) connection, if you change the number of retries from the default value of 1 to a setting of 5 the transmission interval would be:

(1 * (2 + (2 * 5))) + 0 = 12 seconds
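The formula and Table 1-1 can be checked mechanically. The following Python is an added example, not Cisco code: it transcribes the Table 1-1 rows as printed on this page, evaluates the formula for 1 to 10 retries, and lists any row whose printed interval the formula does not reproduce (as printed, the TCP (FIN) row yields 8 seconds rather than the listed 10). The class and function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FastKeepalive:
    """One row of Table 1-1 (hypothetical helper class, not a GSS structure)."""
    name: str
    acked_packets: int     # "# Ack'd Packets", fixed value
    response_timeout: int  # "Response TO" in seconds, fixed value
    retry_timeout: int     # "Retry TO" in seconds, fixed value
    timed_wait: int        # "Timed Wait" in seconds, fixed value
    table_interval: int    # "Transmission Interval" column, in seconds

    def interval(self, retries: int = 1) -> int:
        """(# Ack'd Packets * (Response TO + (Retry TO * # of Retries))) + Timed Wait"""
        if not 1 <= retries <= 10:
            raise ValueError("number of retries must be between 1 and 10")
        return (self.acked_packets
                * (self.response_timeout + self.retry_timeout * retries)
                + self.timed_wait)


# Values transcribed from Table 1-1 exactly as printed on this page.
TABLE_1_1: List[FastKeepalive] = [
    FastKeepalive("KAL-AP", 1, 2, 2, 0, 4),
    FastKeepalive("ICMP", 1, 2, 2, 0, 4),
    FastKeepalive("TCP (RST)", 1, 2, 2, 0, 4),
    FastKeepalive("TCP (FIN)", 2, 2, 1, 2, 10),
    FastKeepalive("HTTP HEAD (RST)", 2, 2, 2, 0, 8),
    FastKeepalive("HTTP HEAD (FIN)", 3, 2, 2, 2, 14),
]
BY_NAME: Dict[str, FastKeepalive] = {row.name: row for row in TABLE_1_1}


def table_mismatches() -> List[Tuple[str, int, int]]:
    """Rows where the formula at 1 retry differs from the printed interval.

    Each entry is (name, interval from the formula, interval in the table).
    """
    return [(row.name, row.interval(1), row.table_interval)
            for row in TABLE_1_1
            if row.interval(1) != row.table_interval]


def interval_matrix() -> Dict[str, List[int]]:
    """Transmission interval in seconds for 1 to 10 retries, per keepalive type."""
    return {row.name: [row.interval(n) for n in range(1, 11)]
            for row in TABLE_1_1}


def max_retries_within(row: FastKeepalive, budget_seconds: int) -> Optional[int]:
    """Largest retry setting whose interval fits the budget, or None if none fits."""
    fitting = [n for n in range(1, 11) if row.interval(n) <= budget_seconds]
    return max(fitting) if fitting else None


if __name__ == "__main__":
    for name, series in interval_matrix().items():
        print(f"{name:16} {series}")
    for name, computed, printed in table_mismatches():
        print(f"check {name}: formula gives {computed} s, table lists {printed} s")
```

A retry timeout of 2 seconds in the TCP (FIN) row would reproduce the listed 10 seconds; the page itself does not say which figure is the intended one.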

Figure 1-4 illustrates the effect on the keepalive transmission interval as you increase the number of retries value.


Figure 1-4 Effect of the Number of Retries Value on the Keepalive Transmission Interval

[Figure: chart titled “Fast Keepalive Intervals”. X axis: Number of Retries (1 to 10). Y axis: KAL Interval in Seconds (0 to 80). Series: KALAP, ICMP, & TCP (Reset); TCP (Standard Close); HTTP-HEAD (Reset); HTTP-HEAD (Standard Close).]

You can also define the number of consecutive successful keepalive attempts (probes) that must occur before the GSS identifies that an offline answer is now online. The GSS monitors each keepalive attempt to determine whether it has been successful. The number of successful probes parameter identifies how many consecutive successful keepalive attempts must be recognized by the GSS before bringing an answer back online and reintroducing it back into the GSS network.


Balance Methods

The GSS supports six unique balance methods that allow you to specify how a GSS answer should be selected to respond to a given DNS query. Each balance method provides a different algorithm for selecting one answer from a configured answer group. The sections that follow explain the various balance methods supported by the GSS:

• Ordered List

• Round-Robin

• Weighted Round-Robin

• Least Loaded

• Hash (based on source address or hosted domain)

• Boomerang (DNS race)

Ordered List

Using the ordered list balance method, each resource within an answer group (for example, an SLB VIP or a name server) is assigned a number that corresponds to the rank of that answer within the group. The number you assign represents the order of the answer on the list. Subsequent VIPs or name servers on the list will only be used in the event that preceding VIPs or name servers on the list are unavailable. The GSS supports gaps in numbering in an ordered list.

Note: For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.

Using the ranking of each answer, the GSS tries each resource in the order that has been prescribed, selecting the first available (“live”) answer to serve a user request. List members are given precedence and tried in order, and a member is not used unless all previous members fail to provide a suitable result.

The ordered list method is typically useful in managing resources across multiple content sites in which a deterministic method for selecting answers is required.


See the “Balance Method Options for Answer Groups” section for information on how the GSS determines which answer to select when using the ordered list balance method.

Round-Robin

Using the round-robin balance method, each resource within an answer group is tried in turn, with the GSS cycling through the list of answers, selecting the next answer in line for each request. In this way, the GSS can resolve requests by evenly distributing the load among possible answers.

The round-robin balance method is useful when balancing requests among multiple, active data centers that are hosting identical content; for example between SLBs at a primary and at an “active standby” site that serves requests.

See the “Balance Method Options for Answer Groups” section for information on how the GSS determines which answer to select when using the round-robin balance method.

Weighted Round-Robin

As with the round-robin balance method, the weighted round-robin method cycles through a list of defined answers, choosing each available answer in turn. However, with weighted round-robin, an additional “weight” factor is assigned to each answer, biasing the GSS toward certain servers, so that they are used more often.

See the “Balance Method Options for Answer Groups” section for information on how the GSS determines which answer to select when using the weighted round-robin balance method.

Least Loaded

Using the least loaded balance method, the GSS resolves requests to the least loaded of all resources, as reported by the KAL-AP keepalive process, which provides the GSS with detailed information on the SLB load and availability.

The least loaded balance method resolves the request by determining the least number of connections on a CSM or the least-loaded CSS.


See the “Balance Method Options for Answer Groups” section for information on how the GSS determines which answer to select when using the least loaded balance method.

Hash

Using the source address and domain hash balance method, elements of the client’s DNS proxy IP address and the requesting client’s domain are extracted and used to create a unique value, referred to as a hash value. The unique hash value is attached to and used to identify a VIP that is chosen to serve the DNS query.

The use of hash values makes it possible to “stick” traffic from a particular requesting client to a specific VIP, ensuring that future requests from that client are routed to the same VIP. This type of continuity can be used to facilitate features such as online shopping baskets in which client-specific data is expected to persist even when client connectivity to a site is terminated or interrupted.

The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group.

• By Source Address—The GSS selects the answer based on a hash value created from the source address of the request.

• By Domain Name—The GSS selects the answer based on a hash value created from the requested domain name.

Boomerang (DNS Race)

The GSS supports the boomerang (DNS race) method of proximity routing, a type of DNS resolution that is initiated by the GSS and is designed to load balance between 2 and 20 sites.

Based on the concept that instantaneous proximity can be determined if a content routing agent (CRA) within each data center sends an A-record (IP address) at the exact same time to the client’s D-proxy, the DNS race method of DNS resolution gives all possible CRAs (which can be either Cisco Content Engines or Content Services Switches) a fair chance at resolving a client request and allows for proximity to be determined without probing the client’s D-proxy. Whatever A-record is received first by the D-proxy is by default the most proximate.


For the GSS to initiate a DNS race, it needs to establish two pieces of information for each CRA:

• The delay between the GSS and each of the CRAs in each data center. With this data, the GSS computes how long to delay the race from each data center, so that each CRA starts the race simultaneously.

• The online status of the CRAs. With this data, the GSS knows not to forward requests to any CRA that is not responding.

The Boomerang server on the GSS gathers this information by sending keepalive messages at predetermined intervals. This data, along with the IP addresses of the CRAs, is used to request the exact start time of the DNS race.

Finally, for the CRA response to be accepted by the D-proxy, each CRA must spoof the IP address of the GSS to which the DNS request was sent when responding.

Balance Method Options for Answer Groups

For most balance methods supported by the GSS, there are additional configuration options that you must consider when you group specific answers in an answer group. These configuration options ensure that the GSS properly applies the balance method for answers, and they ensure that you are getting the best possible results from your GSS device. Table 1-2 describes the available balance method options for each answer type (VIP, CRA, or NS).


The following sections explain each of the balance method options available for an answer in an answer group.

Order

The order option is used when the balance method for the answer group is Ordered List. Answers on the list are given precedence based upon their position in the list in responding to requests.

Weight

The weight option is used when the balance method for the answer group is weighted round-robin or least loaded. Weights are specified by a number between 1 and 10 and indicate the capacity of the answer to respond to requests. The weight is used to create a ratio that the GSS uses when directing requests to each answer. For example, if Answer A has a weight of 10 and Answer B has a weight of 1, Answer A receives 10 requests for every 1 directed to Answer B.

Table 1-2 Balance Method Options for Answer Types

Answer Type   Balance Methods Used                                                  Balance Method Options
VIP           Hash, Least loaded, Ordered list, Round-robin, Weighted round-robin   Order, LT (Load Threshold), Weight
Name server   Hash, Ordered list, Round-robin, Weighted round-robin                 Order, Weight
CRA           Boomerang (DNS race)                                                  None


When used with the weighted round-robin balance method, the number listed is used by the GSS to create a ratio of the number of times the answer is used to respond before the next answer on the list is tried.

When used with the least-loaded balance method, the number listed is used by the GSS as the divisor in calculating the load number associated with the answer, which is used to create a bias in favor of answers with greater capacity.

Load Threshold

The load threshold is used when the answer type is VIP and the keepalive method is KAL-AP to determine whether an answer is available, regardless of the balance method used. The load threshold specifies a number between 2 and 254 that is compared to the load being reported by the answer device. If the answer’s load is greater than the specified threshold, the answer is considered offline and unavailable to serve further requests.

The load threshold value can also be used in conjunction with the weight assigned to an answer, with the weight acting as a divisor for the load threshold in calculating capacity. When there are multiple answers to choose from, the GSS software compares the load threshold to the load reported by the answer device to determine if the answer is available, and then selects the answer.
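How keepalive status, order, weight, and load threshold combine when an answer is chosen, as an added Python model of the behaviour described in this chapter. It is not GSS code: the class and function names are assumptions, and so is the reading that an answer repeating an earlier order number is never selected.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Answer:
    """One answer in an answer group (hypothetical model, not a GSS structure)."""
    name: str
    order: int = 0             # Order option, used by the ordered list method
    weight: int = 1            # Weight option, 1 to 10
    online: bool = True        # result of the configured keepalive
    load: int = 0              # load reported by the device through KAL-AP
    load_threshold: int = 254  # Load Threshold option, 2 to 254

    def available(self) -> bool:
        # A failed keepalive, or a reported load greater than the load
        # threshold, makes the answer offline for every balance method.
        return self.online and self.load <= self.load_threshold


def ordered_list(group: List[Answer]) -> Optional[Answer]:
    """First available answer in ascending order number; gaps are allowed."""
    seen, ranked = set(), []
    for answer in group:                  # walk in configuration order
        if answer.order not in seen:      # duplicate order number: keep the first
            seen.add(answer.order)
            ranked.append(answer)
    for answer in sorted(ranked, key=lambda a: a.order):
        if answer.available():
            return answer
    return None


def least_loaded(group: List[Answer]) -> Optional[Answer]:
    """Available answer with the lowest load, using the weight as divisor."""
    live = [a for a in group if a.available()]
    return min(live, key=lambda a: a.load / a.weight) if live else None


class WeightedRoundRobin:
    """Uses each available answer `weight` times before trying the next one."""

    def __init__(self, group: List[Answer]) -> None:
        self.group = group
        self.index = 0   # answer currently being served
        self.used = 0    # times the current answer was returned in this turn

    def next(self) -> Optional[Answer]:
        # n + 1 steps cover the worst case: the current answer has used up its
        # turn, every other answer is offline, and the cycle wraps around.
        for _ in range(len(self.group) + 1):
            answer = self.group[self.index]
            if answer.available() and self.used < answer.weight:
                self.used += 1
                return answer
            self.index = (self.index + 1) % len(self.group)
            self.used = 0
        return None      # no answer in the group is available


if __name__ == "__main__":
    # Constructed sample answers for illustration only.
    group = [Answer("vip-a", order=10, weight=3, load=90, load_threshold=120),
             Answer("vip-b", order=20, weight=1, load=20)]
    wrr = WeightedRoundRobin(group)
    print("ordered list :", ordered_list(group).name)
    print("least loaded :", least_loaded(group).name)
    print("weighted rr  :", [wrr.next().name for _ in range(8)])
    group[0].load = 121  # above its load threshold, so vip-a drops out
    print("after overload:", ordered_list(group).name, least_loaded(group).name)
```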


Locations and Regions

As your GSS network grows, the job of organizing and administering your GSS resources—answers and answer groups, domain lists, and DNS rules—becomes a more complex problem. For that reason, the GSS makes features available to you that help you make sense of and organize your resources. Among these resources are:

• Locations—Logical groupings for GSS resources that correspond to geographical areas such as a city, data center, or content site

• Regions—Higher-level geographical groupings that contain one or more locations

In addition to allowing you to easily sort and navigate long lists of answers and DNS rules, the use of logical groupings such as locations and regions makes it easier to perform bulk administration of GSS resources. For example, in the primary GSSM, you can suspend or activate all answers linked to a particular GSS data center, shutting down a site for scheduled maintenance and then bringing it back online with only a few mouse clicks.

Owners

Owners serve a purpose similar to that of locations and regions in the GSS, providing a simple way to organize and identify groups of related GSS resources. However, whereas regions and locations are used to make geographical sense of your GSS network, owners are used to group resources according to other organizational schemes.

For example, a service provider using the GSS to manage multiple hosting sites might create an owner for each web or application hosting customer. With this organizational scheme, domain lists containing that customer’s hosted content as well as DNS rules, answer groups, and source address lists that specify how traffic to those domains should be processed, can all be associated with and managed through the owner.

Deployed on a corporate intranet, owners can be used to segregate GSS resources on a department-by-department basis, or to allocate specific resources to IT personnel. For example, you could create an owner for the finance, human resources, and sales departments so that resources corresponding to each can be viewed and managed together.


GSS Network Deployment

A typical GSS deployment may contain up to eight GSS devices deployed on a corporate intranet or the Internet. At least one GSS—and no more than two GSSs—must be configured as a primary GSSM and a standby GSSM. The GSSM monitors other GSS devices on the network and offers features for managing and monitoring request routing services using a GUI accessible through secure HTTP. Only one GSSM can be “active” at any time, with the second GSSM serving as a “standby,” or backup device.

The GSSM functionality is embedded on each GSS, and any GSS device can be configured to act as a primary GSSM or a standby GSSM. Refer to Chapter 2, Setting Up Your GSS, for details.

Additional GSSs beyond the primary and standby GSSM that are configured on the GSS network respond to DNS requests and transmit periodic keepalives to provide resource state information about devices. These GSS devices do not perform GSS network management tasks.

This section describes a typical network deployment of the GSS and includes:

• Locating GSS Devices

• Locating GSS Devices Behind Firewalls

• Communication Between GSS Nodes

• Deployment Within Data Centers

Locating GSS Devices

Although it is your organization that determines where your GSS devices are deployed in your network, some general guidelines must be observed. Because the GSS serves as the authoritative name server for one or more domains, each GSS must be publicly or privately addressable on your enterprise network. That way, the D-proxy clients that are requesting content can find the GSSs that have been charged with handling requests for that content.


Options are available for delegating responsibility for your domain to your GSS devices, depending on traffic patterns to and from your domain. For example, given a network containing five GSS devices, you might choose to modify your parent domain DNS servers so that all traffic sent to your domain is directed to each of your GSS devices. Or you might choose to have a subset of your traffic delegated to one or more of your GSSs, with other devices handling other segments of your traffic.

Refer to Chapter 8, Building and Modifying DNS Rules, the “Delegation to GSS Devices” section for information on modifying your network’s DNS configuration to accommodate the addition of GSSs to your network.

Locating GSS Devices Behind Firewalls

Deploying a firewall can be of immense benefit in preventing unauthorized access to your GSS network, as well as thwarting common denial of service (DoS) attacks on your GSS devices. Besides being deployed behind your corporate firewall, the GSS comes with robust packet-filtering features that enable GSS administrators to permit and disallow traffic to any GSS device.

When positioning your GSS behind a firewall or enabling packet filtering on the GSS itself, you must properly configure each device (the firewall and the GSS) to allow valid network traffic to reach the GSS device on specific ports. In addition to requiring HTTPS traffic to access the primary GSS graphical user interface, you may want to configure your GSSs to allow FTP, Telnet, and SSH access through certain ports. In addition, GSSs must be able to communicate their status to and receive configuration information from the GSSM. Finally, primary and standby GSSMs must be able to communicate and synchronize with one another.

Refer to the “Filtering GSS Traffic Using Access Lists” section in Chapter 9, GSS Administration and Troubleshooting, for a discussion of the access-list and access-group CLI commands and for instructions on limiting incoming traffic. See the “Deploying GSS Devices Behind Firewalls” section in that chapter as well for information on which ports must be enabled and left open for the GSS to function properly.

Refer to the Cisco Global Site Selector Command Reference for detailed descriptions of the CLI commands required to create a firewall that blocks all non-GSS traffic to your GSS devices.

Communication Between GSS Nodes

The primary GSSM serves as the organizing point of the GSS network, performing DNS queries and hosting the embedded GSS database that contains configuration information for all your GSS resources, such as individual GSSs and DNS rules. Configuration changes initiated on the primary GSSM using the GSSM graphical user interface are automatically communicated to each registered GSS device that the primary GSSM manages.

The standby GSSM performs GSLB functions for the GSS network. In addition, the standby GSSM is configured to act as the GSSM should the primary GSSM suddenly go offline or become unavailable to communicate with other GSS devices. The standby GSSM can be quickly enabled as the primary GSSM using the gss CLI command. GUI support is not available on a standby GSSM until it is configured as a primary GSSM.

The GSS also runs GSS software and performs routing of DNS queries based on DNS rules and conditions configured using the GSSM. Each GSS is managed separately using the Cisco CLI. GUI support is not available on a GSS device. Each GSS on your network must delegate authority to the parent domain GSS DNS server that serves the DNS requests.

Each GSS is known to and synchronized with the GSSM, but individual GSSs do not report their presence or status to one another. Should a GSS unexpectedly go offline, other GSSs on the network responsible for the same resources are not affected.

With both a primary and a standby GSSM deployed on your GSS network, device configuration information and DNS rules are automatically synchronized between the primary GSSM and a data store maintained on the standby GSSM.

Synchronization occurs automatically between the two devices whenever the GSS network configuration changes. Updates are packaged and sent to the standby GSSM using a secure connection between the two devices.

Should the primary GSSM suddenly become unavailable, the GSS network continues to function and global server load balancing is not affected. If desired, you can manually enable the standby GSSM as the primary GSSM using the CLI. Refer to Chapter 2, Setting Up Your GSS, for instructions on enabling the primary GSSM and to Chapter 9, GSS Administration and Troubleshooting, for details about changing the GSSM role in the GSS network.

Deployment Within Data Centers

A typical GSS network consists of multiple content sites, such as data centers and server farms, access to which is managed by one or more SLBs, such as the Cisco CSS.

Each SLB is represented by one or more virtual IP addresses, or VIPs. These VIPs act as the publicly addressable front-end of the data center. Behind each SLB are transaction servers, database servers, and mirrored origin servers offering a wide variety of content, from websites to applications.

The GSS communicates directly with the SLBs that are representing each data center, collecting statistics on availability and load for each of the SLBs and VIPs and using that data to direct requests to the best-suited data centers and the most available resources within each data center.

In addition to SLBs, a typical data center deployment may also contain DNS name servers that are not being managed by the GSS. These can be used to resolve requests, through name server forwarding, that the GSS cannot resolve itself.

GSS Network Management

Management of your GSS network is divided into two types:

• CLI-Based GSS Management

• GUI-Based Primary GSSM Management

CLI-Based GSS Management

The CLI is used to configure installation and management of your Cisco GSS software, including:

• Initial configuration of GSS and GSSM (primary and standby) devices

• Software upgrades and downgrades on GSSs and GSSMs

• Database and configuration backups, and database restore operations

In addition, the CLI is used for network configuration of your GSS devices, including:

• Network address and host name configuration

• Network interface configuration

• Access control for your GSS devices, including IP filtering and traffic segmentation

The CLI can also be used for status monitoring and logging for each GSS device.

Refer to the Cisco Global Site Selector Command Reference for an alphabetical list of all GSS Command Line Interface (CLI) commands including syntax, options, and related commands. This document also describes how to use the CLI interface.

GUI-Based Primary GSSM Management

The primary GSSM offers a single, centralized graphical user interface (GUI) for monitoring and administering your entire GSS network. The primary GSSM GUI is used for:

• Configuring DNS request handling and global server load balancing through the creation of DNS rules and monitoring of keepalives

• Monitoring GSS network resources

• Monitoring request routing and GSS statistics

See the “Understanding the Primary GSSM Graphical User Interface” section for background details about the GUI.

Understanding the Primary GSSM Graphical User Interface

The primary GSSM graphical user interface is a web-based tool that can be viewed using any standard web browser, such as Microsoft Internet Explorer Version 5.0 or later and Netscape Navigator Version 4.79 or later. Basic authentication is used to restrict GUI access. All GUI traffic is encrypted using secure HTTP (HTTPS).

The primary GSSM GUI serves as a centralized management point for your entire GSS network. Using the primary GSSM GUI, you can add GSS devices to your network and build DNS rules that match groups of source addresses to hosted domains using one of a number of possible load-balancing methods. In addition, using the GSSM monitoring feature, you can obtain real-time statistics on the performance of your GSS network or of individual devices on that network.

When you first log on to the primary GSSM, you see a Welcome window (Figure 1-5). The current login account information appears in the User ID (upper right) area of the Welcome window.

Figure 1-5 Primary GSSM Welcome Window

This section describes the organization and structure of the primary GSSM GUI and includes:

• Graphical User Interface Organization

• List Pages

• Details Pages

• Navigation

• Primary GSSM GUI Icons and Symbols

• Primary GSSM GUI Online Help

Review this information before using the primary GSSM to define global load balancing for your GSS network.

Graphical User Interface Organization

The primary GSSM graphical user interface is organized into four main functional areas that are accessed by clicking the appropriate tab. Each tab can be accessed at any time to navigate to that particular section of the primary GSSM.

• DNS Rules Tab—Contains pages for creating and modifying DNS rules, including the creation of source address lists, (hosted) domain lists, answers, answer groups, and shared keepalives.

• Resources Tab—Contains pages for creating and modifying GSS network resources such as GSSs, locations, regions, and owners. You can also modify global keepalive properties from the Resources tab.

• Monitoring Tab—Contains pages for monitoring the performance of content routing on your GSS network, such as displays of hit counts organized by source address, domain, answer method, or DNS rule.

• Tools Tab—Contains pages for performing the administrative functions for the GSS network, such as creating login accounts, managing account passwords, and viewing system logs.

Within each of these major functional areas, you access specific pages by choosing them from navigation links in the upper left-hand corner of the primary GSSM GUI. The navigation link varies according to the selected tab. Navigation links are present on all GUI pages.

Once you have selected a page, information on your GSS related to that feature is further organized into two areas: list pages and details pages, which are described in the sections that follow.

List Pages

List pages appear throughout the primary GSSM GUI to provide you with a feature-specific overview. For example, clicking the Answers tab (located on the DNS Rules tab) displays the Answers list page showing all of the answers currently configured on the listed GSS network.

List pages present data in tabular format, providing a detailed look at resources available on your GSS network. List pages are also the location from which new resources (for example, DNS rules or answer groups) are added to the GSS network or existing resources modified.

List pages enable you to sort resources by any one of a number of properties that are listed on the screen, quickly locating a particular resource by an identifying characteristic such as name, owner, or type. You can sort information in ascending or descending order by any column. To sort the information in a list page, click the column header for the column containing the information by which you wish to sort the list.

The GSS software temporarily retains information that you modify for a list page, allowing you to navigate to any of the details pages associated with the active list page while retaining the list page settings. The sort field, sort order, and rows per page are temporarily stored in memory for the active list page. Once you navigate to another list page the GSS software discards the modifications for the previous list page.

Figure 1-6 shows an example of a primary GSSM Answers list page.

Figure 1-6 Answers List Page

Details Pages

Details pages appear throughout the primary GSS GUI to provide specific configuration information for a specific GSS function, enabling you to create or to modify those properties.

For example, in Figure 1-6, clicking the Answers navigation link displays the Answers list page. Adjacent to each answer is an icon depicting a pad and pencil, called the Modify icon. Clicking the Modify icon displays the details page for that answer (Figure 1-7), allowing you to modify the properties of an answer or delete the answer.

Figure 1-7 Modifying Answer Details Page

Navigation

Although the primary GSSM graphical user interface is viewed as a series of web pages using a standard browser, navigating among pages is not the same as moving around different websites, or even within a single site. Instead, you navigate from one content area of the primary GSSM GUI to another using the tabs for each of the major functional areas: DNS Rules, Resources, Monitoring, and Tools. Online Help is located as a navigation link at the top of each page.

Once within a major content area, you access a particular feature or move between features using the navigation links. Choosing a feature from the navigation links immediately transfers you to that page in the graphical user interface. To move back from a details page to the corresponding list page, click another navigation link, or click either the Submit or Cancel buttons from the details page.

For example, to return to the Global Site Selectors list page after viewing the details for one of your GSSs, click a different navigation link (or click the Cancel button). If you made configuration changes to a GSS that you wish to retain, click the Submit button. Any of these actions returns you to the Global Site Selectors list page.

Note Do not use your web browser Back or Forward buttons to move between pages in the primary GSSM GUI. Clicking Back cancels any unsaved changes in the primary GSSM.

Primary GSSM GUI Icons and Symbols

Table 1-3 lists and explains some common icons and graphical symbols in the primary GSSM graphical user interface. These icons are referenced throughout this guide in explaining how to use the features of the primary GSSM GUI.

Table 1-3 GSSM GUI Icons and Symbols

| Icon or Symbol | Purpose | Location |
| --- | --- | --- |
| Modify icon | Opens the associated item for editing in a details page, displaying configuration settings on the details page. | List pages |
| Sort icon | Indicates that the items listed in a list table are sorted in descending order according to the property listed in this column. | List pages |
| Create icon/Open DNS Rules Builder icon | Opens the associated details page to accept user input for configuration. | List pages |
| Print icon | When you view GSS resources or monitor GSS network activity, clicking Print allows you to print data displayed in the page using your local or network printer. | List pages and Detail pages |
| Export to CSV icon | When you view GSS resources or monitor GSS network activity, clicking Export allows you to save data displayed in the window to a comma-delimited flat file for use in other applications. | List pages |
| Refresh icon | When you view GSS resources or monitor GSS network activity, clicking Refresh forces the GSSM window to update its content. | List pages |
| Run Wizard icon | Opens the associated DNS rule for editing using the DNS Rules Wizard. | DNS Rules list page |
| Filter DNS Rule List icon | Provides filters that can be applied to your DNS rules, allowing you to view only those rules that have the properties you are interested in. | DNS Rules list page |
| Show All DNS Rules icon | Removes all filters, displaying a complete list of DNS rules for your GSS. | DNS Rules list page |
| * Asterisk | Required field. Indicates that a value is required in the adjacent field before the item can be successfully saved. | Details pages |
| Submit icon | Saves the configuration information. When editing specific GSS system or device configuration information, clicking Submit returns you to the associated list screen. | Detail pages |
| Cancel icon | Cancels any configuration changes that were entered. When editing specific GSS system and device configuration information, clicking Cancel returns you to the associated list screen. | Detail pages |
| Delete icon | When you view configuration information for GSS resources, clicking Delete allows you to delete the resource from the GSS network. Note: Deletions of any kind cannot be undone in the primary GSSM GUI. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details. | Detail pages |
| Next icon | Moves forward to the next page in the DNS Rules Wizard. Alternatively, use the links under the Wizard Contents table of contents to jump back and forth to any step in the wizard. | DNS Rules wizard |
| Back icon | Moves backwards to the previous page in the DNS Rules Wizard. Alternatively, use the links under the Wizard Contents table of contents to jump back and forth to any step in the wizard. | DNS Rules wizard |
| Finish icon | Saves changes to the DNS rule. You return to the DNS Rules list page. | DNS Rules wizard |
| Activate Answer icon | Reactivates a single suspended answer, all suspended answers associated with an owner, or all suspended answers associated with a location. | Modifying Answer, Modifying Owner, and Modifying Location detail page |
| Suspend Answer icon | Temporarily stops the GSS from using a single answer, all answers in all groups for an owner, or all answers in a location. | Modifying Answer, Modifying Owner, and Modifying Location detail page |
| Activate DNS Rule icon | Reactivates a single suspended DNS Rule or all suspended DNS Rules associated with an Owner. | Modify DNS Rules and Modifying Owner detail pages |
| Suspend DNS Rules icon | Stops requests from being processed by a single DNS rule or all suspended DNS rules associated with an owner on your GSS. | Modify DNS Rules and Modifying Owner detail pages |
| Set Answers KAL ICMP icon | Disassociates all answers from a selected shared keepalive and sets the keepalive type of each of those answers to ICMP using the answer’s own VIP. | Modifying Shared Keepalive details page |
| Set Answers KAL None icon | Disassociates all answers from a selected shared keepalive and sets the keepalive type of each of those answers to none, meaning that the GSS assumes they are always alive. | Modifying Shared Keepalive details page |

Primary GSSM GUI Online Help

The Help navigation link in the upper right corner of each primary GSSM GUI page launches the Online Help system (Figure 1-8), which contains information on using that page as well as the features of the primary GSSM GUI. The Online Help topic associated with the form displays in a separate child browser window.

Each page in the primary GSSM GUI has a context-sensitive online Help file associated with it. These Help files (in HTML format) contain detailed information related to the form you are using. Online Help also includes a series of quick start procedures to assist you in navigating through the specific forms in the user interface and performing specific configuration procedures (for example, using the DNS Rules wizard to create a DNS rule).

Figure 1-8 GSSM Online Help

The GSS Online Help system contains several navigational aids to assist you in finding the information you need quickly and easily. The navigation frame is contained in the left frame of each Help topic. The navigation frame contains the following three tabs:

• Contents–Displays all the topics in the GSSM Online Help system in a tiered format. Help topics are grouped into logical books by function. Books of Help topics may contain sub-books with additional topics. You can expand or collapse the contents to suit your needs. Note that the contents also automatically synchronizes with the Help topic you are currently viewing.

• Index–Displays a list of terms that allows you to look up topics based on keywords similar to the index at the back of a book. If only one topic is associated with the Index entry, that topic displays immediately when you double-click the entry. If more than one topic is associated with an Index entry, the Help system displays a Topics Found dialog box that allows you to select the topic you want to display from a list of topics.

• Search–Provides a full-text search tool that allows you to display a list of Help topics related to words you enter in the text box. You can then select a topic and click Display to view that topic.

Where to Go Next

Chapter 2, Setting Up Your GSS, describes the process of configuring the Global Site Selector Series hardware to act as a Global Site Selector Manager (GSSM) or Global Site Selector (GSS) device.

Chapter 2

Setting Up Your GSS

This chapter describes how to configure your GSS devices to connect to your network. This includes the initial network configuration of a GSS and the configuration of a device as a primary or a standby GSSM. Network connectivity is configured for each device using the GSS command-line interface (CLI).

This chapter contains the following major sections:

• Accessing the GSS CLI

• Performing Network Configuration of the GSS

• Creating and Modifying GSS Devices

• Global Server Load-Balancing Summary

For detailed instructions on command syntax and use of GSS CLI commands, refer to the Cisco Global Site Selector Command Reference.

Accessing the GSS CLI

You can access the GSS CLI by establishing a remote connection using Telnet or Secure Shell (SSH) from a PC or by a direct connection to the device using a dedicated terminal. If required for your SSH connection, you may also log in to the GSS using an externally generated private and public key pair.

This section contains the following procedures:

• Accessing the CLI Using a Direct Serial Connection

• Enabling Remote Access on a GSS Device

• Accessing the CLI Using a Remote Connection

• Accessing the GSS CLI Using a Private and Public Key Pair

Accessing the CLI Using a Direct Serial Connection

To access the GSS CLI using a serial connection, establish a direct serial connection between your terminal and the GSS device. Once you are connected, you can use any terminal communications application to access the CLI. The following procedure uses HyperTerminal for Windows. For information on how to establish a serial connection with your device, refer to the Cisco Global Site Selector Hardware Installation Guide.

To access the GSS CLI using a direct serial connection:

1. Launch HyperTerminal. The Connection Description window appears.

2. Enter a name for your session in the Name field.

3. Click OK. The Connect To window appears.

4. From the drop-down list, choose the COM port to which the device is connected.

5. Click OK. The Port Properties window appears.

6. Set the port properties as follows:

• Baud Rate = 9600

• Data Bits = 8

• Flow Control = none

• Parity = none

• Stop Bits = 1

7. Click OK to connect.

8. Press Enter to display the CLI prompt.

Once a session is created, choose Save As from the File menu to save the connection description. Saving the connection description has the following two advantages:

• The next time you launch HyperTerminal, the session is listed as an option under Start > Programs > Accessories > HyperTerminal > Name_of_session. This option lets you reach the CLI prompt directly without going through the configuration steps.

• You can connect your cable to a different device without configuring a new HyperTerminal session. If you use this option, make sure that you connect to the same port on the new device as was configured in the saved HyperTerminal session. Otherwise, a blank screen appears without a prompt.

Enabling Remote Access on a GSS Device

To monitor the performance of your GSS devices and administer them once they are deployed, you must be able to access those devices. Accordingly, once you have basic network connectivity on your GSS device you may want to use the CLI to enable remote access to the device using the SSH, Telnet, or FTP protocols.

To enable SSH, Telnet, or FTP on your GSS device:

1. Enable privileged EXEC mode and then global configuration mode on the device. For example:

localhost.localdomain> enable
localhost.localdomain# config
localhost.localdomain(config)#

2. From global configuration mode, use the enable command to activate the remote access protocol you need (SSH, Telnet, or FTP). For example, to enable SSH connections to the GSS device, you would enter the following command:

localhost.localdomain(config)# ssh enable

3. Repeat step 2 for each required remote access protocol using the ftp command and the telnet command.

Note To disable SSH, Telnet, or FTP, use the no form of the command.

4. Save your configuration changes to memory. For example:

localhost.localdomain(config)# copy running-config startup-config

5. Exit global configuration mode.

localhost.localdomain(config)# exit
localhost.localdomain#

Accessing the CLI Using a Remote Connection

To access the GSS CLI using a remote connection, use Telnet or Secure Shell (SSH) from a PC. In a single Telnet or SSH session, you cannot connect to more than one device. You can, however, have several Telnet or SSH sessions running in parallel for different devices. Be sure you enable Telnet or SSH as described in the “Enabling Remote Access on a GSS Device” section.

Note We recommend using SSH connections because SSH lets you communicate securely over insecure channels and provides strong authentication.

You must have physical access to the GSS device to set up remote access by Telnet or SSH connection. Refer to the Cisco Global Site Selector Hardware Installation Guide for instructions on connecting a console cable to your Cisco Global Site Selector series hardware.

To access the GSS CLI using your preferred SSH or Telnet client:

1. Enter the host name or IP address of the GSS device (Global Site Selector or Global Site Selector Manager).

2. Specify your GSS administrative username and password to log on to the GSS device.

Once you have logged on remotely, use the CLI commands described in this document and in the Cisco Global Site Selector Command Reference.

Accessing the GSS CLI Using a Private and Public Key Pair

The GSS supports remote login to the device over an SSH session using private and public key pairs for authentication. In this method of remote connection, you use a generated private/public key pair to participate in a secure communication by encrypting and decrypting messages. Use of a private and public key pair bypasses the normal username and password authentication process. This remote access method may be useful when running scripts that connect to the GSS automatically.

You generate the private key and the corresponding public key as a key pair on a server separate from the GSS and then copy the public key to the GSS /home directory.

To access the GSS CLI using a private and public key pair:

1. Generate the SSH private key and the corresponding SSH public key as a key pair on a server separate from the GSS. Refer to the documentation included with the SSH software for details on generating the private and public key pair.

2. Enable privileged EXEC mode. For example:

localhost.localdomain> enable

3. Use the scp command to securely copy the generated public key from the server to the GSS /home directory. For example:

localhost.localdomain# scp myusername@1myhost:~/mykey.pub .
myusername@1myhost password:
mykey.pub 100% |*****************************| 241 00:00

4. Use the type command to append the public key to the /home/.ssh/authorized_keys file. The /home/.ssh/authorized_keys file is a special file that the GSS software looks for when authenticating public/private keys. For example:

localhost.localdomain# cd .ssh
localhost.localdomain# type ../mykey.pub >> authorized_keys

5. Activate an SSH session from the remote host to the GSS using the private key. For example, on most Unix systems you would enter the following command line:

ssh -i private.key gss.cisco.com
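
A pre-flight check for steps 3 and 4, as an added example that is not part of the Cisco guide: because the appended key bypasses password authentication, it confirms that the file about to be appended to authorized_keys is exactly one well-formed public key (not the private half) and returns its fingerprint. The key-type allow-list, the 2048-bit RSA floor, and the sample keys built inline are assumptions; adjust the allow-list to what the SSH server on your device accepts.

```python
import base64
import hashlib
import struct

# Assumptions (local policy for this example, not GSS requirements).
ALLOWED_TYPES = ("ssh-rsa", "ssh-ed25519")
MIN_RSA_BITS = 2048


def read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field in key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field in key blob")
    return blob[offset + 4:end], end


def inspect_public_key(text):
    """Return (key_type, bits, sha256_fingerprint) for the text of a .pub file.

    Raises ValueError unless the text is exactly one well-formed public key.
    """
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key; copy the .pub file instead")
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one key line, found %d" % len(lines))
    fields = lines[0].split()
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        raise ValueError("line must start with an allowed key type")
    declared = fields[0]
    # binascii.Error (bad base64) is a subclass of ValueError.
    blob = base64.b64decode(fields[1], validate=True)
    embedded, offset = read_string(blob, 0)
    if embedded != declared.encode("ascii"):
        raise ValueError("declared key type does not match the key blob")
    if declared == "ssh-rsa":
        _exponent, offset = read_string(blob, offset)
        modulus, offset = read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError("RSA modulus is only %d bits" % bits)
    else:  # ssh-ed25519
        point, offset = read_string(blob, offset)
        if len(point) != 32:
            raise ValueError("Ed25519 public key must be 32 bytes")
        bits = 256
    if offset != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return declared, bits, fingerprint


def vet_for_authorized_keys(text):
    """Return (True, fingerprint) if the text may be appended, else (False, reason)."""
    try:
        _key_type, _bits, fingerprint = inspect_public_key(text)
    except ValueError as exc:
        return False, str(exc)
    return True, fingerprint


def ssh_string(data):
    """Encode bytes as an SSH wire-format string."""
    return struct.pack(">I", len(data)) + data


def constructed_rsa_pub(bits):
    """Build a syntactically valid ssh-rsa line (constructed input, not a usable key)."""
    modulus = (1 << (bits - 1)) | 1
    parts = [b"ssh-rsa"]
    for value in (65537, modulus):
        # mpint: big-endian, with a leading zero byte when the top bit is set
        parts.append(value.to_bytes(value.bit_length() // 8 + 1, "big"))
    blob = b"".join(ssh_string(p) for p in parts)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed@example\n"


if __name__ == "__main__":
    samples = {
        "2048-bit RSA": constructed_rsa_pub(2048),
        "1024-bit RSA": constructed_rsa_pub(1024),
        "private key by mistake": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n",
    }
    for label, text in samples.items():
        print(label, "->", vet_for_authorized_keys(text))
```

On a server running OpenSSH, compare the returned fingerprint with the output of `ssh-keygen -lf mykey.pub` before running the append in step 4.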

Performing Network Configuration of the GSS

When setting up your GSS, log in directly to the CLI on the GSS device and configure the following basic setup configuration functions for the device:

• Specify a hostname for the GSS device

• Configure Ethernet 0 and Ethernet 1

• Configure a default gateway

• Enter the IP addresses of the name servers (up to 8)

• Configure a remote access protocol (FTP, Telnet, or SSH) so you can administer the GSS device remotely in the future.

Depending on your network requirements for the GSS device, make your configuration of GSSM (primary and standby) and GSS based on the following information:

• Primary GSSM—The primary GSSM performs content routing as well as centralized management functions for the GSS network. The primary GSSM serves as the organizing point of the GSS network, hosting the embedded GSS database that contains configuration information for all your GSS resources, such as individual GSSs and DNS rules. Other GSS devices report their status to the primary GSSM. The primary GSSM offers a single, centralized GUI for monitoring and administering your entire GSS network.

• Standby GSSM—The standby GSSM performs GSLB functions for the GSS network even while operating in standby mode. In addition, the standby GSSM can be configured to act as the GSSM should the primary GSSM need to go offline for repair or maintenance, or become unavailable to communicate with other GSS devices. As with the primary GSSM, the standby GSSM is configured to run the GSSM GUI and contains a duplicate copy of the embedded GSS database that is currently installed on the primary GSSM. Any configuration or network changes affecting the GSS network are synchronized between the primary and the standby GSSM. The standby GSSM can be enabled as the primary GSSM using the gssm standby-to-primary CLI command.

Note The switching of roles between the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online. Once the original primary GSSM is available, reassign the two GSSMs to their original roles in the GSS network as described in Chapter 9, GSS Administration and Troubleshooting, the “Logically Removing a GSS or Standby GSSM from the Network” section.

• GSS—The GSS performs routing of DNS queries based on DNS rules and conditions configured using the primary GSSM. Each GSS is known to and synchronized with the GSSM, but individual GSSs do not report their presence or status to one another. Each GSS on your network delegates authority to the GSSs that serve DNS requests. Each GSS is managed separately using the Cisco CLI. GUI support is not available on a GSS device.

A typical GSS deployment may contain up to eight GSS devices on a corporate intranet or the Internet. At least one GSS—and no more than two GSSs—must be configured as GSSMs. The primary GSSM monitors the other GSS devices on the network and offers features for managing and monitoring request routing services using a GUI accessible through secure HTTP. Only one primary GSSM can be “active” at any time, with the second GSSM serving as a “standby,” or backup device.

Network configuration requires that you enter into privileged EXEC mode on the CLI, so your login must have adequate permissions to do so.

After you enable your GSSM and GSS devices, use the primary GSSM to activate each device on your network. See the “Creating and Modifying GSS Devices” section for more information.

This section includes the following procedures:

• Configuring the GSS Using the Setup Script

• Configuring the GSS from the CLI

• Configuring a Primary GSSM or Standby GSSM

• Configuring a Global Site Selector

• Logging Into the Primary GSSM Graphical User Interface

Configuring the GSS Using the Setup Script

When you boot the Cisco Global Site Selector platform for the first time and the system boots without a startup-configuration file, a setup script automatically runs to quickly guide you through the process of initially configuring the GSS.

To configure the GSS from the setup script:

1. If you have not already done so, power on and boot the GSS (as described in the Cisco Global Site Selector Hardware Installation Guide).

2. At the Do you want to continue? (y/n) [no]: prompt type y to continue (or press Enter to accept the default of No and bypass running the setup script).

If you chose to bypass the setup script, you can either:

• Manually configure the GSS from the CLI as described in the “Configuring the GSS from the CLI” section.

• Use the setup CLI command at a later point in time to configure basic configuration information (as described in this procedure).

Note The setup command cannot be executed while the GSS is running. You must issue the gss stop command before executing the setup command.

3. At the Hostname prompt, specify a qualified hostname for the GSS device. For example:

Enter the Hostname of this device: gssm1.yourdomain.com

4. At the Interface eth0 and eth1 prompts, specify the IP address and subnet mask for each interface to be used on the GSS device. For example:

* Interface eth1 (Inactive)
Do you want to change this? (y/n) [n]: y
Do you want to activate this interface? (y/n) [n]: y
Enter the IP address: 192.168.1.3
Enter the netmask: 255.255.255.0

Once you run the setup script there are additional configuration parameters that you can specify for each Ethernet interface using the interface ethernet CLI command (such as the autosense, duplex, and speed options). Refer to the Cisco Global Site Selector Command Reference for detailed information on the interface ethernet command.

5. At the default gateway prompt, enter gateway information for the GSS device. For example:

Do you want to configure a default gateway? (y/n) [y]:
Enter the default gateway [10.86.208.1]: 10.89.12.100

6. At the Name Servers prompt, configure the domain name server or servers to be used by the GSS device. You can enter individual addresses or specify up to eight name servers in a list. Enter a dash ('-') at a blank entry to instruct the GSS to stop requesting name servers. For example:

Enter the IP addresses for up to 8 Name Servers.
Enter a dash ('-') at a blank entry to stop entering Name Servers.
At least one Name Server is required for this setup script.
Enter Name Server 1 [161.44.124.122]: 168.10.12.1
Enter Name Server 2: 192.168.1.2
Enter Name Server 3: -

7. At the Remote Access prompt, activate the remote access protocol required for the GSS device. For example:

* Remote Access
Do you want to enable FTP access? (y/n) [y]: n
Do you want to enable Telnet access? (y/n) [n]: y
Do you want to enable SSH access? (y/n) [y]: y

8. The setup script prompts you through a series of questions about configuring the device as a GSSM (primary or standby) or as a GSS. Perform one of the following actions:

– If you want to configure the device as the primary GSSM:

a. At the Do you want to configure this GSS as a Manager (gssm)? (y/n) [y]: prompt type y (or press Enter).

b. At the Do you want to configure this GSSM as the Primary? (y/n) [y]: prompt type y (or press Enter).

– If you want to configure the device as the standby GSSM:

a. At the Do you want to configure this GSS as a Manager (gssm)? (y/n) [y]: prompt type y (or press Enter).

b. At the Do you want to configure this GSSM as the Primary? (y/n) [y]: prompt type n.

c. At the Enter the Hostname or IP address of the Primary GSSM [192.168.3.4]: prompt specify the hostname or IP address of the primary GSSM for your network.

– If you want to configure the device as a GSS:

a. At the Do you want to configure this GSS as a Manager (gssm)? (y/n) [y]: prompt type n.

b. At the Enter the Hostname or IP address of the Primary GSSM [192.168.3.4]: prompt specify the hostname or IP address of the primary GSSM for your network.

9. When completed, the software prompts you to perform one of the following:

– Apply as the Running Configuration—Applies setup configuration changes to the running-configuration file.

– Edit This Configuration—Return to the beginning of setup and edit specific configuration information.

– Discard Configuration and Quit Setup—Cancel making initial configuration changes.

Once configuration setup is complete, the GSS software prompts you to log into the primary GSSM GUI and finish device setup (as described in the “Logging Into the Primary GSSM Graphical User Interface” section).
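The Remote Access answers in step 7 decide which management protocols the device exposes, and the bracketed defaults mean that pressing Enter is also a choice. The following added example (not part of the Cisco guide or the GSS software) parses a captured console transcript of the setup script, resolves the defaults, and reports cleartext protocols that ended up enabled; the first transcript repeats the answers shown in step 7, and the second is constructed with Enter pressed at every prompt.

```python
import re

# Shape of a yes/no prompt in the setup script, as printed in the guide:
#   Do you want to enable FTP access? (y/n) [y]: n
YES_NO = re.compile(
    r"(?P<question>[^?]+\?)\s*\(y/n\)\s*\[(?P<default>\w+)\]:\s*(?P<answer>\S*)")
ACCESS = re.compile(r"enable (?P<protocol>\w+) access\?$")
CLEARTEXT = {"FTP", "Telnet"}  # credentials cross the network unencrypted


def parse_yes_no(transcript):
    """Map each yes/no question to (effective_answer, used_default)."""
    answers = {}
    for line in transcript.splitlines():
        match = YES_NO.search(line)
        if not match:
            continue
        typed = match.group("answer")
        # An empty answer means Enter was pressed, so the bracketed default applies.
        effective = (typed or match.group("default")).lower().startswith("y")
        answers[match.group("question").strip()] = (effective, typed == "")
    return answers


def remote_access_findings(transcript):
    """Return (enabled_protocols, findings) for the Remote Access step."""
    enabled, findings = [], []
    for question, (effective, defaulted) in parse_yes_no(transcript).items():
        match = ACCESS.search(question)
        if not match or not effective:
            continue
        protocol = match.group("protocol")
        enabled.append(protocol)
        if protocol in CLEARTEXT:
            how = "by pressing Enter (default)" if defaulted else "explicitly"
            findings.append("%s enabled %s" % (protocol, how))
    if "SSH" not in enabled:
        findings.append("SSH not enabled; no encrypted CLI access")
    return enabled, findings


# Answers as shown in step 7 of the guide.
GUIDE_EXAMPLE = "\n".join([
    "* Remote Access",
    "Do you want to enable FTP access? (y/n) [y]: n",
    "Do you want to enable Telnet access? (y/n) [n]: y",
    "Do you want to enable SSH access? (y/n) [y]: y",
])

# Constructed transcript: Enter pressed at every prompt.
ALL_DEFAULTS = "\n".join([
    "* Remote Access",
    "Do you want to enable FTP access? (y/n) [y]:",
    "Do you want to enable Telnet access? (y/n) [n]:",
    "Do you want to enable SSH access? (y/n) [y]:",
])

if __name__ == "__main__":
    for name, text in (("guide example", GUIDE_EXAMPLE), ("all defaults", ALL_DEFAULTS)):
        enabled, findings = remote_access_findings(text)
        print(name, "enabled:", enabled, "findings:", findings or "none")
```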

Configuring the GSS from the CLI

To configure the GSS from the CLI:

1. If you have not already done so, power on and boot the GSS (as described in the Cisco Global Site Selector Hardware Installation Guide).

2. Log on to the CLI, following the instructions in “Accessing the GSS CLI”. The GSS CLI prompt appears.

By default, the hostname for GSS devices is localhost.localdomain. This name changes once you configure the hostname for the device.

3. Enable privileged EXEC mode and then global configuration mode on the device. For example:

localhost.localdomain> enable
localhost.localdomain# config
localhost.localdomain(config)#

4. Configure a qualified hostname and default gateway information for the GSS device. For example:

Host(config)# hostname gssm1.yourdomain.com
gssm1.yourdomain.com(config)# ip default-gateway 10.89.12.100

5. From global configuration mode, enter interface configuration mode and configure the attributes of GSS interface Ethernet 0 or Ethernet 1. Each GSS device contains two Ethernet interfaces, 0 and 1. For example:

gssm1.yourdomain.com(config)# interface ethernet 0
gssm1.yourdomain.com(config-eth0)# speed 100
gssm1.yourdomain.com(config-eth0)# duplex full

Refer to the Cisco Global Site Selector Command Reference for detailed information on the interface ethernet command.

Note Interface commands cannot be executed while the GSS is running (for example, serving DNS requests). You must issue the gss stop command before executing the interface ethernet command.

6. Use the gss-communications command to configure a GSS Ethernet interface as the designated network interface for GSS device communications. For example:

gssm1.yourdomain.com(config-eth0)# gss-communications

Note Interface commands cannot be executed while the GSS is running (for example, serving DNS requests). You must issue the gss stop command before executing the gss-communications command.

7. Configure the IP address and subnet mask that are to be used by the interface. For example:

gssm1.yourdomain.com(config-eth0)# ip address 10.89.3.24 255.255.255.0
gssm1.yourdomain.com(config-eth0)# exit
gssm1.yourdomain.com(config)#

8. Configure the domain name server or servers to be used by the GSS device. You can enter individual addresses or specify up to eight name servers using a comma-separated or space-separated list. For example:

gss1.yourdomain.com(config)# ip name-server 128.10.12.1
gss1.yourdomain.com(config)# ip name-server 128.100.12.1, 128.110.12.1

9. Save your configuration changes to memory. For example:

gssm1.yourdomain.com(config)# copy running-config startup-config

The next step is to configure the device as either a GSSM (primary or standby) or as a GSS:

• If configuring the device as a GSSM (primary or standby), proceed to the “Configuring a Primary GSSM or Standby GSSM” section.

• If configuring the device as a GSS, proceed to the “Configuring a Global Site Selector” section.

Configuring a Primary GSSM or Standby GSSM

Before you begin configuring request routing or adding GSSs to your GSS network, you must first configure a primary GSSM with which the individual GSSs will be associated.

When configuring a GSSM, you need to configure both the network connectivity of the GSSM as well as the embedded GSS database that resides on the GSSM and holds GSS device and network configuration information. You must also indicate whether the GSSM serves as the primary or redundant (standby) manager.

To configure a GSS device to function as either a primary GSSM or a standby GSSM:

1. If you have not already done so:

a. Log on to the CLI (see the “Accessing the GSS CLI” section).

b. At the CLI prompt, enable privileged EXEC mode and then global configuration mode on the device. For example:

localhost.localdomain> enable
localhost.localdomain# config
localhost.localdomain(config)#

c. Ensure the GSS is properly configured (see either the “Configuring the GSS Using the Setup Script” section or the “Configuring the GSS from the CLI” section).

2. Perform one of the following steps:

– If this GSSM is to be the primary (default) routing manager for your GSS network, use the gss enable gssm-primary command to enable your GSS device and make it the primary GSSM. For example:

gssm1.yourdomain.com# gss enable gssm-primary

Note If a database already exists on this GSS device an error message appears. Use the gss disable command to disable the selected GSS device and remove any existing configuration, including deleting the GSSM database from the GSS device. This option returns the GSS device to the initial, disabled state.

– If this GSSM is to be a standby (backup) GSSM for your GSS, use the gss enable gssm-standby command to place the GSSM in standby mode and associate it with the DNS name or IP address of the primary GSSM. The standby GSSM is intended to be a backup device to be used on a temporary basis until the primary GSSM can come back online. For example:

gssm1.yourdomain.com# gss enable gssm-standby 192.168.1.110

Note You must have a primary GSSM configured and enabled before you can enable a standby GSSM.

3. Save your configuration changes to memory. For example:

gssm1.yourdomain.com# copy running-config startup-config

If you fail to save your configuration changes, the GSS device reverts to its previous settings upon a reboot.

For the primary GSSM, you can now access the GUI using your preferred web browser by pointing that browser to the URL of the primary GSSM. See the “Logging Into the Primary GSSM Graphical User Interface” section for details.

After enabling the primary GSSM GUI, you can use it to activate each GSS device on your network. See the “Creating and Modifying GSS Devices” section.

If, at a later point, you need to move the primary GSSM or you want to take it offline for repair or maintenance, the standby GSSM is capable of temporarily taking over the role as the primary GSSM until the original primary GSSM is back online. Once the original primary GSSM is available, reassign the two GSSMs to their original roles in the GSS network. Refer to Chapter 9, GSS Administration and Troubleshooting, the “Logically Removing a GSS or Standby GSSM from the Network” section.

Configuring a Global Site Selector

You must configure and enable your primary GSSM before you can configure additional GSS devices. If you have not already done so, see the “Configuring a Primary GSSM or Standby GSSM” section for information on configuring and enabling your primary and optional standby GSSMs.

To configure a device to function as a GSS:

1. If you have not already done so:

a. Log on to the CLI (see the “Accessing the GSS CLI” section).

b. At the CLI prompt, enable privileged EXEC mode and then global configuration mode on the device. For example:

localhost.localdomain> enable
localhost.localdomain# config
localhost.localdomain(config)#

c. Ensure the GSS is properly configured (see either the “Configuring the GSS Using the Setup Script” section or the “Configuring the GSS from the CLI” section).

d. Enable a remote access protocol on the GSS device (such as Telnet or SSH). See the “Enabling Remote Access on a GSS Device” section.

2. Exit global configuration mode and then use the gss command to enable your GSS device as a GSS and direct it to the primary GSSM in your GSS network. Specify either the domain name or the network address of the primary GSSM. For example:

gss1.yourdomain.com(config)# exit
gss1.yourdomain.com# gss enable gss gssm1.yourdomain.com

3. Save your configuration changes to memory. For example:

gss1.yourdomain.com# copy running-config startup-config

If you fail to save your configuration changes, the device reverts to its previous settings upon a reboot.

4. Use the primary GSSM to activate each GSS device on your network. See the “Creating and Modifying GSS Devices” section.

Logging Into the Primary GSSM Graphical User Interface

After you configure and enable your primary GSSM, you are ready to access the GUI. The GSSM uses secure HTTP (HTTPS) to communicate with web clients.

For example, if your primary GSSM is named gssm1.yourdomain.com, enter the following to display the primary GSSM logon dialog box and access the GUI:

https://gssm1.yourdomain.com

When first logging on to the primary GSSM GUI, you can use the system default administrative account and password. After accessing the GUI, create and maintain additional user accounts and passwords using the user administration features of the primary GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for more information on creating user accounts.

Note The user accounts and passwords that you create for the primary GSSM GUI are maintained separately from the usernames and passwords used to log on to your GSS devices using the CLI (using the username command).

To log on to the primary GSSM GUI:

1. Open your preferred Internet web browser application, such as Internet Explorer or Netscape Navigator.

2. In the address field, enter the secure HTTP address of your GSSM. For example:

https://gssm1.yourdomain.com

Note If you have trouble locating the primary GSSM DNS name, remember that the GSS network uses secure connections, so the address of the GSSM will feature https:// (secure HTTP) in the place of the more common http://.

3. If prompted to accept a certificate from the primary GSSM, click Yes to accept the certificate signed by Cisco Systems and proceed to the GUI.

– If you are using Internet Explorer and want to install the certificate, at the Security Alert dialog box click View Certificate, and then choose the Install Certificate option and follow the prompts of the Certificate Manager Import Wizard.

– If you are using Netscape and you want to install the certificate, at the New Site Certificate dialog box click Next and follow the prompts of the New Site Certificate Wizard.

Note Take the extra steps to trust certificates from Cisco Systems, Inc., which prevents you from having to approve a certificate every time you log on to a GSSM. Refer to the online help for your browser for instructions on trusting certificates from a particular owner or website.

4. When prompted to log on to the primary GSSM, enter your username and password in the fields provided, then click OK. If this is your first time logging on to the GSSM, use the default account name and password to access the GUI as follows:

– Username—admin

– Password—default

5. The GSSM Welcome page appears (Figure 2-1). Refer to Chapter 1, Introducing the Global Site Selector, the “Understanding the Primary GSSM Graphical User Interface” section for information on navigating through the primary GSSM GUI.

Figure 2-1 Primary GSSM Welcome Window

Creating and Modifying GSS Devices

A first step in configuring global server load balancing on your GSS network is to activate and configure your GSS devices. Using the Global Site Selectors tab of the primary GSSM GUI, you activate GSS devices (GSSs and standby GSSMs) that have been added to your GSS network, name the GSS devices, and, if necessary, delete those devices from the GSS network.

This section includes the following procedures:

• Activating GSS Devices

• Modifying GSS Device Configuration

• Deleting GSS Devices

Activating GSS Devices

After you have configured your GSS devices to act as GSSs or GSSMs, you must activate those devices from the primary GSSM GUI before they receive and process user requests. The one exception to this rule is the primary GSSM, which does not need to be activated after initial configuration.

To activate a GSS or a standby GSSM from the primary GSSM GUI:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears (Figure 2-2). All active devices are listed with an Online status. The devices you need to activate are listed with an Inactive status.

Figure 2-2 Global Site Selectors List Page - Inactive Status

3. Click the Modify GSS icon for the first GSS that you wish to activate. The Modifying GSS details page appears (Figure 2-3).

Figure 2-3 Modifying GSS Details Page

4. Check the Activate check box. (This check box does not appear in the Modifying GSS details page after a GSS device has been activated.)

5. Click the Submit button. You return to the Global Site Selector list page. The status of the device that you activated is listed as Online. Assuming that the device is functioning properly and that network connectivity between the device and the primary GSSM is good, the status of the device changes to Online within approximately 30 seconds.

Figure 2-4 Global Site Selectors List Page - Active Status

6. Repeat Steps 1 through 5 for each inactive GSS or standby GSSM that you need to activate.

Modifying GSS Device Configuration

You can modify the name and location of any of your GSS devices using the primary GSSM GUI. To modify other network information such as the hostname, IP address, or role, however, you must access the CLI on the device.

To modify the name and location of a GSS device:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears (see Figure 2-2). All active devices are listed with an online status. The devices you need to activate are listed with an inactive status.

3. Click the Modify GSS icon for the first GSS that you wish to activate. The Modifying GSS details page appears (see Figure 2-3).

4. In the Global Site Selector Name field, enter a new name for the device. This is not the same name as the hostname, which can only be changed using the CLI. It is used to easily distinguish one GSS device from another in the primary GSSM list pages, where many devices may appear together.

5. From the Location drop-down list, select a new device location.

6. Click Submit to save your changes. You return to the Global Site Selector list page.

Deleting GSS Devices

With the exception of the primary GSSM, you can delete GSS devices from your network using the primary GSSM GUI. Deleting a GSS device such as a GSS or a standby GSSM allows you to remove nonfunctioning GSS devices from your network, or to reconfigure and then reactivate a device.

To delete a GSS device:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears.

3. From the Global Site Selectors list, click the Modify GSS icon located to the left of the GSS device you want to delete. The Modifying GSS details page appears.

4. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the GSS device.

5. Click OK to confirm your decision. You return to the Global Site Selectors list page with the deleted device removed from the list.

6. To reconfigure the GSS device, refer to either the “Configuring a Primary GSSM or Standby GSSM” section or the “Configuring a Global Site Selector” section.

Global Server Load-Balancing Summary

Once you have created your GSSM (primary and standby) and GSS devices and configured them to connect to your network, you are ready to begin configuring request routing and global server load balancing on your GSS network. Global server load balancing on your GSS network is managed through the centralized GUI on the primary GSSM. Using this interface, you can identify your network resources (GSSs) through the use of keepalives and create the DNS rules to process incoming content requests.

Because you will be creating DNS rules that route incoming DNS requests to the most available data centers and resources on your network, you must configure the elements that constitute your DNS rules before creating the rules themselves.

Use the following order when configuring your GSS devices and resources from the primary GSSM:

1. Create regions, locations, and owners—Optional. Use these groupings to organize your GSS network resources by customer account, physical location, owner, or other organizing principle. Refer to Chapter 3, Configuring Resources for details.

2. Create one or more source address lists—Optional. Use these lists of addresses to identify the name servers (D-proxy) that forward requests for the specified domains. The default source address list is Anywhere to match any incoming DNS request to the domains. Refer to Chapter 4, Configuring Source Address Lists for details.

3. Create one or more domain lists—Establish lists of Internet domains, possibly using wildcards, that are managed by the GSS and queried by users. Refer to Chapter 5, Configuring Domain Lists for details.

4. Modify the default global keepalive settings or create any shared keepalives—Optional. These are GSS network resources that are regularly polled to monitor the online status of one or more GSS resources linked to the keepalive. Shared keepalives are required for any answer that uses the KAL-AP keepalive type. Refer to Chapter 6, Configuring KeepAlives for details.

5. Create one or more answers—Answers are resources that match requests to domains. Refer to Chapter 7, Configuring Answers and Answer Groups for details.

6. Create one or more answer groups—Answer groups are collections of resources that balance requests for content. Refer to Chapter 7, Configuring Answers and Answer Groups for details.

7. Build your DNS rules—Processes incoming DNS requests using the DNS Rule Builder or DNS Rule Wizard. Refer to Chapter 8, Building and Modifying DNS Rules for details.

Because of the complexity of DNS rules, the primary GSSM GUI provides you with a choice of two methods for creating a DNS rule:

• DNS Rule Wizard—An easy-to-use tool that guides you through the process of creating a DNS rule.

• DNS Rule Builder—If you are an experienced GSS user, you can use the DNS Rule Builder to quickly assemble DNS rules from source address lists, domain lists, owners, and answers that you have already created.

Where to Go Next

Chapter 3, Configuring Resources, includes instructions on organizing resources on your GSS network as locations, regions, and owners.

CHAPTER 3

Configuring Resources

This chapter describes what you need to establish global server load-balancing resources. Before you configure request routing, make sure that you have configured your hardware devices as described in Chapter 2, Setting Up Your GSS. You must have a primary GSSM configured and enabled before you can configure request routing and server load balancing on the GSS network. Ideally, you have a standby GSSM configured as well.

If you will be deploying GSSs in addition to your primary GSSM and standby GSSM, these devices will identify themselves to the primary GSSM and appear on the GSSM GUI when you access the Resources tab and click the Global Site Selectors navigation link.

This chapter contains the following major sections:

• Organizing Your GSS Network

• Creating and Modifying Locations and Regions

• Creating and Modifying Owners

• Grouping GSS Resources by Location, Region, and Owner

Organizing Your GSS Network

The primary GSSM provides you with a number of tools that allow you to group and organize resources on your GSS network. These include:

• Locations—Logical groupings for GSS resources that correspond to geographical entities such as a city, data center, or content site

• Regions—Higher-level geographical groupings that contain one or more locations

• Owners—Groupings that correspond to business or organizational relationships; for example, customers, internal departments, and IT personnel

Keep in mind that it is not a requirement that regions and locations correspond to actual geographical sites. They are simply organizing concepts that allow you to group GSS resources and exist in a one (region) to many (locations) relationship.

In addition to providing an organizational scheme for your GSS network, locations can also be used for bulk management of GSS resources, such as answers. Answers can be grouped and managed according to a GSS location that has been established and with which answers have been associated. Using a location to manage your answers makes it easier for you to quickly suspend or activate answers in a particular area of your network, for example, shutting down one or more data centers for the purposes of software upgrades or regular maintenance. Refer to Chapter 7, Configuring Answers and Answer Groups, for more information.

Creating and Modifying Locations and Regions

The process for creating and maintaining locations and regions is essentially identical, except that in addition to their other configuration information, locations are associated with regions in a many-to-one relationship. Use the following procedures to set up regions and locations on your GSS network.

Note: We recommend that you create regions before you create locations.

This section includes the following procedures:

• Creating Regions

• Creating Locations

• Modifying Regions

• Modifying Locations

• Deleting Locations and Regions

Creating Regions

To create a region:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Regions navigation link. The Regions list page appears (Figure 3-1).

Figure 3-1 Regions List Page

3. Click the Create Regions icon. The Creating New Region details page appears (Figure 3-2).

Figure 3-2 Creating New Region Details Page

4. In the Name field, enter the name for your new region.

5. In the Comments field, enter descriptive information or important notes regarding the new region.

6. Click Submit to save changes to your new region. You return to the Region list page. Your new region appears in the list and can be used to help you organize other GSS resources.

Creating Locations

To create a location:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Locations navigation link. The Locations list page appears (Figure 3-3).

Figure 3-3 Locations List Page

3. Click the Create Location icon. The Creating New Location details page appears (Figure 3-4).

Figure 3-4 Creating New Location Details Page

4. In the Name field, enter the name for your new location.

5. Click the Region drop-down list and choose a region with which the location will be associated. There should be a logical connection between region and location.

6. In the Comments field, enter descriptive information or important notes regarding the new region or location.

7. Click Submit to save your new location. You return to the Locations list page. Your new location appears in the list and can be used to help you organize other GSS resources.

Modifying Regions

To modify a GSS region:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Regions navigation link. The Regions list page appears.

3. From the Regions list, click the Modify Region icon located to the left of the list you want to modify. The Modifying Region details page appears (Figure 3-5).

Figure 3-5 Modifying Region Details Page

4. In the Name field, change the name of the region, if desired.

5. In the Comments field, enter or modify the descriptive information or notes regarding the region.

6. Click Submit to save the changes to your region. You return to the Regions list page.

Modifying Locations

To modify a GSS location:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Locations navigation link. The Locations list page appears.

3. From the Locations list, click the Modify Location icon located to the left of the list you want to modify. The Modifying Location details page appears (Figure 3-6).

Figure 3-6 Modifying Location Details Page

4. In the Name field, change the name of the location, if desired.

5. If you wish to move the location to a new region, click the Region drop-down list and select a new region with which the location will be associated.

6. In the Comments field, enter or modify the descriptive information or notes regarding the location.

7. Click Submit to save the changes to your location. You return to the Locations list page.

Deleting Locations and Regions

Before deleting a region or location, be sure that you know what dependencies are associated with a resource. For example, regions that have locations associated with them cannot be deleted. In addition, answers associated with locations that are deleted are automatically associated with the “Unspecified” location.

Caution: Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your primary GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting, for details.

To delete regions and locations:

1. From the primary GSSM GUI, click the Resources tab.

2. Click either the Locations or Regions navigation link, depending on what type of resource you intend to delete. The list page appears.

3. Click the Modify icon for the location or region that you want to delete. The details page appears, displaying configuration information for that resource.

4. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the Region or Location.

5. Click OK. You return to the list page with the Region or Location removed.

If an error appears informing you that a GSS resource is still linked to the region or location you want to delete, disassociate that resource and then attempt to delete the grouping again.

Creating and Modifying Owners

Owners are logical groupings for GSS network resources that correspond to business or organizational structures. For example, an owner might be a hosting customer, an internal department such as human resources, or an IT staff resource.

Owners are created and managed separately from either GSS or GSSM logins, and there is no necessary connection between the two. As with locations, owner designations can be used for bulk management of GSS resources. Using a GSS owner to manage your answer groups makes it easier for you to quickly suspend or activate related answers.

For information on using owners to manage your GSS network, see the following chapters and sections:

• Chapter 7, Configuring Answers and Answer Groups, the Suspending or Reactivating All Answers in an Answer Group Associated with an Owner section

• Chapter 8, Building and Modifying DNS Rules, the Suspending or Reactivating All DNS Rules Belonging to an Owner section

Creating Owners

To create an owner:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Owners navigation link. The Owners list page appears displaying a list of all configured owners on your GSS network and providing an overview of the resources assigned to each owner (Figure 3-7).

Figure 3-7 Owners List Page

3. Click the Create Owner icon. The Creating New Owner details page appears (Figure 3-8).

Figure 3-8 Creating New Owner Details Page

4. In the Name field, enter the contact name for your new Owner.

5. In the Comments field, enter other descriptive or contact information for the new owner.

6. Click Submit to save the new Owner. You return to the Owners list page. Your new owner is listed and can now be used to help you organize other GSS resources.

Modifying Owners

To modify an owner:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Owners navigation link. The Owners list page appears.

3. From the Owners list, click the Modify Owner icon located to the left of the list you want to modify. The Modifying Owner details page appears (Figure 3-9).

Figure 3-9 Modifying Owner Details Page

4. In the Name field, enter a new name for your new owner, if desired.

5. In the Comments field, enter or modify the descriptive information or notes regarding the owner.

6. Click Submit to save the changes to the owner. You return to the Owners list page.

Deleting Owners

Before you attempt to delete an owner, be sure that you know what dependencies that resource has. For example, answer groups, DNS rules, and domain lists associated with an owner will, if that owner is deleted, automatically be associated with the “System” owner account.

Caution: Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting, for details.

To delete an owner:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Owners navigation link. The Owners list page appears.

3. From the Owners list, click the Modify Owner icon located to the left of the list you want to delete. The Modifying Owner details page appears.

4. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the owner.

5. Click OK. You return to the Owners list screen with the owner removed.

Grouping GSS Resources by Location, Region, and Owner

After you create your locations, regions, and owners, you can begin to use these tools to help organize your GSS resources. To associate a particular resource with a location, region, or owner, edit the properties of that resource and then choose the location, region, or owner from the drop-down list provided. Table 3-1 indicates which GSS resources can be grouped by locations, regions, and owners.

Table 3-1 GSS Network Groupings

GSS Network Resource    Grouped By    Grouped Using
GSS                     Location      Global Site Selector details page
Locations               Region        Locations details page
Region                  —             —
Owner                   —             —
DNS rules               Owner         DNS Rule Builder, DNS Rule Wizard
Source address lists    Owner         Source Address Lists details page
Domain lists            Owner         Domain Lists details page
Answer group            Owner         Answer Group details page
Answer                  Location      Answer details page

Where to Go Next

Chapter 4, Configuring Source Address Lists, describes the creation of source address lists, collections of IP addresses or address blocks for known client DNS proxies (or D-proxies).

Chapter 4

Configuring Source Address Lists

The next step in configuring DNS request handling on your GSS network is to define the addresses from which requests are sent to the GSS. This is accomplished through the creation of source address lists, collections of IP addresses or address blocks for known client DNS proxies (or D-proxies).

Note: The deployment of source address lists is an optional process. A default source address list, named Anywhere, is supplied with the GSS software and matches any request for a domain.

Using the source address lists feature, you can enter one or more IP addresses, up to 30 addresses for each list, representing DNS proxies from which requests originate. Each GSS supports up to 60 source address lists.

In addition to adding individual addresses, the primary GSSM also allows you to enter IP address blocks conforming to the classless interdomain routing (CIDR) IP addressing scheme.

This chapter contains the following major sections:

• Creating Source Address Lists

• Modifying Source Address Lists

• Deleting Source Address Lists

Creating Source Address Lists

To configure a source address list:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Source Address Lists navigation link. The Source Address Lists list page appears (Figure 4-1).

Figure 4-1 Source Address Lists List Page

3. Click the Create Source Address List icon. The Creating New Source Address List details page appears (Figure 4-2).

Figure 4-2 Creating New Source Address List - General Configuration

4. In the General Configuration details page (General Configuration navigation link), perform the following:

a. In the Name field, enter a name for the new Source Address List. Source Address List names cannot contain spaces.

b. From the Owner drop-down list, select the GSS network resource with which the Source Address List is associated. The owner may be a hosting customer, an internal department such as human resources, or an IT staff resource.

c. In the Comments text area, enter any comments for the new Source Address List.

5. Click the Add Address navigation link to access the Add Addresses section of the page. Add new addresses or address blocks to your list of source addresses (Figure 4-3).

Figure 4-3 Creating New Source Address List - Add Addresses

6. In the Add Addresses section of the page, perform the following:

a. Enter the IP addresses or CIDR address blocks. If you are entering multiple addresses, separate each one with a semicolon. You can enter up to 30 addresses for each list. You use this interface to add new addresses or address blocks to your list of source addresses. For example:

192.168.100.0/24; 10.89.0.0/16; 10.68.10.1

b. Click the Add button. The GSS software adds the addresses to the Source Address List.

7. Click the General Configuration navigation link to view the address block associated with the source address list. The addresses appear under the Current Members section of the details page (Figure 4-4).

Figure 4-4 Creating Source Address List - Current Members List

8. When you are satisfied with your Source Address List, click the Submit button to save your changes. You return to the Source Address Lists list page.

You can add or remove source addresses from the list at any time. See the “Modifying Source Address Lists” section that follows.
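A pre-check for the entry string typed in step 6, added here as an example and not part of the Cisco guide or the GSS software. It enforces the limits the guide states (no spaces in names, 30 addresses per list, 60 lists per GSS), reports overlapping blocks, and shows which lists a given D-proxy address falls in; the list names, the sample addresses, and the rejection of blocks with host bits set are assumptions of this example, not documented GSS behavior.

```python
import ipaddress
from itertools import combinations

MAX_ADDRESSES_PER_LIST = 30  # per-list limit stated in the guide
MAX_LISTS_PER_GSS = 60       # per-GSS limit stated in the guide


def parse_source_address_list(name, text):
    """Return one list's entries as IPv4Network objects, or raise ValueError."""
    if not name or any(ch.isspace() for ch in name):
        raise ValueError(f"list name {name!r} is empty or contains spaces")
    entries = [e.strip() for e in text.split(";") if e.strip()]
    if not entries:
        raise ValueError(f"{name}: no addresses given")
    if len(entries) > MAX_ADDRESSES_PER_LIST:
        raise ValueError(
            f"{name}: {len(entries)} entries exceeds {MAX_ADDRESSES_PER_LIST}")
    networks = []
    for entry in entries:
        try:
            # strict=True rejects blocks with host bits set (10.89.1.0/16),
            # which usually mean a typo in the address or the prefix length.
            # This strictness is this script's choice, not documented GSS behavior.
            networks.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"{name}: bad entry {entry!r}: {exc}") from None
    return networks


def audit(lists):
    """lists maps list name -> entry string. Return (parsed, findings)."""
    findings = []
    if len(lists) > MAX_LISTS_PER_GSS:
        findings.append(
            f"{len(lists)} lists exceeds the {MAX_LISTS_PER_GSS}-list limit")
    parsed = {name: parse_source_address_list(name, text)
              for name, text in lists.items()}
    # Overlaps inside one list are redundant entries that use up the 30 slots.
    for name, nets in parsed.items():
        for a, b in combinations(nets, 2):
            if a.overlaps(b):
                findings.append(f"{name}: {a} and {b} overlap within the list")
    # Overlaps between lists mean one D-proxy can belong to two groupings.
    for (n1, nets1), (n2, nets2) in combinations(parsed.items(), 2):
        for a in nets1:
            for b in nets2:
                if a.overlaps(b):
                    findings.append(f"{n1} ({a}) overlaps {n2} ({b})")
    return parsed, findings


def matching_lists(parsed, dproxy_ip):
    """Names of the lists that contain the given D-proxy address."""
    ip = ipaddress.IPv4Address(dproxy_ip)
    return sorted(name for name, nets in parsed.items()
                  if any(ip in net for net in nets))


# Constructed sample data; the first entry string is the guide's own example.
SAMPLE_LISTS = {
    "Branch-Offices": "192.168.100.0/24; 10.89.0.0/16; 10.68.10.1",
    "Lab-Resolvers": "10.89.4.0/22; 172.16.5.9",
}

if __name__ == "__main__":
    parsed, findings = audit(SAMPLE_LISTS)
    for line in findings:
        print("WARN", line)
    for ip in ("10.89.5.20", "10.68.10.1", "10.68.10.2"):
        hits = matching_lists(parsed, ip)
        print(ip, "->", hits or "no list (only the default Anywhere list applies)")
```

A single address such as 10.68.10.1 is treated as a /32 block, so it matches only that one D-proxy.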

Modifying Source Address Lists

To modify an existing source address list:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Modify Source Address List icon located to the left of the Source Address List you want to modify. The Modifying Source Address List details page appears.

3. In the General Configuration details page (General Configuration navigation link), use the fields provided to modify the name, comments, or owner for the source address list (see Figure 4-2). Source address list names cannot contain spaces.

4. To add more source addresses to the list, click the Add Addresses navigation link. Use the field provided (see Figure 4-3) to enter the names of source address lists you wish to add. Click the Add button to append the new source address to the existing list.

5. To remove addresses from the Source Address List, click the Remove Addresses navigation link. The Remove Addresses section of the page appears (Figure 4-5). Click the check box accompanying each source address you wish to remove from the list, then click the Remove Selected button to remove the selected source addresses from the list.

Figure 4-5 Modifying Source Address List - Remove Addresses

6. Review your updated source address list under the Current Members section of the details page (see Figure 4-4).

7. Click the Submit button to save your modified source address list. You return to the Source Address List list page.

Deleting Source Address Lists

You cannot delete source address lists that are associated with an existing DNS rule. Before proceeding with these instructions, first verify that none of your DNS rules reference the source address list that you are deleting.

Caution: Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting, for details.

To delete a source address list from your GSS network:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Source Address Lists navigation link. The Source Address Lists list page appears.

3. Click the Modify Source Address List icon located to the left of the Source Address List you want to remove. The Source Address Lists details page appears.

4. Click the Delete Source Address List icon in the upper right corner of the page (Figure 4-6). The GSS software prompts you to confirm your decision to delete the Source Address List.

Note: If an error appears informing you that the source address list is referenced by an existing DNS rule, disassociate the source address list from the DNS rule and then attempt to delete the source address list again.

Figure 4-6 Modifying Source Address List - Delete Icon

5. Click OK. You return to the Source Address Lists list page. The source address list is removed from the list.

Where to Go Next

Chapter 5, Configuring Domain Lists, describes the creation of domain lists, collections of domain names for Internet or intranet resources, sometimes referred to as hosted domains, that are being requested by your users.

Chapter 5

Configuring Domain Lists

This chapter describes how to create domain lists.

This chapter contains the following major sections:

• Domain List Overview

• Creating Domain Lists

• Modifying Domain Lists

• Deleting Domain Lists

Domain List Overview

Domain lists are collections of domain names for Internet or intranet resources, sometimes referred to as “hosted domains,” that are being requested by your users.

Domain lists contain one or more domain names that point to content for which the GSS is acting as the authoritative DNS server and for which you wish to use the GSS technology to balance traffic and user requests. Using the domain lists feature, you can enter complete domain names or any valid regular expression that specifies a pattern by which the GSS can match incoming addresses. The GSS supports POSIX 1003.2 extended regular expressions when matching wildcards.

For example, if you had three hosted domains—www.cisco.com, support.cisco.com, and customer.cisco.com—for which the GSS was responsible, you might want to enter only those domains in your domain list, as follows:

www.cisco.com; support.cisco.com; customer.cisco.com

However, if you had 20 or more possible domains for which the GSS was responsible—www1.cisco.com, www2.cisco.com, and so on—manually entering each address may be time-consuming. In such a situation, you could create a wildcard expression that would cover all those domains, as follows:

.*\.cisco\.com

Any request for a hosted domain that matches the pattern is directed accordingly.

Each GSS can support a maximum of 2000 hosted domains and 2000 hosted domain lists, with a maximum of 500 hosted domains supported for each domain list.

Creating Domain Lists

To create a domain list:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Domain Lists navigation link. The Domain Lists list page appears (Figure 5-1).

Figure 5-1 Domain Lists Page

3. Click the Create Domain List icon. The Creating New Domain List details page appears (Figure 5-2).

Figure 5-2 Creating New Domain List Details Page - General Configuration

4. In the General Configuration details page (General Configuration navigation link), perform the following:

a. In the Name field, enter a name for the new Domain List. Domain List names cannot contain spaces.

b. From the Owner drop-down list, select the contact with whom the Domain List will be associated.

c. In the Comments text area, enter any comments for the new Domain List.

5. Click the Add Domains navigation link to access the Add Domains section of the page. Use this section to add new hosted domains to your list.

Figure 5-3 Creating New Domain List - Add Domains

6. In the text box provided, enter the names of any hosted domains that you want to add to the domain list. Hosted domains may or may not correspond to standard third-level domain names but cannot exceed 128 characters in length. The following examples could be domain names configured on the GSS:

cisco.com
www.cisco.com
www.support.cisco.com

Domain names that use wildcards are also supported by the GSS. You can enter complete domain names or any regular expression that specifies a pattern by which the GSS can match incoming addresses. For example:

.*\.cisco\.com

These should be the domain names of resources for which the GSS is acting as the authoritative DNS server.

Domain names that do not use wildcards cannot exceed 128 characters. For domain names with wildcards that are valid regular expressions, the GSS can match strings up to 256 characters long.

If you are entering multiple domain names, separate each one with a semicolon, for example:

www.cisco.com; support.cisco.com; cdn.cisco.com

7. Click the Add button. The domains you entered are added to the Domain List.

8. Click the General Configuration navigation link and view the domains list. The domain names appear under the Current Members section of the details page (Figure 5-4).

9. Click the Submit button to save your domain list changes.

Figure 5-4 Creating Domain List - Current Members List
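A lint for the domain list entries described in the overview and in step 6, added here as an example and not part of the Cisco guide or the GSS software. It applies the limits the guide states (no spaces in names, 500 domains per list, 128 characters for names without wildcards, 256 characters for wildcard matches) and flags an unescaped "." in a wildcard entry, which matches any character rather than a literal dot. Assumptions of this example: Python's re module stands in for POSIX 1003.2 extended regular expressions, an entry is treated as a wildcard when it contains a regex metacharacter other than ".", a wildcard must match the whole queried name, and names compare case-insensitively.

```python
import re

MAX_DOMAINS_PER_LIST = 500  # per-list limit stated in the guide
MAX_LITERAL_LEN = 128       # limit for names that do not use wildcards
MAX_MATCH_LEN = 256         # longest string a wildcard entry can match

# Assumption: an entry is a wildcard (regex) entry when it contains any of
# these characters; the guide does not say how the GSS tells the two apart.
REGEX_CHARS = set("*+?[](){}|^$\\")


def unescaped_dots(pattern):
    """Offsets of '.' that are not escaped, not inside [...], and not quantified."""
    offsets, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":          # skip the escaped character
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
            if nxt not in ("*", "+", "?", "{"):   # '.*' is a deliberate wildcard
                offsets.append(i)
        i += 1
    return offsets


def lint_domain_list(name, text):
    """Return (entries, findings) for one semicolon-separated domain list."""
    findings = []
    if not name or any(ch.isspace() for ch in name):
        findings.append(f"list name {name!r} is empty or contains spaces")
    entries = [e.strip() for e in text.split(";") if e.strip()]
    if len(entries) > MAX_DOMAINS_PER_LIST:
        findings.append(f"{len(entries)} domains exceeds {MAX_DOMAINS_PER_LIST}")
    for entry in entries:
        if REGEX_CHARS & set(entry):
            try:
                re.compile(entry)   # Python re as a stand-in for POSIX ERE
            except re.error as exc:
                findings.append(f"{entry}: not a valid expression ({exc})")
                continue
            for off in unescaped_dots(entry):
                findings.append(f"{entry}: '.' at offset {off} matches any "
                                "character; write '\\.' for a literal dot")
        elif len(entry) > MAX_LITERAL_LEN:
            findings.append(f"{entry[:20]}...: {len(entry)} characters "
                            f"exceeds {MAX_LITERAL_LEN}")
    return entries, findings


def entry_matches(entry, qname):
    """True if the queried name would hit this entry (whole-name match assumed)."""
    qname = qname.rstrip(".").lower()
    if not (REGEX_CHARS & set(entry)):
        return entry.lower() == qname
    if len(qname) > MAX_MATCH_LEN:
        return False
    return re.fullmatch(entry, qname, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed input: the guide's wildcard plus a variant with one dot unescaped.
    entries, findings = lint_domain_list(
        "Hosted-Domains", r"www.cisco.com; .*\.cisco\.com; .*\.cisco.com")
    for line in findings:
        print("WARN", line)
    for qname in ("www1.cisco.com", "cisco.com", "www.ciscoxcom"):
        hits = [e for e in entries if entry_matches(e, qname)]
        print(qname, "->", hits or "no entry matches")
```

The guide's wildcard requires a dot before "cisco", so a query for the bare name cisco.com is matched only if that name is also entered as its own list member.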

Modifying Domain Lists

To modify an existing domain list:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Domain Lists navigation link. The Domain Lists list page appears (see Figure 5-1).

3. From the Domain Lists list, click the Modify Domain List icon located to the left of the Domains List you want to modify. The Modifying Domain List details page appears.

4. In the General Configuration details page (General Configuration navigation link), use the fields provided to modify the name, comments, or owner for the domain list (see Figure 5-2). Domain List names cannot contain spaces.

5. To add more domains to the list, click the Add Domains navigation link. Use the text box (see Figure 5-3) provided to enter the names of domains you wish to add. Click the Add button to append the new domains to the existing list.

6. To remove domains from the domain list, click the Remove Domains navigation link. The Remove Domains section of the page appears (Figure 5-5). Click the check box accompanying each domain you wish to remove from the list, then click the Remove Selected button. The deleted domain lists have been removed from the page.

Figure 5-5 Modifying Domain List - Remove Domains

7. Review your updated domain lists under the Current Members section of the details page (see Figure 5-4).

8. Click the Submit button to save your changes. You return to the Domain List list page.

Deleting Domain Lists

You cannot delete domain lists that are associated with an existing DNS rule. Before proceeding with these instructions, first verify that none of your DNS rules reference the domain list that you are deleting.

Caution: Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting, for details.

To delete a domain list from your GSS network:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Domain Lists navigation link. The Domain Lists list page appears listing existing Domain Lists.

3. Click the Modify Domain List icon located to the left of the Domain List you want to remove. The Modifying Domain Lists details page appears (Figure 5-5).

Figure 5-6 Modifying Domain List - Delete Icon

4. Click the Delete Domain List icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the domain list.

Note: If an error appears informing you that the domain list is referenced by a DNS rule, disassociate the domain list from the DNS rule and then attempt to delete the domain list again. Refer to Chapter 8, Building and Modifying DNS Rules.

5. Click OK. You return to the Domain List list page. The domain list is removed from the list.

Where to Go Next

Chapter 6, Configuring KeepAlives, describes the modification of global keepalives and the creation of shared keepalives.

Chapter 6

Configuring KeepAlives

A keepalive is a method by which the GSS periodically checks to see if a resource associated with an answer is still active. All answers are validated by configured keepalives as being either online or offline.

The GSS uses keepalives to collect and track information on everything from the simple online status of VIPs to services and applications running on a server. Depending on the type of answer being tracked, the GSS also monitors load and connection information on SLBs that can be used to perform load-based redirection.

This chapter contains the following major sections:

• Modifying Global KeepAlive Properties

• Configuring and Modifying Shared VIP KeepAlives

Modifying Global KeepAlive Properties

The GSS includes a set of global keepalive properties that function as the default or minimum values used by the GSS when no other keepalive values are specified. You can modify your global keepalive properties for the GSS using the fields on the Global KeepAlive Properties details page from the Resources tab. A change to a global keepalive property takes effect as soon as you apply it and modifies the default values of keepalives currently in use by the GSS. For example, if a VIP answer uses a TCP keepalive with all of its associated defaults, and you change the default port value from port 80 to port 23, port 23 automatically becomes the default for the TCP keepalive.


Note Changing global keepalive properties is an optional process.

To modify the GSS keepalive properties:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the KeepAlive Properties navigation link. The Configure Global KeepAlive Properties details page appears (Figure 6-1).

Figure 6-1 Configure Global KeepAlive Properties Details Page

3. Use the navigation links on the left side of the page to access the individual GSS global keepalive details page and to modify the global properties of the keepalive.


The following procedures describe how to modify the default properties for the individual global keepalives.

– Global KeepAlive Configuration—ICMP

– Global KeepAlive Configuration—TCP

– Global KeepAlive Configuration—HTTP HEAD

– Global KeepAlive Configuration—KAL-AP

– Global KeepAlive Configuration—CRA

– Global KeepAlive Configuration—Name Server

Global KeepAlive Configuration—ICMP

To modify the ICMP global keepalive configuration settings, see Figure 6-2 and Figure 6-3 and perform the following steps.

Figure 6-2 ICMP Global KeepAlive—Standard KAL Type


Figure 6-3 ICMP Global KeepAlive—Fast KAL Type

1. Select the ICMP keepalive rate by clicking one of the KAL Type option buttons. You can specify whether the GSS is to use the standard or fast ICMP keepalive transmission rate. The failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs and when the GSS determines the failure occurred. This is the longest period of time the GSS will take to mark an answer offline.

– Standard—Uses the default detection time of 60 seconds.

– Fast—Uses the user-selectable Number of Retries parameter to control the keepalive transmission rate. The default detection time is 4 seconds.

Note The GSS supports up to 500 ICMP keepalives when using the standard detection method and up to 100 ICMP keepalives when using the fast detection method.


2. If you selected the Standard KAL Type, in the Minimum Interval field change the minimum frequency with which the GSS attempts to schedule ICMP keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.

3. If you selected the Fast KAL Type, modify the following parameters:

– In the Number of Retries field, specify the number of times the GSS retransmits an ICMP echo request packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. The default is 1.

– In the Number of Successful Probes field, specify the number of consecutive successful ICMP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. The default is 1.

Note For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the “Keepalives” section.

4. Click the Submit button to save your ICMP global keepalive modifications.


Global KeepAlive Configuration—TCP

To modify the TCP global keepalive configuration settings, see Figure 6-4 and Figure 6-5 and perform the following steps:

Figure 6-4 TCP Global KeepAlive—Standard KAL Type


Figure 6-5 TCP Global KeepAlive—Fast KAL Type

1. Select the TCP keepalive rate by clicking one of the KAL Type option buttons. You can specify whether the GSS is to use the standard or fast TCP keepalive transmission rate. The failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs and when the GSS determines the failure occurred. This is the longest period of time the GSS will take to mark an answer offline.

– Standard—Uses the default detection time of 60 seconds.

– Fast—Uses the user-selectable Number of Retries parameter to control the keepalive transmission rate. The default detection time is 4 seconds.

Note The GSS supports up to 500 TCP keepalives when using the standard detection method and up to 100 TCP keepalives when using the fast detection method.


2. In the Destination port field, enter the port on the remote device that is to receive the TCP keepalive request from the GSS. The port range is 1 to 65535. The default port is 80.

3. Specify the TCP keepalive connection termination method:

– Reset—The GSS immediately terminates the TCP connection by using a hard reset. This is the default termination method.

– Graceful—The GSS initiates the graceful closing of a TCP connection by using the standard three-way connection termination method.

4. If you selected the Standard KAL Type, specify the following parameters:

– In the Response Timeout field, specify the length of time allowed before the GSS retransmits data to a device that is not responding to a request. The valid entries are 20 to 60 seconds. The default is 20 seconds.

– In the Minimum Interval field, specify the minimum frequency with which the GSS attempts to schedule TCP keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.

5. If you selected the Fast KAL Type, modify the following parameters:

– In the Number of Retries field, specify the number of times the GSS retransmits a TCP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. The default is 1.

Note When using the Graceful termination sequence, there are two packets that require acknowledgement: SYN and FIN.

– In the Number of Successful Probes field, specify the number of consecutive successful TCP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. The default is 1.

Note For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the “Keepalives” section.


6. Click the Submit button to save your TCP global keepalive modifications.

Global KeepAlive Configuration—HTTP HEAD

To modify the HTTP HEAD keepalive global configuration settings, see Figure 6-6 and Figure 6-7 and perform the following steps:

Figure 6-6 HTTP HEAD Global KeepAlive—Standard KAL Type


Figure 6-7 HTTP HEAD Global KeepAlive—Fast KAL Type

1. Select the HTTP HEAD keepalive rate by clicking one of the KAL Type option buttons. You can specify whether the GSS is to use the standard or fast HTTP HEAD keepalive transmission rate. The failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs and when the GSS determines the failure occurred. This is the longest period of time the GSS will take to mark an answer offline.

– Standard—Uses the default detection time of 60 seconds.

– Fast—Uses the user-selectable Number of Retries parameter to control the keepalive transmission rate. The default detection time is 8 seconds.

Note The GSS supports up to 500 HTTP HEAD keepalives when using the standard detection method and up to 100 HTTP HEAD keepalives when using the fast detection method.


2. In the Destination port field, enter the port on the remote device that is to receive the HTTP HEAD-type keepalive request from the GSS. The port range is 1 to 65535. The default port is 80.

3. In the Path field, enter the default path that is relative to the server website being queried in the HTTP HEAD request. For example: /company/owner

4. Specify the HTTP HEAD keepalive connection termination method:

– Reset—The GSS immediately terminates the HTTP HEAD connection by using a hard reset. This is the default termination method.

– Graceful—The GSS initiates the graceful closing of an HTTP HEAD connection by using the standard three-way connection termination method.

5. If you selected the Standard KAL Type, specify the following parameters:

– In the Response Timeout field, change the length of time allowed before the GSS retransmits data to a device that is not responding to a request. The valid entries are 20 to 60 seconds. The default is 20 seconds.

– In the Minimum Interval field, change the minimum frequency with which the GSS attempts to schedule HTTP HEAD keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.

6. If you selected the Fast KAL Type, specify the following parameters:

– In the Number of Retries field, specify the number of times the GSS retransmits an HTTP HEAD packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. The default is 1.

Note When using the Graceful termination sequence, there are three packets that require acknowledgement: SYN, HEAD, and FIN.

– In the Number of Successful Probes field, specify the number of consecutive successful HTTP HEAD keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. The default is 1.


Note For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the “Keepalives” section.

7. Click the Submit button to save your HTTP HEAD global keepalive modifications.

Global KeepAlive Configuration—KAL-AP

To modify the KAL-AP keepalive global configuration setting, see Figure 6-8 and Figure 6-9 and perform the following steps:

Figure 6-8 KAL-AP Global KeepAlive—Standard KAL Type


Figure 6-9 KAL-AP Global KeepAlive—Fast KAL Type

1. Select the KAL-AP keepalive rate by clicking one of the KAL Type option buttons. You can specify whether the GSS is to use the standard or fast KAL-AP keepalive transmission rate. The failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs and when the GSS determines the failure occurred. This is the longest period of time the GSS will take to mark an answer offline.

– Standard—Uses the default detection time of 60 seconds.

– Fast—Uses the user-selectable Number of Retries parameter to control the keepalive transmission rate. The default detection time is 4 seconds.


Note The GSS supports up to 128 primary and 128 secondary KAL-AP keepalives when using the standard detection method and up to 40 primary and 40 secondary KAL-AP keepalives when using the fast detection method.

2. If you intend to use Content and Application Peering Protocol (CAPP) encryption, in the CAPP Hash Secret field enter an alphanumeric encryption key value. This is the alphanumeric value used to encrypt interbox communications using CAPP. The same encryption value must also be configured on the Cisco CSS or CSM. The default CAPP Hash Secret string is hash-not-set.

3. If you selected the Standard KAL Type, in the Minimum Interval field, change the minimum frequency with which the GSS attempts to schedule KAL-AP By Tag or KAL-AP By VIP keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.

4. If you selected the Fast KAL Type, specify the following parameters:

– In the Number of Retries field, specify the number of times the GSS retransmits a KAL-AP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. The default is 1.

– In the Number of Successful Probes field, specify the number of consecutive successful KAL-AP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. The default is 1.

Note For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the “Keepalives” section.

5. Click the Submit button to save your KAL-AP global keepalive modifications.


Global KeepAlive Configuration—CRA

To modify the CRA keepalive global configuration settings, see Figure 6-10 and perform the following steps:

Figure 6-10 Global KeepAlives Details Page—CRA KeepAlive

1. In the Timing Decay field, change the value to specify how heavily the GSS should weigh recent DNS Round Trip Time (RTT) probe results relative to earlier RTT metrics, with 1 indicating that recent results should not be weighed any more than previous RTT results. The valid entries are 1 to 10. The default is 2.

2. In the Minimum Interval field, change the minimum frequency with which the GSS attempts to schedule CRA-type keepalives. The valid entries are 1 to 60 seconds. The default is 10 seconds.

3. Click the Submit button to save your CRA global keepalive modifications.


Global KeepAlive Configuration—Name Server

To modify the Name Server keepalive global configuration settings, see Figure 6-11 and perform the following steps:

Figure 6-11 Global KeepAlives Details Page—Name Server KeepAlive

1. In the Query Domain field, change the globally defined domain name that is used to query when utilizing the name server (NS) keepalive. The default is ".".

2. In the Minimum Interval field, change the minimum frequency with which the GSS attempts to schedule name server query keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.

3. Click the Submit button to save your Name Server global keepalive modifications.


Configuring and Modifying Shared VIP KeepAlives

The GSS supports the use of shared keepalives to minimize traffic between the GSS and the SLBs that it is monitoring. A shared keepalive identifies a common address or resource that can provide status for multiple answers. Shared keepalives are used to periodically provide state information (online, offline) to the GSS for multiple VIP answer types. Once created, you can associate the shared keepalives with VIPs when you create a VIP answer type.

Note Shared keepalives are not used with name server or CRA answers.

All answers are validated by configured keepalives and are not returned if the keepalive indicates that the answer is not viable. If a shared keepalive fails to return a status, all VIPs associated with that shared keepalive are assumed to be offline.

If you intend to use the KAL-AP keepalive method with a VIP answer, you must configure a shared keepalive. The use of shared keepalives is optional for the ICMP, TCP, and HTTP HEAD keepalive types.
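The Fast KAL Type parameters and the shared keepalive behavior described above can be modeled as a small state machine. This is an added example, not Cisco code; the class names are hypothetical, and it assumes an answer goes offline only after the first probe plus every retransmission (Number of Retries) goes unanswered.

```python
from dataclasses import dataclass, field


@dataclass
class FastKeepalive:
    """Online/offline tracking for one Fast KAL Type keepalive (model only)."""
    retries: int = 1            # Number of Retries: range 1 to 10, default 1
    successful_probes: int = 1  # Number of Successful Probes: 1 to 5, default 1
    online: bool = True
    _failed: int = field(default=0, init=False, repr=False)
    _passed: int = field(default=0, init=False, repr=False)

    def __post_init__(self):
        if not 1 <= self.retries <= 10:
            raise ValueError("Number of Retries must be 1 to 10")
        if not 1 <= self.successful_probes <= 5:
            raise ValueError("Number of Successful Probes must be 1 to 5")

    def observe(self, replied: bool) -> bool:
        """Feed one probe result and return the resulting online state."""
        if replied:
            self._failed = 0
            if not self.online:
                # Recovery needs N consecutive successes, which damps flapping.
                self._passed += 1
                if self._passed >= self.successful_probes:
                    self.online, self._passed = True, 0
        else:
            self._passed = 0
            if self.online:
                self._failed += 1
                # Assumption: first probe + `retries` retransmissions must fail.
                if self._failed > self.retries:
                    self.online, self._failed = False, 0
        return self.online


@dataclass
class SharedKeepalive:
    """One keepalive whose state is applied to every linked VIP answer."""
    keepalive: FastKeepalive
    vips: tuple

    def observe(self, replied: bool) -> dict:
        state = self.keepalive.observe(replied)
        # A failed shared keepalive takes all associated VIPs offline together.
        return {vip: state for vip in self.vips}


def replay(results, retries=1, successful_probes=1):
    """Return the online state after each probe result in `results`."""
    kal = FastKeepalive(retries, successful_probes)
    return [kal.observe(r) for r in results]


if __name__ == "__main__":
    # Constructed probe results: True = reply received, False = no reply.
    flapping = [False, False, False, True, True, False, True, True, True]
    print(replay(flapping, retries=2, successful_probes=3))

    shared = SharedKeepalive(FastKeepalive(), ("192.0.2.10", "192.0.2.11"))
    for result in (False, False):
        print(shared.observe(result))
```

With a higher Number of Successful Probes, a device that answers intermittently stays offline until it is stable, at the cost of a slower return to service.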

This section includes the following procedures:

• Creating a Shared VIP KeepAlive

• Modifying a Shared KeepAlive

• Deleting a Shared KeepAlive

Creating a Shared VIP KeepAlive

To create a shared VIP keepalive:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Shared KeepAlives navigation link. The Shared KeepAlives list page appears listing all existing shared keepalives (Figure 6-12).


Figure 6-12 Shared KeepAlives Lists Page

3. Click the Create Shared KeepAlive icon. The Creating New Shared KeepAlives details page appears (Figure 6-13).


Figure 6-13 Creating New Shared KeepAlives Details Page

4. At the Type section at the top of the page, choose from one of the four keepalive types as the shared VIP keepalive:

– ICMP—Sends an ICMP echo message (ping) to the specified address. Online status is determined by the response received from the device, indicating simple connectivity to the network.

– TCP—Sends a TCP handshake to the specified IP address and port number of the remote device to determine service viability (three-way handshake and connection termination method), returning the online status of the device.


– HTTP-Head—Sends a TCP format HTTP HEAD request to an origin web server at a specified address. Online status of the device is determined in the form of an HTTP Response Status Code of 200 (for example, HTTP/1.0 200 OK) from the server as well as information on the web page status and content size.

– KAL-AP—Sends a detailed query to the Cisco CSS or CSM to extract load and availability. Online status is determined when these SLBs respond with information about a hosted domain name, host VIP address, or a configured tag on a content rule.

The following procedures describe how to configure the properties for the individual VIP shared keepalives. The default values used for each VIP keepalive are determined by the values specified in the Global Keepalive Properties details page.

– Shared KeepAlive Configuration—ICMP

– Shared KeepAlive Configuration—TCP

– Shared KeepAlive Configuration—HTTP HEAD

– Shared KeepAlive Configuration—KAL-AP


Shared KeepAlive Configuration—ICMP

To define the ICMP shared keepalive configuration, see Figure 6-14 and perform the following steps:

Figure 6-14 Shared KeepAlives Details Page—ICMP KeepAlive (Fast KAL Type)

1. Enter the IP address used to test the online status for the linked VIPs.

2. If the ICMP global keepalive configuration is set to the Fast KAL Type, specify the following parameters in the Fast Keepalive Settings section:

– In the Number of Retries field, specify the number of times the GSS retransmits an ICMP echo request packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.


– In the Number of Successful Probes field, specify the number of consecutive successful ICMP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the “Keepalives” section.

3. Click the Submit button to save your ICMP shared keepalive configuration. You return to the Shared KeepAlives list page.

Shared KeepAlive Configuration—TCP

To define the TCP shared keepalive configuration, refer to Figure 6-15 and perform the procedure outlined below.

Figure 6-15 Shared KeepAlives Details Page—TCP KeepAlive (Fast KAL Type)


1. Enter the IP address used to test the online status for the linked VIPs.

2. In the Destination port field enter the port on the remote device that is to receive the TCP keepalive request. The port range is 1 to 65535. If you do not specify a destination port, the GSS uses the globally configured value.

3. Specify the TCP keepalive connection termination method:

– Default—Always use the globally defined TCP keepalive connection method.

– Reset—The GSS immediately terminates the TCP connection by using a hard reset.

– Graceful—The GSS initiates the graceful closing of a TCP connection by using the standard three-way connection termination method.

4. If the TCP global keepalive configuration is set to the Fast KAL Type, specify the following parameters in the Fast Keepalive Settings section:

– In the Number of Retries field, specify the number of times the GSS retransmits a TCP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.

Note When using the Graceful termination sequence, there are two packets that require acknowledgement: SYN and FIN.

– In the Number of Successful Probes field, specify the number of consecutive successful TCP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the “Keepalives” section.


5. Click the Submit button to save your TCP shared keepalive configuration. You return to the Shared KeepAlives list page.

Shared KeepAlive Configuration—HTTP HEAD

To define the HTTP HEAD shared keepalive configuration, see Figure 6-16 and perform the following steps:

Figure 6-16 Shared KeepAlives Details Page—HTTP HEAD KeepAlive (Fast KAL Type)

1. Enter the IP address used to test the online status for the linked VIPs.

2. In the Destination port field enter the port on the remote device that receives the HTTP HEAD-type keepalive request from the GSS. The port range is 1 to 65535. If you do not specify a destination port, the GSS uses the globally configured value.


3. In the Host Tag field, enter an optional domain name that is sent to the VIP as part of the HTTP HEAD query in the Host tag field. This tag allows an SLB to resolve the keepalive request to a particular website even when multiple sites are represented by the same VIP.

4. In the Path field, enter the default path that is relative to the server website being queried in the HTTP HEAD request. If you do not specify a default path, the GSS uses the globally configured value. For example: /company/owner

5. Specify the HTTP HEAD keepalive connection termination method:

– Default—Always use the globally defined HTTP HEAD keepalive connection method.

– Reset—The GSS immediately terminates the TCP formatted HTTP HEAD connection by using a hard reset.

– Graceful—The GSS initiates the graceful closing of a TCP formatted HTTP HEAD connection by using the standard three-way connection termination method.

6. If the HTTP-HEAD global keepalive configuration is set to the Fast KAL Type, specify the following parameters in the Fast Keepalive Settings section:

– In the Number of Retries field, specify the number of times the GSS retransmits an HTTP HEAD packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.

Note When using the Graceful termination sequence, there are three packets that require acknowledgement: SYN, HEAD, and FIN.

– In the Number of Successful Probes field, specify the number of consecutive successful HTTP HEAD keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.


Note For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the “Keepalives” section.

7. Click the Submit button to save your HTTP HEAD shared keepalive configuration. You return to the Shared KeepAlives list page.

Shared KeepAlive Configuration—KAL-AP

To define the KAL-AP shared keepalive configuration, see Figure 6-17 and perform the following steps:

Figure 6-17 Shared KeepAlives Details Page—KAL-AP KeepAlive (Fast KAL Type)


1. Enter the primary (master) and secondary (backup) IP addresses that will be tested for online status in the fields provided. The secondary IP address is optional. The purpose of the secondary IP address is to query a second Cisco CSS or CSM in a virtual IP (VIP) redundancy and virtual interface redundancy configuration.

2. If you intend to use Content and Application Peering Protocol (CAPP) encryption, check the CAPP Secure box and enter an alphanumeric encryption key value in the CAPP Hash Secret field. This is the alphanumeric value used to encrypt interbox communications using CAPP. The same encryption value must also be configured on the Cisco CSS or CSM.

3. If the KAL-AP global keepalive configuration is set to the Fast KAL Type, specify the following parameters in the Fast Keepalive Settings section:

– In the Number of Retries field, specify the number of times the GSS retransmits a KAL-AP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.

– In the Number of Successful Probes field, specify the number of consecutive successful KAL-AP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the “Keepalives” section.

4. Click Submit to create the new shared keepalive. You return to the Shared KeepAlives list page.
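The shared keepalive procedures above repeat two rules: an unset field falls back to the globally configured value, and each field has a documented range. The added example below (not Cisco code) resolves the effective settings and audits them, including the CAPP Hash Secret; the dictionary layout, function names, and the treatment of the default secret as a finding are assumptions of this example, because the GSS itself is configured through the GSSM GUI.

```python
DEFAULT_CAPP_SECRET = "hash-not-set"  # default string stated in this chapter

# Global defaults as documented in this chapter (hypothetical dict layout).
GLOBAL_PROPS = {
    "icmp": {"retries": 1, "successful_probes": 1},
    "tcp": {"port": 80, "termination": "reset",
            "retries": 1, "successful_probes": 1},
    "http-head": {"port": 80, "termination": "reset",
                  "retries": 1, "successful_probes": 1},
    "kal-ap": {"capp_hash_secret": DEFAULT_CAPP_SECRET,
               "retries": 1, "successful_probes": 1},
}

# Documented valid ranges for the fields shared keepalives can override.
RANGES = {"port": (1, 65535), "retries": (1, 10), "successful_probes": (1, 5)}


def effective(shared, global_props=GLOBAL_PROPS):
    """Merge a shared keepalive over the global properties for its type."""
    merged = dict(global_props[shared["type"]])
    for key, value in shared.items():
        if key == "type" or value is None:
            continue  # unset field: the globally configured value applies
        if key == "termination" and value == "default":
            continue  # "Default" means use the global termination method
        merged[key] = value
    return merged


def audit(shared, peer_secret=None, global_props=GLOBAL_PROPS):
    """Return a list of findings for one shared keepalive definition."""
    cfg = effective(shared, global_props)
    findings = []
    for key, (low, high) in RANGES.items():
        if key in cfg and not (isinstance(cfg[key], int)
                               and low <= cfg[key] <= high):
            findings.append(
                f"{key}={cfg[key]!r} is outside the documented range "
                f"{low} to {high}")
    if "termination" in cfg and cfg["termination"] not in ("reset", "graceful"):
        findings.append(f"unknown termination method {cfg['termination']!r}")
    if shared["type"] == "kal-ap" and cfg.get("capp_secure"):
        secret = cfg.get("capp_hash_secret", "")
        if secret == DEFAULT_CAPP_SECRET:
            findings.append("CAPP Hash Secret is still the default string")
        elif not secret.isalnum():
            findings.append("CAPP Hash Secret is not alphanumeric")
        # The same value must be configured on the Cisco CSS or CSM.
        if peer_secret is not None and secret != peer_secret:
            findings.append("CAPP Hash Secret differs from the CSS or CSM")
    return findings


if __name__ == "__main__":
    # Constructed sample definitions; addresses are documentation ranges.
    tcp_kal = {"type": "tcp", "ip": "192.0.2.10", "port": None,
               "termination": "default", "retries": 12}
    kalap = {"type": "kal-ap", "primary_ip": "192.0.2.20",
             "capp_secure": True}
    print(effective(tcp_kal))
    print(audit(tcp_kal))
    print(audit(kalap, peer_secret="S3cretKey"))
```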


Modifying a Shared KeepAlive

To modify an existing shared keepalive:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Shared KeepAlives navigation link. The Shared KeepAlives list page appears (see Figure 6-12).

3. Click the Modify Shared KeepAlive icon located to the left of the shared keepalive you want to modify. The Modify Shared KeepAlive details page appears (Figure 6-18).

Figure 6-18 Modifying Shared KeepAlive Details Page


4. Use the fields provided to modify the shared keepalive configuration.

5. Click Submit to save your configuration changes. You return to the Shared KeepAlive list page.

Deleting a Shared KeepAlive

To delete a shared keepalive from your GSS network when that shared keepalive is in use by the GSS, you must first disassociate any answers that are using the keepalive. Use the procedure that follows to disassociate your answers and remove a shared keepalive from your GSS network.

Caution: Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting, for details.

To delete a shared keepalive:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Shared KeepAlives navigation link. The Shared KeepAlives list page appears, listing all existing shared keepalives.

3. Click the Modify Shared KeepAlive icon located to the left of the shared keepalive you want to remove. The Modifying Shared KeepAlive details page appears.

4. If the shared keepalive is associated with an answer, perform one of the following:

– To disassociate all answers from the selected shared keepalive and set the keepalive type of each of those answers to ICMP using the answer’s own VIP, click the Set Answers KAL ICMP icon in the upper right corner of the page.

– To disassociate all answers from the selected shared keepalive and set the keepalive type of each of those answers to none, meaning that the GSS assumes they are always alive, click the Set Answers KAL None icon in the upper right corner of the page.

The GSS software prompts you to confirm your decision to disassociate all the answers from the existing shared keepalive.

5. Click the Delete button in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the shared keepalive.

6. Click OK to confirm your decision. You return to the Shared KeepAlives list page.

Where to Go Next

Chapter 7, Configuring Answers and Answer Groups, provides you with all the information you need to create and configure GSS answers and answer groups, which are resources that respond to DNS queries.

Chapter 7

Configuring Answers and Answer Groups

This chapter describes how to create and configure GSS answers and answer groups. It contains the following major sections:

• Configuring and Modifying Answers

• Configuring and Modifying Answer Groups

Configuring and Modifying Answers

In a GSS network, the term answers refers to resources that respond to content queries. When you create an answer using the primary GSSM, you are simply identifying a resource on your GSS network to which queries can be directed and that can provide your user’s D-proxy with the address of a valid host to serve their request.

Examples of GSS answers are:

• VIP—Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, a Web server, cache, or other geographically dispersed SLBs in a global network deployment.

• Name Server—A configured DNS name server on your network that can answer queries that the GSS cannot resolve.

• CRA—Content routing agents that use a resolution process called DNS race to send identical and simultaneous responses back to a user’s D-proxy.

Once created, answers are grouped together as resource pools from which the GSS, using one of a number of available balance methods in a DNS rule, can choose the most appropriate answer for each user request.

In addition, once the query is passed to the answer, intelligence on that resource can be applied in choosing the best host. For example, a request that is routed to a VIP associated with a CSS is evaluated by the CSS after it is received and directed to the most suitable host managed by that CSS.

In addition to specifying a resource, each answer also provides you with the option of specifying a keepalive for that resource, a method by which the GSS can periodically check whether the resource is still up and running. The keepalive monitoring method available to you varies with the resource type, as explained in this section.

This section includes the following procedures:

• Creating a VIP-Type Answer

• Creating a CRA-Type Answer

• Creating a Name Server-Type Answer

• Modifying an Answer

• Suspending an Answer

• Reactivating an Answer

• Suspending or Reactivating All Answers in a Location

• Deleting an Answer

Creating a VIP-Type Answer

The VIP-type answer refers to a virtual IP address (VIP) associated with an SLB device such as a Cisco CSS or CSM. When the GSS receives requests for content that is managed by an SLB, the GSS returns an A-record containing the VIP of the SLB that manages that content.

When configuring a VIP-type answer, you can choose one of several keepalive types to test that answer. For a KAL-AP keepalive, it is necessary to configure shared keepalives before configuring your answer. Refer to Chapter 6, Configuring KeepAlives, for more information on creating shared keepalives.

Note: Once an answer is created, the answer type cannot be modified (for example, from VIP to CRA).

To configure a VIP-type answer:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Answers navigation link. The Answers list page appears (Figure 7-1).

Figure 7-1 Answers List Page

3. Click the Create Answer icon. The Creating New Answer detail page appears (Figure 7-2).

Figure 7-2 Creating New Answer Details Page

4. In the Type field, click the VIP option button. The VIP Answer section appears in the details page (Figure 7-3).

Figure 7-3 Creating New Answer—VIP Details Page

5. In the Name field, enter a name for the VIP-type answer you are creating. Specifying a name for the answer is an optional step.

6. From the Location drop-down list, select a GSS location to which the answer corresponds. Specifying a location for an answer is an optional step. For details about creating a location, refer to Chapter 3, Configuring Resources.

7. In the VIP address field, enter the VIP address to which the GSS will forward requests.

8. Choose one of the five keepalive types for your VIP answer:

– None—Does not send keepalive queries to the VIP. The GSS assumes that the VIP is always alive.

– ICMP—Sends an ICMP echo message (ping) to the specified address. Online status is determined by the response received from the device, indicating simple connectivity to the network.

– TCP—Sends a TCP handshake to the specified IP address and port number of the remote device to determine service viability (three-way handshake and connection termination method), returning the online status of the device.

– HTTP-Head—Sends a TCP format HTTP HEAD request to an origin web server at a specified address. Online status of the device is determined in the form of an HTTP Response Status Code of 200 (for example, HTTP/1.0 200 OK) from the server as well as information on the web page status and content size.

– KAL-AP—Sends a detailed query to the Cisco CSS or CSM to extract load and availability. Online status is determined when these SLBs respond with information about a hosted domain name, host VIP address, or a configured tag on a content rule.

The following procedures describe how to configure the properties for the individual VIP keepalives. The default values used for each of the VIP keepalives are determined by the values specified in the Global Keepalive Properties details page.

– VIP Answer—ICMP KeepAlive

– VIP Answer—TCP KeepAlive

– VIP Answer—HTTP HEAD KeepAlive

– VIP Answer—KAL-AP KeepAlive

VIP Answer—ICMP KeepAlive

To define the ICMP keepalive for your VIP answer, see Figure 7-4 and perform the following steps:

Figure 7-4 Answer Details Page—ICMP KeepAlive VIP Answer

1. The VIP Address check box is automatically checked to instruct the GSS to send an ICMP echo message (ping) to the VIP address of the remote device and determine online status. If necessary, uncheck the VIP Address check box and select an ICMP-type shared keepalive from the Shared ICMP Keepalive drop-down list.

2. If the ICMP global keepalive configuration is set to the Fast KAL Type and the VIP Address is checked, specify the following parameters in the Fast Keepalive Settings section:

– In the Number of Retries field, specify the number of times the GSS retransmits an ICMP echo request packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.

– In the Number of Successful Probes field, specify the number of consecutive successful ICMP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note: For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the “Keepalives” section.

3. Click the Submit button to save your ICMP keepalive VIP answer. You return to the Answers list page.

VIP Answer—TCP KeepAlive

To define the TCP shared keepalive for your VIP answer, see Figure 7-5 and perform the following steps:

Figure 7-5 Answer Details Page—TCP KeepAlive VIP Answer

1. The VIP Address check box is automatically checked to instruct the GSS to send a TCP keepalive to the VIP address of the remote device and determine online status. If necessary, uncheck the VIP Address check box and choose a TCP-type shared keepalive from the Shared TCP Keepalive drop-down list.

2. In the Destination Port field, enter the port on the remote device that is to receive the TCP keepalive request. The port range is 1 to 65535. If you do not specify a destination port, the GSS uses the globally configured value.

3. If you enabled the VIP Address check box, specify the TCP keepalive connection termination method:

– Default—Always use the globally defined TCP keepalive connection method.

– Reset—The GSS immediately terminates the TCP connection by using a hard reset.

– Graceful—The GSS initiates the graceful closing of a TCP connection by using the standard three-way connection termination method.

4. If the TCP global keepalive configuration is set to the Fast KAL Type and the VIP Address is checked, specify the following parameters in the Fast Keepalive Settings section:

– In the Number of Retries field, specify the number of times the GSS retransmits a TCP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.

Note: When using the Graceful termination sequence, there are two packets that require acknowledgement: SYN and FIN.

– In the Number of Successful Probes field, specify the number of consecutive successful TCP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note: For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the “Keepalives” section.

5. Click the Submit button to save your TCP keepalive VIP answer. You return to the Answers list page.

VIP Answer—HTTP HEAD KeepAlive

To define the HTTP HEAD shared keepalive for your VIP answer, see Figure 7-6 and perform the following steps:

Figure 7-6 Answer Details Page—HTTP HEAD KeepAlive VIP Answer

1. The VIP Address check box is automatically checked to instruct the GSS to send a TCP format HTTP HEAD request to the web server at an address you specified and determine online status. If necessary, uncheck the VIP Address check box and select an HTTP-type shared keepalive from the Shared HTTP HEAD keepalive drop-down list.

2. In the Destination Port field, enter the port on the remote device that receives the HTTP HEAD-type keepalive request from the GSS. The port range is 1 to 65535. If you do not specify a destination port, the GSS uses the globally configured value.

3. In the Host Tag field, enter an optional domain name that is sent to the VIP as part of the HTTP HEAD query in the Host tag field. This tag allows an SLB to resolve the keepalive request to a particular website even when multiple sites are represented by the same VIP.

4. In the Path field, enter the path that is relative to the server website being queried in the HTTP HEAD request. If you do not specify a default path, the GSS uses the globally configured value. For example: /company/owner

5. If you enabled the VIP Address check box, specify the HTTP HEAD keepalive connection termination method:

– Default—Always use the globally defined HTTP HEAD keepalive connection method.

– Reset—The GSS immediately terminates the TCP formatted HTTP HEAD connection by using a hard reset.

– Graceful—The GSS initiates the graceful closing of a TCP formatted HTTP HEAD connection by using the standard three-way connection termination method.

6. If the HTTP HEAD global keepalive configuration is set to the Fast KAL Type and the VIP Address is checked, specify the following parameters in the Fast Keepalive Settings section:

– In the Number of Retries field, specify the number of times the GSS retransmits a TCP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.

Note: When using the Graceful termination sequence, there are three packets that require acknowledgement: SYN, HEAD, and FIN.

– In the Number of Successful Probes field, specify the number of consecutive successful HTTP HEAD keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note: For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the “Keepalives” section.

7. Click the Submit button to save your HTTP HEAD keepalive VIP answer. You return to the Answers list page.
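The following Python sketch is an added example, not Cisco code and not part of the original guide. It models the HTTP HEAD keepalive fields described above (VIP, Host Tag, Path, the 200 status check) together with the Number of Retries and Number of Successful Probes settings that the ICMP, TCP, HTTP HEAD, and KAL-AP fast keepalives share. Assumptions: every failed attempt (timeout or non-200 reply) counts toward Number of Retries, timing is not modeled, and all names, addresses, and sample replies are constructed for illustration.

```python
"""Simplified model of an HTTP HEAD fast keepalive (added example, not GSS code)."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


def build_head_request(vip: str, path: str = "/", host_tag: str = "") -> bytes:
    """Build the HEAD request that is sent over the TCP connection to the VIP.

    The connection always targets the VIP; the optional Host Tag only changes
    the Host header, so an SLB that fronts several sites on one VIP can map
    the probe to the intended site.
    """
    for value in (vip, path, host_tag):
        # Reject CR/LF so a configured value cannot add extra header lines.
        if "\r" in value or "\n" in value:
            raise ValueError("CR/LF not allowed in keepalive fields")
    host = host_tag or vip
    return (f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def head_reply_ok(reply: Optional[bytes]) -> bool:
    """True only when the status line carries code 200 (e.g. HTTP/1.0 200 OK).

    None or an empty reply models an attempt that received no answer.
    """
    if not reply:
        return False
    parts = reply.split(b"\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1] == b"200"


@dataclass
class FastKeepalive:
    retries: int             # Number of Retries field (range 1 to 10)
    successful_probes: int   # Number of Successful Probes field (range 1 to 5)
    online: bool = True
    _unanswered: int = field(default=0, init=False, repr=False)
    _good: int = field(default=0, init=False, repr=False)

    def __post_init__(self) -> None:
        if not 1 <= self.retries <= 10:
            raise ValueError("retries must be 1 to 10")
        if not 1 <= self.successful_probes <= 5:
            raise ValueError("successful_probes must be 1 to 5")

    def observe(self, answered: bool) -> bool:
        """Record one attempt and return the resulting online state."""
        if answered:
            self._unanswered = 0
            if not self.online:
                self._good += 1
                # Back online only after N consecutive successes.
                if self._good >= self.successful_probes:
                    self.online, self._good = True, 0
        else:
            self._good = 0  # a failure breaks the run of consecutive successes
            if self.online:
                self._unanswered += 1
                # Assumption: original packet plus `retries` retransmissions
                # must all fail before the answer is declared offline.
                if self._unanswered > self.retries:
                    self.online, self._unanswered = False, 0
        return self.online


def replay(ka: FastKeepalive, replies: Iterable[Optional[bytes]]) -> List[bool]:
    """Feed raw replies (None = no answer) through the model; state after each."""
    return [ka.observe(head_reply_ok(r)) for r in replies]


# Constructed sample replies, not captured traffic.
OK = b"HTTP/1.0 200 OK\r\nContent-Length: 1270\r\n\r\n"
ERR = b"HTTP/1.0 503 Service Unavailable\r\n\r\n"
SAMPLE_REPLIES = [OK, None, ERR, OK, None, None, ERR, OK, OK, None, OK, OK, OK]

if __name__ == "__main__":
    # 192.0.2.10 and www.example.com are placeholder values.
    print(build_head_request("192.0.2.10", "/company/owner", "www.example.com").decode())
    ka = FastKeepalive(retries=2, successful_probes=3)
    for n, state in enumerate(replay(ka, SAMPLE_REPLIES), 1):
        print(n, "online" if state else "offline")
```

In the sample run, two isolated failures do not take the answer offline, three failures in a row do, and a single timeout during recovery restarts the count of successful probes.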

VIP Answer—KAL-AP KeepAlive

To define the KAL-AP shared keepalive for your VIP answer, see Figure 7-7 and perform the following steps:

Figure 7-7 Answer Details Page—KAL-AP Keepalive VIP Answer

1. From the KAL-AP Type drop-down list, select the format of the KAL-AP keepalive query. Your choices are:

– KAL-AP By Tag—Embeds an alphanumeric tag associated with the VIP in the KAL-AP request. The tag value is used to match the correct shared keepalive VIP, thus avoiding confusion that can be caused when probing for the status of a VIP that is located behind a firewall network address translation (NAT).

– KAL-AP By VIP—Embeds the keepalive VIP address in the KAL-AP request. The KAL-AP queries the keepalive address to determine online status.

2. If you chose KAL-AP By VIP, select the appropriate KAL-AP type keepalive from the Shared KAL-AP Keepalive drop-down list.

3. If you chose KAL-AP By Tag, select the appropriate KAL-AP type keepalive from the Shared KAL-AP Keepalive drop-down list, then enter a unique alphanumeric value in the Tag field. This is used as a “key” by the CSS or GSSM that matches the KAL-AP request with the appropriate VIP.

4. Click the Submit button to save your KAL-AP keepalive VIP answer. You return to the Answers list page.

Creating a CRA-Type Answer

The content routing agent (CRA) answer type relies on content routing agents and the GSS to choose a suitable answer for a given query based on the proximity of two or more possible hosts to the requesting D-proxy.

With the CRA answer type, requests received from a particular D-proxy are served by the content server that responds first to the request. Response time is measured using a DNS race, coordinated by the GSS and content routing agents running on each content server. In the race, multiple hosts respond simultaneously to a request. The server with the fastest response time (the shortest network delay between itself and the client’s D-proxy) is chosen to serve the content.

The CRA answer type is designed to work with the GSS when the boomerang balance method is selected for a DNS rule (utilizing the Boomerang Server component of the GSS).

Closeness is determined when multiple hosts reply to the requesting D-proxy simultaneously in what is referred to as a “DNS race.” The GSS coordinates the start of the race so that all CRAs initiate their response at the same time. The first DNS reply to reach the D-proxy is chosen by the name server as the host containing the answer.

Note: Once an answer is created, the answer type cannot be modified (for example, from CRA to VIP).

To configure a CRA-type answer:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).

3. Click the Create Answer icon. The Creating New Answer details page appears (see Figure 7-2).

4. In the Type selection field, click the CRA option button. The CRA Answer section appears in the details page (Figure 7-8).

Figure 7-8 Creating New Answer—CRA Answer

5. In the Name field, enter a name for the CRA-type answer being created. Specifying a name for the answer is an optional step.

6. Click the Location drop-down list and select a location for the answer. Specifying a location for the answer is an optional step. For details about creating a location, refer to Chapter 3, Configuring Resources.

7. In the CRA Address field, enter the interface or circuit address of the CRA.

8. If you want the GSS to perform keepalive checks on the CRA answer, click the Perform KeepAlive Check check box. Uncheck the Perform KeepAlive option if a static one-way delay value is used.

9. If a one-way delay time is required, enter a value, in milliseconds, in the One Way Delay field. This value is used by the GSS to calculate a static round-trip time (RTT), with the one-way delay constituting one-half of the round-trip time that is used for all DNS races involving this answer.

10. Click Submit to create your new CRA-type answer. You return to the Answers list page.

Creating a Name Server-Type Answer

A name server (NS) answer type specifies the IP address of a DNS name server to which DNS queries are forwarded from the GSS. Using the name server forwarding feature, queries are forwarded to an external (non-GSS) name server for resolution, with the answer passed back to the GSS name server and from there to the requesting D-proxy. As such, the name server answer type acts as a guaranteed fallback resource—a way to resolve requests that the GSS cannot resolve itself—either because the requested content is unknown to the GSS, or because the resources that typically handle such requests are unavailable.

Note: Once an answer is created, the answer type cannot be modified (for example, from name server to VIP).

To configure a Name Server-type answer:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).

3. Click the Create Answer icon. The Creating New Answer details page appears (see Figure 7-2).

4. In the Type field, click the Name Server option button. The Name Server Answer section appears in the Creating New Answer details page (Figure 7-9).

Figure 7-9 Creating New Answer—Name Server Answer

5. In the Name field, enter a name for the name server-type answer you are creating. Specifying a name for the answer is an optional step.

6. From the Location drop-down list, select a GSS location to which the answer corresponds. Specifying a location for the answer is an optional step. For details about creating a location, refer to Chapter 3, Configuring Resources.

7. In the Name Server Address field, enter the IP address of the name server that the GSS is to forward requests to.

8. If you want the GSS to perform keepalive checks on the specified Name Server, click the Perform KeepAlive Check check box. The GSS queries the specified name server address to determine online status.

9. If you wish to have the GSS query the name server for a specific domain in determining online status, enter the domain name in the KeepAlive Query Domain field.

If no domain is specified, the GSS queries the default query domain. For instructions on configuring the default query domain, see Chapter 6, Configuring KeepAlives.

10. Click Submit to create your new name server-type answer. You return to the Answers list page.

Modifying an Answer

Once you have configured your answers, they can be modified at any time. However, once an answer is created, the answer type cannot be modified (for example, from VIP to CRA).

To modify an existing answer:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Answers navigation link. The Answers list page appears.

3. Click the Modify Answer icon located to the left of the answer you want to modify. The Modifying Answer details page appears (Figure 7-10).

Figure 7-10 Modifying Answer Details Page

4. Use the fields provided to modify the answer configuration.

5. Click Submit to save your configuration changes. You return to the Answers list page.

Suspending an Answer

If you have created an answer but wish to temporarily stop the GSS from using it, use the suspend feature on the primary GSSM GUI to prevent that answer from being used by any of the currently configured DNS rules.

If you have already suspended an answer, use the activate feature to reactivate the answer (see the “Reactivating an Answer” section).

To suspend an answer:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).

3. Click the Modify Answer icon located to the left of the answer you want to suspend. The Modifying Answer details page appears (see Figure 7-10).

4. Click the Suspend Answer icon in the upper right corner of the page to suspend an answer.

5. Click OK to confirm your decision to suspend the answer. You return to the Answers list screen. The modified answer has a status of Suspended.

Reactivating an Answer

If you have already suspended an answer, use the activate feature to reactivate the answer.

To reactivate an answer:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).

3. Click the Modify Answer icon located to the left of the answer you want to activate. All suspended answers have a status of Suspended in the list. The Modifying Answer details page appears (see Figure 7-10).

4. Click the Activate Answer icon in the upper right corner of the page to reactivate an answer.

5. Click OK to confirm your decision to reactivate the answer. You return to the Answers list screen. The modified answer has a status of Active.

Suspending or Reactivating All Answers in a Location

Answers can be grouped and managed according to an established GSS location. Using a location to manage your answers makes it easier for you to quickly suspend or activate answers in a particular area of your network, for example, shutting down one or more data centers for the purposes of software upgrades or regular maintenance.

The GSS automatically detects and routes requests around suspended answers.

Note: Suspending all answers in a location overrides the active or suspended state of an individual answer.

To suspend or reactivate answers based on their location:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Locations navigation link. The Locations list page appears.

3. Click the Modify Location icon located to the left of the location that includes answers that you want to suspend or reactivate. The Modifying Location details page appears.

4. Perform one of the following:

– To suspend answers associated with this location, click the Suspend All Answers in This Location icon.

– To reactivate suspended answers associated with this location, click the Activate All Answers in This Location icon.

5. Confirm your decision to suspend or activate the answers associated with this location.

6. Click OK. You return to the Locations list page.

Deleting an Answer

If you have created an answer but wish to delete it from the GSS, use the delete feature on the primary GSSM GUI to remove that answer.

Caution: Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting, for details.

To delete an answer:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).

3. Click the Modify Answer icon located to the left of the answer you want to remove. The Modifying Answer details page appears (see Figure 7-10).

4. Click the Delete Answer icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the answer.

5. Click OK to confirm your decision. You return to the Answers list page.

Configuring and Modifying Answer Groups

Answer groups are lists of GSS resources that are candidates to respond to DNS queries received from a user for a hosted domain. Using the DNS rules feature, these lists of network resources are associated with a particular balance method, which is used to resolve the request.

• In the case of a VIP answer group type, the GSS selects one or more VIPs using the balance method specified in the DNS rule.

• In the case of a CRA answer group type, all CRAs in the answer group are queried and then “race” to respond first to the D-proxy with their IP address.

• In the case of a name server answer group type, the GSS selects a name server using the balance method specified in the DNS rule and forwards the client’s request to that name server.

A DNS rule can have up to three balance clauses, each specifying a different answer group from which an answer can be chosen, after taking load threshold, order, and weight factors into account for each answer.

Before creating your answer groups, you must first configure the answers that make up those groups. See the “Configuring and Modifying Answers” section for more information on creating GSS answers.

This section includes the following procedures:

• Creating an Answer Group

• Modifying an Answer Group

• Suspending or Reactivating an Answer Group

• Suspending or Reactivating All Answers in an Answer Group Associated with an Owner

• Deleting an Answer Group

Creating an Answer Group

To create an answer group:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Answer Groups navigation link. The Answer Groups list page appears (Figure 7-11).

Figure 7-11 Answer Group List Page

3. Click the Create Answer Group icon. The Creating New Answer Group details page appears (Figure 7-12).

Figure 7-12 Creating New Answer Group Details Page—General Configuration

4. In the General Configuration details page (General Configuration navigation link), perform the following:

– In the Name field, enter a name for the new answer group. The answer group name cannot contain spaces.

– From the Type drop-down list, choose one of the three options:

• Name Server—The answer group consists of configured name servers

• CRA—The answer group consists of content routing agents (CRAs) for use with the Boomerang Server component of the GSS

• VIP—The answer group consists of virtual IPs controlled by an SLB device such as a CSS or CSM

5. From the Owner drop-down list, select the GSS owner with which the answer group will be associated. For details about creating an owner, refer to Chapter 3, Configuring Resources.

6. In the Comments text area, enter a description or other instructions regarding the new answer group.

7. Click the Add Answers navigation link to access the Add Answers section of the page (Figure 7-13). Perform the following:

a. Click the check box corresponding to each answer you wish to add to the answer group. If the list of answers on your GSS network spans more than one page, select the answers from only the first page of answers and proceed to the next step.

b. Click the Add Selected button. The selected answers are added to the answer group. Answers can belong to more than one answer group simultaneously.

c. Repeat Steps a and b if your answers span multiple pages.

Note If an answer is added to multiple answer groups, when viewing the hit count of answers from either the Answer Status list page or the show statistics dns CLI command output, the number of hits provided represents the aggregate number of hits for that answer across all answer groups.

Figure 7-13 Creating New Answer Group Details Page—Add Answers

8. Click the General Configuration navigation link to return to the General Configuration section. The newly added answers appear in the Current Members section (Figure 7-14). There are different configuration options depending on the type of answer group.

Figure 7-14 Creating New Answer Group Details Page—Current Members

9. Perform one of the following:

Note If you are unsure of the purpose of the order, weight, or load threshold settings, refer to Chapter 1, Introducing the Global Site Selector, the “Balance Methods” section for background information.

– If configuring a Name Server type answer group, assign an order and weight to each answer in the answer group using the field and drop-down list provided.

– If configuring a VIP type answer group, assign an order, load threshold (LT), and weight to each answer in the answer group using the fields and drop-down lists provided.

Note Load thresholds, which allow the GSS to make routing decisions based on how heavily a particular resource is being tasked, can only be assigned to answers using the KAL-AP keepalive.

– If configuring a CRA type answer group, no configuration parameters are required.

10. Click the Submit button to save your answer group.
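
The order, weight, and load threshold values from step 9 can be checked before a group is submitted. The following Python sketch is an added example, not Cisco code: it lints a group against the limits this guide gives (weight 1 to 10, load threshold 0 to 255 with KAL-AP only, unique order numbers) and models Ordered List and Weighted Round Robin selection as the guide describes them. The Answer class, the answer names, the ICMP keepalive value, and the reading of "first answer" as first in configured order are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Answer:
    """One member of an answer group (hypothetical model, not a GSS API)."""
    name: str
    order: int = 0
    weight: int = 1
    keepalive: str = "ICMP"               # constructed sample value
    load_threshold: Optional[int] = None  # LT, honoured with KAL-AP only
    load: int = 0                         # load last reported by the device
    online: bool = True


def lint_group(answers: List[Answer]) -> List[str]:
    """Return warnings for settings the guide restricts or advises against."""
    warnings, seen_orders = [], {}
    for a in answers:
        if not 1 <= a.weight <= 10:
            warnings.append(f"{a.name}: weight {a.weight} is outside 1-10")
        if a.load_threshold is not None:
            if not 0 <= a.load_threshold <= 255:
                warnings.append(f"{a.name}: load threshold is outside 0-255")
            if a.keepalive != "KAL-AP":
                warnings.append(f"{a.name}: load threshold requires KAL-AP")
        if a.order in seen_orders:
            # Only the first answer holding an order number is ever used.
            warnings.append(f"{a.name}: order {a.order} already held by "
                            f"{seen_orders[a.order]}; answer is never selected")
        else:
            seen_orders[a.order] = a.name
    return warnings


def is_available(a: Answer) -> bool:
    """Offline answers, or KAL-AP answers reporting load above LT, are skipped."""
    if not a.online:
        return False
    if a.keepalive == "KAL-AP" and a.load_threshold is not None:
        return a.load <= a.load_threshold
    return True


def pick_ordered(answers: List[Answer]) -> Optional[str]:
    """Ordered List: lowest order number that is available; gaps are fine."""
    first_per_order = {}
    for a in answers:  # assumption: "first" means first in configured order
        first_per_order.setdefault(a.order, a)
    for order in sorted(first_per_order):
        if is_available(first_per_order[order]):
            return first_per_order[order].name
    return None


def wrr_cycle(answers: List[Answer]) -> List[str]:
    """Weighted Round Robin: one full cycle, each answer repeated by weight.

    The guide gives only the ratio; the interleaving here is an assumption.
    """
    cycle = []
    for a in answers:
        if is_available(a):
            cycle.extend([a.name] * a.weight)
    return cycle


# Constructed sample group: names, loads, and states are illustrative only.
GROUP = [
    Answer("vip-sjc", order=1, weight=10, keepalive="KAL-AP",
           load_threshold=180, load=200),   # over threshold, skipped
    Answer("vip-nyc", order=3, weight=1),
    Answer("vip-lon", order=3, weight=4),   # duplicate order number
    Answer("vip-tok", order=7, weight=2, load_threshold=90),  # LT without KAL-AP
]

if __name__ == "__main__":
    for line in lint_group(GROUP):
        print("WARN", line)
    print("ordered list picks:", pick_ordered(GROUP))
    cycle = wrr_cycle(GROUP)
    print("WRR shares:", {n: cycle.count(n) for n in dict.fromkeys(cycle)})
```
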

Modifying an Answer Group

Once you have created your answer groups, you can use the primary GSSM GUI to make modifications to their configurations, adding and removing answers, changing the order, weight, and load thresholds of individual answers. Answers can belong to more than one answer group. However, once you have added answers to an answer group, you cannot change the type of an answer group (for example, from VIP to CRA).

To modify an answer group:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Answer Groups navigation link. The Answer Groups list page appears (see Figure 7-11).

3. Click the Modify Answer Group icon located to the left of the answer group you want to modify. The Modify Answer Group details page appears.

4. In the General Configuration details page (General Configuration navigation link), use the fields provided to modify the name, owner, or comments for the answer group.

5. Click the Add Answers navigation link. Click the check box corresponding to each answer you wish to add to the answer group. If the list of answers on your GSS network spans more than one page, select the answers from only the first page of answers, then click Add Selected, before proceeding to another page of answers.

6. To remove answers from the answer group, click the Remove Answers navigation link. The Remove Answers section of the page appears (Figure 7-15). Click the check box accompanying each answer you wish to remove from the list, then click the Remove Selected button. The deleted answers are removed from the page.

Figure 7-15 Modifying Answer Group - Remove Answers

7. Review your updated answer group under the Current Members section of the General Configuration details page (see Figure 7-14).

8. Click the Submit button to save your changes. You return to the Answer Groups list page.

Suspending or Reactivating an Answer Group

If you have created an answer group but wish to temporarily stop the GSS from directing requests to it, you can use the suspend answer group feature on the primary GSSM GUI to temporarily suspend the answers that make up that group, preventing that answer group from being used by any of the currently configured DNS rules.

Note Suspending the answers in one answer group also affects any other answer groups to which those answers belong.

If you have already suspended the answers in an answer group, use the activate answers feature to reactivate the answer group.

To suspend or reactivate an answer group:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Answer Groups navigation link. The Answer Groups list page appears (see Figure 7-11).

3. Click the Modify Answer Group icon located to the left of the answer group you want to suspend or reactivate. The Modifying Answer Group details page appears (Figure 7-16).

Figure 7-16 Modifying Answer Group - Suspend Answers Icon

4. To suspend an answer group, click the Suspend Answers button in the upper right corner of the page.

5. If you are reactivating a suspended answer group, click the Activate Answers icon.

6. Click OK to confirm your decision to suspend or reactivate the answers in the answer group. You return to the Answer Groups list page.

7. To view the status of the answers that you suspended or activated, refer to Chapter 10, Monitoring GSS Performance.

Suspending or Reactivating All Answers in an Answer Group Associated with an Owner

Answers that have been added to answer groups can be grouped and managed according to a GSS owner. Using a GSS owner to manage your answer groups makes it easier for you to quickly suspend or activate related answers.

To suspend or reactivate all answers in answer groups associated with a GSS owner:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Owners navigation link. The Owners list page appears (Figure 7-17).

Figure 7-17 Owners List Page

3. Click the Modify Owner icon located to the left of the answer group you want to suspend or reactivate. The Modifying Owner details page appears (Figure 7-18).

Figure 7-18 Modifying Owners Details Page

4. Perform one of the following:

– To suspend all answers in all answer groups associated with this owner, click the Suspend All Answers in All Groups for This Owner icon in the upper-right corner of the details page.

– To reactivate all suspended answers associated with this owner, click the Activate All Answers in All Groups for This Owner icon in the upper-right corner of the details page.

5. Confirm your decision to suspend or activate the answers. Click OK. You return to the Owner list page.

Deleting an Answer Group

If you have created an answer group and want to delete it from the GSS, use the delete feature on the primary GSSM GUI to remove that answer group. You cannot delete answer groups that are linked to DNS rules. Disassociate your answer group from all DNS rules before attempting to delete it (refer to Chapter 8, Building and Modifying DNS Rules). Deleting an answer group does not delete the answers contained in the answer group.

Caution Deletions of any kind cannot be undone in the primary GSSM. If you might use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.

To delete an answer group:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Answer Groups navigation link. The Answer Groups list page appears.

3. Click the Modify Answer Group icon located to the left of the answer group you want to remove. The Modifying Answer Group details page appears (see Figure 7-16).

4. Click the Delete Answer Group icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the answer group.

5. Click OK to confirm your decision. You return to the Answer Groups list page.

Where to Go Next

Chapter 8, Building and Modifying DNS Rules, describes constructing the DNS rules that govern all global server load balancing on your GSS network.

Chapter 8

Building and Modifying DNS Rules

Once you have configured your source address lists, domain lists, answers, and answer groups, you are ready to begin constructing the DNS rules that will govern all global server load balancing on your GSS network.

When building DNS rules, you specify actions for the GSS to take when it receives a request from a known source (a member of a source address list) for a known hosted domain (a member of a domain list).

The DNS rule specifies which response (answer) is given to the requesting user’s local DNS host (D-proxy) and how that answer is chosen. One of a variety of balance methods is used to determine the best response to the request, based on the status and load of your GSS host devices.

Note Before creating your DNS rules, review Chapter 1, Introducing the Global Site Selector, the “GSS Architecture” section.

This chapter contains the following major sections:

• DNS Rule Configuration Overview

• Building DNS Rules Using the Wizard

• Building DNS Rules Using the DNS Rule Builder

• Modifying DNS Rules

• Suspending a DNS Rule

• Reactivating a DNS Rule

• Suspending or Reactivating All DNS Rules Belonging to an Owner

• Deleting a DNS Rule

• Configuring DNS Rule Filters

• Removing DNS Rule Filters

• Delegation to GSS Devices

DNS Rule Configuration Overview

Because of the complexity of DNS rules, the primary GSSM GUI provides you with a choice of two methods for creating a DNS rule:

• DNS Rule Wizard

• DNS Rule Builder

DNS Rule Wizard

The DNS Rule Wizard (Figure 8-1) is an easy-to-use tool that guides you through the process of creating a DNS rule. The DNS Rule Wizard provides explanations for each step in the rule authoring process. The DNS Rule Wizard allows you to create source address lists, domain lists, answer groups, and balance methods on the fly.

Note Owners, regions, and locations are not created as part of the DNS Rule Wizard and must be created prior to using the wizard.

Figure 8-1 DNS Rule Wizard - Introduction Page

When you use the wizard, the Next and Back buttons step you forward and backward through the rule-building process. Alternatively, use the navigation links under the Wizard Contents heading to move back and forth to any step in the wizard.

To access the DNS Rule Wizard, click the DNS Rules tab and then click the Rule Wizard icon. See the “Building DNS Rules Using the Wizard” section for details.

DNS Rule Builder

If you are an experienced GSS user, you can use the DNS Rule Builder (Figure 8-2) to quickly assemble DNS rules from source address lists, domain lists, owners, and answers that you have already created. Using the fields and drop-down menus provided, you can assign a name for your rule and then configure the rule with up to three balance clauses for the GSS to choose an answer.

Figure 8-2 DNS Rule Builder Window

Because the DNS Rule Builder is launched in its own window, you can leave it open and return to the primary GSSM GUI to review or add answers, answer groups, owners, domain lists, and more. Any changes made to your GSS network configuration while the DNS Rule Builder is open are immediately reflected in the DNS Rule Builder. For example, an answer group added while the DNS Rule Builder window is open automatically appears in the drop-down list of answer groups.

To access the DNS Rule Builder, click the DNS Rules tab and then click the Open Rule Builder icon. See the “Building DNS Rules Using the DNS Rule Builder” section for details.

Building DNS Rules Using the Wizard

To create a DNS rule using the DNS Rule Wizard:

Note Owners, regions, and locations are not created as part of the DNS Rule Wizard and must be created prior to using the wizard.

1. From the primary GSSM GUI, click the DNS Rules tab, then the DNS Rules navigation link. The DNS Rules list appears (Figure 8-3).

Figure 8-3 DNS Rules List Page

2. Click the Rule Wizard icon. The DNS Rule Wizard introduction page appears (Figure 8-4). Read this page carefully; it provides an overview of the steps necessary to create a DNS rule.

Figure 8-4 DNS Rule Wizard—Introduction Page

3. Click the Next and Back buttons to step forward or backwards through the DNS rule-building process. Alternatively, use the links under the Wizard Contents table of contents to jump back and forth to any step in the Wizard.

The following procedures describe how to configure the properties for the individual pages in the DNS Rule Wizard.

– DNS Rule Wizard—Source Address List Page

– DNS Rule Wizard—Domain List Page

– DNS Rule Wizard—Answer Group Page

– DNS Rule Wizard—Balance Method Page

– DNS Rule Wizard—Summary

DNS Rule Wizard—Source Address List Page

This step uses the Source Address List section of the DNS Rule Wizard (Figure 8-5) to identify your source address list.

Figure 8-5 DNS Rule Wizard—Source Address List Page 1

Perform one of the following:

• To have this DNS rule apply to requests originating from any DNS proxy, click the Any Address option, then click Next. See the DNS Rule Wizard—Domain List Page section for information on using the Domain List detail page in the wizard.

• To have this DNS Rule apply to requests originating from a list of DNS proxies that you have not yet configured but now want to configure, click the Manually-entered source address list option, then click Next. See the DNS Rule Wizard—Source Address List Page 2 section for information on using the Source Address List detail page in the wizard.

• To have this DNS rule apply to requests originating from a list of DNS proxies that you have already configured using the Source Address Lists feature, click the Predefined source address list option, then click Next. See the DNS Rule Wizard—Source Address List Page 3 section for information on using the Domain List detail page in the wizard.

DNS Rule Wizard—Source Address List Page 2

If you chose the Manually-entered Source Address List option in the Source Address List section of the wizard, perform the following steps to create your Source Address List (Figure 8-6). Once you configure your Source Address List using the wizard, it is available for other DNS rules as well.

Figure 8-6 DNS Rule Wizard—Source Address List Page 2

1. Enter a name for your Source Address List in the List Name field.

2. Optionally, click the List Owner drop-down list and select a GSS owner name.

3. In the space provided, enter one or more source CIDR-format IP addresses that make up the list. You can enter individual IP addresses or address blocks. If you wish to enter multiple IP addresses, separate the addresses using semicolons.

For example:

192.168.1.110/32; 192.168.10.0/24; 192.161.0.0/16

4. Click Next to proceed to the Domain List detail page of the DNS Rule Wizard. See the DNS Rule Wizard—Domain List Page section for information.

DNS Rule Wizard—Source Address List Page 3

If you selected the Predefined Source Address List option in the Source Address List section of the wizard, perform the following procedure to create your Source Address List (Figure 8-7).

Figure 8-7 DNS Rule Wizard—Source Address List Page 3

1. Click the name of the Source Address List in the list to highlight it.

2. Click Next to proceed to the Domain List detail page of the DNS Rule Wizard. See the DNS Rule Wizard—Domain List Page section for information.

DNS Rule Wizard—Domain List Page

This step uses the Domain List section of the DNS Rule Wizard (Figure 8-8) to specify the domains that users will be requesting. Each GSS can support a maximum of 2000 hosted domains and 2000 hosted domain lists, with a maximum of 500 hosted domains supported for each domain list. If using a KAL-AP type answer, the GSS can support up to 1024 domains managed by any single server load balancing device such as a Cisco Content Services Switch (CSS) or Content Switching Module (CSM).

Figure 8-8 DNS Rule Wizard—Domains List Page 1

Perform one of the following:

• To have the DNS rule apply to requests for a hosted domain that you have not yet configured but now want to configure, click the Manually-entered domain list option, then click Next. See the DNS Rule Wizard—Domain List Page 2 section for information on using this Domain List detail page in the wizard.

• To have the DNS Rule apply to requests for a domain from a list of hosted domains already configured using the Domain Lists feature of the primary GSSM, click the Predefined domain list option, then click Next. See the DNS Rule Wizard—Domain List Page 3 section for information on using this Domain List detail page in the wizard.

DNS Rule Wizard—Domain List Page 2

If you chose the Manually-entered Domain List option in the Domain List section of the wizard, perform the following steps to manually configure the domains that users will be requesting (Figure 8-9). Once you have configured your Domain List using the DNS Rule Wizard, it is available for other DNS rules as well.

Figure 8-9 DNS Rule Wizard—Domains List Page 2

1. Enter a name for your Domain List in the List Name field.

2. Optionally, click the List Owner drop-down list and select an owner name.

3. In the space provided, enter one or more domain names that make up the list. You can enter complete domain names, or any regular expression that specifies a pattern by which the GSS can match incoming addresses. Any request for a hosted domain that matches that pattern is directed accordingly.

For example, if you had only three hosted domains—www.cisco.com, support.cisco.com, and customer.cisco.com—for which the GSS was responsible, you might want to enter only those domains in your domain list, as follows:

www.cisco.com; support.cisco.com; customer.cisco.com

However, if you had 20 or more possible domains for which the GSS was responsible—www1.cisco.com, www2.cisco.com, and so on—manually entering each address is time consuming. In such a situation, you could create a wildcard expression that would cover all those domains, as follows:

.*\.cisco\.com

4. When you finish entering the domain names, click Next to proceed to the Answer Group detail page of the DNS Rule Wizard. See the DNS Rule Wizard—Answer Group Page section for information.
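
Before entering a source address list and a domain list, it helps to preview which D-proxy addresses and hostnames they actually cover. This Python check is an added example, not part of the GSS software: it parses the semicolon-separated formats shown in this chapter and reports which requests a rule built from them would apply to. It assumes that an entry containing only hostname characters is a literal name and that a regular expression must match the whole queried name; the candidate hostnames and test addresses are constructed.

```python
import ipaddress
import re

MAX_DOMAINS_PER_LIST = 500  # per-list limit stated in this guide

# Assumption: an entry made only of hostname characters is a literal name;
# anything else is compiled as a regular expression.
LITERAL_NAME = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")


def parse_source_address_list(text):
    """Parse 'a.b.c.d/nn; a.b.c.d/nn' into network objects."""
    networks = []
    for entry in (e.strip() for e in text.split(";")):
        if entry:
            # strict=True raises ValueError when host bits are set,
            # for example 192.168.10.5/24 instead of 192.168.10.0/24.
            networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def parse_domain_list(text):
    """Parse 'name; name; regex' into (kind, matcher) pairs."""
    entries = [e.strip() for e in text.split(";") if e.strip()]
    if len(entries) > MAX_DOMAINS_PER_LIST:
        raise ValueError(f"more than {MAX_DOMAINS_PER_LIST} domains in one list")
    parsed = []
    for entry in entries:
        if LITERAL_NAME.fullmatch(entry):
            parsed.append(("literal", entry.lower()))
        else:
            parsed.append(("regex", re.compile(entry, re.IGNORECASE)))
    return parsed


def source_matches(src_ip, networks):
    """True when the D-proxy address falls inside any listed block."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def domain_matches(qname, domain_list):
    """True when the queried name is covered by the domain list."""
    name = qname.rstrip(".").lower()
    for kind, matcher in domain_list:
        if kind == "literal" and name == matcher:
            return True
        # Assumption: the expression must match the entire name.
        if kind == "regex" and matcher.fullmatch(name):
            return True
    return False


def rule_applies(src_ip, qname, networks, domain_list):
    """A rule applies to a known source asking for a known hosted domain."""
    return source_matches(src_ip, networks) and domain_matches(qname, domain_list)


def coverage(domain_list_text, names):
    """Map each candidate name to whether the domain list covers it."""
    domain_list = parse_domain_list(domain_list_text)
    return {name: domain_matches(name, domain_list) for name in names}


# Values taken from the examples in this guide.
SOURCES = parse_source_address_list(
    "192.168.1.110/32; 192.168.10.0/24; 192.161.0.0/16")
EXPLICIT = "www.cisco.com; support.cisco.com; customer.cisco.com"
WILDCARD = r".*\.cisco\.com"

# Constructed candidate names used to preview what each list covers.
CANDIDATES = ["www.cisco.com", "www1.cisco.com", "cisco.com",
              "www.cisco.com.example.net"]

if __name__ == "__main__":
    print("explicit:", coverage(EXPLICIT, CANDIDATES))
    print("wildcard:", coverage(WILDCARD, CANDIDATES))
    print("rule applies:", rule_applies("192.168.10.25", "www2.cisco.com",
                                        SOURCES, parse_domain_list(WILDCARD)))
```

Under these assumptions the wildcard covers every subdomain but not the bare cisco.com name, which is the kind of gap worth finding before the rule goes live.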

DNS Rule Wizard—Domain List Page 3

If you selected the Predefined Domain List option, this step allows you to select from a list of previously configured domains (Figure 8-10).

Figure 8-10 DNS Rule Wizard—Domains List Page 3

1. Click the name of the domain list so that its name is highlighted.

2. Click Next to proceed to the Answer Group detail page of the DNS Rule Wizard. See the DNS Rule Wizard—Answer Group Page section for information.

DNS Rule Wizard—Answer Group Page

This step of the DNS Rule Wizard uses the Answer Groups section of the wizard (Figure 8-11) to configure an Answer Group.

Figure 8-11 DNS Rule Wizard—Answer Group Page 1

Perform one of the following:

• To have this DNS rule respond to the request for the hosted domain using resources (answers) that you have not yet configured, click the Enter addresses option, then click Next. See the DNS Rule Wizard - Answer Group Page 2 section for information on using this Answer Group detail page in the wizard.

• To have this DNS rule respond to the request for the hosted domain using resources (answers) that you already configured using the Answers and Answer Group features, click the Select an existing answer group option, then click Next. See the DNS Rule Wizard - Answer Group Page 4 section for information on using this Answer Group detail page in the wizard.

DNS Rule Wizard - Answer Group Page 2

If you chose the Enter Addresses option in the Answer Group section of the wizard (Figure 8-12), perform the following steps to create your answers and answer group. Once you configure your Answer Group using the Wizard, it is available for other DNS Rules as well.

Figure 8-12 DNS Rule Wizard—Answer Group Page 2

1. Enter a name for your answer group in the Group Name field.

2. Optionally, select an owner for the answer group by clicking the Group Owner drop-down list and selecting a GSS owner from the list.

3. Select an answer group type by clicking one of the three option buttons provided. Once you select an answer group type, only answers of that type (VIP, NS, or CRA) can be added to the group.

– VIP—Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, web server, cache or other geographically dispersed SLBs in a global network deployment.

– Name Server—A configured DNS name server on your network that can answer queries that the GSS cannot resolve.

– CRA—Content routing agents that use a resolution process called DNS race to send identical and simultaneous requests back to a user’s D-proxy.

4. Click Next to begin configuring answers for your answer group. See the DNS Rule Wizard - Answer Group Page 3 section for information on using this Answer Group detail page in the wizard.

DNS Rule Wizard - Answer Group Page 3

This step uses the Answer Group page of the DNS Rule Wizard to configure answers for the specified answer group type: VIP, NS, or CRA (Figure 8-13).

Figure 8-13 DNS Rule Wizard—Answer Group Page 3

1. Perform one of the following:

– If configuring a VIP type answer group, use the following steps to identify the VIPs that provide the answers that make up the answer group. Assign an order, load threshold, and weight to each answer in the answer group.

a. Enter the address of each VIP that belongs to the answer group in the IP Address fields provided.

b. Click the Location drop-down list and select an optional Location.

c. If using the Weighted Round Robin balance method, click the Weight drop-down list and assign a weight between 1 and 10 to each answer in the answer group.

d. If using the Ordered List balance method, assign an order to each VIP listed in the answer group using the Order field provided. The number you assign represents the order of the answer in the list. Subsequent VIPs on the list will only be used in the event that preceding VIPs on the list are unavailable. The GSS supports gaps in numbering in an ordered list.

Note For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.

e. If using a KAL-AP-type answer, assign a load threshold between 0 and 255 using the Load Threshold field. If the VIP answer reports a load above the specified threshold, the GSS will deem the device unavailable to handle further requests.

– If configuring a new name server-type answer group, use the following steps to identify the name servers that provide the answers that make up the answer group:

a. Enter the address of each name server that belongs to the answer group in the IP Address fields provided.

b. For each name server IP address select an optional location by clicking the Location drop-down list.

c. If using the Weighted Round Robin balance method, click the Weight drop-down list and assign a weight between 1 and 10 to each answer in the answer group. The weight is used to create a ratio that the GSS uses when directing requests to each answer. For example, if Answer A has a weight of 10 and Answer B has a weight of 1, Answer A will receive 10 requests for every 1 directed to Answer B.

d. If you are using the Ordered List balance method with this answer group, assign an order to each name server listed in the answer group using the Order drop-down list provided. The number you assign represents the order of the answer in the list. Subsequent name servers on the list will only be used in the event that preceding name servers on the list are unavailable. The GSS supports gaps in numbering in an ordered list.

Note For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.

– If configuring a CRA type answer group, use the following steps to identify the content routing agents (CRAs) that provide the answers that make up the answer group, then assign a location for each answer in the answer group.

a. Enter the address of each CRA that belongs to the answer group in the IP Address fields provided.

b. For each CRA IP address, select an optional location by clicking on the Location drop-down list.

2. Click Next to proceed to the Balance Method details page of the DNS Rule Wizard. See the DNS Rule Wizard—Balance Method Page section for information.

DNS Rule Wizard - Answer Group Page 4

If you selected the Select an Existing Answer Group option, this step allows you to select from a series of previously configured answers (Figure 8-14).

Figure 8-14 DNS Rule Wizard—Answer Group Page 4

1. Click the name of the answer group in the list so that the name is highlighted.

2. Click Next to proceed to the Balance Method details page of the DNS Rule Wizard. See the DNS Rule Wizard—Balance Method Page section for information.

DNS Rule Wizard—Balance Method Page

This step of the DNS Rule Wizard uses the Balance Method page of the wizard (Figure 8-15) to select a balance method to use when selecting the answer from your answer group that is best suited to respond to the DNS query. Your choice of balance methods is limited by the type of answer group (name server, VIP, or CRA) you selected. The DNS Rule Wizard only supports selection of a single balance clause. If necessary, you can modify the DNS rule and add additional balance clauses using the DNS Rule Builder (see the “Modifying DNS Rules” section).

Figure 8-15 DNS Rule Wizard—Balance Method Page

Perform one of the following:

1. If configuring a VIP or name server answer group to respond to requests, choose from the following balance methods for each of your DNS rule clauses:

– Hashed—The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods and allows you to apply one or both of them to the specified answer group.

• By Source Address—The GSS selects the answer based on a hash value created from the source address of the request.

• By Domain Name—The GSS selects the answer based on a hash value created from the requested domain name.

– Least Loaded—Available for VIP-type answer groups only using a KAL-AP keepalive. The GSS selects an answer from the list based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.

– Ordered List—The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports gaps in numbering in an ordered list.

Note For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.

– Round Robin—The GSS cycles through the list of answers that are available as requests are received.

– Weighted Round Robin—The GSS cycles through the list of answers that are available as requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.

2. If you configured a CRA Answer Group to respond to requests:

– Boomerang is automatically assigned by the GSS software as the balance method.

– Enter a “last gasp” address in the Last Gasp field provided. This address serves as the answer in the event that no content routing agents reply to the request. If you specify a “last gasp” address, the GSS automatically:

• Creates an answer for this address

• Creates an answer group that contains the “last gasp” answer

• Adds a second balance clause to the DNS rule with the suffix -GROUP and uses ordered list as the balance method.

3. Click Next to proceed to the Summary page of the DNS Rule Wizard. An overview of your rule is provided that supplies information on the selected source address list, domain list, answer group, and balance method. See the DNS Rule Wizard—Summary section for information.

DNS Rule Wizard—Summary

The Summary page (Figure 8-16) provides an overview of your rule, including information on the source address list, domain list, answer group, and balance method chosen.

Figure 8-16 DNS Rule Wizard—Summary Page

Using the fields provided on the Summary page, complete your DNS rule as follows:

1. Enter a name for your DNS Rule in the Rule Name field.

2. Optionally, associate the rule with a GSS owner by selecting an owner name from the Rule Owner drop-down list.

3. Indicate which type of DNS query applies to this rule by selecting a query type from the Match DNS Query Type drop-down list:

– All - The DNS rule is applied to all DNS queries originating from a host on the configured source address list. For any request other than an A-record query (for example, MX or CNAME record), the GSS forwards the request to a name server configured in one of the three Balance Clauses. When the GSS receives the response from the name server, it then delivers the response to the requesting client D-proxy.

Note When you select All as the Match DNS Query Type you must configure one Balance Clause to include a name server-type answer group.

– A record - The DNS rule is applied only to answer address record (A record) requests originating from a host on the configured source address list. Any request with an unsupported query type (for example, MX, PTR, or CNAME record) that matches this DNS rule is dropped and not answered by the GSS. For an AAAA query with a configured host domain, the GSS returns a NODATA (No Answer, No Error) response so that the requester can then make a subsequent A-record query.

4. Select an operating status for the rule from the Rule Status drop-down list:

– Active—The DNS rule immediately begins processing requests

– Suspended—The DNS rule is listed on the DNS Rules list page, but has a status of “suspended”. The DNS rule is not used to process any incoming DNS queries.

5. Click Finish to save your DNS Rule. You return to the DNS Rules list page.

Building DNS Rules Using the DNS Rule Builder

If you are comfortable with the process of building a DNS rule and have already configured your domain lists, answers, and answer groups, use the DNS Rule Builder to quickly assemble a DNS rule.

The DNS Rule Builder is an interface that pulls together all the GSS elements needed to create new DNS rules. Because the DNS Rule Builder is launched in its own window, you can leave it open and return to the primary GSSM GUI to review or add answers, answer groups, owners, domain lists, and more. Any changes made to your GSS network configuration while the DNS Rule Builder is open are immediately reflected in the DNS Rule Builder.

In addition, the DNS Rule Builder allows you to configure multiple clauses for your DNS rule; that is, additional answer group and balance method pairs that can be tried in the event that the first answer group and balance method specified does not yield an answer.

To create a DNS rule using the DNS Rule Builder:

1. From the primary GSSM GUI, click the DNS Rules tab, then the DNS Rules navigation link. The DNS Rules list appears (Figure 8-17).

Figure 8-17 DNS Rules List Page

2. Click the Open Rule Builder icon. The DNS Rule Builder page opens in a separate window (Figure 8-18).

Figure 8-18 Create New DNS Rule Window

3. In the Rule Name field, enter a name for your new DNS Rule. Rule names cannot contain spaces.

4. From the Rule Owner drop-down list, choose a contact with whom the rule will be associated. The default Rule Owner is System.

5. From the Source Address List drop-down list, choose a Source Address List from which requests will originate. The DNS rule is applied only to requests coming from one of the addresses in the source address list. If you do not choose a source address list, the GSS automatically uses the default list Anywhere.

6. From the Domain List drop-down list, choose a domain list to which DNS queries will be addressed. The DNS rule is applied only to requests coming from one of the addresses in the source address list and for a domain on the specified domain list.

7. From the Match DNS Query Type drop-down list, indicate which type of DNS query applies to this rule:

– All - The DNS rule is applied to all DNS queries originating from a host on the configured source address list. For any request other than an A-record query (for example, MX or CNAME record), the GSS forwards the request to a name server configured in one of the three Balance Clauses. When the GSS receives the response from the name server, it then delivers the response to the requesting client D-proxy.

Note When you select All as the Match DNS Query Type you must configure one Balance Clause to include a name server-type answer group.

– A record - The DNS rule is applied only to answer address record (A record) requests originating from a host on the configured source address list. Any request with an unsupported query type (for example, MX, PTR, or CNAME record) that matches this DNS rule is dropped and not answered by the GSS. For an AAAA query with a configured host domain, the GSS returns a NODATA (No Answer, No Error) response so that the requester can then make a subsequent A-record query.

8. At the Balance Clause 1 heading:

– Select the answer group component of your first answer group/balance method pairing from the drop-down list. This is the first effort the GSS uses to select an answer for the DNS query.

– Select the balance method for the answer group from the drop-down list. Your choice of balance methods changes based on the type of answer group (Name Server, VIP, or CRA) you selected.

9. If you selected a VIP or name server answer group to respond to requests, choose from the following balance methods for each of your DNS rule clauses:

Note If you selected a CRA-type Answer Group, the balance method is automatically set to Boomerang.

– Hashed—The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods and allows you to apply one or both of them to the specified answer group.

• By Source Address—The GSS selects the answer based on a hash value created from the source address of the request.

• By Domain Name—The GSS selects the answer based on a hash value created from the requested domain name.

– Least Loaded—Available for VIP-type answer groups only using a KAL-AP keepalive. The GSS selects an answer from the list based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.

– Ordered List—The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports gaps in numbering in an ordered list.

Note For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.

– Round Robin—The GSS cycles through the list of answers that are available as requests are received.

– Weighted Round Robin—The GSS cycles through the list of answers that are available as requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.

10. If you selected a VIP-type answer group, configure the following information in the fields provided:

– DNS TTL—The duration of time in seconds that the requesting DNS proxy caches the response sent from the GSS and considers it to be a valid answer.

– Return Record Count—The number of address records (A-records) that you want the GSS to return for requests that match the DNS rule.

11. If you selected a CRA-type answer group, configure the following information in the fields provided:

– DNS TTL—The duration of time in (units) that the requesting DNS proxy caches the response sent from the GSS and considers it to be a valid answer.

– Fragment Size—The preferred size of the boomerang race response that is produced by a match to a DNS rule and sent to the requesting client.

– Pad Size—The amount of extra data (in bytes) included with each CRA response packet and used to evaluate CRA bandwidth as well as latency when making load balancing decisions.

– IP TTL—The maximum number of network hops that should be utilized when returning a response to a CRA from a match on a DNS rule.

– Secret—A text string, up to 64 characters, that is used to encrypt critical data sent between the GSS boomerang server and CRAs. This key must be the same for each configured CRA.

– Max Prop. Delay—The maximum propagation delay (in milliseconds) that is observed before the boomerang server component of the GSS forwards a DNS request to a CRA.

– Server Delay—The maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS returns the address of its “last gasp” server as a response to the requesting name server.

12. If you wish, repeat Step 8 through Step 10 to select additional answer group/balance method pairings for Balance Clause 2 and Balance Clause 3. These answer pairs are only applied if the preceding clause is unable to provide an answer for the DNS query.

13. Click Save to save your DNS Rule. You return to the DNS Rules list page. The DNS rule is now active and processing incoming DNS requests.
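
The selection semantics described in steps 8 through 12 (ordered lists with gaps and duplicate order numbers, KAL-AP load thresholds, weight ratios, and fall-through between balance clauses) can be checked against a planned configuration before it is entered in the GUI. The following is an added example, not Cisco code: a simplified Python model in which the addresses, keepalive states and loads are constructed, "first answer" is assumed to mean first in configured order, and the weighted cycle is assumed to hand each answer as many requests as its weight.

```python
"""Simplified model of GSS answer selection (added example, not Cisco code)."""
from dataclasses import dataclass


@dataclass
class Answer:
    address: str               # constructed documentation address
    order: int = 0             # Ordered List position (gaps allowed)
    weight: int = 1            # Weighted Round Robin weight, 1-10
    load_threshold: int = 255  # KAL-AP load threshold, 0-255
    alive: bool = True         # assumed keepalive state
    load: int = 0              # assumed KAL-AP reported load

    def available(self):
        # A VIP reporting a load above its threshold is deemed unavailable.
        return self.alive and self.load <= self.load_threshold


def shadowed_by_duplicate_order(answers):
    """Answers that reuse an earlier answer's order number and are never used."""
    seen, shadowed = set(), []
    for answer in answers:
        if answer.order in seen:
            shadowed.append(answer)
        else:
            seen.add(answer.order)
    return shadowed


def ordered_list(answers):
    """Lowest order number first; later entries only if earlier ones are down."""
    skip = {id(a) for a in shadowed_by_duplicate_order(answers)}
    usable = [a for a in answers if id(a) not in skip]
    for answer in sorted(usable, key=lambda a: a.order):
        if answer.available():
            return answer
    return None


def least_loaded(answers):
    """Available answer reporting the lightest load."""
    up = [a for a in answers if a.available()]
    return min(up, key=lambda a: a.load) if up else None


def weighted_round_robin(answers, requests):
    """Count how many of `requests` each available answer receives."""
    up = [a for a in answers if a.available()]
    slots = [a for a in up for _ in range(a.weight)]
    counts = {a.address: 0 for a in up}
    for i in range(requests if slots else 0):
        counts[slots[i % len(slots)].address] += 1
    return counts


def resolve(clauses):
    """Try up to three (answers, method) clauses; return (clause number, address)."""
    for number, (answers, method) in enumerate(clauses[:3], start=1):
        picked = method(answers)
        if picked is not None:
            return number, picked.address
    return None


if __name__ == "__main__":
    group = [
        Answer("192.0.2.10", order=10, alive=False),
        Answer("192.0.2.11", order=10),   # duplicate order number: never used
        Answer("192.0.2.30", order=30),   # gap in numbering is fine
    ]
    print("shadowed:", [a.address for a in shadowed_by_duplicate_order(group)])
    print("ordered list picks:", ordered_list(group).address)
    ratio = [Answer("192.0.2.1", weight=10), Answer("192.0.2.2", weight=1)]
    print("weighted round robin:", weighted_round_robin(ratio, 22))
```

Running the duplicate-order check over every answer group before saving a rule shows which standby answers would silently never be used.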

Modifying DNS Rules

As with the creation of DNS rules, you can also use the DNS Rule Builder or the DNS Rule Wizard to modify a DNS rule. To modify a previously created DNS rule, perform one of the following:

To modify a DNS rule using the DNS Rule Builder:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list appears.

2. Click the Modify DNS Rule Using Rule Builder Interface button located to the left of the DNS rule you want to modify. The Modify DNS Rule details page opens in a separate window.

3. Make modifications as necessary to the DNS rule. See “Building DNS Rules Using the DNS Rule Builder” for details about using the DNS Rule Builder.

4. Click Save when you complete your modifications. You return to the DNS Rules list page.

To modify a DNS rule using the DNS Rule Wizard:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list appears.

2. Click the Modify DNS Rule Using Wizard button located to the left of the DNS rule you want to modify. The Modify DNS Rule Wizard appears.

3. Make modifications as necessary to the DNS rule in the DNS Rule Wizard. See “Building DNS Rules Using the Wizard” for details about using the DNS Rule Wizard.

4. Click Finish when you complete your modifications. You return to the DNS Rules list page.

Suspending a DNS Rule

If you want to stop requests from being processed by a DNS rule on your GSS, use the suspend feature to temporarily deactivate the rule. You can use the suspend feature to temporarily halt traffic to particular answers while those resources are receiving maintenance.

Once a rule has been suspended, you must reactivate it from the primary GSSM GUI before it can again be used to process incoming DNS queries.

To suspend a DNS rule from the DNS Rule Builder:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.

2. Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule you want to suspend. The DNS Rule Builder page appears in a separate browser window.

3. Click the Suspend icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to suspend the DNS rule.

4. Click OK to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Suspended.

To suspend a DNS rule from the DNS Rule Wizard:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.

2. Click the Modify DNS Rule Using Wizard icon located to the left of the DNS rule you want to suspend. The DNS Rule Wizard appears.

3. Click the Summary navigation link in the Wizard Contents table of contents. The Summary page appears (see Figure 8-16).

4. From the Rule Status drop-down list, select the Suspended operating status for the DNS rule.

5. Click Finish to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Suspended.

Reactivating a DNS Rule

To reactivate operation of a suspended DNS rule from the DNS Rule Builder:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.

2. Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule you want to activate. All suspended DNS rules have a status of Suspended in the list. The DNS Rule Builder window appears.

3. Click the Activate icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to activate the DNS rule.

4. Click OK to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Active.

To reactivate operation of a suspended DNS rule from the DNS Rule Wizard:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.

2. Click the Modify DNS Rule Using Wizard icon located to the left of the DNS rule you want to activate. The DNS Rule Wizard appears.

3. Click the Summary navigation link in the Wizard Contents table of contents. The Summary page appears (see Figure 8-16).

4. From the Rule Status drop-down list, select the Active operating status for the DNS rule.

5. Click Finish to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Active.

Suspending or Reactivating All DNS Rules Belonging to an Owner

DNS rules can be grouped and managed according to a GSS owner that has been established and with which the DNS rules have been associated. Using owners to manage your DNS rules makes it easier for you to quickly suspend or activate rules related to a particular group or department within your organization (for example, HR or Sales) without having to edit each rule that serves that owner individually.

To suspend or reactivate DNS rules belonging to an owner:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Owners navigation link. The Owners list page appears (Figure 8-19).

Figure 8-19 Owners List Page

3. Click the Modify Owner icon located to the left of the owner responsible for the DNS rules you want to suspend or reactivate. The Modifying Owner details page appears (Figure 8-20).

Figure 8-20 Modifying Owners Details Page

4. Perform one of the following:

– To suspend all DNS rules associated with this owner, click the Suspend All DNS Rules for This Owner icon in the upper-right corner of the details page.

– To reactivate all suspended DNS rules associated with this owner, click the Activate All DNS Rules for This Owner icon in the upper-right corner of the details page.

5. Confirm your decision to suspend or activate the DNS rules. Click OK. You return to the Owner list page.

Deleting a DNS Rule

Use the delete feature on the primary GSSM GUI to remove a previously created DNS rule from the GSSM database. Deleting a DNS rule does not delete the source address lists, domain lists, owners, and answer groups associated with the DNS rule.

Caution Deletions of any kind cannot be undone in the GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.

To delete a DNS rule:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.

2. Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule you want to delete. The DNS Rule Builder window appears.

3. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the DNS rule.

4. Click OK to confirm your decision. You return to the DNS Rule list page.

Configuring DNS Rule Filters

As your GSS network grows, so will your collection of DNS rules for handling traffic to and from your network. In time, it may become difficult to locate the rules that you need. For that reason, the GSS GUI provides filters that can be applied to your DNS rules, allowing you to view only those rules that have the properties you are interested in. For example, you can create a filter that will limit your view of the DNS rules to include only those that involve a certain source address list or domain list, use a certain balance method, are owned by a particular user, or have a status of “active.”

To configure a DNS rule filter:

1. From the primary GSSM GUI, click the DNS Rules tab.

2. Click the Filter DNS Rule List icon. The Configure DNS Rule List Filter details page appears (Figure 8-21).

Figure 8-21 Configure DNS Rule List Filter Details Page

3. To filter your list by any of the properties displayed on the Filter List page, enter a complete or partial (wildcard) value into the fields provided. This page is divided into Source Address List Filter Parameters, Domain List Filter Parameters, Balance Clause Filter Parameters, and DNS Rule Filter Parameters sections. The GSS supports filtering combinations in the properties of all four sections of the details page.

Table 8-1 lists the parameters that can be used to filter your DNS rules list and provides explanations and sample entries for each parameter.

Table 8-1 DNS Rules Filter Parameters

| Parameter | Description | Selection Examples |
|---|---|---|
| Source Address List Filter Parameters | | |
| Name | Name assigned to a source address list associated with the DNS rule | VIP1, VIP*, NameServerList |
| IP Address Block | IP address or address block assigned to a source address list associated with the DNS rule | 192.168.110.100, 192.168.* |
| Owner | Name of the owner assigned to the source address list associated with the DNS rule | Any, System, Education |
| Domain List Filter Parameters | | |
| Name | Name assigned to a domain list associated with the DNS rule | CiscoSystems, Cisco* |
| Domain | Domain included on the domain list associated with the DNS rule | www.cisco.com, support.cisco.com, www.* |
| Owner | Name of the owner assigned to the domain list associated with the DNS rule | Any, System, Sales |
| Balance Clause Filter Parameters | | |
| Answer Group Name | Name assigned to an answer group associated with the DNS rule | VIP_answer_Group_1, VIP_answer_Group_2, VIP_* |
| Answer Group Owner | Name of the owner assigned to the answer group associated with the DNS rule | Any, System, HR |
| Answer Group Type | Type of answer group associated with the DNS rule | CRA, Name Server, VIP |
| Contains Answer | Answer belonging to an answer group associated with the DNS rule | 192.161.1.2, 192.168.* |
| Balance Method | Type of balance method (such as boomerang and ordered list) associated with the DNS rule | Boomerang, Hashed, Least Loaded, Order List, Round-Robin, Weighted Round-Robin |
| DNS Rule Filter Parameters | | |
| Name | Name of the DNS rule | Cisco_Rule, Cisco* |
| Owner | Name of the owner assigned to the DNS rule | Any, System, Sales |
| Status | Status of the DNS rule, either active or suspended | Any, Active, Suspended |

4. Click Submit to confirm your decision. The DNS Rule list page reappears. The displayed DNS rules are those DNS rules that match your search criteria. If no DNS Rule parameters match the parameters that you used to filter the list, a message appears:

No DNS rules match the filter specification.

Removing DNS Rule Filters

Use the Show All DNS Rules icon on the DNS Rules list page to remove any filters that have been applied to your DNS Rules. The Show All DNS Rules icon removes all filters and displays a complete list of DNS Rules on your GSS network.

To remove DNS rule filters:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.

2. Click the Show All DNS Rules icon. The DNS Rule Filter list page refreshes, displaying all configured DNS rules.

Delegation to GSS Devices

Once you have configured your GSS devices to connect to your network and have created the logical resources (source address lists, domain lists, answers and answer groups, and DNS rules) required for global server load balancing, you are ready to complete the final step that integrates your new global server load-balancing device into your network’s DNS infrastructure and starts delivering user queries to your GSS: modifying your parent domain’s DNS server to delegate parts of its name space to your GSSs.

Note You should carefully review and perform a test of your GSS deployment before making changes to your DNS server configuration that will affect your public or enterprise network configuration.

Modifying your DNS servers to accommodate your GSS devices involves the following steps:

1. Adding name server (NS) records to your DNS zone configuration file that delegate your domain or subdomains to one or more of your GSSs

2. Adding “glue” address (A) records to your DNS zone configuration file that map the DNS name of each of your GSS devices to an IP address

Example 8-1 provides an example of a DNS zone configuration file for a fictitious cisco.com domain that has been modified to delegate primary DNS authority for three domains to two GSS devices. Relevant lines are shown in bold type.

In Example 8-1, the delegated domains are:

• www.cisco.com

• ftp.cisco.com

• media.cisco.com

The GSS devices are:

• gss1.cisco.com

• gss2.cisco.com


Example 8-1 Sample BIND Zone Configuration File Delegating GSSs

cisco.com.   IN SOA ns1.cisco.com. postmaster.cisco.com. (
             2001111001 ; serial number
             36000      ; refresh 10 hours
             3600       ; retry 1 hour
             3600000    ; expire 42 days
             360000 )   ; minimum 100 hours

; Corporate Name Servers for cisco.com
             IN NS ns1.cisco.com.
             IN NS ns2.cisco.com.

ns1          IN A 192.168.157.209
ns2          IN A 192.168.150.100

; Sub-domains delegated to GSS Network
www          IN NS gss1.cisco.com.
             IN NS gss2.cisco.com.
media        IN CNAME www
ftp          IN NS gss1.cisco.com.
             IN NS gss2.cisco.com.

; "Glue" A records with GSS interface addresses
; Cisco GSS Dallas
gss1         IN A 172.16.2.3
; Cisco GSS London
gss2         IN A 192.168.3.6
...

When reviewing this zone file, remember that there are any number of possible GSS deployments that you can use, some of which may suit your needs and your network better than the example listed. For example, instead of having all subdomains shared by all GSS devices, you may want to allocate specific subdomains to specific GSSs.
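A pre-change check for the delegation described above, added here as an example and not taken from the Cisco guide: it parses a zone file shaped like Example 8-1, lists the names that end up answered by the GSS devices (directly or through a CNAME), and reports any in-zone NS target without an address record or any other data placed at a delegation point. The parser, the function names and the problem messages are assumptions of this example, and only the zone-file syntax used in Example 8-1 is supported.

```python
# Example 8-1 from the page, one record per line (layout constructed here).
EXAMPLE_8_1 = """\
cisco.com. IN SOA ns1.cisco.com. postmaster.cisco.com. (
        2001111001 ; serial number
        36000      ; refresh 10 hours
        3600       ; retry 1 hour
        3600000    ; expire 42 days
        360000 )   ; minimum 100 hours
        IN NS ns1.cisco.com.
        IN NS ns2.cisco.com.
ns1     IN A 192.168.157.209
ns2     IN A 192.168.150.100
www     IN NS gss1.cisco.com.
        IN NS gss2.cisco.com.
media   IN CNAME www
ftp     IN NS gss1.cisco.com.
        IN NS gss2.cisco.com.
gss1    IN A 172.16.2.3
gss2    IN A 192.168.3.6
"""

NAME_RDATA = {"NS", "CNAME"}  # record types whose rdata is a single domain name


def fqdn(name, origin):
    """Qualify a relative zone-file name against the zone origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, [(owner, type, rdata), ...]) for a small BIND zone file.

    Assumptions: class IN, the SOA owner is written as an FQDN, no $ORIGIN,
    $TTL or $INCLUDE directives, and no ';' inside quoted strings.
    """
    logical, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        buf = line if depth == 0 else f"{buf} {line.strip()}"
        depth += line.count("(") - line.count(")")
        if depth == 0:                              # record is complete
            logical.append(buf.replace("(", " ").replace(")", " "))
    if depth != 0:
        raise ValueError("unbalanced parentheses (is ')' inside a comment?)")
    origin, owner, raw_records = None, None, []
    for line in logical:
        tokens = line.split()
        if not line[0].isspace():                   # blank owner inherits the last one
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                           # optional TTL and class
        if owner is None or len(tokens) < 2:
            raise ValueError(f"cannot parse record: {line!r}")
        rtype = tokens[0].upper()
        if rtype == "SOA" and origin is None:
            origin = owner.lower()                  # zone apex
        raw_records.append((owner, rtype, tokens[1:]))
    if origin is None:
        raise ValueError("zone has no SOA record")
    records = []
    for owner, rtype, rdata in raw_records:
        data = fqdn(rdata[0], origin) if rtype in NAME_RDATA else " ".join(rdata)
        records.append((fqdn(owner, origin), rtype, data))
    return origin, records


def audit_delegation(text):
    """Summarise delegations below the zone apex and list configuration problems."""
    origin, records = parse_zone(text)
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))
    delegated = {o: [d for t, d in rrs if t == "NS"]
                 for o, rrs in by_owner.items()
                 if o != origin and any(t == "NS" for t, _ in rrs)}
    problems = []
    for name, servers in sorted(delegated.items()):
        extra = sorted({t for t, _ in by_owner[name] if t != "NS"})
        if extra:
            problems.append(f"{name}: {', '.join(extra)} data at a delegation point")
        for ns in servers:
            in_zone = ns == origin or ns.endswith("." + origin)
            has_addr = any(t == "A" for t, _ in by_owner.get(ns, []))
            if in_zone and not has_addr:
                problems.append(f"{name}: NS {ns} has no A record in this zone")
    via_cname = {o: d for o, rrs in by_owner.items() for t, d in rrs
                 if t == "CNAME" and d in delegated}
    return {"delegated": delegated, "via_cname": via_cname, "problems": problems}


if __name__ == "__main__":
    for key, value in audit_delegation(EXAMPLE_8_1).items():
        print(key, value)
```
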


CHAPTER 9

GSS Administration and Troubleshooting

This chapter covers the procedures necessary to properly manage and maintain your GSSM and GSS devices, including login security, software upgrades, GSSM database administration, and GSSM error messages.

This chapter contains the following major sections:

• Performing Advanced GSS Configuration Tasks

• Configuring the Primary GSSM Graphical User Interface

• Printing and Exporting GSSM Data

• Configuring GSS Security

• Configuring SNMP on Your GSS Network

• Backing Up the GSSM

• Upgrading the Cisco GSS Software

• Downgrading and Restoring Your GSS Devices

• Viewing Third-Party Software Versions

• Primary GSSM Error Messages


Performing Advanced GSS Configuration Tasks

These sections describe the following advanced GSS configuration tasks:

• Logically Removing a GSS or Standby GSSM from the Network

• Changing the GSSM Role in the GSS Network

• Modifying Network Configuration Settings of a GSS

• Changing the Startup and Running Configuration Files

• Loading the Startup Configuration from an External File

Logically Removing a GSS or Standby GSSM from the Network

This section describes the steps to logically remove a GSS or standby GSSM device from your network. You may need to logically remove a GSS from your network when you:

• Move a GSS device between GSS networks

• Send the GSS or standby GSSM out for repair or replacement

Before you physically remove or replace a GSS or standby GSSM, logically remove it from the network.

Note: Do not logically remove the primary GSSM from the GSS network. If you need to take the primary GSSM offline for either maintenance or repair, temporarily switch the roles of the primary and standby GSSMs as outlined in the “Changing the GSSM Role in the GSS Network” section.

To logically remove a GSS or standby GSSM from the network, follow these steps. The first four steps in the instructions assume that the GSS or standby GSSM is operational. If that is not the case, proceed directly to step 5.

1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The CLI prompt appears.

2. At the CLI prompt, enable privileged EXEC mode and then global configuration mode on the device. For example:

localhost.localdomain> enable


3. If possible, use the copy startup-config disk command to back up the startup configuration file on the GSS or standby GSSM device. For example:

localhost.localdomain# copy startup-config disk configfile

4. Use the gss stop command to stop the GSS software running on the GSS. For example:

localhost.localdomain# gss stop

5. Use the gss disable command to disable the selected GSS and remove any existing configuration, including deleting the GSSM database from the GSS device. This option returns the GSS to the initial, disabled state. If the GSS device is to be powered down, also enter the shutdown command. For example:

localhost.localdomain# gss disable
localhost.localdomain# shutdown

6. To logically remove a GSS or a standby GSSM from the network, access the primary GSSM graphical user interface and click the Resources tab.

7. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears.

8. From the Global Site Selectors list, click the Modify GSS icon located to the left of the GSS device you want to delete. The Modifying GSS details page appears.

9. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the GSS device.

10. Click OK to confirm your decision. You return to the Global Site Selectors list page with the deleted device removed from the list.

For details on physically removing or replacing a GSS from your network, refer to the Cisco Global Site Selector Hardware Installation Guide.

To add a GSS or standby GSSM back into the GSS network, follow the procedures outlined in Chapter 2, Setting Up Your GSS.

After you configure the GSS or standby GSSM, you may reload the backup copy of the GSS device startup configuration settings (see the “Loading the Startup Configuration from an External File” section).


Changing the GSSM Role in the GSS Network

The GSS software supports multiple GSSMs on a single GSS network, with one GSSM acting as the primary GSSM and another GSSM acting as a standby device. The standby GSSM is capable of temporarily taking over the role of the primary GSSM in the event that the primary GSSM is unavailable (for example, you need to move the primary GSSM or you want to take it offline for repair or maintenance).

Using the CLI, you can manually switch the roles of your primary and standby GSSMs at any time. Before switching GSSM roles, however, both a primary and a standby GSSM must be configured and enabled in your GSS network.

Do not attempt to switch roles before both a primary and a standby GSSM have been configured and enabled (refer to Chapter 2, Setting Up Your GSS). In addition, ensure that the designated primary GSSM is offline before you attempt to enable the standby GSSM as the new primary GSSM. Having two primary GSSMs active at the same time may result in the inadvertent loss of configuration changes for your GSS network. Although request routing continues to function in such a situation, GUI configuration changes made on one or both devices may be lost or overwritten, and may not be communicated to your GSS devices. If this dual primary GSSM configuration occurs, the two primary GSSMs change to standby mode and you will need to reconfigure one of the GSSMs as the primary GSSM.

Note that the switching of roles between the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online. The interim primary GSSM can be used to monitor GSS behavior and make configuration changes if necessary.

Switching the Roles of the Primary and Standby GSSMs

Use the following steps to change the roles of your primary and standby GSSMs. These instructions assume that your primary GSSM is online and functional at the time you are switching GSSM roles. If this is not the case (for example, the primary GSSM is not functional), ignore any steps that apply to accessing the primary GSSM.

1. Log on to the CLI of the primary GSSM, following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The CLI prompt appears.


2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable

3. If you have not already done so, perform a full backup of your primary GSSM to preserve your current network and configuration settings (see the “Performing a Full GSSM Backup” section).

4. Configure the current primary GSSM as the standby GSSM. Use the gssm primary-to-standby command to place the primary GSSM in standby mode. For example:

gssm1.yourdomain.com# gssm primary-to-standby

5. If the GSSM is to be powered down, also enter the shutdown command. For example:

gssm1.yourdomain.com# shutdown

6. Exit from the CLI of the GSSM.

7. Log on to the standby GSSM. You cannot log in to the GUI of the old primary GSSM once it begins acting in a standby capacity.

8. Enable privileged EXEC mode. For example:

gssm2.yourdomain.com> enable

9. Configure the current standby GSSM to be the temporary primary GSSM for your GSS network. Use the gssm standby-to-primary command to enable your standby GSSM and make it the primary GSSM. For example:

gssm2.yourdomain.com# gssm standby-to-primary

The standby GSSM begins to function in its new role as the primary GSSM.

Note: The configuration changes do not take effect immediately. It can take up to five minutes for the other GSS devices in the network to learn about the new primary GSSM.

10. Exit privileged EXEC mode. The interim primary GSSM is now fully functional and you can now access the GUI.


Reversing the Roles of the Interim Primary and Standby GSSMs

To reverse the roles of the interim primary and standby GSSMs back to the original GSS network deployment (assuming both devices are online):

Note: If your original primary GSSM has been replaced by Cisco Systems, contact the Cisco Technical Assistance Center (TAC).

1. Log on to the CLI of the interim primary GSSM. The CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm2.yourdomain.com> enable

3. Perform a full backup of the interim primary GSSM to preserve the current network and configuration settings (see the “Performing a Full GSSM Backup” section).

4. Use the gssm primary-to-standby command to place the current interim primary GSSM in standby mode and resume its role in the GSS network as the standby GSSM. For example:

gssm2.yourdomain.com# gssm primary-to-standby

5. Exit from the CLI of the standby GSSM.

6. Log on to the CLI of the primary GSSM from the original network deployment. The CLI prompt appears.

7. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable

8. Use the gssm standby-to-primary command to return the GSS device back to the role as the primary GSSM in the GSS network. For example:

gssm1.yourdomain.com# gssm standby-to-primary


Modifying Network Configuration Settings of a GSS

Once you have configured your GSS devices in your network, you can use the CLI to modify the configuration settings of those devices.

To modify the network configuration of a GSS device:

1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable

3. Use the gss stop command to stop your GSS servers. For example:

gssm1.yourdomain.com# gss stop

4. Enter global configuration mode. For example:

gssm1.yourdomain.com# configure
gssm1.yourdomain.com(config)#

5. Use the no form of the network configuration commands to erase configuration settings. For example, to change the IP address assigned to a GSS interface, you would enter:

gssm1.yourdomain.com(config-eth0)# no ip address 10.89.3.24 255.255.255.0
gssm1.yourdomain.com(config-eth0)# exit
gssm1.yourdomain.com(config)#

Once you have removed a GSS device setting, you can reregister it with the primary GSSM by following the instructions in Chapter 2, Setting Up Your GSS.


Changing the Startup and Running Configuration Files

The network configuration for a GSS device includes:

• Interface—Ethernet interface being used

• IP address—Network address and subnet mask assigned to the interface

• GSS communications—Which interface (Ethernet 0 or Ethernet 1) is designated for handling GSS-related communications on the device

• GSS TCP keepalives—Which interface (Ethernet 0 or Ethernet 1) is designated for outgoing keepalives of type TCP and HTTP HEAD

• Host name—Host name assigned to the GSS

• IP default gateway—Network gateway used by the device

• IP name server—Network DNS server being used by the device

• IP routes—All static IP routes

• SSH enable—Whether SSH is enabled on the device

• Telnet enable—Whether Telnet is enabled on the device

• FTP enable—Whether FTP is enabled on the device

Each GSS device tracks two such configurations:

• Startup configuration—The default network configuration. These configuration settings are loaded each time the device is booted.

• Running configuration—The network configuration currently being used by the GSS device.

Usually, the running configuration and the startup configuration file are identical. However, once a configuration parameter is modified for any reason, the two must be reconciled using the CLI in one of the following ways:

• The running configuration can be saved as the new startup configuration using the copy running-config startup-config command. Any changes to the network configuration of the device are retained and used when the device is next rebooted.

• The startup configuration can be maintained. In this case, the running configuration is used up until the point at which the device is rebooted, at which time the running configuration is discarded and the startup configuration is restored.


To change the startup configuration file for a GSS device:

1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

By default, the host name for GSS devices is localhost.localdomain. This name changes once you configure the host name for the device.

2. Enable privileged EXEC mode and then global configuration mode on the device. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com# config
gssm1.yourdomain.com(config)#

3. Make any desired changes to the network configuration of the device. For example, if you wanted to change the device host name, you would use the following command:

gssm1.yourdomain.com(config)# hostname new.yourdomain.com
new.yourdomain.com(config)#

4. Use the copy running-config startup-config command to install the current running configuration as the new startup configuration for the device. For example:

new.yourdomain.com(config)# copy running-config startup-config

5. Alternatively, use the copy command to achieve the same result, copying the running configuration to the startup configuration. For example:

new.yourdomain.com(config)# copy running-config startup-config

Loading the Startup Configuration from an External File

In addition to copying your running configuration internally as a new startup configuration, you can also upload or download GSS device configuration information from an external file using the copy command.

Before attempting to load the startup configuration from a file, make sure that the file has been moved to a local directory on the GSS device.

To copy the GSS device startup configuration to or from a disk:

1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.


2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable

3. Use the copy command to install a new startup configuration from a file. For example:

gssm1.yourdomain.com# copy disk startup-config filename

where filename is the name of the file containing the startup configuration settings.

4. Alternatively, copy the current startup configuration to a file for use on other devices or for backup purposes. For example:

gssm1.yourdomain.com# copy startup-config disk filename

where filename is the name of the file created to contain the startup configuration settings.

Configuring the Primary GSSM Graphical User Interface

The primary GSSM GUI provides you with a number of configuration options for modifying the behavior and performance of the primary GSSM web-based GUI.

Among the settings you can modify are:

• GUI Session Inactivity Timeout Enable—Check box that enables or disables the use of the GUI Session Inactivity Timeout function.

• GUI Session Inactivity Timeout—Number of minutes of inactivity that must pass before your primary GSSM GUI session is automatically terminated

• GSS Reporting Interval—Interval (in seconds) at which GSS devices report their status to the primary GSSM

• Monitoring Screen Refresh Interval—Interval (in seconds) at which the primary GSSM GUI refreshes displayed content


To modify any GUI session settings:

1. From the primary GSSM GUI, click the Tools tab.

2. Click the GUI Configuration navigation link. The GUI Configuration details page appears (Figure 9-1) listing fields for modifying your GUI session settings.

Figure 9-1 GUI Configuration Details Page

3. Perform one or more of the following:

– To adjust the amount of time without GUI activity that must pass before the primary GSSM automatically terminates the GUI session, click the GUI Session Inactivity Timeout Enable check box and enter a number in the GUI Session Inactivity Timeout field. This value is the length of time, in minutes, that passes without any user activity before the session is terminated.


– To adjust the amount of time that must pass before GSS devices report their status to the primary GSSM, enter a number in the GSS Reporting Interval field. This value is the length of time, in seconds, that passes between reports.

– To increase the length of time that passes between automatic screen refreshes when viewing GSS information from the primary GSSM GUI, enter a number in the Monitoring Screen Refresh Interval field. This value is the length of time, in seconds, that passes between automatic screen refreshes.

4. Click Submit to update the primary GSSM. The Transaction Complete icon appears in the lower left corner of the configuration area to inform you that the GUI session has been successfully updated.

Printing and Exporting GSSM Data

You can send any data displayed on the primary GSSM GUI to a local or network printer configured on your workstation, or export that data to a flat file for use with other office applications. When printing or exporting data, all information displayed on the primary GSSM GUI is dumped. You cannot select individual pieces of data to output.

To print or export GSSM data:

1. From the primary GSSM GUI, navigate to the list page or details page containing the data you wish to export or print.

2. Perform one of the following:

– To export the data, click the Export button. You are prompted to either save the exported data as a comma-delimited file or open it using your designated CSV editor.

– To print the data, click the Print button. The Print dialog box on your workstation appears, allowing you to choose a printer.

Note: To export the output of all configured fields of the primary GSSM GUI from the GSS CLI (intended for use by a Cisco technical support representative), use the show tech-support config command. Refer to the Cisco Global Site Selector Command Reference.


Configuring GSS Security

Using the primary GSSM GUI, you can control access to the GUI. Using the CLI, you can control login access to individual GSS devices, as well as incoming traffic to your GSS devices.

This section includes the following procedures:

• Creating and Managing GSSM Login Accounts

• Creating and Managing GSS CLI Login Accounts

• Segmenting GSS Traffic by Interface

• Filtering GSS Traffic Using Access Lists

• Deploying GSS Devices Behind Firewalls

Creating and Managing GSSM Login Accounts

Using the user administration feature of the GSSM, you can create and maintain login accounts for the primary GSSM GUI. In addition to login name and password information, the user administration feature also allows you to maintain contact information for each user.

Note: Only users who log in to the primary GSSM GUI as administrator have the privileges to create, modify, or remove a GSSM GUI account.

This section includes the following procedures:

• Creating a GSSM GUI User Account

• Modifying a GSSM GUI User Account

• Removing a GSSM GUI User Account

• Changing Your GSSM GUI Password


Creating a GSSM GUI User Account

To create a GSSM GUI user account:

1. From the primary GSSM GUI, click the Tools tab.

2. Click the User Administration navigation link. The GUI Configuration list page appears (Figure 9-2).

Figure 9-2 GSSM User Administration List Page

3. Click the Create User icon. The Creating New User details page appears (Figure 9-3).


Figure 9-3 GSSM User Administration Details Page

4. In the User Account area, enter the login name for the new account in the Username field. Usernames can contain spaces.

5. In the Password field, enter the alphanumeric password for the new account.

6. In the Re-type Password field, reenter the password for the new account.

7. In the Personal Information area, enter the user’s first name in the First Name field.

8. In the Last Name field, enter the user’s last name. The first and last name will be displayed next to the user’s login, whenever the user logs on to the primary GSSM.


9. Optionally, fill in the rest of the user’s contact information as follows:

– Job title—User’s position within your organization

– Department—User’s department

– Phone—User’s business telephone number

– E-mail—User’s e-mail address

– Comments—Any important information or comments about the user account

10. Click Submit to create your new user account. You return to the User Administration list page.

Modifying a GSSM GUI User Account

To modify an existing GSSM user account:

1. From the primary GSSM GUI, click the Tools tab.

2. Click the User Administration navigation link. The GUI Configuration list page appears (see Figure 9-2) listing existing user accounts.

3. Click the Modify User icon to the left of the user account that you wish to modify. The Modifying User details page appears (see Figure 9-3) listing fields for modifying your GUI session settings.

4. Use the fields provided to modify the user’s account, as follows:

– Username—Change the account’s login name.

– Password/Retype password—Modify the login password for the account; new passwords must be entered identically in both fields before they are accepted.

– First name—Modify the user’s first name.

– Last name—Modify the user’s last name.

– Job title—Modify the user’s listed position within your organization.

– Department—Modify the user’s department.

– Phone—Modify the user’s business phone number.

– E-mail—Modify the user’s e-mail address.

– Comments—Modify comments on the user account.


5. Click Submit to save changes to the account. You return to the GSSM User Administration list page.

Removing a GSSM GUI User Account

To delete an existing GSSM GUI user account:

1. From the primary GSSM GUI, click the Tools tab.

2. Click the User Administration navigation link. The GUI Configuration list page appears (see Figure 9-2) listing existing user accounts.

3. Click the Modify User icon to the left of the user account that you wish to remove. The Modifying User details page appears (see Figure 9-3), displaying that user’s account information.

Note: You cannot delete the admin account.

4. Click the Delete icon. The software prompts you to confirm your decision to permanently delete the user.

5. Click OK. You return to the GSSM User Administration list page with the user account removed.

Changing Your GSSM GUI Password

Using the change password feature of the primary GSSM GUI, you can change the password for the account that you used to log on to the primary GSSM. You must know the existing password for an account before you can change it to a new value.

Note: If you change the Administration password that is used to log in to the primary GSSM GUI, and then either lose or forget the password, you can reset the password back to “default” by entering the reset-gui-admin-password CLI command. Refer to the Cisco Global Site Selector Command Reference for details on using this command.

To change your account password:

1. From the primary GSSM GUI, click the Tools tab.


2. Click the Change Password navigation link. The Change Password detail page (Figure 9-4) appears, displaying your account name in the Username field.

Figure 9-4 GSSM Change Password Details Page

3. In the Old Password field, enter your existing GSSM login password.

4. In the New Password field, enter the string that you would like to use as the new GSSM login password.

5. In the Re-type New Password field, enter the new password string a second time. This is used to verify that you have entered your password correctly.

6. Click Submit to update your login password.


Creating and Managing GSS CLI Login Accounts

Using the CLI, you can set user access for each of your GSS devices, including the GSSM. User access to the CLI of your GSSs must be managed individually on each device.

Note: Only the admin account can create and manage GSS logins.

This section includes the following procedures:

• Creating a GSS User Account Using the CLI

• Modifying a GSS User Account Using the CLI

• Deleting a GSS User Account Using the CLI

Creating a GSS User Account Using the CLI

When creating user accounts from the CLI, you must specify the new login, password, and privilege level using a single command. You cannot create a new account without designating a value for each of these configuration settings. Refer to the Cisco Global Site Selector Command Reference for detailed information on the username command.

To create a user or administrative login account that can access the CLI of one of your GSS devices:

1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode and then global configuration mode on the device. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#

3. Use the username command to create and configure your new login account and then press Enter to create the account. For example:

gss1.yourdomain.com(config)# username paulr password mypwd privilege admin
User paulr added.


For a login name, enter an unquoted alphanumeric text string with no spaces and a maximum of 32 characters. Login names must start with an alpha character (for example, A-Z or a-z). The GSS does not support usernames that begin with a numerical value. For a password, enter an unquoted text string with no spaces and a maximum length of 8 characters. To create an administrative account, set the privilege level to admin. To create a user account, set the privilege level to user.

4. Repeat step 3 for each new user account that you wish to create.

Modifying a GSS User Account Using the CLI

When modifying a GSS user account using the CLI, use the same procedure that you used to create the account: entering the full username, password, and privilege level and substituting new values for the configuration settings that you wish to change.

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode and then global configuration mode on the device. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#

3. Use the username command to modify the login account and then press Enter to input the new values. For example:

gss1.yourdomain.com(config)# username paulr password newpwd privilege user
User paulr exists, change info? [y/n]: y

4. Repeat step 3 for each user account that you wish to modify.

Deleting a GSS User Account Using the CLI

You must have administrative-level access to the GSS to delete login accounts.

To delete a login account:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode and then global configuration mode on the device. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#

3. Use the username command to delete an existing login account. For example:

gss1.yourdomain.com(config)# username paulr delete
User paulr removed

Note: You cannot delete the admin account.

4. Repeat step 3 for each user account that you wish to delete.

Resetting the CLI Administrator Account Password

If you accidentally forget the password for the GSS administrator account, you can reset it from the GSS CLI. You must have physical access to the GSS device to perform this procedure.

Note: If you change the Administration password that is used to log in to the primary GSSM GUI, and then either lose or forget the password, you can reset the password back to “default” by entering the reset-gui-admin-password CLI command. Refer to the Cisco Global Site Selector Command Reference for details on using this command.

To reset the CLI administrator account password:

1. Attach an ASCII terminal to the GSS console port, following the instructions in the “Connecting Cables” section of Chapter 3 in the Cisco Global Site Selector Hardware Installation Guide.

2. If the GSS device is currently up and running, enter the reload command to halt and perform a cold restart of your GSS device. For example:

Host# reload

As the GSS reboots, output appears on the console terminal.

3. After the BIOS boots and the LILO boot: prompt appears, enter ? (a question mark) to determine which software version the GSS device is running and to enter boot mode.

LILO boot: ?
GSS-<software_version>
boot:

At the LILO boot: prompt, press Tab or ? to view a listing of the available GSS software images.

Note: Enter the ? command within a few seconds of seeing the LILO boot prompt or the GSS device continues to boot. If you miss the time window to enter the ? command, wait for the GSS to properly complete booting, cycle power to the GSS device, and try again to access the LILO boot prompt.

4. At the boot: prompt, enter GSS-<software_version> RESETADMINCLIPW=1. Use care when entering this command; this CLI command is case-sensitive. For example:

boot: GSS-1.1.0 RESETADMINCLIPW=1

If you successfully reset the administrator password, the Resetting admin account CLI password message appears on the console terminal while the GSS device reboots. If the message does not appear, repeat steps 2 through 4. Pay close attention when you enter the GSS-<software_version> RESETADMINCLIPW=1 command.

Segmenting GSS Traffic by Interface

GSS devices include two Ethernet interfaces. By default, GSS servers listen for DNS traffic on both Ethernet interfaces.

Note: In the case of inter-GSS communications, GSS devices listen for configuration and status updates on one interface only, which is the first Ethernet interface (eth0) by default. You can use the gss-communications command to configure which interface is used for interdevice communications on the GSS network. Refer to the Cisco Global Site Selector Command Reference for instructions on using the gss-communications command.

However, for security reasons you may wish to limit GSS traffic to one interface, or segment traffic by constraining a certain type of traffic on a designated interface. Using the access-list and access-group commands discussed in the “Filtering GSS Traffic Using Access Lists” section, you can use access lists to limit traffic on either of your GSS interfaces.

For example, network management services like Telnet, SSH, and FTP listen on all active interfaces once they are enabled. To force these remote management servers to listen on only the second Ethernet interface, you would use the following CLI commands:

gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#
gss1.yourdomain.com(config)# access-list alist1 permit tcp any destination-port ftp
gss1.yourdomain.com(config)# access-list alist1 permit tcp any destination-port ssh
gss1.yourdomain.com(config)# access-list alist1 permit tcp any destination-port telnet
gss1.yourdomain.com(config)# access-group alist1 interface eth1

By default, the above commands would limit the second interface (eth1) to the specified traffic. All other traffic to that interface would be refused.

To deny the same traffic on the first interface (eth0), you would use the following commands:

gss1.yourdomain.com(config)#
gss1.yourdomain.com(config)# access-list alist1 deny tcp any destination-port ftp
gss1.yourdomain.com(config)# access-list alist1 deny tcp any destination-port ssh
gss1.yourdomain.com(config)# access-list alist1 deny tcp any destination-port telnet
gss1.yourdomain.com(config)# access-group alist1 interface eth0

Filtering GSS Traffic Using Access Lists

Using built-in packet filtering features on the GSS, you can instruct your GSSs and GSSMs to permit or refuse specific packets that are received based on a combination of criteria that includes:

• Destination port of the packets

• Requesting host

• Protocol used (TCP, User Datagram Protocol [UDP], or ICMP)

These packet-filtering tools, called access lists, are created and maintained from the GSS CLI. Access lists are essentially collections of filtering rules that are created using the access-list CLI command and can be applied to one or both of your GSS interfaces using the access-group command.

Each access list is a sequential collection of permit and deny conditions that apply to a source network IP address to control whether routed packets are forwarded or blocked at the GSS. The GSS examines each packet to determine whether to forward or drop the packet based on the criteria you specified within the access lists.

Note that each additional criteria statement that you enter is appended to the end of the access list statements. Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list.

The order of access list statements is important. When the GSS is deciding whether to forward or block a packet, the software tests the packet against each criteria statement in the order the statements were created. After a match is found, no more criteria statements are checked.

If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.

For detailed information on access list syntax options, refer to the access-list, access-group, and show access-list commands in the Cisco Global Site Selector Command Reference.

This section includes the following procedures:

• Creating an Access List

• Associating an Access List with a GSS Interface

• Disassociating an Access List from a GSS Interface

• Adding Rules to an Access List

• Removing Rules from an Access List

• Viewing Access Lists

Creating an Access List

The term access list simply refers to one or more filtering rules that are grouped together. You can create any number of access lists on a given GSS device. After you have created an access list, rules can be appended to or removed from the list at any time.

To ensure your GSS functions properly with access lists, identify the ports and protocols normally used by each GSS device. Table 9-1 illustrates the types of expected inbound traffic received by the GSS.

Table 9-1 GSS-Related Ports and Protocols (Inbound Traffic)

Source Port (Remote Device)   Destination Port (GSS)   Protocol    Details
*                             20–23                    TCP         FTP, SSH, and Telnet server services on the GSS
20, 21, 23                    *                        TCP         Return traffic of FTP and Telnet GSS CLI commands
*                             53                       UDP, TCP    GSS DNS server traffic
53                            *                        UDP         GSS software reverse lookup and “dnslookup” queries
123                           123                      UDP         Network Time Protocol (NTP) updates
*                             161                      UDP         Simple Network Management Protocol (SNMP) traffic
*                             443                      TCP         Primary GSSM GUI
1304                          1304                     UDP         CRA keepalives
*                             2000                     UDP         Inter-GSS periodic status reporting
*                             2001–2009                TCP         Inter-GSS communication
2001–2009                     *                        TCP         Inter-GSS communication
*                             3001–3009                TCP         Inter-GSS communication
3001–3009                     *                        TCP         Inter-GSS communication
5002                          *                        UDP         KAL-AP keepalives

*Any legal port number.

To create an access list:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

Note: You need access to the CLI of your GSS devices to create access lists.

2. Enable privileged EXEC mode and access configuration mode. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#

3. Use the access-list command to create your first access list.

For example, to configure an access list named alist1 containing a rule that allows any traffic using the TCP protocol on port 443 on the GSS device, enter the following:

gss1.yourdomain.com# config
gss1.yourdomain.com(config)# access-list alist1 permit tcp any destination-port eq 443

Refer to the Cisco Global Site Selector Command Reference for an explanation of access-list command syntax.

4. Repeat step 3 for each access list that you wish to add to this device, or see the “Adding Rules to an Access List” section for instructions on adding more rules to an access list that already exists.

Associating an Access List with a GSS Interface

After you have created an access list, you must associate it with one or both of your GSS interfaces before it can be used to filter incoming traffic to that interface.

When no access lists are associated with an interface, all incoming traffic is allowed on that interface. After an access list has been applied, only the type of traffic explicitly permitted by that list is allowed. All other traffic is disallowed.

The access-group command is used to associate an access list with a GSS interface.

Note: You need access to the CLI of your GSS devices to associate access lists with GSS interfaces.

To associate access lists with a GSS interface:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode and access configuration mode. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#

3. Use the access-group command to associate an access list with the GSS interface. For example, to associate the access list named alist1 with the first interface on your GSS device, you would enter the following:

gss1.yourdomain.com(config)# access-group alist1 interface eth0

Refer to the Cisco Global Site Selector Command Reference for an explanation of access-group command syntax.

4. Repeat step 3 for each access list that you wish to associate with an interface.
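
The statement ordering described under “Filtering GSS Traffic Using Access Lists” and the refusal of unmatched traffic once a list is associated can be checked offline before a list is applied to an interface. The following Python model is an added example, not Cisco code or part of the GSS software; it parses only the statement forms shown in this guide, and the client address 198.51.100.7 and the alist2 list are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

NAMED_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23}  # standard well-known ports

class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "icmp"
    src: Optional[str]     # None means "any"
    dport: Optional[int]   # None means any destination port

# Only the statement forms that appear in this guide's examples (assumption:
# the full grammar in the Command Reference has more options than this).
STATEMENT = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|icmp)\s+(?:any|host\s+(?P<host>\S+))"
    r"(?:\s+destination-port\s+(?:eq\s+)?(?P<port>\S+))?$"
)

def parse(statements):
    """Return {list name: [Rule, ...]}, keeping the order of entry."""
    lists = {}
    for line in statements:
        m = STATEMENT.match(line.strip())
        if not m:
            raise ValueError(f"unsupported statement: {line!r}")
        port = m["port"]
        if port is not None:
            port = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
        lists.setdefault(m["name"], []).append(
            Rule(m["action"], m["proto"], m["host"], port))
    return lists

def covers(rule, proto, src, dport):
    """True if the statement applies to this protocol, source and port."""
    return (rule.proto == proto
            and rule.src in (None, src)
            and rule.dport in (None, dport))

def decide(rules, proto, src, dport):
    """First matching statement wins; unmatched traffic is refused."""
    for index, rule in enumerate(rules):
        if covers(rule, proto, src, dport):
            return rule.action, index
    return "deny", None

def shadowed(rules):
    """Indexes of statements that an earlier, broader statement hides."""
    return [i for i, later in enumerate(rules)
            if any(covers(earlier, later.proto, later.src, later.dport)
                   for earlier in rules[:i])]

# Inbound services from Table 9-1 of this guide (a selection, not all rows).
EXPECTED_INBOUND = {
    "DNS udp/53": ("udp", 53),
    "DNS tcp/53": ("tcp", 53),
    "Primary GSSM GUI tcp/443": ("tcp", 443),
    "Inter-GSS status udp/2000": ("udp", 2000),
}

def refused_services(rules, client="198.51.100.7"):  # constructed address
    """Names of the Table 9-1 services this list would refuse for client."""
    return [name for name, (proto, port) in EXPECTED_INBOUND.items()
            if decide(rules, proto, client, port)[0] == "deny"]

# alist1 exactly as built in the "Adding Rules to an Access List" procedure.
PAGE_EXAMPLE = [
    "access-list alist1 permit tcp any destination-port eq 443",
    "access-list alist1 deny tcp host 192.168.1.101",
]
# Constructed variants: the same list re-entered deny-first, and a list whose
# first statement permits all TCP.
DENY_FIRST = list(reversed(PAGE_EXAMPLE))
PERMIT_ALL_TCP = [
    "access-list alist2 permit tcp any",
    "access-list alist2 deny tcp host 192.168.1.101",
]

if __name__ == "__main__":
    for label, cfg, name in (("as entered", PAGE_EXAMPLE, "alist1"),
                             ("deny first", DENY_FIRST, "alist1"),
                             ("permit all tcp", PERMIT_ALL_TCP, "alist2")):
        rules = parse(cfg)[name]
        print(f"{label}: 192.168.1.101 -> tcp/443 is",
              decide(rules, "tcp", "192.168.1.101", 443),
              "| unreachable statements:", shadowed(rules),
              "| refused services:", refused_services(rules))
```

Under the ordering rule this guide describes, the list as entered still lets host 192.168.1.101 reach TCP port 443 because the permit statement is tested first, and associating that list with an interface would refuse DNS on that interface.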

Disassociating an Access List from a GSS Interface

After you have associated an access list with one or more of your GSS interfaces, you can disassociate it from that interface using the no form of the access-group command. Disassociating an access list from an interface removes any constraints that the list applied to traffic to that interface.

Note: You need to be able to access the CLI of your GSS devices to disassociate access lists from GSS interfaces.

To disassociate an access list from an interface:

1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode and access configuration mode. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#

3. Use the no access-group command to disassociate an access list from your GSS interface. For example, to disassociate the access list named alist1 from the first interface on your GSS device, you would enter the following:

gss1.yourdomain.com(config)# no access-group alist1 interface eth0

Refer to the Cisco Global Site Selector Command Reference for an explanation of access-group and no access-group command syntax.

4. Repeat step 3 for each access list that you wish to disassociate from an interface.

Adding Rules to an Access List

Once you have created one or more access lists, you can append rules to them at any time.

To add a rule to an access list:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode and access configuration mode. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#

3. Use the access-list command to add a new rule to an existing access list. For example, to add a new rule to the access list named alist1 that blocks all traffic from host 192.168.1.101, you would enter the following:

gss1.yourdomain.com(config)# access-list alist1 deny tcp host 192.168.1.101

Refer to the Cisco Global Site Selector Command Reference for an explanation of access-list command syntax.

4. Use the show access-list command to verify that the rule has been added to your access list. For example:

gss1.yourdomain.com(config)# show access-list
access-list:alist1
access-list alist1 permit tcp any destination-port eq 443
access-list alist1 deny tcp host 192.168.1.101

5. Repeat steps 3 and 4 for each rule that you wish to add to this access list.

Removing Rules from an Access List

Once you have created one or more access lists, you can remove rules from them at any time. Access lists must contain at least one rule. Removing the last rule from an access list removes the list itself from the GSS.

To remove a rule from an access list:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode and access configuration mode. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#

3. Use the no form of the access-list command to remove a rule from an existing access list. For example, to remove the rule from the access list named alist1 that blocks all traffic from host 192.168.1.101, you would enter the following:

gss1.yourdomain.com(config)# no access-list alist1 deny tcp host 192.168.1.101

Refer to the Cisco Global Site Selector Command Reference for an explanation of access-list command syntax.

4. Use the show access-list command to verify that the rule has been removed from your access list. For example:

gss1.yourdomain.com(config)# show access-list
access-list:alist1
access-list alist1 permit tcp any destination-port eq 443

5. Repeat steps 3 and 4 for each rule that you wish to remove from this access list, or from others configured on your system.

Viewing Access Lists

Use the show access-list command to view configured access lists. For example:

gss1.yourdomain.com(config)# show access-list
access-list:alist1
access-list alist1 permit tcp any destination-port eq 443

Deploying GSS Devices Behind Firewalls

In addition to the packet-filtering features of the access-list and access-group commands discussed in the “Filtering GSS Traffic Using Access Lists” section, you can also deploy your GSS devices behind an existing firewall on your enterprise network.

The GSS does not support deployment of devices behind a NAT for inter-GSS communication. The communication between the GSSs cannot include an intermediate device behind a NAT because the actual IP address of the devices is embedded in the payload of the packets.

When configuring your GSS for deployment behind a firewall, at a minimum you will need to allow DNS traffic into the box. If you have multiple GSSs deployed such that traffic between them must pass through a firewall, then you must configure the firewall to also allow inter-GSS communications and inter-GSS status reporting. Whether you need to allow other traffic in Table 9-2 and Table 9-3 will depend on your GSS configuration (for example, whether you are using KAL-AP keepalives) and your need to access certain GSS services through the firewall (for example, SNMP).

To configure your firewall to work with the GSS product, follow the guidelines in Table 9-2 and Table 9-3 to permit inbound and outbound traffic to and from the specified GSS ports. You may also want to use the access-list and access-group commands to enable authorized GSS traffic to the specified ports. By default, all ports not explicitly permitted in your access list are blocked by that interface once the list is associated.

Table 9-2 Inbound Traffic Going Through a Firewall to the GSS

Source Port (Remote Device)   Destination Port (GSS)   Protocol    Details
*                             20–23                    TCP         FTP, SSH, and Telnet server services on the GSS
20, 21, 23                    *                        TCP         Return traffic of FTP and Telnet GSS CLI commands
*                             53                       UDP, TCP    GSS DNS server traffic
53                            *                        UDP         GSS software reverse lookup and “dnslookup” queries
123                           123                      UDP         Network Time Protocol (NTP) updates
*                             161                      UDP         Simple Network Management Protocol (SNMP) traffic
*                             443                      TCP         Primary GSSM GUI
1304                          1304                     UDP         CRA keepalives
*                             2000                     UDP         Inter-GSS periodic status reporting
*                             2001–2009                TCP         Inter-GSS communication
2001–2009                     *                        TCP         Inter-GSS communication
*                             3001–3009                TCP         Inter-GSS communication
3001–3009                     *                        TCP         Inter-GSS communication
5002                          *                        UDP         KAL-AP keepalives

*Any legal port number.

Table 9-3 Outbound Traffic Originating from the GSS

Source Port (GSS)   Destination Port (Remote Device)   Protocol    Details
20–23               *                                  TCP         Return traffic of FTP, SSH, and Telnet server services on the GSS
*                   20, 21, 23                         TCP         Traffic of FTP and Telnet GSS CLI commands
53                  *                                  UDP, TCP    GSS DNS server traffic
*                   53                                 UDP         GSS software reverse lookup and “dnslookup” queries
123                 123                                UDP         Network Time Protocol (NTP) updates
161                 *                                  UDP         Simple Network Management Protocol (SNMP) traffic
443                 *                                  TCP         Primary GSSM GUI
1304                1304                               UDP         CRA keepalives
*                   2000                               UDP         Inter-GSS periodic status reporting
*                   2001–2009                          TCP         Inter-GSS communication
2001–2009           *                                  TCP         Inter-GSS communication
*                   3001–3009                          TCP         Inter-GSS communication
3001–3009           *                                  TCP         Inter-GSS communication
*                   5002                               UDP         KAL-AP keepalives

*Any legal port number.

To configure your GSS devices to function behind a firewall:

1. Determine what level of access and what services you wish to enable on your GSSs and GSSMs. Determine whether you want to allow FTP, SSH, and Telnet access to the device, or whether you wish to permit GUI access to your primary GSSM.

Table 9-2 and Table 9-3 show which GSS-related ports and protocols must be enabled for the product to function properly.

2. Construct your access lists to filter traffic coming to and from your GSS device.

Configuring SNMP on Your GSS Network

Your GSS or GSSM contains a Simple Network Management Protocol (SNMP) agent, ucd-snmp v4.2.3, that enables you to query your GSS devices for standard MIB resources found in MIB-II (RFC-1213) and HOST-RESOURCE-MIB (RFC-1514). SNMP runs on GSS port 161 by default.

MIB-II and HOST-RESOURCE-MIB definitions can be obtained from the following Cisco FTP sites:

ftp://ftp.cisco.com/pub/mibs/v1

ftp://ftp.cisco.com/pub/mibs/v2

Before you can begin using SNMP to monitor your GSS or GSSM, however, you must first enable the SNMP agent on your GSS device.

This section includes the following procedures:

• Configuring SNMP on Your GSS

• Viewing SNMP Status

• Viewing MIB Files on the GSS

Configuring SNMP on Your GSS

To enable and configure the SNMP agent on your GSS device:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode and access configuration mode. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#

3. Use the snmp enable command to enable the SNMP agent. For example:

gss1.yourdomain.com(config)# snmp enable

4. Use the snmp community-string command to specify an SNMP community name for this GSS device. By default, the SNMP community string is public. To change the SNMP community string, enter an unquoted text string with no spaces and a maximum length of 12 characters. For example:

gss1.yourdomain.com(config)# snmp community-string
Enter new Community String:

5. Use the snmp contact command to specify the name of the contact person for this GSS device. You can also include information on how to contact the person; for example, a phone number or e-mail address. Enter an unquoted text string with a maximum of 255 characters including spaces. For example:

gss1.yourdomain.com(config)# snmp contact
Enter new Contact Info: Cisco Systems, Inc.

6. Use the snmp location command to specify the physical location of this GSS device. Enter an unquoted text string with a maximum length of 255 characters. For example:

gss1.yourdomain.com(config)# snmp location
Enter new Location Info: Boxborough, MA 01719

7. To disable SNMP or any of the parameters outlined above, use the no form of the snmp command. For example, to disable SNMP for the GSS, enter:

gss1.yourdomain.com(config)# no snmp enable

Viewing SNMP Status

Once SNMP is enabled, you can display the Simple Network Management Protocol (SNMP) operating status on your GSS device using the show snmp command.

To view the operating status of SNMP on your GSS device:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com#

3. Use the show snmp command to verify whether your SNMP agent, ucd-snmp, is enabled or disabled, and to view the community string, location, and contact. For example:

Host# show snmp
snmp is enabled
snmp settings
-------------
Community String = <set>
Location = Boxborough MA
Contact = Cisco Systems

Note: You can also use the gss status command to verify if SNMP is enabled or disabled.

4. See the “Configuring SNMP on Your GSS” section to change the status of your SNMP agent.

Viewing MIB Files on the GSS

If necessary, you can view the GSS MIB files contained in the /mibs directory on the GSS. The GSS includes a set of standard MIB resources found in MIB-II (RFC-1213) and HOST-RESOURCE-MIB (RFC-1514). MIB-II and HOST-RESOURCE-MIB definitions can be obtained from the following Cisco FTP sites:

ftp://ftp.cisco.com/pub/mibs/v1

ftp://ftp.cisco.com/pub/mibs/v2

If you need to copy the MIBs, use the ftp or scp commands.

To view the GSS MIB files:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com#

3. Use the dir command to view the list of GSS MIBs contained in the /mibs directory. For example:

gss.cisco.com# dir /mibs
total 1100
drwxr-xr-x 2 root root 4096 Jul 18 08:45 .
drwxrwxrwx 19 root root 4096 Jul 18 08:46 ..
-rw-r--r-- 1 root root 17455 Jul 18 08:45 AGENTX-MIB.txt
-rw-r--r-- 1 root root 19850 Jul 18 08:45 DISMAN-SCHEDULE-MIB.txt
-rw-r--r-- 1 root root 64311 Jul 18 08:45 DISMAN-SCRIPT-MIB.txt
-rw-r--r-- 1 root root 50054 Jul 18 08:45 EtherLike-MIB.txt
-rw-r--r-- 1 root root 4660 Jul 18 08:45 HCNUM-TC.txt
-rw-r--r-- 1 root root 52544 Jul 18 08:45 HOST-RESOURCES-MIB.txt
-rw-r--r-- 1 root root 10583 Jul 18 08:45 HOST-RESOURCES-TYPES.txt
-rw-r--r-- 1 root root 4015 Jul 18 08:45 IANA-ADDRESS-FAMILY-NUMBERS-MIB.txt
-rw-r--r-- 1 root root 4299 Jul 18 08:45 IANA-LANGUAGE-MIB.txt
-rw-r--r-- 1 root root 15661 Jul 18 08:45 IANAifType-MIB.txt
-rw-r--r-- 1 root root 5066 Jul 18 08:45 IF-INVERTED-STACK-MIB.txt
-rw-r--r-- 1 root root 71691 Jul 18 08:45 IF-MIB.txt
-rw-r--r-- 1 root root 6260 Jul 18 08:45 INET-ADDRESS-MIB.txt
-rw-r--r-- 1 root root 26781 Jul 18 08:45 IP-FORWARD-MIB.txt
-rw-r--r-- 1 root root 23499 Jul 18 08:45 IP-MIB.txt
-rw-r--r-- 1 root root 15936 Jul 18 08:45 IPV6-ICMP-MIB.txt
-rw-r--r-- 1 root root 48703 Jul 18 08:45 IPV6-MIB.txt
-rw-r--r-- 1 root root 2367 Jul 18 08:45 IPV6-TC.txt
-rw-r--r-- 1 root root 7257 Jul 18 08:45 IPV6-TCP-MIB.txt
-rw-r--r-- 1 root root 4400 Jul 18 08:45 IPV6-UDP-MIB.txt
-rw-r--r-- 1 root root 1174 Jul 18 08:45 RFC-1215.txt
-rw-r--r-- 1 root root 3067 Jul 18 08:45 RFC1155-SMI.txt
-rw-r--r-- 1 root root 79667 Jul 18 08:45 RFC1213-MIB.txt
-rw-r--r-- 1 root root 147822 Jul 18 08:45 RMON-MIB.txt
-rw-r--r-- 1 root root 4628 Jul 18 08:45 SMUX-MIB.txt
-rw-r--r-- 1 root root 15490 Jul 18 08:45 SNMP-COMMUNITY-MIB.txt
-rw-r--r-- 1 root root 20750 Jul 18 08:45 SNMP-FRAMEWORK-MIB.txt
-rw-r--r-- 1 root root 5261 Jul 18 08:45 SNMP-MPD-MIB.txt
-rw-r--r-- 1 root root 19083 Jul 18 08:45 SNMP-NOTIFICATION-MIB.txt
-rw-r--r-- 1 root root 8434 Jul 18 08:45 SNMP-PROXY-MIB.txt
-rw-r--r-- 1 root root 21495 Jul 18 08:45 SNMP-TARGET-MIB.txt
-rw-r--r-- 1 root root 38035 Jul 18 08:45 SNMP-USER-BASED-SM-MIB.txt
-rw-r--r-- 1 root root 33430 Jul 18 08:45 SNMP-VIEW-BASED-ACM-MIB.txt
-rw-r--r-- 1 root root 8263 Jul 18 08:45 SNMPv2-CONF.txt
-rw-r--r-- 1 root root 25052 Jul 18 08:45 SNMPv2-MIB.txt
-rw-r--r-- 1 root root 8924 Jul 18 08:45 SNMPv2-SMI.txt
-rw-r--r-- 1 root root 38034 Jul 18 08:45 SNMPv2-TC.txt
-rw-r--r-- 1 root root 3981 Jul 18 08:45 SNMPv2-TM.txt
-rw-r--r-- 1 root root 10765 Jul 18 08:45 TCP-MIB.txt
-rw-r--r-- 1 root root 2058 Jul 18 08:45 UCD-DEMO-MIB.txt
-rw-r--r-- 1 root root 3131 Jul 18 08:45 UCD-DISKIO-MIB.txt
-rw-r--r-- 1 root root 2928 Jul 18 08:45 UCD-DLMOD-MIB.txt
-rw-r--r-- 1 root root 8037 Jul 18 08:45 UCD-IPFWACC-MIB.txt
-rw-r--r-- 1 root root 30343 Jul 18 08:45 UCD-SNMP-MIB.txt
-rw-r--r-- 1 root root 4076 Jul 18 08:45 UDP-MIB.txt

4. If desired, use the ftp or scp command to copy the MIB files from the /mibs directory on the GSS to another location on the GSS or to a remote network location.

Backing Up the GSSM

The GSSM database of your primary GSSM is the heart of your GSS network. The GSSM database maintains all network and device configuration information, as well as the DNS rules that are used by your GSS devices to route DNS queries from users to available hosts.

Because the database is so important to the continued operation of your GSS network, make frequent backups of your primary GSSM and its database to ensure that if a sudden and unexpected power loss or media failure occurs, your GSSM configuration and database survive, and your GSSM can be quickly restored to operation.

The two types of backups that you can perform are:

• Full—Backs up the GSSM network configuration settings as well as the GSSM database holding GSLB configuration information

• Database—Backs up just the primary GSSM database

We recommend that you always perform a full backup of the GSSM. From a full backup, you can later restore the same information that is contained in a database-only backup in addition to GSSM platform information (if desired). You do not have the option of restoring GSSM platform information from a database-only backup. The full backup provides you with the flexibility to pick and choose the specific GSSM configuration information you want to restore on the GSSM.

Whenever you execute a backup on your primary GSSM, the GSS software automatically creates a tar archive (“tarball”) of the necessary files. If you are performing a full backup, this file has the .full extension. If you are performing a database backup, the file has the .db extension.

When you execute a database restore on your primary GSSM, this archive is automatically unpacked and the database is copied to the GSSM, overwriting the failed database that is there.

Backing up your GSSM database requires access to the GSS CLI and the completion of the following actions:

1. Determining the appropriate time to back up your GSSM

2. Determining whether you need to perform a full backup or database-only backup

3. Performing the backup

4. Moving the backup file to a secure location on your network

This section includes the following procedures:

• Determining When and What Type of Backup to Perform

• Performing a Full GSSM Backup

• Performing a GSSM Database Backup

Determining When and What Type of Backup to Perform

Some general guidelines exist for when and how to back up your primary GSSM. If followed, they help ensure that you are never caught unprepared if you suffer a catastrophic loss of your GSSM.

When to Perform a Full Backup

You should perform a full backup of your GSSM in these situations:

• Before switching GSSM roles, making the standby GSSM your primary GSSM on your network

• Before you perform a GSS software upgrade

• After you make any changes in the device or network configuration of your GSSM

When to Perform a Database Backup

You should perform a database backup of your GSSM in these situations:

• After you make any changes in the device configuration of any of your GSS devices using the GSSM GUI

• After you make any changes to the GSLB configuration of your GSS network using the GSSM GUI. For example, adding or removing an answer, source address list, DNS rule, or user account

Performing a Full GSSM Backup

You can perform a full primary GSSM backup at any time. Performing a full backup of the primary GSSM requires access to the CLI.

To perform a full backup of your primary GSSM:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com#

3. Use the gssm database validate command to verify the integrity of your existing database.

gssm1.yourdomain.com# gssm database validate
gssm1.yourdomain.com#

4. Use the gssm backup command to create a full backup of your primary GSSM. You need to supply a filename for your full backup. For example:

gssm1.yourdomain.com# gssm backup full gssmfullbk
GSSM database backup succeeded [gssmfullbk.full]

5. Copy or move the backup file off your primary GSSM after you receive confirmation that the GSSM successfully created your full backup. This ensures that the backup is not lost if a media failure or other catastrophic loss occurs on your primary GSSM.

Either the secure copy (scp) or ftp command can be used to move your full backup to a remote host. For example:

gssm1.yourdomain.com# scp gssmfullbk.full [email protected]:~/

Performing a GSSM Database Backup

You can perform a database backup at any time. Backing up the primary GSSM database requires access to the GSS CLI.

To perform a database backup of your primary GSSM:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

3. Use the gssm backup command to create a backup of your primary GSSM database. You need to supply a filename for your database backup. For example:

gssm1.yourdomain.com# gssm backup database gssmdbbk
GSSM database backup succeeded [gssmdbbk.db]

4. Copy or move the backup file off your primary GSSM after you receive confirmation that the GSSM successfully created your full backup. This ensures that the backup is not lost if a media failure or other catastrophic loss occurs on your primary GSSM.

Either the secure copy (scp) or ftp command can be used to move your database backup to a remote host. For example:

gssm1.yourdomain.com# scp gssmdbbk.db server.yourdomain.com:home
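
The last step of both backup procedures moves the archive to a remote host. The following added example (not part of the Cisco guide or the GSS software) shows one way that host could take custody of a received .full or .db file: confirm it is a tar archive, restrict its permissions, record a digest, and re-check that digest before the file is used for a restore. The manifest file, function names, and sample archive are assumptions made for illustration.

```python
import hashlib
import json
import os
import stat
import tarfile
import tempfile
from pathlib import Path

# Extensions the guide gives for the two backup types.
BACKUP_KINDS = {".full": "full", ".db": "database"}


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_backup(path, manifest_path):
    """Check a received backup, lock down its permissions and record its digest."""
    path = Path(path)
    kind = BACKUP_KINDS.get(path.suffix)
    if kind is None:
        raise ValueError(f"{path.name}: expected a .full or .db backup file")
    # The guide describes the backup as a tar archive; reject a file that is
    # not one (for example, the wrong file or an empty transfer).
    if not tarfile.is_tarfile(path):
        raise ValueError(f"{path.name}: not a readable tar archive")
    # A full backup carries keys and certificates: owner read/write only.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    entry = {"kind": kind, "size": path.stat().st_size, "sha256": sha256_file(path)}
    manifest_path = Path(manifest_path)
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    manifest[path.name] = entry
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    os.chmod(manifest_path, stat.S_IRUSR | stat.S_IWUSR)
    return entry


def verify_before_restore(path, manifest_path):
    """Return True only if the file still matches what was recorded at archive time."""
    path = Path(path)
    manifest = json.loads(Path(manifest_path).read_text())
    entry = manifest.get(path.name)
    if entry is None:
        return False
    return path.stat().st_size == entry["size"] and sha256_file(path) == entry["sha256"]


def build_sample_backup(directory, name):
    """Construct a small tar file standing in for a GSSM backup (sample data only)."""
    payload = Path(directory) / "payload.txt"
    payload.write_text("constructed sample contents\n")
    backup = Path(directory) / name
    with tarfile.open(backup, "w") as tar:
        tar.add(payload, arcname="payload.txt")
    return backup


def demo():
    """Archive a constructed backup, then show that a later change is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        backup = build_sample_backup(workdir, "gssmfullbk.full")
        manifest = Path(workdir) / "manifest.json"
        entry = archive_backup(backup, manifest)
        intact = verify_before_restore(backup, manifest)
        # Simulate a later modification of the archived copy.
        with open(backup, "ab") as handle:
            handle.write(b"tampered")
        altered = verify_before_restore(backup, manifest)
        mode = stat.S_IMODE(backup.stat().st_mode)
        return entry["kind"], intact, altered, mode


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest on a different host from the backups themselves means that a change to an archived file cannot be hidden by rewriting the recorded digest alongside it.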

Upgrading the Cisco GSS Software

To upgrade to a new software version, you must have access to the GSS download area of the Cisco software download site and to Cisco.com. You must be familiar with the proper procedure for updating your GSS devices and know the CLI commands required to execute the backup.

To take full advantage of all of the features and capabilities of the software release, we recommend that you upgrade all GSS devices in your network within the same time frame, starting with the primary GSSM. This upgrade sequence ensures that the other GSS devices properly receive configuration information from, and are able to send statistics to, the primary GSSM.

The GSS software upgrade requires that you complete the following procedures in the order listed below:

1. Verifying the GSSM Role in the GSS Network

2. Backing up and Archiving the Primary GSSM

3. Obtaining the Software Upgrade

4. Upgrading Your GSS Devices

Verifying the GSSM Role in the GSS Network

You can reconfigure the standby GSSM to operate as an interim primary GSSM in the event that the primary GSSM is unavailable (for example, you need to move the primary GSSM or you want to take it offline for repair or maintenance). Note that the changing of roles between the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online. Before you continue with the upgrade procedure, verify that the roles of the designated primary and standby GSSMs have not changed.

To verify the role of the current primary GSSM and the standby GSSM:

1. At the CLI of the current primary GSSM, enter the following commands:

gssm1.yourdomain.com# cd /home
gssm1.yourdomain.com# type ../props.cfg | grep -i fqdn

The following output appears:

controllerFqdn= domain_name or ip_address

2. Based on the output value for controllerFqdn, note the following:

– If the value of the domain name or IP address is the current primary GSSM in your network, then the current primary GSSM and standby GSSM configuration is the original configuration and no further action is needed. Proceed to the “Backing up and Archiving the Primary GSSM” section.

– If the value of the domain name or IP address is the current standby GSSM in your network, then the current primary GSSM and standby GSSM configuration is not the original configuration. In this case, you must reverse the roles of the primary and standby GSSM devices to those of the original GSS network deployment. See the “Reversing the Roles of the Interim Primary and Standby GSSMs” section.

– If the value of the domain name or IP address is not the current primary GSSM or the standby GSSM in your network, this indicates that the device is not a primary GSSM or is no longer on the network. No further action is required. Proceed to the “Backing up and Archiving the Primary GSSM” section.

The next step is to ensure that you have a full (and current) backup of the primary GSSM database and that you archive this backup. Proceed to the “Backing up and Archiving the Primary GSSM” section.

Backing up and Archiving the Primary GSSM

Before you upgrade your GSS software, ensure that you have a full backup of your primary GSSM database and that you archive the backup by moving it to a remote device. The GSSM database maintains all network and device configuration information, as well as the DNS rules that are used by your GSS devices to route DNS queries from users to available hosts. With an archived backup, you can quickly restore your GSS network to its previous state if necessary. You can perform a full backup at any time. Doing so does not interfere with the functions of the primary GSSM or other GSS devices.

See the “Performing a Full GSSM Backup” section for instructions on performing a full backup of your primary GSSM. Performing a full backup requires access to the CLI.

You are now ready to obtain the upgrade file and upgrade the software on a GSS device. Proceed to the “Obtaining the Software Upgrade” section.

Obtaining the Software Upgrade

Before you can update your GSS software, obtain the appropriate software update file from Cisco.

To acquire the software update from Cisco, you must:

• Access the Cisco.com website and locate the software update files.

• Download the software update files to a server within your own organization that is accessible using FTP or SCP from your GSSs and GSSMs.

You must have a Cisco.com username and password before attempting to download a software update from Cisco.com. To acquire a Cisco.com login, go to http://www.cisco.com and click the Register link.

Note: You need a service contract number, Cisco.com registration number and verification key, Partner Initiated Customer Access (PICA) registration number and verification key, or packaged service registration number to obtain a Cisco.com username and password.

To add an upgrade file for the GSS software:

1. Launch your preferred web browser and point it to the Cisco Global Site Selector download page. When prompted, log in to Cisco.com using your designated Cisco.com username and password. The Cisco GSS Software download page appears, listing the available software upgrades for the GSS software product.

2. If you do not have a shortcut to the Cisco Global Site Selector download page:

a. Log in to Cisco.com using your designated Cisco.com username and password.

b. Access the Software Center from the Technical Support link.

c. Select the Content Networking Software link from the Software Center - Software Products and Downloads page.

d. Select the Cisco Global Site Selector link from the Software Center - Content Networking page.

e. Select the Download Cisco Global Site Selector link from the Software Center - Content Networking page.

The Cisco GSS Software download page appears, listing the available software upgrades for the Cisco GSS Software product.

Note: When you first access the Content Networking page of the Software Center, you must apply for eligibility for GSS software updates because it is considered a strong encryption image. Under the Cisco Content Networking Cryptographic Software section is the Apply for 3DES Cisco Cryptographic Software Under Export Licensing Controls link. Click this link and complete the Encryption Software Export Distribution Authorization Form. You must complete this step to access and download Global Site Selector software images.

3. Locate the .upg file you wish to download by referring to the Release column for the proper release version of the software.

Note: The meta file, originally posted for use with GSS version 1.0, is no longer posted for version 1.1(0) and subsequent releases. The meta file is unnecessary for the installation, and is only used as a check to let you verify the file size of the upgrade file. The Cisco Global Site Selector Software download page contains information on the GSS file size, the MD5 checksum, and other important details about the GSS software upgrade file. Use this file information to verify the integrity of the software upgrade file.

4. Click the link for the .upg file. The download page appears.

5. Click the Software License Agreement link. A new browser window opens to display the license agreement.

6. After you have read the license agreement, close the browser window displaying the agreement and return to the Software Download page.

7. Click the filename link labeled Download. If prompted, reenter your username and password.

8. Click Save to file and then choose a location on your workstation to temporarily store the .upg upgrade file.

9. Post the .upg file that you downloaded to a designated area on your network that is accessible to all your GSS devices.

You are now ready to upgrade the software on a GSS device. Proceed to the “Upgrading Your GSS Devices” section.
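
The note in step 3 says to use the file size and MD5 checksum from the download page to verify the upgrade file. The following added example (not Cisco's code) performs that comparison on the workstation or staging server before the .upg file is posted for the GSS devices; the function names are assumptions, and the sample data is constructed rather than a real GSS image.

```python
import hashlib
import os
import tempfile


def md5_file(path):
    """Return the MD5 hex digest of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_upgrade_file(path, published_size, published_md5):
    """Compare a downloaded .upg file with the size and MD5 from the download page.

    Returns a list of problems; an empty list means both values match.
    """
    problems = []
    if not path.endswith(".upg"):
        problems.append("file does not have the .upg extension")
    actual_size = os.path.getsize(path)
    if actual_size != published_size:
        # Typical of an interrupted download, or of an FTP transfer made in
        # ASCII mode instead of binary mode.
        problems.append(f"size {actual_size} != published {published_size}")
    # Checksums copied from a web page often carry mixed case or stray spaces.
    expected = published_md5.strip().lower()
    actual_md5 = md5_file(path)
    if actual_md5 != expected:
        problems.append(f"MD5 {actual_md5} != published {expected}")
    return problems


def write_sample(workdir, subdir, data):
    """Write constructed sample bytes to <workdir>/<subdir>/gss.upg."""
    directory = os.path.join(workdir, subdir)
    os.makedirs(directory)
    path = os.path.join(directory, "gss.upg")
    with open(path, "wb") as handle:
        handle.write(data)
    return path


def demo():
    """Run the check on constructed sample data (not a real GSS image)."""
    with tempfile.TemporaryDirectory() as workdir:
        original = b"\x00\x01constructed upgrade payload\r\n" * 64
        # Stand-ins for the values shown on the download page.
        published_size = len(original)
        published_md5 = hashlib.md5(original).hexdigest().upper() + " "

        good = write_sample(workdir, "good", original)
        # The same bytes after an ASCII-mode transfer turned CRLF into LF.
        ascii_copy = write_sample(workdir, "ascii", original.replace(b"\r\n", b"\n"))
        # Same length with one byte changed: only the checksum notices.
        flipped = write_sample(workdir, "flipped", b"\xff" + original[1:])

        return (
            check_upgrade_file(good, published_size, published_md5),
            check_upgrade_file(ascii_copy, published_size, published_md5),
            check_upgrade_file(flipped, published_size, published_md5),
        )


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```

MD5 is the only digest the page mentions; it catches corrupted or incomplete transfers, but MD5 is not collision-resistant, so the check is only as trustworthy as the authenticated Cisco.com session the published values were read from.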

Upgrading Your GSS Devices

You must upgrade your GSS devices in the following sequence: the primary GSSM first, followed by the other GSS devices in your network. After you upgrade the primary GSSM, ensure that the GSS device in your network being upgraded has connectivity to the primary GSSM before you perform the software upgrade procedure.

When executing an upgrade, use the CLI install command. Before installing the software upgrade, the install command performs a validation check on the upgrade file; it then unpacks the upgrade archive and installs the upgraded software. Finally, the install command restarts the affected GSS device.

Note: Upgrading your GSS devices causes a temporary loss of service for each affected device.

To upgrade the GSS software (starting with the primary GSSM):

1. Log on to the CLI of the GSS device.

2. Use the ftp or scp command to copy the GSS software upgrade file from the network location to a directory on the GSS. Ensure that you set the transfer type to binary.

For example, to copy an upgrade file named gss.upg from a remote host, your FTP session might look like the following:

gssm1.yourdomain.com> ftp host.yourdomain.com
Connected to host.yourdomain.com.
220 host.yourdomain.com FTP server (Version wu-2.6.1-0.6x.21) ready.
Name (host.yourdomain.com:root): admin
331 Password required for admin.
Password:
230 User admin logged in. Access restrictions apply.
Remote system type is UNIX.
Using ascii mode to transfer files.
ftp> binary
ftp> get
(remote-file) gss.upg
(local-file) gss.upg
local: gss.upg remote: gss.upg
200 PORT command successful.
...

3. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

4. Enter the gss stop command to stop your GSS servers. For example:

gssm1.yourdomain.com# gss stop

5. Enter the install command to install the upgrade. For example:

gssm1.yourdomain.com# install gss.upg

6. At the Proceed with install (the device will reboot)? (y/n): prompt, type y to reboot the GSS device. When the GSS reboots, you lose any network CLI connections. Console connections remain active.

7. If you did not previously save changes to the startup-configuration file, the Save current configuration? [y/n]: prompt appears. Type y to continue. The GSS reboots.

8. After the GSS device reboots, log on to the device and enable privileged EXEC mode.

9. Enter the gss status command and verify that the GSS device reaches a Normal Operation state of runmode 4 or 5.

10. Repeat this procedure for the remaining GSS devices in your network.

Downgrading and Restoring Your GSS Devices

If you encounter problems with a software upgrade, you can always restore an earlier version of the GSS software on your GSSs and GSSMs.

However, to restore an earlier version of your software, you must have backed up a version of your GSSM database that corresponds to that version. In other words, if you wish to downgrade from GSS Release 3 to GSS Release 1 software, there must be a GSS Release 1 database backup that you can restore; your GSS Release 3 database cannot run on the Release 1 platform because of changes in the database schema between releases.

We recommend that you always perform a full backup of the GSSM. From a full backup, you can restore the same information that is contained in a database-only backup in addition to GSSM platform information (if desired). You do not have the option of restoring GSSM platform information from a database-only backup. The full backup provides you with the flexibility to pick and choose the specific GSSM configuration information you want to restore on the GSSM.

When downgrading, use the following order of operations to safeguard your critical GSS data and properly restore your GSSM database:

1. Verify the current software version.

2. Perform a full backup of your primary GSSM.

3. Obtain the software downgrade (.upg) file.

4. Downgrade your GSS device.

5. Verify your downgrade.

In addition, do not attempt to restore an earlier version of the software than the earliest database backup you have available. For example, if the earliest version of the GSS software that you have run is Release 2.0 and your earliest database backup is for Release 2.0, do not attempt to downgrade to a release of the software earlier than 2.0.

This section includes the following procedures:

• Restoring an Earlier Software Version on Your GSS Devices

• Restoring Your GSSM from a Full Backup

• Restoring Your GSSM Database from a Database-Only Backup

Restoring an Earlier Software Version on Your GSS Devices

To restore an earlier version of your GSS software, follow the instructions in the “Verifying the GSSM Role in the GSS Network” and “Upgrading Your GSS Devices” sections to acquire and then install the earlier software upgrade.

After you have downgraded the software on your GSSM, see the “Restoring Your GSSM from a Full Backup” section to restore your backed up GSSM database.

Restoring Your GSSM from a Full Backup

When restoring the GSSM from a full backup as opposed to a database backup, you use the last full backup to restore the GSS device’s network configuration settings as well as the encryption keys that are used to communicate with other GSS devices. Restoring the GSSM from a full backup should be done when you need to return the device to its exact configuration as of the last full backup. It is not necessary if you are simply rolling back the device to an earlier software version.

Use the following procedure to restore an earlier version of the GSSM from a full backup:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Verify that your full backup of the GSSM is at a location that is accessible from the GSSM that you are restoring. Full backups have a .full file extension.

3. Enable privileged EXEC mode. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com#

4. Stop the GSS software on the GSSM and then use the gss status command to confirm that the GSSM has stopped. For example:

atcr1.cisco.com# gss stop
atcr1.cisco.com# gss status
Cisco GSS - 1.1(0.0.1) - [Mon Sep 15 11:33:47 UTC 2003]

gss is not running.

5. Once the GSSM has stopped, use the gssm restore command to restore the GSSM from the full backup file. To restore the file gssmfullbk.full, you would enter:

gss1.yourdomain.com# gssm restore gssmfullbk.full

6. Confirm your decision to overwrite GSS system configuration information on the GSSM and restart the GSSM device. Enter y for yes (or n to stop the restore process).

% WARNING WARNING WARNING
Restoring the database will overwrite all existing
system configuration. If running, the system will
be restarted during this process.

Are you sure you wish to continue? (y/n): y
Backup file is valid. Timestamp = 2003-Sep-15-14:01:53

7. Confirm your decision whether to restore GSSM platform information, or only the GSS database. This selection enables you to return the primary GSSM back to the original state prior to the database backup. Platform information includes all configuration parameters set at the CLI, including: interface configuration, hostname, service settings (NTP, SSH, Telnet, FTP, and SNMP), timezone, logging levels, Web certificates, inter-GSS communication certificates, access lists and access groups, CLI user information, GUI user information, and property-set CLI commands.

This backup contains a backup of the platform configuration.
'n' restores just the database. Restoring platform files requires a reboot.
Restore Platform files? [y/n]: y

Perform one of the following actions:

– Select y to restore GSSM platform information.

Note: Restoring platform information requires a reboot of the GSS at the end of the restore procedure.

– Select n to restore only the GSSM database and not the GSSM platform information. If you choose not to restore GSSM platform information, you must reconfigure the GSSM platform information from the CLI. Refer to Chapter 2, Setting Up Your GSS for details.

8. Confirm your decision to restore the GSS network information for remote devices activated from the primary GSSM.

Do you want to replace your current GSS network configuration with the one specified in the backup file? (y/n): y

Perform one of the following actions:

– Select y to restore the GSS network information, such as registered GSS devices, GSS device status, node information, and IP addresses. This is the network information displayed in the Global Site Selectors list table in the Resources tab (refer to Chapter 2, Setting Up Your GSS). GSS network information does not include DNS rules, answers, keepalive, and so on. Those configuration elements are automatically restored as part of the database restore process.

– Select n to instruct the software not to restore GSS network information to the GSSM. If you choose not to restore the GSS network information, you must disable and enable each device, then reregister the device with the primary GSSM, which may result in a temporary network service outage. Refer to Chapter 2, Setting Up Your GSS for details.

The GSSM continues with the restore process.

Deleting existing database...
Creating empty database for restore...
Restoring the database...
Using GSS network information present in backup file...
Restoring platform backup files.
Database restored successfully.
Reboot Device now? (y/n): y

If you specified to restore GSSM platform information, the GSSM reboots.

9. Use the gss status command to confirm that your restored GSSM is up and running in normal operation mode (runmode = 5).

Restoring Your GSSM Database from a Database-Only Backup

You must have a backup of an earlier version of your database file to restore it to run with your downgraded GSS software. You should be aware that the GSS database schema often changes between versions. When you downgrade from a later to an earlier version of the GSSM database, any configuration changes that you entered through the GSSM subsequent to your last upgrade are lost, including configuration changes, device configuration information, and DNS rules.

See the “Backing Up the GSSM” section for details on performing a database backup of the GSSM.

Note: Restoring your GSSM database requires that the GSSM device be stopped and restarted, resulting in the device and the GUI being unavailable for a short period.

Use the following procedure to restore an earlier version of the GSSM from a backup:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Verify that the full backup of the GSSM is at a location that is accessible from the GSSM that you are restoring. Full backups have a .full file extension.

3. Enable privileged EXEC mode. For example:

gss1.yourdomain.com> enable
gss1.yourdomain.com#

4. Stop the GSS software on the GSSM and then use the gss status command to confirm that the GSSM has stopped. For example:

gss1.yourdomain.com# gss stop
gss1.yourdomain.com# gss status
Cisco GSS - 1.1(0.0.1) - GSSM - primary [Mon Sep 15 12:58:27 UTC 2003]

gss is not running.

5. Once the GSSM has stopped, use the gssm restore command to restore the GSSM database from the backup file that corresponds to the software version that you just restored. To restore the file gssmdbbk.db, you would enter:

gss1.yourdomain.com# gssm restore gssmdbbk.db

6. Confirm your decision to overwrite GSS system configuration information on the GSSM and restart the GSSM device. Enter y for yes (or n to stop the restore process).

% WARNING WARNING WARNING
Restoring the database will overwrite all existing
system configuration. If running, the system will
be restarted during this process.

Are you sure you wish to continue? (y/n):
Backup file is valid. Timestamp = 2003-Aug-20-14:02:06
Restoring database only (No platform backup present)

7. Confirm your decision to restore the GSS network information for remote devices activated from the primary GSSM.

Do you want to replace your current GSS network configuration with the one specified in the backup file? (y/n): y

Perform one of the following actions:

– Select y to restore the GSS network information, such as registered GSS devices, GSS device status, node information, and IP addresses. This is the network information displayed in the Global Site Selectors list table in the Resources tab (refer to Chapter 2, Setting Up Your GSS). GSS network information does not include DNS rules, answers, keepalive, and so on. Those configuration elements are automatically restored as part of the database restore process.

– Select n to instruct the software not to restore GSS network information to the GSSM. If you choose not to restore the GSS network information, you must disable and enable each device, then reregister the device with the primary GSSM, which may result in a temporary network service outage. Refer to Chapter 2, Setting Up Your GSS for details.

The GSSM continues with the restore process.

Deleting existing database...
Creating empty database for restore...
Restoring the database...
Using GSS network information present in backup file...
Database restored successfully.
GSSM database restore succeeded.

8. Once you receive confirmation that the database restoration has succeeded, use the gss start command to restart your GSSM. For example:

gss1.yourdomain.com# gss start
System started.

9. Use the gss status command to confirm that your restored GSSM is up and running in normal operation mode (runmode = 5).

Viewing Third-Party Software Versions

The GSS software relies on a variety of third-party software products to operate properly. For that reason, the GSSM GUI provides a feature that easily allows you to track the third-party software used by the GSS software.

To view information on the third-party software currently running on your GSS:

1. From the GSSM GUI, click the Tools tab.

2. Click the Third-Party Software navigation link. The GSSM Third-Party Software list page appears (Figure 9-5). This page displays the following information:

• Product—Third-party software product. For example, RedHat Version 6.2

• Version—Version of the third-party software currently installed on the GSS device

• URL—Web URL for the software product

Figure 9-5 GSSM Third-Party Software List Page

Primary GSSM Error Messages

The following sections describe error messages that you may encounter when using the primary GSSM GUI to manage your GSS network. Error messages are organized by GSSM component.

This section contains the following GSSM error messages:

• Answer Error Messages

• Answer Group Error Messages

• DNS Rule Error Messages

• Domain List Error Messages

• Shared KeepAlive Error Messages

• KeepAlive Error Messages

• Location Error Messages

• Owner Error Messages

• Region Error Messages

• GSSM Error Messages

• Source Address List Error Messages

• User Error Messages

Answer Error Messages

Error Message Invalid answer name. If entered, name must not be the empty string.

Explanation The name that you entered for the answer is not valid. Answer names cannot be blank or contain blank spaces.

Recommended Action Enter a valid alphanumeric answer name of at least 1 and no more than 80 characters in length that does not contain spaces.


Error Message Invalid answer name. Name length must not exceed 80 characters.

Explanation The answer name that you entered contains too many characters.

Recommended Action Enter a valid alphanumeric answer name of at least 1 and no more than 80 characters in length that does not contain spaces.

Error Message Invalid CRA timing decay. Timing decay must be between 1 and 10.

Explanation You entered an invalid number for the CRA timing decay.

Recommended Action Enter a number between 1 and 10. Lower timing decay values mean that more recent DNS races are weighted more heavily than older races. Higher decay values mean that the results of older races are weighted more heavily than more recent races.

Error Message Invalid CRA static RTT value. Static RTT must be between 0 and 1000.

Explanation You entered an invalid number for the static round-trip time (RTT). This is a manually entered value that is used by the GSS to represent the time it takes for traffic to reach and return from a host.

Recommended Action Enter a static RTT value between 0 and 1000.

Error Message A VIP/Name Server/CRA-type answer named answer_name already exists. If specified, name and type must uniquely identify an answer.

Explanation You are trying to create an answer that already exists on the GSS. You cannot have two answers with the same name and answer type.

Recommended Action Assign a new name or answer type to your answer to make it unique.


Error Message An unnamed VIP/Name Server/CRA-type answer having address IP_address already exists. Name must be specified to configure an answer with the same address as another answer.

Explanation You are trying to create an answer that already exists on the GSS. You cannot have two answers with the same name and IP address.

Recommended Action Assign a new name to your answer to make it unique.

Error Message The maximum number of number VIP/Name Server/CRA-type answers has been met.

Explanation You are attempting to create an answer when the maximum number of that type of answer has already been created.

Recommended Action Remove an existing answer of the same type.

Error Message CRA decay value must be specified.

Explanation You are attempting to create a CRA answer type without specifying a decay value. The decay value is required to tell the GSS how to evaluate and weigh DNS race results.

Recommended Action Enter a number between 1 and 10 for the CRA decay, with 1 causing the GSS to weigh recent DNS race results more heavily, and 10 telling it to weigh them less heavily.

Error Message CRA static RTT must be specified.

Explanation You are attempting to create a CRA answer type without specifying a static round-trip time (RTT) value. The RTT value is used to force the GSS to use a value that you supply as the round-trip time necessary to reach the requesting D-proxy.

Recommended Action Enter a number between 1 and 1000 for the CRA round-trip time in milliseconds.


Error Message Invalid keepalive tag. Tag must be at least one character in length.

Explanation You are attempting to create a VIP answer with a KAL-AP By Tag keepalive, but you have not specified a value for the tag in the field provided.

Recommended Action Enter an alphanumeric tag between 1 and 76 characters in the Tag field.

Error Message Invalid keepalive tag. Tag length must not exceed 76 characters.

Explanation You are attempting to create a VIP answer with a KAL-AP By Tag keepalive, but you have specified a value for the tag that contains too many characters.

Recommended Action Enter an alphanumeric tag between 1 and 76 characters in the Tag field.

Error Message NS-type answer IP Address has the same IP address as GSS GSS_name. GSS IP addresses must not equal any NS-type answers.

Explanation You are attempting to create a name server answer type with the same IP address as a GSS device on the same GSS network. Name server answers cannot use the same address as GSS devices belonging to the same GSS network.

Recommended Action Assign a valid IP address to your name server answer.


Answer Group Error Messages

Error Message This answer group cannot be deleted because it is referenced by number DNS rule balance clause(s).

Explanation You are attempting to delete an answer group that is being referenced by one or more DNS rules.

Recommended Action Modify any DNS rules that are referencing the answer group so that those rules do not point to the group, and then try again to delete the group.

Error Message Invalid answer group name. Name must be entered.

Explanation You are attempting to create an answer group without assigning a name to that group. All answer groups must have names of at least one character.

Recommended Action Enter a name for the new answer group in the field provided, and then click Save.

Error Message Invalid answer group name. Name length must not exceed 80 characters.

Explanation You are attempting to assign the answer group an invalid name.

Recommended Action Enter an alphanumeric name for the answer group that is fewer than 80 characters and does not contain spaces.

Error Message Invalid answer group name. Name must not contain spaces.

Explanation You are attempting to assign the answer group an invalid name.

Recommended Action Enter an alphanumeric name for the answer group that is fewer than 80 characters and does not contain spaces.


Error Message An answer group named name already exists. Name must uniquely identify an answer group.

Explanation You are attempting to assign the answer group a name that is already being used by a different GSS device.

Recommended Action Enter a unique alphanumeric name for the answer group that is fewer than 80 characters and does not contain spaces.

Error Message The maximum number of number answers per VIP/Name Server/CRA-type group has been met.

Explanation You are attempting to add an answer to an answer group to which the maximum number of answers has already been assigned.

Recommended Action Remove an answer from the group, or add the answer to a group to which the maximum number of answers has not already been added.

DNS Rule Error Messages

Error Message TTL must be specified for balance method associated with CRA- or VIP-type answer group.

Explanation You are attempting to create a balance clause without specifying a Time To Live (TTL) for answers returned by the clause.

Recommended Action Enter a TTL value between 0 and 604,800 seconds.

Error Message Invalid balance clause TTL. TTL must be between 0 and 604,800.

Explanation You are required to specify a Time To Live (TTL) value for answers provided by the balance clause that you are creating.

Recommended Action Enter a TTL value between 0 and 604,800 seconds.


Error Message Invalid balance clause position. Position must be between 0 and 2.

Explanation You are attempting to create a clause for your DNS rule that is out of sequence. The DNS Rule Builder provides options for three balance clauses, which must be created in order, with no gaps between clauses. For example, if you are using only one balance clause, it must appear in the first position. It cannot be listed in the second or third positions with the first position left blank.

Recommended Action Rearrange your balance clauses in the DNS Rule Builder so that they are listed in the proper order, with no gaps between them.

Error Message Hash type must be specified for answer group using hash balance method.

Explanation You are trying to create an answer group using the balance method “Hashed” with the selected answer, but you have not selected at least one of the hash methods: By Domain Name and By Source Address.

Recommended Action Select one or more of the available hash methods by checking the box corresponding to the methods that you wish to use with this balance clause.

Error Message Balance clause Boomerang fragment size must be specified.

Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a fragment size in the Fragment Size field. The fragment size determines the preferred size of the boomerang race response that is produced by a match to a DNS rule and is sent to the requesting client.

Recommended Action Enter a fragment size between 28 and 1980 in the field provided. The fragment size must be divisible by 4.


Error Message Invalid balance clause Boomerang fragment size. Boomerang fragment size must be 0 or between 28 and 1980.

Explanation You are attempting to specify an unacceptable fragment size for this balance clause in the Fragment Size field.

Recommended Action Enter a valid fragment size. Fragment sizes must be between 28 and 1980, and must be divisible by 4.

Error Message Invalid balance clause Boomerang fragment size. Boomerang fragment size must be a multiple of 4.

Explanation You are attempting to specify a fragment for this boomerang balance clause that is within the acceptable range but not divisible by 4. Fragment sizes must be divisible by 4.

Recommended Action Enter a fragment size between 28 and 1980 that is also divisible by 4. Zero is also an acceptable fragment size.

Error Message Balance clause Boomerang IP TTL value must be specified.

Explanation You are attempting to create a balance clause using the boomerang balance method, but have not specified an IP Time To Live (TTL) in the field provided. The IP TTL specifies the maximum number of network hops that can be used when returning a response to a CRA from a match on a DNS rule.

Recommended Action Enter an IP TTL between 1 and 255 in the field provided and then click Save.

Error Message Invalid balance clause Boomerang IP TTL. Boomerang IP TTL must be between 1 and 255.

Explanation You are attempting to create a balance clause using the boomerang balance method but have specified an invalid IP Time to Live (TTL).

Recommended Action Enter an IP TTL between 1 and 255 in the field provided and then click Save.


Error Message Balance clause Boomerang maximum propagation delay must be specified.

Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a maximum propagation delay (Max Prop. Delay) in the field provided. The maximum propagation delay specifies the maximum length of time (in milliseconds) that is observed before the GSS forwards a Domain Name System (DNS) request to a content routing agent (CRA).

Recommended Action Enter a maximum propagation delay between 1 and 1000 milliseconds in the Max Prop. Delay field.

Error Message Invalid balance clause Boomerang maximum propagation delay. Boomerang maximum propagation delay must be between 1 and 1000.

Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a valid maximum propagation delay (Max Prop. Delay) in the field provided.

Recommended Action Enter a maximum propagation delay between 1 and 1000 milliseconds in the Max Prop. Delay field.

Error Message Balance clause Boomerang padding size must be specified.

Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a pad size in the Pad Size field. The pad size is the amount of extra data (in bytes) included with each content routing agent (CRA) response packet and is used to evaluate CRA bandwidth as well as latency when routing decisions are made.

Recommended Action Enter a valid pad size between 0 and 2000 in the Pad Size field.


Error Message Invalid balance clause Boomerang padding size. Boomerang padding size must be between 0 and 2000.

Explanation You are attempting to create a balance clause using the boomerang balance method but have specified an invalid pad size in the Pad Size field.

Recommended Action Enter a valid pad size between 0 and 2000 in the Pad Size field.

Error Message Invalid balance clause Boomerang secret. If specified, Boomerang secret must be between 1 and 64 characters in length.

Explanation You are attempting to create a balance clause using the boomerang balance method but have specified an invalid secret in the Secret field. The boomerang secret is a text string consisting of between 1 and 64 characters that is used to encrypt critical data sent between the boomerang server and content routing agents (CRAs). This key must be the same for each configured CRA.

Recommended Action Enter a valid boomerang secret between 1 and 64 characters in the Secret field.

Error Message Balance clause Boomerang server delay must be specified.

Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a server delay in the Server Delay field. The boomerang server delay is the maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS forwards the address of its “last gasp” server as a response to the requesting name server.

Recommended Action Enter a valid server delay between 32 and 999 milliseconds in the Server Delay field.


Error Message Invalid balance clause Boomerang server delay. Boomerang server delay must be between 32 and 999.

Explanation You are attempting to create a balance clause using the boomerang balance method but have specified an invalid server delay in the Server Delay field.

Recommended Action Enter a valid server delay between 32 and 999 milliseconds in the Server Delay field.

Error Message Invalid DNS rule name. Name must be entered.

Explanation You are attempting to create a DNS rule without assigning a name to the rule. DNS rules must have names of between 1 and 100 characters.

Recommended Action Assign a name to your DNS rule using the Rule Name field and then try again to save the rule.

Error Message Invalid DNS rule name. Name length must not exceed 100 characters.

Explanation You are attempting to assign a name to your DNS rule that is too long. The maximum length for DNS rules is 100 characters.

Recommended Action Enter a name for your DNS rule that is between 1 and 100 characters and then attempt to save the rule again.

Error Message Invalid DNS rule name. Name must not contain spaces.

Explanation You are attempting to assign your DNS rule a name that contains spaces.

Recommended Action Enter a valid name for your DNS rule that is between 1 and 100 characters and does not contain spaces.


Error Message A DNS rule using the specified source address list, domain list, and matching query type already exists. Source address list, domain list, and matching query type must uniquely identify a DNS rule.

Explanation You are attempting to create a DNS rule that already exists. DNS rules must specify a unique combination of source address list, domain list, and matching query type.

Recommended Action Reconfigure your DNS rule so that it does not exactly match the preexisting rule and then save the rule.

Error Message Duplicate answer group/balance method assignment detected. A DNS rule cannot use the same answer group and balance method in multiple balance clauses.

Explanation You are attempting to create two identical answer group and balance method clauses in your DNS rule. Each clause must use a unique combination of answer groups and balance methods.

Recommended Action Modify one of your answer group and balance method pairs so that it is no longer identical to the other and then save your DNS rule.

Error Message Balance clause gap detected at position {0,1,2}. Balance clauses must be specified sequentially without gaps.

Explanation You are attempting to create a clause for your DNS rule that is out of sequence. The DNS Rule Builder provides options for three balance clauses, which must be created in order, with no gaps between clauses. For example, if you are using only one balance clause, it must appear in the first position. It cannot be listed in the second or third positions with the first position left blank.

Recommended Action Rearrange your balance clauses in the DNS Rule Builder so that they are listed in the proper order, with no gaps between them.


Error Message A DNS rule named DNS_Rule_name already exists. Name must uniquely identify a DNS rule.

Explanation You are attempting to assign a name to the DNS rule that is already assigned to another rule. DNS rule names must be unique.

Recommended Action Assign the rule a name that is not already being used and then save the rule.
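The following Python example is an addition to this guide, not Cisco or GSS code. It applies the DNS rule and balance clause limits quoted in the error messages above to a planned rule before the rule is entered in the DNS Rule Builder. The class, field and function names and the two sample rules are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Limits taken from the error messages in this section (all inclusive).
TTL_RANGE = (0, 604_800)              # balance clause TTL, seconds
BOOMERANG_RANGES = {
    "ip_ttl": (1, 255),               # network hops
    "max_prop_delay": (1, 1000),      # milliseconds
    "pad_size": (0, 2000),            # bytes
    "server_delay": (32, 999),        # milliseconds
}


@dataclass
class BalanceClause:
    """One planned balance clause. Field names are hypothetical."""
    answer_group: str
    group_type: str                   # "vip", "ns" or "cra"
    method: str                       # e.g. "hashed" or "boomerang"
    ttl: Optional[int] = None
    hash_types: Tuple[str, ...] = ()  # "domain-name", "source-address"
    fragment_size: Optional[int] = None
    ip_ttl: Optional[int] = None
    max_prop_delay: Optional[int] = None
    pad_size: Optional[int] = None
    server_delay: Optional[int] = None
    secret: Optional[str] = None      # boomerang secret, optional


def _check_range(label: str, value: Optional[int], lo: int, hi: int,
                 errors: List[str]) -> None:
    if value is None:
        errors.append(f"{label} must be specified")
    elif not lo <= value <= hi:
        errors.append(f"{label} must be between {lo} and {hi}")


def lint_clause(pos: int, c: BalanceClause) -> List[str]:
    """Check one clause against the per-clause limits."""
    errors: List[str] = []
    where = f"clause {pos}"
    if c.group_type in ("vip", "cra"):            # TTL is required for these
        _check_range(f"{where}: TTL", c.ttl, TTL_RANGE[0], TTL_RANGE[1], errors)
    if c.method == "hashed" and not c.hash_types:
        errors.append(f"{where}: hash type must be specified")
    if c.method == "boomerang":
        fs = c.fragment_size
        if fs is None:
            errors.append(f"{where}: fragment size must be specified")
        elif fs != 0 and not 28 <= fs <= 1980:
            errors.append(f"{where}: fragment size must be 0 or between 28 and 1980")
        elif fs % 4:
            errors.append(f"{where}: fragment size must be a multiple of 4")
        for field, (lo, hi) in BOOMERANG_RANGES.items():
            _check_range(f"{where}: {field}", getattr(c, field), lo, hi, errors)
        # Report only the length problem; never echo the secret itself.
        if c.secret is not None and not 1 <= len(c.secret) <= 64:
            errors.append(f"{where}: secret must be between 1 and 64 characters")
    return errors


def lint_rule(name: str, slots: List[Optional[BalanceClause]]) -> List[str]:
    """Check a rule name and its clause slots (None marks an empty slot)."""
    errors: List[str] = []
    if not name:
        errors.append("rule name must be entered")
    elif len(name) > 100:
        errors.append("rule name must not exceed 100 characters")
    elif " " in name:
        errors.append("rule name must not contain spaces")
    if len(slots) > 3:
        errors.append("a rule has at most three balance clauses")
    filled = [i for i, c in enumerate(slots) if c is not None]
    # Any empty slot that precedes a filled one is a gap.
    for pos in range(filled[-1] if filled else 0):
        if slots[pos] is None:
            errors.append(f"balance clause gap at position {pos}")
    seen = {}
    for pos in filled:
        c = slots[pos]
        key = (c.answer_group, c.method)
        if key in seen:
            errors.append(f"clause {pos}: duplicates answer group/balance "
                          f"method of clause {seen[key]}")
        else:
            seen[key] = pos
        errors.extend(lint_clause(pos, c))
    return errors


# Constructed sample rules (not taken from a real GSS network).
GOOD_RULE = [
    BalanceClause("cra-east", "cra", "boomerang", ttl=20, fragment_size=1024,
                  ip_ttl=64, max_prop_delay=20, pad_size=0, server_delay=32,
                  secret="constructed-example-secret"),
    BalanceClause("vip-west", "vip", "hashed", ttl=300,
                  hash_types=("source-address",)),
]
BAD_RULE = [
    None,                                                    # gap at position 0
    BalanceClause("vip-west", "vip", "hashed", ttl=700_000),  # TTL, no hash type
    BalanceClause("vip-west", "vip", "hashed", ttl=60,
                  hash_types=("domain-name",)),              # duplicate pair
]

if __name__ == "__main__":
    for problem in lint_rule("rule one", BAD_RULE):
        print(problem)
```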

Domain List Error Messages

Error Message <domain name> must contain at least one character.

Explanation You are attempting to add a domain to a domain list with an invalid name. Domains in domain lists must have names of at least one character.

Recommended Action Enter a name that is between 1 and 100 characters and then save your domain list.

Error Message <domain name> character limit exceeded.

Explanation You are attempting to add a domain to a domain list using a name that is too long. Domains in domain lists cannot have names of more than 100 characters.

Recommended Action Enter a new domain name of no more than 100 characters and then save your domain list.

Error Message Domain specification must not exceed 128 characters.

Explanation You are attempting to add a domain to your domain list with a name that is longer than 128 characters. Domain lists cannot contain domains with names longer than 128 characters.

Recommended Action Replace the domain with a domain name containing fewer than 128 characters and then save your domain list.


Error Message <domain name> must not contain spaces.

Explanation You are attempting to add a domain to your domain list with a name that contains spaces. Domains in domain lists cannot have names that contain spaces.

Recommended Action Modify the domain name so that it does not contain spaces and then save your domain list.

Error Message <domain name> is not a valid regular expression: <regular expression syntax error message here>

Explanation You are attempting to add a domain name to a domain list with a name that contains invalid characters or formatting. Domain names in domain lists must be valid regular expressions.

Recommended Action Modify the domain name so that it is a valid regular expression and does not contain any invalid characters or formatting (for example, www.cisco.com or .*\.cisco\.com), and then save your domain list.

Error Message <domain name> must not begin or end with '.'

Explanation You are attempting to add a domain to a domain list with a literal name that contains an invalid character at the beginning or end of the domain name.

Recommended Action Modify the domain name so that it does not contain a period at the beginning or end of the name and then save your domain list.

Error Message <domain name> component must not begin or end with '-'

Explanation You are attempting to add a domain to a domain list with a literal name that contains an invalid character at the beginning or end of one component of the domain name. For example, www.cisco-.com.

Recommended Action Modify the domain name so that it does not contain a dash (-) at the beginning or end of any segment of the name and then save your domain list.


Error Message <domain name> contains invalid character '<character>' (<ASCII value of the character>)

Explanation You are attempting to add a domain to a domain list with a name that contains an invalid text character. Domains belonging to domain lists must have names that are regular expressions.

Recommended Action Modify the domain name so that it does not contain an invalid text character and then save your domain list.

Error Message This domain list cannot be deleted because it is referenced by X DNS rule

Explanation You are attempting to delete a domain list that is being referenced by one or more DNS rules.

Recommended Action Modify any DNS rules that use the domain list so that they no longer reference it and then try again to delete the list.

Error Message Invalid domain list name. Name must be entered.

Explanation You are attempting to create a domain list without a name. Domain lists must have names of at least one character.

Recommended Action Assign a name of at least 1 and no more than 80 characters to your domain list and then save it.

Error Message Invalid domain list name. Name length must not exceed 80 characters.

Explanation You are attempting to create a domain list with a name that is too long.

Recommended Action Assign a name of at least 1 and no more than 80 characters to your domain list and then save it.


Error Message Invalid domain list name. Name must not contain spaces.

Explanation You are attempting to create a domain list with a name that contains spaces. Domain list names cannot contain spaces.

Recommended Action Assign a name without spaces to your domain list. Names must consist of at least 1 and no more than 80 characters. Save your domain list when you have assigned it a valid name.

Error Message A domain list named '<name>' already exists. Name must uniquely identify a domain list.

Explanation You are attempting to assign a name to your domain list that has already been assigned to another domain list on the same GSS network.

Recommended Action Assign a unique name to your new domain list and then save the list.

Error Message The maximum number of <limit> domains per list has been met.

Explanation You are attempting to add a domain to your domain list when the maximum number of domains has already been added to that list.

Recommended Action Remove an existing domain from the domain list and then add the new domain. Alternatively, create a domain list to hold the new domain and any subsequent domains that you wish to add.


Shared KeepAlive Error Messages

Error Message Invalid CAPP hash secret. Secret must be entered.

Explanation You are attempting to create a KAL-AP keepalive using a CAPP hash secret but have not specified a secret in the field provided.

Recommended Action Enter a CAPP hash secret of no more than 31 characters in the field provided.

Error Message Invalid CAPP hash secret. Secret length must not exceed 31 characters.

Explanation You are attempting to create a KAL-AP keepalive using a CAPP hash secret but have specified a secret that is too long.

Recommended Action Enter a CAPP hash secret of no more than 31 characters in the field provided.

Error Message Invalid HTTP HEAD response timeout.

Explanation You are attempting to specify an HTTP HEAD response timeout that is invalid.

Recommended Action Enter a response timeout between 20 and 60 seconds in the HTTP HEAD response timeout field of the Shared Keepalive details page.

Error Message Response timeout must be between 20 and 60 seconds.

Explanation You are attempting to specify an HTTP HEAD response timeout that is invalid.

Recommended Action Enter a response timeout between 20 and 60 seconds in the HTTP HEAD response timeout field of the Shared Keepalive details page.


Error Message Invalid HTTP HEAD destination port. Destination port must be between 1 and 65,535.

Explanation You are attempting to specify a port number for HTTP HEAD traffic that is invalid.

Recommended Action In the HTTP HEAD destination port field in the Shared Keepalive details page, enter a port number between 1 and 65,535 through which HTTP HEAD keepalive traffic will pass. The default port is 80.

Error Message Invalid HTTP HEAD path. Path length must not exceed 256 characters.

Explanation You are attempting to specify an HTTP HEAD path that is not valid.

Recommended Action Enter a valid path shorter than 256 characters in the HTTP HEAD default path field in the Shared Keepalive details page.

Error Message Invalid <keepalive type> minimum probe frequency. Frequency must be between <min> and <max>.

Explanation You are attempting to specify a minimum probe interval for your keepalive type that is invalid.

Recommended Action Specify an interval (in seconds) within the range specified for that keepalive type in the Shared Keepalive details page. The interval range for the CRA keepalive type is between 1 and 60 seconds. For all other keepalive types, it is between 45 and 255 seconds.


KeepAlive Error Messages

Error Message Duplicate keepalive address detected. A keepalive must not be configured to use the same primary and secondary addresses.

Explanation You are trying to configure a KAL-AP keepalive that is identical to a keepalive of the same type that already exists.

Recommended Action Configure the KAL-AP keepalive to use a different primary and secondary address.

Error Message Duplicate keepalive primary address '<primaryaddress>' detected. An address can be used by at most one KAL-AP type keepalive.

Explanation You are trying to configure a KAL-AP keepalive that uses the same primary IP address as a keepalive of the same type that already exists.

Recommended Action Configure the KAL-AP keepalive to use a primary IP address that is not already being used by another keepalive.

Error Message Duplicate keepalive secondary address '<secondary address>' detected. An address can be used by at most one KAL-AP type keepalive.

Explanation You are trying to configure a KAL-AP keepalive that uses the same secondary IP address as a keepalive of the same type that already exists.

Recommended Action Configure the KAL-AP keepalive to use a secondary IP address that is not already being used by another keepalive.


Error Message HEAD Duplicate keepalive detected. An HTTP HEAD keepalive must not use the same address, destination path, host tag, and port as another HTTP HEAD keepalive.

Explanation You are trying to configure an HTTP HEAD keepalive that features an identical configuration to that of another HTTP HEAD keepalive on your GSS network.

Recommended Action Configure the HTTP HEAD keepalive to use a unique configuration of address, destination path, host tag, and port.

Error Message Duplicate keepalive detected. An ICMP keepalive must not use the same address as another ICMP keepalive.

Explanation You are trying to configure an ICMP keepalive with an IP address that is identical to that of another ICMP keepalive on your GSS network.

Recommended Action Configure the ICMP keepalive to use a unique IP address.

Error Message Invalid CAPP hash secret. Secret length must not exceed 31 characters.

Explanation You are attempting to create a KAL-AP keepalive using a CAPP hash secret but have specified a secret that is too long.

Recommended Action Enter a CAPP hash secret of no more than 31 characters in the field provided.

Error Message Invalid HTTP HEAD destination port. If specified, destination port must be between 0 and 65,535.

Explanation You are attempting to specify a port number for HTTP HEAD traffic that is invalid.

Recommended Action In the HTTP HEAD destination port field in the Shared Keepalive details page, enter a port number between 1 and 65,535 through which HTTP HEAD keepalive traffic will pass. The default port is 80.


Error Message Invalid HTTP HEAD host tag. Host tag length must not exceed 128 characters.

Explanation You are attempting to create an HTTP HEAD host tag that is too long.

Recommended Action Enter an HTTP HEAD host tag of no more than 128 characters.

Error Message Invalid HTTP HEAD path. If specified, path length must not exceed 256 characters.

Explanation You are attempting to specify an HTTP HEAD path that is not valid.

Recommended Action Enter a valid path shorter than 256 characters in the HTTP HEAD default path field in the Shared Keepalive details page.

Location Error Messages

Error Message The location is still being referenced by other objects and cannot be removed.

Explanation You are attempting to delete a location that has answers or GSSs associated with it.

Recommended Action Dissociate any answers or GSSs from the location and then try again to delete it.

Error Message There already exists a location named <name> in region <region> with the same name. Please specify a different location name.

Explanation You are attempting to create a location within this region when another location with the same name already exists.

Recommended Action Change the name of the location so that it is unique for the region.


Owner Error Messages

Error Message Invalid owner name. Name must be entered.

Explanation You are attempting to create an owner without assigning the owner a name.

Recommended Action Owners must have a unique name. Enter a name for the owner in the field provided and then save the owner.

Error Message Invalid owner name. Name length must not exceed 80 characters.

Explanation You are attempting to assign a name to an owner that is too long.

Recommended Action Assign your owner a name that is no longer than 80 characters.

Error Message An owner named <owner name> already exists. Name must uniquely identify an owner.

Explanation You are attempting to assign your owner a name that is already assigned to another owner on your GSS network.

Recommended Action Assign a unique name to your owner.

Region Error Messages

Error Message The region is still being referenced by other objects and cannot be removed.

Explanation You are attempting to delete a region that is associated with GSSs on your GSS network.

Recommended Action Disassociate the GSSs from the region and then try again to delete the region.


Error Message There already exists a region named <region name>. All region names have to be unique.

Explanation You are attempting to assign a name to the region that is already being used by another region on your GSS network.

Recommended Action Assign a unique name to your region.

GSSM Error Messages

Error Message Maximum number of GSSMs exceeded. A GSS network can contain at most 2 GSSMs.

Explanation You are attempting to enable a GSSM when there are already two GSSMs enabled on your GSS network.

Recommended Action If necessary, remove your standby GSSM from your GSS network and then try again to enable the GSSM.

Error Message The maximum number of <size> <className> has been met.

Explanation You are attempting to add a resource to your GSS network when the maximum number of that resource already exists.

Recommended Action Remove an existing resource of the same type and then try again to add the new resource.


Source Address List Error Messages

Error Message Invalid source address block '<block string>'. Address block must specify a host or a network.

Explanation You are attempting to specify an invalid source address range.

Recommended Action Enter a valid source address or block of source addresses. Source addresses cannot specify a multicast address list.

Error Message Invalid source address block '<blockstring>'. Address block must specify a class A, B, or C host or network.

Explanation You are attempting to specify an invalid source address range.

Recommended Action Enter a valid source address or block of source addresses. Source addresses cannot specify a multicast address list.

Error Message Invalid source address list name. Name must be entered.

Explanation You are attempting to create a source address list without assigning the list a name.

Recommended Action Enter a name for the source address list in the Name field.

Error Message Invalid source address list name. Name length must not exceed 80 characters.

Explanation You are attempting to create a source address list with a name that is too long.

Recommended Action Enter a valid name for the source address list that has fewer than 80 characters and does not contain spaces.


Error Message Invalid source address list name. Name must not contain spaces.

Explanation You are attempting to create a source address list with a name that contains spaces. Source address list names cannot contain spaces.

Recommended Action Enter a valid name for the source address list that has fewer than 80 characters and does not contain spaces.

Error Message This source address list cannot be deleted because it is referenced by <number> DNS rules.

Explanation You are attempting to delete a source address list that is referenced by one or more DNS rules.

Recommended Action Disassociate your DNS rules from the source address list using the DNS Rule Builder or DNS Rule Wizard and then attempt to delete the source address list again.

Error Message A source address list named '<name>' already exists. Name must uniquely identify a source address list.

Explanation You are attempting to create a source address list using a name that is already being used by another source address list on your GSS network.

Recommended Action Assign a unique name to your source address list that is no more than 80 characters and does not contain spaces.

Error Message The maximum number of 30 source address blocks per list has been met.

Explanation You are attempting to add a source address block to the source address list, when the maximum of 30 source address blocks has already been added to the list.

Recommended Action Remove an existing source address block, or create a source address list for the source address block that you wish to add.


User Error Messages

Error Message There already exists a user account named <user name>. All user accounts must have a unique username.

Explanation You are attempting to create a user account with a name identical to that of an existing account.

Recommended Action Assign your new user account a unique name.

Error Message You cannot delete the account with username 'admin'. This account must exist.

Explanation You are attempting to delete the admin user account.

Recommended Action This account cannot be deleted from the GSSM.

Error Message Invalid answer load threshold. Load threshold must be between 2 and 254.

Explanation You are attempting to assign an invalid load threshold to your answer in the LT field.

Recommended Action Assign a load threshold for the answer that is between 2 and 254 in the LT field.

Error Message Invalid answer order. Order must not be negative.

Explanation You are attempting to assign a negative order number to your answer. The order must be a positive number.

Recommended Action Enter a nonnegative whole number for the order.


Chapter 10

Monitoring GSS Performance

The GSS software features a number of tools for monitoring the status of your GSS devices and of global load balancing on your GSS network. These include CLI-based commands for determining the status of your GSSs, GSSMs (primary and standby), and the embedded GSS database. In addition, the primary GSSM GUI contains pages that display the status of global server load balancing activity, for example, by tabulating answer and DNS rule hit counts.

This chapter contains the following major sections:

• Monitoring GSS and GSSM Status

• Monitoring GSSM Database Status

• Monitoring Global Load-Balancing Status

• Viewing Log Files

Monitoring GSS and GSSM Status

You can easily monitor the status of your GSSs and GSSMs from both the CLI and the GSSM GUI.

This section includes the following procedures:

• Monitoring the Online Status of GSS Devices from the CLI

• Monitoring the Status of Your GSS Network from the CLI

• Monitoring GSS Device Status from the Primary GSSM GUI


Monitoring the Online Status of GSS Devices from the CLI

Use the gss command to display the online status and resource usage of your GSS servers.

To monitor the status of a GSS device from the CLI:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

3. Use the gss command to display the current running status of the GSS device that you have logged on to. For example:

gss1.yourdomain.com# gss status verbose
Cisco GSS - 1.1(0.0.1) - Development build GSSM - primary [Mon Sep 15 13:16:38 UTC 2003]

Normal Operation [runmode = 5]

%CPU  START  SERVER
0.0   Jun17  Boomerang
0.0   Jun17  Config Agent
0.0   Jun17  Config Server
0.0   Jun17  DNS Server
0.0   Jun17  Database
0.0   Jun17  GUI Server
0.0   Jun17  Keepalive Engine
0.0   Jun17  Node Manager
0.0   Jun17  Syslog
0.0   Jun17  Web Server
---   ---    SNMP [DISABLED]


Monitoring the Status of Your GSS Network from the CLI

Use the show statistics command to view the status of any request routing and load balancing component on your GSS devices, including answers, keepalives, domains, and DNS rules. Refer to the Cisco Global Site Selector Command Reference for detailed information about the show statistics command.

The following sections provide instructions about using and interpreting the output of the various show statistics command options.

• Monitoring the Status of the Boomerang Server on Your GSS

• Monitoring the Status of the DNS Server on Your GSS

• Monitoring the Status of Keepalives on Your GSS

Note: If you specify the show statistics command after issuing either the gss start command or the reload command, the GSS device can take approximately one minute before the command takes effect and displays the requested statistics.

Monitoring the Status of the Boomerang Server on Your GSS

The boomerang server is a server load-balancing component of the GSS that uses calculations of network delay provided by DNS races between content routing agents (CRAs) to determine which server is best able to respond to a given request.

Use the show statistics boomerang command option to view boomerang activity such as DNS races on your GSS device on a domain-by-domain or on a global basis. Refer to the Cisco Global Site Selector Command Reference for detailed information about the show statistics boomerang command.

To view DNS race statistics:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#


3. Use the show statistics boomerang command to display current boomerang server statistics for a particular domain, or across all domains managed by your GSS. For example:

gss1.yourdomain.com# show statistics boomerang global
Boomerang global statistics:
Total races: 24

Monitoring the Status of the DNS Server on Your GSS

The DNS server component tracks all DNS-related traffic to and from your GSS device, including information about DNS queries received, responses sent, queries dropped and forwarded, and so on.

Using the show statistics dns command option, you can view DNS statistics with regard to your GSS request routing and server load-balancing components such as DNS rules, answers, answer groups, domains, domain lists, source addresses, and source address groups. Refer to the Cisco Global Site Selector Command Reference for detailed information about the show statistics dns command.

To view DNS statistics:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

3. Use the show statistics dns command to display statistics from the domain name server (DNS) component of the GSS. For example:

gss1.yourdomain.com# show statistics dns answer
Answer         Type  Total Hits  1-Min  5-Min  30-Min  4-Hr
-----------------------------------------------------------------
192.168.1.80   VIP   0           0      0      0       0
1.1.5.160      VIP   0           0      0      0       0
192.168.1.24   VIP   0           0      0      0       0
192.168.1.245  VIP   0           0      0      0       0


Monitoring the Status of Keepalives on Your GSS

The keepalive engine on your GSS device monitors the online status of keepalive objects across your GSS network.

Using the show statistics keepalive command option, you can view statistics about the health of your GSS keepalives globally or by keepalive type. Refer to the Cisco Global Site Selector Command Reference for detailed information about the show statistics keepalive command.

To view keepalive statistics:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

3. Use the show statistics keepalive command to display current keepalive engine statistics for your GSS network. You can view statistics for all keepalive types on your network, or limit statistics to a particular keepalive type such as ICMP, HTTP HEAD, TCP, KAL-AP, or CRA.

For example:

gss1.yourdomain.com# show statistics keepalive tcp all

IP: 192.168.50.41 Keepalive => 192.168.50.41
Destination Port: 80
Status: ONLINE
Packets Sent: 93188
Packets Received: 69891
Positive Probe: 23297
Negative Probe: 0
Transitions: 1
GID: 105 LID: 5
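The counters in this output can be checked by a script rather than by eye. The following Python code is an added example, not part of the Cisco guide or the GSS software: it parses text in the layout of the show statistics keepalive tcp all example and flags keepalives that are not ONLINE, return a high share of negative probes, or record many transitions. The line layout, the second sample record, the function names, and the thresholds are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample. The first record reuses the values from the example
# output in this section; the second record is invented to show an unhealthy
# keepalive. The line layout is an assumption about the CLI output.
SAMPLE_OUTPUT = """\
IP: 192.168.50.41 Keepalive => 192.168.50.41
Destination Port: 80
Status: ONLINE
Packets Sent: 93188
Packets Received: 69891
Positive Probe: 23297
Negative Probe: 0
Transitions: 1
GID: 105 LID: 5

IP: 192.168.50.42 Keepalive => 192.168.50.42
Destination Port: 443
Status: OFFLINE
Packets Sent: 1200
Packets Received: 300
Positive Probe: 100
Negative Probe: 200
Transitions: 9
GID: 106 LID: 6
"""

# Numeric fields that appear as "Label: <integer>" anywhere in a record.
COUNTER_RE = re.compile(
    r"(Destination Port|Packets Sent|Packets Received|"
    r"Positive Probe|Negative Probe|Transitions|GID|LID):\s*(\d+)"
)
# A record starts at a line beginning with "IP:" and runs to the next one.
RECORD_RE = re.compile(r"^IP:\s*(\S+)(.*?)(?=^IP:\s|\Z)", re.S | re.M)


@dataclass
class KeepaliveStat:
    ip: str
    status: str
    counters: dict = field(default_factory=dict)


def parse_keepalive_stats(text):
    """Split the CLI output into one KeepaliveStat per "IP:" record."""
    stats = []
    for match in RECORD_RE.finditer(text):
        body = match.group(2)
        status = re.search(r"^Status:\s*(\S+)", body, re.M)
        stats.append(KeepaliveStat(
            ip=match.group(1),
            status=status.group(1) if status else "UNKNOWN",
            counters={k: int(v) for k, v in COUNTER_RE.findall(body)},
        ))
    return stats


def assess(stat, max_negative_ratio=0.05, max_transitions=3):
    """Return a list of findings; an empty list means nothing was flagged.

    Probe counts are used instead of packet counts: in the guide's sample,
    Packets Sent is 4x and Packets Received is 3x the positive probe count,
    so sent and received packets cannot be compared one to one.
    Both thresholds are assumptions to tune per site.
    """
    findings = []
    if stat.status != "ONLINE":
        findings.append(f"status is {stat.status}")
    positive = stat.counters.get("Positive Probe", 0)
    negative = stat.counters.get("Negative Probe", 0)
    probes = positive + negative
    if probes and negative / probes > max_negative_ratio:
        findings.append(f"{negative} of {probes} probes negative")
    transitions = stat.counters.get("Transitions", 0)
    if transitions > max_transitions:
        findings.append(f"{transitions} state transitions")
    return findings


def unhealthy_keepalives(text, **thresholds):
    """Map keepalive IP address to its findings, omitting healthy entries."""
    report = {}
    for stat in parse_keepalive_stats(text):
        findings = assess(stat, **thresholds)
        if findings:
            report[stat.ip] = findings
    return report


if __name__ == "__main__":
    for ip, findings in unhealthy_keepalives(SAMPLE_OUTPUT).items():
        print(ip, "->", "; ".join(findings))
```

Because the counters are cumulative, comparing two captures taken some minutes apart shows whether negative probes and transitions are still increasing.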


Monitoring GSS Device Status from the Primary GSSM GUI

To monitor the status of your GSS devices from the primary GSSM GUI:

1. From the primary GSSM GUI, click the Resources tab.

2. Click the Global Site Selectors navigation link. The Global Site Selector list page appears.

3. Click the Modify GSS icon for the GSS or GSSM that you wish to monitor. The device type (GSS or GSSM) appears in the Node Services column.

The Global Site Selectors details page appears, displaying configuration and status information about the device at the bottom of the page including:

– Status—Online status

– Version—Software version currently loaded on the device

– Node services—Current role of the device (GSS, primary or standby GSSM, or both)

– IP address—Network address of the device

– Hostname—Network host name of the device

– MAC—Machine address of the device

4. Click Cancel to return to the Global Site Selectors list page.

Monitoring GSSM Database Status

The GSS software includes a number of CLI commands that you can use to monitor the status of the GSSM database and its contents. This section includes the following procedures:

• Monitoring the Database Status

• Validating Database Records

• Creating a Database Validation Report


Monitoring the Database Status

To verify that the GSS database on the GSSM is functioning properly:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

3. Use the gssm database status command to display the current running status of the GSS device that you have logged on to. For example:

gss1.yourdomain.com# gssm database status
GSSM database is running.

Validating Database Records

To validate the records in your GSSM database:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

3. Use the gssm database validate command to validate the content of your GSSM database. For example:

gss1.yourdomain.com# gssm database validate
GSSM database passed validation.


Creating a Database Validation Report

Should you encounter problems while attempting to validate your GSSM database, you can generate a report, called validation.log, that details which database records failed validation.

To generate a database validation report:

1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

3. Use the gssm database report command to generate a validation report on the content of your GSSM database. For example:

gss1.yourdomain.com# gssm database report
GSSM database validation report written to validation.log.

4. Use the type command to view the contents of your validation report. For example:

gss1.yourdomain.com# type validation.log
validation.log
Start logging at Thu Aug 28 19:17:21 GMT+00:00 2003
-
storeAdmin Validating ... Thu Aug 28 19:17:23 GMT+00:00 2003
-
-
ObjectId Object_Name.Field_Name Description
-
Validating FactoryInfo
Validating answerElement
Validating answerGroup
70 answerGroup.OwnerId Many-To-One List
Validating CachingConfig
Validating ClusterConfig
Validating CmdControl
Validating CmdPurgeRd
Validating CmdUpdate
Validating ConfigProperty
Validating Customer
Validating DistTree
Validating DnsRule
Validating DomainElement
Validating DomainGroup
Validating ENodeConfig
Validating ENodeStatus
Validating KeepAliveConfig
Validating KeepAlive
Validating Location
Validating OrderedanswerGroup
Validating Owner
Validating Region
Validating RequestHandler
Validating RoutedDomain
Validating RoutingConfig
Validating RrConfig
Validating RrStatus
Validating SNodeConfig
Validating SourceAddressElement
Validating SourceAddressGroup
Validating SpInfo
Validating SystemConfig
Validating UpdateInfo
Validating UserConfig
Validating VirtualCDN
Validating WlpanswerElement
Validating User Validations
End of file validation.log

Monitoring Global Load-Balancing Status

From the primary GSSM GUI, you can monitor the status of global load balancing on your GSS network using a variety of features that filter and condense GSS traffic and statistics.

This section includes the following procedures:

• Monitoring Answer Hit Counts

• Monitoring Answer Keepalive Statistics

• Monitoring Answer Status

• Monitoring DNS Rule Statistics

• Monitoring Domain Statistics

• Monitoring Source Address Statistics

• Monitoring Global Statistics


Monitoring Answer Hit Counts

The answer hit counts feature of the primary GSSM GUI provides you with an overview of your GSS answer resources and the number of times that user requests have been directed to each answer device. Looking at answer hit counts is one way to judge how well your GSS resources are being used in responding to user requests.

To view the number of hits recorded by each of your GSS answers:

1. From the primary GSSM GUI, click the Monitoring tab.

2. Click the Answers navigation link.

3. Click the Answer Hit Counts navigation link (located under the Contents table of contents).

4. The Answer Hit Counts list page appears (Figure 10-1).

Figure 10-1 Answer Hit Counts List Page

Table 10-1 describes the fields on the Answer Hit Counts list page.

Table 10-1 Field Descriptions for Answer Hit Counts List Page

Field | Description
Answer | IP address of the answer device
Name | Name assigned to the answer using the primary GSSM GUI
Type | Type of answer: VIP (virtual IP address), NS (name server), or CRA (content routing agent)
Location | GSS network location into which the answer has been grouped
Name of the GSSM or GSS | Number of requests directed to the answer by each GSS device

5. Click the column header of any of the displayed columns to sort your answers by a particular property.

Monitoring Answer Keepalive Statistics

The answer keepalive statistics feature of the primary GSSM GUI provides you with an overview of the online status of your GSS answer resources. For each answer configured on your GSS, the answer keepalive statistics feature displays the number of keepalive probes that have been directed to that answer by the primary and the standby GSSM, as well as information about how that keepalive probe was handled. If a large number of keepalive probes are being rejected or are encountering transition conditions, the answer may be offline or may be having problems staying online.

To view the online status of each of your GSS answers:

1. From the primary GSSM GUI, click the Monitoring tab.

2. Click the Answers navigation link.

3. Click the Answer KeepAlive Statistics navigation link (located under the Contents table of contents). The Answer KeepAlive Statistics list page appears (Figure 10-2).


Figure 10-2 Answer Keepalive Statistics List Page

Table 10-2 describes the fields on the Answer KeepAlive Statistics list page.

Table 10-2 Field Descriptions for Answer Keepalive Statistics List Page

Field | Description
Answer | IP address of the answer device being probed
Type | Type of answer: VIP (virtual IP address), NS (name server), or CRA (content routing agent)
Name | Name assigned to the answer using the primary GSSM GUI
Keepalive | The address assigned to the remote device, CRA, or name server that the GSS is to forward requests
Method | The keepalive method used by the answer: VIP (virtual IP address), NS (name server), or CRA (content routing agent)
Location | GSS network location into which the answer has been grouped
Name of the GSSM or GSS | Number of keepalive probes directed to the answer by each GSS device, as well as a record of how those probes were handled. Statistics are presented in the following order:

• Keepalive packets sent—Total number of keepalive probes sent to the answer by each GSS on the network

• Keepalive packets received—Total number of keepalive probes returned from the answer

• Keepalive positive probe count—Total number of keepalive probes received to which a positive (OK) response was returned

• Keepalive negative probe count—Total number of keepalive probes received to which a negative response was returned

• Keepalive transition count—Total number of keepalive probe transitions (for example, from the INIT to the ONLINE state) experienced by the keepalive

4. Click the column header of any of the displayed columns to sort your answers by a particular property.


Monitoring Answer Status

The answer status feature of the primary GSSM GUI provides you with an overview of your GSS answer resources and their online status. Answers can be sorted by IP address, name, type, location, or online status according to a particular device.

To view the status of your GSS answers:

1. From the primary GSSM GUI, click the Monitoring tab.

2. Click the Answers navigation link.

3. Click the Answer Status navigation link (located under the Contents table of contents). The Answer Status list page appears (Figure 10-3).

Figure 10-3 Answer Status List Page

Table 10-3 describes the fields on the Answer Status list page.

Table 10-3 Field Descriptions for Answer Status List Page

Field | Description
Answer | IP address of the answer device
Name | Name assigned to the answer using the primary GSSM GUI
Type | Type of answer: VIP (virtual IP address), NS (name server), or CRA (content routing agent)
Location | GSS network location into which the answer has been grouped
Name of the GSSM or GSS | Online status of the answer according to the named device

4. Click the column header of any of the displayed columns to sort your answers by a particular property.

Monitoring DNS Rule Statistics

The DNS rule statistics feature of the primary GSSM GUI provides you with an overview of your global load-balancing rules, as well as information about how many queries were processed by each rule and how many of those processed queries were successfully matched with answers.

To view the status of your DNS rules:

1. From the primary GSSM GUI, click the Monitoring tab.

2. Click the DNS Rules navigation link. The DNS Rule Statistics list page appears (Figure 10-4).


Figure 10-4 DNS Rule Statistics List Page

Table 10-4 describes the fields on the DNS Rule Statistics list page.

Table 10-4 Field Descriptions for DNS Rule Statistics List Page

Field | Description
Name | Name assigned to the answer using the primary GSSM.
Owner | GSS owner to which the DNS rule has been assigned.
Name of the GSSM or GSS | Total hit count and successful hit count for the DNS rule from the listed GSS device. Refer to the legend that appears below the listed DNS rules if you are confused about which number represents total hits and which represents successful requests served.

3. Click the column header of any of the displayed columns to sort your DNS rules by a particular property.


Monitoring Domain Statistics

The domain statistics feature of the primary GSSM GUI provides you with an overview of the hosted domains that your GSS is serving, as well as information about how many queries were directed to each domain by your DNS rules. The domain hit counts feature tracks the traffic directed to individual domains, not GSS domain lists, which may include one or more domains.

To view the status of your hosted domains:

1. From the primary GSSM GUI, click the Monitoring tab.

2. Click the Domains navigation link. The Domain Hit Counts list page appears (Figure 10-5).

Figure 10-5 Domain Hit Counts List Page

Table 10-5 describes the fields on the Domain Hit Counts list page.

Table 10-5 Field Descriptions for Domain Statistics List Page

Field | Description
Domain | DNS domains for which your GSS is responsible; these are the domains contained in your domain lists.
Name of the GSSM or GSS | Total number of requests for the listed domain from each GSS device

3. Click the column header of any of the displayed columns to sort the listed domains by a particular property.

Monitoring Source Address Statistics

The source address statistics feature of the primary GSSM GUI provides you with an overview of incoming requests received by each of your source addresses (that is, those addresses from which DNS queries to your GSS originate) from each of your GSS devices. The source address hit counts feature tracks requests from individual address blocks, not from GSS source address lists, which may contain one or more address blocks.

To view the statistics for your source address lists:

1. From the primary GSSM GUI, click the Monitoring tab.

2. Click the Source Addresses navigation link. The Source Address Lists Statistics list page appears (Figure 10-6).


Figure 10-6 Source Address List Statistics List Page

Table 10-6 describes the fields on the Source Address Lists Statistics list page.

3. Click the column header of any of the displayed columns to sort the listed domains by a particular property.

Table 10-6 Field Descriptions for Source Address Statistics List Page

| Field | Description |
|---|---|
| Source Address Block | Address or range of addresses from which DNS queries originate. Source address blocks make up GSS source address lists. |
| Name of the GSSM or GSS | Total number of requests received by the listed GSS device from each address or address block. |


Monitoring Global Statistics

The global statistics feature of the primary GSSM GUI provides you with an overview of your GSS network, providing average statistics for DNS requests received by each GSS device and keepalive messages sent to your answers, as well as the online status of each GSS device.

To view the status of your GSS network:

1. From the primary GSSM GUI, click the Monitoring tab.

2. Click the Global navigation link. The Global Statistics list page (Figure 10-7) appears.

Figure 10-7 Global Statistics List Page


Table 10-7 describes the fields on the Global Statistics list page.

3. Click the column header of any of the displayed columns to sort the listed domains by a particular property.

Table 10-7 Field Descriptions for Global Statistics List Page

| Field | Description |
|---|---|
| GSS Status | Online status of each GSS device |
| Unmatched DNS Queries | Total number of DNS queries received by each listed device for which no answer could be found |
| DNS Queries/sec | Average number of DNS queries received each second by each listed GSS device |
| Keepalive Probes/sec | Average number of keepalive probes received by each listed GSS device each second |


Viewing Log Files

The GSS maintains logged records for a wide range of GSS network activity in the gss.log file as well as through the system logs feature of the GSSM.

The following sections help you audit logged information about your GSS devices.

• Understanding GSS Logging Levels

• Viewing Device Logs from the CLI

• Viewing System Logs from the Primary GSSM GUI

Understanding GSS Logging Levels

The GSS employs eight separate logging levels to identify the wide range of critical and noncritical logged events that may occur on a GSS device. Table 10-8 lists these different logging levels and explains their meanings.

Table 10-8 GSS Logging Levels

| Level Number | Level Name | Description |
|---|---|---|
| 0 | Emergencies | The GSS has become unusable: for example, the device is shutting down and cannot be restarted, or it has experienced a hardware failure. |
| 1 | Alerts | The GSS requires immediate attention: for example, one of the GSS servers is not running. |
| 2 | Critical | The GSS has encountered a critical condition that requires attention: for example, being unable to connect to the primary GSSM and not having a configuration snapshot to use in the meantime. |
| 3 | Errors | The GSS has encountered an error condition that requires prompt attention but still enables the device to function: for example, running out of memory. |
| 4 | Warnings | The GSS has encountered an error condition that requires attention but is not interfering with the operation of the GSS device: for example, losing contact with the primary GSSM when a local configuration snapshot exists. |
| 5 | Notifications | The GSS has encountered a nonerror condition that should be brought to the administrator’s attention: for example, a software upgrade. |
| 6 | Information | Messages at this level are normal operational messages for the GSS device, such as status or configuration changes. |
| 7 | Debug | Messages at this level (such as detailed information about DNS request or keepalive handling, specific code path tracking, and so on) are intended for use by technical support personnel. |

Viewing Device Logs from the CLI

Each GSS device contains a variety of log files that retain records of both GSS-related activity and the functioning of various GSS subsystems. You can access these log files using the CLI to troubleshoot problems or better understand the behavior of a GSS device.

This section includes the following procedures:

• Viewing the gss.log File from the CLI

• Viewing Subsystem Log Files from the CLI

• Rotating Existing Log Files from the CLI

Viewing the gss.log File from the CLI

The gss.log file pulls together information that may be of use to customers, such as keepalive, availability, and load statistics for GSS devices. This log file can be viewed from the CLI using the show logs command.

Refer to the Cisco Global Site Selector Command Reference for a list of the various log files that are displayed using the show logs command.

Note: The show logs command outputs all logged information to your terminal session. This output may be quite large and exceed the buffer size that you have set. If you wish to capture all logged information, adjust the size of your screen buffer. Otherwise, use the tail or follow options to limit the output of the file.

To view logged GSS messages in the gss.log file:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

3. Use the show logs command to display logged information for the device on your terminal. For example:

gssm1.yourdomain.com# show logs
gss.log
Jul 14 21:42:01 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29410)=> Host 192.10.2.1
Jul 14 21:42:02 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29412)=> Host 192.10.4.1
Jul 14 21:42:02 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.4.1] (Retry Count 3)
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL [192.10.2.1]
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29411)=> Host 192.10.2.1
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 1)
Jul 14 21:42:09 gss-css2 KAL-7-KALCRA[1240] rtt_task: waiting 10000 mseconds
Jul 14 21:42:12 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29412)=> Host 192.10.2.1
Jul 14 21:42:12 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 2)
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.2.1]
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.3.1]
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.4.1]
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.6.1]
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.7.1]
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.8.1]
Jul 14 21:42:17 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29410)=> Host 192.10.3.1
Jul 14 21:42:17 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29413)=> Host 192.10.2.1
Jul 14 21:42:17 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 3)
Jul 14 21:42:19 gss-css2 KAL-7-KALCRA[1240] rtt_task: waiting 10000 mseconds
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL [192.10.3.1]
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29411)=> Host 192.10.3.1
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.3.1] (Retry Count 1)
Jul 14 21:42:22 gss-css2 NMR-7-NODEMGR[1035] Checking process queue for defunct members.
Jul 14 21:42:27 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29412)=> Host 192.10.3.1
Jul 14 21:42:27 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.3.1] (Retry Count 2)

...

4. To limit the output of the show logs command, specify one of the following:

– Use the tail option of the show logs command to view just the last ten lines of logged information. For example:

gssm1.yourdomain.com# show logs tail

– Use the follow option of the show logs command to view data that is appended to the end of the log as it grows. For example:

gssm1.yourdomain.com# show logs follow
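For offline review of a captured show logs session, the following added example (not part of the Cisco guide) parses gss.log lines, maps the level digit in each tag to the names in Table 10-8, and summarises keepalive retries and timeouts per answer address. The field layout is an assumption inferred from the sample output in step 3; the function names are hypothetical, and the sample lines are copied from that output except for one constructed warning-level line.

```python
import re
from collections import defaultdict

# Level numbers and names exactly as listed in Table 10-8 (0 is most severe).
LEVELS = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
          4: "Warnings", 5: "Notifications", 6: "Information", 7: "Debug"}

# Assumed layout, inferred from the sample output in step 3:
#   <Mon DD HH:MM:SS> <host> <FACILITY>-<LEVEL>-<MODULE>[<pid>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<facility>[A-Z]+)-(?P<level>[0-7])-(?P<module>[A-Z]+)\[(?P<pid>\d+)\] "
    r"(?P<msg>.*)$"
)
RETRY_RE = re.compile(r"Retrying IP \[([\d.]+)\] \(Retry Count (\d+)\)")
TIMEOUT_RE = re.compile(r"Timeout: Found outstanding KAL \[([\d.]+)\]")

# Lines taken from the guide's sample output, the guide's "..." elision,
# and one CONSTRUCTED level-4 line (last) so the severity filter has a hit.
SAMPLE_LOG = """\
Jul 14 21:42:01 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29410)=> Host 192.10.2.1
Jul 14 21:42:02 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29412)=> Host 192.10.4.1
Jul 14 21:42:02 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.4.1] (Retry Count 3)
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL [192.10.2.1]
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 1)
Jul 14 21:42:09 gss-css2 KAL-7-KALCRA[1240] rtt_task: waiting 10000 mseconds
Jul 14 21:42:12 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 2)
Jul 14 21:42:17 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 3)
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL [192.10.3.1]
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.3.1] (Retry Count 1)
Jul 14 21:42:22 gss-css2 NMR-7-NODEMGR[1035] Checking process queue for defunct members.
Jul 14 21:42:27 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.3.1] (Retry Count 2)
...
Jul 14 21:42:30 gss-css2 KAL-4-KALAP[1240] constructed warning-level line (not from the guide)
"""


def parse_line(line):
    """Return a dict for one gss.log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    rec["pid"] = int(rec["pid"])
    rec["level_name"] = LEVELS[rec["level"]]
    return rec


def parse_log(text):
    """Split captured output into parsed records and lines that did not parse."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # e.g. the "gss.log" banner or a truncation marker
        else:
            records.append(rec)
    return records, unparsed


def at_or_above(records, level):
    """Keep records at least as severe as `level` (lower number = more severe)."""
    return [r for r in records if r["level"] <= level]


def keepalive_summary(records):
    """Per address: highest retry count seen and number of keepalive timeouts."""
    summary = defaultdict(lambda: {"max_retry": 0, "timeouts": 0})
    for r in records:
        retry = RETRY_RE.search(r["msg"])
        if retry:
            ip, count = retry.group(1), int(retry.group(2))
            summary[ip]["max_retry"] = max(summary[ip]["max_retry"], count)
        timeout = TIMEOUT_RE.search(r["msg"])
        if timeout:
            summary[timeout.group(1)]["timeouts"] += 1
    return dict(summary)


def hosts_at_retry_count(summary, threshold):
    """Addresses whose retry count reached `threshold` (threshold is the reader's choice)."""
    return sorted(ip for ip, s in summary.items() if s["max_retry"] >= threshold)


if __name__ == "__main__":
    recs, skipped = parse_log(SAMPLE_LOG)
    print(len(recs), "records,", len(skipped), "unparsed")
    for ip, stats in sorted(keepalive_summary(recs).items()):
        print(ip, stats)
    print("warnings or worse:", [r["msg"] for r in at_or_above(recs, 4)])
```

Lines that do not match the assumed layout are returned separately rather than dropped, so a truncated capture or an unexpected tag format is visible to the reviewer.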

Viewing Subsystem Log Files from the CLI

In addition to the gss.log file, each GSS device maintains a number of additional log files that record subsystem-specific information (for example, the keepalive engine or DNS server component of the GSS). Although these log files are not generally associated with specific CLI commands as the gss.log file is, any of them can be viewed from the CLI using the type EXEC command.


Note: Many GSS subsystem logs output all logged information to your terminal session. This output may be quite large and exceed the buffer size that you have set. If you wish to capture all logged information, adjust the size of your screen buffer. Otherwise, use the tail or follow options to limit the output of the file.

To view your GSS subsystem log files:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. From privileged EXEC mode, navigate to the directory containing the log file or files that you wish to view. For example:

gssm1.yourdomain.com> cd ../sysout
gssm1.yourdomain.com>

3. Use the type command to display the contents of the log file. For example:

gssm1.yourdomain.com> type dnsserver.log
dnsserver.log
Starting dnsserver: Mon Jul 1 13:52:50 UTC 2003 [(1221)]
2003-07-10 16:23:08 relog: Booting...
Starting dnsserver: Wed Jul 10 16:23:33 UTC 2003 [(1201)]
End of file dnsserver.log]

4. Use the tail command to view just the last ten lines of the log file. For example:

gssm1.yourdomain.com# tail dnsserver.log

Rotating Existing Log Files from the CLI

You can force the GSS to restart its log files and save archive copies of all existing log files by using the rotate-logs command. This command forces the GSS to save archive copies of all existing log files in the $STATE directory and subdirectories and replaces them with fresh log files.


Existing log files are archived locally using the following naming convention:

logfile_name.log.number

where:

• logfile_name.log - Name of the archived log file (for example, gss.log or kale.log).

• number - An incremented number representing the number of times the logs have been rotated (for example, .3). The number of the most recent rotated log file is .1. The maximum number of log files is 25 for the gss.log file, five for all other log files.

To rotate existing log files:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

3. Use the rotate-logs command to rotate existing log files. For example:

gssm1.yourdomain.com# rotate-logs

If you wish to clear all rotated log files in the $STATE directory and subdirectories, except for the active log files, include the delete-rotated-logs option. For example:

gssm1.yourdomain.com# rotate-logs delete-rotated-logs


Viewing System Logs from the Primary GSSM GUI

From the primary GSSM GUI, you can view messages logged in the GSS system.log file. This log presents the logged information that is most likely of interest to GSS administrators. However, the system.log file presents only a subset of all logged information. See the “Viewing Subsystem Log Files from the CLI” section for information about viewing the entire contents of individual GSS log files.

This section includes the following procedures:

• Viewing System Logs from the GUI

• Purging System Log Messages from the GUI

• System Log Messages

Viewing System Logs from the GUI

To view the GSS system logs:

1. From the primary GSSM GUI, click the Tools tab.

2. Click the System Logs option. The System Log list page appears (Figure 10-8) displaying the following information:

– Time—Time in Universal Coordinated Time (UTC) at which the logged event occurred on the GSS device.

– Node type—Type of GSS node (GSS or GSSM) on which the logged event occurred.

– Node name—Name assigned to the GSS device using the primary GSSM.

– Module—GSS component logging the message. For example, server or storeAdmin.

– Severity—Severity of the logged message; system log messages are rated using one of four severity levels, as follows:

• Fatal—Indicates that the GSS or one of its components failed. Fatal errors are rare and are usually caused by exceptions from which it is impossible to recover, or by the failure of a GSS component to initialize properly.

• Warning—Indicates a noncritical error or unexpected condition.


• Info—Provides information about the normal operation of the GSS and its components.

• Debug—Provides very detailed information about the internal operations of the GSS or one of its components. Debug log messages are intended for use by Cisco support engineers in their efforts to troubleshoot a problem.

– Description—Text description that explains the event.

– Message—Information about any relevant conditions encountered while the event was being logged.

Figure 10-8 System Log List Page


3. Click the column header of any of the displayed columns (except for Severity or Description) to sort the listed domains by a particular property.

Purging System Log Messages from the GUI

You can instruct the GSS to purge system log messages from the GSSM database by using the gssm database purge-log-records CLI command. This option removes the system log messages appearing on the primary GSSM GUI, the System Log list page of the Tools navigation tab. You can instruct the GSS software to:

• Purge a quantity of system log messages from the database up to the last n records, where n equals the number of database records back from the last record to be retained when the database is purged.

• Purge system log messages covering a set time period up to n days before today, where n equals the number of days back from today to be retained when the database is purged.

To purge system log messages from the GSSM database:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

3. Use the gssm database purge-log-records command to purge system log messages.

For example, to purge all system log messages except for the last 3, enter:

gssm1.yourdomain.com# gssm database purge-log-records count 3

For example, to purge all system log messages except for those generated within the last 7 days, enter:

gssm1.yourdomain.com# gssm database purge-log-records days 7

4. From the primary GSSM GUI, click the Tools tab, then click the System Logs option. The System Log list page appears. Notice that system log messages have been purged based on the criteria specified in the gssm database purge-log-records CLI command.


System Log Messages

Table 10-9 lists common GSS system messages that may be encountered in the System Log list page. Error messages are listed alphabetically, and each error message is accompanied by a brief description. Contact a Cisco technical support representative if you require more detailed information about the purpose of a message.

Table 10-9 System Log Messages

| System Log Message | Description |
|---|---|
| Deleted a Global Site Selector | The named GSS has been deleted from the primary GSSM. |
| Error occurred while processing received data | An error occurred while the device was processing configuration updates from the primary GSSM. The affected device will attempt to recover automatically. |
| Failed store invalidation | The process of marking internally inconsistent database records has failed. Errors can be viewed in the validation log. |
| Failed store validation | The GSSM database has failed its internal consistency checks. |
| Multiple primary GSSMs detected | The system has detected multiple primary GSSMs operating concurrently. |
| Passed store invalidation | The process of marking internally inconsistent database records has been successfully completed. |
| Passed store validation | The GSSM database has passed its internal consistency checks. |
| Registered a new Global Site Selector | A new GSS is online and identified itself to the primary GSSM. |
| Registered a new standby GSSM | A new standby GSSM came online and identified itself to the primary GSSM. |
| Server is Shutting Down | The Cisco GSS software has been stopped from the CLI. |
| Server Started | The Cisco GSS software has been started from the CLI. |
| Standby GSSM database error | An error has occurred on the standby GSSM embedded database. |
| Started store invalidation | The process of marking internally inconsistent database records has begun. |
| Started store validation | An internal consistency check has begun for the GSSM database. |
| Store is corrupted | The GSS GSSM database has failed internal consistency checks. |
| x System Messages Dropped | The GSS device has dropped (did not report) a certain number of messages in an effort to throttle message traffic to the GSSM. |
| Unexpected GSSM activation timestamp warning | The primary GSSM has received a report from a GSS device with a GSSM activation time stamp that was not consistent with the primary GSSM’s current time. The standby and primary GSSM may have clocks that are not synchronized. |
| User HTTP Password Change | A user has changed his or her password using the Change Password details page from the Tools tab. |

Glossary

A

answer Individual resource (virtual IP address [VIP], name server [NS], or content routing agent [CRA]) that is used to reply to a content request.

answer group Customer-defined set of virtual IP address (VIP), name server (NS), or content routing agent (CRA) addresses from which an individual answer is selected and used to reply to a content request.

B

boomerang Server load-balancing component of the Global Site Selector (GSS) that uses calculations of network delay to select the site “closest” to the requesting D-proxy. Closeness is determined by conducting DNS races between content routing agents (CRAs) on each host server. The CRA that replies first to the requesting D-proxy is chosen to reply to the request.

C

client Content consumer, typically a web browser or multimedia stream player, that makes Domain Name System (DNS) requests for domains managed by the Global Site Selector (GSS).

content provider Customer deploying content on a Content Delivery Network (CDN), or purchasing hosting services from a service provider or web hosting service.

content router Machine that routes requests for content through Domain Name System (DNS) records.


content routing agent (CRA) Software running on a Content Delivery Network (CDN) or server load-balancing device that provides information to a Global Site Selector (GSS) for making content routing decisions, and handles content routing requests from the GSS.

Content Switching Module (CSM) Server load-balancing component for the Catalyst 6000 Switch product.

Content Services Switch (CSS) Cisco server load-balancing appliance for Layer 4 through Layer 7 content.

customer Cisco customer purchasing Global Site Selector (GSS) hardware, software, or services. Typically an Internet service provider (ISP), application service provider (ASP), or enterprise customer.

D

data center Collection of centrally located devices (content servers, transaction servers, or web caches).

DNS rule Central configuration and routing concept of the Global Site Selector (GSS), allowing specific request balance resources, methods, and options to be applied to source address and domain pairs.

domain list One or more hosted domains logically grouped for administrative and routing purposes.

D-proxy Client’s local name server, which makes iterative DNS queries on behalf of a client. A single recursive query from a client may result in many iterative queries from a D-proxy. Also referred to as local domain name server (LDNS).

F

fully qualified domain name (FQDN) Domain name that specifies the named node’s absolute location relative to the Domain Name System (DNS) root in the DNS hierarchy.


G

Global Site Selector (GSS) Cisco content routing device that intelligently responds to Domain Name System (DNS) queries, selecting the “best” content locations to serve those queries based on DNS rules created by the customer.

GSS network Set of Global Site Selectors (GSSs) in a scaled, redundant GSS deployment.

Global Site Selector Manager (GSSM) Device that administers a Global Site Selector (GSS) network, storing configuration information and statistics for GSS devices and providing a graphical user interface that GSS administrators use to reconfigure or monitor the performance of their GSS network.

global server load balancing (GSLB) System based on the Content Services Switch that directs clients through the Domain Name System (DNS) to different sites based on load and availability. Two versions of GSLB currently exist:

• Rule-based GSLB

• Zone-based GSLB

H

hosted domain Any domain managed by the Global Site Selector (GSS). A minimum of two levels is required for delegation (for example, foo.com). Domain wildcards are supported.


K

keepalive (KAL) Periodic testing of availability and status of a content service through the sending of intermittent queries to a specified address using one of a variety of methods.

The Global Site Selector product uses both primary keepalive and secondary keepalive IP addresses.

See keepalive method.

keepalive method Protocol or strategy used to determine whether a device is online, for example, ICMP, TCP, KAL-AP, HTTP-HEAD, and CRA round-trip time.

L

location Grouping for devices with common geographical attributes, used for administrative purposes only, and similar to data center or content site.

See data center.

N

name server (NS) Publicly or privately addressable Domain Name System (DNS) server that resolves DNS names to IP addresses. Name servers are used by the Global Site Selector (GSS) for name server forwarding, in which queries that the GSS cannot resolve are forwarded to a designated name server that can resolve them.

O

ordered list List of possible answers that are used for routing. List members are ranked and tried in order. Answers lower on the list are not tried unless all previous members fail to provide a suitable result.


origin server Machine that serves original or replicated content provider content.

owner Internal department or resource or external customer associated with a group of GSS resources such as domain lists, answer groups, and so on.

R

region Grouping of Global Site Selector (GSS) locations with common geographic attributes that is used to organize GSS resources.

S

Secure Socket Layer (SSL) Industry-standard method for protecting and encrypting web communication.

server load balancer (SLB) Network device that balances content requests to network resources based on content rules and real-time load and availability data collected from those devices. Server load balancers like the Cisco Content Services Switch (CSS), Content Switching Module (CSM), and LocalDirector provide publicly routable virtual IP addresses (VIPs) while front-ending content servers, firewalls, Secure Socket Layer (SSL) terminators, and caches. Third-party SLBs are supported in a GSS network through the use of Internet Control Message Protocol (ICMP), TCP, and HTTP-HEAD keepalives.

service provider Cisco customer providing infrastructure for a Content Delivery Network (CDN). Also ISP (Internet service provider) and ASP (application service provider).

source address list List of source IPs or source IP blocks that are logically grouped by the system administrator.

static proximity Type of request routing in which incoming requests from specified D-proxies are routed to statically defined resources that have been identified as being in proximity to the source D-proxies.

subscriber Client or set of clients receiving a certain style of DNS routing. Subscribers often pay for application services from the Cisco GSS customer.


T

Time To Live (TTL) Length of time that a response is to be cached and considered valid by the requesting D-proxy.

W

Web Network Services (WebNS) VxWorks-based operating system and software that runs on the Content Services Switch (CSS).

Index

A

accessing

CLI 2-2, 2-4, 2-5

primary GSSM GUI 2-15

remote connection 2-2

serial connection 2-2

access lists

access-group command 9-27

access-list command 9-26

adding rules to 9-28

associating with an interface 9-27

creating 9-25

disassociating from an interface 9-28

filtering traffic 9-24

overview 9-24

removing rules 9-29

viewing 9-30

activating GSS devices 2-18

adding rules to access lists 9-28

administrator account, resetting 9-21

answer

activating 1-45

configuring 7-1

CRA-type answer, creating 7-14

CRA-type answer, overview 1-16

deleting 7-22

error messages 9-56

hit count 10-11

keepalive 1-17

keepalive statistics 10-11

modifying all in location 7-21

modifying an answer 7-19

monitoring 10-11

name server-type answer, creating 7-17

name server-type answer, overview 1-16

overview 1-14, 7-1

reactivating 7-21

setting all to ICMP 1-46

setting all to none 1-46

status 10-14

suspending 1-45, 7-20

suspending all answers in a location 7-21

VIP-type answer, creating 7-2

VIP-type answer, overview 1-15

answer group

adding answers 7-26

balance method options 1-27

balance methods 7-23

CRA configuration information 8-32


creating 7-24

current members 7-27

deleting 7-35

DNS rule 1-12, 1-15

DNS Rule Wizard 8-15

error messages 9-60

general configuration 7-25

load threshold 7-28

modifying 7-29

order 7-28

overview 1-15, 7-23

removing answers 7-29

suspending 7-30

suspending or reactivating all for an owner 7-32

VIP DNS configuration information 8-32

weight 7-28

answer hit counts 10-10

answer keepalive statistics 10-11

Anywhere source address 1-14, 4-1

appliance-based global server load balancing 1-6

A record 8-26, 8-30

associating access list with interface 9-27

audience xx


B

backup of GSSM

conditions for 9-39

overview 9-37

procedure 9-39

backup of GSSM database

conditions for 9-39

overview 9-37

procedure 9-40

balance clause 7-23, 8-30

balance method

answer group options 1-27

answer group pair 7-23

balance clauses 7-23

boomerang 1-26

DNS rule 1-12, 1-15

DNS Rule Wizard 8-22

hash 1-26, 8-23, 8-31

hashed balance method 8-31

least loaded 1-25, 8-31

load threshold option 1-29, 8-19

ordered list 1-24, 8-23, 8-31

order option 1-28, 8-19

overview 1-24

round robin 1-25, 8-23, 8-31

weighted round robin 1-25, 8-23, 8-31

weight option 1-28, 8-19

BIND sample zone configuration file 8-44


boomerang

activity, monitoring 10-3

balance method 1-26

DNS race 1-26

server 1-27

server, monitoring status 10-3

server status 10-3

browsers supported 1-36

C

Cancel icon 1-43

certificate

accepting 2-16

trusting 2-16

changing

GSSM role 9-2

startup and running configuration 9-8

CIDR block masking 4-1

clauses (balance clause) in answer group 7-23

CLI

accessing 2-2, 2-12

configuring GSS 2-10

device management 1-34

direct serial connection 2-2

GSS device monitoring 10-2

monitoring GSS network statistics 10-3

private and public key pair 2-5

remote connection 2-4


resetting CLI administrator account 9-21

resetting password 9-21

saving session 2-3

user account, creating 9-19

closeness (DNS race) 7-15

communication between nodes 1-33

Content Services Switch

data center deployment 1-34

definition G-2

global load-balancing 1-2

GSS network deployment 1-6

VIP answers 1-15

Content Switching Module

data center deployment 1-34

definition G-2

global load-balancing 1-2

GSS network deployment 1-6

VIP answers 1-15

copy command 9-9

copying startup configuration to or from disk 9-9

CRA

answer, creating 7-14

balance method 1-28, 7-23

closeness 7-15

CRA answer overview 1-16

definition G-2

DNS race 7-15

global keepalive configuration 6-15

keepalive 1-19


last gasp address 8-24

minimum frequency 6-15

one way delay 7-16

overview 1-19

round-trip time 7-16

timing delay 6-15

Create icon 1-42

CSM

See Content Switching Module

CSS

See Content Services Switch

D

database

backing up 9-40

monitoring status of 10-7

restoring GSSM from full backup 9-49

synchronized with standby GSSM 1-33

validating records 10-7

validation report 10-8

data center

definition G-2

deployment 1-34

debug log message 10-29

default

password 2-16

username 2-16

delegation

definition 1-3

domains to GSS 1-31, 8-43

GSS devices 8-42

subdomains to GSS 1-31, 8-43

Delete icon 1-44

deployment

configuring name servers 8-42

data center 1-34

GSS devices behind firewall 9-30

locations and regions 3-2

overview 1-31

resources 3-2

typical GSS deployment 1-31

details pages 1-40

disassociating access list from interface 9-28

DNS

all 8-26, 8-30

A record 8-26, 8-30

balance clause 8-30

creating DNS rules 8-5

delegation 8-42

DNS queries 8-26, 8-30

glue A records 8-43

hosted domain 1-13

iterative request 1-5

query 1-14

race 1-16, 7-15

recursive request 1-4

request resolution 1-5

routing overview 1-3

sample BIND zone configuration 8-44

server, modifying 8-43

server, monitoring 10-4

traditional routing 1-3

unmatched queries 10-21

zone configuration file 8-43

DNS race

balance method 1-26

closeness 7-15

coordinate start time 7-15

CRAs 1-16

DNS rule

activating 1-45

answer 1-12

balance clause 7-23

components 1-12

creating 8-2

definition G-2

deleting 8-38

error messages 9-61

filtering 1-43

filters, configuring 8-38

filters, removing 8-42

hit count 10-15

modifying 8-33

overview 1-12

reactivating 8-35

reactivating all by owner 8-36

removing filters 8-42

showing all rules 1-43

suspending 1-45, 8-34

suspending all by owner 8-36

DNS Rule Builder

balance clause 8-30

CRA configuration information 8-32

creating DNS rules 8-27

DNS queries 8-30

modifying DNS rule 8-33

name server balance methods 8-23, 8-31

overview 8-4

VIP answer group configuration information 8-32

VIP balance methods 8-31

DNS rule filter

configuring 8-38

parameters 8-39

removing 8-42

DNS Rules tab 1-38

DNS Rule Wizard

activating 8-26

answer group, configuring 8-15

balance method, configuring 8-22

creating DNS rules 8-5

domain list, configuring 8-10

icons 1-42, 1-44, 1-45

modifying DNS rule 8-33

overview 8-2

source address list, configuring 8-7

summary 8-25

suspending 8-26

documentation

caution and note overview xxiii

conventions xxi, xxii

organization xx

related xxi

set xxi

symbols and conventions xxii

domain lists

adding domains to 5-2, 5-5, 8-13

creating 5-2

current members 5-6

deleting 5-10

DNS Rule Wizard 8-10

error messages 9-68

general configuration 5-4

maximum domains 1-13

maximum nonwildcard domain length 5-6

modifying 5-8

overview 1-13, 5-1

regular expressions 5-1

removing domains 5-8

wildcards in domains 5-2, 5-6, 8-13

domain name space 1-3

Domain Name System

See DNS

domains

delegating to GSS 1-32, 8-43

hit counts 10-17

maximum length 5-6

maximum name length 5-5

maximum per domain list 1-13, 5-2

wildcards example 8-13

wildcards maximum length 5-6

downgrading

GSS device software 9-48

order of operation 9-48

restoring earlier software version 9-49

D-proxy

background 1-4

definition G-2

iterative requests 1-5

name server forwarding 1-16

query GSS 1-14

E

error messages 9-56

answer 9-56

answer group 9-60

DNS rule 9-61

domain list 9-68

GSSM 9-78

keepalive 9-74

location 9-76

owner 9-77

region 9-77

shared keepalive 9-72

source address list 9-79

user 9-81

Ethernet interface, segmenting traffic 9-22

exporting

GSSM data 9-12

icon 1-42

Export to CSV icon 1-42

F

failure detection time, adjusting 1-20

fatal error log message 10-28

filtering GSS traffic 9-24

filters

DNS rules 8-38

parameters 8-39, 8-40

removing 8-42

firewall

configuring for GSS 9-33

deploying GSS devices 1-32, 9-30

inbound traffic to the GSS 9-31

outbound traffic from the GSS 9-32

permitting traffic to GSS 1-32

FTP, enabling 2-3

full GSSM backup 9-39

fully qualified domain name G-2

G

global keepalives

CRA configuration settings 6-15

fast transmission rate 1-20, 6-4, 6-7, 6-10, 6-13

HTTP HEAD configuration settings 6-9

ICMP configuration settings 6-3

KAL-AP configuration settings 6-12

modifying 6-2

name server configuration settings 6-16

overview 6-1

properties, modifying 6-2

standard transmission rate 1-20, 6-4, 6-7, 6-10, 6-13

TCP configuration settings 6-6

global server load balancing

balance clauses 7-23

data centers 1-34

definition G-3

delegation of GSS devices 8-42

global statistics 10-20

monitoring 10-9

overview 1-6

summary 2-23

using the GSS 1-6

Global Site Selector

accessing the CLI 2-2, 2-4

accessing the CLI with private/public key pair 2-5

acting as GSSM 1-10, 1-31

activating 2-18

authoritative DNS server 1-7

balancing data centers 1-34

boomerang server 10-3

CLI-based management 1-34

communication 1-33

configured as GSSM (primary or standby) 2-12

configuring 2-14

configuring from CLI 2-10

console port, physical access to 2-4

delegation of devices 8-42

deleting devices 2-22

deployment 1-31, 1-32, 1-34, 8-42

direct serial connection 2-2

DNS server, monitoring 10-4

downgrading software 9-48

enable remote connect 2-3, 2-5

factors in responding to a request 1-7

firewalls 9-30, 9-33

global server load balancing 1-6

GSLB configuration 2-23

GUI-based management 1-35

hardware 1-10, 1-11

initial setup 2-8

interact with SLBs 1-6

inter-GSS communications 1-33, 9-22

keepalives overview 1-17, 6-1

locating 1-31

login accounts 9-19

MIBs 9-36

modifying device configuration 2-21

monitoring through CLI 10-2

monitoring through GUI 10-6

network configuration settings 9-7

network deployment 2-6

network management 1-34

online status and resource usage 10-2

overview 1-2, 1-10

packet filtering 1-32

ports and protocols 9-25, 9-31

purging system log messages 10-30

remote access, enabling 2-3

remote connection 2-4

removing or replacing 9-2

reporting interval 9-12

resources, grouping 3-16

restoring earlier software version 9-49

running configuration 9-8

setup configuration decisions 2-6

setup script, configuring with 2-8

software architecture 1-9

startup configuration 9-8

synchronized with GSSM 1-10, 1-33

upgrading software 9-41

user account, creating 9-19

user account, deleting 9-20

user account, modifying 9-20

Global Site Selector Manager

activating 2-18

backing up 9-37

changing role in GSS network 9-4

changing the GUI password 9-17

communication 1-33

configuring, primary 2-13

configuring, standby 2-13

configuring the GUI 9-10

creating user account (GUI) 9-14

database 1-10, 1-33

database, monitoring 10-7

database, restoring from backup 9-52

default username and password 2-16

definition G-3

deployment 1-31

DNS rule configuration interface 2-24, 8-2

DNS rules 1-12

downgrading software 9-48

error messages 9-78

exporting data 9-12

GSLB configuration 2-23

GUI overview 1-36

icons 1-41

initial setup 2-8

inter-GSS communication 1-33

keepalives overview 6-1

locating 1-31

logging on 2-15

login accounts 9-13

modifying user account (GUI) 9-16

monitoring device status from GUI 10-6

online help 1-47

overview 1-10

password 9-17

platform information 9-50

primary 1-10

primary GSSM GUI overview 1-36

printing data 9-12

redundancy 1-33

removing user account (GUI) 9-17

resetting the GUI password 9-17

resources, grouping 3-16

restoring earlier software version 9-49

restoring full backup 9-49

role change 9-4

security 9-13

setup configuration decisions 2-6

standby 1-11

standby, as backup 1-31

standby acting as primary 1-33

switching primary and standby role 9-2

upgrading software 9-41

viewing system logs 10-28

global statistics 10-20

glossary of terms G-1

glue A records 8-43

GSLB

See global server load balancing

GSS

See Global Site Selector

gss.log file 10-24

GSSM

See Global Site Selector Manager

gssm standby-to-primary command 9-5

GSS network

changing GSSM role 9-4

configuration 1-10, 1-33

configuration overview 2-6

definition G-3

deployment 1-31

global statistics 10-20

GSLB status 10-9

GSS, removing 9-2

GSSM connectivity 2-12

limiting network traffic 9-22

logically removing a GSS 9-2

logically removing a standby GSSM 9-2

management 1-34

monitoring through CLI 10-3

monitoring through GUI 10-6

organizing 3-2

primary GSSM 1-10

primary GSSM, removing 9-2

resource grouping 3-16

segmenting network traffic 9-22

setup configuration decisions 2-6

standby GSSM, removing 9-2

URL 2-15

GSS-related ports and protocols 9-25

GUI

browsers supported 1-36

configuration 9-10, 9-11

details pages 1-40

device management 1-34

icons 1-41

list pages 1-38

logging on 1-36, 2-15

monitoring GSS device status 10-6

navigation 1-41

organization 1-38

overview 1-36

password 9-17

refreshing 1-42, 9-10, 9-12

security 9-13

session inactivity timeout 9-10, 9-11

tabs 1-38

timeout 9-11

understanding 1-36

user account, creating 9-14

user account, modifying 9-16

user account, removing 9-17

H

hashed balance method 1-26, 8-23, 8-31

help

navigation link 1-47

obtaining 1-47

primary GSSM Online help overview 1-47

hosted domain

definition G-3

domain names 1-13

name examples 1-13

overview 1-13, 5-1

regular expressions 1-13

requested 1-12

statistics 10-17

HTTP HEAD keepalive

default path 6-11, 6-25, 7-12

destination port 6-11, 7-11

global keepalive configuration 6-9

host tag 6-25, 7-12

overview 1-18

shared keepalive configuration 6-24

termination method 6-11, 6-25, 7-12

VIP answer 7-11

HyperTerminal

launching 2-2

saving session 2-3

I

ICMP keepalive

global keepalive configuration 6-3

overview 1-18

shared keepalive configuration 6-21

VIP answer 7-7

icons 1-41

Info log message 10-29

inter-GSS communication 1-33

inter-GSS communications 9-22

iterative requests 1-5

K

KAL

See keepalive

KAL-AP keepalive

by tag 7-14

by VIP 7-14

CAPP hash secret 6-14, 6-27

global keepalive configuration 6-12

overview 1-19

primary and secondary IP addresses 6-27

shared keepalive configuration 6-26

VIP answer 7-13

keepalive

CRA overview 1-19

CRA type 1-19

definition G-4

deleting a shared keepalive 6-29

error messages 9-72, 9-74

failure detection time, adjusting 1-20

fast transmission rate 1-20, 6-4, 6-7, 6-10, 6-13

global properties, modifying 6-2

global properties, overview 6-1

HTTP HEAD connection termination method 6-11, 6-25, 7-12

HTTP HEAD overview 1-18

ICMP type 1-18

KAL-AP overview 1-19

keepalive attempts 1-23, 6-5, 6-8, 6-11, 6-14, 6-22, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12

monitoring status 10-5

name server 1-20

name server overview 1-20

none 1-20

number of retries 1-22, 6-5, 6-8, 6-11, 6-14, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12

overview 1-17

probes 1-23, 6-5, 6-8, 6-11, 6-14, 6-22, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12

probes per second 10-21

shared keepalive, creating 6-17

shared keepalive, modifying 6-28

shared keepalive overview 6-17

shared VIP keepalives, overview 6-17

standard transmission rate 1-20, 6-4, 6-7, 6-10, 6-13

supported types 1-17

TCP connection termination method 6-8, 6-23, 7-10

TCP overview 1-18

transmission interval formula 1-21

VIP 1-18, 1-19, 6-17

L

last gasp address 8-24

least loaded 8-31

balance method 1-25, 8-23, 8-31

overview 1-25, 8-23, 8-31

weight option 1-29

list pages

overview 1-38

sorting items 1-38

loading startup configuration from external file 9-9

load threshold, balance method option 1-29, 8-19

location

creating 3-6

definition G-4

deleting 3-10

error messages 9-76

modify all answers in 7-21

modifying 3-9

organizing resources 3-16

overview 3-2

suspending all answers 7-21

location overview 1-30

log files

logging levels 10-22

rotating 10-26

subsystem 10-25

viewing 10-22

logging levels 10-22

logging on to GSSM GUI 2-15

logically removing

standby GSSM from a network 9-2

logically removing a GSS from a network 9-2

login

accounts 9-13

certificate 2-15

default 2-16

GUI 1-36

security 9-13

login accounts

creating on GSS 9-19

creating on GSSM 9-14

deleting 9-20

GSSM 9-13

managing 9-19

modifying 9-16, 9-20

removing 9-17

M

messages

error 9-56

purging 10-30

system log 10-31

viewing 10-28

MIBs 9-33, 9-36

Modify icon 1-42

monitoring

answer hit counts 10-10

answer keepalive statistics 10-11

answer status 10-14

boomerang server status 10-3

database status 10-7

DNS rule statistics 10-15

DNS server 10-4

global load-balancing status 10-9

global statistics 10-20

GSS network status 10-3

hosted domain statistics 10-17

keepalives 10-5

online status 10-2

resource usage 10-2

source address statistics 10-18

status of GSS devices by CLI 10-2

status of GSS devices from the GUI 10-6

Monitoring tab 1-38

N

name server

answer type, creating 7-17

authoritative 1-6

authoritative name server (ANS) 1-4

balance method 7-23

balance method options 1-28

balance methods 8-23, 8-31

client name server (CNS) 1-4

definition G-4

DNS resolvers (DNSR) 1-4

forwarding 1-16

intermediate name server (INS) 1-4

keepalive 1-20

name server answer overview 1-16

overview 1-4

query 7-19

records, adding to zone configuration file 8-43

root name servers (RNS) 1-4

name server keepalive

global keepalive configuration 6-16

minimum frequency 6-16

overview 1-20

query domain 6-16

navigation through the GUI 1-41

network

configuration, erasing 9-7

configuration, modifying 9-7

configuration for GSS devices 9-8

deployment 1-31

locating GSS on 1-31

running configuration, changing 9-8

startup configuration, changing 9-8

network management 1-34

CLI-based 1-34

GUI-based 1-35

node communication 1-33

number of retries for keepalive types 1-22, 6-5, 6-8, 6-11, 6-14, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12

O

one-way delay 7-16

Online help overview 1-47

ordered list 8-31

balance method 1-24, 8-23, 8-31

definition G-4

overview 1-24

order option, balance method 1-28, 8-19

origin server G-5

owner

creating 3-11

deleting 3-15

error messages 9-77

modifying 3-14

organizing resources 3-16

overview 1-30, 3-2

reactivating all DNS rules 8-36

suspending all answer groups for 7-32

suspending all DNS rules 8-36

P

Partner Initiated Customer Access

See PICA

password

CLI, resetting 9-21

default 2-16

GSSM GUI, changing 9-17

GSSM GUI, resetting 9-17

logging in 2-16

resetting CLI administrator account 9-21

user account, creating 9-15

PICA 9-44

platform information

restoring 9-50

summary 9-50

ports and protocols 9-25, 9-31

primary GSSM

changing to standby 9-4

configuring the GUI 9-10

overview 1-10

security 9-13

viewing system logs 10-28

Print icon 1-42

printing

GSSM data 9-12

Print icon 1-42

private and public key pairs 2-5

protocols and ports for GSS devices 9-25

proximity DNS race 7-15

purging system log messages 10-30

Q

query

answers 7-2

balance methods 1-24

CRA answer 7-14

DNS request 1-6

DNS rules 1-12

KAL-AP 1-19, 7-14

match DNS query type 8-26

name server 1-20, 6-16

name server answer 7-17

not matched to D-proxy 1-14

query domain 6-16

source addresses 1-13

VIP answer 7-2

R

reactivating

all answer groups for an owner 7-32

all answers in an answer group 7-32

all answers in location 7-21

all DNS rules by owner 8-36

answer 7-21

DNS rule 8-35

record

database records, validating 10-7

request 8-26, 8-30

redundancy synchronization 1-33

Refresh icon 1-42

refreshing the GUI 1-42, 9-10, 9-12

region

creating 3-3

definition G-5

deleting 3-10

error messages 9-77

modifying 3-8

organizing resources 3-16

overview 1-30, 3-2

regular expressions 1-13, 5-1

remote access

enabling 2-3

FTP 2-3

SSH 2-3

Telnet 2-3

remote connection

accessing CLI 2-4

SSH 2-4

Telnet 2-4

report

answer hit counts 10-10

answer status 10-14

database validation 10-8

DNS rule hit count 10-15

domain hit count 10-17

keepalive statistics 10-11

source address hit count 10-18

reporting interval 9-12

requests

iterative 1-5

resolution 1-4, 1-7

resetting

CLI administrator account 9-21

CLI password 9-21

GUI password 9-17

password 9-21

resources

configuring 3-1

grouping 3-16

organizing 3-2

Resources tab 1-38

restoring

earlier software version 9-49

GSSM database from a backup 9-52

GSSM from full backup 9-49

GSSM platform information 9-50

rotating log files 10-26

round robin 8-31

balance method 1-25, 8-23, 8-31

overview 1-25

round-trip time 7-16

running configuration

changing 9-8

saving 9-8

S

sample BIND zone configuration 8-44

secure HTTP address 2-16

security

configuration 9-13

GUI 9-13

segmenting GSS traffic by interface 9-22

server load balancer 1-2, G-5

service provider G-5

session inactivity timeout 9-10, 9-11

setup script 2-8

bypassing 2-8

configuring GSS 2-8

configuring GSSM 2-8

severity log message 10-28

shared keepalive

creating 6-17

deleting 6-29

error messages 9-72

modifying 6-28

overview 6-17

shared keepalives

HTTP HEAD configuration settings 6-24

ICMP configuration settings 6-21

KAL-AP configuration settings 6-26

TCP configuration settings 6-22

show access-list command 9-30

show logs command 10-24

show statistics command 10-3

boomerang 10-3

dns 10-4

keepalive 10-5

Simple Network Management Protocol (SNMP)

community-string 9-34

configuring 9-34

contact information 9-34

enabling 9-34

location 9-35

MIB files, viewing 9-36

overview 9-33

port, changing 9-36

viewing status 9-35

software, restoring earlier version 9-49

software downgrade

procedure 9-48

restoring earlier software version 9-49

software update

new update file 9-43

obtaining update file 9-43

procedure 9-41

sort

DNS rules 8-38

removing 8-42

Sort icon 1-42

source address

Anywhere 1-14, 4-1

blocks 1-14, 4-1

hit counts 10-18

maximum per source address list 4-1

overview 1-14

source address and domain hash balance method 1-26, 8-23, 8-31

source address list

adding addresses 4-3

address blocks 4-4

anywhere 1-14

Anywhere (default) 4-1

creating 4-1, 4-2

current members 4-4

definition G-5

deleting 4-7

DNS Rule Wizard 8-7

error messages 9-79

general configuration 4-3

maximum addresses 4-1

modifying 4-5

overview 1-13

removing addresses 4-6

SSH, enabling 2-3

SSL

See Secure Socket Layer

standby GSSM

changing to primary 9-4

definition 1-33

overview 1-11

startup configuration

changing 9-8, 9-9

loading from external file 9-9

saving from external file 9-9

static proximity G-5

statistics

answer hit counts 10-10

answer keepalive 10-11

answer status 10-14

DNS rule hit count 10-15

global 10-20

hosted domains 10-17

source address 10-18

subdomains, delegation 1-31, 8-43

Submit icon 1-43

subscriber G-5

subsystem log files

rotating 10-26

viewing 10-25

suspending

all answer groups for an owner 7-32

all answers in a location 7-21

all answers in an answer group 7-32

all DNS rules by owner 8-36

answer 7-20

answer group 7-30

DNS rule 8-34

switching primary and standby GSSM role 9-2

synchronization of primary and standby GSSM 1-33

system log

messages 10-31

purging 10-30

severity 10-28

viewing 10-28

T

tail command option 10-24

TCP keepalive

destination port 6-8, 7-9

global keepalive configuration 6-6

overview 1-18

shared keepalive configuration 6-22

termination method 6-8, 6-23, 7-10

VIP answer 7-9

Telnet, enabling 2-3, 2-5

third-party software, viewing information 9-54

Time To Live G-6

Tools tab 1-38

traffic

limiting 9-22

segmenting by interface 9-22

troubleshooting 9-56

TTL

See Time To Live

U

update file, obtaining 9-43

upgrading

GSS device software 9-41

obtaining update file 9-43

order of operation 9-41

URL, secure HTTP 2-16

user

account, creating 9-14

account, modifying 9-16

account, removing 9-17

error messages 9-81

user account

creating 9-14

creating for GUI 9-14

creating with CLI 9-19

deleting 9-20

modifying 9-16, 9-20

removing 9-17

user interface

details windows 1-40

icons 1-41

list windows 1-38

log on to 2-15

navigation 1-41

organization 1-38

understanding 1-36

username

default 2-16

logging in 2-16

user account, creating 9-15

V

validating database records 10-7

viewing

access lists 9-30

gss.log file 10-24

log files 10-22

MIB files 9-36

SNMP status 9-35

subsystem log files 10-25

system log 10-28

third-party software information 9-54

VIP

answer groups 7-23

answers 7-2

balance method options 1-28

balance methods 7-23, 8-23, 8-31

keepalive type 1-18

VIP answer overview 1-15

VIP answer

answer types 7-5

creating 7-2

HTTP HEAD keepalive 7-11

ICMP keepalive 7-7

KAL-AP keepalive 7-13

TCP keepalive 7-9

VIP keepalive type

HTTP HEAD 1-18

ICMP 1-18

KAL-AP 1-19

TCP 1-18

W

warning log message 10-28

weight

balance method overview 1-28, 8-19

least loaded 1-29

round-robin 1-29

weighted round robin

balance method 1-25, 8-23, 8-31

overview 1-25

wildcards

example 8-13

in domains 5-2, 5-6, 8-13

maximum length in domain names 5-6

wizard

creating DNS rules 8-5

DNS Rule Wizard 8-2

overview 8-2

write memory command 9-8

Z

zone configuration file

modifying 8-43

sample 8-44
