
Cisco Global Site Selector Configuration Guide

Software Version 1.1 January 2004

Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100
Text Part Number: OL-4327-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)

Cisco Global Site Selector Configuration Guide Copyright 2003 Cisco Systems, Inc. All rights reserved.

Contents

Preface
    Audience
    How to Use This Guide
    Related Documentation
    Symbols and Conventions
    Obtaining Documentation, Obtaining Support, and Security Guidelines

Chapter 1: Introducing the Global Site Selector
    GSS Overview
    DNS Routing
    DNS Name Servers
    Request Resolution
    GSLB Using the GSS
    GSS Architecture
    Global Site Selectors and Global Site Selector Managers
    GSS
    Primary GSSM
    Standby GSSM
    DNS Rules
    Hosted Domains and Domain Lists
    Source Address and Source Address Lists
    Answers and Answer Groups
    VIP Answers
    Name Server Answers
    CRA Answers
    Keepalives
    ICMP
    TCP
    HTTP-HEAD
    KAL-AP
    CRA
    Name Server
    None
    Adjusting Failure Detection Time for Keepalives
    Balance Methods
    Ordered List
    Round-Robin
    Weighted Round-Robin
    Least Loaded
    Hash
    Boomerang (DNS Race)
    Balance Method Options for Answer Groups
    Locations and Regions
    Owners
    GSS Network Deployment
    Locating GSS Devices
    Locating GSS Devices Behind Firewalls
    Communication Between GSS Nodes
    Deployment Within Data Centers
    GSS Network Management
    CLI-Based GSS Management
    GUI-Based Primary GSSM Management
    Understanding the Primary GSSM Graphical User Interface
    Graphical User Interface Organization
    List Pages
    Details Pages
    Navigation
    Primary GSSM GUI Icons and Symbols
    Primary GSSM GUI Online Help
    Where to Go Next
Chapter 2: Setting Up Your GSS
    Accessing the GSS CLI
    Accessing the CLI Using a Direct Serial Connection
    Enabling Remote Access on a GSS Device
    Accessing the CLI Using a Remote Connection
    Accessing the GSS CLI Using a Private and Public Key Pair
    Performing Network Configuration of the GSS
    Configuring the GSS Using the Setup Script
    Configuring the GSS from the CLI
    Configuring a Primary GSSM or Standby GSSM
    Configuring a Global Site Selector
    Logging Into the Primary GSSM Graphical User Interface
    Creating and Modifying GSS Devices
    Activating GSS Devices
    Modifying GSS Device Configuration
    Deleting GSS Devices
    Global Server Load-Balancing Summary
    Where to Go Next

Chapter 3: Configuring Resources
    Organizing Your GSS Network
    Creating and Modifying Locations and Regions
    Creating Regions
    Creating Locations
    Modifying Regions
    Modifying Locations
    Deleting Locations and Regions
    Creating and Modifying Owners
    Creating Owners
    Modifying Owners
    Deleting Owners
    Grouping GSS Resources by Location, Region, and Owner
    Where to Go Next
Chapter 4: Configuring Source Address Lists
    Creating Source Address Lists
    Modifying Source Address Lists
    Deleting Source Address Lists
    Where to Go Next

Chapter 5: Configuring Domain Lists
    Domain List Overview
    Creating Domain Lists
    Modifying Domain Lists
    Deleting Domain Lists
    Where to Go Next

Chapter 6: Configuring KeepAlives
    Modifying Global KeepAlive Properties
    Global KeepAlive Configuration - ICMP
    Global KeepAlive Configuration - TCP
    Global KeepAlive Configuration - HTTP HEAD
    Global KeepAlive Configuration - KAL-AP
    Global KeepAlive Configuration - CRA
    Global KeepAlive Configuration - Name Server
    Configuring and Modifying Shared VIP KeepAlives
    Creating a Shared VIP KeepAlive
    Shared KeepAlive Configuration - ICMP
    Shared KeepAlive Configuration - TCP
    Shared KeepAlive Configuration - HTTP HEAD
    Shared KeepAlive Configuration - KAL-AP
    Modifying a Shared KeepAlive
    Deleting a Shared KeepAlive
    Where to Go Next
Chapter 7: Configuring Answers and Answer Groups
    Configuring and Modifying Answers
    Creating a VIP-Type Answer
    VIP Answer - ICMP KeepAlive
    VIP Answer - TCP KeepAlive
    VIP Answer - HTTP HEAD KeepAlive
    VIP Answer - KAL-AP KeepAlive
    Creating a CRA-Type Answer
    Creating a Name Server-Type Answer
    Modifying an Answer
    Suspending an Answer
    Reactivating an Answer
    Suspending or Reactivating All Answers in a Location
    Deleting an Answer
    Configuring and Modifying Answer Groups
    Creating an Answer Group
    Modifying an Answer Group
    Suspending or Reactivating an Answer Group
    Suspending or Reactivating All Answers in an Answer Group Associated with an Owner
    Deleting an Answer Group
    Where to Go Next
Chapter 8: Building and Modifying DNS Rules
    DNS Rule Configuration Overview
    DNS Rule Wizard
    DNS Rule Builder
    Building DNS Rules Using the Wizard
    DNS Rule Wizard - Source Address List Page
    DNS Rule Wizard - Source Address List Page 2
    DNS Rule Wizard - Source Address List Page 3
    DNS Rule Wizard - Domain List Page
    DNS Rule Wizard - Domain List Page 2
    DNS Rule Wizard - Domain List Page 3
    DNS Rule Wizard - Answer Group Page
    DNS Rule Wizard - Answer Group Page 2
    DNS Rule Wizard - Answer Group Page 3
    DNS Rule Wizard - Answer Group Page 4
    DNS Rule Wizard - Balance Method Page
    DNS Rule Wizard - Summary
    Building DNS Rules Using the DNS Rule Builder
    Modifying DNS Rules
    Suspending a DNS Rule
    Reactivating a DNS Rule
    Suspending or Reactivating All DNS Rules Belonging to an Owner
    Deleting a DNS Rule
    Configuring DNS Rule Filters
    Removing DNS Rule Filters
    Delegation to GSS Devices
Chapter 9: GSS Administration and Troubleshooting
    Performing Advanced GSS Configuration Tasks
    Logically Removing a GSS or Standby GSSM from the Network
    Changing the GSSM Role in the GSS Network
    Switching the Roles of the Primary and Standby GSSMs
    Reversing the Roles of the Interim Primary and Standby GSSMs
    Modifying Network Configuration Settings of a GSS
    Changing the Startup and Running Configuration Files
    Loading the Startup Configuration from an External File
    Configuring the Primary GSSM Graphical User Interface
    Printing and Exporting GSSM Data
    Configuring GSS Security
    Creating and Managing GSSM Login Accounts
    Creating a GSSM GUI User Account
    Modifying a GSSM GUI User Account
    Removing a GSSM GUI User Account
    Changing Your GSSM GUI Password
    Creating and Managing GSS CLI Login Accounts
    Creating a GSS User Account Using the CLI
    Modifying a GSS User Account Using the CLI
    Deleting a GSS User Account Using the CLI
    Resetting the CLI Administrator Account Password
    Segmenting GSS Traffic by Interface
    Filtering GSS Traffic Using Access Lists
    Creating an Access List
    Associating an Access List with a GSS Interface
    Disassociating an Access List from a GSS Interface
    Adding Rules to an Access List
    Removing Rules from an Access List
    Viewing Access Lists
    Deploying GSS Devices Behind Firewalls
    Configuring SNMP on Your GSS Network
    Configuring SNMP on Your GSS
    Viewing SNMP Status
    Viewing MIB Files on the GSS
    Backing Up the GSSM
    Determining When and What Type of Backup to Perform
    When to Perform a Full Backup
    When to Perform a Database Backup
    Performing a Full GSSM Backup
    Performing a GSSM Database Backup
    Upgrading the Cisco GSS Software
    Verifying the GSSM Role in the GSS Network
    Backing up and Archiving the Primary GSSM
    Obtaining the Software Upgrade
    Upgrading Your GSS Devices
    Downgrading and Restoring Your GSS Devices
    Restoring an Earlier Software Version on Your GSS Devices
    Restoring Your GSSM from a Full Backup
    Restoring Your GSSM Database from a Database-Only Backup
    Viewing Third-Party Software Versions
    Primary GSSM Error Messages
    Answer Error Messages
    Answer Group Error Messages
    DNS Rule Error Messages
    Domain List Error Messages
    Shared KeepAlive Error Messages
    KeepAlive Error Messages
    Location Error Messages
    Owner Error Messages
    Region Error Messages
    GSSM Error Messages
    Source Address List Error Messages
    User Error Messages
Chapter 10: Monitoring GSS Performance
    Monitoring GSS and GSSM Status
    Monitoring the Online Status of GSS Devices from the CLI
    Monitoring the Status of Your GSS Network from the CLI
    Monitoring the Status of the Boomerang Server on Your GSS
    Monitoring the Status of the DNS Server on Your GSS
    Monitoring the Status of Keepalives on Your GSS
    Monitoring GSS Device Status from the Primary GSSM GUI
    Monitoring GSSM Database Status
    Monitoring the Database Status
    Validating Database Records
    Creating a Database Validation Report
    Monitoring Global Load-Balancing Status
    Monitoring Answer Hit Counts
    Monitoring Answer Keepalive Statistics
    Monitoring Answer Status
    Monitoring DNS Rule Statistics
    Monitoring Domain Statistics
    Monitoring Source Address Statistics
    Monitoring Global Statistics
    Viewing Log Files
    Understanding GSS Logging Levels
    Viewing Device Logs from the CLI
    Viewing the gss.log File from the CLI
    Viewing Subsystem Log Files from the CLI
    Rotating Existing Log Files from the CLI
    Viewing System Logs from the Primary GSSM GUI
    Viewing System Logs from the GUI
    Purging System Log Messages from the GUI
    System Log Messages
GLOSSARY

INDEX


Preface
This guide includes information on configuring the Cisco Global Site Selector (GSS). It provides procedures for the proper setup, global server load balancing configuration, administration, and monitoring of the GSS product. Steps for troubleshooting many common problems are also provided. This preface describes the following topics:

- Audience
- How to Use This Guide
- Related Documentation
- Symbols and Conventions
- Obtaining Documentation, Obtaining Support, and Security Guidelines


Audience
To use this configuration guide, you should be familiar with the Cisco Global Site Selector Series hardware. In addition, you should be familiar with basic TCP/IP and networking concepts, router configuration, Domain Name System (DNS), the Berkeley Internet Name Domain (BIND) software or similar DNS products, and your organization's specific network configuration.

How to Use This Guide


This guide includes the following chapters:

Chapter/Title and Description

Chapter 1, Introducing the Global Site Selector
    Describes the basic concepts underlying the GSS product as well as important GSS-related terms.

Chapter 2, Setting Up Your GSS
    Describes the process of configuring the Global Site Selector Series hardware to act as a Global Site Selector Manager (GSSM) or Global Site Selector (GSS) device.

Chapter 3, Configuring Resources
    Instructions on organizing resources on your GSS network as locations, regions, and owners.

Chapter 4, Configuring Source Address Lists
    Describes the creation and modification of source address lists.

Chapter 5, Configuring Domain Lists
    Describes the creation and modification of domain lists.

Chapter 6, Configuring KeepAlives
    Describes the modification of global keepalive parameters and the creation of shared keepalives.

Chapter 7, Configuring Answers and Answer Groups
    Describes the creation of GSS answers and answer groups.

Chapter 8, Building and Modifying DNS Rules
    Describes constructing the DNS rules that govern all global server load balancing on your GSS network.

Chapter 9, GSS Administration and Troubleshooting
    Covers the procedures necessary to properly manage and maintain your GSSM and GSS devices, including login security, software upgrades, GSSM database administration, and GSSM error messages.

Chapter 10, Monitoring GSS Performance
    Describes the tools that you can use to monitor the status of your GSS devices and of global load balancing on your GSS network.

Related Documentation
In addition to this document, the GSS documentation set includes the following:

Document Title and Description

Global Site Selector Hardware Installation Guide
    Intended to help you install your Cisco Global Site Selector and get it ready for operation. It describes how to prepare your site for installation, how to install the GSS in an equipment rack, and how to maintain and troubleshoot the system hardware.

Release Note for the Cisco Global Site Selector
    Provides information on operating considerations, caveats, and commands for the Global Site Selector software.

Cisco Global Site Selector Command Reference
    Provides an alphabetical list of all GSS Command Line Interface (CLI) commands including syntax, options, and related commands. This document also describes how to use the CLI interface.


Symbols and Conventions


This guide uses the following symbols and conventions to emphasize certain information.

Command descriptions use the following conventions:

boldface font     Commands and keywords are in boldface.
italic font       Variables for which you supply values are in italics.
[ ]               Elements in square brackets are optional.
{x | y | z}       Alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]       Optional alternative keywords are grouped in brackets and separated by vertical bars.
string            A nonquoted set of characters. Do not use quotation marks around the string, or the string will include the quotation marks.

Screen examples use the following conventions:

screen font           Terminal sessions and information the system displays are in screen font.
boldface screen font  Information you must enter is in boldface screen font.
italic screen font    Variables for which you supply values are in italic screen font.
                      This pointer highlights an important line of text in an example.
^                     The symbol ^ represents the key labeled Control; for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< >                   Nonprinting characters, such as passwords, are in angle brackets.
[ ]                   Default responses to system prompts are in square brackets.
!, #                  An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Graphical user interface elements use the following conventions:

boldface text       Instructs the user to enter a keystroke or act on a GUI element.
Courier text        Indicates text that appears in a command line, including the CLI prompt.
Courier bold text   Indicates commands and text you enter in a command line.
italic text         Directories and filenames are in italic font.

Caution
A caution means that a specific action you take could cause a loss of data or adversely impact use of the equipment.

Note
A note provides important related information, reminders, and recommendations.

1. A numbered list indicates that the order of the list items is important.
   a. An alphabetical list indicates that the order of the secondary list items is important.

- A bulleted list indicates that the order of the list topics is unimportant.
    An indented list indicates that the order of the list subtopics is unimportant.


Obtaining Documentation, Obtaining Support, and Security Guidelines


For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html


CHAPTER 1

Introducing the Global Site Selector


This chapter describes the Cisco Global Site Selector (GSS) and introduces you to the terms and concepts necessary to properly understand and operate the GSS product. This chapter contains the following major sections:

- GSS Overview
- DNS Routing
- GSLB Using the GSS
- GSS Architecture
- GSS Network Deployment
- GSS Network Management
- Understanding the Primary GSSM Graphical User Interface

For background material on DNS-based global server load balancing (GSLB), as it applies to the GSS, refer to the Business Case for Global Server Load Balancing white paper available on Cisco.com.


GSS Overview
With the growth of the Internet and of Internet-based commerce, there is an increasing demand for high-end networking solutions that can handle sophisticated customer transactions and high traffic loads. Improved content routing is a core technology behind such networking solutions.

Global load-balancing devices such as the Cisco Content Services Switch (CSS) and Cisco Content Switching Module (CSM) can balance content requests among two or more servers containing the same content that are connected to a corporate LAN or the Internet. Server load balancing devices ensure that the content consumer is directed to the host that is best suited to handle that consumer's request.

Increasingly, organizations with a global reach or businesses that provide web and application hosting services require network devices that can perform such complex request routing to two or more redundant, geographically dispersed data centers, improving response times while also providing disaster recovery and failover protection through so-called global server load balancing, or GSLB.

The Cisco Global Site Selector (GSS) is a next-generation networking product that provides these services, allowing customers to leverage global content deployment across multiple distributed and mirrored data locations, optimizing site selection, improving Domain Name System (DNS) responsiveness, and ensuring data center availability.

Inserted into the traditional DNS routing hierarchy and closely integrated with your Cisco CSS, Cisco CSM, or third-party server load balancers (SLBs), the GSS monitors the health and load of the SLBs in each of your data centers and then uses that information along with customer-controlled routing algorithms to select the best-suited and least-loaded data center in real time.

Just as important, the GSS is capable of detecting site outages, ensuring that web-based applications are always online and that customer requests to data centers that suddenly go offline are quickly rerouted to available resources.

Finally, the GSS offloads tasks from traditional DNS servers by taking control of the domain resolution process for parts of your domain name space. Because it can respond to requests at a rate of thousands of requests per second, the GSS greatly improves DNS responsiveness to those subdomains.


DNS Routing
Before you can begin using the GSS product, you must first understand content routing as it currently exists, including DNS and how the introduction of GSS devices on your network will affect content routing and delivery to your customers. This section explains some of the key DNS routing concepts behind the GSS product.

Since the early 1980s, content routing on the Internet has been handled using the Domain Name System (DNS), a distributed database of host information that maps domain names to IP addresses. A radical departure from the largely manual system of maintaining lists of domain names that preceded it, DNS vastly improved the ability of those responsible for maintaining the Internet to manage network traffic and load, as well as maintain a consistent and unique list of valid Internet hosts.

Almost all transactions that occur across the Internet rely on DNS, including electronic mail, remote terminal access such as Telnet, file transfers using FTP, and web surfing. DNS makes possible the use of easy-to-remember alphanumeric host names instead of numeric IP addresses that bear no relationship to the content on the host.

DNS is a robust and flexible system for managing a nearly infinite number of host names, called the domain name space (Figure 1-1). DNS is particularly effective in that it allows local administration of segments (individual domains) of the overall database, yet makes it possible for data in any segment to be available across the entire network, a process known as delegation.
Figure 1-1 Domain Name Space
[Tree diagram of top-level domains (com, int, net, org, gov, mil, edu) with example subdomains: cisco (ftp, www) under com, and vassar (admissions, alumni) under edu.]

DNS Name Servers


Information about the domain name space is stored on name servers that are distributed throughout the Internet, each server storing the complete information about its small part of the total domain name space, called a zone. End users requiring data from a particular domain or machine generate a recursive DNS request on their client that is sent first to the local name server (NS), sometimes called the D-proxy. The job of the D-proxy is to return the IP address of the requested domain to the end user. The DNS structure is based on a hierarchical tree structure similar to common file systems. The key components in this infrastructure include:

- DNS Resolvers (DNSR): Clients that access client name servers.
- Client Name Server (CNS): A server that runs DNS software and is responsible for finding the requested web site. The CNS is sometimes called the client DNS proxy (D-proxy).
- Root Name Servers (RNS): A server that resides at the top of the DNS hierarchy. The RNS knows how to locate every extension after the "." in the host name. There are many top-level domains; the most common include .org, .edu, .net, .gov, and .mil. There are approximately 13 root servers worldwide for handling all Internet requests.
- Intermediate Name Server (INS): A server that is used for scaling purposes. When the root name server does not have the IP address of the authoritative name server (ANS), it sends the requesting client name server to an intermediate name server. The intermediate name server then sends the client name server to the authoritative name server.
- Authoritative Name Server (ANS): A server that is run by an enterprise or is outsourced to a service provider and is authoritative for the domain requested. The authoritative name server responds directly to the client name server (not to the client) with the requested IP address.

Request Resolution
If the local D-proxy does not have the information requested by the end user, it sends out iterative requests to the name servers that it knows are authoritative for domains close to the requested domain. For example, a request for www.cisco.com causes the D-proxy to check first for another name server that is authoritative for www.cisco.com.

The process outlined below summarizes the sequence performed by the DNS infrastructure to return an IP address when a client tries to access the www.cisco.com website. Figure 1-2 illustrates how the DNS request resolution process works.
Figure 1-2 DNS Request Resolution (diagram not reproduced; it shows the desktop system, the client name server (D-proxy), the root name server ("."), the intermediate name server supporting .com, and the authoritative name server supporting cisco.com and all sub-domains, with the numbered steps 1 through 5 described below)

1. The resolver (client) sends a query for www.cisco.com to the local client name server (D-proxy).

2. The local D-proxy does not have the IP address for www.cisco.com so it sends a query to a root name server (".") asking for the IP address. The root name server responds by referring the D-proxy to the specific name server supporting the .com domain. The root name server can respond to the request in two different ways. The most common way is to send the D-proxy directly to the authoritative name server for tac.support.cisco.com. Another method, called iterated query, is when the root name server sends the D-proxy to an intermediate name server that knows the address of the authoritative name server tac.support.cisco.com.

3. The local D-proxy sends a query to the intermediate name server, which responds by referring the D-proxy to the authoritative name server for cisco.com and all the associated sub-domains.

4. The local D-proxy sends a query to the cisco.com authoritative name server. This name server is authoritative for cisco.com, which is the top-level domain. www.cisco.com is a sub-domain of cisco.com, so this name server is authoritative for the requested domain and sends the IP address to the D-proxy.

5. The D-proxy sends the IP address (198.133.219.25) to the client browser. The browser uses this IP address and initiates a connection to the www.cisco.com web site.

GSLB Using the GSS


The GSS addresses critical disaster recovery needs by globally load balancing distributed data centers. The GSS is designed to coordinate the efforts of SLBs, such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, a Web server, a cache or other geographically dispersed SLB in a global network deployment. Running on a Cisco Global Site Selector Series platform, the GSS can support up to 256 unique SLBs and over 4000 separate VIP addresses. The GSS coordinates the activities of SLBs by acting as the authoritative DNS server for those devices under its control.

When the Cisco GSS is responsible for GSLB services, the DNS process migrates to the GSS. The DNS configuration is the same process as described in the Request Resolution section. The only exception is that the NS-records point to the GSSs located at each data center. Ultimately, the Cisco GSS device determines which data center site should receive the client traffic. As the authoritative name server for a domain or subdomain, the GSS can consider additional information about the resources under its control when it receives requests from client name servers. Among the additional factors that the GSS is capable of considering when responding to a request are:

- Availability: Which servers are online and available to respond to the query?
- Proximity: Which server responded the fastest to a query?
- Load: What type of traffic load is each server handling in the domain?
- Source of the Request: From which D-proxy did the content request originate?
- Preference: What is the first, second, or third choice of algorithm to use in responding to a query?

This type of load balancing helps to ensure not only that end users are always directed to resources that are online, but also that requests are forwarded to the most suitable device, resulting in faster response times for users.

In resolving DNS requests, the Cisco GSS performs a series of distinct operations that take into account the resources under its control and return the best possible answer to the requesting client's D-proxy. The process outlined below describes how the GSS interacts with various clients as part of the website selection process to return the IP address of the requested content site. Figure 1-3 illustrates how this process works.

Figure 1-3 GSLB Using the Cisco Global Site Selector (diagram not reproduced; it shows clients on mobile, fixed wireless, cable, DSL, dedicated ATM/Frame Relay, and ISDN/dial connections, the client name servers (D-proxy), a DNS name server, GSS 1 and GSS 2, and Data Centers 1 through 3, linked by the DNS global control plane and the IP global forwarding plane, with the numbered steps described below)

1. A client starts to download an updated version of software from www.cisco.com and types www.cisco.com in the location or address field of the browser. This application is supported at three different data centers.

2. The request is processed by the DNS global control plane infrastructure and arrives at the Cisco GSS device.

3. The Cisco GSS offloads the site selection process from the DNS global control plane. The request and site selection are based on the load and health information in conjunction with customer-controlled load-balancing algorithms. The Cisco GSS, in real time, selects a data center that is available and not overloaded.

4. The Cisco GSS sends the IP address of the best server load balancer at a specific data center, in this case the SLB at Data Center 2.

5. The web browser processes the transmitted IP address.

6. The client is directed to the SLB at Data Center 2 by the IP control and forwarding plane.

GSS Architecture
This section describes the key components of a GSS deployment, including hardware and software, as well as GSS networking concepts. It includes:

- Global Site Selectors and Global Site Selector Managers
- DNS Rules
- Hosted Domains and Domain Lists
- Source Address and Source Address Lists
- Answers and Answer Groups
- Keepalives
- Balance Methods
- Locations and Regions
- Owners

Global Site Selectors and Global Site Selector Managers


The Global Site Selector solution relies on three distinct but closely related devices:

- GSS
- Primary GSSM
- Standby GSSM

GSS
The GSS is a Cisco Global Site Selector platform running GSS software and performing routing of DNS queries based on DNS rules and conditions configured using the GSSM. Each GSS is known to and synchronized with the primary GSSM, but individual GSSs do not report their presence or status to one another. Each GSS on your network must delegate authority to the parent domain GSS DNS server that serves the DNS requests. Each GSS is managed separately using the Cisco CLI. GUI support is not available on a GSS device. A device that acts as a GSS may also be serving as the primary GSSM for a GSS network.

Primary GSSM
The primary GSSM is a Cisco Global Site Selector platform running Cisco GSS software and performing content routing as well as centralized management functions for the GSS network. The primary GSSM serves as the organizing point of the GSS network, hosting the embedded GSS database that contains configuration information for all your GSS resources, such as individual GSSs and DNS rules. Other GSS devices report their status to the primary GSSM. Configuration changes initiated on the primary GSSM using the graphical user interface are automatically communicated to each device that the primary GSSM manages. Any GSS device can serve as a GSSM.

In addition to content routing configuration, a subset of device-monitoring and logging features is accessible from the GSSM GUI, though more extensive inquiries may require access to the GSS CLI for an individual device. Communication between administrators and the primary GSSM uses secure HTTP (HTTPS), and access to the primary GSSM graphical user interface is password-protected.

Standby GSSM
The standby GSSM is a Cisco Global Site Selector platform running Cisco GSS software and performing GSLB functions for the GSS network even while operating in standby mode. In addition, the standby GSSM can be configured to act as the GSSM should the primary GSSM go offline or become unavailable to communicate with other GSS devices. As with the primary GSSM, the standby GSSM is configured to run the GSSM GUI and contains a duplicate copy of the embedded GSS database that is currently installed on the primary GSSM. Any configuration or network changes affecting the GSS network are synchronized between the primary and the standby GSSM so that the two devices are never out of step.

The GUI is inaccessible on the standby GSSM until it is designated as the primary GSSM. The standby GSSM can be enabled as the primary GSSM using the gssm standby-to-primary CLI command. You must make sure that your original primary GSSM is offline before attempting to enable the standby GSSM as the new primary GSSM. Having two primary GSSMs active at the same time may result in the inadvertent loss of configuration changes for your GSS network. If this dual primary GSSM configuration occurs, the two primary GSSMs revert to standby mode and you will need to reconfigure one of the GSSMs as the primary GSSM.

The standby GSSM is capable of temporarily taking over the role as the primary GSSM in the event that the primary GSSM is unavailable (for example, you need to move the primary GSSM or you want to take it offline for repair or maintenance). The switching of roles between the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online. The interim primary GSSM can be used to monitor GSS behavior and make configuration changes if necessary.
Once the original primary GSSM is available, reassign the two GSSMs to their original roles in the GSS network as described in Chapter 9, GSS Administration and Troubleshooting, the Logically Removing a GSS or Standby GSSM from the Network section.

DNS Rules
The GSS uses DNS rules, as configured by the administrator through the primary GSSM GUI to:

- Provide you with centralized command and control of how the GSS globally load balances a given hosted domain
- Define the IP address(es) to send to the client's name server (D-proxy)
- Define the recovery method to use (using up to three load balance clauses)

DNS rules determine how the GSS responds to each query it receives by matching requests received from a known source, or D-proxy, to the most suitable member of a collection of name servers or virtual IP addresses (VIPs). Each DNS rule takes into account four variables:

- The source IP address of the requesting D-proxy
- The requested hosted domain
- An answer group, which is a group of resources considered for the response
- A balance method, which is an algorithm for selecting the best server (a balance method together with an answer group makes up a clause)

A DNS rule defines how a request is handled by the GSS by answering the following question: When traffic arrives from a DNS proxy, querying a specific domain name, what resources should be considered for the response, and how should they be balanced? Each GSS network supports a maximum of 4000 DNS rules. Up to three possible response answer group and balance method clauses are available for each DNS rule. Each clause specifies that a particular answer group serve the request and a specific balance method be used to select the best resource from that answer group. These clauses are evaluated in order, with parameters established to determine when one clause should be skipped in the event that the first answer group and balance method specified does not yield an answer, and the next clause is used.

Hosted Domains and Domain Lists


A hosted domain (HD) is any domain or subdomain that has been delegated to the GSS and configured using the primary GSSM GUI for DNS query responses. In other words, a hosted domain is a DNS domain name for which the GSS is authoritative. All DNS queries must match a domain belonging to a configured domain list, or else they are denied by the GSS. Queries that do not match domains on any GSS domain lists can also be forwarded by the GSS to an external DNS name server for resolution. Hosted domains may or may not correspond to standard third-level domain names but cannot exceed 128 characters in length. Domain names that use wildcards are supported by the GSS. The GSS supports POSIX 1003.2 extended regular expressions when matching wildcards. The following examples could be domain or sub-domain names configured on the GSS:
cisco.com
www.cisco.com
www.support.cisco.com
.*\.cisco\.com

Domain lists are groups of hosted domains that have been delegated to the GSS. Each GSS can support a maximum of 2000 hosted domains and 2000 hosted domain lists, with a maximum of 500 hosted domains supported for each domain list. Using the DNS rules feature of the primary GSSM graphical user interface, requests for any member of a domain list are matched to an answer (a resource hosting the content being requested) using one of a number of balance methods. Refer to Chapter 5, Configuring Domain Lists, for more information on configuring domain lists.

Source Address and Source Address Lists


The term source address refers to the source of DNS queries received by the GSS. Source addresses might point to an IP address or block of addresses representing client D-proxies from which queries originate.

Using DNS rules, the GSS matches source addresses to domains hosted by the GSS using one of a number of different balance methods. Source addresses are taken from the D-proxy (the local name server) to which a requesting client issued a recursive request. The D-proxy iterates the client queries to multiple name servers, eventually querying the GSS, which matches the D-proxy address against its list of configured source addresses. DNS queries received by the GSS do not have to match a specific D-proxy in order to be routed; default routing can be performed on requests that do not emanate from a known source address. A fail safe Anywhere source address list is provided by default. Incoming queries that do not match your configured source address lists are matched to this list. In addition to specific IP addresses, source addresses can also be set up to represent address blocks using variable-prefix-length classless interdomain routing (CIDR) block masking. For example, the following would all be acceptable GSS source addresses:
192.168.1.110
192.168.1.110/32
192.168.1.0/24
192.168.0.0/16

Source addresses are grouped into lists, referred to as source address lists, for the purposes of routing requests. Source address lists can contain between 1 and 30 source addresses, or unique address blocks. Each GSS supports up to 60 source address lists.

Answers and Answer Groups


In a GSS network, the term answers refers to resources to which the GSS resolves DNS requests that it receives. There are three types of possible answers on a GSS network. These answers include:

- VIP: Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, a Web server, a cache or other geographically dispersed SLBs in a global network deployment.
- Name Server: Configured DNS name server on your network that can answer queries that the GSS cannot resolve.
- CRA: Content routing agents that use a resolution process called DNS race to send identical and simultaneous responses back to a user's D-proxy.

As with domains and source addresses, answers are configured using the primary GSSM GUI by identifying the IP address to which queries can be directed. Once created, answers are grouped together as resource pools called answer groups, from which the GSS, using up to three possible response answer group and balance method clauses in a DNS rule, can choose the most appropriate resource to serve each user request. Each balance method provides a different algorithm for selecting one answer from a configured answer group. Each clause specifies that a particular answer group serve the request and a specific balance method be used to select the best resource from that answer group. Depending on the type of answer, further intelligence can be applied to DNS queries to choose the best host. For example, a request that is routed to a VIP associated with a Cisco CSS is routed to the best resource based on load and availability, as determined by the CSS. A request that is routed to a CRA is routed to the best resource based on proximity, as determined in a DNS race conducted by the GSS.
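The rule matching described in the DNS Rules, Hosted Domains, Source Address, and Answers sections above, as an added example (not Cisco code and not part of the original guide). The class names, the two simplified balance methods, the rule ordering, and the sample addresses are assumptions made for illustration, and Python's re module stands in for POSIX extended regular expressions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from itertools import count

# Characters that mark a hosted-domain entry as a wildcard pattern (assumption).
REGEX_CHARS = set("*?[](){}+|\\^$")


@dataclass
class Answer:
    name: str
    vip: str
    online: bool = True  # result of the most recent keepalive


@dataclass
class Clause:
    """One answer group plus the balance method applied to it."""
    answers: list
    method: str = "ordered"  # "ordered" or "round-robin" (simplified)
    _rr: count = field(default_factory=count, repr=False)

    def pick(self):
        # Answers whose keepalive failed are never returned.
        live = [a for a in self.answers if a.online]
        if not live:
            return None
        if self.method == "round-robin":
            return live[next(self._rr) % len(live)]
        return live[0]


def domain_matches(entry, qname):
    """Literal entries match exactly; wildcard entries must match the whole name."""
    qname = qname.rstrip(".").lower()
    if REGEX_CHARS & set(entry):
        return re.fullmatch(entry, qname, re.IGNORECASE) is not None
    return entry.lower() == qname


class DnsRule:
    def __init__(self, name, sources, domains, clauses):
        # Limits taken from the text above.
        if not 1 <= len(sources) <= 30:
            raise ValueError("a source address list holds 1 to 30 entries")
        if not 1 <= len(clauses) <= 3:
            raise ValueError("a DNS rule has one to three clauses")
        if any(len(d) > 128 for d in domains):
            raise ValueError("hosted domains cannot exceed 128 characters")
        self.name = name
        self.networks = [ipaddress.ip_network(s) for s in sources]
        self.domains = list(domains)
        self.clauses = list(clauses)
        # A /0 block plays the role of the default "Anywhere" list.
        self.anywhere = any(n.prefixlen == 0 for n in self.networks)

    def matches(self, src, qname):
        return (any(src in n for n in self.networks)
                and any(domain_matches(d, qname) for d in self.domains))


def resolve(rules, dproxy_ip, qname):
    """Return (rule, clause number, VIP), or None when the query is denied."""
    src = ipaddress.ip_address(dproxy_ip)
    # Assumption: configured source lists are tried before the Anywhere list.
    for rule in sorted(rules, key=lambda r: r.anywhere):
        if not rule.matches(src, qname):
            continue
        for number, clause in enumerate(rule.clauses, start=1):
            answer = clause.pick()
            if answer is not None:
                return (rule.name, number, answer.vip)
        return (rule.name, None, None)  # rule matched, no clause had a live answer
    return None


def build_sample():
    """Constructed sample: three data-center VIPs and two DNS rules."""
    answers = {
        "dc1": Answer("dc1", "192.0.2.10"),
        "dc2": Answer("dc2", "198.51.100.10"),
        "dc3": Answer("dc3", "203.0.113.10"),
    }
    rules = [
        DnsRule("default", ["0.0.0.0/0"], [r".*\.example\.com"],
                [Clause([answers["dc3"], answers["dc2"]])]),
        DnsRule("branch", ["192.168.1.0/24"], ["www.example.com"],
                [Clause([answers["dc1"]]),
                 Clause([answers["dc2"], answers["dc3"]], "round-robin")]),
    ]
    return rules, answers


if __name__ == "__main__":
    rules, answers = build_sample()
    print(resolve(rules, "192.168.1.110", "www.example.com"))
    answers["dc1"].online = False  # keepalive for DC1 fails
    print(resolve(rules, "192.168.1.110", "www.example.com"))
    print(resolve(rules, "10.9.8.7", "www.other.org"))
```

A wildcard written with unescaped dots, such as .*.example.com, also matches www.notexample.com, which is why the guide's own wildcard example escapes each dot.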

VIP Answers
VIP answers are used by SLBs to represent content hosted on one or more servers under their control. The use of VIP answers allows for traffic to be balanced among multiple origin servers, application servers, or transaction servers in a way that results in faster response times for users and less network congestion for the host. When queried by a client's D-proxy for a domain associated with a VIP answer type, the GSS responds with the VIP address of the SLB best suited to handle that request. The requesting client then contacts the SLB, which load balances the request to the server best suited to respond.

Name Server Answers


A name server answer specifies the IP address of a DNS name server to which DNS queries are forwarded from the GSS. Using the name server forwarding feature, queries are forwarded to an external (non-GSS) name server for resolution, with the answer passed back to the GSS name server and from there to the requesting D-proxy. As such, the name server answer type can act as a guaranteed fallback resource, a way to resolve requests that the GSS cannot resolve itself, because of the following reasons:

- The requested content is unknown to the GSS.
- The resources that typically handle such requests are unavailable.
- To use DNS server features that are not supported by the GSS, such as mail exchanger (type MX) records.
- To use a third-party content provider for failover and error recovery.
- To build a tiered DNS system.

CRA Answers
The CRA (content routing agent) answer relies on content routing agents and the GSS to choose a suitable answer for a given query based on the proximity of two or more possible hosts to the requesting D-proxy. With the CRA answer, requests received from a particular D-proxy are served by the content server that responds first to the request. Response time is measured using a DNS race, coordinated by the GSS and content routing agents running on each content server. In the DNS race, multiple hosts respond simultaneously to an A-record request. The server with the fastest response time (the shortest network delay between itself and the client's D-proxy) is chosen to serve the content. For the GSS to initiate a DNS race it needs two pieces of information:

- The delay between the GSS and each of the CRAs in each data center. With this data the GSS computes how much time to delay the race from each data center so each CRA starts the race simultaneously.
- The online status of the CRA through the use of keepalives.

The boomerang balance method uses the DNS race to determine the best site. See the Boomerang (DNS Race) section for more information on this balance method.

Keepalives
In addition to specifying a resource, each answer also provides you with the option of specifying a keepalive for that resource, a method by which the GSS can periodically check to see if the resource is still active. A keepalive is a specific interaction (handshake) between the GSS and another device using a commonly supported protocol. A keepalive is designed to test if a specific protocol on the device is functioning properly. If the handshake is successful, then the device is available, active, and able to receive traffic. If the handshake fails, then the device is considered to be unavailable and inactive. All answers are validated by configured keepalives and are not returned by the GSS to the D-proxy if the keepalive indicates that the answer is not viable. The GSS uses keepalives to collect and track information on everything from the simple online status of VIPs to services and applications running on a server. Depending on the type of resource that you are configuring as a GSS answer (for example, a VIP address associated with a Cisco CSS or a virtual server IP address associated with a CSM), you have the option of configuring a keepalive for that answer that is used to monitor its online status continually and report that information to the GSSM. Routing decisions involving that answer consider that online status information. The GSS also supports the use of shared keepalives to minimize traffic between the GSS and the SLBs that it is monitoring. A shared keepalive identifies a common address or resource that can provide status for multiple answers. Shared keepalives are not used with name server or CRA answers. The sections that follow explain the various keepalive types supported by the GSS:

- ICMP
- TCP
- HTTP-HEAD
- KAL-AP
- CRA
- Name Server
- None
- Adjusting Failure Detection Time for Keepalives

ICMP
An ICMP keepalive is used when the GSS answer that you are testing is a VIP address, IP address, or a virtual server IP address. The Internet Control Message Protocol (ICMP) keepalive type monitors the health of resources by issuing queries containing ICMP packets to the configured VIP address (or a shared keepalive address) for the answer. Online status is determined by a response from the targeted address, indicating simple connectivity to the network. The GSS supports up to 500 ICMP keepalives when using the standard detection method and up to 100 ICMP keepalives when using the fast detection method. See the Adjusting Failure Detection Time for Keepalives section for details.

TCP
A TCP keepalive is used when the GSS answer that you are testing is a GSLB device that may be something other than a CSS or CSM. These GSLB remote devices could include web servers, LocalDirectors, WAP gateways, and other devices that can be checked using a TCP keepalive. The TCP keepalive initiates a TCP connection to the remote device by performing the three-way handshake sequence. Once the TCP connection is established, the GSS terminates the connection. You can choose to terminate the connection from two termination methods: Reset (immediate termination using a hard reset) or Graceful (standard three-way handshake termination). The GSS supports up to 500 TCP keepalives when using the standard detection method and up to 100 TCP keepalives when using the fast detection method. Refer to the Adjusting Failure Detection Time for Keepalives section for details.

HTTP-HEAD
An HTTP HEAD keepalive is used when the GSS answer that you are testing is an HTTP web server acting as a standalone device or managed by an SLB device such as a Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, or Cisco LocalDirector. The HTTP-HEAD keepalive type sends a TCP formatted HTTP HEAD request to a web server at an address that you specify, returning the online status of the device in the form of an HTTP Response Status Code of 200 (for example, HTTP/1.0 200 OK).

Once the HTTP HEAD connection is established, the GSS terminates the connection. You can choose to terminate the connection from two termination methods: Reset (immediate termination using a hard reset) or Graceful (standard three-way handshake termination). The GSS supports up to 500 HTTP HEAD keepalives when using the standard detection method and up to 100 HTTP HEAD keepalives when using the fast detection method. Refer to the Adjusting Failure Detection Time for Keepalives section for details.
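A sketch of what the TCP and HTTP-HEAD keepalive checks described above do on the wire, including the Reset and Graceful termination methods. This is an added example, not the GSS implementation; the function names, the 2-second default timeout, and the loopback target are assumptions.

```python
import socket
import struct

TERMINATIONS = ("reset", "graceful")


def _terminate(sock, termination):
    """Close the probe connection with the configured termination method."""
    if termination == "reset":
        # SO_LINGER enabled with a zero timeout makes close() send a RST.
        # The two-int layout of struct linger is the Linux/BSD one.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    else:
        try:
            sock.shutdown(socket.SHUT_RDWR)  # orderly FIN close
        except OSError:
            pass  # peer already closed its side
    sock.close()


def _connect(host, port, termination, timeout):
    if termination not in TERMINATIONS:
        raise ValueError("termination must be 'reset' or 'graceful'")
    try:
        return socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None  # refused, unreachable or timed out: treat answer as offline


def tcp_keepalive(host, port, termination="reset", timeout=2.0):
    """Online if the TCP three-way handshake completes."""
    sock = _connect(host, port, termination, timeout)
    if sock is None:
        return False
    _terminate(sock, termination)
    return True


def http_head_keepalive(host, port, path="/", termination="reset", timeout=2.0):
    """Online only if a HEAD request is answered with status code 200."""
    sock = _connect(host, port, termination, timeout)
    if sock is None:
        return False
    try:
        sock.sendall(f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        data = b""
        while b"\r\n" not in data and len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
        fields = data.split(b"\r\n", 1)[0].split()
        return len(fields) >= 2 and fields[0].startswith(b"HTTP/") and fields[1] == b"200"
    except OSError:
        return False
    finally:
        _terminate(sock, termination)


if __name__ == "__main__":
    # Constructed target: a loopback listener standing in for a monitored VIP.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    print("listener up:", tcp_keepalive("127.0.0.1", port, "graceful"))
    listener.close()
    print("listener down:", tcp_keepalive("127.0.0.1", port, "reset"))
```

A TCP keepalive only proves that the port accepts connections, while the HTTP-HEAD check also fails when the web server answers with anything other than 200.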

KAL-AP
A KAL-AP (KeepAlive-Appliance Protocol) keepalive is used when the GSS answer that you are testing is a VIP associated with a Cisco CSS or a Cisco CSM. The KAL-AP keepalive type sends a detailed query to both a primary (master) and an optional secondary (backup) circuit address that you specify, returning the online status of each interface as well as information on load. Depending on your GSS network configuration, the KAL-AP keepalive can be used to either query a VIP address directly (KAL-AP By VIP) or query an address by way of an alphanumeric tag (KAL-AP By Tag). Using a KAL-AP By Tag keepalive query can be particularly useful in the following cases:

- You are attempting to determine the online status of a device that is located behind a firewall that is performing Network Address Translation (NAT).
- There are multiple content rule choices on the SLB.

The GSS supports up to 128 primary and 128 secondary KAL-AP keepalives when using the standard detection method and up to 40 primary and 40 secondary KAL-AP keepalives when using the fast detection method. See the Adjusting Failure Detection Time for Keepalives section for details.

CRA
The CRA keepalive is used when you are testing a CRA answer that responds to DNS race requests. The CRA keepalive type tracks the time required (in milliseconds) for a packet of information to reach the CRA and return to the GSS. The GSS supports up to 200 CRA keepalives.

Name Server
The name server keepalive sends a query to the IP address of the name server for a query domain that you specify (for example, www.cisco.com). Online Status for the name server answer is determined by the ability of the name server or D-proxy for the query domain to respond to the query and assign the domain to an address. The GSS supports up to 100 name server keepalives.

None
With the keepalive set to None, the GSS assumes that the named answer is always online. Setting the keepalive type to None prevents your GSS from taking online status or load into account when routing. However, a keepalive of None can be useful under certain conditions, such as when adding devices to your GSS network that are not suited to other keepalive types. In general, ICMP is a simple and flexible keepalive type that works with most devices. Using ICMP is preferable to using the None option.

Adjusting Failure Detection Time for Keepalives


Failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurred (the answer resource goes offline) and when the GSS realized the failure occurred. The failure detection window is the window of time that the GSS may wait, once a keepalive cycle has been initiated, before determining that an answer has failed. If a response packet fails to arrive back to the GSS within this window the answer is marked offline. The GSS supports two failure detection modes, standard and fast. The standard GSS detection time is typically 60 seconds before the GSS detects that a failure has occurred. Standard mode allows adjustment of the following parameters:

- Response Timeout - The length of time allowed before the GSS retransmits data to a device that is not responding to a request. The valid entries are 20 to 60 seconds. The default is 20 seconds.
- Minimum Interval - The minimum frequency with which the GSS attempts to schedule a keepalive. The valid entries are 40 to 255 seconds. The default is 40 seconds.

With fast mode, the GSS controls the failure detection time through use of the following keepalive transmission interval formula:

(# Ack'd Packets * (Response TO + (Retry TO * # of Retries))) + Timed Wait

where:

# Ack'd Packets = Number of packets that require some form of acknowledgement (how many packets require acknowledgement)
Response TO = Response Timeout (how long to wait for a reply for a packet that requires acknowledgement)
Retry TO = Retry Timeout (how long to wait for a reply for a retransmitted packet)
# of Retries = Number of Retries (how many times the GSS retransmits packets to a potentially failed device before declaring the device offline)
Timed Wait = Time for remote side of the connection to close (TCP-based keepalive only)

Table 1-1 summarizes how the GSS software calculates the fast keepalive transmission rates.
Table 1-1 Keepalive Transmission Rates

Keepalive Type  | # Ackd Packets (Fixed Value) | Response TO (Fixed Value) | Retry TO (Fixed Value) | # of Retries (User Selectable) | Timed Wait (Fixed Value) | Transmission Interval
KAL-AP          | 1 | 2 seconds | 2 seconds | 1 | 0         | 4 seconds
ICMP            | 1 | 2 seconds | 2 seconds | 1 | 0         | 4 seconds
TCP (RST)       | 1 | 2 seconds | 2 seconds | 1 | 0         | 4 seconds
TCP (FIN)       | 2 | 2 seconds | 1 second  | 1 | 2 seconds | 10 seconds
HTTP HEAD (RST) | 2 | 2 seconds | 2 seconds | 1 | 0         | 8 seconds
HTTP HEAD (FIN) | 3 | 2 seconds | 2 seconds | 1 | 2 seconds | 14 seconds


In the case of a TCP (RST) connection, the default transmission interval for a TCP keepalive would be:

(1 * (2 + (2 * 1))) + 0 = 4 seconds

You can adjust the number of retries for the ICMP, TCP, HTTP HEAD, and KAL-AP keepalive types. The number of retries defines how many times the GSS retransmits packets to a potentially failed device before declaring the device offline. The range is 1 to 10 retries. The default is 1.

As you adjust the number of retries, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect.

The number of retries value is associated with every packet that requires some form of acknowledgement before continuing with a keepalive cycle (ICMP requests, TCP SYN, or TCP FIN). For example, to fully complete a TCP-based keepalive cycle, the TCP-based keepalive retries the SYN packet for the specified number of retries, and then retries the FIN packet for the specified number of retries.

In the above example of a TCP (RST) connection, if you change the number of retries from the default value of 1 to a setting of 5, the transmission interval would be:

(1 * (2 + (2 * 5))) + 0 = 12 seconds

Figure 1-4 illustrates the effect on the keepalive transmission interval as you increase the number of retries value.


Figure 1-4 Effect of the Number of Retries Value on the Keepalive Transmission Interval

[Graph: Fast Keepalive Intervals. X axis: Number of Retries (0 to 10). Y axis: KAL Interval in Seconds (0 to 80). Series: KALAP, ICMP, & TCP (Reset); HTTP-HEAD (Reset); TCP (Standard Close); HTTP-HEAD (Standard Close).]
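The formula and Table 1-1 above, worked as an added Python example (not Cisco code; the function names are assumptions). It tabulates the interval for every retry setting from 1 to 10, the data that Figure 1-4 plots, and reports any row whose printed interval differs from the formula: the TCP (FIN) row as printed, with a 1-second Retry TO, computes to 8 seconds rather than the listed 10.

```python
"""Fast-mode keepalive transmission interval, from the formula and Table 1-1."""

# Per keepalive type, as printed in Table 1-1:
# (# acked packets, response timeout s, retry timeout s, timed wait s,
#  transmission interval listed for the default of 1 retry)
TABLE_1_1 = {
    "KAL-AP":          (1, 2, 2, 0, 4),
    "ICMP":            (1, 2, 2, 0, 4),
    "TCP (RST)":       (1, 2, 2, 0, 4),
    "TCP (FIN)":       (2, 2, 1, 2, 10),
    "HTTP HEAD (RST)": (2, 2, 2, 0, 8),
    "HTTP HEAD (FIN)": (3, 2, 2, 2, 14),
}

RETRY_RANGE = range(1, 11)  # user selectable: 1 to 10 retries, default 1


def fast_interval(kal_type, retries=1):
    """(# Ackd Packets * (Response TO + (Retry TO * # of Retries))) + Timed Wait"""
    if retries not in RETRY_RANGE:
        raise ValueError("number of retries must be between 1 and 10")
    acked, response_to, retry_to, timed_wait, _listed = TABLE_1_1[kal_type]
    return acked * (response_to + retry_to * retries) + timed_wait


def retry_curve(kal_type):
    """Interval in seconds for 1..10 retries (one series of Figure 1-4)."""
    return [fast_interval(kal_type, n) for n in RETRY_RANGE]


def table_mismatches():
    """Rows whose listed interval differs from the formula at 1 retry.

    Returns {keepalive type: (computed seconds, listed seconds)}.
    """
    found = {}
    for kal_type, row in TABLE_1_1.items():
        computed = fast_interval(kal_type, 1)
        if computed != row[4]:
            found[kal_type] = (computed, row[4])
    return found


if __name__ == "__main__":
    print("retries".ljust(16), list(RETRY_RANGE))
    for kal_type in TABLE_1_1:
        print(kal_type.ljust(16), retry_curve(kal_type))
    print("formula vs. listed interval:", table_mismatches())
```
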

You can also define the number of consecutive successful keepalive attempts (probes) that must occur before the GSS identifies that an offline answer is now online. The GSS monitors each keepalive attempt to determine whether it has been successful. The number of successful probes parameter identifies how many consecutive successful keepalive attempts must be recognized by the GSS before bringing an answer back online and reintroducing it back into the GSS network.


Balance Methods
The GSS supports six unique balance methods that allow you to specify how a GSS answer should be selected to respond to a given DNS query. Each balance method provides a different algorithm for selecting one answer from a configured answer group. The sections that follow explain the various balance methods supported by the GSS:

• Ordered List
• Round-Robin
• Weighted Round-Robin
• Least Loaded
• Hash (based on source address or hosted domain)
• Boomerang (DNS race)

Ordered List
Using the ordered list balance method, each resource within an answer group (for example, an SLB VIP or a name server) is assigned a number that corresponds to the rank of that answer within the group. The number you assign represents the order of the answer on the list. Subsequent VIPs or name servers on the list will only be used in the event that preceding VIPs or name servers on the list are unavailable. The GSS supports gaps in numbering in an ordered list.

Note

For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.

Using the ranking of each answer, the GSS tries each resource in the order that has been prescribed, selecting the first available (live) answer to serve a user request. List members are given precedence and tried in order, and a member is not used unless all previous members fail to provide a suitable result. The ordered list method is typically useful in managing resources across multiple content sites in which a deterministic method for selecting answers is required.


See the "Balance Method Options for Answer Groups" section for information on how the GSS determines which answer to select when using the ordered list balance method.

Round-Robin
Using the round-robin balance method, each resource within an answer group is tried in turn, with the GSS cycling through the list of answers, selecting the next answer in line for each request. In this way, the GSS can resolve requests by evenly distributing the load among possible answers. The round-robin balance method is useful when balancing requests among multiple, active data centers that are hosting identical content; for example between SLBs at a primary and at an active standby site that serves requests.

See the "Balance Method Options for Answer Groups" section for information on how the GSS determines which answer to select when using the round-robin balance method.

Weighted Round-Robin
As with the round-robin balance method, the weighted round-robin method cycles through a list of defined answers, choosing each available answer in turn. However, with weighted round-robin, an additional weight factor is assigned to each answer, biasing the GSS toward certain servers, so that they are used more often.

See the "Balance Method Options for Answer Groups" section for information on how the GSS determines which answer to select when using the weighted round-robin balance method.

Least Loaded
Using the least loaded balance method, the GSS resolves requests to the least loaded of all resources, as reported by the KAL-AP keepalive process, which provides the GSS with detailed information on the SLB load and availability. The least loaded balance method resolves the request by determining the least number of connections on a CSM or the least-loaded CSS.


See the "Balance Method Options for Answer Groups" section for information on how the GSS determines which answer to select when using the least loaded balance method.

Hash
Using the source address and domain hash balance method, elements of the client's DNS proxy IP address and the requesting client's domain are extracted and used to create a unique value, referred to as a hash value. The unique hash value is attached to and used to identify a VIP that is chosen to serve the DNS query. The use of hash values makes it possible to stick traffic from a particular requesting client to a specific VIP, ensuring that future requests from that client are routed to the same VIP. This type of continuity can be used to facilitate features such as online shopping baskets in which client-specific data is expected to persist even when client connectivity to a site is terminated or interrupted.

The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group.

• By Source Address - The GSS selects the answer based on a hash value created from the source address of the request.
• By Domain Name - The GSS selects the answer based on a hash value created from the requested domain name.

Boomerang (DNS Race)


The GSS supports the boomerang (DNS race) method of proximity routing, a type of DNS resolution that is initiated by the GSS and is designed to load balance between 2 and 20 sites. Based on the concept that instantaneous proximity can be determined if a content routing agent (CRA) within each data center sends an A-record (IP address) at the exact same time to the client's D-proxy, the DNS race method of DNS resolution gives all possible CRAs (which can be either Cisco Content Engines or Content Services Switches) a fair chance at resolving a client request and allows for proximity to be determined without probing the client's D-proxy. Whatever A-record is received first by the D-proxy is by default the most proximate.


For the GSS to initiate a DNS race, it needs to establish two pieces of information for each CRA:

• The delay between the GSS and each of the CRAs in each data center. With this data, the GSS computes how long to delay the race from each data center, so that each CRA starts the race simultaneously.
• The online status of the CRAs. With this data, the GSS knows not to forward requests to any CRA that is not responding.

The Boomerang server on the GSS gathers this information by sending keepalive messages at predetermined intervals. This data, along with the IP addresses of the CRAs, is used to request the exact start time of the DNS race. Finally, for the CRA response to be accepted by the D-proxy, each CRA must spoof the IP address of the GSS to which the DNS request was sent when responding.

Balance Method Options for Answer Groups


For most balance methods supported by the GSS, there are additional configuration options that you must consider when you group specific answers in an answer group. These configuration options ensure that the GSS properly applies the balance method for answers, and they ensure that you are getting the best possible results from your GSS device. Table 1-2 describes the available balance method options for each answer type (VIP, CRA, or NS).


Table 1-2 Balance Method Options for Answer Types

Answer Type | Balance Methods Used                                                | Balance Method Options
VIP         | Hash, Least loaded, Ordered list, Round-robin, Weighted round-robin | Order, LT (Load Threshold), Weight
Name server | Hash, Ordered list, Round-robin, Weighted round-robin               | Order, Weight
CRA         | Boomerang (DNS race)                                                | None

The following sections explain each of the balance method options available for an answer in an answer group.

Order
The order option is used when the balance method for the answer group is Ordered List. Answers on the list are given precedence based upon their position in the list in responding to requests.

Weight
The weight option is used when the balance method for the answer group is weighted round-robin or least loaded. Weights are specified by a number between 1 and 10 and indicate the capacity of the answer to respond to requests. The weight is used to create a ratio that the GSS uses when directing requests to each answer. For example, if Answer A has a weight of 10 and Answer B has a weight of 1, Answer A receives 10 requests for every 1 directed to Answer B.


When used with the weighted round-robin balance method, the number listed is used by the GSS to create a ratio of the number of times the answer is used to respond before the next answer on the list is tried. When used with the least-loaded balance method, the number listed is used by the GSS as the divisor in calculating the load number associated with the answer, which is used to create a bias in favor of answers with greater capacity.

Load Threshold
The load threshold is used when the answer type is VIP and the keepalive method is KAL-AP to determine whether an answer is available, regardless of the balance method used. The load threshold specifies a number between 2 and 254 that is compared to the load being reported by the answer device. If the answer's load is greater than the specified threshold, the answer is considered offline and unavailable to serve further requests. The load threshold value can also be used in conjunction with the weight assigned to an answer, with the weight acting as a divisor for the load threshold in calculating capacity. When there are multiple answers to choose from, the GSS software compares the load threshold to the load reported by the answer device to determine if the answer is available, and then selects the answer.
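A small model of the ordered list, weighted round-robin and least loaded selection rules described in the sections above, including the Order, Weight and Load Threshold options. This is an added example, not Cisco's code: the Answer class, the function names and the sample answer group are assumptions, and the hash and boomerang methods are not modelled.

```python
"""Model of GSS answer selection for three balance methods (illustrative only)."""
from dataclasses import dataclass


@dataclass
class Answer:
    name: str
    order: int = 0              # Order option (ordered list)
    weight: int = 1             # Weight option, 1 to 10
    load: int = 0               # load reported by the answer device (KAL-AP)
    load_threshold: int = 254   # Load Threshold option, 2 to 254
    online: bool = True         # keepalive state

    def available(self):
        # A reported load above the threshold makes the answer offline.
        return self.online and self.load <= self.load_threshold


def ordered_list(answers):
    """First available answer by ascending order number; gaps are allowed."""
    by_order = {}
    for a in answers:
        # Only the first answer carrying a given order number is ever used.
        by_order.setdefault(a.order, a)
    for order in sorted(by_order):
        if by_order[order].available():
            return by_order[order]
    return None


class WeightedRoundRobin:
    """Use each available answer `weight` times, then move to the next one.

    With every weight left at 1 this is plain round-robin.
    """

    def __init__(self, answers):
        self.answers = answers
        self.idx = 0     # position in the answer list
        self.used = 0    # times the current answer was returned this turn

    def next(self):
        if not self.answers:
            return None
        # len + 1 steps: enough to wrap around to the current answer again.
        for _ in range(len(self.answers) + 1):
            a = self.answers[self.idx]
            if a.available() and self.used < a.weight:
                self.used += 1
                return a
            self.idx = (self.idx + 1) % len(self.answers)
            self.used = 0
        return None      # nothing in the group is available


def least_loaded(answers):
    """Lowest load/weight among available answers (weight is the divisor)."""
    live = [a for a in answers if a.available()]
    return min(live, key=lambda a: a.load / a.weight, default=None)


def sample_group():
    """Constructed answer group; names and numbers are illustrative."""
    return [
        Answer("vip-sj", order=10, weight=3, load=60, load_threshold=200),
        Answer("vip-ny", order=10, weight=1, load=30, load_threshold=200),  # duplicate order
        Answer("vip-ldn", order=30, weight=2, load=50, load_threshold=40),  # over threshold
        Answer("vip-tok", order=40, weight=1, load=45, load_threshold=200),
    ]


if __name__ == "__main__":
    group = sample_group()
    print("ordered list :", ordered_list(group).name)
    wrr = WeightedRoundRobin(group)
    print("weighted RR  :", [wrr.next().name for _ in range(8)])
    print("least loaded :", least_loaded(group).name)
    group[0].online = False   # the first-ranked site fails its keepalive
    print("after failure:", ordered_list(group).name)
```

In the sample group vip-ny shares order number 10 with vip-sj, so the ordered list never selects it, even when vip-sj is offline; this is why the guide recommends a unique order number for each answer.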


Locations and Regions


As your GSS network grows, the job of organizing and administering your GSS resources (answers and answer groups, domain lists, and DNS rules) becomes a more complex problem. For that reason, the GSS makes features available to you that help you make sense of and organize your resources. Among these resources are:

• Locations - Logical groupings for GSS resources that correspond to geographical areas such as a city, data center, or content site
• Regions - Higher-level geographical groupings that contain one or more locations

In addition to allowing you to easily sort and navigate long lists of answers and DNS rules, the use of logical groupings such as locations and regions makes it easier to perform bulk administration of GSS resources. For example, in the primary GSSM, you can suspend or activate all answers linked to a particular GSS data center, shutting down a site for scheduled maintenance and then bringing it back online with only a few mouse clicks.

Owners
Owners serve a purpose similar to that of locations and regions in the GSS, providing a simple way to organize and identify groups of related GSS resources. However, whereas regions and locations are used to make geographical sense of your GSS network, owners are used to group resources according to other organizational schemes.

For example, a service provider using the GSS to manage multiple hosting sites might create an owner for each web or application hosting customer. With this organizational scheme, domain lists containing that customer's hosted content, as well as DNS rules, answer groups, and source address lists that specify how traffic to those domains should be processed, can all be associated with and managed through the owner.

Deployed on a corporate intranet, owners can be used to segregate GSS resources on a department-by-department basis, or to allocate specific resources to IT personnel. For example, you could create an owner for the finance, human resources, and sales departments so that resources corresponding to each can be viewed and managed together.


GSS Network Deployment


A typical GSS deployment may contain up to eight GSS devices deployed on a corporate intranet or the Internet. At least one GSS, and no more than two GSSs, must be configured as a primary GSSM and a standby GSSM. The GSSM monitors other GSS devices on the network and offers features for managing and monitoring request routing services using a GUI accessible through secure HTTP. Only one GSSM can be active at any time, with the second GSSM serving as a standby, or backup device.

The GSSM functionality is embedded on each GSS, and any GSS device can be configured to act as a primary GSSM or a standby GSSM. Refer to Chapter 2, "Setting Up Your GSS," for details.

Additional GSSs beyond the primary and standby GSSM that are configured on the GSS network respond to DNS requests and transmit periodic keepalives to provide resource state information about devices. These GSS devices do not perform GSS network management tasks.

This section describes a typical network deployment of the GSS and includes:

• Locating GSS Devices
• Locating GSS Devices Behind Firewalls
• Communication Between GSS Nodes
• Deployment Within Data Centers

Locating GSS Devices


Although it is your organization that determines where your GSS devices are deployed in your network, some general guidelines must be observed. Because the GSS serves as the authoritative name server for one or more domains, each GSS must be publicly or privately addressable on your enterprise network. That way, the D-proxy clients that are requesting content can find the GSSs that have been charged with handling requests for that content.


Options are available for delegating responsibility for your domain to your GSS devices, depending on traffic patterns to and from your domain. For example, given a network containing five GSS devices, you might choose to modify your parent domain DNS servers so that all traffic sent to your domain is directed to each of your GSS devices. Or you might choose to have a subset of your traffic delegated to one or more of your GSSs, with other devices handling other segments of your traffic.

Refer to the "Delegation to GSS Devices" section in Chapter 8, "Building and Modifying DNS Rules," for information on modifying your network's DNS configuration to accommodate the addition of GSSs to your network.

Locating GSS Devices Behind Firewalls


Deploying a firewall can be of immense benefit in preventing unauthorized access to your GSS network, as well as thwarting common denial of service (DoS) attacks on your GSS devices. Besides being deployed behind your corporate firewall, the GSS comes with robust packet-filtering features that enable GSS administrators to permit and disallow traffic to any GSS device.

When positioning your GSS behind a firewall or enabling packet filtering on the GSS itself, you must properly configure each device (the firewall and the GSS) to allow valid network traffic to reach the GSS device on specific ports. In addition to requiring HTTPS traffic to access the primary GSS graphical user interface, you may want to configure your GSSs to allow FTP, Telnet, and SSH access through certain ports. In addition, GSSs must be able to communicate their status to and receive configuration information from the GSSM. Finally, primary and standby GSSMs must be able to communicate and synchronize with one another.

Refer to the "Filtering GSS Traffic Using Access Lists" section in Chapter 9, "GSS Administration and Troubleshooting," for a discussion of the access-list and access-group CLI commands and for instructions on limiting incoming traffic. See the "Deploying GSS Devices Behind Firewalls" section in that chapter as well for information on which ports must be enabled and left open for the GSS to function properly.

Refer to the Cisco Global Site Selector Command Reference for detailed descriptions of the CLI commands required to create a firewall that blocks all non-GSS traffic to your GSS devices.


Communication Between GSS Nodes


The primary GSSM serves as the organizing point of the GSS network, performing DNS queries and hosting the embedded GSS database that contains configuration information for all your GSS resources, such as individual GSSs and DNS rules. Configuration changes initiated on the primary GSSM using the GSSM graphical user interface are automatically communicated to each registered GSS device that the primary GSSM manages.

The standby GSSM performs GSLB functions for the GSS network. In addition, the standby GSSM is configured to act as the GSSM should the primary GSSM suddenly go offline or become unavailable to communicate with other GSS devices. The standby GSSM can be quickly enabled as the primary GSSM using the gss CLI command. GUI support is not available on a standby GSSM until it is configured as a primary GSSM.

The GSS also runs GSS software and performs routing of DNS queries based on DNS rules and conditions configured using the GSSM. Each GSS is managed separately using the Cisco CLI. GUI support is not available on a GSS device. Each GSS on your network must delegate authority to the parent domain GSS DNS server that serves the DNS requests.

Each GSS is known to and synchronized with the GSSM, but individual GSSs do not report their presence or status to one another. Should a GSS unexpectedly go offline, other GSSs on the network responsible for the same resources are not affected.

With both a primary and a standby GSSM deployed on your GSS network, device configuration information and DNS rules are automatically synchronized between the primary GSSM and a data store maintained on the standby GSSM. Synchronization occurs automatically between the two devices whenever the GSS network configuration changes. Updates are packaged and sent to the standby GSSM using a secure connection between the two devices.

Should the primary GSSM suddenly become unavailable, the GSS network continues to function and does not impact global server load balancing. If desired, you can manually enable the standby GSSM as the primary GSSM using the CLI. Refer to Chapter 2, "Setting Up Your GSS," for instructions on enabling the primary GSSM and to Chapter 9, "GSS Administration and Troubleshooting," for details about changing the GSSM role in the GSS network.


Deployment Within Data Centers


A typical GSS network consists of multiple content sites, such as data centers and server farms, access to which is managed by one or more SLBs, such as the Cisco CSS. Each SLB is represented by one or more virtual IP addresses, or VIPs. These VIPs act as the publicly addressable front-end of the data center. Behind each SLB are transaction servers, database servers, and mirrored origin servers offering a wide variety of content, from websites to applications. The GSS communicates directly with the SLBs that are representing each data center, collecting statistics on availability and load for each of the SLBs and VIPs and using that data to direct requests to the best-suited data centers and the most available resources within each data center. In addition to SLBs, a typical data center deployment may also contain DNS name servers that are not being managed by the GSS. These can be used to resolve requests, through name server forwarding, that the GSS cannot resolve itself.

GSS Network Management


Management of your GSS network is divided into two types:

• CLI-Based GSS Management
• GUI-Based Primary GSSM Management

CLI-Based GSS Management


The CLI is used to configure installation and management of your Cisco GSS software, including:

• Initial configuration of GSS and GSSM (primary and standby) devices
• Software upgrades and downgrades on GSSs and GSSMs
• Database and configuration backups, and database restore operations


In addition, the CLI is used for network configuration of your GSS devices, including:

• Network address and host name configuration
• Network interface configuration
• Access control for your GSS devices, including IP filtering and traffic segmentation

The CLI can also be used for status monitoring and logging for each GSS device. Refer to the Cisco Global Site Selector Command Reference for an alphabetical list of all GSS Command Line Interface (CLI) commands including syntax, options, and related commands. This document also describes how to use the CLI interface.

GUI-Based Primary GSSM Management


The primary GSSM offers a single, centralized graphical user interface (GUI) for monitoring and administering your entire GSS network. The primary GSSM GUI is used for:

• Configuring DNS request handling and global server load balancing through the creation of DNS rules and monitoring of keepalives
• Monitoring GSS network resources
• Monitoring request routing and GSS statistics

See the "Understanding the Primary GSSM Graphical User Interface" section for background details about the GUI.


Understanding the Primary GSSM Graphical User Interface


The primary GSSM graphical user interface is a web-based tool that can be viewed using any standard web browser such as Microsoft Internet Explorer Version 5.0 and later and Netscape Navigator Version 4.79 or later. Basic authentication is used to restrict GUI access. All GUI traffic is encrypted using secure HTTP (HTTPS). The primary GSSM GUI serves as a centralized management point for your entire GSS network. Using the primary GSSM GUI, you can add GSS devices to your network and build DNS rules that match groups of source addresses to hosted domains using one of a number of possible load-balancing methods. In addition, using the GSSM monitoring feature, you can obtain real-time statistics on the performance of your GSS network or of individual devices on that network. When you first log on to the primary GSSM, you see a Welcome window (Figure 1-5). The current login account information appears in the User ID (upper right) area of the Welcome window.


Figure 1-5 Primary GSSM Welcome Window

This section describes the organization and structure of the primary GSSM GUI and includes:

• Graphical User Interface Organization
• List Pages
• Details Pages
• Navigation
• Primary GSSM GUI Icons and Symbols
• Primary GSSM GUI Online Help

Review this information before using the primary GSSM to define global load balancing for your GSS network.


Graphical User Interface Organization


The primary GSSM graphical user interface is organized into four main functional areas that are accessed by clicking the appropriate tab. Each tab can be accessed at any time to navigate to that particular section of the primary GSSM.

• DNS Rules Tab - Contains pages for creating and modifying DNS rules, including the creation of source address lists, (hosted) domain lists, answers, answer groups, and shared keepalives.
• Resources Tab - Contains pages for creating and modifying GSS network resources such as GSSs, locations, regions, and owners. You can also modify global keepalive properties from the Resources tab.
• Monitoring Tab - Contains pages for monitoring the performance of content routing on your GSS network, such as displays of hit counts organized by source address, domain, answer method, or DNS rule.
• Tools Tab - Contains pages for performing the administrative functions for the GSS network, such as creating login accounts, managing account passwords, and viewing system logs.

Within each of these major functional areas, you access specific pages by choosing them from navigation links in the upper left-hand corner of the primary GSSM GUI. The navigation link varies according to the selected tab. Navigation links are present on all GUI pages. Once you have selected a page, information on your GSS related to that feature is further organized into two areas: list pages and details pages, which are described in the sections that follow.

List Pages
List pages appear throughout the primary GSSM GUI to provide you with a feature-specific overview. For example, clicking the Answers tab (located on the DNS Rules tab) displays the Answers list page showing all of the answers currently configured on the listed GSS network. List pages present data in tabular format, providing a detailed look at resources available on your GSS network. List pages are also the location from which new resources (for example, DNS rules or answer groups) are added to the GSS network or existing resources modified.


List pages enable you to sort resources by any one of a number of properties that are listed on the screen, quickly locating a particular resource by an identifying characteristic such as name, owner, or type. You can sort information in ascending or descending order by any column. To sort the information in a list page, click the column header for the column containing the information by which you wish to sort the list. The GSS software temporarily retains information that you modify for a list page, allowing you to navigate to any of the details pages associated with the active list page while retaining the list page settings. The sort field, sort order, and rows per page are temporarily stored in memory for the active list page. Once you navigate to another list page the GSS software discards the modifications for the previous list page. Figure 1-6 shows an example of a primary GSSM Answers list page.
Figure 1-6 Answers List Page


Details Pages
Details pages appear throughout the primary GSS GUI to provide specific configuration information for a specific GSS function, enabling you to create or to modify those properties. For example, in Figure 1-6, clicking the Answers navigation link displays the Answers list page. Adjacent to each answer is an icon depicting a pad and pencil, called the Modify icon. Clicking the Modify icon displays the details page for that answer (Figure 1-7), allowing you to modify the properties of an answer or delete the answer.
Figure 1-7 Modifying Answer Details Page


Navigation
Although the primary GSSM graphical user interface is viewed as a series of web pages using a standard browser, navigating among pages is not the same as moving around different websites, or even within a single site. Instead, you navigate from one content area of the primary GSSM GUI to another using the tabs for each of the major functional areas: DNS Rules, Resources, Monitoring, and Tools. Online Help is located as a navigation link at the top of each page.

Once within a major content area, you access a particular feature or move between features using the navigation links. Choosing a feature from the navigation links immediately transfers you to that page in the graphical user interface.

To move back from a details page to the corresponding list page, click another navigation link, or click either the Submit or Cancel buttons from the details page. For example, to return to the Global Site Selectors list page after viewing the details for one of your GSSs, click a different navigation link (or click the Cancel button). If you made configuration changes to a GSS that you wish to retain, click the Submit button. Any of these actions returns you to the Global Site Selectors list page.

Note

Do not use your web browser Back or Forward buttons to move between pages in the primary GSSM GUI. Clicking Back cancels any unsaved changes in the primary GSSM.

Primary GSSM GUI Icons and Symbols


Table 1-3 lists and explains some common icons and graphical symbols in the primary GSSM graphical user interface. These icons are referenced throughout this guide in explaining how to use the features of the primary GSSM GUI.

Table 1-3 GSSM GUI Icons and Symbols

Icon or Symbol / Purpose | Location
Modify icon. Opens the associated item for editing in a details page, displaying configuration settings on the details page. | List pages
Sort icon. Indicates that the items listed in a list table are sorted in descending order according to the property listed in this column. | List pages
Create icon/Open DNS Rules Builder icon. Opens the associated details page to accept user input for configuration. | List pages
Print icon. When you view GSS resources or monitor GSS network activity, clicking Print allows you to print data displayed in the page using your local or network printer. | List pages and Detail pages
Export to CSV icon. When you view GSS resources or monitor GSS network activity, clicking Export allows you to save data displayed in the window to a comma-delimited flat file for use in other applications. | List pages
Refresh icon. When you view GSS resources or monitor GSS network activity, clicking Refresh forces the GSSM window to update its content. | List pages
Run Wizard icon. Opens the associated DNS rule for editing using the DNS Rules Wizard. | DNS Rules list page
Filter DNS Rule List icon. Provides filters that can be applied to your DNS rules, allowing you to view only those rules that have the properties you are interested in. | DNS Rules list page
Show All DNS Rules icon. Removes all filters, displaying a complete list of DNS rules for your GSS. | DNS Rules list page
* Asterisk. Required field. Indicates that a value is required in the adjacent field before the item can be successfully saved. | Details pages
Submit icon. Saves the configuration information. When editing specific GSS system or device configuration information, clicking Submit returns you to the associated list screen. | Detail pages
Cancel icon. Cancels any configuration changes that were entered. When editing specific GSS system and device configuration information, clicking Cancel returns you to the associated list screen. | Detail pages
Delete icon. When you view configuration information for GSS resources, clicking Delete allows you to delete the resource from the GSS network. Note: Deletions of any kind cannot be undone in the primary GSSM GUI. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details. | Detail pages
Next icon. Moves forward to the next page in the DNS Rules Wizard. Alternatively, use the links under the Wizard Contents table of contents to jump back and forth to any step in the wizard. | DNS Rules wizard
Back icon. Moves backwards to the previous page in the DNS Rules Wizard. Alternatively, use the links under the Wizard Contents table of contents to jump back and forth to any step in the wizard. | DNS Rules wizard
Finish icon. Saves changes to the DNS rule. You return to the DNS Rules list page. | DNS Rules wizard
Activate Answer icon. Reactivates a single suspended answer, all suspended answers associated with an owner, or all suspended answers associated with a location. | Modifying Answer, Modifying Owner, and Modifying Location detail page
Suspend Answer icon. Temporarily stops the GSS from using a single answer, all answers in all groups for an owner, or all answers in a location. | Modifying Answer, Modifying Owner, and Modifying Location detail page
Activate DNS Rule icon. Reactivates a single suspended DNS Rule or all suspended DNS Rules associated with an Owner. | Modify DNS Rules and Modifying Owner detail pages
Suspend DNS Rules icon. Stop requests from being processed by a single DNS rule or all suspended DNS rules associated with an owner on your GSS. | Modify DNS Rules and Modifying Owner detail pages
Set Answers KAL ICMP icon. Disassociates all answers from a selected shared keepalive and sets the keepalive type of each of those answers to ICMP using the answer's own VIP. | Modifying Shared Keepalive details page
Set Answers KAL None icon. Disassociates all answers from a selected shared keepalive and sets the keepalive type of each of those answers to none, meaning that the GSS assumes they are always alive. | Modifying Shared Keepalive details page

Primary GSSM GUI Online Help


The Help navigation link in the upper right corner of each primary GSSM GUI page launches the Online Help system (Figure 1-8), which contains information on using that page as well as the features of the primary GSSM GUI. The Online Help topic associated with the form displays in a separate child browser window. Each page in the primary GSSM GUI has a context-sensitive online Help file associated with it. These Help files (in HTML format) contain detailed information related to the form you are using. Online Help also includes a series of quick start procedures to assist you in navigating through the specific forms in the user interface and performing specific configuration procedures (for example, using the DNS Rules wizard to create a DNS rule).
Figure 1-8 GSSM Online Help

The GSS Online Help system contains several navigational aids to assist you in finding the information you need quickly and easily. The navigation frame is contained in the left frame of each Help topic. The navigation frame contains the following three tabs:

- Contents: Displays all the topics in the GSSM Online Help system in a tiered format. Help topics are grouped into logical books by function. Books of Help topics may contain sub-books with additional topics. You can expand or collapse the contents to suit your needs. Note that the contents also automatically synchronizes with the Help topic you are currently viewing.
- Index: Displays a list of terms that allows you to look up topics based on keywords similar to the index at the back of a book. If only one topic is associated with the Index entry, that topic displays immediately when you double-click the entry. If more than one topic is associated with an Index entry, the Help system displays a Topics Found dialog box that allows you to select the topic you want to display from a list of topics.
- Search: Provides a full-text search tool that allows you to display a list of Help topics related to words you enter in the text box. You can then select a topic and click Display to view that topic.

Where to Go Next
Chapter 2, Setting Up Your GSS, describes the process of configuring the Global Site Selector Series hardware to act as a Global Site Selector Manager (GSSM) or Global Site Selector (GSS) device.

CHAPTER 2

Setting Up Your GSS


This chapter describes how to configure your GSS devices to connect to your network. This includes the initial network configuration of a GSS and the configuration of a primary or standby GSSM. Network connectivity is configured for each device using the GSS command-line interface (CLI). This chapter contains the following major sections:

- Accessing the GSS CLI
- Performing Network Configuration of the GSS
- Creating and Modifying GSS Devices
- Global Server Load-Balancing Summary

For detailed instructions on command syntax and use of GSS CLI commands, refer to the Cisco Global Site Selector Command Reference.

Accessing the GSS CLI


You can access the GSS CLI by establishing a remote connection using Telnet or Secure Shell (SSH) from a PC or by a direct connection to the device using a dedicated terminal. If required for your SSH connection, you may also log in to the GSS using an externally generated private and public key pair. This section contains the following procedures:

- Accessing the CLI Using a Direct Serial Connection
- Enabling Remote Access on a GSS Device
- Accessing the CLI Using a Remote Connection
- Accessing the GSS CLI Using a Private and Public Key Pair

Accessing the CLI Using a Direct Serial Connection


To access the GSS CLI using a serial connection, establish a direct serial connection between your terminal and the GSS device. Once you are connected, you can use any terminal communications application to access the CLI. The following procedure uses HyperTerminal for Windows. For information on how to establish a serial connection with your device, refer to the Cisco Global Site Selector Hardware Installation Guide.

To access the GSS CLI using a direct serial connection:
1. Launch HyperTerminal. The Connection Description window appears.
2. Enter a name for your session in the Name field.
3. Click OK. The Connect To window appears.
4. From the drop-down list, choose the COM port to which the device is connected.
5. Click OK. The Port Properties window appears.
6. Set the port properties as follows:
   - Baud Rate = 9600
   - Data Bits = 8
   - Flow Control = none
   - Parity = none
   - Stop Bits = 1
7. Click OK to connect.
8. Press Enter to display the CLI prompt.

Once a session is created, choose Save As from the File menu to save the connection description. Saving the connection description has the following two advantages:

- The next time you launch HyperTerminal, the session is listed as an option under Start > Programs > Accessories > HyperTerminal > Name_of_session. This option lets you reach the CLI prompt directly without going through the configuration steps.
- You can connect your cable to a different device without configuring a new HyperTerminal session. If you use this option, make sure that you connect to the same port on the new device as was configured in the saved HyperTerminal session. Otherwise, a blank screen appears without a prompt.

Enabling Remote Access on a GSS Device


To monitor the performance of your GSS devices and administer them once they are deployed, you must be able to access those devices. Accordingly, once you have basic network connectivity on your GSS device you may want to use the CLI to enable remote access to the device using the SSH, Telnet, or FTP protocols.

To enable SSH, Telnet, or FTP on your GSS device:
1. Enable privileged EXEC mode and then global configuration mode on the device. For example:
   localhost.localdomain> enable
   localhost.localdomain# config
   localhost.localdomain(config)#
2. From global configuration mode, use the enable command to activate the remote access protocol you need (SSH, Telnet, or FTP). For example, to enable SSH connections to the GSS device, you would enter the following command:
   localhost.localdomain(config)# ssh enable
3. Repeat step 2 for each required remote access protocol using the ftp command and the telnet command.

   Note

   To disable SSH, Telnet, or FTP, use the no form of the command.
4. Save your configuration changes to memory. For example:
   localhost.localdomain(config)# copy running-config startup-config
5. Exit global configuration mode.
   localhost.localdomain(config)# exit
   localhost.localdomain#

Accessing the CLI Using a Remote Connection


To access the GSS CLI using a remote connection, use Telnet or Secure Shell (SSH) from a PC. In a single Telnet or SSH session, you cannot connect to more than one device. You can, however, have several Telnet or SSH sessions running in parallel for different devices. Be sure you enable Telnet or SSH as described in the Enabling Remote Access on a GSS Device section.

Note

We recommend using SSH connections because SSH lets you communicate securely over insecure channels and provides strong authentication.

You must have physical access to the GSS device to set up remote access by Telnet or SSH connection. Refer to the Cisco Global Site Selector Hardware Installation Guide for instructions on connecting a console cable to your Cisco Global Site Selector series hardware.

To access the GSS CLI using your preferred SSH or Telnet client:
1. Enter the host name or IP address of the GSS device (Global Site Selector or Global Site Selector Manager).
2. Specify your GSS administrative username and password to log on to the GSS device.

Once you have logged on remotely, use the CLI commands described in this document and in the Cisco Global Site Selector Command Reference.

Accessing the GSS CLI Using a Private and Public Key Pair
The GSS supports remote login to the device over an SSH session using private and public key pairs for authentication. In this method of remote connection, you use a generated private/public key pair to participate in a secure communication by encrypting and decrypting messages. Use of a private and public key pair bypasses the normal username and password authentication process. This remote access method may be useful when running scripts that connect to the GSS automatically.

You generate the private key and the corresponding public key as a key pair on a server separate from the GSS and then copy the public key to the GSS /home directory.

To access the GSS CLI using a private and public key pair:
1. Generate the SSH private key and the corresponding SSH public key as a key pair on a server separate from the GSS. Refer to the documentation included with the SSH software for details on generating the private and public key pair.
2. Enable privileged EXEC mode. For example:
   localhost.localdomain> enable
3. Use the scp command to securely copy the generated public key from the server to the GSS /home directory. For example:
   localhost.localdomain# scp myusername@1myhost:~/mykey.pub .
   myusername@1myhost password:
   mykey.pub 100% |*****************************| 241 00:00
4. Use the type command to append the public key to the /home/.ssh/authorized_keys file. The /home/.ssh/authorized_keys file is a special file that the GSS software looks for when authenticating public/private keys. For example:
   localhost.localdomain# cd .ssh
   localhost.localdomain# type ../mykey.pub >> authorized_keys
5. Activate an SSH session from the remote host to the GSS using the private key. For example, on most Unix systems you would enter the following command line:
   ssh -i private.key gss.cisco.com
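
Because key-pair login bypasses the username and password check, every line appended to /home/.ssh/authorized_keys is a standing credential. The following added example (not Cisco code) audits a copy of that file's contents for weak, duplicated, unlabelled or malformed entries; the 2048-bit RSA floor is an assumed local policy, and the sample keys are constructed for illustration and are not usable keys.

```python
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048  # assumption: local policy floor, not a value from the guide
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _field(data):
    """Encode one length-prefixed field of an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def _read_field(blob, offset):
    """Decode one length-prefixed field; return (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_key_line(line):
    """Parse one entry: [options] key-type base64-blob [comment]."""
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no recognised key type followed by a key blob")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    inner_type, pos = _read_field(blob, 0)
    bits = None
    if inner_type == b"ssh-rsa":
        _exponent, pos = _read_field(blob, pos)
        modulus, pos = _read_field(blob, pos)
        bits = int.from_bytes(modulus, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    return {
        "type": fields[idx],
        "inner_type": inner_type.decode("ascii", "replace"),
        "bits": bits,
        # Same SHA256 form that `ssh-keygen -lf` prints.
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        "comment": " ".join(fields[idx + 2:]),
    }


def audit_authorized_keys(text):
    """Return (line_number, code, detail) findings for an authorized_keys file."""
    findings, first_seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            key = parse_key_line(line)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            findings.append((lineno, "malformed", str(exc)))
            continue
        if key["type"] != key["inner_type"]:
            findings.append((lineno, "type-mismatch", key["inner_type"]))
        if key["type"] == "ssh-dss":
            findings.append((lineno, "dsa", "DSA keys are limited to 1024 bits"))
        if key["bits"] is not None and key["bits"] < MIN_RSA_BITS:
            findings.append((lineno, "weak-rsa", f"{key['bits']}-bit modulus"))
        if not key["comment"]:
            findings.append((lineno, "no-comment", "key cannot be tied to an owner"))
        if key["fingerprint"] in first_seen:
            findings.append((lineno, "duplicate",
                             f"same key as line {first_seen[key['fingerprint']]}"))
        else:
            first_seen[key["fingerprint"]] = lineno
    return findings


def sample_rsa_line(bits, seed, comment=""):
    """Constructed entry for the demo: arbitrary modulus, not a usable key."""
    modulus = (1 << (bits - 1)) | seed
    blob = (_field(b"ssh-rsa") + _field(b"\x01\x00\x01")
            + _field(b"\x00" + modulus.to_bytes(bits // 8, "big")))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".rstrip()


# Constructed file contents: what repeated appends with >> can leave behind.
SAMPLE = "\n".join([
    sample_rsa_line(2048, 1, "deploy-script@buildhost"),
    sample_rsa_line(1024, 3, "old-admin@legacy"),
    sample_rsa_line(2048, 1, "deploy-script@buildhost"),  # appended a second time
    sample_rsa_line(2048, 5),                             # no comment
    "ssh-rsa AAAA!!not-base64 broken@example",
])

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE):
        print(finding)
```

The fingerprint column lets you match each authorized entry against the key pair held by the script or administrator it was issued to.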

Performing Network Configuration of the GSS


When setting up your GSS, log in directly to the CLI on the GSS device and configure the following basic setup configuration functions for the device:

- Specify a hostname for the GSS device
- Configure Ethernet 0 and Ethernet 1
- Configure a default gateway
- Enter the IP addresses of the name servers (up to 8)
- Configure a remote access protocol (FTP, Telnet, or SSH) so you can administer the GSS device remotely in the future.

Depending on your network requirements for the GSS device, make your configuration of GSSM (primary and standby) and GSS based on the following information:

- Primary GSSM: The primary GSSM performs content routing as well as centralized management functions for the GSS network. The primary GSSM serves as the organizing point of the GSS network, hosting the embedded GSS database that contains configuration information for all your GSS resources, such as individual GSSs and DNS rules. Other GSS devices report their status to the primary GSSM. The primary GSSM offers a single, centralized GUI for monitoring and administering your entire GSS network.
- Standby GSSM: The standby GSSM performs GSLB functions for the GSS network even while operating in standby mode. In addition, the standby GSSM can be configured to act as the GSSM should the primary GSSM need to go offline for repair or maintenance, or become unavailable to communicate with other GSS devices. As with the primary GSSM, the standby GSSM is configured to run the GSSM GUI and contains a duplicate copy of the embedded GSS database that is currently installed on the primary GSSM. Any configuration or network changes affecting the GSS network are synchronized between the primary and the standby GSSM. The standby GSSM can be enabled as the primary GSSM using the gssm standby-to-primary CLI command.

Note

The switching of roles between the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online. Once the original primary GSSM is available, reassign the two GSSMs to their original roles in the GSS network as described in Chapter 9, GSS Administration and Troubleshooting, the Logically Removing a GSS or Standby GSSM from the Network section.

- GSS: The GSS performs routing of DNS queries based on DNS rules and conditions configured using the primary GSSM. Each GSS is known to and synchronized with the GSSM, but individual GSSs do not report their presence or status to one another. Each GSS on your network delegates authority to the GSSs that serve DNS requests. Each GSS is managed separately using the Cisco CLI. GUI support is not available on a GSS device.

A typical GSS deployment may contain up to eight GSS devices on a corporate intranet or the Internet. At least one GSS, and no more than two GSSs, must be configured as GSSMs. The primary GSSM monitors the other GSS devices on the network and offers features for managing and monitoring request routing services using a GUI accessible through secure HTTP. Only one primary GSSM can be active at any time, with the second GSSM serving as a standby, or backup device.

Network configuration requires that you enter into privileged EXEC mode on the CLI, so your login must have adequate permissions to do so.

After you enable your GSSM and GSS devices, use the primary GSSM to activate each device on your network. See the Creating and Modifying GSS Devices section for more information.

This section includes the following procedures:

- Configuring the GSS Using the Setup Script
- Configuring the GSS from the CLI
- Configuring a Primary GSSM or Standby GSSM
- Configuring a Global Site Selector
- Logging Into the Primary GSSM Graphical User Interface

Configuring the GSS Using the Setup Script


When you boot the Cisco Global Site Selector platform for the first time and the system boots without a startup-configuration file, a setup script automatically runs to quickly guide you through the process of initially configuring the GSS.

To configure the GSS from the setup script:
1. If you have not already done so, power on and boot the GSS (as described in the Cisco Global Site Selector Hardware Installation Guide).
2. At the Do you want to continue? (y/n) [no]: prompt type y to continue (or press Enter to accept the default of No and bypass running the setup script). If you chose to bypass the setup script, you can either:
   - Manually configure the GSS from the CLI as described in the Configuring the GSS from the CLI section.
   - Use the setup CLI command at a later point in time to configure basic configuration information (as described in this procedure).

   Note

   The setup command cannot be executed while the GSS is running. You must issue the gss stop command before executing the setup command.
3. At the Hostname prompt, specify a qualified hostname for the GSS device. For example:
   Enter the Hostname of this device: gssm1.yourdomain.com
4. At the Interface eth0 and eth1 prompts, specify the IP address and subnet mask for each interface to be used on the GSS device. For example:
   * Interface eth1 (Inactive)
   Do you want to change this? (y/n) [n]: y
   Do you want to activate this interface? (y/n) [n]: y
   Enter the IP address: 192.168.1.3
   Enter the netmask: 255.255.255.0
   Once you run the setup script there are additional configuration parameters that you can specify for each Ethernet interface using the interface ethernet CLI command (such as the autosense, duplex, and speed options). Refer to the Cisco Global Site Selector Command Reference for detailed information on the interface ethernet command.
5. At the default gateway prompt, enter gateway information for the GSS device. For example:
   Do you want to configure a default gateway? (y/n) [y]:
   Enter the default gateway [10.86.208.1]: 10.89.12.100
6. At the Name Servers prompt, configure the domain name server or servers to be used by the GSS device. You can enter individual addresses or specify up to eight name servers in a list. Enter a dash ('-') at a blank entry to instruct the GSS to stop requesting name servers. For example:
   Enter the IP addresses for up to 8 Name Servers.
   Enter a dash ('-') at a blank entry to stop entering Name Servers.
   At least one Name Server is required for this setup script.
   Enter Name Server 1 [161.44.124.122]: 168.10.12.1
   Enter Name Server 2: 192.168.1.2
   Enter Name Server 3: -
7. At the Remote Access prompt, activate the remote access protocol required for the GSS device. For example:
   * Remote Access
   Do you want to enable FTP access? (y/n) [y]: n
   Do you want to enable Telnet access? (y/n) [n]: y
   Do you want to enable SSH access? (y/n) [y]: y
8. The setup script prompts you through a series of questions about configuring the device as a GSSM (primary or standby) or as a GSS. Perform one of the following actions:
   - If you want to configure the device as the primary GSSM:
     a. At the Do you want to configure this GSS as a Manager (gssm)? (y/n) [y]: prompt type y (or press Enter).
     b. At the Do you want to configure this GSSM as the Primary? (y/n) [y]: prompt type y (or press Enter).
   - If you want to configure the device as the standby GSSM:
     a. At the Do you want to configure this GSS as a Manager (gssm)? (y/n) [y]: prompt type y (or press Enter).
     b. At the Do you want to configure this GSSM as the Primary? (y/n) [y]: prompt type n.
     c. At the Enter the Hostname or IP address of the Primary GSSM [192.168.3.4]: prompt specify the hostname or IP address of the primary GSSM for your network.
   - If you want to configure the device as a GSS:
     a. At the Do you want to configure this GSS as a Manager (gssm)? (y/n) [y]: prompt type n.
     b. At the Enter the Hostname or IP address of the Primary GSSM [192.168.3.4]: prompt specify the hostname or IP address of the primary GSSM for your network.
9. When completed, the software prompts you to perform one of the following:
   - Apply as the Running Configuration: Applies setup configuration changes to the running-configuration file.
   - Edit This Configuration: Return to the beginning of setup and edit specific configuration information.
   - Discard Configuration and Quit Setup: Cancel making initial configuration changes.

Once configuration setup is complete, the GSS software prompts you to log into the primary GSSM GUI and finish device setup (as described in the Logging Into the Primary GSSM Graphical User Interface section).
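
The Remote Access prompts of the setup script and the ssh enable procedure in the Enabling Remote Access on a GSS Device section both decide which login protocols the device exposes. The following added example (not Cisco code) replays a setup-script transcript and a later CLI session to report which protocols end up enabled and whether the change was saved; the telnet enable, ftp enable and no forms are assumed to follow the ssh enable pattern this guide describes, and both transcripts are constructed.

```python
import re

CLEARTEXT = {"ftp", "telnet"}  # both send logins and session data unencrypted
PROTOCOLS = CLEARTEXT | {"ssh"}
SAVE_CMD = "copy running-config startup-config"

# Setup-script question, e.g. "Do you want to enable FTP access? (y/n) [y]: n"
SETUP_PROMPT = re.compile(
    r"Do you want to enable (?P<proto>FTP|Telnet|SSH) access\? "
    r"\(y/n\) \[(?P<default>[yn])\]:\s*(?P<answer>\S*)", re.IGNORECASE)
# CLI prompt shapes used in this guide: host>, host#, host(config)#, host(config-eth0)#
CLI_PROMPT = re.compile(
    r"^[\w.-]+(?:\((?P<mode>config[\w-]*)\))?[>#]\s*(?P<cmd>.*)$")


def audit_setup(transcript):
    """Return the protocols left enabled by the Remote Access prompts."""
    enabled = set()
    for line in transcript.splitlines():
        m = SETUP_PROMPT.search(line)
        if not m:
            continue
        # Pressing Enter submits an empty answer and accepts the bracketed default.
        answer = (m.group("answer") or m.group("default")).lower()
        proto = m.group("proto").lower()
        if answer.startswith("y"):
            enabled.add(proto)
        else:
            enabled.discard(proto)
    return enabled


def audit_cli(transcript, enabled=()):
    """Replay a CLI session; return (enabled protocols, unsaved-changes flag)."""
    enabled, dirty = set(enabled), False
    for line in transcript.splitlines():
        m = CLI_PROMPT.match(line.strip())
        if not m or not m.group("cmd"):
            continue
        cmd = " ".join(m.group("cmd").split())
        if cmd == SAVE_CMD:
            dirty = False
        elif m.group("mode") and cmd != "exit":
            dirty = True  # any other command typed in a config mode edits the running config
            words = cmd.split()
            negate = words[0] == "no"
            target = words[1:] if negate else words
            if (m.group("mode") == "config" and len(target) == 2
                    and target[0] in PROTOCOLS and target[1] == "enable"):
                (enabled.discard if negate else enabled.add)(target[0])
    return enabled, dirty


def findings(enabled, dirty=False):
    """Turn the replayed state into review findings."""
    out = [f"{p}: enabled, logins and session data cross the network in cleartext"
           for p in sorted(CLEARTEXT & set(enabled))]
    if dirty:
        out.append("unsaved: changes made after the last save are lost on reboot")
    return out


# Constructed transcript: the operator pressed Enter at the FTP and Telnet questions.
SETUP_SAMPLE = """\
* Remote Access
Do you want to enable FTP access? (y/n) [y]:
Do you want to enable Telnet access? (y/n) [n]:
Do you want to enable SSH access? (y/n) [y]: y
"""

# Constructed follow-up session: FTP is turned off but the change is never saved.
CLI_SAMPLE = """\
gssm1.yourdomain.com> enable
gssm1.yourdomain.com# config
gssm1.yourdomain.com(config)# no ftp enable
gssm1.yourdomain.com(config)# exit
gssm1.yourdomain.com#
"""

if __name__ == "__main__":
    after_setup = audit_setup(SETUP_SAMPLE)
    print(sorted(after_setup), findings(after_setup))
    after_cli, unsaved = audit_cli(CLI_SAMPLE, after_setup)
    print(sorted(after_cli), findings(after_cli, unsaved))
```

In the sample, pressing Enter at the FTP question leaves FTP on because its bracketed default is y, and the later no ftp enable is flagged as unsaved because no copy running-config startup-config follows it.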

Configuring the GSS from the CLI


To configure the GSS from the CLI:
1. If you have not already done so, power on and boot the GSS (as described in the Cisco Global Site Selector Hardware Installation Guide).
2. Log on to the CLI, following the instructions in Accessing the GSS CLI. The GSS CLI prompt appears. By default, the hostname for GSS devices is localhost.localdomain. This name changes once you configure the hostname for the device.
3. Enable privileged EXEC mode and then global configuration mode on the device. For example:
   localhost.localdomain> enable
   localhost.localdomain# config
   localhost.localdomain(config)#
4. Configure a qualified hostname and default gateway information for the GSS device. For example:
   Host(config)# hostname gssm1.yourdomain.com
   gssm1.yourdomain.com(config)# ip default-gateway 10.89.12.100
5. From global configuration mode, enter interface configuration mode and configure the attributes of GSS interface Ethernet 0 or Ethernet 1. Each GSS device contains two Ethernet interfaces, 0 and 1. For example:
   gssm1.yourdomain.com(config)# interface ethernet 0
   gssm1.yourdomain.com(config-eth0)# speed 100
   gssm1.yourdomain.com(config-eth0)# duplex full
   Refer to the Cisco Global Site Selector Command Reference for detailed information on the interface ethernet command.

   Note

   Interface commands cannot be executed while the GSS is running (for example, serving DNS requests). You must issue the gss stop command before executing the interface ethernet command.
6. Use the gss-communications command to configure a GSS Ethernet interface as the designated network interface for GSS device communications. For example:
   gssm1.yourdomain.com(config-eth0)# gss-communications

   Note

   Interface commands cannot be executed while the GSS is running (for example, serving DNS requests). You must issue the gss stop command before executing the gss-communications command.
7. Configure the IP address and subnet mask that are to be used by the interface. For example:
   gssm1.yourdomain.com(config-eth0)# ip address 10.89.3.24 255.255.255.0
   gssm1.yourdomain.com(config-eth0)# exit
   gssm1.yourdomain.com(config)#
8. Configure the domain name server or servers to be used by the GSS device. You can enter individual addresses or specify up to eight name servers using a comma-separated or space-separated list. For example:
   gss1.yourdomain.com(config)# ip name-server 128.10.12.1
   gss1.yourdomain.com(config)# ip name-server 128.100.12.1, 128.110.12.1
9. Save your configuration changes to memory. For example:
   gssm1.yourdomain.com(config)# copy running-config startup-config

The next step is to configure the device as either a GSSM (primary or standby) or as a GSS:

- If configuring the device as a GSSM (primary or standby), proceed to the Configuring a Primary GSSM or Standby GSSM section.
- If configuring the device as a GSS, proceed to the Configuring a Global Site Selector section.

Configuring a Primary GSSM or Standby GSSM


Before you begin configuring request routing or adding GSSs to your GSS network, you must first configure a primary GSSM with which the individual GSSs will be associated. When configuring a GSSM, you need to configure both the network connectivity of the GSSM as well as the embedded GSS database that resides on the GSSM and holds GSS device and network configuration information. You must also indicate whether the GSSM serves as the primary or redundant (standby) manager.

To configure a GSS device to function as either a primary GSSM or a standby GSSM:
1. If you have not already done so:
   a. Log on to the CLI (see the Accessing the GSS CLI section).
   b. At the CLI prompt, enable privileged EXEC mode and then global configuration mode on the device. For example:
      localhost.localdomain> enable
      localhost.localdomain# config
      localhost.localdomain(config)#
   c. Ensure the GSS is properly configured (see either the Configuring the GSS Using the Setup Script section or the Configuring the GSS from the CLI section).
2. Perform one of the following steps:
   - If this GSSM is to be the primary (default) routing manager for your GSS network, use the gss enable gssm-primary command to enable your GSS device and make it the primary GSSM. For example:
     gssm1.yourdomain.com# gss enable gssm-primary

     Note

     If a database already exists on this GSS device an error message appears. Use the gss disable command to disable the selected GSS device and remove any existing configuration, including deleting the GSSM database from the GSS device. This option returns the GSS device to the initial, disabled state.
   - If this GSSM is to be a standby (backup) GSSM for your GSS, use the gss enable gssm-standby command to place the GSSM in standby mode and associate it with the DNS name or IP address of the primary GSSM. The standby GSSM is intended to be a backup device to be used on a temporary basis until the primary GSSM can come back online. For example:
     gssm1.yourdomain.com# gss enable gssm-standby 192.168.1.110

     Note

     You must have a primary GSSM configured and enabled before you can enable a standby GSSM.
3. Save your configuration changes to memory. For example:
   gssm1.yourdomain.com# copy running-config startup-config
   If you fail to save your configuration changes, the GSS device reverts to its previous settings upon a reboot.

For the primary GSSM, you can now access the GUI using your preferred web browser by pointing that browser to the URL of the primary GSSM. See the Logging Into the Primary GSSM Graphical User Interface section for details. After enabling the primary GSSM GUI, you can use it to activate each GSS device on your network. See the Creating and Modifying GSS Devices section. If, at a later point, you need to move the primary GSSM or you want to take it offline for repair or maintenance, the standby GSSM is capable of temporarily taking over the role as the primary GSSM until the original primary GSSM is back online. Once the original primary GSSM is available, reassign the two GSSMs to their original roles in the GSS network. Refer to Chapter 9, GSS Administration and Troubleshooting, the Logically Removing a GSS or Standby GSSM from the Network section.

Configuring a Global Site Selector


You must configure and enable your primary GSSM before you can configure additional GSS devices. If you have not already done so, see the Configuring a Primary GSSM or Standby GSSM section for information on configuring and enabling your primary and optional standby GSSMs. To configure a device to function as a GSS:
1. If you have not already done so:
   a. Log on to the CLI (see the Accessing the GSS CLI section).
   b. At the CLI prompt, enable privileged EXEC mode and then global configuration mode on the device. For example:
      localhost.localdomain> enable
      localhost.localdomain# config
      localhost.localdomain(config)#
   c. Ensure the GSS is properly configured (see either the Configuring the GSS Using the Setup Script section or the Configuring the GSS from the CLI section).
   d. Enable a remote access protocol on the GSS device (such as Telnet or SSH). See the Enabling Remote Access on a GSS Device section.


2. Exit global configuration mode and then use the gss command to enable your GSS device as a GSS and direct it to the primary GSSM in your GSS network. Specify either the domain name or the network address of the primary GSSM. For example:
   gss1.yourdomain.com(config)# exit
   gss1.yourdomain.com# gss enable gss gssm1.yourdomain.com
3. Save your configuration changes to memory. For example:
   gss1.yourdomain.com# copy running-config startup-config

   If you fail to save your configuration changes, the device reverts to its previous settings upon a reboot.
4. Use the primary GSSM to activate each GSS device on your network. See the Creating and Modifying GSS Devices section.

Logging Into the Primary GSSM Graphical User Interface


After you configure and enable your primary GSSM, you are ready to access the GUI. The GSSM uses secure HTTP (HTTPS) to communicate with web clients. For example, if your primary GSSM is named gssm1.yourdomain.com, enter the following to display the primary GSSM logon dialog box and access the GUI:
https://gssm1.yourdomain.com

When first logging on to the primary GSSM GUI, you can use the system default administrative account and password. After accessing the GUI, create and maintain additional user accounts and passwords using the user administration features of the primary GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting, for more information on creating user accounts.

Note

The user accounts and passwords that you create for the primary GSSM GUI are maintained separately from the usernames and passwords used to log on to your GSS devices using the CLI (using the username command).

To log on to the primary GSSM GUI:
1. Open your preferred Internet web browser application, such as Internet Explorer or Netscape Navigator.


2. In the address field, enter the secure HTTP address of your GSSM. For example:
   https://gssm1.yourdomain.com

Note

If you have trouble locating the primary GSSM DNS name, remember that the GSS network uses secure connections, so the address of the GSSM will feature https:// (secure HTTP) in the place of the more common http://.

3. If prompted to accept a certificate from the primary GSSM, click Yes to accept the certificate signed by Cisco Systems and proceed to the GUI.
   If you are using Internet Explorer and want to install the certificate, at the Security Alert dialog box click View Certificate, and then choose the Install Certificate option and follow the prompts of the Certificate Manager Import Wizard.
   If you are using Netscape and you want to install the certificate, at the New Site Certificate dialog box click Next and follow the prompts of the New Site Certificate Wizard.

Note

Take the extra steps to trust certificates from Cisco Systems, Inc., which prevents you from having to approve a certificate every time you log on to a GSSM. Refer to the online help for your browser for instructions on trusting certificates from a particular owner or website.

4. When prompted to log on to the primary GSSM, enter your username and password in the fields provided, then click OK. If this is your first time logging on to the GSSM, use the default account name and password to access the GUI as follows:
   Username: admin
   Password: default
5. The GSSM Welcome page appears (Figure 2-1). Refer to Chapter 1, Introducing the Global Site Selector, the Understanding the Primary GSSM Graphical User Interface section for information on navigating through the primary GSSM GUI.

Figure 2-1 Primary GSSM Welcome Window

Creating and Modifying GSS Devices


A first step in configuring global server load balancing on your GSS network is to activate and configure your GSS devices. Using the Global Site Selectors tab of the primary GSSM GUI, you activate GSS devices (GSSs and standby GSSMs) that have been added to your GSS network, name the GSS devices, and, if necessary, delete those devices from the GSS network. This section includes the following procedures:

• Activating GSS Devices
• Modifying GSS Device Configuration
• Deleting GSS Devices

Activating GSS Devices


After you have configured your GSS devices to act as GSSs or GSSMs, you must activate those devices from the primary GSSM GUI before they receive and process user requests. The one exception to this rule is the primary GSSM, which does not need to be activated after initial configuration. To activate a GSS or a standby GSSM from the primary GSSM GUI:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears (Figure 2-2). All active devices are listed with an Online status. The devices you need to activate are listed with an Inactive status.

Figure 2-2 Global Site Selectors List Page - Inactive Status

3. Click the Modify GSS icon for the first GSS that you wish to activate. The Modifying GSS details page appears (Figure 2-3).

Figure 2-3 Modifying GSS Details Page

4. Check the Activate check box. (This check box does not appear in the Modifying GSS details page after a GSS device has been activated.)
5. Click the Submit button. You return to the Global Site Selector list page. The status of the device that you activated is listed as Online. Assuming that the device is functioning properly and that network connectivity between the device and the primary GSSM is good, the status of the device changes to Online within approximately 30 seconds.

Figure 2-4 Global Site Selectors List Page - Active Status

6. Repeat Steps 1 through 5 for each inactive GSS or standby GSSM that you need to activate.

Modifying GSS Device Configuration


You can modify the name and location of any of your GSS devices using the primary GSSM GUI. To modify other network information such as the hostname, IP address, or role, however, you must access the CLI on the device. To modify the name and location of a GSS device:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears (see Figure 2-2). All active devices are listed with an online status. The devices you need to activate are listed with an inactive status.
3. Click the Modify GSS icon for the first GSS that you wish to activate. The Modifying GSS details page appears (see Figure 2-3).
4. In the Global Site Selector Name field, enter a new name for the device. This is not the same name as the hostname, which can only be changed using the CLI. It is used to easily distinguish one GSS device from another in the primary GSSM list pages, where many devices may appear together.
5. From the Location drop-down list, select a new device location.
6. Click Submit to save your changes. You return to the Global Site Selector list page.

Deleting GSS Devices


With the exception of the primary GSSM, you can delete GSS devices from your network using the primary GSSM GUI. Deleting a GSS device such as a GSS or a standby GSSM allows you to remove nonfunctioning GSS devices from your network, or to reconfigure and then reactivate a device. To delete a GSS device:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears.
3. From the Global Site Selectors list, click the Modify GSS icon located to the left of the GSS device you want to delete. The Modifying GSS details page appears.
4. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the GSS device.
5. Click OK to confirm your decision. You return to the Global Site Selectors list page with the deleted device removed from the list.
6. To reconfigure the GSS device, refer to either the Configuring a Primary GSSM or Standby GSSM section or the Configuring a Global Site Selector section.


Global Server Load-Balancing Summary


Once you have created your GSSM (primary and standby) and GSS devices and configured them to connect to your network, you are ready to begin configuring request routing and global server load balancing on your GSS network. Global server load balancing on your GSS network is managed through the centralized GUI on the primary GSSM. Using this interface, you can identify your network resources (GSSs) through the use of keepalives and create the DNS rules to process incoming content requests. Because you will be creating DNS rules that route incoming DNS requests to the most available data centers and resources on your network, you must configure the elements that constitute your DNS rules before creating the rules themselves.

Use the following order when configuring your GSS devices and resources from the primary GSSM:
1. Create regions, locations, and owners: Optional. Use these groupings to organize your GSS network resources by customer account, physical location, owner, or other organizing principle. Refer to Chapter 3, Configuring Resources for details.
2. Create one or more source address lists: Optional. Use these lists of addresses to identify the name servers (D-proxy) that forward requests for the specified domains. The default source address list is Anywhere to match any incoming DNS request to the domains. Refer to Chapter 4, Configuring Source Address Lists for details.
3. Create one or more domain lists: Establish lists of Internet domains, possibly using wildcards, that are managed by the GSS and queried by users. Refer to Chapter 5, Configuring Domain Lists for details.
4. Modify the default global keepalive settings or create any shared keepalives: Optional. These are GSS network resources that are regularly polled to monitor the online status of one or more GSS resources linked to the keepalive. Shared keepalives are required for any answer that uses the KAL-AP keepalive type. Refer to Chapter 6, Configuring KeepAlives for details.
5. Create one or more answers: Answers are resources that match requests to domains. Refer to Chapter 7, Configuring Answers and Answer Groups for details.
6. Create one or more answer groups: Answer groups are collections of resources that balance requests for content. Refer to Chapter 7, Configuring Answers and Answer Groups for details.
7. Build your DNS rules: Processes incoming DNS requests using the DNS Rule Builder or DNS Rule Wizard. Refer to Chapter 8, Building and Modifying DNS Rules for details.

Because of the complexity of DNS rules, the primary GSSM GUI provides you with a choice of two methods for creating a DNS rule:

• DNS Rule Wizard: An easy-to-use tool that guides you through the process of creating a DNS rule.
• DNS Rule Builder: If you are an experienced GSS user, you can use the DNS Rule Builder to quickly assemble DNS rules from source address lists, domain lists, owners, and answers that you have already created.

Where to Go Next
Chapter 3, Configuring Resources, includes instructions on organizing resources on your GSS network as locations, regions, and owners.

CHAPTER 3

Configuring Resources
This chapter describes what you need to establish global server load-balancing resources. Before you configure request routing, make sure that you have configured your hardware devices as described in Chapter 2, Setting Up Your GSS. You must have a primary GSSM configured and enabled before you can configure request routing and server load balancing on the GSS network. Ideally, you have a standby GSSM configured as well. If you will be deploying GSSs in addition to your primary GSSM and standby GSSM, these devices will identify themselves to the primary GSSM and appear on the GSSM GUI when you access the Resources tab and click the Global Site Selectors navigation link. This chapter contains the following major sections:

• Organizing Your GSS Network
• Creating and Modifying Locations and Regions
• Creating and Modifying Owners
• Grouping GSS Resources by Location, Region, and Owner


Organizing Your GSS Network


The primary GSSM provides you with a number of tools that allow you to group and organize resources on your GSS network. These include:

• Locations: Logical groupings for GSS resources that correspond to geographical entities such as a city, data center, or content site
• Regions: Higher-level geographical groupings that contain one or more locations
• Owners: Groupings that correspond to business or organizational relationships; for example, customers, internal departments, and IT personnel

Keep in mind that it is not a requirement that regions and locations correspond to actual geographical sites. They are simply organizing concepts that allow you to group GSS resources and exist in a one (region) to many (locations) relationship. In addition to providing an organizational scheme for your GSS network, locations can also be used for bulk management of GSS resources, such as answers. Answers can be grouped and managed according to a GSS location that has been established and with which answers have been associated. Using a location to manage your answers makes it easier for you to quickly suspend or activate answers in a particular area of your network, for example, shutting down one or more data centers for the purposes of software upgrades or regular maintenance. Refer to Chapter 7, Configuring Answers and Answer Groups, for more information.


Creating and Modifying Locations and Regions


The process for creating and maintaining locations and regions is essentially identical, except that in addition to their other configuration information, locations are associated with regions in a many-to-one relationship. Use the following procedures to set up regions and locations on your GSS network.

Note

We recommend that you create regions before you create locations.

This section includes the following procedures:

• Creating Regions
• Creating Locations
• Modifying Regions
• Modifying Locations
• Deleting Locations and Regions

Creating Regions
To create a region:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Regions navigation link. The Regions list page appears (Figure 3-1).

Figure 3-1 Regions List Page

3. Click the Create Regions icon. The Creating New Region details page appears (Figure 3-2).

Figure 3-2 Creating New Region Details Page

4. In the Name field, enter the name for your new region.
5. In the Comments field, enter descriptive information or important notes regarding the new region.
6. Click Submit to save changes to your new region. You return to the Region list page. Your new region appears in the list and can be used to help you organize other GSS resources.


Creating Locations
To create a location:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Locations navigation link. The Locations list page appears (Figure 3-3).

Figure 3-3 Locations List Page

3. Click the Create Location icon. The Creating New Location details page appears (Figure 3-4).

Figure 3-4 Creating New Location Details Page

4. In the Name field, enter the name for your new location.
5. Click the Region drop-down list and choose a region with which the location will be associated. There should be a logical connection between region and location.
6. In the Comments field, enter descriptive information or important notes regarding the new region or location.
7. Click Submit to save your new location. You return to the Locations list page. Your new location appears in the list and can be used to help you organize other GSS resources.


Modifying Regions
To modify a GSS region:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Regions navigation link. The Regions list page appears.
3. From the Regions list, click the Modify Region icon located to the left of the list you want to modify. The Modifying Region details page appears (Figure 3-5).

Figure 3-5 Modifying Region Details Page

4. In the Name field, change the name of the region, if desired.
5. In the Comments field, enter or modify the descriptive information or notes regarding the region.
6. Click Submit to save the changes to your region. You return to the Regions list page.

Modifying Locations
To modify a GSS location:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Locations navigation link. The Locations list page appears.
3. From the Locations list, click the Modify Location icon located to the left of the list you want to modify. The Modifying Location details page appears (Figure 3-6).

Figure 3-6 Modifying Location Details Page

4. In the Name field, change the name of the location, if desired.
5. If you wish to move the location to a new region, click the Region drop-down list and select a new region with which the location will be associated.
6. In the Comments field, enter or modify the descriptive information or notes regarding the location.
7. Click Submit to save the changes to your location. You return to the Locations list page.

Deleting Locations and Regions


Before deleting a region or location, be sure that you know what dependencies are associated with a resource. For example, regions that have locations associated with them cannot be deleted. In addition, answers associated with locations that are deleted are automatically associated with the Unspecified location.

Caution

Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your primary GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.

To delete regions and locations:
1. From the primary GSSM GUI, click the Resources tab.
2. Click either the Locations or Regions navigation link, depending on what type of resource you intend to delete. The list page appears.
3. Click the Modify icon for the location or region that you want to delete. The details page appears, displaying configuration information for that resource.
4. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the Region or Location.
5. Click OK. You return to the list page with the Region or Location removed.

If an error appears informing you that a GSS resource is still linked to the region or location you want to delete, disassociate that resource and then attempt to delete the grouping again.


Creating and Modifying Owners


Owners are logical groupings for GSS network resources that correspond to business or organizational structures. For example, an owner might be a hosting customer, an internal department such as human resources, or an IT staff resource. Owners are created and managed separately from either GSS or GSSM logins, and there is no necessary connection between the two. As with locations, owner designations can be used for bulk management of GSS resources. Using a GSS owner to manage your answer groups makes it easier for you to quickly suspend or activate related answers. For information on using owners to manage your GSS network, see the following chapters and sections:

• Chapter 7, Configuring Answers and Answer Groups, the Suspending or Reactivating All Answers in an Answer Group Associated with an Owner section
• Chapter 8, Building and Modifying DNS Rules, the Suspending or Reactivating All DNS Rules Belonging to an Owner section

Creating Owners
To create an owner:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Owners navigation link. The Owners list page appears displaying a list of all configured owners on your GSS network and providing an overview of the resources assigned to each owner (Figure 3-7).

Figure 3-7 Owners List Page

3. Click the Create Owner icon. The Creating New Owner details page appears (Figure 3-8).

Figure 3-8 Creating New Owner Details Page

4. In the Name field, enter the contact name for your new Owner.
5. In the Comments field, enter other descriptive or contact information for the new owner.
6. Click Submit to save the new Owner. You return to the Owners list page. Your new owner is listed and can now be used to help you organize other GSS resources.


Modifying Owners
To modify an owner:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Owners navigation link. The Owners list page appears.
3. From the Owners list, click the Modify Owner icon located to the left of the list you want to modify. The Modifying Owner details page appears (Figure 3-9).

Figure 3-9 Modifying Owner Details Page

4. In the Name field, enter a new name for your new owner, if desired.
5. In the Comments field, enter or modify the descriptive information or notes regarding the owner.
6. Click Submit to save the changes to the owner. You return to the Owners list page.

Deleting Owners
Before you attempt to delete an owner, be sure that you know what dependencies that resource has. For example, answer groups, DNS rules, and domain lists associated with an owner will, if that owner is deleted, automatically be associated with the System owner account.

Caution

Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.

To delete an owner:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Owners navigation link. The Owners list page appears.
3. From the Owners list, click the Modify Owner icon located to the left of the list you want to delete. The Modifying Owner details page appears.
4. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the owner.
5. Click OK. You return to the Owners list screen with the owner removed.


Grouping GSS Resources by Location, Region, and Owner


After you create your locations, regions, and owners, you can begin to use these tools to help organize your GSS resources. To associate a particular resource with a location, region, or owner, edit the properties of that resource and then choose the location, region, or owner from the drop-down list provided. Table 3-1 indicates which GSS resources can be grouped by locations, regions, and owners.
Table 3-1 GSS Network Groupings

GSS Network Resource GSS Locations Region Owner DNS rules Source address lists Domain lists Answer group Answer

Grouped By Location Region Owner Owner Owner Owner Location

Grouped Using Global Site Selector details page Locations details page DNS Rule Builder DNS Rule Wizard Source Address Lists details page Domain Lists details page Answer Group details page Answer details page

Where to Go Next
Chapter 4, Configuring Source Address Lists describes the creation of source address lists, collections of IP addresses or address blocks for known client DNS proxies (or D-proxies).

CHAPTER 4

Configuring Source Address Lists


The next step in configuring DNS request handling on your GSS network is to define the addresses from which requests are sent to the GSS. This is accomplished through the creation of source address lists, collections of IP addresses or address blocks for known client DNS proxies (or D-proxies).

Note

The deployment of source address lists is an optional process. A default source address list, named Anywhere, is supplied with the GSS software and matches any request for a domain.

Using the source address lists feature, you can enter one or more IP addresses, up to 30 addresses for each list, representing DNS proxies from which requests originate. Each GSS supports up to 60 source address lists. In addition to adding individual addresses, the primary GSSM also allows you to enter IP address blocks conforming to the classless interdomain routing (CIDR) IP addressing scheme.

This chapter contains the following major sections:

• Creating Source Address Lists
• Modifying Source Address Lists
• Deleting Source Address Lists


Creating Source Address Lists


To configure a source address list:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Source Address Lists navigation link. The Source Address Lists list page appears (Figure 4-1).

Figure 4-1 Source Address Lists List Page

3. Click the Create Source Address List icon. The Creating New Source Address List details page appears (Figure 4-2).

Figure 4-2 Creating New Source Address List - General Configuration

4. In the General Configuration details page (General Configuration navigation link), perform the following:
   a. In the Name field, enter a name for the new Source Address List. Source Address List names cannot contain spaces.
   b. From the Owner drop-down list, select the GSS network resource with which the Source Address List is associated. The owner may be a hosting customer, an internal department such as human resources, or an IT staff resource.
   c. In the Comments text area, enter any comments for the new Source Address List.
5. Click the Add Address navigation link to access the Add Addresses section of the page. Add new addresses or address blocks to your list of source addresses (Figure 4-3).

Figure 4-3 Creating New Source Address List - Add Addresses

6. In the Add Addresses section of the page, perform the following:
   a. Enter the IP addresses, or CIDR address blocks. If you are entering multiple addresses, separate each one with a semicolon. You can enter up to 30 addresses for each list. You use this interface to add new addresses or address blocks to your list of source addresses. For example:
      192.168.100.0/24; 10.89.0.0/16; 10.68.10.1
   b. Click the Add button. The GSS software adds the addresses to the Source Address List.
7. Click the General Configuration navigation link to view the address block associated with the source address list. The addresses appear under the Current Members section of the details page (Figure 4-4).

Figure 4-4 Creating Source Address List - Current Members List

8. When you are satisfied with your Source Address List, click the Submit button to save your changes. You return to the Source Address Lists list page.

You can add or remove source addresses from the list at any time. See the Modifying Source Address Lists section that follows.
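
The following Python code is an added example, not part of the Cisco guide or the GSS software. It pre-checks a value intended for the Add Addresses field against the rules stated in this chapter (semicolon-separated IPv4 addresses or CIDR blocks, at most 30 entries per list, at most 60 lists per GSS, no spaces in list names), audits a list for redundant or very broad blocks, and reports which lists a given D-proxy address would match. The list names, the sample D-proxy addresses, the rejection of blocks with host bits set, and the /8 breadth threshold are assumptions of this example.

```python
import ipaddress

MAX_ADDRESSES_PER_LIST = 30  # per-list limit stated in the guide
MAX_LISTS_PER_GSS = 60       # per-GSS limit stated in the guide


def check_name(name):
    """Source address list names cannot contain spaces."""
    if not name or any(ch.isspace() for ch in name):
        raise ValueError(f"invalid list name {name!r}: empty or contains whitespace")
    return name


def parse_entries(field_text):
    """Parse the semicolon-separated Add Addresses value into IPv4 networks."""
    raw = [part.strip() for part in field_text.split(";") if part.strip()]
    if not raw:
        raise ValueError("no addresses supplied")
    if len(raw) > MAX_ADDRESSES_PER_LIST:
        raise ValueError(
            f"{len(raw)} entries exceed the limit of {MAX_ADDRESSES_PER_LIST}")
    networks = []
    for entry in raw:
        try:
            # Assumption of this example: a block with host bits set
            # (for instance 10.89.1.0/16) is treated as a typo and rejected.
            networks.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid entry {entry!r}: {exc}") from None
    return networks


def audit(networks, widest_prefix=8):
    """Return findings: very broad blocks, duplicates, and covered entries."""
    findings = []
    for net in networks:
        if net.prefixlen < widest_prefix:
            findings.append(f"{net} is broader than /{widest_prefix}")
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            if a == b:
                findings.append(f"{a} is listed twice")
            elif a.subnet_of(b):
                findings.append(f"{a} is already covered by {b}")
            elif b.subnet_of(a):
                findings.append(f"{b} is already covered by {a}")
    return findings


def build_lists(definitions):
    """Validate a {list name: field text} mapping and parse every list."""
    if len(definitions) > MAX_LISTS_PER_GSS:
        raise ValueError(
            f"{len(definitions)} lists exceed the limit of {MAX_LISTS_PER_GSS}")
    return {check_name(name): parse_entries(text)
            for name, text in definitions.items()}


def lists_matching(lists, dproxy_ip):
    """Names of the lists whose members contain the given D-proxy address."""
    addr = ipaddress.IPv4Address(dproxy_ip)
    return sorted(name for name, nets in lists.items()
                  if any(addr in net for net in nets))


# Constructed sample data: the first value is the guide's own example string,
# the list names and the second list are hypothetical.
SAMPLE_LISTS = {
    "Branch-Resolvers": "192.168.100.0/24; 10.89.0.0/16; 10.68.10.1",
    "Partner-DNS": "10.0.0.0/8; 10.89.0.0/16",
}

if __name__ == "__main__":
    lists = build_lists(SAMPLE_LISTS)
    for name, nets in lists.items():
        print(name, [str(n) for n in nets], audit(nets))
    for ip in ("10.89.4.7", "172.16.0.1"):
        # An address in no custom list is still matched by the default
        # Anywhere list, which matches any request.
        print(ip, "->", lists_matching(lists, ip) or "no custom list")
```
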

Modifying Source Address Lists


To modify an existing source address list:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Modify Source Address List icon located to the left of the Source Address List you want to modify. The Modifying Source Address List details page appears.
3. In the General Configuration details page (General Configuration navigation link), use the fields provided to modify the name, comments, or owner for the source address list (see Figure 4-2). Source address list names cannot contain spaces.
4. To add more source addresses to the list, click the Add Addresses navigation link. Use the field provided (see Figure 4-3) to enter the names of source address lists you wish to add. Click the Add button to append the new source address to the existing list.
5. To remove addresses from the Source Address List, click the Remove Addresses navigation link. The Remove Addresses section of the page appears (Figure 4-5). Click the check box accompanying each source address you wish to remove from the list, then click the Remove Selected button to remove the selected source addresses from the list.

Figure 4-5 Modifying Source Address List - Remove Addresses

6. Review your updated source address list under the Current Members section of the details page (see Figure 4-4).
7. Click the Submit button to save your modified source address list. You return to the Source Address List list page.

Deleting Source Address Lists


You cannot delete source address lists that are associated with an existing DNS rule. Before proceeding with these instructions, first verify that none of your DNS rules reference the source address list that you are deleting.

Caution

Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.

To delete a source address list from your GSS network:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Source Address Lists navigation link. The Source Address Lists list page appears.
3. Click the Modify Source Address List icon located to the left of the Source Address List you want to remove. The Source Address Lists details page appears.
4. Click the Delete Source Address List icon in the upper right corner of the page (Figure 4-6). The GSS software prompts you to confirm your decision to delete the Source Address List.

Figure 4-6 Modifying Source Address List - Delete Icon

Note

If an error appears informing you that the source address list is referenced by an existing DNS rule, disassociate the source address list from the DNS rule and then attempt to delete the source address list again.

5. Click OK. You return to the Source Address Lists list page. The source address list is removed from the list.

Where to Go Next
Chapter 5, Configuring Domain Lists, describes the creation of domain lists, collections of domain names for Internet or intranet resources, sometimes referred to as hosted domains, that are being requested by your users.

CHAPTER 5

Configuring Domain Lists

This chapter describes how to create domain lists. This chapter contains the following major sections:

- Domain List Overview
- Creating Domain Lists
- Modifying Domain Lists
- Deleting Domain Lists

Domain List Overview


Domain lists are collections of domain names for Internet or intranet resources, sometimes referred to as hosted domains, that are being requested by your users. Domain lists contain one or more domain names that point to content for which the GSS is acting as the authoritative DNS server and for which you wish to use the GSS technology to balance traffic and user requests. Using the domain lists feature, you can enter complete domain names or any valid regular expression that specifies a pattern by which the GSS can match incoming addresses. The GSS supports POSIX 1003.2 extended regular expressions when matching wildcards.

For example, if you had three hosted domains (www.cisco.com, support.cisco.com, and customer.cisco.com) for which the GSS was responsible, you might want to enter only those domains in your domain list, as follows:

www.cisco.com; support.cisco.com; customer.cisco.com

However, if you had 20 or more possible domains for which the GSS was responsible (www1.cisco.com, www2.cisco.com, and so on), manually entering each address may be time-consuming. In such a situation, you could create a wildcard expression that would cover all those domains, as follows:

.*\.cisco\.com

Any request for a hosted domain that matches the pattern is directed accordingly. Each GSS can support a maximum of 2000 hosted domains and 2000 hosted domain lists, with a maximum of 500 hosted domains supported for each domain list.

Creating Domain Lists


To create a domain list:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Domain Lists navigation link. The Domain Lists list page appears (Figure 5-1).

Figure 5-1 Domain Lists Page

3. Click the Create Domain List icon. The Creating New Domain List details page appears (Figure 5-2).

Figure 5-2 Creating New Domain List Details Page - General Configuration

4. In the General Configuration details page (General Configuration navigation link), perform the following:
a. In the Name field, enter a name for the new Domain List. Domain List names cannot contain spaces.
b. From the Owner drop-down list, select the contact with whom the Domain List will be associated.
c. In the Comments text area, enter any comments for the new Domain List.
5. Click the Add Domains navigation link to access the Add Domains section of the page. Use this section to add new hosted domains to your list.

Figure 5-3 Creating New Domain List - Add Domains

6. In the text box provided, enter the names of any hosted domains that you want to add to the domain list. Hosted domains may or may not correspond to standard third-level domain names but cannot exceed 128 characters in length. The following examples could be domain names configured on the GSS:

cisco.com
www.cisco.com
www.support.cisco.com

Domain names that use wildcards are also supported by the GSS. You can enter complete domain names or any regular expression that specifies a pattern by which the GSS can match incoming addresses. For example:

.*\.cisco\.com

These should be the domain names of resources for which the GSS is acting as the authoritative DNS server. Domain names that do not use wildcards cannot exceed 128 characters. For domain names with wildcards that are valid regular expressions, the GSS can match strings up to 256 characters long. If you are entering multiple domain names, separate each one with a semicolon, for example:

www.cisco.com; support.cisco.com; cdn.cisco.com

7. Click the Add button. The domains you entered are added to the Domain List.
8. Click the General Configuration navigation link and view the domains list. The domain names appear under the Current Members section of the details page (Figure 5-4).
9. Click the Submit button to save your domain list changes.

Figure 5-4 Creating Domain List - Current Members List
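The entry rules from the Domain List Overview and from step 6 above, written as a check to run on a domain list before it is submitted. This is an added example, not Cisco code: Python's re module stands in for the POSIX extended regular expression matcher, the function names and the literal-versus-wildcard test are assumptions, and because this page does not say whether the GSS anchors a wildcard entry to the whole name, both behaviours are shown.

```python
import re

# Limits stated in this chapter.
MAX_LITERAL_LEN = 128    # names without wildcards
MAX_REGEX_SUBJECT = 256  # longest string a wildcard entry can match
MAX_PER_LIST = 500       # hosted domains per domain list

# Assumption: an entry made only of hostname labels is a literal name;
# anything else is treated as a regular expression.
_LITERAL = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\Z")
_BRACKET = re.compile(r"\[[^\]]*\]")             # inside [...] a '.' is literal
_BARE_DOT = re.compile(r"(?<!\\)\.(?![*+?{])")   # '.' neither escaped nor quantified

# Constructed sample input in the semicolon-separated form the GUI accepts.
SAMPLE_LIST = r"www.cisco.com; support.cisco.com; .*\.cisco\.com"


def parse_entries(text):
    """Split the semicolon-separated text box content into entries."""
    entries = [e.strip() for e in text.split(";") if e.strip()]
    if len(entries) > MAX_PER_LIST:
        raise ValueError(f"{len(entries)} entries exceed the {MAX_PER_LIST} per-list limit")
    return entries


def is_literal(entry):
    return _LITERAL.match(entry) is not None


def lint_entry(entry):
    """Return a list of problems found in one entry (empty list = clean)."""
    if is_literal(entry):
        if len(entry) > MAX_LITERAL_LEN:
            return [f"literal name is {len(entry)} characters, limit is {MAX_LITERAL_LEN}"]
        return []
    try:
        re.compile(entry)
    except re.error as exc:
        return [f"not a valid regular expression: {exc}"]
    # An unescaped '.' matches any character, so '.cisco.com' written
    # without backslashes also covers names such as 'www-cisco.com'.
    bare = _BARE_DOT.findall(_BRACKET.sub("", entry))
    if bare:
        return [f"{len(bare)} unescaped '.' will match any character; write '\\.'"]
    return []


def entry_matches(entry, qname, anchored=True):
    """Would this entry cover the queried name?

    anchored=True requires the pattern to cover the whole name;
    anchored=False accepts a match anywhere inside it.
    Run lint_entry first: an invalid pattern raises re.error here.
    """
    qname = qname.rstrip(".").lower()          # DNS names are case-insensitive
    if is_literal(entry):
        return entry.lower() == qname
    if len(qname) > MAX_REGEX_SUBJECT:
        return False
    matcher = re.fullmatch if anchored else re.search
    return matcher(entry, qname, re.IGNORECASE) is not None


def covering_entries(entries, qname, anchored=True):
    """List every entry in a domain list that covers the queried name."""
    return [e for e in entries if entry_matches(e, qname, anchored)]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LIST)
    for entry in entries + [".*.cisco.com"]:
        print(entry, "->", lint_entry(entry) or "ok")
    for name in ("www1.cisco.com", "cisco.com", "www.cisco.com.example.net"):
        print(name, covering_entries(entries, name),
              covering_entries(entries, name, anchored=False))
```

Note that `.*\.cisco\.com` does not cover the bare name cisco.com, which needs its own literal entry.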

Modifying Domain Lists


To modify an existing domain list:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Domain Lists navigation link. The Domain Lists list page appears (see Figure 5-1).
3. From the Domain Lists list, click the Modify Domain List icon located to the left of the Domain List you want to modify. The Modifying Domain List details page appears.
4. In the General Configuration details page (General Configuration navigation link), use the fields provided to modify the name, comments, or owner for the domain list (see Figure 5-2). Domain List names cannot contain spaces.
5. To add more domains to the list, click the Add Domains navigation link. Use the text box provided (see Figure 5-3) to enter the names of domains you wish to add. Click the Add button to append the new domains to the existing list.
6. To remove domains from the domain list, click the Remove Domains navigation link. The Remove Domains section of the page appears (Figure 5-5). Click the check box accompanying each domain you wish to remove from the list, then click the Remove Selected button. The deleted domains are removed from the page.

Figure 5-5 Modifying Domain List - Remove Domains

7. Review your updated domain lists under the Current Members section of the details page (see Figure 5-4).
8. Click the Submit button to save your changes. You return to the Domain List list page.


Deleting Domain Lists


You cannot delete domain lists that are associated with an existing DNS rule. Before proceeding with these instructions, first verify that none of your DNS rules reference the domain list that you are deleting.

Caution

Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.

To delete a domain list from your GSS network:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Domain Lists navigation link. The Domain Lists list page appears listing existing Domain Lists.
3. Click the Modify Domain List icon located to the left of the Domain List you want to remove. The Modifying Domain Lists details page appears (Figure 5-5).

Figure 5-6 Modifying Domain List - Delete Icon

4. Click the Delete Domain List icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the domain list.

Note

If an error appears informing you that the domain list is referenced by a DNS rule, disassociate the domain list from the DNS rule and then attempt to delete the domain list again. Refer to Chapter 8, Building and Modifying DNS Rules.

5. Click OK. You return to the Domain List list page. The domain list is removed from the list.

Where to Go Next
Chapter 6, Configuring KeepAlives, describes the modification of global keepalives and the creation of shared keepalives.

CHAPTER 6

Configuring KeepAlives

A keepalive is a method by which the GSS periodically checks to see if a resource associated with an answer is still active. All answers are validated by configured keepalives as being either online or offline. The GSS uses keepalives to collect and track information on everything from the simple online status of VIPs to services and applications running on a server. Depending on the type of answer being tracked, the GSS also monitors load and connection information on SLBs that can be used to perform load-based redirection.

This chapter contains the following major sections:

- Modifying Global KeepAlive Properties
- Configuring and Modifying Shared VIP KeepAlives

Modifying Global KeepAlive Properties


The GSS includes a set of global keepalive properties that function as the default or minimum values used by the GSS when no other keepalive values are specified. You can modify your global keepalive properties for the GSS using the fields on the Global KeepAlive Properties details page from the Resources tab. A change to a global keepalive property takes effect immediately when you apply it, and it modifies the default values of keepalives currently in use by the GSS. For example, if a VIP answer uses a TCP keepalive with all of its associated defaults, and you change the default port value from port 80 to port 23, port 23 automatically becomes the default for the TCP keepalive.

Note

Changing global keepalive properties is an optional process.

To modify the GSS keepalive properties:

1. From the primary GSSM GUI, click the Resources tab.
2. Click the KeepAlive Properties navigation link. The Configure Global KeepAlive Properties details page appears (Figure 6-1).

Figure 6-1 Configure Global KeepAlive Properties Details Page

3. Use the navigation links on the left side of the page to access the individual GSS global keepalive details page and to modify the global properties of the keepalive.

The following procedures describe how to modify the default properties for the individual global keepalives.

- Global KeepAlive Configuration - ICMP
- Global KeepAlive Configuration - TCP
- Global KeepAlive Configuration - HTTP HEAD
- Global KeepAlive Configuration - KAL-AP
- Global KeepAlive Configuration - CRA
- Global KeepAlive Configuration - Name Server

Global KeepAlive Configuration - ICMP

To modify the ICMP global keepalive configuration settings, see Figure 6-2 and Figure 6-3 and perform the following steps.

Figure 6-2 ICMP Global KeepAlive - Standard KAL Type

Figure 6-3 ICMP Global KeepAlive - Fast KAL Type

1. Select the ICMP keepalive rate by clicking one of the KAL Type option buttons. You can specify whether the GSS is to use the standard or fast ICMP keepalive transmission rate. The failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs and when the GSS determines the failure occurred. This is the longest period of time the GSS will take to mark an answer offline.
- Standard: Uses the default detection time of 60 seconds.
- Fast: Uses the user-selectable Number of Retries parameter to control the keepalive transmission rate. The default detection time is 4 seconds.

Note

The GSS supports up to 500 ICMP keepalives when using the standard detection method and up to 100 ICMP keepalives when using the fast detection method.

2. If you selected the Standard KAL Type, in the Minimum Interval field change the minimum frequency with which the GSS attempts to schedule ICMP keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.
3. If you selected the Fast KAL Type, modify the following parameters:
- In the Number of Retries field, specify the number of times the GSS retransmits an ICMP echo request packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. The default is 1.
- In the Number of Successful Probes field, specify the number of consecutive successful ICMP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. The default is 1.

Note

For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.

4. Click the Submit button to save your ICMP global keepalive modifications.

Global KeepAlive Configuration - TCP

To modify the TCP keepalive global configuration settings, see Figure 6-4 and Figure 6-5 and perform the following steps:

Figure 6-4 TCP Global KeepAlive - Standard KAL Type

Figure 6-5 TCP Global KeepAlive - Fast KAL Type

1. Select the TCP keepalive rate by clicking one of the KAL Type option buttons. You can specify whether the GSS is to use the standard or fast TCP keepalive transmission rate. The failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs and when the GSS determines the failure occurred. This is the longest period of time the GSS will take to mark an answer offline.
- Standard: Uses the default detection time of 60 seconds.
- Fast: Uses the user-selectable Number of Retries parameter to control the keepalive transmission rate. The default detection time is 4 seconds.

Note

The GSS supports up to 500 TCP keepalives when using the standard detection method and up to 100 TCP keepalives when using the fast detection method.

2. In the Destination port field, enter the port on the remote device that is to receive the TCP keepalive request from the GSS. The port range is 1 to 65535. The default port is 80.
3. Specify the TCP keepalive connection termination method:
- Reset: The GSS immediately terminates the TCP connection by using a hard reset. This is the default termination method.
- Graceful: The GSS initiates the graceful closing of a TCP connection by using the standard three-way connection termination method.
4. If you selected the Standard KAL Type, specify the following parameters:
- In the Response Timeout field, specify the length of time allowed before the GSS retransmits data to a device that is not responding to a request. The valid entries are 20 to 60 seconds. The default is 20 seconds.
- In the Minimum Interval field, specify the minimum frequency with which the GSS attempts to schedule TCP keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.
5. If you selected the Fast KAL Type, modify the following parameters:
- In the Number of Retries field, specify the number of times the GSS retransmits a TCP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. The default is 1.

Note

When using the Graceful termination sequence, there are two packets that require acknowledgement: SYN and FIN.

- In the Number of Successful Probes field, specify the number of consecutive successful TCP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. The default is 1.

Note

For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.

6. Click the Submit button to save your TCP global keepalive modifications.

Global KeepAlive Configuration - HTTP HEAD

To modify the HTTP HEAD keepalive global configuration settings, see Figure 6-6 and Figure 6-7 and perform the following steps:

Figure 6-6 HTTP HEAD Global KeepAlive - Standard KAL Type

Figure 6-7 HTTP HEAD Global KeepAlive - Fast KAL Type

1. Select the HTTP HEAD keepalive rate by clicking one of the KAL Type option buttons. You can specify whether the GSS is to use the standard or fast HTTP HEAD keepalive transmission rate. The failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs and when the GSS determines the failure occurred. This is the longest period of time the GSS will take to mark an answer offline.
- Standard: Uses the default detection time of 60 seconds.
- Fast: Uses the user-selectable Number of Retries parameter to control the keepalive transmission rate. The default detection time is 8 seconds.

Note

The GSS supports up to 500 HTTP HEAD keepalives when using the standard detection method and up to 100 HTTP HEAD keepalives when using the fast detection method.

2. In the Destination port field, enter the port on the remote device that is to receive the HTTP HEAD-type keepalive request from the GSS. The port range is 1 to 65535. The default port is 80.
3. In the Path field, enter the default path that is relative to the server website being queried in the HTTP HEAD request. For example: /company/owner
4. Specify the HTTP HEAD keepalive connection termination method:
- Reset: The GSS immediately terminates the HTTP HEAD connection by using a hard reset. This is the default termination method.
- Graceful: The GSS initiates the graceful closing of an HTTP HEAD connection by using the standard three-way connection termination method.
5. If you selected the Standard KAL Type, specify the following parameters:
- In the Response Timeout field, change the length of time allowed before the GSS retransmits data to a device that is not responding to a request. The valid entries are 20 to 60 seconds. The default is 20 seconds.
- In the Minimum Interval field, change the minimum frequency with which the GSS attempts to schedule HTTP HEAD keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.
6. If you selected the Fast KAL Type, specify the following parameters:
- In the Number of Retries field, specify the number of times the GSS retransmits an HTTP HEAD packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. The default is 1.

Note

When using the Graceful termination sequence, there are three packets that require acknowledgement: SYN, HEAD, and FIN.

- In the Number of Successful Probes field, specify the number of consecutive successful HTTP HEAD keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. The default is 1.

Note

For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.

7. Click the Submit button to save your HTTP HEAD global keepalive modifications.

Global KeepAlive Configuration - KAL-AP

To modify the KAL-AP keepalive global configuration setting, see Figure 6-8 and Figure 6-9 and perform the following steps:

Figure 6-8 KAL-AP Global KeepAlive - Standard KAL Type

Figure 6-9 KAL-AP Global KeepAlive - Fast KAL Type

1. Select the KAL-AP keepalive rate by clicking one of the KAL Type option buttons. You can specify whether the GSS is to use the standard or fast KAL-AP keepalive transmission rate. The failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs and when the GSS determines the failure occurred. This is the longest period of time the GSS will take to mark an answer offline.
- Standard: Uses the default detection time of 60 seconds.
- Fast: Uses the user-selectable Number of Retries parameter to control the keepalive transmission rate. The default detection time is 4 seconds.

Note

The GSS supports up to 128 primary and 128 secondary KAL-AP keepalives when using the standard detection method and up to 40 primary and 40 secondary KAL-AP keepalives when using the fast detection method.

2. If you intend to use Content and Application Peering Protocol (CAPP) encryption, in the CAPP Hash Secret field enter an alphanumeric encryption key value. This is the alphanumeric value used to encrypt interbox communications using CAPP. The same encryption value must also be configured on the Cisco CSS or CSM. The default CAPP Hash Secret string is hash-not-set.
3. If you selected the Standard KAL Type, in the Minimum Interval field, change the minimum frequency with which the GSS attempts to schedule KAL-AP By Tag or KAL-AP By VIP keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.
4. If you selected the Fast KAL Type, specify the following parameters:
- In the Number of Retries field, specify the number of times the GSS retransmits a KAL-AP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. The default is 1.
- In the Number of Successful Probes field, specify the number of consecutive successful KAL-AP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. The default is 1.

Note

For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.

5. Click the Submit button to save your KAL-AP global keepalive modifications.
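A simplified model of the two Fast KAL Type parameters shared by the ICMP, TCP, HTTP HEAD and KAL-AP procedures above: Number of Retries decides when an answer is marked offline, and Number of Successful Probes decides when it is brought back. This is an added example, not GSS code; the class and function names and the packet trace are constructed, and GSS timing and scheduling are not modelled.

```python
RETRY_RANGE = range(1, 11)   # page: Number of Retries is 1 to 10
PROBE_RANGE = range(1, 6)    # page: Number of Successful Probes is 1 to 5

# Constructed trace, one character per packet the prober sends:
# '1' = a reply came back, '0' = no reply.
TRACE = "10100100111"


class AnswerTracker:
    """Online/offline state of one answer across keepalive probes."""

    def __init__(self, retries=1, successful_probes=1):
        if retries not in RETRY_RANGE:
            raise ValueError("Number of Retries must be 1 to 10")
        if successful_probes not in PROBE_RANGE:
            raise ValueError("Number of Successful Probes must be 1 to 5")
        self.retries = retries
        self.successful_probes = successful_probes
        self.online = True
        self._streak = 0     # consecutive good probes seen while offline

    def record(self, probe_ok):
        """Apply one probe result and return the resulting online state."""
        if not probe_ok:
            # The packet and all of its retransmits went unanswered.
            self.online = False
            self._streak = 0
        elif not self.online:
            # Recovery needs an unbroken run of good probes.
            self._streak += 1
            if self._streak >= self.successful_probes:
                self.online = True
                self._streak = 0
        return self.online


def run_probe(packets, retries):
    """One keepalive attempt: the first packet plus up to `retries` retransmits.

    `packets` is an iterator over '1'/'0' characters. Returns True or False,
    or None when the trace runs out before the probe is decided.
    """
    for _ in range(1 + retries):
        reply = next(packets, None)
        if reply is None:
            return None
        if reply == "1":
            return True
    return False


def simulate(trace, retries=1, successful_probes=1):
    """Replay a packet trace and return the answer state after each probe."""
    tracker = AnswerTracker(retries, successful_probes)
    packets = iter(trace)
    history = []
    while (ok := run_probe(packets, retries)) is not None:
        history.append(tracker.record(ok))
    return history


if __name__ == "__main__":
    for retries, probes in ((1, 1), (1, 3), (2, 1)):
        states = simulate(TRACE, retries, probes)
        line = "".join("U" if s else "D" for s in states)
        print(f"retries={retries} successful_probes={probes}: {line}")
```

On this trace the defaults flap between online and offline, three successful probes hold the answer offline until the path is stable, and two retries ride through the loss without ever marking it offline.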

Global KeepAlive Configuration - CRA

To modify the CRA keepalive global configuration settings, see Figure 6-10 and perform the following steps:

Figure 6-10 Global KeepAlives Details Page - CRA KeepAlive

1. In the Timing Decay field, change the value to specify how heavily the GSS should weigh recent DNS Round Trip Time (RTT) probe results relative to earlier RTT metrics, with 1 indicating that recent results should not be weighed any more than previous RTT results. The valid entries are 1 to 10. The default is 2.
2. In the Minimum Interval field, change the minimum frequency with which the GSS attempts to schedule CRA-type keepalives. The valid entries are 1 to 60 seconds. The default is 10 seconds.
3. Click the Submit button to save your CRA global keepalive modifications.

Global KeepAlive Configuration - Name Server

To modify the Name Server keepalive global configuration settings, see Figure 6-11 and perform the following steps:

Figure 6-11 Global KeepAlives Details Page - Name Server KeepAlive

1. In the Query Domain field, change the globally defined domain name that is used to query when utilizing the name server (NS) keepalive. The default is ".".
2. In the Minimum Interval field, change the minimum frequency with which the GSS attempts to schedule name server query keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.
3. Click the Submit button to save your Name Server global keepalive modifications.


Configuring and Modifying Shared VIP KeepAlives


The GSS supports the use of shared keepalives to minimize traffic between the GSS and the SLBs that it is monitoring. A shared keepalive identifies a common address or resource that can provide status for multiple answers. Shared keepalives are used to periodically provide state information (online, offline) to the GSS for multiple VIP answer types. Once created, you can associate the shared keepalives with VIPs when you create a VIP answer type.

Note

Shared keepalives are not used with name server or CRA answers.

All answers are validated by configured keepalives and are not returned if the keepalive indicates that the answer is not viable. If a shared keepalive fails to return a status, all VIPs associated with that shared keepalive are assumed to be offline. If you intend to use the KAL-AP keepalive method with a VIP answer, you must configure a shared keepalive. The use of shared keepalives is an option for the ICMP, TCP, and HTTP HEAD keepalive types.

This section includes the following procedures:

- Creating a Shared VIP KeepAlive
- Modifying a Shared KeepAlive
- Deleting a Shared KeepAlive

Creating a Shared VIP KeepAlive


To create a shared VIP keepalive:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Shared KeepAlives navigation link. The Shared KeepAlives list page appears listing all existing shared keepalives (Figure 6-12).

Figure 6-12 Shared KeepAlives Lists Page

3. Click the Create Shared KeepAlive icon. The Creating New Shared KeepAlives details page appears (Figure 6-13).

Figure 6-13 Creating New Shared KeepAlives Details Page

4. At the Type section at the top of the page, choose one of the four keepalive types as the shared VIP keepalive:
- ICMP: Sends an ICMP echo message (ping) to the specified address. Online status is determined by the response received from the device, indicating simple connectivity to the network.
- TCP: Sends a TCP handshake to the specified IP address and port number of the remote device to determine service viability (three-way handshake and connection termination method), returning the online status of the device.
- HTTP-Head: Sends a TCP format HTTP HEAD request to an origin web server at a specified address. Online status of the device is determined in the form of an HTTP Response Status Code of 200 (for example, HTTP/1.0 200 OK) from the server as well as information on the web page status and content size.
- KAL-AP: Sends a detailed query to the Cisco CSS or CSM to extract load and availability. Online status is determined when these SLBs respond with information about a hosted domain name, host VIP address, or a configured tag on a content rule.

The following procedures describe how to configure the properties for the individual VIP shared keepalives. The default values used for each VIP keepalive are determined by the values specified in the Global Keepalive Properties details page.

- Shared KeepAlive Configuration - ICMP
- Shared KeepAlive Configuration - TCP
- Shared KeepAlive Configuration - HTTP HEAD
- Shared KeepAlive Configuration - KAL-AP

Cisco Global Site Selector Configuration Guide

6-20

OL-4327-01

Chapter 6

Configuring KeepAlives Configuring and Modifying Shared VIP KeepAlives

Shared KeepAlive Configuration - ICMP

To define the ICMP shared keepalive configuration, see Figure 6-14 and perform the following steps:

Figure 6-14 Shared KeepAlives Details Page - ICMP KeepAlive (Fast KAL Type)

1. Enter the IP address used to test the online status for the linked VIPs.
2. If the ICMP global keepalive configuration is set to the Fast KAL Type, specify the following parameters in the Fast Keepalive Settings section:

- In the Number of Retries field, specify the number of times the GSS retransmits an ICMP echo request packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.
- In the Number of Successful Probes field, specify the number of consecutive successful ICMP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note: For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.

3. Click the Submit button to save your ICMP shared keepalive configuration. You return to the Shared KeepAlives list page.

Shared KeepAlive Configuration - TCP

To define the TCP shared keepalive configuration, refer to Figure 6-15 and perform the procedure outlined below.

Figure 6-15 Shared KeepAlives Details Page - TCP KeepAlive (Fast KAL Type)

1. Enter the IP address used to test the online status for the linked VIPs.
2. In the Destination port field enter the port on the remote device that is to receive the TCP keepalive request. The port range is 1 to 65535. If you do not specify a destination port, the GSS uses the globally configured value.
3. Specify the TCP keepalive connection termination method:

- Default: Always use the globally defined TCP keepalive connection method.
- Reset: The GSS immediately terminates the TCP connection by using a hard reset.
- Graceful: The GSS initiates the graceful closing of a TCP connection by using the standard three-way connection termination method.

4. If the TCP global keepalive configuration is set to the Fast KAL Type, specify the following parameters in the Fast Keepalive Settings section:

- In the Number of Retries field, specify the number of times the GSS retransmits a TCP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.

Note: When using the Graceful termination sequence, there are two packets that require acknowledgement: SYN and FIN.

- In the Number of Successful Probes field, specify the number of consecutive successful TCP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note: For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.

5. Click the Submit button to save your TCP shared keepalive configuration. You return to the Shared KeepAlives list page.

Shared KeepAlive Configuration - HTTP HEAD

To define the HTTP HEAD shared keepalive configuration, see Figure 6-16 and perform the following steps:

Figure 6-16 Shared KeepAlives Details Page - HTTP HEAD KeepAlive (Fast KAL Type)

1. Enter the IP address used to test the online status for the linked VIPs.
2. In the Destination port field enter the port on the remote device that receives the HTTP HEAD-type keepalive request from the GSS. The port range is 1 to 65535. If you do not specify a destination port, the GSS uses the globally configured value.
3. In the Host Tag field, enter an optional domain name that is sent to the VIP as part of the HTTP HEAD query in the Host tag field. This tag allows an SLB to resolve the keepalive request to a particular website even when multiple sites are represented by the same VIP.
4. In the Path field, enter the default path that is relative to the server website being queried in the HTTP HEAD request. If you do not specify a default path, the GSS uses the globally configured value. For example:

/company/owner

5. Specify the HTTP HEAD keepalive connection termination method:

- Default: Always use the globally defined HTTP HEAD keepalive connection method.
- Reset: The GSS immediately terminates the TCP formatted HTTP HEAD connection by using a hard reset.
- Graceful: The GSS initiates the graceful closing of a TCP formatted HTTP HEAD connection by using the standard three-way connection termination method.

6. If the HTTP-HEAD global keepalive configuration is set to the Fast KAL Type, specify the following parameters in the Fast Keepalive Settings section:

- In the Number of Retries field, specify the number of times the GSS retransmits an HTTP HEAD packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.

Note: When using the Graceful termination sequence, there are three packets that require acknowledgement: SYN, HEAD, and FIN.

- In the Number of Successful Probes field, specify the number of consecutive successful HTTP HEAD keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note: For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.

7. Click the Submit button to save your HTTP HEAD shared keepalive configuration. You return to the Shared KeepAlives list page.

Shared KeepAlive Configuration - KAL-AP

To define the KAL-AP shared keepalive configuration, see Figure 6-17 and perform the following steps:

Figure 6-17 Shared KeepAlives Details Page - KAL-AP KeepAlive (Fast KAL Type)

1. Enter the primary (master) and secondary (backup) IP addresses that will be tested for online status in the fields provided. The secondary IP address is optional. The purpose of the secondary IP address is to query a second Cisco CSS or CSM in a virtual IP (VIP) redundancy and virtual interface redundancy configuration.
2. If you intend to use Content and Application Peering Protocol (CAPP) encryption, check the CAPP Secure box and enter an alphanumeric encryption key value in the CAPP Hash Secret field. This is the alphanumeric value used to encrypt interbox communications using CAPP. The same encryption value must also be configured on the Cisco CSS or CSM.
3. If the KAL-AP global keepalive configuration is set to the Fast KAL Type, specify the following parameters in the Fast Keepalive Settings section:

- In the Number of Retries field, specify the number of times the GSS retransmits a KAL-AP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.
- In the Number of Successful Probes field, specify the number of consecutive successful KAL-AP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note: For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.

4. Click Submit to create the new shared keepalive. You return to the Shared KeepAlives list page.


Modifying a Shared KeepAlive


To modify an existing shared keepalive:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Shared KeepAlives navigation link. The Shared KeepAlives list page appears (see Figure 6-12).
3. Click the Modify Shared KeepAlive icon located to the left of the shared keepalive you want to modify. The Modify Shared KeepAlive details page appears (Figure 6-18).

Figure 6-18 Modifying Shared KeepAlive Details Page

4. Use the fields provided to modify the shared keepalive configuration.
5. Click Submit to save your configuration changes. You return to the Shared KeepAlive list page.

Deleting a Shared KeepAlive


To delete a shared keepalive that is in use by the GSS from your GSS network, you must first disassociate any answers that are using the keepalive. Use the procedure that follows to disassociate your answers and remove a shared keepalive from your GSS network.

Caution: Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.

To delete a shared keepalive:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Shared KeepAlives navigation link. The Shared KeepAlives list page appears listing all existing shared keepalives.
3. Click the Modify Shared KeepAlive icon located to the left of the shared keepalive you want to remove. The Modifying Shared KeepAlive details page appears.
4. If the shared keepalive is associated with an answer, perform one of the following:

- To disassociate all answers from the selected shared keepalive and set the keepalive type of each of those answers to ICMP using the answer's own VIP, click the Set Answers KAL ICMP icon in the upper right corner of the page.
- To disassociate all answers from the selected shared keepalive and set the keepalive type of each of those answers to none, meaning that the GSS assumes they are always alive, click the Set Answers KAL None icon in the upper right corner of the page.

The GSS software prompts you to confirm your decision to disassociate all the answers from the existing shared keepalive.

5. Click the Delete button in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the shared keepalive.
6. Click OK to confirm your decision. You return to the Shared KeepAlives list page.

Where to Go Next
Chapter 7, Configuring Answers and Answer Groups, provides you with all the information you need to create and configure GSS answers and answer groups, which are resources that respond to DNS queries.


Chapter 7

Configuring Answers and Answer Groups


This chapter describes how to create and configure GSS answers and answer groups. It contains the following major sections:

- Configuring and Modifying Answers
- Configuring and Modifying Answer Groups

Configuring and Modifying Answers


In a GSS network, the term answers refers to resources that respond to content queries. When you create an answer using the primary GSSM, you are simply identifying a resource on your GSS network to which queries can be directed and that can provide your user's D-proxy with the address of a valid host to serve their request. Examples of GSS answers are:

- VIP: Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, a Web server, cache, or other geographically dispersed SLBs in a global network deployment.
- Name Server: A configured DNS name server on your network that can answer queries that the GSS cannot resolve.
- CRA: Content routing agents that use a resolution process called DNS race to send identical and simultaneous responses back to a user's D-proxy.

Once created, answers are grouped together as resource pools from which the GSS, using one of a number of available balance methods in a DNS rule, can choose the most appropriate answer for each user request. In addition, once the query is passed to the answer, intelligence on that resource can be applied in choosing the best host. For example, a request that is routed to a VIP associated with a CSS is evaluated by the CSS after it is received and directed to the most suitable host managed by that CSS.

In addition to specifying a resource, each answer also provides you with the option of specifying a keepalive for that resource, a method by which the GSS can periodically check to see if the resource is still up and running. The keepalive monitoring method available to you varies with the resource type, as explained in this section.

This section includes the following procedures:

- Creating a VIP-Type Answer
- Creating a CRA-Type Answer
- Creating a Name Server-Type Answer
- Modifying an Answer
- Suspending an Answer
- Reactivating an Answer
- Suspending or Reactivating All Answers in a Location
- Deleting an Answer

Creating a VIP-Type Answer


The VIP-type answer refers to a virtual IP address (VIP) associated with an SLB device such as a Cisco CSS or CSM. When the GSS receives requests for content that is managed by an SLB, the GSS returns an A-record containing the VIP of the SLB that manages that content. When configuring a VIP-type answer you have the option of configuring one of a variety of different keepalive types to test for that answer. For a KAL-AP keepalive, it is necessary to configure shared keepalives before configuring your answer. Refer to Chapter 6, Configuring KeepAlives for more information on creating shared keepalives.


Note: Once an answer is created the Answer type cannot be modified (for example, from VIP to CRA).

To configure a VIP-type answer:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears (Figure 7-1).

Figure 7-1 Answers List Page

3. Click the Create Answer icon. The Creating New Answer detail page appears (Figure 7-2).

Figure 7-2 Creating New Answer Details Page

4. In the Type field, click the VIP option button. The VIP Answer section appears in the details page (Figure 7-3).

Figure 7-3 Creating New Answer - VIP Details Page

5. In the Name field, enter a name for the VIP-type answer you are creating. Specifying a name for the answer is an optional step.
6. From the Location drop-down list, select a GSS location to which the answer corresponds. Specifying a location for an answer is an optional step. For details about creating a location, refer to Chapter 3, Configuring Resources.
7. In the VIP address field, enter the VIP address to which the GSS will forward requests.
8. Choose one of the five keepalive types for your VIP answer:

- None: Does not send keepalive queries to the VIP. The GSS assumes that the VIP is always alive.
- ICMP: Sends an ICMP echo message (ping) to the specified address. Online status is determined by the response received from the device, indicating simple connectivity to the network.
- TCP: Sends a TCP handshake to the specified IP address and port number of the remote device to determine service viability (three-way handshake and connection termination method), returning the online status of the device.
- HTTP-Head: Sends a TCP format HTTP HEAD request to an origin web server at a specified address. Online status of the device is determined in the form of an HTTP Response Status Code of 200 (for example, HTTP/1.0 200 OK) from the server as well as information on the web page status and content size.
- KAL-AP: Sends a detailed query to the Cisco CSS or CSM to extract load and availability. Online status is determined when these SLBs respond with information about a hosted domain name, host VIP address, or a configured tag on a content rule.

The following procedures describe how to configure the properties for the individual VIP keepalives. The default values used for each of the VIP keepalives are determined by the values specified in the Global Keepalive Properties details page.

- VIP Answer - ICMP KeepAlive
- VIP Answer - TCP KeepAlive
- VIP Answer - HTTP HEAD KeepAlive
- VIP Answer - KAL-AP KeepAlive


VIP Answer - ICMP KeepAlive

To define the ICMP keepalive for your VIP answer, see Figure 7-4 and perform the following steps:

Figure 7-4 Answer Details Page - ICMP KeepAlive VIP Answer

1. The VIP Address check box is automatically checked to instruct the GSS to send an ICMP echo message (ping) to the VIP address of the remote device and determine online status. If necessary, uncheck the VIP Address check box and select an ICMP-type shared keepalive from the Shared ICMP Keepalive drop-down list.
2. If the ICMP global keepalive configuration is set to the Fast KAL Type and the VIP Address is checked, specify the following parameters in the Fast Keepalive Settings section:

- In the Number of Retries field, specify the number of times the GSS retransmits an ICMP echo request packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.
- In the Number of Successful Probes field, specify the number of consecutive successful ICMP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it back into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note: For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.

3. Click the Submit button to save your ICMP keepalive VIP answer. You return to the Answers list page.


VIP Answer - TCP KeepAlive

To define the TCP shared keepalive for your VIP answer, see Figure 7-5 and perform the following steps:

Figure 7-5 Answer Details Page - TCP KeepAlive VIP Answer

1. The VIP Address check box is automatically checked to instruct the GSS to send a TCP keepalive to the VIP address of the remote device and determine online status. If necessary, uncheck the VIP Address check box and choose a TCP-type shared keepalive from the Shared TCP Keepalive drop-down list.
2. In the Destination Port field enter the port on the remote device that is to receive the TCP keepalive request. The port range is 1 to 65535. If you do not specify a destination port, the GSS uses the globally configured value.
3. If you enabled the VIP Address check box, specify the TCP keepalive connection termination method:

- Default: Always use the globally defined TCP keepalive connection method.
- Reset: The GSS immediately terminates the TCP connection by using a hard reset.
- Graceful: The GSS initiates the graceful closing of a TCP connection by using the standard three-way connection termination method.

4. If the TCP global keepalive configuration is set to the Fast KAL Type and the VIP Address is checked, specify the following parameters in the Fast Keepalive Settings section:

- In the Number of Retries field, specify the number of times the GSS retransmits a TCP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.

Note: When using the Graceful termination sequence, there are two packets that require acknowledgement: SYN and FIN.

- In the Number of Successful Probes field, specify the number of consecutive successful TCP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it back into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note: For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.

5. Click the Submit button to save your TCP keepalive VIP answer. You return to the Answers list page.


VIP Answer - HTTP HEAD KeepAlive

To define the HTTP HEAD shared keepalive for your VIP answer, see Figure 7-6 and perform the following steps:

Figure 7-6 Answer Details Page - HTTP HEAD KeepAlive VIP Answer

1. The VIP Address check box is automatically checked to instruct the GSS to send a TCP format HTTP HEAD request to the web server at an address you specified and determine online status. If necessary, uncheck the VIP Address check box and select an HTTP-type shared keepalive from the Shared HTTP HEAD keepalive drop-down list.
2. In the Destination Port field enter the port on the remote device that receives the HTTP HEAD-type keepalive request from the GSS. The port range is 1 to 65535. If you do not specify a destination port, the GSS uses the globally configured value.
3. In the Host Tag field, enter an optional domain name that is sent to the VIP as part of the HTTP HEAD query in the Host tag field. This tag allows an SLB to resolve the keepalive request to a particular website even when multiple sites are represented by the same VIP.
4. In the Path field, enter the path that is relative to the server website being queried in the HTTP HEAD request. If you do not specify a default path, the GSS uses the globally configured value. For example:

/company/owner

5. If you enabled the VIP Address check box, specify the HTTP HEAD keepalive connection termination method:

- Default: Always use the globally defined HTTP HEAD keepalive connection method.
- Reset: The GSS immediately terminates the TCP formatted HTTP HEAD connection by using a hard reset.
- Graceful: The GSS initiates the graceful closing of a TCP formatted HTTP HEAD connection by using the standard three-way connection termination method.

6. If the HTTP HEAD global keepalive configuration is set to the Fast KAL Type and the VIP Address is checked, specify the following parameters in the Fast Keepalive Settings section:

- In the Number of Retries field, specify the number of times the GSS retransmits a TCP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.

Note: When using the Graceful termination sequence, there are three packets that require acknowledgement: SYN, HEAD, and FIN.

- In the Number of Successful Probes field, specify the number of consecutive successful HTTP HEAD keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it back into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.

Note: For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.

7. Click the Submit button to save your HTTP HEAD keepalive VIP answer. You return to the Answers list page.
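The HTTP HEAD keepalive described in the Shared KeepAlive Configuration and VIP Answer procedures can be reproduced from an administrative host to confirm how a server answers for a given destination port, Host tag, path and termination method. The following Python code is an added example, not Cisco code: all function and class names are hypothetical, and the online/offline counting (one initial attempt plus the configured retries, then the configured number of consecutive successes) is a simplified model that ignores the GSS timing intervals.

```python
import socket
import struct


def build_head_request(path="/", host_tag=None):
    """Build the HEAD request bytes; refuse CR/LF so fields cannot inject headers."""
    for value in (path, host_tag or ""):
        if "\r" in value or "\n" in value or " " in value:
            raise ValueError("path and Host tag must not contain spaces or CR/LF")
    lines = [f"HEAD {path} HTTP/1.0"]
    if host_tag:                         # optional: selects one site behind a shared VIP
        lines.append(f"Host: {host_tag}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def status_is_200(response):
    """True when the status line reads like 'HTTP/1.0 200 OK'."""
    fields = response.split(b"\r\n", 1)[0].split()
    return len(fields) >= 2 and fields[0].startswith(b"HTTP/") and fields[1] == b"200"


def http_head_probe(ip, port=80, host_tag=None, path="/",
                    termination="graceful", timeout=2.0):
    """Send one HTTP HEAD keepalive and return True only for a 200 response."""
    if not 1 <= port <= 65535:           # port range stated in the guide
        raise ValueError("port must be 1 to 65535")
    if termination not in ("graceful", "reset"):
        raise ValueError("termination must be 'graceful' or 'reset'")
    request = build_head_request(path, host_tag)
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError:                      # refused, unreachable or timed out
        return False
    try:
        sock.sendall(request)
        data = b""
        while b"\r\n" not in data and len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
        return status_is_200(data)
    except OSError:
        return False
    finally:
        if termination == "reset":
            try:
                # POSIX: SO_LINGER on with zero timeout makes close() send RST
                sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                struct.pack("ii", 1, 0))
            except OSError:
                pass
        sock.close()


class AnswerState:
    """Simplified model of Number of Retries / Number of Successful Probes."""

    def __init__(self, retries=3, successful_probes=1):
        if not 1 <= retries <= 10:              # range stated in the guide
            raise ValueError("retries must be 1 to 10")
        if not 1 <= successful_probes <= 5:     # range stated in the guide
            raise ValueError("successful_probes must be 1 to 5")
        self.retries = retries
        self.successful_probes = successful_probes
        self.online = True
        self._failures = 0
        self._successes = 0

    def record(self, probe_ok):
        """Feed one probe result; return the resulting online status."""
        if probe_ok:
            self._failures = 0
            if not self.online:
                self._successes += 1
                if self._successes >= self.successful_probes:
                    self.online, self._successes = True, 0
        else:
            self._successes = 0
            if self.online:
                self._failures += 1
                # assumption: first attempt plus every retry must fail
                if self._failures > self.retries:
                    self.online, self._failures = False, 0
        return self.online


def replay(results, retries=3, successful_probes=1):
    """Run a list of constructed probe results through the model."""
    state = AnswerState(retries, successful_probes)
    return [state.record(r) for r in results]


if __name__ == "__main__":
    # Constructed sequence: three failures, then two successes.
    print(replay([False, False, False, True, True], retries=2, successful_probes=2))
```

With more retries the model tolerates more consecutive failures before marking the answer offline, which is the longer detection time the procedure describes.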

VIP Answer - KAL-AP KeepAlive

To define the KAL-AP shared keepalive for your VIP answer, see Figure 7-7 and perform the following steps:

Figure 7-7 Answer Details Page - KAL-AP Keepalive VIP Answer

1. From the KAL-AP Type drop-down list, select the format of the KAL-AP keepalive query. Your choices are:

- KAL-AP By Tag: Embeds an alphanumeric tag associated with the VIP in the KAL-AP request. The tag value is used to match the correct shared keepalive VIP, thus avoiding confusion that can be caused when probing for the status of a VIP that is located behind a firewall network address translation (NAT).
- KAL-AP By VIP: Embeds the keepalive VIP address in the KAL-AP request. The KAL-AP queries the keepalive address to determine online status.

2. If you chose KAL-AP By VIP, select the appropriate KAL-AP type keepalive from the Shared KAL-AP Keepalive drop-down list.
3. If you chose KAL-AP By Tag, select the appropriate KAL-AP type keepalive from the Shared KAL-AP Keepalive drop-down list, then enter a unique alphanumeric value in the Tag field. This is used as a key by the CSS or GSSM that matches the KAL-AP request with the appropriate VIP.
4. Click the Submit button to save your KAL-AP keepalive VIP answer. You return to the Answers list page.

Creating a CRA-Type Answer


The content routing agent (CRA) answer type relies on content routing agents and the GSS to choose a suitable answer for a given query based on the proximity of two or more possible hosts to the requesting D-proxy. With the CRA answer type, requests received from a particular D-proxy are served by the content server that responds first to the request. Response time is measured using a DNS race, coordinated by the GSS and content routing agents running on each content server. In the race, multiple hosts respond simultaneously to a request. The server with the fastest response time (the shortest network delay between itself and the client's D-proxy) is chosen to serve the content. The CRA answer type is designed to work with the GSS when the boomerang balance method is selected for a DNS rule (utilizing the Boomerang Server component of the GSS).


Closeness is determined when multiple hosts reply to the requesting D-proxy simultaneously in what is referred to as a DNS race. The GSS coordinates the start of the race so that all CRAs initiate their response at the same time. The first DNS reply to reach the D-proxy is chosen by the name server as the host containing the answer.

Note: Once an answer is created the Answer type cannot be modified (for example, from CRA to VIP).

To configure a CRA-type answer type:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).
3. Click the Create Answer icon. The Creating New Answer details page appears (see Figure 7-2).
4. In the Type selection field, click the CRA option button. The CRA Answer section appears in the details page (Figure 7-8).

Figure 7-8 Creating New Answer - CRA Answer

5. In the Name field enter a name for the CRA-type answer being created. Specifying a name for the answer is an optional step.
6. Click the Location drop-down list and select a location for the answer. Specifying a location for the answer is an optional step. For details about creating a location, refer to Chapter 3, Configuring Resources.
7. In the CRA Address field enter the interface or circuit address of the CRA.
8. If you want the GSS to perform keepalive checks on the CRA answer, click the Perform KeepAlive Check check box. Uncheck the Perform KeepAlive option if a static one-way delay value is used.
9. If a one way delay time is required, enter a value, in milliseconds, in the One Way Delay field. This value is used by the GSS to calculate a static round-trip time (RTT), with the one-way delay constituting one-half of the round-trip time that is used for all DNS races involving this answer.
10. Click Submit to create your new CRA-type answer. You return to the Answers list page.

Creating a Name Server-Type Answer


A name server (NS) answer type specifies the IP address of a DNS name server to which DNS queries are forwarded from the GSS. Using the name server forwarding feature, queries are forwarded to an external (non-GSS) name server for resolution, with the answer passed back to the GSS name server and from there to the requesting D-proxy. As such, the name server answer type acts as a guaranteed fallback resource, a way to resolve requests that the GSS cannot resolve itself, either because the requested content is unknown to the GSS, or because the resources that typically handle such requests are unavailable.

Note

Once an answer is created, the answer type cannot be modified (for example, from name server to VIP).

To configure a Name Server-type answer:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).
3. Click the Create Answer icon. The Creating New Answer details page appears (see Figure 7-2).
4. In the Type field, click the Name Server option button. The Name Server Answer section appears in the Creating New Answer details page (Figure 7-9).

Figure 7-9 Creating New Answer - Name Server Answer

5. In the Name field, enter a name for the name server-type answer you are creating. Specifying a name for the answer is an optional step.
6. From the Location drop-down list, select a GSS location to which the answer corresponds. Specifying a location for the answer is an optional step. For details about creating a location, refer to Chapter 3, Configuring Resources.
7. In the Name Server Address field, enter the IP address of the name server that the GSS is to forward requests to.
8. If you want the GSS to perform keepalive checks on the specified Name Server, click the Perform KeepAlive Check check box. The GSS queries the specified name server address to determine online status.
9. If you wish to have the GSS query the name server for a specific domain in determining online status, enter the domain name in the KeepAlive Query Domain field. If no domain is specified, the GSS queries the default query domain. For instructions on configuring the default query domain, see Chapter 6, Configuring KeepAlives.
10. Click Submit to create your new name server-type answer. You return to the Answers list page.

Modifying an Answer
Once you have configured your answers, they can be modified at any time. However, once an answer is created, the answer type cannot be modified (for example, from VIP to CRA).

To modify an existing answer:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears.
3. Click the Modify Answer icon located to the left of the answer you want to modify. The Modifying Answer details page appears (Figure 7-10).

Figure 7-10 Modifying Answer Details Page

4. Use the fields provided to modify the answer configuration.
5. Click Submit to save your configuration changes. You return to the Answers list page.

Suspending an Answer
If you have created an answer but wish to temporarily stop the GSS from using it, use the suspend feature on the primary GSSM GUI to prevent that answer from being used by any of the currently configured DNS rules. If you have already suspended an answer, use the activate feature to reactivate the answer (see the "Reactivating an Answer" section).

To suspend an answer:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).
3. Click the Modify Answer icon located to the left of the answer you want to suspend. The Modifying Answer details page appears (see Figure 7-10).
4. Click the Suspend Answer icon in the upper right corner of the page to suspend an answer.
5. Click OK to confirm your decision to suspend the answer. You return to the Answers list screen. The modified answer has a status of Suspended.

Reactivating an Answer
If you have already suspended an answer, use the activate feature to reactivate the answer.

To reactivate an answer:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).
3. Click the Modify Answer icon located to the left of the answer you want to activate. All suspended answers have a status of Suspended in the list. The Modifying Answer details page appears (see Figure 7-10).
4. Click the Activate Answer icon in the upper right corner of the page to reactivate an answer.
5. Click OK to confirm your decision to reactivate the answer. You return to the Answers list screen. The modified answer has a status of Active.

Suspending or Reactivating All Answers in a Location


Answers can be grouped and managed according to an established GSS location. Using a location to manage your answers makes it easier for you to quickly suspend or activate answers in a particular area of your network, for example, shutting down one or more data centers for the purposes of software upgrades or regular maintenance. The GSS automatically detects and routes requests around suspended answers.


Note

Suspending all answers in a location overrides the active or suspended state of an individual answer.

To suspend or reactivate answers based on their location:

1. From the primary GSSM GUI, click the Resources tab.
2. Click the Locations navigation link. The Locations list page appears.
3. Click the Modify Location icon located to the left of the location that includes answers that you want to suspend or reactivate. The Modifying Location details page appears.
4. Perform one of the following:
   • To suspend answers associated with this location, click the Suspend All Answers in This Location icon.
   • To reactivate suspended answers associated with this location, click the Activate All Answers in This Location icon.
5. Confirm your decision to suspend or activate the answers associated with this location.
6. Click OK. You return to the Locations list page.

Deleting an Answer
If you have created an answer but wish to delete it from the GSS, use the delete feature on the primary GSSM GUI to remove that answer.

Caution

Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.

To delete an answer:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).
3. Click the Modify Answer icon located to the left of the answer you want to remove. The Modifying Answer details page appears (see Figure 7-10).
4. Click the Delete Answer icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the answer.
5. Click OK to confirm your decision. You return to the Answers list page.

Configuring and Modifying Answer Groups


Answer groups are lists of GSS resources that are candidates to respond to DNS queries received from a user for a hosted domain. Using the DNS rules feature, these lists of network resources are associated with a particular balance method, which is used to resolve the request.

• In the case of a VIP answer group type, the GSS selects one or more VIPs using the balance method specified in the DNS rule.
• In the case of a CRA answer group type, all CRAs in the answer group are queried and then race to respond first to the D-proxy with their IP address.
• In the case of a name server answer group type, the GSS selects a name server using the balance method specified in the DNS rule and forwards the client's request to that name server.

A DNS rule can have up to three balance clauses, each specifying a different answer group from which an answer can be chosen, after taking load threshold, order, and weight factors into account for each answer.

Before creating your answer groups, you must first configure the answers that make up those groups. See the "Configuring and Modifying Answers" section for more information on creating GSS answers.

This section includes the following procedures:

• Creating an Answer Group
• Modifying an Answer Group
• Suspending or Reactivating an Answer Group
• Suspending or Reactivating All Answers in an Answer Group Associated with an Owner
• Deleting an Answer Group

Creating an Answer Group


To create an answer group:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answer Groups navigation link. The Answer Groups list page appears (Figure 7-11).

Figure 7-11 Answer Group List Page

3. Click the Create Answer Group icon. The Creating New Answer Group details page appears (Figure 7-12).

Figure 7-12 Creating New Answer Group Details Page - General Configuration

4. In the General Configuration details page (General Configuration navigation link), perform the following:
   • In the Name field, enter a name for the new answer group. The answer group name cannot contain spaces.
   • From the Type drop-down list, choose one of the three options:
     - Name Server: The answer group consists of configured name servers
     - CRA: The answer group consists of content routing agents (CRAs) for use with the Boomerang Server component of the GSS
     - VIP: The answer group consists of virtual IPs controlled by an SLB device such as a CSS or CSM
5. From the Owner drop-down list, select the GSS owner with which the answer group will be associated. For details about creating an owner, refer to Chapter 3, Configuring Resources.
6. In the Comments text area, enter a description or other instructions regarding the new answer group.
7. Click the Add Answers navigation link to access the Add Answers section of the page (Figure 7-13). Perform the following:
   a. Click the check box corresponding to each answer you wish to add to the answer group. If the list of answers on your GSS network spans more than one page, select the answers from only the first page of answers and proceed to the next step.
   b. Click the Add Selected button. The selected answers are added to the answer group. Answers can belong to more than one answer group simultaneously.
   c. Repeat Steps a and b if your answers span multiple pages.

Note

If an answer is added to multiple answer groups, when viewing the hit count of answers from either the Answer Status list page or the show statistics dns CLI command output, the number of hits provided represents the aggregate number of hits for that answer across all answer groups.

Figure 7-13 Creating New Answer Group Details Page - Add Answers

8. Click the General Configuration navigation link to return to the General Configuration section. The newly added answers appear in the Current Members section (Figure 7-14). There are different configuration options depending on the type of answer group.

Figure 7-14 Creating New Answer Group Details Page - Current Members

9. Perform one of the following:

Note

If you are unsure of the purpose of the order, weight, or load threshold settings, refer to Chapter 1, Introducing the Global Site Selector, the Balance Methods section for background information.

   • If configuring a Name Server type answer group, assign an order and weight to each answer in the answer group using the field and drop-down list provided.
   • If configuring a VIP type answer group, assign an order, load threshold (LT), and weight to each answer in the answer group using the fields and drop-down lists provided.

Note

Load thresholds, which allow the GSS to make routing decisions based on how heavily a particular resource is being tasked, can only be assigned to answers using the KAL-AP keepalive.

   • If configuring CRA, no configuration parameters are required.

10. Click the Submit button to save your answer group.

Modifying an Answer Group


Once you have created your answer groups, you can use the primary GSSM GUI to make modifications to their configurations, adding and removing answers, changing the order, weight, and load thresholds of individual answers. Answers can belong to more than one answer group. However, once you have added answers to an answer group, you cannot change the type of an answer group (for example, from VIP to CRA).

To modify an answer group:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answer Groups navigation link. The Answer Groups list page appears (see Figure 7-11).
3. Click the Modify Answer Group icon located to the left of the answer group you want to modify. The Modify Answer Group details page appears.
4. In the General Configuration details page (General Configuration navigation link), use the fields provided to modify the name, owner, or comments for the answer group.
5. Click the Add Answers navigation link. Click the check box corresponding to each answer you wish to add to the answer group. If the list of answers on your GSS network spans more than one page, select the answers from only the first page of answers, then click Add Selected, before proceeding to another page of answers.
6. To remove answers from the answer group, click the Remove Answers navigation link. The Remove Answers section of the page appears (Figure 7-15). Click the check box accompanying each answer you wish to remove from the list, then click the Remove Selected button. The deleted answers are removed from the page.

Figure 7-15 Modifying Answer Group - Remove Answers

7. Review your updated answer group under the Current Members section of the General Configuration details page (see Figure 7-14).
8. Click the Submit button to save your changes. You return to the Answer Groups list page.

Suspending or Reactivating an Answer Group


If you have created an answer group but wish to temporarily stop the GSS from directing requests to it, you can use the suspend answer group feature on the primary GSSM GUI to temporarily suspend the answers that make up that group, preventing that answer group from being used by any of the currently configured DNS rules.

Note

Suspending the answers in one answer group also affects any other answer groups to which those answers belong.

If you have already suspended the answers in an answer group, use the activate answers feature to reactivate the answer group.

To suspend or reactivate an answer group:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answer Groups navigation link. The Answer Groups list page appears (see Figure 7-11).
3. Click the Modify Answer Group icon located to the left of the answer group you want to suspend or reactivate. The Modifying Answer Group details page appears (Figure 7-16).

Figure 7-16 Modifying Answer Group - Suspend Answers Icon

4. To suspend an answer group, click the Suspend Answers button in the upper right corner of the page.
5. If you are reactivating a suspended answer group, click the Activate Answers icon.
6. Click OK to confirm your decision to suspend or reactivate the answers in the answer group. You return to the Answer Groups list page.
7. To view the status of the answers that you suspended or activated, refer to Chapter 10, Monitoring GSS Performance.

Suspending or Reactivating All Answers in an Answer Group Associated with an Owner


Answers that have been added to answer groups can be grouped and managed according to a GSS owner. Using a GSS owner to manage your answer groups makes it easier for you to quickly suspend or activate related answers.

To suspend or reactivate all answers in answer groups associated with a GSS owner:

1. From the primary GSSM GUI, click the Resources tab.
2. Click the Owners navigation link. The Owners list page appears (Figure 7-17).

Figure 7-17 Owners List Page

3. Click the Modify Owner icon located to the left of the answer group you want to suspend or reactivate. The Modifying Owner details page appears (Figure 7-18).

Figure 7-18 Modifying Owners Details Page

4. Perform one of the following:
   • To suspend all answers in all answer groups associated with this owner, click the Suspend All Answers in All Groups for This Owner icon in the upper-right corner of the details page.
   • To reactivate all suspended answers associated with this owner, click the Activate All Answers in All Groups for This Owner icon in the upper-right corner of the details page.
5. Confirm your decision to suspend or activate the answers. Click OK. You return to the Owner list page.


Deleting an Answer Group


If you have created an answer group and want to delete it from the GSS, use the delete feature on the primary GSSM GUI to remove that answer group. You cannot delete answer groups that are linked to DNS rules. Disassociate your answer group from all DNS rules before attempting to delete it (refer to Chapter 8, Building and Modifying DNS Rules). Deleting an answer group does not delete the answers contained in the answer group.

Caution

Deletions of any kind cannot be undone in the primary GSSM. If you might use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.

To delete an answer group:

1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answer Groups navigation link. The Answer Groups list page appears.
3. Click the Modify Answer Group icon located to the left of the answer group you want to remove. The Modifying Answer Group details page appears (see Figure 7-16).
4. Click the Delete Answer Group icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the answer group.
5. Click OK to confirm your decision. You return to the Answer Groups list page.

Where to Go Next
Chapter 8, Building and Modifying DNS Rules, describes constructing the DNS rules that govern all global server load balancing on your GSS network.


CHAPTER 8

Building and Modifying DNS Rules


Once you have configured your source address lists, domain lists, answers, and answer groups, you are ready to begin constructing the DNS rules that will govern all global server load balancing on your GSS network. When building DNS rules, you specify actions for the GSS to take when it receives a request from a known source (a member of a source address list) for a known hosted domain (a member of a domain list). The DNS rule specifies which response (answer) is given to the requesting user's local DNS host (D-proxy) and how that answer is chosen. One of a variety of balance methods is used to determine the best response to the request, based on the status and load of your GSS host devices.

Note

Before creating your DNS rules, review Chapter 1, Introducing the Global Site Selector, the GSS Architecture section.

This chapter contains the following major sections:

• DNS Rule Configuration Overview
• Building DNS Rules Using the Wizard
• Building DNS Rules Using the DNS Rule Builder
• Modifying DNS Rules
• Suspending a DNS Rule
• Reactivating a DNS Rule
• Suspending or Reactivating All DNS Rules Belonging to an Owner
• Deleting a DNS Rule
• Configuring DNS Rule Filters
• Removing DNS Rule Filters
• Delegation to GSS Devices

DNS Rule Configuration Overview


Because of the complexity of DNS rules, the primary GSSM GUI provides you with a choice of two methods for creating a DNS rule:

• DNS Rule Wizard
• DNS Rule Builder

DNS Rule Wizard


The DNS Rule Wizard (Figure 8-1) is an easy-to-use tool that guides you through the process of creating a DNS rule. The DNS Rule Wizard provides explanations for each step in the rule authoring process. The DNS Rule Wizard allows you to create source address lists, domain lists, answer groups, and balance methods on the fly.

Note

Owners, regions, and locations are not created as part of the DNS Rule Wizard and must be created prior to using the wizard.

Figure 8-1 DNS Rule Wizard - Introduction Page

When you use the wizard, the Next and Back buttons step you forward and backward through the rule-building process. Alternatively, use the navigation links under the Wizard Contents heading to move back and forth to any step in the wizard. To access the DNS Rule Wizard, click the DNS Rules tab and then click the Rule Wizard icon. See the "Building DNS Rules Using the Wizard" section for details.

DNS Rule Builder


If you are an experienced GSS user, you can use the DNS Rule Builder (Figure 8-2) to quickly assemble DNS rules from source address lists, domain lists, owners, and answers that you have already created. Using the fields and drop-down menus provided, you can assign a name for your rule and then configure the rule with up to three balance clauses for the GSS to choose an answer.
Figure 8-2 DNS Rule Builder Window

Because the DNS Rule Builder is launched in its own window, you can leave it open and return to the primary GSSM GUI to review or add answers, answer groups, owners, domain lists, and more. Any changes made to your GSS network configuration while the DNS Rule Builder is open are immediately reflected in the DNS Rule Builder. For example, an answer group added while the DNS Rule Builder window is open automatically appears in the drop-down list of answer groups. To access the DNS Rule Builder, click the DNS Rules tab and then click the Open Rule Builder icon. See the "Building DNS Rules Using the DNS Rule Builder" section for details.

Building DNS Rules Using the Wizard


To create a DNS rule using the DNS Rule Wizard:

Note

Owners, regions, and locations are not created as part of the DNS Rule Wizard and must be created prior to using the wizard.

1. From the primary GSSM GUI, click the DNS Rules tab, then the DNS Rules navigation link. The DNS Rules list appears (Figure 8-3).

Figure 8-3 DNS Rules List Page

2. Click the Rule Wizard icon. The DNS Rule Wizard introduction page appears (Figure 8-4). Read this page carefully; it provides an overview of the steps necessary to create a DNS rule.

Figure 8-4 DNS Rule Wizard - Introduction Page

3. Click the Next and Back buttons to step forward or backwards through the DNS rule-building process. Alternatively, use the links under the Wizard Contents table of contents to jump back and forth to any step in the Wizard.

The following procedures describe how to configure the properties for the individual pages in the DNS Rule Wizard.

• DNS Rule Wizard - Source Address List Page
• DNS Rule Wizard - Domain List Page
• DNS Rule Wizard - Answer Group Page
• DNS Rule Wizard - Balance Method Page
• DNS Rule Wizard - Summary

DNS Rule Wizard - Source Address List Page

This step uses the Source Address List section of the DNS Rule Wizard (Figure 8-5) to identify your source address list.

Figure 8-5 DNS Rule Wizard - Source Address List Page 1

Perform one of the following:

• To have this DNS rule apply to requests originating from any DNS proxy, click the Any Address option, then click Next. See the "DNS Rule Wizard - Domain List Page" section for information on using the Domain List detail page in the wizard.
• To have this DNS Rule apply to requests originating from a list of DNS proxies that you have not yet configured but now want to configure, click the Manually-entered source address list option, then click Next. See the "DNS Rule Wizard - Source Address List Page 2" section for information on using the Source Address List detail page in the wizard.
• To have this DNS rule apply to requests originating from a list of DNS proxies that you have already configured using the Source Address Lists feature, click the Predefined source address list option, then click Next. See the "DNS Rule Wizard - Source Address List Page 3" section for information on using the Domain List detail page in the wizard.

DNS Rule Wizard - Source Address List Page 2

If you chose the Manually-entered Source Address List option in the Source Address List section of the wizard, perform the following steps to create your Source Address List (Figure 8-6). Once you configure your Source Address List using the wizard, it is available for other DNS rules as well.

Figure 8-6 DNS Rule Wizard - Source Address List Page 2

1. Enter a name for your Source Address List in the List Name field.
2. Optionally, click the List Owner drop-down list and select a GSS owner name.
3. In the space provided, enter one or more source CIDR-format IP addresses that make up the list. You can enter individual IP addresses or address blocks. If you wish to enter multiple IP addresses, separate the addresses using semicolons. For example:

   192.168.1.110/32; 192.168.10.0/24; 192.161.0.0/16

4. Click Next to proceed to the Domain List detail page of the DNS Rule Wizard. See the "DNS Rule Wizard - Domain List Page" section for information.
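
A source address list decides which D-proxies a DNS rule applies to, so it is worth checking the semicolon-separated CIDR string before entering it. The following Python is an added example, not part of the Cisco guide or the GSS software; the function names are hypothetical, and rejecting entries that lack a prefix length or have host bits set is this example's own review policy, not documented GSS behavior.

```python
import ipaddress

# Constructed sample: the list string shown in step 3 of the procedure above.
SAMPLE_LIST = "192.168.1.110/32; 192.168.10.0/24; 192.161.0.0/16"


def parse_source_address_list(text):
    """Parse a semicolon-separated list of IPv4 CIDR entries.

    Returns (networks, problems): the valid entries as IPv4Network objects and
    a list of (entry, reason) pairs for everything that was rejected.
    """
    networks, problems = [], []
    for raw in text.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing semicolon
        if "/" not in entry:
            problems.append((entry, "no prefix length; write a single host as /32"))
            continue
        try:
            # strict=True rejects entries such as 192.168.10.5/24, where the
            # address has host bits set and the intended block is ambiguous.
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            problems.append((entry, str(exc)))
            continue
        if net in networks:
            problems.append((entry, "duplicate entry"))
            continue
        networks.append(net)
    return networks, problems


def nested_entries(networks):
    """Return (inner, outer) pairs where one entry lies wholly inside another.

    A nested entry is redundant and often means a block is wider than intended.
    """
    pairs = []
    for inner in networks:
        for outer in networks:
            if inner != outer and inner.subnet_of(outer):
                pairs.append((inner, outer))
    return pairs


def covering_entries(networks, dproxy_ip):
    """Return every list entry that contains the given D-proxy address."""
    addr = ipaddress.IPv4Address(dproxy_ip)
    return [net for net in networks if addr in net]


if __name__ == "__main__":
    nets, bad = parse_source_address_list(SAMPLE_LIST)
    for entry, reason in bad:
        print(f"rejected {entry}: {reason}")
    for inner, outer in nested_entries(nets):
        print(f"{inner} is already covered by {outer}")
    # Constructed D-proxy addresses used to spot-check the list.
    for ip in ("192.168.10.77", "192.168.1.111"):
        hits = covering_entries(nets, ip)
        print(ip, "->", [str(n) for n in hits] or "no entry matches")
```
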

DNS Rule Wizard - Source Address List Page 3

If you selected the Predefined Source Address List option in the Source Address List section of the wizard, perform the following procedure to create your Source Address List (Figure 8-7).

Figure 8-7 DNS Rule Wizard - Source Address List Page 3

1. Click the name of the Source Address List in the list to highlight it.
2. Click Next to proceed to the Domain List detail page of the DNS Rule Wizard. See the "DNS Rule Wizard - Domain List Page" section for information.

DNS Rule Wizard - Domain List Page

This step uses the Domain List section of the DNS Rule Wizard (Figure 8-8) to specify the domains that users will be requesting. Each GSS can support a maximum of 2000 hosted domains and 2000 hosted domain lists, with a maximum of 500 hosted domains supported for each domain list. If using a KAL-AP type answer, the GSS can support up to 1024 domains managed by any single server load balancing device such as a Cisco Content Services Switch (CSS) or Content Switching Module (CSM).

Figure 8-8 DNS Rule Wizard - Domains List Page 1

Perform one of the following:

• To have the DNS rule apply to requests for a hosted domain that you have not yet configured but now want to configure, click the Manually-entered domain list option, then click Next. See the "DNS Rule Wizard - Domain List Page 2" section for information on using this Domain List detail page in the wizard.
• To have the DNS Rule apply to requests for a domain from a list of hosted domains already configured using the Domain Lists feature of the primary GSSM, click the Predefined domain list option, then click Next. See the "DNS Rule Wizard - Domain List Page 3" section for information on using this Domain List detail page in the wizard.

DNS Rule Wizard - Domain List Page 2

If you chose the Manually-entered Domain List option in the Domain List section of the wizard, perform the following steps to manually configure the domains that users will be requesting (Figure 8-9). Once you have configured your Domain List using the DNS Rule Wizard, it is available for other DNS rules as well.

Figure 8-9 DNS Rule Wizard - Domains List Page 2

1. Enter a name for your Domain List in the List Name field.
2. Optionally, click the List Owner drop-down list and select an owner name.
3. In the space provided, enter one or more domain names that make up the list. You can enter complete domain names, or any regular expression that specifies a pattern by which the GSS can match incoming addresses. Any request for a hosted domain that matches that pattern is directed accordingly.

   For example, if you had only three hosted domains (www.cisco.com, support.cisco.com, and customer.cisco.com) for which the GSS was responsible, you might want to enter only those domains in your domain list, as follows:

   www.cisco.com; support.cisco.com; customer.cisco.com

   However, if you had 20 or more possible domains for which the GSS was responsible (www1.cisco.com, www2.cisco.com, and so on), manually entering each address is time consuming. In such a situation, you could create a wildcard expression that would cover all those domains, as follows:

   .*\.cisco\.com

4. When you complete entering the domain names, click Next to proceed to the Answer Group detail page of the DNS Rule Wizard. See the "DNS Rule Wizard - Answer Group Page" section for information.
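
A wildcard entry is easy to write wider than intended, so a candidate domain list can be tested against names that should and should not match before it is entered. The following Python is an added example, not part of the Cisco guide or the GSS software. Its assumptions: Python's `re` syntax stands in for the GSS pattern syntax, entries made only of hostname characters are treated as literal names, and matching is whole-name and case-insensitive; the guide does not state these semantics, so names that would match only under unanchored matching are reported separately.

```python
import re

MAX_DOMAINS_PER_LIST = 500  # per-list limit stated in the Domain List Page section

# Assumption of this example: an entry made only of hostname characters is a
# literal name; anything else is treated as a regular expression.
_LITERAL = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.?")


def compile_domain_list(text):
    """Split a semicolon-separated domain list and compile each entry.

    Returns a list of (entry, kind, compiled_regex), kind being "literal" or "regex".
    Raises ValueError for an oversized list or an entry that is not a valid pattern.
    """
    entries = [e.strip() for e in text.split(";") if e.strip()]
    if len(entries) > MAX_DOMAINS_PER_LIST:
        raise ValueError(f"{len(entries)} entries exceeds {MAX_DOMAINS_PER_LIST} per list")
    compiled = []
    for entry in entries:
        if _LITERAL.fullmatch(entry):
            kind, pattern = "literal", re.escape(entry.rstrip("."))
        else:
            kind, pattern = "regex", entry
        try:
            rx = re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            raise ValueError(f"entry {entry!r} is not a valid pattern: {exc}") from exc
        compiled.append((entry, kind, rx))
    return compiled


def first_match(compiled, qname):
    """Return the first entry that matches the whole query name, or None."""
    name = qname.rstrip(".")  # ignore the trailing root dot of an FQDN
    for entry, _kind, rx in compiled:
        if rx.fullmatch(name):
            return entry
    return None


def audit(text, must_match, must_not_match):
    """Check a candidate list against expected hits and expected misses.

    Findings are (problem, name, entry) tuples:
      "missed"                  - a name that should match but does not
      "overbroad"               - a name that should not match but does
      "overbroad-if-unanchored" - matches only if the pattern is not anchored
    """
    compiled = compile_domain_list(text)
    findings = []
    for name in must_match:
        if first_match(compiled, name) is None:
            findings.append(("missed", name, None))
    for name in must_not_match:
        hit = first_match(compiled, name)
        if hit is not None:
            findings.append(("overbroad", name, hit))
            continue
        for entry, kind, rx in compiled:
            if kind == "regex" and rx.search(name.rstrip(".")):
                findings.append(("overbroad-if-unanchored", name, entry))
                break
    return findings


if __name__ == "__main__":
    # Constructed test names; the two list strings are the ones from step 3.
    print(audit("www.cisco.com; support.cisco.com; customer.cisco.com",
                ["support.cisco.com"], ["www1.cisco.com"]))
    print(audit(r".*\.cisco\.com",
                ["www1.cisco.com", "www2.cisco.com"],
                ["cisco.com", "www.cisco.com.example.net"]))
```
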

DNS Rule Wizard - Domain List Page 3


If you selected the Predefined Domain List option, this step allows you to select from a list of previously configured domains (Figure 8-10).


Figure 8-10 DNS Rule Wizard - Domains List Page 3

1. Click the name of the domain list so that its name is highlighted.
2. Click Next to proceed to the Answer Group detail page of the DNS Rule Wizard. See the DNS Rule Wizard - Answer Group Page section for information.


DNS Rule Wizard - Answer Group Page


This step of the DNS Rule Wizard uses the Answer Groups section of the wizard (Figure 8-11) to configure an Answer Group.
Figure 8-11 DNS Rule Wizard - Answer Group Page 1


Perform one of the following:

To have this DNS rule respond to the request for the hosted domain using resources (answers) that you have not yet configured, click the Enter addresses option, then click Next. See the DNS Rule Wizard - Answer Group Page 2 section for information on using this Answer Group detail page in the wizard.

To have this DNS rule respond to the request for the hosted domain using resources (answers) that you already configured using the Answers and Answer Group features, click the Select an existing answer group option, then click Next. See the DNS Rule Wizard - Answer Group Page 4 section for information on using this Answer Group detail page in the wizard.

DNS Rule Wizard - Answer Group Page 2


If you chose the Enter Addresses option in the Answer Group section of the wizard (Figure 8-12), perform the following steps to create your answers and answer group. Once you configure your Answer Group using the Wizard, it is available for other DNS Rules as well.


Figure 8-12 DNS Rule Wizard - Answer Group Page 2

1. Enter a name for your answer group in the Group Name field.
2. Optionally, select an owner for the answer group by clicking the Group Owner drop-down list and selecting a GSS owner from the list.
3. Select an answer group type by clicking one of the three option buttons provided. Once you select an answer group type, only answers of that type (VIP, NS, or CRA) can be added to the group.

   VIP - Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, web server, cache or other geographically dispersed SLBs in a global network deployment.

   Name Server - A configured DNS name server on your network that can answer queries that the GSS cannot resolve.

   CRA - Content routing agents that use a resolution process called DNS race to send identical and simultaneous requests back to a user's D-proxy.



4. Click Next to begin configuring answers for your answer group. See the DNS Rule Wizard - Answer Group Page 3 section for information on using this Answer Group detail page in the wizard.

DNS Rule Wizard - Answer Group Page 3


This step uses the Answer Group page of the DNS Rule Wizard to configure answers for the specified answer group type: VIP, NS, or CRA (Figure 8-13).
Figure 8-13 DNS Rule Wizard - Answer Group Page 3


1. Perform one of the following:

   If configuring a VIP type answer group, use the following steps to identify the VIPs that provide the answers that make up the answer group. Assign an order, load threshold, and weight to each answer in the answer group.

   a. Enter the address of each VIP that belongs to the answer group in the IP Address fields provided.
   b. Click the Location drop-down list and select an optional Location.
   c. If using the Weighted Round Robin balance method, click the Weight drop-down list and assign a weight between 1 and 10 to each answer in the answer group.
   d. If using the Ordered List balance method, assign an order to each VIP listed in the answer group using the Order field provided. The number you assign represents the order of the answer in the list. Subsequent VIPs on the list will only be used in the event that preceding VIPs on the list are unavailable. The GSS supports gaps in numbering in an ordered list.

      Note

      For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.

   e. If using a KAL-AP-type answer, assign a load threshold between 0 and 255 using the Load Threshold field. If the VIP answer reports a load above the specified threshold, the GSS will deem the device unavailable to handle further requests.

   If configuring a new name server-type answer group, use the following steps to identify the name servers that provide the answers that make up the answer group:

   a. Enter the address of each name server that belongs to the answer group in the IP Address fields provided.
   b. For each name server IP address, select an optional location by clicking the Location drop-down list.


   c. If using the Weighted Round Robin balance method, click the Weight drop-down list and assign a weight between 1 and 10 to each answer in the answer group. The weight is used to create a ratio that the GSS uses when directing requests to each answer. For example, if Answer A has a weight of 10 and Answer B has a weight of 1, Answer A will receive 10 requests for every 1 directed to Answer B.
   d. If you are using the Ordered List balance method with this answer group, assign an order to each name server listed in the answer group using the Order drop-down list provided. The number you assign represents the order of the answer in the list. Subsequent name servers on the list will only be used in the event that preceding name servers on the list are unavailable. The GSS supports gaps in numbering in an ordered list.

      Note

      For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.

   If configuring a CRA type answer group, use the following steps to identify the content routing agents (CRAs) that provide the answers that make up the answer group, then assign a location for each answer in the answer group.

   a. Enter the address of each CRA that belongs to the answer group in the IP Address fields provided.
   b. For each CRA IP address, select an optional location by clicking the Location drop-down list.

2. Click Next to proceed to the Balance Method details page of the DNS Rule Wizard. See the DNS Rule Wizard - Balance Method Page section for information.
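A check of the order, weight and load threshold values entered on this page, with a small model of how they affect answer selection, as an added example that is not Cisco's code. It assumes "the first answer that contains the number" means first in list order and that a duplicate is never considered, and it uses a simple expanded schedule for weighted round robin; the GSS's actual scheduler is not described here, and the class, function names, addresses and reported_load values are constructed.

```python
from dataclasses import dataclass


@dataclass
class Answer:
    ip: str
    order: int = 0
    weight: int = 1
    load_threshold: int = 255
    reported_load: int = 0  # constructed stand-in for a KAL-AP load report
    alive: bool = True


def lint_answer_group(answers):
    """Return findings for values outside the ranges given on this page."""
    findings = []
    first_with_order = {}
    for a in answers:
        if not 1 <= a.weight <= 10:
            findings.append(f"{a.ip}: weight {a.weight} is outside 1-10")
        if not 0 <= a.load_threshold <= 255:
            findings.append(f"{a.ip}: load threshold {a.load_threshold} is outside 0-255")
        if a.order in first_with_order:
            findings.append(
                f"{a.ip}: order {a.order} is already used by "
                f"{first_with_order[a.order]}, so this answer is not used"
            )
        else:
            first_with_order[a.order] = a.ip
    return findings


def available(answer):
    """Usable if alive and not reporting a load above its threshold."""
    return answer.alive and answer.reported_load <= answer.load_threshold


def pick_ordered(answers):
    """Ordered List: the available answer with the lowest order number.

    Gaps in numbering are fine. Only the first answer carrying a given
    order number is a candidate (assumption: first in list order).
    """
    candidates = {}
    for a in answers:
        candidates.setdefault(a.order, a)
    for order in sorted(candidates):
        if available(candidates[order]):
            return candidates[order].ip
    return None


def weighted_round_robin(answers, requests):
    """Return the answers handed out for `requests` consecutive queries.

    Each available answer appears `weight` times in one cycle, which
    reproduces the 10-to-1 ratio in the Answer A / Answer B example.
    """
    cycle = [a.ip for a in answers if available(a) for _ in range(a.weight)]
    if not cycle:
        return []
    return [cycle[i % len(cycle)] for i in range(requests)]


# Constructed answer group: a gap in numbering (1, 5) and a duplicate order.
SAMPLE_GROUP = [
    Answer("192.0.2.10", order=1, weight=10),
    Answer("192.0.2.20", order=5, weight=1),
    Answer("192.0.2.30", order=5, weight=1),
]

if __name__ == "__main__":
    print(lint_answer_group(SAMPLE_GROUP))
    print(pick_ordered(SAMPLE_GROUP))
    print(weighted_round_robin(SAMPLE_GROUP[:2], 22).count("192.0.2.10"))
```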


DNS Rule Wizard - Answer Group Page 4


If you selected the Select an Existing Answer Group option, this step allows you to select from a series of previously configured answers (Figure 8-14).
Figure 8-14 DNS Rule Wizard - Answer Group Page 4

1. Click the name of the answer group in the list so that the name is highlighted.
2. Click Next to proceed to the Balance Method details page of the DNS Rule Wizard. See the DNS Rule Wizard - Balance Method Page section for information.


DNS Rule Wizard - Balance Method Page


This step of the DNS Rule Wizard uses the Balance Method page of the wizard (Figure 8-15) to select a balance method to use when selecting the answer from your answer group that is best suited to respond to the DNS query. Your choice of balance methods is limited by the type of answer group (name server, VIP, or CRA) you selected. The DNS Rule Wizard only supports selection of a single balance clause. If necessary, you can modify the DNS rule and add additional balance clauses using the DNS Rule Builder (see the Modifying DNS Rules section).
Figure 8-15 DNS Rule Wizard - Balance Method Page


Perform one of the following:

1. If configuring a VIP or name server answer group to respond to requests, choose from the following balance methods for each of your DNS rule clauses:

   Hashed - The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group.

      By Source Address - The GSS selects the answer based on a hash value created from the source address of the request.

      By Domain Name - The GSS selects the answer based on a hash value created from the requested domain name.

   Least Loaded - Available for VIP-type answer groups only using a KAL-AP keepalive. The GSS selects an answer from the list based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.

   Ordered List - The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports gaps in numbering in an ordered list.

   Note

   For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.

   Round Robin - The GSS cycles through the list of answers that are available as requests are received.

   Weighted Round Robin - The GSS cycles through the list of answers that are available as requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.


2. If you configured a CRA Answer Group to respond to requests:

   Boomerang is automatically assigned by the GSS software as the balance method.

   Enter a last gasp address in the Last Gasp field provided. This address serves as the answer in the event that no content routing agents reply to the request. If you specify a last gasp address, the GSS automatically:

      Creates an answer for this address
      Creates an answer group that contains the last gasp answer
      Adds a second balance clause to the DNS rule with the suffix -GROUP and uses ordered list as the balance method.

3. Click Next to proceed to the Summary page of the DNS Rule Wizard. An overview of your rule is provided that supplies information on the selected source address list, domain list, answer group, and balance method. See the DNS Rule Wizard - Summary section for information.


DNS Rule Wizard - Summary


The Summary page (Figure 8-16) provides an overview of your rule, including information on the source address list, domain List, answer group, and balance method chosen.
Figure 8-16 DNS Rule Wizard - Summary Page

Using the fields provided on the Summary page, complete your DNS rule as follows:

1. Enter a name for your DNS Rule in the Rule Name field.
2. Optionally, associate the rule with a GSS owner by selecting an owner name from the Rule Owner drop-down list.


3. Indicate what type of DNS query applies to this rule by selecting a query type from the Match DNS Query Type drop-down list:

   All - The DNS rule is applied to all DNS queries originating from a host on the configured source address list. For any request other than an A-record query (for example, MX or CNAME record), the GSS forwards the request to a name server configured in one of the three Balance Clauses. When the GSS receives the response from the name server, it then delivers the response to the requesting client D-proxy.

   Note

   When you select All as the Match DNS Query Type, you must configure one Balance Clause to include a name server-type answer group.

   A record - The DNS rule is applied only to answer address record (A record) requests originating from a host on the configured source address list. Requests with an unsupported query type (for example, MX, PTR, or CNAME record) that match this DNS rule are dropped and not answered by the GSS. For an AAAA query with a configured host domain, the GSS returns a NODATA (No Answer, No Error) response in order for the requester to then make a subsequent A-record query.

4. Select an operating status for the rule from the Rule Status drop-down list:

   Active - The DNS rule immediately begins processing requests.

   Suspended - The DNS rule is listed on the DNS Rules list page, but has a status of suspended. The DNS rule is not used to process any incoming DNS queries.

5. Click Finish to save your DNS Rule. You return to the DNS Rules list page.


Building DNS Rules Using the DNS Rule Builder


If you are comfortable with the process of building a DNS rule and have already configured your domain lists, answers, and answer groups, use the DNS Rule Builder to quickly assemble a DNS rule. The DNS Rule Builder is an interface that pulls together all the GSS elements needed to create new DNS rules. Because the DNS Rule Builder is launched in its own window, you can leave it open and return to the primary GSSM GUI to review or add answers, answer groups, owners, domain lists, and more. Any changes made to your GSS network configuration while the DNS Rule Builder is open are immediately reflected in the DNS Rule Builder.

In addition, the DNS Rule Builder allows you to configure multiple clauses for your DNS rule; that is, additional answer group and balance method pairs that can be tried in the event that the first answer group and balance method specified does not yield an answer.

To create a DNS rule using the DNS Rule Builder:

1. From the primary GSSM GUI, click the DNS Rules tab, then the DNS Rules navigation link. The DNS Rules list appears (Figure 8-17).


Figure 8-17 DNS Rules List Page

2. Click the Open Rule Builder icon. The DNS Rule Builder page opens in a separate window (Figure 8-18).


Figure 8-18 Create New DNS Rule Window

3. In the Rule Name field, enter a name for your new DNS Rule. Rule names cannot contain spaces.
4. From the Rule Owner drop-down list, choose a contact with whom the rule will be associated. The default Rule Owner is System.
5. From the Source Address List drop-down list, choose a Source Address List from which requests will originate. The DNS rule is applied only to requests coming from one of the addresses in the source address list. If you do not choose a source address list, the GSS automatically uses the default list Anywhere.


6. From the Domain List drop-down list, choose a domain list to which DNS queries will be addressed. The DNS rule is applied only to requests coming from one of the addresses in the source address list and for a domain on the specified domain list.
7. From the Match DNS Query Type drop-down list, indicate what type of DNS query applies to this rule:

   All - The DNS rule is applied to all DNS queries originating from a host on the configured source address list. For any request other than an A-record query (for example, MX or CNAME record), the GSS forwards the request to a name server configured in one of the three Balance Clauses. When the GSS receives the response from the name server, it then delivers the response to the requesting client D-proxy.

   Note

   When you select All as the Match DNS Query Type, you must configure one Balance Clause to include a name server-type answer group.

   A record - The DNS rule is applied only to answer address record (A record) requests originating from a host on the configured source address list. Requests with an unsupported query type (for example, MX, PTR, or CNAME record) that match this DNS rule are dropped and not answered by the GSS. For an AAAA query with a configured host domain, the GSS returns a NODATA (No Answer, No Error) response in order for the requester to then make a subsequent A-record query.

8. At the Balance Clause 1 heading:

   Select the answer group component of your first answer group/balance method pairing from the drop-down list. This is the first effort the GSS uses to select an answer for the DNS query.

   Select the balance method for the answer group from the drop-down list. Your choice of balance methods changes based on the type of answer group (Name Server, VIP, or CRA) you selected.


9. If you selected a VIP or name server answer group to respond to requests, choose from the following balance methods for each of your DNS rule clauses:

   Note

   If you selected a CRA-type Answer Group, the balance method is automatically set to Boomerang.

   Hashed - The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group.

      By Source Address - The GSS selects the answer based on a hash value created from the source address of the request.

      By Domain Name - The GSS selects the answer based on a hash value created from the requested domain name.

   Least Loaded - Available for VIP-type answer groups only using a KAL-AP keepalive. The GSS selects an answer from the list based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.

   Ordered List - The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports gaps in numbering in an ordered list.

   Note

   For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.

   Round Robin - The GSS cycles through the list of answers that are available as requests are received.

   Weighted Round Robin - The GSS cycles through the list of answers that are available as requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.

10. If you selected a VIP-type answer group, configure the following information in the fields provided:

   DNS TTL - The duration of time in seconds that the requesting DNS proxy caches the response sent from the GSS and considers it to be a valid answer.

   Return Record Count - The number of address records (A-records) that you want the GSS to return for requests that match the DNS rule.

11. If you selected a CRA-type answer group, configure the following information in the fields provided:

   DNS TTL - The duration of time in (units) that the requesting DNS proxy caches the response sent from the GSS and considers it to be a valid answer.

   Fragment Size - The preferred size of the boomerang race response that is produced by a match to a DNS rule and sent to the requesting client.

   Pad Size - The amount of extra data (in bytes) included with each CRA response packet and used to evaluate CRA bandwidth as well as latency when making load balancing decisions.

   IP TTL - The maximum number of network hops that should be utilized when returning a response to a CRA from a match on a DNS rule.

   Secret - A text string, up to 64 characters, that is used to encrypt critical data sent between the GSS boomerang server and CRAs. This key must be the same for each configured CRA.

   Max Prop. Delay - The maximum propagation delay, the maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS forwards a DNS request to a CRA.

   Server Delay - The maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS returns the address of its last gasp server as a response to the requesting name server.

12. If you wish, repeat Step 8 through Step 10 to select additional answer group/balance method pairings for Balance Clause 2 and Balance Clause 3. These answer pairs are only applied if the preceding clause is unable to provide an answer for the DNS query.
13. Click Save to save your DNS Rule. You return to the DNS Rules list page.

The DNS rule is now active and processing incoming DNS requests.
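How the Match DNS Query Type setting and the balance clauses interact, for both the wizard's Summary page and the Rule Builder steps above, as an added example that is not Cisco's code. It is a simplified model: each clause is given a constructed list of answers currently able to respond, the first of them stands in for the balance method, and the class names, action labels and addresses are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Clause:
    group_type: str  # "VIP", "NS" or "CRA", the answer group types on this page
    available: list  # constructed input: answers currently able to respond


@dataclass
class Rule:
    name: str
    match_query_type: str  # "All" or "A record"
    clauses: list          # Balance Clause 1, then 2, then 3
    status: str = "Active"


def lint_rule(rule):
    """Return findings for settings the page says are required."""
    findings = []
    if " " in rule.name:
        findings.append("rule names cannot contain spaces")
    if not 1 <= len(rule.clauses) <= 3:
        findings.append("a rule takes one to three balance clauses")
    has_ns = any(c.group_type == "NS" for c in rule.clauses)
    if rule.match_query_type == "All" and not has_ns:
        findings.append("query type All needs a name server-type answer group in one clause")
    return findings


def resolve(rule, qtype):
    """Return (action, answer) for one query that matched the rule."""
    if rule.status != "Active":
        return ("RULE_NOT_USED", None)  # suspended rules process no queries
    qtype = qtype.upper()
    if qtype != "A":
        if rule.match_query_type == "All":
            # Non-A queries go to a name server configured in one of the clauses.
            for clause in rule.clauses:
                if clause.group_type == "NS" and clause.available:
                    return ("FORWARD", clause.available[0])
            return ("NO_ANSWER", None)
        if qtype == "AAAA":
            return ("NODATA", None)  # lets the requester retry with an A query
        return ("DROP", None)        # unsupported types are not answered
    # A-record query: a later clause is tried only if the one before it
    # cannot provide an answer.
    for clause in rule.clauses:
        if clause.available:
            action = "FORWARD" if clause.group_type == "NS" else "ANSWER"
            return (action, clause.available[0])
    return ("NO_ANSWER", None)


# Constructed rules: clause 1 has no usable answer, so clause 2 is consulted.
A_ONLY = Rule("web_rule", "A record",
              [Clause("VIP", []), Clause("VIP", ["192.0.2.20"])])
ALL_NO_NS = Rule("all_rule", "All", [Clause("VIP", ["192.0.2.10"])])
ALL_WITH_NS = Rule("all_rule", "All",
                   [Clause("VIP", ["192.0.2.10"]), Clause("NS", ["192.0.2.53"])])

if __name__ == "__main__":
    for rule in (A_ONLY, ALL_NO_NS, ALL_WITH_NS):
        print(rule.name, lint_rule(rule),
              [resolve(rule, q) for q in ("A", "AAAA", "MX")])
```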


Modifying DNS Rules


As with the creation of DNS rules, you can also use the DNS Rule Builder or the DNS Rule Wizard to modify a DNS rule. To modify a previously created DNS rule, perform one of the following:

To modify a DNS rule using the DNS Rule Builder:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list appears.
2. Click the Modify DNS Rule Using Rule Builder Interface button located to the left of the DNS rule you want to modify. The Modify DNS Rule details page opens in a separate window.
3. Make modifications as necessary to the DNS rule. See Building DNS Rules Using the DNS Rule Builder for details about using the DNS Rule Builder.
4. Click Save when you complete your modifications. You return to the DNS Rules list page.

To modify a DNS rule using the DNS Rule Wizard:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list appears.
2. Click the Modify DNS Rule Using Wizard button located to the left of the DNS rule you want to modify. The Modify DNS Rule Wizard appears.
3. Make modifications as necessary to the DNS rule in the DNS Rule Wizard. See Building DNS Rules Using the Wizard for details about using the DNS Rule Wizard.
4. Click Finish when you complete your modifications. You return to the DNS Rules list page.


Suspending a DNS Rule


If you want to stop requests from being processed by a DNS rule on your GSS, use the suspend feature to temporarily deactivate the rule. You can use the suspend feature to temporarily halt traffic to particular answers while those resources are receiving maintenance. Once a rule has been suspended, you must reactivate it from the primary GSSM GUI before it can again be used to process incoming DNS queries.

To suspend a DNS rule from the DNS Rule Builder:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule you want to suspend. The DNS Rule Builder page appears in a separate browser window.
3. Click the Suspend icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to suspend the DNS rule.
4. Click OK to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Suspended.

To suspend a DNS rule from the DNS Rule Wizard:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Wizard icon located to the left of the DNS rule you want to suspend. The DNS Rule Wizard appears.
3. Click the Summary navigation link in the Wizard Contents table of contents. The Summary page appears (see Figure 8-16).
4. From the Rule Status drop-down list, select the Suspended operating status for the DNS rule.
5. Click Finish to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Suspended.


Reactivating a DNS Rule


To reactivate operation of a suspended DNS rule from the DNS Rule Builder:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule you want to activate. All suspended DNS rules have a status of Suspended in the list. The DNS Rule Builder window appears.
3. Click the Activate icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to activate the DNS rule.
4. Click OK to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Active.

To reactivate operation of a suspended DNS rule from the DNS Rule Wizard:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Wizard icon located to the left of the DNS rule you want to activate. The DNS Rule Wizard appears.
3. Click the Summary navigation link in the Wizard Contents table of contents. The Summary page appears (see Figure 8-16).
4. From the Rule Status drop-down list, select the Active operating status for the DNS rule.
5. Click Finish to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Active.


Suspending or Reactivating All DNS Rules Belonging to an Owner


DNS rules can be grouped and managed according to a GSS owner that has been established and with which the DNS rules have been associated. Using owners to manage your DNS rules makes it easier for you to quickly suspend or activate rules related to a particular group or department within your organization (for example, HR or Sales) without having to individually edit each rule that serves that owner.

To suspend or reactivate DNS rules belonging to an owner:

1. From the primary GSSM GUI, click the Resources tab.
2. Click the Owners navigation link. The Owners list page appears (Figure 8-19).

Figure 8-19 Owners List Page


3. Click the Modify Owner icon located to the left of the owner responsible for the DNS rules you want to suspend or reactivate. The Modifying Owner details page appears (Figure 8-20).

Figure 8-20 Modifying Owners Details Page

4. Perform one of the following:

   To suspend all DNS rules associated with this owner, click the Suspend All DNS Rules for This Owner icon in the upper-right corner of the details page.

   To reactivate all suspended DNS rules associated with this owner, click the Activate All DNS Rules for This Owner icon in the upper-right corner of the details page.

5. Confirm your decision to suspend or activate the answers. Click OK. You return to the Owner list page.

Deleting a DNS Rule


Use the delete feature on the primary GSSM GUI to remove a previously created DNS rule from the GSSM database. Deleting a DNS rule does not delete the source address lists, domain lists, owners, and answer groups associated with the DNS rule.

Caution

Deletions of any kind cannot be undone in the GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.

To delete a DNS rule:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule using rule builder interface icon located to the left of the DNS rule you want to delete. The DNS Rule Builder window appears.
3. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the DNS rule.
4. Click OK to confirm your decision. You return to the DNS Rule list page.

Configuring DNS Rule Filters


As your GSS network grows, so will your collection of DNS rules for handling traffic to and from your network. In time, it may become difficult to locate the rules that you need. For that reason, the GSS GUI provides filters that can be applied to your DNS rules, allowing you to view only those rules that have the properties you are interested in. For example, you can create a filter that will limit your view of the DNS rules to include only those that involve a certain source address list or domain list, use a certain balance method, are owned by a particular user, or have a status of active.

To configure a DNS rule filter:

1. From the primary GSSM GUI, click the DNS Rules tab.


2. Click the Filter DNS Rule List icon. The Configure DNS Rule List Filter details page appears (Figure 8-21).

Figure 8-21 Configure DNS Rule List Filter Details Page

3. To filter your list by any of the properties displayed on the Filter List page, enter a complete or partial (wildcard) value into the fields provided. This page is divided by Source Address List Filter Parameters, Domain List Filter Parameters, Balance Clause Filter Parameters, and DNS Rule Filter Parameters. The GSS supports filtering combinations in the properties of all four sections of the details page. Table 8-1 lists the parameters that can be used to filter your DNS rules list and provides explanations and sample entries for each parameter.


Table 8-1 DNS Rules Filter Parameters

Parameter | Description | Selection Examples

Source Address List Filter Parameters
Name | Name assigned to a source address list associated with the DNS rule | VIP1, VIP*, NameServerList
IP Address Block | IP address or address block assigned to a source address list associated with the DNS rule | 192.168.110.100, 192.168.*
Owner | Name of the owner assigned to the source address list associated with the DNS rule | Any, System, Education

Domain List Filter Parameters
Name | Name assigned to a domain list associated with the DNS rule | CiscoSystems, Cisco*
Domain | Domain included on the domain list associated with the DNS rule | www.cisco.com, support.cisco.com, www.*
Owner | Name of the owner assigned to the domain list associated with the DNS rule | Any, System, Sales

Balance Clause Filter Parameters
Answer Group Name | Name assigned to an answer group associated with the DNS rule | VIP_answer_Group_1, VIP_answer_Group_2, VIP_*
Answer Group Owner | Name of the owner assigned to the answer group associated with the DNS rule | Any, System, HR
Answer Group Type | Type of answer group associated with the DNS rule | CRA, Name Server, VIP
Contains Answer | Answer belonging to an answer group associated with the DNS rule | 192.161.1.2, 192.168.*
Balance Method | Type of balance method (such as boomerang and ordered list) associated with the DNS rule | Boomerang, Hashed, Least Loaded, Order List, Round-Robin, Weighted Round-Robin

DNS Rule Filter Parameters
Name | Name of the DNS rule | Cisco_Rule, Cisco*
Owner | Name of the owner assigned to the DNS rule | Any, System, Sales
Status | Status of the DNS rule, either active or suspended | Any, Active, Suspended


4. Click Submit to confirm your decision. The DNS Rule list page reappears. The displayed DNS rules are those that match your search criteria. If no DNS rules match the parameters that you used to filter the list, a message appears:
No DNS rules match the filter specification.

Removing DNS Rule Filters


Use the Show All DNS Rules icon on the DNS Rules list page to remove any filters that have been applied to your DNS Rules. The Show All DNS Rules icon removes all filters and displays a complete list of DNS Rules on your GSS network.

To remove DNS rule filters:

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Show All DNS Rules icon. The DNS Rule Filter list page refreshes, displaying all configured DNS rules.

Delegation to GSS Devices


Once you have configured your GSS devices to connect to your network and have created the logical resources (source address lists, domain lists, answers and answer groups, and DNS rules) required for global server load balancing, you are ready to complete the final step that integrates your new global server load-balancing device into your network's DNS infrastructure and starts delivering user queries to your GSS: modifying your parent domain's DNS server to delegate parts of its name space to your GSSs.

Note

You should carefully review and perform a test of your GSS deployment before making changes to your DNS server configuration that will affect your public or enterprise network configuration.


Modifying your DNS servers to accommodate your GSS devices involves the following steps:

1. Adding name server (NS) records to your DNS zone configuration file that delegate your domain or subdomains to one or more of your GSSs
2. Adding glue address (A) records to your DNS zone configuration file that map the DNS name of each of your GSS devices to an IP address

Example 8-1 provides an example of a DNS zone configuration file for a fictitious cisco.com domain that has been modified to delegate primary DNS authority for three domains to two GSS devices. Relevant lines are shown in bold type.

In Example 8-1, the delegated domains are:

- www.cisco.com
- ftp.cisco.com
- media.cisco.com

The GSS devices are:

- gss1.cisco.com
- gss2.cisco.com


Example 8-1 Sample BIND Zone Configuration File Delegating GSSs

cisco.com. IN SOA ns1.cisco.com. postmaster.cisco.com. (
        2001111001 ; serial number
        36000      ; refresh 10 hours
        3600       ; retry 1 hour
        3600000    ; expire 42 days
        360000     ; minimum 100 hours
        )
; Corporate Name Servers for cisco.com
        IN NS ns1.cisco.com.
        IN NS ns2.cisco.com.
ns1     IN A 192.168.157.209
ns2     IN A 192.168.150.100
; Sub-domains delegated to GSS Network
www     IN NS gss1.cisco.com.
        IN NS gss2.cisco.com.
media   IN CNAME www
ftp     IN NS gss1.cisco.com.
        IN NS gss2.cisco.com.
; Glue A records with GSS interface addresses
; Cisco GSS Dallas
gss1    IN A 172.16.2.3
; Cisco GSS London
gss2    IN A 192.168.3.6
. . .

When reviewing this zone file, remember that there are any number of possible GSS deployments that you can use, some of which may suit your needs and your network better than the example listed. For example, instead of having all subdomains shared by all GSS devices, you may want to allocate specific subdomains to specific GSSs.
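The two delegation steps (NS records for each subdomain, plus an A record for every GSS named in them) can be checked mechanically before the parent zone is reloaded. The following Python sketch is an added example, not part of the Cisco guide: it parses a copy of Example 8-1 embedded inline and reports the delegated subdomains and any GSS name server that lacks an A record. The function names are hypothetical, and the parser assumes only the SOA, NS, A and CNAME records the example uses.

```python
"""Audit a BIND zone file for GSS delegations: NS records plus A records."""

# Constructed sample: the records of Example 8-1, one per line, without the
# trailing ". . ." continuation marker.
ZONE_TEXT = """\
cisco.com. IN SOA ns1.cisco.com. postmaster.cisco.com. (
        2001111001 ; serial number
        36000      ; refresh 10 hours
        3600       ; retry 1 hour
        3600000    ; expire 42 days
        360000     ; minimum 100 hours
        )
; Corporate Name Servers for cisco.com
        IN NS ns1.cisco.com.
        IN NS ns2.cisco.com.
ns1     IN A 192.168.157.209
ns2     IN A 192.168.150.100
; Sub-domains delegated to GSS Network
www     IN NS gss1.cisco.com.
        IN NS gss2.cisco.com.
media   IN CNAME www
ftp     IN NS gss1.cisco.com.
        IN NS gss2.cisco.com.
; Glue A records with GSS interface addresses
gss1    IN A 172.16.2.3
gss2    IN A 192.168.3.6
"""


def qualify(name, origin):
    """Expand a relative owner or target name against the zone origin."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples for SOA, NS, A and CNAME records."""
    records, owner, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if pending:                                # inside a "( ... )" group
            line = f"{pending} {line.strip()}"
            pending = ""
        if line.count("(") > line.count(")"):
            pending = line
            continue
        inherits_owner = line[0].isspace()         # blank owner = previous owner
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not inherits_owner:
            owner = qualify(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():         # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":   # optional class
            tokens.pop(0)
        if owner is None or len(tokens) < 2:
            raise ValueError(f"cannot parse record: {raw!r}")
        rtype = tokens[0].upper()
        rdata = tokens[1] if rtype == "A" else qualify(tokens[1], origin)
        records.append((owner, rtype, rdata))
    return records


def audit_delegations(text, origin="cisco.com."):
    """Return (delegated names, problems) for the subdomains handed to GSSs."""
    records = parse_zone(text, origin)
    addresses = {o for o, t, _ in records if t == "A"}
    delegations = {}
    for o, t, target in records:
        if t == "NS" and o != origin:              # NS below the apex = delegation
            delegations.setdefault(o, []).append(target)
    delegated = set(delegations)
    for o, t, target in records:                   # an alias follows its target
        if t == "CNAME" and target in delegations:
            delegated.add(o)
    problems = []
    for name, servers in sorted(delegations.items()):
        for ns in servers:
            # A name server inside this zone must have its A record here.
            if ns.endswith("." + origin) and ns not in addresses:
                problems.append(f"{name} -> {ns}: no A record in this zone")
    return sorted(delegated), problems


if __name__ == "__main__":
    names, issues = audit_delegations(ZONE_TEXT)
    print("Delegated to GSS:", ", ".join(names))
    print("Problems:", issues or "none")
```

Note that media.cisco.com reaches the GSSs only through its CNAME to www, so it is delegated only as long as www is.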


Chapter 9

GSS Administration and Troubleshooting

This chapter covers the procedures necessary to properly manage and maintain your GSSM and GSS devices, including login security, software upgrades, GSSM database administration, and GSSM error messages.

This chapter contains the following major sections:

- Performing Advanced GSS Configuration Tasks
- Configuring the Primary GSSM Graphical User Interface
- Printing and Exporting GSSM Data
- Configuring GSS Security
- Configuring SNMP on Your GSS Network
- Backing Up the GSSM
- Upgrading the Cisco GSS Software
- Downgrading and Restoring Your GSS Devices
- Viewing Third-Party Software Versions
- Primary GSSM Error Messages


Performing Advanced GSS Configuration Tasks


These sections describe the following advanced GSS configuration tasks:

- Logically Removing a GSS or Standby GSSM from the Network
- Changing the GSSM Role in the GSS Network
- Modifying Network Configuration Settings of a GSS
- Changing the Startup and Running Configuration Files
- Loading the Startup Configuration from an External File

Logically Removing a GSS or Standby GSSM from the Network


This section describes the steps to logically remove a GSS or standby GSSM device from your network. You may need to logically remove a GSS from your network when you:

- Move a GSS device between GSS networks
- Send the GSS or standby GSSM out for repair or replacement

Logically remove a GSS or standby GSSM from the network before you physically remove or replace it.

Note

Do not logically remove the primary GSSM from the GSS network. If you need to take the primary GSSM offline for either maintenance or repair, temporarily switch the roles of the primary and standby GSSMs as outlined in the "Changing the GSSM Role in the GSS Network" section.

To logically remove a GSS or standby GSSM from the network, follow these steps. The first four steps in the instructions assume that the GSS or standby GSSM is operational. If that is not the case, proceed directly to step 5.

1. Log on to the CLI, following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The CLI prompt appears.

2. At the CLI prompt, enable privileged EXEC mode and then global configuration mode on the device. For example:
localhost.localdomain> enable


3. If possible, use the copy startup-config disk command to back up the startup configuration file on the GSS or standby GSSM device. For example:
localhost.localdomain# copy startup-config disk configfile

4. Use the gss stop command to stop the GSS software running on the GSS. For example:
localhost.localdomain# gss stop

5. Use the gss disable command to disable the selected GSS and remove any existing configuration, including deleting the GSSM database from the GSS device. This option returns the GSS to the initial, disabled state. If the GSS device is to be powered down, also enter the shutdown command. For example:
localhost.localdomain# gss disable
localhost.localdomain# shutdown

6. To logically remove a GSS or a standby GSSM from the network, access the primary GSSM graphical user interface and click the Resources tab.

7. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears.

8. From the Global Site Selectors list, click the Modify GSS icon located to the left of the GSS device you want to delete. The Modifying GSS details page appears.

9. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the GSS device.

10. Click OK to confirm your decision. You return to the Global Site Selectors list page with the deleted device removed from the list.

For details on physically removing or replacing a GSS from your network, refer to the Cisco Global Site Selector Hardware Installation Guide.

To add a GSS or standby GSSM back into the GSS network, follow the procedures outlined in Chapter 2, "Setting Up Your GSS." After you configure the GSS or standby GSSM, you may reload the backup copy of the GSS device startup configuration settings (see the "Loading the Startup Configuration from an External File" section).


Changing the GSSM Role in the GSS Network


The GSS software supports multiple GSSMs on a single GSS network, with one GSSM acting as the primary GSSM and another GSSM acting as a standby device. The standby GSSM is capable of temporarily taking over the role of the primary GSSM in the event that the primary GSSM is unavailable (for example, you need to move the primary GSSM or you want to take it offline for repair or maintenance).

Using the CLI, you can manually switch the roles of your primary and standby GSSMs at any time. Before switching GSSM roles, however, both a primary and a standby GSSM must be configured and enabled in your GSS network. Do not attempt to switch roles before both a primary and a standby GSSM have been configured and enabled (refer to Chapter 2, "Setting Up Your GSS").

In addition, ensure that the designated primary GSSM is offline before you attempt to enable the standby GSSM as the new primary GSSM. Having two primary GSSMs active at the same time may result in the inadvertent loss of configuration changes for your GSS network. Although request routing continues to function in such a situation, GUI configuration changes made on one or both devices may be lost or overwritten, and may not be communicated to your GSS devices. If this dual primary GSSM configuration occurs, the two primary GSSMs change to standby mode and you will need to reconfigure one of the GSSMs as the primary GSSM.

Note that the switching of roles between the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online. The interim primary GSSM can be used to monitor GSS behavior and make configuration changes if necessary.

Switching the Roles of the Primary and Standby GSSMs


Use the following steps to change the roles of your primary and standby GSSMs. These instructions assume that your primary GSSM is online and functional at the time you are switching GSSM roles. If this is not the case (for example, the primary GSSM is not functional), ignore any steps that apply to accessing the primary GSSM.

1. Log on to the CLI of the primary GSSM, following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The CLI prompt appears.


2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable

3. If you have not already done so, perform a full backup of your primary GSSM to preserve your current network and configuration settings (see the "Performing a Full GSSM Backup" section).

4. Configure the current primary GSSM as the standby GSSM. Use the gssm primary-to-standby command to place the primary GSSM in standby mode. For example:
gssm1.yourdomain.com# gssm primary-to-standby

5. If the GSSM is to be powered down, also enter the shutdown command. For example:
gssm1.yourdomain.com# shutdown

6. Exit from the CLI of the GSSM.

7. Log on to the standby GSSM. You cannot log in to the GUI of the old primary GSSM once it begins acting in a standby capacity.

8. Enable privileged EXEC mode. For example:
gssm2.yourdomain.com> enable

9. Configure the current standby GSSM to be the temporary primary GSSM for your GSS network. Use the gssm standby-to-primary command to enable your standby GSSM and make it the primary GSSM. For example:
gssm2.yourdomain.com# gssm standby-to-primary

The standby GSSM begins to function in its new role as the primary GSSM.

Note

The configuration changes do not take effect immediately. It can take up to five minutes for the other GSS devices in the network to learn about the new primary GSSM.

10. Exit privileged EXEC mode. The interim primary GSSM is now fully functional and you can now access the GUI.


Reversing the Roles of the Interim Primary and Standby GSSMs


To reverse the roles of the interim primary and standby GSSMs back to the original GSS network deployment (assuming both devices are online):

Note

If your original primary GSSM has been replaced by Cisco Systems, contact the Cisco Technical Assistance Center (TAC).

1. Log on to the CLI of the interim primary GSSM. The CLI prompt appears.

2. Enable privileged EXEC mode. For example:
gssm2.yourdomain.com> enable

3. Perform a full backup of the interim primary GSSM to preserve the current network and configuration settings (see the "Performing a Full GSSM Backup" section).

4. Use the gssm primary-to-standby command to place the current interim primary GSSM in standby mode and resume its role in the GSS network as the standby GSSM. For example:
gssm2.yourdomain.com# gssm primary-to-standby

5. Exit from the CLI of the standby GSSM.

6. Log on to the CLI of the primary GSSM from the original network deployment. The CLI prompt appears.

7. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable

8. Use the gssm standby-to-primary command to return the GSS device to its role as the primary GSSM in the GSS network. For example:
gssm1.yourdomain.com# gssm standby-to-primary


Modifying Network Configuration Settings of a GSS


Once you have configured your GSS devices in your network, you can use the CLI to modify the configuration settings of those devices.

To modify the network configuration of a GSS device:

1. Log on to the CLI, following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable

3. Use the gss stop command to stop your GSS servers. For example:
gssm1.yourdomain.com# gss stop

4. Enter global configuration mode. For example:
gssm1.yourdomain.com# configure
gssm1.yourdomain.com(config)#

5. Use the no form of the network configuration commands to erase configuration settings. For example, to change the IP address assigned to a GSS interface, you would enter:
gssm1.yourdomain.com(config-eth0)# no ip address 10.89.3.24 255.255.255.0
gssm1.yourdomain.com(config-eth0)# exit
gssm1.yourdomain.com(config)#

Once you have removed a GSS device setting, you can reregister it with the primary GSSM by following the instructions in Chapter 2, "Setting Up Your GSS."


Changing the Startup and Running Configuration Files


The network configuration for a GSS device includes:

- Interface: Ethernet interface being used
- IP address: Network address and subnet mask assigned to the interface
- GSS communications: Which interface (Ethernet 0 or Ethernet 1) is designated for handling GSS-related communications on the device
- GSS TCP keepalives: Which interface (Ethernet 0 or Ethernet 1) is designated for outgoing keepalives of type TCP and HTTP HEAD
- Host name: Host name assigned to the GSS
- IP default gateway: Network gateway used by the device
- IP name server: Network DNS server being used by the device
- IP routes: All static IP routes
- SSH enable: Whether SSH is enabled on the device
- Telnet enable: Whether Telnet is enabled on the device
- FTP enable: Whether FTP is enabled on the device

Each GSS device tracks two such configurations:

- Startup configuration: The default network configuration. These configuration settings are loaded each time the device is booted.
- Running configuration: The network configuration currently being used by the GSS device.

Usually, the running configuration and the startup configuration file are identical. However, once a configuration parameter is modified for any reason, the two must be reconciled using the CLI in one of the following ways:

- The running configuration can be saved as the new startup configuration using the copy running-config startup-config command. Any changes to the network configuration of the device are retained and used when the device is next rebooted.
- The startup configuration can be maintained. In this case, the running configuration is used up until the point at which the device is rebooted, at which time the running configuration is discarded and the startup configuration is restored.


To change the startup configuration file for a GSS device:


1. Log on to the CLI, following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The GSS CLI prompt appears. By default, the host name for GSS devices is localhost.localdomain. This name changes once you configure the host name for the device.

2. Enable privileged EXEC mode and then global configuration mode on the device. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com# config
gssm1.yourdomain.com(config)#

3. Make any desired changes to the network configuration of the device. For example, if you wanted to change the device host name, you would use the following command:
gssm1.yourdomain.com(config)# hostname new.yourdomain.com
new.yourdomain.com(config)#

4. Use the copy running-config startup-config command to install the current running configuration as the new startup configuration for the device. For example:
new.yourdomain.com(config)# copy running-config startup-config

5. Alternatively, use the copy command to achieve the same result, copying the running configuration to the startup configuration. For example:
new.yourdomain.com(config)# copy running-config startup-config

Loading the Startup Configuration from an External File


In addition to copying your running configuration as a new startup configuration internally, you can also upload or download GSS device configuration information from an external file using the copy command. Before attempting to load the startup configuration from a file, make sure that the file has been moved to a local directory on the GSS device.

To copy the GSS device startup configuration to or from a disk:

1. Log on to the CLI, following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The GSS CLI prompt appears.


2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable

3. Use the copy command to install a new startup configuration from a file. For example:
gssm1.yourdomain.com# copy disk startup-config filename

where filename is the name of the file containing the startup configuration settings.

4. Alternatively, copy the current startup configuration to a file for use on other devices or for backup purposes. For example:
gssm1.yourdomain.com# copy startup-config disk filename

where filename is the name of the file created to contain the startup configuration settings.

Configuring the Primary GSSM Graphical User Interface


The primary GSSM GUI provides you with a number of configuration options for modifying the behavior and performance of the primary GSSM web-based GUI. Among the settings you can modify are:

- GUI Session Inactivity Timeout Enable: Check box that enables or disables the use of the GUI Session Inactivity Timeout function
- GUI Session Inactivity Timeout: Number of minutes of inactivity that must pass before your primary GSSM GUI session is automatically terminated
- GSS Reporting Interval: Interval (in seconds) at which GSS devices report their status to the primary GSSM
- Monitoring Screen Refresh Interval: Interval (in seconds) at which the primary GSSM GUI refreshes displayed content


To modify any GUI session settings:


1. From the primary GSSM GUI, click the Tools tab.
2. Click the GUI Configuration navigation link. The GUI Configuration details page appears (Figure 9-1) listing fields for modifying your GUI session settings.

Figure 9-1 GUI Configuration Details Page

3. Perform one or more of the following:

- To adjust the amount of time without GUI activity that must pass before the primary GSSM automatically terminates the GUI session, click the GUI Session Inactivity Timeout Enable check box and enter a number in the GUI Session Inactivity Timeout field. This value is the length of time, in minutes, that passes without any user activity before the session is terminated.


- To adjust the amount of time that must pass before GSS devices report their status to the primary GSSM, enter a number in the GSS Reporting Interval field. This value is the length of time, in seconds, that passes between reports.
- To increase the length of time that passes between automatic screen refreshes when viewing GSS information from the primary GSSM GUI, enter a number in the Monitoring Screen Refresh Interval field. This value is the length of time, in seconds, that passes between automatic screen refreshes.

4. Click Submit to update the primary GSSM. The Transaction Complete icon appears in the lower left corner of the configuration area to inform you that the GUI session has been successfully updated.

Printing and Exporting GSSM Data


You can send any data displayed on the primary GSSM GUI to a local or network printer configured on your workstation, or export that data to a flat file for use with other office applications. When printing or exporting data, all information displayed on the primary GSSM GUI is dumped. You cannot select individual pieces of data to output.

To print or export GSSM data:

1. From the primary GSSM GUI, navigate to the list page or details page containing the data you wish to export or print.
2. Perform one of the following:

- To export the data, click the Export button. You are prompted to either save the exported data as a comma-delimited file or open it using your designated CSV editor.
- To print the data, click the Print button. The Print dialog box on your workstation appears, allowing you to choose a printer.

Note

If you need to export the output of all configured fields of the primary GSSM GUI from the GSS CLI (intended for use by a Cisco technical support representative), use the show tech-support config command. Refer to the Cisco Global Site Selector Command Reference.


Configuring GSS Security


Using the primary GSSM GUI, you can control access to the GUI. Using the CLI, you can control login access to individual GSS devices, as well as incoming traffic to your GSS devices.

This section includes the following procedures:

- Creating and Managing GSSM Login Accounts
- Creating and Managing GSS CLI Login Accounts
- Segmenting GSS Traffic by Interface
- Filtering GSS Traffic Using Access Lists
- Deploying GSS Devices Behind Firewalls

Creating and Managing GSSM Login Accounts


Using the user administration feature of the GSSM, you can create and maintain login accounts for the primary GSSM GUI. In addition to login name and password information, the user administration feature also allows you to maintain contact information for each user.

Note

Only users who log in to the primary GSSM GUI as administrator have the privileges to create, modify, or remove a GSSM GUI account.

This section includes the following procedures:

- Creating a GSSM GUI User Account
- Modifying a GSSM GUI User Account
- Removing a GSSM GUI User Account
- Changing Your GSSM GUI Password


Creating a GSSM GUI User Account


To create a GSSM GUI user account:

1. From the primary GSSM GUI, click the Tools tab.
2. Click the User Administration navigation link. The GUI Configuration list page appears (Figure 9-2).

Figure 9-2 GSSM User Administration List Page

3. Click the Create User icon. The Creating New User details page appears (Figure 9-3).


Figure 9-3 GSSM User Administration Details Page

4. In the User Account area, enter the login name for the new account in the Username field. Usernames can contain spaces.
5. In the Password field, enter the alphanumeric password for the new account.
6. In the Re-type Password field, reenter the password for the new account.
7. In the Personal Information area, enter the user's first name in the First Name field.
8. In the Last Name field, enter the user's last name. The first and last name will be displayed next to the user's login whenever the user logs on to the primary GSSM.


9. Optionally, fill in the rest of the user's contact information as follows:

- Job title: User's position within your organization
- Department: User's department
- Phone: User's business telephone number
- E-mail: User's e-mail address
- Comments: Any important information or comments about the user account

10. Click Submit to create your new user account. You return to the User Administration list page.

Modifying a GSSM GUI User Account


To modify an existing GSSM user account:

1. From the primary GSSM GUI, click the Tools tab.
2. Click the User Administration navigation link. The GUI Configuration list page appears (see Figure 9-2) listing existing user accounts.
3. Click the Modify User icon to the left of the user account that you wish to modify. The Modifying User details page appears (see Figure 9-3) listing fields for modifying your GUI session settings.
4. Use the fields provided to modify the user's account, as follows:

- Username: Change the account's login name.
- Password/Retype password: Modify the login password for the account; new passwords must be entered identically in both fields before they are accepted.
- First name: Modify the user's first name.
- Last name: Modify the user's last name.
- Job title: Modify the user's listed position within your organization.
- Department: Modify the user's department.
- Phone: Modify the user's business phone number.
- E-mail: Modify the user's e-mail address.
- Comments: Modify comments on the user account.


5. Click Submit to save changes to the account. You return to the GSSM User Administration list page.

Removing a GSSM GUI User Account


To delete an existing GSSM GUI user account:

1. From the primary GSSM GUI, click the Tools tab.
2. Click the User Administration navigation link. The GUI Configuration list page appears (see Figure 9-2) listing existing user accounts.
3. Click the Modify User icon to the left of the user account that you wish to remove. The Modifying User details page appears (see Figure 9-3), displaying that user's account information.

Note

You cannot delete the admin account.

4. Click the Delete icon. The software prompts you to confirm your decision to permanently delete the user.
5. Click OK. You return to the GSSM User Administration list page with the user account removed.

Changing Your GSSM GUI Password


Using the change password feature of the primary GSSM GUI, you can change the password for the account that you used to log on to the primary GSSM. You must know the existing password for an account before you can change it to a new value.

Note

If you change the Administration password that is used to log in to the primary GSSM GUI, and then either lose or forget the password, you can reset the password back to default by entering the reset-gui-admin-password CLI command. Refer to the Cisco Global Site Selector Command Reference for details on using this command.

To change your account password:

1. From the primary GSSM GUI, click the Tools tab.



2. Click the Change Password navigation link. The Change Password detail page (Figure 9-4) appears displaying your account name in the Username field.

Figure 9-4 GSSM Change Password Details Page

3. In the Old Password field, enter your existing GSSM login password.
4. In the New Password field, enter the string that you would like to use as the new GSSM login password.
5. In the Re-type New Password field, enter the new password string a second time. This is used to verify that you have entered your password correctly.
6. Click Submit to update your login password.


Creating and Managing GSS CLI Login Accounts


Using the CLI, you can set user access for each of your GSS devices, including the GSSM. User access to the CLI of your GSSs must be managed individually on each device.

Note

Only the admin account can create and manage GSS logins.

This section includes the following procedures:

- Creating a GSS User Account Using the CLI
- Modifying a GSS User Account Using the CLI
- Deleting a GSS User Account Using the CLI

Creating a GSS User Account Using the CLI


When creating user accounts from the CLI, you must specify the new login, password, and privilege level using a single command. You cannot create a new account without designating a value for each of these configuration settings. Refer to the Cisco Global Site Selector Command Reference for detailed information on the username command.

To create a user or administrative login account that can access the CLI of one of your GSS devices:

1. Log on to the CLI, following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode and then global configuration mode on the device. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#

3. Use the username command to create and configure your new login account and then press Enter to create the account. For example:
gss1.yourdomain.com(config)# username paulr password mypwd privilege admin
User paulr added.


   For a login name, enter an unquoted alphanumeric text string with no spaces and a maximum of 32 characters. Login names must start with an alpha character (for example, A-Z or a-z). The GSS does not support usernames that begin with a numerical value.
   For a password, enter an unquoted text string with no spaces and a maximum length of 8 characters.
   To create an administrative account, set the privilege level to admin. To create a user account, set the privilege level to user.
4. Repeat step 3 for each new user account that you wish to create.

Modifying a GSS User Account Using the CLI


When modifying a GSS user account using the CLI, use the same procedure that you used to create the account: entering the full username, password, and privilege level and substituting new values for the configuration settings that you wish to change.
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode and then global configuration mode on the device. For example:
    gss1.yourdomain.com> enable
    gss1.yourdomain.com# config
    gss1.yourdomain.com(config)#
3. Use the username command to modify your new login account and then press Enter to input the new values. For example:
    gss1.yourdomain.com(config)# username paulr password newpwd privilege user
    User paulr exists, change info? [y/n]: y
4. Repeat step 3 for each new user account that you wish to modify.

Deleting a GSS User Account Using the CLI


You must have administrative-level access to the GSS to delete login accounts.

To delete a login account:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.


2. Enable privileged EXEC mode and then global configuration mode on the device. For example:
    gss1.yourdomain.com> enable
    gss1.yourdomain.com# config
    gss1.yourdomain.com(config)#
3. Use the username command to delete an existing login account. For example:
    gss1.yourdomain.com(config)# username paulr delete
    User paulr removed

   Note: You cannot delete the admin account.
4. Repeat step 3 for each new user account that you wish to delete.

Resetting the CLI Administrator Account Password


If you accidentally forget the password for the GSS administrator account, you can reset it from the GSS CLI. You must have physical access to the GSS device to perform this procedure.

Note: If you change the Administration password that is used to log in to the primary GSSM GUI, and then either lose or forget the password, you can reset the password back to default by entering the reset-gui-admin-password CLI command. Refer to the Cisco Global Site Selector Command Reference for details on using this command.

To reset the CLI administrator account password:

1. Attach an ASCII terminal to the GSS console port, following the instructions in the Connecting Cables section of Chapter 3 in the Cisco Global Site Selector Hardware Installation Guide.
2. If the GSS device is currently up and running, enter the reload command to halt and perform a cold restart of your GSS device. For example:
    Host# reload
   As the GSS reboots, output appears on the console terminal.


3. After the BIOS boots and the LILO boot: prompt appears, enter ? (a question mark) to determine which software version the GSS device is running and to enter boot mode.
    LILO boot: ?
    GSS-<software_version>
    boot:
   At the LILO boot: prompt, press Tab or ? to view a listing of the available GSS software images.

   Note: Enter the ? command within a few seconds of seeing the LILO boot prompt or the GSS device continues to boot. If you miss the time window to enter the ? command, wait for the GSS to properly complete booting, cycle power to the GSS device, and try again to access the LILO boot prompt.
4. At the boot: prompt, enter GSS-<software_version> RESETADMINCLIPW=1. Use care when entering this command; this CLI command is case-sensitive. For example:
    boot: GSS-1.1.0 RESETADMINCLIPW=1

If you successfully reset the administrator password, the Resetting admin account CLI password message appears on the console terminal while the GSS device reboots. If the message does not appear, repeat steps 2 through 4 again. Pay close attention when you enter the GSS-<software_version> RESETADMINCLIPW=1 command.

Segmenting GSS Traffic by Interface


GSS devices include two Ethernet interfaces. By default, GSS servers listen for DNS traffic on both Ethernet interfaces.

Note: In the case of inter-GSS communications, GSS devices listen for configuration and status updates on one interface only, which is the first Ethernet interface (eth0) by default. You can use the gss-communications command to configure which interface is used for interdevice communications on the GSS network. Refer to the Cisco Global Site Selector Command Reference for instructions on using the gss-communications command.


However, for security reasons you may wish to limit GSS traffic to one interface, or segment traffic by constraining a certain type of traffic on a designated interface. Using the access-list and access-group commands discussed in the Filtering GSS Traffic Using Access Lists section, you can use access lists to limit traffic on either of your GSS interfaces.

For example, network management services like Telnet, SSH, and FTP listen on all active interfaces once they are enabled. To force these remote management servers to listen on only the second Ethernet interface, you would use the following CLI commands:

    gss1.yourdomain.com> enable
    gss1.yourdomain.com#
    gss1.yourdomain.com# config
    gss1.yourdomain.com(config)#
    gss1.yourdomain.com(config)# access-list alist1 permit tcp any destination-port ftp
    gss1.yourdomain.com(config)# access-list alist1 permit tcp any destination-port ssh
    gss1.yourdomain.com(config)# access-list alist1 permit tcp any destination-port telnet
    gss1.yourdomain.com(config)# access-group alist1 interface eth1

By default, the above commands would limit the second interface (eth1) to the specified traffic. All other traffic to that interface would be refused. To deny the same traffic on the first interface (eth0), you would use the following commands:

    gss1.yourdomain.com(config)#
    gss1.yourdomain.com(config)# access-list alist1 deny tcp any destination-port ftp
    gss1.yourdomain.com(config)# access-list alist1 deny tcp any destination-port ssh
    gss1.yourdomain.com(config)# access-list alist1 deny tcp any destination-port telnet
    gss1.yourdomain.com(config)# access-group alist1 interface eth0


Filtering GSS Traffic Using Access Lists


Using built-in packet filtering features on the GSS, you can instruct your GSSs and GSSMs to permit or refuse specific packets that are received based on a combination of criteria that includes:

- Destination port of the packets
- Requesting host
- Protocol used (TCP, User Datagram Protocol [UDP], or ICMP)

These packet-filtering tools, called access lists, are created and maintained from the GSS CLI. Access lists are essentially collections of filtering rules that are created using the access-list CLI command and can be applied to one or both of your GSS interfaces using the access-group command.

Each access list is a sequential collection of permit and deny conditions that apply to a source network IP address to control whether routed packets are forwarded or blocked at the GSS. The GSS examines each packet to determine whether to forward or drop the packet based on the criteria you specified within the access lists.

Note that each additional criteria statement that you enter is appended to the end of the access list statements. Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list.

The order of access list statements is important. When the GSS is deciding whether to forward or block a packet, the software tests the packet against each criteria statement in the order the statements were created. After a match is found, no more criteria statements are checked. If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.

For detailed information on access list syntax options, refer to the access-list, access-group, and show access-list commands in the Cisco Global Site Selector Command Reference.


This section includes the following procedures:

- Creating an Access List
- Associating an Access List with a GSS Interface
- Disassociating an Access List from a GSS Interface
- Adding Rules to an Access List
- Removing Rules from an Access List
- Viewing Access Lists

Creating an Access List


The term access list simply refers to one or more filtering rules that are grouped together. You can create any number of access lists on a given GSS device. After you have created an access list, rules can be appended to or removed from the list at any time. To ensure your GSS functions properly with access lists, identify the ports and protocols normally used by each GSS device. Table 9-1 illustrates the types of expected inbound traffic received by the GSS.
Table 9-1 GSS-Related Ports and Protocols (Inbound Traffic)

Source Port (Remote Device)  Destination Port (GSS)  Protocol  Details
*                            20-23                   TCP       FTP, SSH, and Telnet server services on the GSS
20, 21, 23                   *                       TCP       Return traffic of FTP and Telnet GSS CLI commands
*                            53                      UDP, TCP  GSS DNS server traffic
53                           *                       UDP       GSS software reverse lookup and dnslookup queries
123                          123                     UDP       Network Time Protocol (NTP) updates
*                            161                     UDP       Simple Network Management Protocol (SNMP) traffic
*                            443                     TCP       Primary GSSM GUI
1304                         1304                    UDP       CRA keepalives
*                            2000                    UDP       Inter-GSS periodic status reporting
*                            2001-2009               TCP       Inter-GSS communication
2001-2009                    *                       TCP       Inter-GSS communication
*                            3001-3009               TCP       Inter-GSS communication
3001-3009                    *                       TCP       Inter-GSS communication
5002                         *                       UDP       KAL-AP keepalives

*Any legal port number.

To create an access list:


1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.

   Note: You need access to the CLI of your GSS devices to create access lists.
2. Enable privileged EXEC mode and access configuration mode. For example:
    gss1.yourdomain.com> enable
    gss1.yourdomain.com#
    gss1.yourdomain.com# config
    gss1.yourdomain.com(config)#
3. Use the access-list command to create your first access list. For example, to configure an access list named alist1 containing a rule that allows any traffic using the TCP protocol on port 443 on the GSS device, enter the following:
    gss1.yourdomain.com# config
    gss1.yourdomain.com(config)# access-list alist1 permit tcp any destination-port eq 443


   Refer to the Cisco Global Site Selector Command Reference for an explanation of access-list command syntax.
4. Repeat step 3 for each access list that you wish to add to this device, or see the Adding Rules to an Access List section for instructions on adding more rules to an access list that already exists.

Associating an Access List with a GSS Interface


After you have created an access list, you must associate it with one or both of your GSS interfaces before it can be used to filter incoming traffic to that interface. When no access lists are associated with an interface, all incoming traffic is allowed on that interface. After an access list has been applied, only the type of traffic explicitly permitted by that list is allowed. All other traffic is disallowed. The access-group command is used to associate an access list with a GSS interface.

Note: You need access to the CLI of your GSS devices to associate access lists with GSS interfaces.

To associate access lists with a GSS interface:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode and access configuration mode. For example:
    gss1.yourdomain.com> enable
    gss1.yourdomain.com#
    gss1.yourdomain.com# config
    gss1.yourdomain.com(config)#
3. Use the access-group command to associate an access list with the GSS interface. For example, to associate the access list named alist1 with the first interface on your GSS device, you would enter the following:
    gss1.yourdomain.com(config)# access-group alist1 interface eth0
   Refer to the Cisco Global Site Selector Command Reference for an explanation of access-group command syntax.
4. Repeat step 3 for each access list that you wish to associate with an interface.

Disassociating an Access List from a GSS Interface


After you have associated an access list with one or more of your GSS interfaces, you can dissociate it from that interface using the no form of the access-group command. Disassociating an access list from an interface removes any constraints that the list applied to traffic to that interface.

Note: You need to be able to access the CLI of your GSS devices to disassociate access lists from GSS interfaces.

To disassociate an access list from an interface:

1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode and access configuration mode. For example:
    gss1.yourdomain.com> enable
    gss1.yourdomain.com#
    gss1.yourdomain.com# config
    gss1.yourdomain.com(config)#
3. Use the no access-group command to disassociate an access list from your GSS interface. For example, to disassociate the access list named alist1 from the first interface on your GSS device, you would enter the following:
    gss1.yourdomain.com(config)# no access-group alist1 interface eth0
   Refer to the Cisco Global Site Selector Command Reference for an explanation of access-group and no access-group command syntax.
4. Repeat step 3 for each access list that you wish to disassociate from an interface.

Adding Rules to an Access List


Once you have created one or more access lists, you can append rules to them at any time.

To add a rule to an access list:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.


2. Enable privileged EXEC mode and access configuration mode. For example:
    gss1.yourdomain.com> enable
    gss1.yourdomain.com#
    gss1.yourdomain.com# config
    gss1.yourdomain.com(config)#
3. Use the access-list command to add a new rule to an existing access list. For example, to add a new rule to the access list named alist1 that blocks all traffic from host 192.168.1.101, you would enter the following:
    gss1.yourdomain.com(config)# access-list alist1 deny tcp host 192.168.1.101
   Refer to the Cisco Global Site Selector Command Reference for an explanation of access-list command syntax.
4. Use the show access-list command to verify that the rule has been added to your access list. For example:
    gss1.yourdomain.com(config)# show access-list
    access-list:alist1
    access-list alist1 permit tcp any destination-port eq 443
    access-list alist1 deny tcp host 192.168.1.101
5. Repeat steps 3 and 4 for each rule that you wish to add to this access list.

Removing Rules from an Access List


Once you have created one or more access lists, you can remove rules from them at any time. Access lists must contain at least one rule. Removing the last rule from an access list removes the list itself from the GSS.

To remove a rule from an access list:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode and access configuration mode. For example:
    gss1.yourdomain.com> enable
    gss1.yourdomain.com#
    gss1.yourdomain.com# config
    gss1.yourdomain.com(config)#


3. Use the no form of the access-list command to remove a rule from an existing access list. For example, to remove the rule from the access list named alist1 that blocks all traffic from host 192.168.1.101, you would enter the following:
    gss1.yourdomain.com(config)# no access-list alist1 deny tcp host 192.168.1.101
   Refer to the Cisco Global Site Selector Command Reference for an explanation of access-list command syntax.
4. Use the show access-list command to verify that the rule has been removed from your access list. For example:
    gss1.yourdomain.com(config)# show access-list
    access-list:alist1
    access-list alist1 permit tcp any destination-port eq 443
5. Repeat steps 3 and 4 for each rule that you wish to remove from this access list, or from others configured on your system.

Viewing Access Lists


Use the show access-list command to view configured access lists. For example:

    gss1.yourdomain.com(config)# show access-list
    access-list:alist1
    access-list alist1 permit tcp any destination-port eq 443
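
The first-match ordering and the refusal of unmatched traffic on an associated list, described in this section, worked through as an added Python example (not Cisco code). It parses only the statement forms shown in this chapter's examples; the function names and the alist2 sample are constructed for illustration, and the shadow check only finds a statement hidden by one single earlier statement.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTOCOLS = ("tcp", "udp", "icmp")


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # one of PROTOCOLS
    host: Optional[str]    # requesting host, None for "any"
    dport: Optional[int]   # destination port, None when the statement names none


def parse_statement(line):
    """Parse one access-list statement in the forms used in this chapter's examples."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list":
        raise ValueError(f"unsupported statement: {line!r}")
    name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
    if action not in ("permit", "deny") or proto not in PROTOCOLS:
        raise ValueError(f"unsupported statement: {line!r}")
    if rest[0] == "any":
        host, rest = None, rest[1:]
    elif rest[0] == "host" and len(rest) >= 2:
        host, rest = str(ipaddress.ip_address(rest[1])), rest[2:]
    else:
        raise ValueError(f"unsupported source in: {line!r}")
    dport = None
    if rest:
        if len(rest) != 3 or rest[:2] != ["destination-port", "eq"] or not rest[2].isdigit():
            raise ValueError(f"unsupported port clause in: {line!r}")
        dport = int(rest[2])
        if not 0 < dport <= 65535:
            raise ValueError(f"port out of range in: {line!r}")
    return name, Rule(action, proto, host, dport)


def load(config):
    """Group statements by list name, keeping the order in which they were created."""
    lists = {}
    for line in config.strip().splitlines():
        if line.strip():
            name, rule = parse_statement(line)
            lists.setdefault(name, []).append(rule)
    return lists


def matches(rule, proto, src, dport=None):
    return rule.proto == proto and rule.host in (None, src) and rule.dport in (None, dport)


def decide(rules, proto, src, dport=None):
    """First matching statement wins; an associated list refuses whatever matches nothing."""
    for index, rule in enumerate(rules):
        if matches(rule, proto, src, dport):
            return rule.action, index
    return "deny", None


def covers(earlier, later):
    """True when every packet that matches `later` also matches `earlier`."""
    return (earlier.proto == later.proto
            and earlier.host in (None, later.host)
            and earlier.dport in (None, later.dport))


def unreachable(rules):
    """Return (index, shadowing index) for statements that can never be the first match."""
    found = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                found.append((i, j))
                break
    return found


# The list as it stands in this chapter after the "Adding Rules" procedure.
PAGE_ALIST1 = """
access-list alist1 permit tcp any destination-port eq 443
access-list alist1 deny tcp host 192.168.1.101
"""

# Constructed sample: a broad permit created before a narrower deny.
CONSTRUCTED_ALIST2 = """
access-list alist2 permit tcp any
access-list alist2 deny tcp host 192.168.1.101
access-list alist2 permit udp any destination-port eq 53
"""

if __name__ == "__main__":
    alist1 = load(PAGE_ALIST1)["alist1"]
    for probe in (("tcp", "192.168.1.101", 443), ("tcp", "192.168.1.101", 22), ("udp", "10.0.0.5", 53)):
        print(probe, "->", decide(alist1, *probe))
    print("unreachable in alist2:", unreachable(load(CONSTRUCTED_ALIST2)["alist2"]))
```

With the chapter's alist1, host 192.168.1.101 still reaches TCP port 443 because the permit statement was created first, and DNS on UDP port 53 is refused once the list is associated with an interface.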

Deploying GSS Devices Behind Firewalls


In addition to the packet-filtering features of the access-list and access-group commands discussed in the Filtering GSS Traffic Using Access Lists section, you can also deploy your GSS devices behind an existing firewall on your enterprise network. The GSS does not support deployment of devices behind a NAT for inter-GSS communication. The communication between the GSSs cannot include an intermediate device behind a NAT because the actual IP address of the devices is embedded in the payload of the packets.


When configuring your GSS for deployment behind a firewall, at a minimum you will need to allow DNS traffic into the box. If you have multiple GSSs deployed such that traffic between them must pass through a firewall, then you must configure the firewall to also allow inter-GSS communications and inter-GSS status reporting. Whether you need to allow other traffic in Table 9-2 and Table 9-3 will depend on your GSS configuration (for example, whether you are using KAL-AP keepalives) and whether you need access to certain GSS services through the firewall (for example, SNMP).

To configure your firewall to work with the GSS product, follow the guidelines in Table 9-2 and Table 9-3 to permit inbound and outbound traffic to and from the specified GSS ports. You may also want to use the access-list and access-group commands to enable authorized GSS traffic to the specified ports. By default, all ports not explicitly permitted in your access list are blocked by that interface once the list is associated.
Table 9-2 Inbound Traffic Going Through a Firewall to the GSS

Source Port (Remote Device)  Destination Port (GSS)  Protocol  Details
*                            20-23                   TCP       FTP, SSH, and Telnet server services on the GSS
20, 21, 23                   *                       TCP       Return traffic of FTP and Telnet GSS CLI commands
*                            53                      UDP, TCP  GSS DNS server traffic
53                           *                       UDP       GSS software reverse lookup and dnslookup queries
123                          123                     UDP       Network Time Protocol (NTP) updates
*                            161                     UDP       Simple Network Management Protocol (SNMP) traffic
*                            443                     TCP       Primary GSSM GUI
1304                         1304                    UDP       CRA keepalives
*                            2000                    UDP       Inter-GSS periodic status reporting
*                            2001-2009               TCP       Inter-GSS communication
2001-2009                    *                       TCP       Inter-GSS communication
*                            3001-3009               TCP       Inter-GSS communication
3001-3009                    *                       TCP       Inter-GSS communication
5002                         *                       UDP       KAL-AP keepalives

*Any legal port number.


Table 9-3 Outbound Traffic Originating from the GSS

Source Port (GSS)  Destination Port (Remote Device)  Protocol  Details
20-23              *                                 TCP       Return traffic of FTP, SSH, and Telnet server services on the GSS
*                  20, 21, 23                        TCP       Traffic of FTP and Telnet GSS CLI commands
53                 *                                 UDP, TCP  GSS DNS server traffic
*                  53                                UDP       GSS software reverse lookup and dnslookup queries
123                123                               UDP       Network Time Protocol (NTP) updates
161                *                                 UDP       Simple Network Management Protocol (SNMP) traffic
443                *                                 TCP       Primary GSSM GUI
1304               1304                              UDP       CRA keepalives
*                  2000                              UDP       Inter-GSS periodic status reporting
*                  2001-2009                         TCP       Inter-GSS communication
2001-2009          *                                 TCP       Inter-GSS communication
*                  3001-3009                         TCP       Inter-GSS communication
3001-3009          *                                 TCP       Inter-GSS communication
*                  5002                              UDP       KAL-AP keepalives

*Any legal port number.

To configure your GSS devices to function behind a firewall:
1. Determine what level of access and what services you wish to enable on your GSSs and GSSMs. Determine whether you want to allow FTP, SSH, and Telnet access to the device, or whether you wish to permit GUI access to your primary GSSM. Table 9-2 and Table 9-3 show which GSS-related ports and protocols must be enabled for the product to function properly.
2. Construct your access lists to filter traffic coming to and from your GSS device.
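
One way to check a planned inbound rule set against Table 9-2 before deploying it, as an added Python example that is not part of the Cisco guide. The service tags, the (protocol, source range, destination range) permit format and the sample firewall entries are constructed for illustration; a table row counts as open only when every flow in it is covered by a permit entry.

```python
ANY = ((0, 65535),)


def ports(*spans):
    """Build a port spec from single ports and (low, high) ranges."""
    return tuple(s if isinstance(s, tuple) else (s, s) for s in spans)


# Table 9-2 rows: (service tag, source ports, GSS destination ports, protocols, details).
# The service tags are labels chosen for this example.
TABLE_9_2 = [
    ("mgmt", ANY, ports((20, 23)), ("tcp",), "FTP, SSH, and Telnet server services on the GSS"),
    ("cli", ports(20, 21, 23), ANY, ("tcp",), "Return traffic of FTP and Telnet GSS CLI commands"),
    ("dns", ANY, ports(53), ("udp", "tcp"), "GSS DNS server traffic"),
    ("lookup", ports(53), ANY, ("udp",), "GSS software reverse lookup and dnslookup queries"),
    ("ntp", ports(123), ports(123), ("udp",), "Network Time Protocol (NTP) updates"),
    ("snmp", ANY, ports(161), ("udp",), "Simple Network Management Protocol (SNMP) traffic"),
    ("gui", ANY, ports(443), ("tcp",), "Primary GSSM GUI"),
    ("cra", ports(1304), ports(1304), ("udp",), "CRA keepalives"),
    ("inter-gss", ANY, ports(2000), ("udp",), "Inter-GSS periodic status reporting"),
    ("inter-gss", ANY, ports((2001, 2009)), ("tcp",), "Inter-GSS communication"),
    ("inter-gss", ports((2001, 2009)), ANY, ("tcp",), "Inter-GSS communication"),
    ("inter-gss", ANY, ports((3001, 3009)), ("tcp",), "Inter-GSS communication"),
    ("inter-gss", ports((3001, 3009)), ANY, ("tcp",), "Inter-GSS communication"),
    ("kalap", ports(5002), ANY, ("udp",), "KAL-AP keepalives"),
]


def fmt(spec):
    if spec == ANY:
        return "*"
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in spec)


def within(inner, outer):
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def row_open(row, permits):
    """True when every flow of a table row is covered by some permit entry."""
    _, src, dst, protos, _ = row
    return all(
        any(p == proto and within(s, psrc) and within(d, pdst) for p, psrc, pdst in permits)
        for proto in protos for s in src for d in dst
    )


def audit(permits, wanted):
    """Return (wanted rows not fully permitted, fully permitted rows nobody asked for)."""
    missing, unwanted = [], []
    for row in TABLE_9_2:
        tag, src, dst, protos, details = row
        label = f"{details} ({fmt(src)} -> {fmt(dst)}, {'/'.join(protos)})"
        is_open = row_open(row, permits)
        if tag in wanted and not is_open:
            missing.append(label)
        elif tag not in wanted and is_open:
            unwanted.append(label)
    return missing, unwanted


# Constructed firewall plan for two GSSs separated by a firewall: DNS plus inter-GSS traffic.
# It forgets the 3001-3009 source-port direction and leaves the management ports open.
FIREWALL_PERMITS = [
    ("udp", (0, 65535), (53, 53)),
    ("tcp", (0, 65535), (53, 53)),
    ("udp", (0, 65535), (2000, 2000)),
    ("tcp", (0, 65535), (2001, 2009)),
    ("tcp", (2001, 2009), (0, 65535)),
    ("tcp", (0, 65535), (3001, 3009)),
    ("tcp", (0, 65535), (20, 23)),
]
WANTED = {"dns", "inter-gss"}

if __name__ == "__main__":
    missing, unwanted = audit(FIREWALL_PERMITS, WANTED)
    print("missing:", missing)
    print("open but not wanted:", unwanted)
```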

Configuring SNMP on Your GSS Network


Your GSS or GSSM contains a Simple Network Management Protocol (SNMP) agent, ucd-snmp v4.2.3, that enables you to query your GSS devices for standard MIB resources found in MIB-II (RFC-1213) and HOST-RESOURCE-MIB (RFC-1514). SNMP runs on GSS port 161 by default. MIB-II and HOST-RESOURCE-MIB definitions can be obtained from the following Cisco FTP sites:

ftp://ftp.cisco.com/pub/mibs/v1
ftp://ftp.cisco.com/pub/mibs/v2

Before you can begin using SNMP to monitor your GSS or GSSM, however, you must first enable the SNMP agent on your GSS device.


This section includes the following procedures:

- Configuring SNMP on Your GSS
- Viewing SNMP Status
- Viewing MIB Files on the GSS

Configuring SNMP on Your GSS


To enable and configure the SNMP agent on your GSS device:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode and access configuration mode. For example:
    gss1.yourdomain.com> enable
    gss1.yourdomain.com#
    gss1.yourdomain.com# config
    gss1.yourdomain.com(config)#
3. Use the snmp enable command to enable the SNMP agent. For example:
    gss1.yourdomain.com(config)# snmp enable
4. Use the snmp community-string command to specify an SNMP community name for this GSS device. By default, the SNMP community string is public. To change the SNMP community string, enter an unquoted text string with no spaces and a maximum length of 12 characters. For example:
    gss1.yourdomain.com(config)# snmp community-string
    Enter new Community String:
5. Use the snmp contact command to specify the name of the contact person for this GSS device. You can also include information on how to contact the person; for example, a phone number or e-mail address. Enter an unquoted text string with a maximum of 255 characters including spaces. For example:
    gss1.yourdomain.com(config)# snmp contact
    Enter new Contact Info: Cisco Systems, Inc.


6. Use the snmp location command to specify the physical location of this GSS device. Enter an unquoted text string with a maximum length of 255 characters. For example:
    gss1.yourdomain.com(config)# snmp location
    Enter new Location Info: Boxborough, MA 01719
7. To disable SNMP or any of the parameters outlined above, use the no form of the snmp command. For example, to disable SNMP for the GSS, enter:
    gss1.yourdomain.com(config)# no snmp enable

Viewing SNMP Status


Once SNMP is enabled, you can display the Simple Network Management Protocol (SNMP) operating status on your GSS device using the show snmp command.

To view the operating status of SNMP on your GSS device:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
    gss1.yourdomain.com> enable
    gss1.yourdomain.com#
3. Use the show snmp command to verify that your SNMP agent, ucd-snmp, is enabled or disabled, as well as the community-string, location and contact. For example:
    Host# show snmp
    snmp is enabled
    snmp settings
    ------------
    Community String = <set>
    Location = Boxborough MA
    Contact = Cisco Systems

   Note: You can also use the gss status command to verify if SNMP is enabled or disabled.
4. See the Configuring SNMP on Your GSS section to change the status of your SNMP agent.

Viewing MIB Files on the GSS


If necessary, you can view the GSS MIB files contained in the /mibs directory on the GSS. The GSS includes a set of standard MIB resources found in MIB-II (RFC-1213) and HOST-RESOURCE-MIB (RFC-1514). MIB-II and HOST-RESOURCE-MIB definitions can be obtained from the following Cisco FTP sites:

ftp://ftp.cisco.com/pub/mibs/v1
ftp://ftp.cisco.com/pub/mibs/v2

If you need to copy the MIBs, use the ftp or scp commands.

To view the GSS MIB files:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
    gss1.yourdomain.com> enable
    gss1.yourdomain.com#
3. Use the dir command to view the list of GSS MIBs contained in the /mibs directory. For example:

    gss.cisco.com#dir /mibs
    total 1100
    drwxr-xr-x    2 root root   4096 Jul 18 08:45 .
    drwxrwxrwx   19 root root   4096 Jul 18 08:46 ..
    -rw-r--r--    1 root root  17455 Jul 18 08:45 AGENTX-MIB.txt
    -rw-r--r--    1 root root  19850 Jul 18 08:45 DISMAN-SCHEDULE-MIB.txt
    -rw-r--r--    1 root root  64311 Jul 18 08:45 DISMAN-SCRIPT-MIB.txt
    -rw-r--r--    1 root root  50054 Jul 18 08:45 EtherLike-MIB.txt
    -rw-r--r--    1 root root   4660 Jul 18 08:45 HCNUM-TC.txt
    -rw-r--r--    1 root root  52544 Jul 18 08:45 HOST-RESOURCES-MIB.txt
    -rw-r--r--    1 root root  10583 Jul 18 08:45 HOST-RESOURCES-TYPES.txt
    -rw-r--r--    1 root root   4015 Jul 18 08:45 IANA-ADDRESS-FAMILY-NUMBERS-MIB.txt
    -rw-r--r--    1 root root   4299 Jul 18 08:45 IANA-LANGUAGE-MIB.txt
    -rw-r--r--    1 root root  15661 Jul 18 08:45 IANAifType-MIB.txt
    -rw-r--r--    1 root root   5066 Jul 18 08:45 IF-INVERTED-STACK-MIB.txt
    -rw-r--r--    1 root root  71691 Jul 18 08:45 IF-MIB.txt
    -rw-r--r--    1 root root   6260 Jul 18 08:45 INET-ADDRESS-MIB.txt
    -rw-r--r--    1 root root  26781 Jul 18 08:45 IP-FORWARD-MIB.txt
    -rw-r--r--    1 root root  23499 Jul 18 08:45 IP-MIB.txt
    -rw-r--r--    1 root root  15936 Jul 18 08:45 IPV6-ICMP-MIB.txt
    -rw-r--r--    1 root root  48703 Jul 18 08:45 IPV6-MIB.txt
    -rw-r--r--    1 root root   2367 Jul 18 08:45 IPV6-TC.txt
    -rw-r--r--    1 root root   7257 Jul 18 08:45 IPV6-TCP-MIB.txt
    -rw-r--r--    1 root root   4400 Jul 18 08:45 IPV6-UDP-MIB.txt
    -rw-r--r--    1 root root   1174 Jul 18 08:45 RFC-1215.txt
    -rw-r--r--    1 root root   3067 Jul 18 08:45 RFC1155-SMI.txt
    -rw-r--r--    1 root root  79667 Jul 18 08:45 RFC1213-MIB.txt
    -rw-r--r--    1 root root 147822 Jul 18 08:45 RMON-MIB.txt
    -rw-r--r--    1 root root   4628 Jul 18 08:45 SMUX-MIB.txt
    -rw-r--r--    1 root root  15490 Jul 18 08:45 SNMP-COMMUNITY-MIB.txt
    -rw-r--r--    1 root root  20750 Jul 18 08:45 SNMP-FRAMEWORK-MIB.txt
    -rw-r--r--    1 root root   5261 Jul 18 08:45 SNMP-MPD-MIB.txt
    -rw-r--r--    1 root root  19083 Jul 18 08:45 SNMP-NOTIFICATION-MIB.txt
    -rw-r--r--    1 root root   8434 Jul 18 08:45 SNMP-PROXY-MIB.txt
    -rw-r--r--    1 root root  21495 Jul 18 08:45 SNMP-TARGET-MIB.txt
    -rw-r--r--    1 root root  38035 Jul 18 08:45 SNMP-USER-BASED-SM-MIB.txt
    -rw-r--r--    1 root root  33430 Jul 18 08:45 SNMP-VIEW-BASED-ACM-MIB.txt
    -rw-r--r--    1 root root   8263 Jul 18 08:45 SNMPv2-CONF.txt
    -rw-r--r--    1 root root  25052 Jul 18 08:45 SNMPv2-MIB.txt
    -rw-r--r--    1 root root   8924 Jul 18 08:45 SNMPv2-SMI.txt
    -rw-r--r--    1 root root  38034 Jul 18 08:45 SNMPv2-TC.txt
    -rw-r--r--    1 root root   3981 Jul 18 08:45 SNMPv2-TM.txt
    -rw-r--r--    1 root root  10765 Jul 18 08:45 TCP-MIB.txt
    -rw-r--r--    1 root root   2058 Jul 18 08:45 UCD-DEMO-MIB.txt
    -rw-r--r--    1 root root   3131 Jul 18 08:45 UCD-DISKIO-MIB.txt
    -rw-r--r--    1 root root   2928 Jul 18 08:45 UCD-DLMOD-MIB.txt
    -rw-r--r--    1 root root   8037 Jul 18 08:45 UCD-IPFWACC-MIB.txt
    -rw-r--r--    1 root root  30343 Jul 18 08:45 UCD-SNMP-MIB.txt
    -rw-r--r--    1 root root   4076 Jul 18 08:45 UDP-MIB.txt

4. If desired, use the ftp or scp command to copy the MIB files from the /mibs directory on the GSS to another location on the GSS or to a remote network location.

Backing Up the GSSM


The GSSM database of your primary GSSM is the heart of your GSS network. The GSSM database maintains all network and device configuration information, as well as the DNS rules that are used by your GSS devices to route DNS queries from users to available hosts. Because it is so important to the continued operation of your GSS network, it is important that you make frequent backups of your primary GSSM and its database to ensure that if a sudden and unexpected power loss or media failure occurs, your GSSM configuration and database survive, and your GSSM can be quickly restored to operation.

The two types of backups that you can perform are:

- Full: Backs up the GSSM network configuration settings as well as the GSSM database holding GSLB configuration information
- Database: Backs up just the primary GSSM database


We recommend that you always perform a full backup of the GSSM. From a full backup, you can later restore the same information that is contained in a database-only backup in addition to GSSM platform information (if desired). You do not have the option of restoring GSSM platform information from a database-only backup. The full backup provides you with the flexibility to pick and choose the specific GSSM configuration information you want to restore on the GSSM.

Whenever you execute a backup on your primary GSSM, the GSS software automatically creates a tar archive (tarball) of the necessary files. If you are performing a full backup, this file has the .full extension. If you are performing a database backup, the file has the .db extension. When you execute a database restore on your primary GSSM, this archive is automatically unpacked and the database is copied to the GSSM, overwriting the failed database that is there.

Backing up your GSSM database requires access to the GSS CLI and the completion of the following actions:

1. Determining the appropriate time to back up your GSSM
2. Determining whether you need to perform a full backup or database-only backup
3. Performing the backup
4. Moving the backup file to a secure location on your network

This section includes the following procedures:


• Determining When and What Type of Backup to Perform
• Performing a Full GSSM Backup
• Performing a GSSM Database Backup

Determining When and What Type of Backup to Perform


Some general guidelines exist for when and how to back up your primary GSSM. If followed, they help ensure that you are never caught unprepared if you suffer a catastrophic loss of your GSSM.

When to Perform a Full Backup


You should perform a full backup of your GSSM in these situations:

• Before switching GSSM roles, making the standby GSSM your primary GSSM on your network
• Before you perform a GSS software upgrade
• After you make any changes in the device or network configuration of your GSSM

When to Perform a Database Backup


You should perform a database backup of your GSSM in these situations:

• After you make any changes in the device configuration of any of your GSS devices using the GSSM GUI
• After you make any changes to the GSLB configuration of your GSS network using the GSSM GUI. For example, adding or removing an answer, source address list, DNS rule, or user account

Performing a Full GSSM Backup


You can perform a full primary GSSM backup at any time. Performing a full backup of the primary GSSM requires access to the CLI. To perform a full backup of your primary GSSM:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

   gss1.yourdomain.com> enable
   gss1.yourdomain.com#

3. Use the gssm database validate command to verify the integrity of your existing database.

   gssm1.yourdomain.com# gssm database validate
   gssm1.yourdomain.com#

4. Use the gssm backup command to create a full backup of your primary GSSM. You need to supply a filename for your full backup. For example:

   gssm1.yourdomain.com# gssm backup full gssmfullbk
   GSSM database backup succeeded [gssmfullbk.full]

5. Copy or move the backup file off your primary GSSM after you receive confirmation that the GSSM successfully created your full backup. This ensures that the backup is not lost if a media failure or other catastrophic loss occurs on your primary GSSM. Either the secure copy (scp) or ftp command can be used to move your full backup to a remote host. For example:

   gssm1.yourdomain.com# scp gssmfullbk.full username@server.yourdomain.com:~/

Performing a GSSM Database Backup


You can perform a database backup at any time. Backing up the primary GSSM database requires access to the GSS CLI. To perform a database backup of your primary GSSM:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

   gssm1.yourdomain.com> enable
   gssm1.yourdomain.com#

3. Use the gssm backup command to create a backup of your primary GSSM database. You need to supply a filename for your database backup. For example:

   gssm1.yourdomain.com# gssm backup database gssmdbbk
   GSSM database backup succeeded [gssmdbbk.db]

4. Copy or move the backup file off your primary GSSM after you receive confirmation that the GSSM successfully created your database backup. This ensures that the backup is not lost if a media failure or other catastrophic loss occurs on your primary GSSM. Either the secure copy (scp) or ftp command can be used to move your database backup to a remote host. For example:

   gssm1.yourdomain.com# scp gssmdbbk.db server.yourdomain.com:home

Upgrading the Cisco GSS Software


To upgrade to a new software version, you must have access to the GSS download area of the Cisco software download site and to Cisco.com. You must be familiar with the proper procedure for updating your GSS devices and know the CLI commands required to execute the backup.

To take full advantage of all of the features and capabilities of the software release, we recommend that you upgrade all GSS devices in your network within the same time frame, starting with the primary GSSM. This upgrade sequence ensures that the other GSS devices properly receive configuration information from, and are able to send statistics to, the primary GSSM.

The GSS software upgrade requires that you complete the following procedures in the order listed below:

1. Verifying the GSSM Role in the GSS Network
2. Backing up and Archiving the Primary GSSM
3. Obtaining the Software Upgrade
4. Upgrading Your GSS Devices

Verifying the GSSM Role in the GSS Network


You can reconfigure the standby GSSM to operate as an interim primary GSSM in the event that the primary GSSM is unavailable (for example, you need to move the primary GSSM or you want to take it offline for repair or maintenance). Note that the changing of roles between the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online. Before you continue with the upgrade procedure, verify that the roles of the designated primary and standby GSSMs have not changed. To verify the role of the current primary GSSM and the standby GSSM:
1. At the CLI of the current primary GSSM, enter the following commands:

   gssm1.yourdomain.com# cd /home
   gssm1.yourdomain.com# type ../props.cfg | grep -i fqdn

   The following output appears:

   controllerFqdn= domain_name or ip_address

2. Based on the output value for controllerFqdn, note the following:

   • If the value of the domain name or IP address is the current primary GSSM in your network, then the current primary GSSM and standby GSSM configuration is the original configuration and no further action is needed. Proceed to the Backing up and Archiving the Primary GSSM section.
   • If the value of the domain name or IP address is the current standby GSSM in your network, then the current primary GSSM and standby GSSM configuration is not the original configuration. In this case, you must reverse the roles of the primary and standby GSSM devices to those of the original GSS network deployment. See the Reversing the Roles of the Interim Primary and Standby GSSMs section.
   • If the value of the domain name or IP address is not the current primary GSSM or the standby GSSM in your network, this indicates that the device is not a primary GSSM or is no longer on the network. No further action is required. Proceed to the Backing up and Archiving the Primary GSSM section.

The next step is to ensure that you have a full (and current) backup of the primary GSSM database and that you archive this backup. Proceed to the Backing up and Archiving the Primary GSSM section.

Backing up and Archiving the Primary GSSM


Before you upgrade your GSS software, ensure that you have a full backup of your primary GSSM database and that you archive the backup by moving it to a remote device. The GSSM database maintains all network and device configuration information, as well as the DNS rules that are used by your GSS devices to route DNS queries from users to available hosts. That way, if necessary, you can quickly restore your GSS network to its previous state.

You can perform a full backup at any time. Doing so does not interfere with the functions of the primary GSSM or other GSS devices. See the Performing a Full GSSM Backup section for instructions on performing a full backup of your primary GSSM. Performing a full backup requires access to the CLI.

You are now ready to obtain the upgrade file and upgrade the software on a GSS device. Proceed to the Obtaining the Software Upgrade section.

Obtaining the Software Upgrade


Before you can update your GSS software, obtain the appropriate software update file from Cisco. To acquire the software update from Cisco, you must:

• Access the Cisco.com website and locate the software update files.
• Download the software update files to a server within your own organization that is accessible using FTP or SCP from your GSSs and GSSMs.

You must have a Cisco.com username and password before attempting to download a software update from Cisco.com. To acquire a Cisco.com login, go to http://www.cisco.com and click the Register link.

Note: You need a service contract number, Cisco.com registration number and verification key, Partner Initiated Customer Access (PICA) registration number and verification key, or packaged service registration number to obtain a Cisco.com username and password.

To add an upgrade file for the GSS software:

1. Launch your preferred web browser and point it to the Cisco Global Site Selector download page. When prompted, log in to Cisco.com using your designated Cisco.com username and password. The Cisco GSS Software download page appears, listing the available software upgrades for the GSS software product.

2. If you do not have a shortcut to the Cisco Global Site Selector download page:

   a. Log in to Cisco.com using your designated Cisco.com username and password.
   b. Access the Software Center from the Technical Support link.
   c. Select the Content Networking Software link from the Software Center - Software Products and Downloads page.
   d. Select the Cisco Global Site Selector link from the Software Center - Content Networking page.
   e. Select the Download Cisco Global Site Selector link from the Software Center - Content Networking page. The Cisco GSS Software download page appears, listing the available software upgrades for the Cisco GSS Software product.

   Note: When you first access the Content Networking page of the Software Center, you must apply for eligibility for GSS software updates because it is considered a strong encryption image. Under the Cisco Content Networking Cryptographic Software section is the Apply for 3DES Cisco Cryptographic Software Under Export Licensing Controls link. Click this link and complete the Encryption Software Export Distribution Authorization Form. You must complete this step to access and download Global Site Selector software images.

3. Locate the .upg file you wish to download by referring to the Release column for the proper release version of the software.

   Note: The meta file, originally posted for use with GSS version 1.0, is no longer posted for version 1.1(0) and subsequent releases. The meta file is unnecessary for the installation, and is only used as a check to let you verify the file size of the upgrade file. The Cisco Global Site Selector Software download page contains information on the GSS file size, the MD5 checksum, and other important details about the GSS software upgrade file. Use this file information to verify the integrity of the software upgrade file.

4. Click the link for the .upg file. The download page appears.
5. Click the Software License Agreement link. A new browser window opens to display the license agreement.
6. After you have read the license agreement, close the browser window displaying the agreement and return to the Software Download page.
7. Click the filename link labeled Download. If prompted, reenter your username and password.
8. Click Save to file and then choose a location on your workstation to temporarily store the .upg upgrade file.
9. Post the .upg file that you downloaded to a designated area on your network that is accessible to all your GSS devices.

You are now ready to upgrade the software on a GSS device. Proceed to the Upgrading Your GSS Devices section.
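
The integrity check called for in step 3, as an added example that is not Cisco tooling: a shell function for the workstation or staging server that compares a downloaded .upg file with the file size and MD5 checksum shown on the download page. The function names and the constructed sample files are assumptions; the demo shows that a copy damaged by an ASCII-mode transfer (the reason the upgrade procedure sets FTP to binary) fails the check.

```shell
#!/usr/bin/env bash
# Added example (not Cisco code). Run on the workstation or staging server,
# not on the GSS CLI. Function names are assumptions made for this example.

md5_of() {   # print the lowercase hex MD5 of a file
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"                      # BSD/macOS fallback
    fi
}

size_of() {  # print the size of a file in bytes
    wc -c < "$1" | tr -d '[:space:]'
}

# verify_upg FILE PUBLISHED_SIZE PUBLISHED_MD5
# returns 0 = file matches, 1 = size or checksum mismatch, 2 = bad arguments
verify_upg() {
    local file="$1" want_size="$2" want_md5 got_size got_md5
    want_md5="$(printf '%s' "$3" | tr 'A-F' 'a-f')"

    if [ ! -f "$file" ]; then
        echo "verify_upg: no such file: $file" >&2; return 2
    fi
    case "$want_size" in
        ''|*[!0-9]*) echo "verify_upg: size must be a byte count" >&2; return 2 ;;
    esac
    case "$want_md5" in
        *[!0-9a-f]*) echo "verify_upg: MD5 must be hexadecimal" >&2; return 2 ;;
    esac
    if [ "${#want_md5}" -ne 32 ]; then
        echo "verify_upg: MD5 must be 32 hex digits" >&2; return 2
    fi

    # Size first: it is cheap and catches truncated or line-ending-mangled files.
    got_size="$(size_of "$file")"
    if [ "$got_size" != "$want_size" ]; then
        echo "verify_upg: size $got_size != published $want_size" >&2
        echo "verify_upg: check that the FTP transfer type was binary" >&2
        return 1
    fi
    got_md5="$(md5_of "$file")"
    if [ "$got_md5" != "$want_md5" ]; then
        echo "verify_upg: MD5 $got_md5 != published $want_md5" >&2
        return 1
    fi
    echo "verify_upg: $file matches the published size and MD5"
}

# Constructed demonstration: a stand-in "upgrade file" containing CR LF byte
# pairs, and a copy with the CR bytes stripped, as an ASCII-mode transfer to a
# UNIX host would leave it. Returns 1 when the damaged copy is rejected.
demo_ascii_damage() {
    local dir good bad size md5 rc=0
    dir="$(mktemp -d)" || return 2
    good="$dir/gss.upg"; bad="$dir/gss-ascii.upg"
    printf 'GSS\r\nconstructed\r\npayload\r\n' > "$good"
    tr -d '\r' < "$good" > "$bad"
    size="$(size_of "$good")"; md5="$(md5_of "$good")"   # stand-in "published" values
    verify_upg "$good" "$size" "$md5" >/dev/null || { rm -rf "$dir"; return 2; }
    verify_upg "$bad" "$size" "$md5" 2>/dev/null || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

Run verify_upg again on the copy posted to the network location, since that copy is the one the GSS devices fetch.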

Upgrading Your GSS Devices


You must upgrade your GSS devices in the following sequence: the primary GSSM first, followed by the other GSS devices in your network. After you upgrade the primary GSSM, ensure that the GSS device in your network being upgraded has connectivity to the primary GSSM before you perform the software upgrade procedure.

When executing an upgrade, use the CLI install command. Before proceeding with the installation of the software upgrade, the install command also performs a validation check on the upgrade file, unpacks the upgrade archive, and installs the upgraded software. Finally, the install command restarts the affected GSS device.
Note: Upgrading your GSS devices causes a temporary loss of service for each affected device.

To upgrade the GSS software (starting with the primary GSSM):

1. Log on to the CLI of the GSS device.

2. Use the ftp or scp command to copy the GSS software upgrade file from the network location to a directory on the GSS. Ensure that you set the transfer type to binary. For example, to copy an upgrade file named gss.upg from a remote host, your FTP session might look like the following:

   gssm1.yourdomain.com> ftp host.yourdomain.com
   Connected to host.yourdomain.com.
   220 host.yourdomain.com FTP server (Version wu-2.6.1-0.6x.21) ready.
   Name (host.yourdomain.com:root): admin
   331 Password required for admin.
   Password:
   230 User admin logged in. Access restrictions apply.
   Remote system type is UNIX.
   Using ascii mode to transfer files.
   ftp> binary
   ftp> get
   (remote-file) gss.upg
   (local-file) gss.upg
   local: gss.upg remote: gss.upg
   200 PORT command successful.
   ...

3. Enable privileged EXEC mode. For example:

   gssm1.yourdomain.com> enable
   gssm1.yourdomain.com#

4. Enter the gss stop command to stop your GSS servers. For example:

   gssm1.yourdomain.com# gss stop

5. Enter the install command to install the upgrade. For example:

   gssm1.yourdomain.com# install gss.upg

6. At the "Proceed with install (the device will reboot)? (y/n):" prompt, type y to reboot the GSS device. When the GSS reboots, you lose any network CLI connections. Console connections remain active.

7. If you did not previously save changes to the startup-configuration file, the "Save current configuration? [y/n]:" prompt appears. Type y to continue. The GSS reboots.

8. After the GSS device reboots, log on to the device and enable privileged EXEC mode.

9. Enter the gss status command and verify that the GSS device reaches a Normal Operation state of runmode 4 or 5.

10. Repeat this procedure for the remaining GSS devices in your network.

Downgrading and Restoring Your GSS Devices


If you encounter problems with a software upgrade, you can always restore an earlier version of the GSS software on your GSSs and GSSMs. However, to restore an earlier version of your software, you must have backed up a version of your GSSM database that corresponds to that version. In other words, if you wish to downgrade from GSS Release 3 to GSS Release 1 software, there must be a GSS Release 1 database backup that you can restore; your GSS Release 3 database cannot run on the Release 1 platform because of changes in the database schema between releases.

We recommend that you always perform a full backup of the GSSM. From a full backup, you can restore the same information that is contained in a database-only backup in addition to GSSM platform information (if desired). You do not have the option of restoring GSSM platform information from a database-only backup. The full backup provides you with the flexibility to pick and choose the specific GSSM configuration information you want to restore on the GSSM.

When downgrading, use the following order of operations to safeguard your critical GSS data and properly restore your GSSM database:

1. Verify the current software version.
2. Perform a full backup of your primary GSSM.
3. Obtain the software downgrade (.upg) file.
4. Downgrade your GSS device.
5. Verify your downgrade.

In addition, do not attempt to restore an earlier version of the software than the earliest database backup you have available. For example, if the earliest version of the GSS software that you have run is Release 2.0 and your earliest database backup is for Release 2.0, do not attempt to downgrade to a release of the software earlier than 2.0.

This section includes the following procedures:

• Restoring an Earlier Software Version on Your GSS Devices
• Restoring Your GSSM from a Full Backup
• Restoring Your GSSM Database from a Database-Only Backup
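
The archive step of the backup procedures and the rule above, that a downgrade needs a backup taken on the target release, can be enforced together on the host that receives the copies. The following is an added example, not Cisco code: the archive directory, the manifest layout, the function names and the digits-and-dots release tag are all assumptions. Files are kept owner-only because, as this chapter states, a full backup carries platform information such as certificates and user information.

```shell
#!/usr/bin/env bash
# Added example (not Cisco code). Run on the archive host that receives the
# scp/ftp copies. ARCHIVE_DIR, the MANIFEST layout and all function names are
# assumptions made for this example.
ARCHIVE_DIR="${ARCHIVE_DIR:-./gss-archive}"
MANIFEST="$ARCHIVE_DIR/MANIFEST"   # one line per backup: sha256 release kind name

sha256_of() {   # print the hex SHA-256 of a file
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# archive_backup FILE GSS_RELEASE
# Files a .full or .db backup under the release it was taken on.
# returns 0 = archived, 2 = rejected input, 3 = could not store
archive_backup() {
    local src="$1" release="$2" base kind dest
    base="$(basename "$src")"
    case "$base" in
        *[[:space:]]*) echo "archive_backup: whitespace in name: $base" >&2; return 2 ;;
        *.full) kind=full ;;
        *.db)   kind=db ;;
        *) echo "archive_backup: not a .full or .db file: $base" >&2; return 2 ;;
    esac
    case "$release" in
        ''|*[!0-9.]*) echo "archive_backup: bad release tag: $release" >&2; return 2 ;;
    esac
    if [ ! -s "$src" ]; then
        echo "archive_backup: missing or empty: $src" >&2; return 2
    fi
    mkdir -p "$ARCHIVE_DIR" && chmod 700 "$ARCHIVE_DIR" || return 3
    dest="$ARCHIVE_DIR/$release-$base"
    if [ -e "$dest" ]; then                  # never replace an archived backup
        echo "archive_backup: refusing to overwrite $dest" >&2; return 3
    fi
    cp "$src" "$dest" && chmod 600 "$dest" || return 3
    printf '%s %s %s %s\n' "$(sha256_of "$dest")" "$release" "$kind" \
        "$release-$base" >> "$MANIFEST"
    chmod 600 "$MANIFEST"
}

# verify_backup NAME
# Succeeds only if the archived file still has the digest recorded for it.
verify_backup() {
    local want
    want="$(awk -v n="$1" '$4 == n {print $1}' "$MANIFEST" 2>/dev/null | tail -n 1)"
    [ -n "$want" ] && [ "$(sha256_of "$ARCHIVE_DIR/$1")" = "$want" ]
}

# backup_for_release RELEASE
# Prints the archived backup to restore after downgrading to RELEASE: the most
# recently archived intact one, preferring a full backup over database-only.
# Returns 1 when none exists, meaning there is nothing to restore on RELEASE.
backup_for_release() {
    local release="$1" sum rel kind name best_full="" best_db=""
    [ -f "$MANIFEST" ] || return 1
    while read -r sum rel kind name; do
        [ "$rel" = "$release" ] || continue
        verify_backup "$name" || { echo "skipping damaged $name" >&2; continue; }
        case "$kind" in
            full) best_full="$name" ;;
            db)   best_db="$name" ;;
        esac
    done < "$MANIFEST"
    if [ -n "$best_full" ]; then
        echo "$best_full"
    elif [ -n "$best_db" ]; then
        echo "$best_db"
    else
        return 1
    fi
}
```

Call backup_for_release with the target release before starting a downgrade; a non-zero status means no intact backup for that release is in the archive.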

Restoring an Earlier Software Version on Your GSS Devices


To restore an earlier version of your GSS software, follow the instructions in the Verifying the GSSM Role in the GSS Network and Upgrading Your GSS Devices sections to acquire and then install the earlier software upgrade. After you have downgraded the software on your GSSM, see the Restoring Your GSSM from a Full Backup section to restore your backed up GSSM database.

Restoring Your GSSM from a Full Backup


When restoring the GSSM from a full backup as opposed to a database backup, you use the last full backup to restore the GSS device's network configuration settings as well as the encryption keys that are used to communicate with other GSS devices. Restoring the GSSM from a full backup should be done when you need to return the device to its exact configuration as of the last full backup. It is not necessary if you are simply rolling back the device to an earlier software version.

Use the following procedure to restore an earlier version of the GSSM from a full backup:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.

2. Verify that your full backup of the GSSM is at a location that is accessible from the GSSM that you are restoring. Full backups have a .full file extension.

3. Enable privileged EXEC mode. For example:

   gss1.yourdomain.com> enable
   gss1.yourdomain.com#

4. Stop the GSS software on the GSSM and then use the gss status command to confirm that the GSSM has stopped. For example:

   atcr1.cisco.com# gss stop
   atcr1.cisco.com# gss status
   Cisco GSS - 1.1(0.0.1) - [Mon Sep 15 11:33:47 UTC 2003]
   gss is not running.

5. Once the GSSM has stopped, use the gssm restore command to restore the GSSM from the full backup file. To restore the file gssmfullbk.full, you would enter:

   gss1.yourdomain.com# gssm restore gssmfullbk.full

6. Confirm your decision to overwrite GSS system configuration information on the GSSM and restart the GSSM device. Enter y for yes (or n to stop the restore process).

   % WARNING WARNING WARNING
   Restoring the database will overwrite all existing system configuration. If running, the system will be restarted during this process.
   Are you sure you wish to continue? (y/n): y
   Backup file is valid. Timestamp = 2003-Sep-15-14:01:53

7. Confirm your decision whether to restore GSSM platform information, or only the GSS database. This selection enables you to return the primary GSSM back to the original state prior to the database backup. Platform information includes all configuration parameters set at the CLI, including: interface configuration, hostname, service settings (NTP, SSH, Telnet, FTP, and SNMP), timezone, logging levels, Web certificates, inter-GSS communication certificates, access lists and access groups, CLI user information, GUI user information, and property-set CLI commands.

   This backup contains a backup of the platform configuration.
   'n' restores just the database.
   Restoring platform files requires a reboot.
   Restore Platform files? [y/n]: y

   Perform one of the following actions:

   • Select y to restore GSSM platform information.

     Note: Restoring platform information requires a reboot of the GSS at the end of the restore procedure.

   • Select n to restore only the GSSM database and not the GSSM platform information. If you choose not to restore GSSM platform information, you must reconfigure the GSSM platform information from the CLI. Refer to Chapter 2, Setting Up Your GSS for details.

8. Confirm your decision to restore the GSS network information for remote devices activated from the primary GSSM.

   Do you want to replace your current GSS network configuration with the one specified in the backup file? (y/n): y

   Perform one of the following actions:

   • Select y to restore the GSS network information, such as registered GSS devices, GSS device status, node information, and IP addresses. This is the network information displayed in the Global Site Selectors list table in the Resources tab (refer to Chapter 2, Setting Up Your GSS). GSS network information does not include DNS rules, answers, keepalive, and so on. Those configuration elements are automatically restored as part of the database restore process.
   • Select n to instruct the software not to restore GSS network information to the GSSM. If you choose not to restore the GSS network information, you must disable and enable each device, then reregister the device with the primary GSSM, which may result in a temporary network service outage. Refer to Chapter 2, Setting Up Your GSS for details.

   The GSSM continues with the restore process.

   Deleting existing database...
   Creating empty database for restore...
   Restoring the database...
   Using GSS network information present in backup file...
   Restoring platform backup files.
   Database restored successfully.
   Reboot Device now? (y/n): y

   If you specified to restore GSSM platform information, the GSSM reboots.

9. Use the gss status command to confirm that your restored GSSM is up and running in normal operation mode (runmode = 5).

Restoring Your GSSM Database from a Database-Only Backup


You must have a backup of an earlier version of your database file to restore it to run with your downgraded GSS software. You should be aware that the GSS database schema often changes between versions. When you downgrade from a later to an earlier version of the GSSM database, any configuration changes that you entered through the GSSM subsequent to your last upgrade are lost, including configuration changes, device configuration information, and DNS rules. See the Backing Up the GSSM section for details on performing a database backup of the GSSM.

Note: Restoring your GSSM database requires that the GSSM device be stopped and restarted, resulting in the device and the GUI being unavailable for a short period.

Use the following procedure to restore an earlier version of the GSSM from a backup:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.

2. Verify that the full backup of the GSSM is at a location that is accessible from the GSSM that you are restoring. Full backups have a .full file extension.

3. Enable privileged EXEC mode. For example:

   gss1.yourdomain.com> enable
   gss1.yourdomain.com#

4. Stop the GSS software on the GSSM and then use the gss status command to confirm that the GSSM has stopped. For example:

   gss1.yourdomain.com# gss stop
   gss1.yourdomain.com# gss status
   Cisco GSS - 1.1(0.0.1) - GSSM - primary [Mon Sep 15 12:58:27 UTC 2003]
   gss is not running.

5. Once the GSSM has stopped, use the gssm restore command to restore the GSSM database from the backup file that corresponds to the software version that you just restored. To restore the file gssmdbbk.db, you would enter:

   gss1.yourdomain.com# gssm restore gssmdbbk.db

6. Confirm your decision to overwrite GSS system configuration information on the GSSM and restart the GSSM device. Enter y for yes (or n to stop the restore process).

   % WARNING WARNING WARNING
   Restoring the database will overwrite all existing system configuration. If running, the system will be restarted during this process.
   Are you sure you wish to continue? (y/n):
   Backup file is valid. Timestamp = 2003-Aug-20-14:02:06
   Restoring database only (No platform backup present)

7. Confirm your decision to restore the GSS network information for remote devices activated from the primary GSSM.

   Do you want to replace your current GSS network configuration with the one specified in the backup file? (y/n): y

   Perform one of the following actions:

   • Select y to restore the GSS network information, such as registered GSS devices, GSS device status, node information, and IP addresses. This is the network information displayed in the Global Site Selectors list table in the Resources tab (refer to Chapter 2, Setting Up Your GSS). GSS network information does not include DNS rules, answers, keepalive, and so on. Those configuration elements are automatically restored as part of the database restore process.
   • Select n to instruct the software not to restore GSS network information to the GSSM. If you choose not to restore the GSS network information, you must disable and enable each device, then reregister the device with the primary GSSM, which may result in a temporary network service outage. Refer to Chapter 2, Setting Up Your GSS for details.

   The GSSM continues with the restore process.

   Deleting existing database...
   Creating empty database for restore...
   Restoring the database...
   Using GSS network information present in backup file...
   Database restored successfully.
   GSSM database restore succeeded.

8. Once you receive confirmation that the database restoration has succeeded, use the gss start command to restart your GSSM. For example:

   gss1.yourdomain.com# gss start
   System started.

9. Use the gss status command to confirm that your restored GSSM is up and running in normal operation mode (runmode = 5).

Viewing Third-Party Software Versions


The GSS software relies on a variety of third-party software products to operate properly. For that reason, the GSSM GUI provides a feature that easily allows you to track the third-party software used by the GSS software. To view information on the third-party software currently running on your GSS:
1. From the GSSM GUI, click the Tools tab.
2. Click the Third-Party Software navigation link. The GSSM Third-Party Software list page appears (Figure 9-5). This page displays the following information:

   • Product: Third-party software product. For example, RedHat Version 6.2
   • Version: Version of the third-party software currently installed on the GSS device
   • URL: Web URL for the software product

Figure 9-5 GSSM Third-Party Software List Page

Primary GSSM Error Messages


The following sections describe error messages that you may encounter when using the primary GSSM GUI to manage your GSS network. Error messages are organized by GSSM component. This section contains the following GSSM error messages:

• Answer Error Messages
• Answer Group Error Messages
• DNS Rule Error Messages
• Domain List Error Messages
• Shared KeepAlive Error Messages
• KeepAlive Error Messages
• Location Error Messages
• Owner Error Messages
• Region Error Messages
• GSSM Error Messages
• Source Address List Error Messages
• User Error Messages

Answer Error Messages


Error Message: Invalid answer name. If entered, name must not be the empty string.
Explanation: The name that you entered for the answer is not valid. Answer names cannot be blank or contain blank spaces.
Recommended Action: Enter a valid alphanumeric answer name of at least 1 and no more than 80 characters in length that does not contain spaces.

Error Message: Invalid answer name. Name length must not exceed 80 characters.
Explanation: The answer name that you entered contains too many characters.
Recommended Action: Enter a valid alphanumeric answer name of at least 1 and no more than 80 characters in length that does not contain spaces.

Error Message: Invalid CRA timing decay. Timing decay must be between 1 and 10.
Explanation: You entered an invalid number for the CRA timing decay.
Recommended Action: Enter a number between 1 and 10. Lower timing decay values mean that more recent DNS races are weighted more heavily than older races. Higher decay values mean that the results of older races are weighted more heavily than more recent races.

Error Message: Invalid CRA static RTT value. Static RTT must be between 0 and 1000.
Explanation: You entered an invalid number for the static round-trip time (RTT). This is a manually entered value that is used by the GSS to represent the time it takes for traffic to reach and return from a host.
Recommended Action: Enter a static RTT value between 0 and 1000.

Error Message: A VIP/Name Server/CRA-type answer named answer_name already exists. If specified, name and type must uniquely identify an answer.
Explanation: You are trying to create an answer that already exists on the GSS. You cannot have two answers with the same name and answer type.
Recommended Action: Assign a new name or answer type to your answer to make it unique.

Error Message: An unnamed VIP/Name Server/CRA-type answer having address IP_address already exists. Name must be specified to configure an answer with the same address as another answer.
Explanation: You are trying to create an answer that already exists on the GSS. You cannot have two answers with the same name and IP address.
Recommended Action: Assign a new name to your answer to make it unique.

Error Message: The maximum number of number VIP/Name Server/CRA-type answers has been met.
Explanation: You are attempting to create an answer when the maximum number of that type of answer has already been created.
Recommended Action: Remove an existing answer of the same type.

Error Message: CRA decay value must be specified.
Explanation: You are attempting to create a CRA answer type without specifying a decay value. The decay value is required to tell the GSS how to evaluate and weigh DNS race results.
Recommended Action: Enter a number between 1 and 10 for the CRA decay, with 1 causing the GSS to weigh recent DNS race results more heavily, and 10 telling it to weigh them less heavily.

Error Message: CRA static RTT must be specified.
Explanation: You are attempting to create a CRA answer type without specifying a static round-trip time (RTT) value. The RTT value is used to force the GSS to use a value that you supply as the round-trip time necessary to reach the requesting D-proxy.
Recommended Action: Enter a number between 1 and 1000 for the CRA round-trip time in milliseconds.

Error Message Invalid keepalive tag. Tag must be at least one character in length.
Explanation You are attempting to create a VIP answer with a KAL-AP By Tag keepalive, but you have not specified a value for the tag in the field provided.
Recommended Action Enter an alphanumeric tag between 1 and 76 characters in the Tag field.

Error Message Invalid keepalive tag. Tag length must not exceed 76 characters.
Explanation You are attempting to create a VIP answer with a KAL-AP By Tag keepalive, but you have specified a value for the tag that contains too many characters.
Recommended Action Enter an alphanumeric tag between 1 and 76 characters in the Tag field.

Error Message NS-type answer IP Address has the same IP address as GSS GSS_name. GSS IP addresses must not equal any NS-type answers.
Explanation You are attempting to create a name server answer type with the same IP address as a GSS device on the same GSS network. Name server answers cannot use the same address as GSS devices belonging to the same GSS network.
Recommended Action Assign a valid IP address to your name server answer.

Answer Group Error Messages


Error Message This answer group cannot be deleted because it is referenced by number DNS rule balance clause(s).
Explanation You are attempting to delete an answer group that is being referenced by one or more DNS rules.
Recommended Action Modify any DNS rules that are referencing the answer group so that those rules do not point to the group, and then try again to delete the group.

Error Message Invalid answer group name. Name must be entered.
Explanation You are attempting to create an answer group without assigning a name to that group. All answer groups must have names of at least one character.
Recommended Action Enter a name for the new answer group in the field provided, and then click Save.

Error Message Invalid answer group name. Name length must not exceed 80 characters.
Explanation You are attempting to assign the answer group an invalid name.
Recommended Action Enter an alphanumeric name for the answer group that is fewer than 80 characters and does not contain spaces.

Error Message Invalid answer group name. Name must not contain spaces.
Explanation You are attempting to assign the answer group an invalid name.
Recommended Action Enter an alphanumeric name for the answer group that is fewer than 80 characters and does not contain spaces.

Error Message An answer group named name already exists. Name must uniquely identify an answer group.
Explanation You are attempting to assign the answer group a name that is already being used by a different GSS device.
Recommended Action Enter a unique alphanumeric name for the answer group that is fewer than 80 characters and does not contain spaces.

Error Message The maximum number of number answers per VIP/Name Server/CRA-type group has been met.
Explanation You are attempting to add an answer to an answer group to which the maximum number of answers has already been assigned.
Recommended Action Remove an answer from the group, or add the answer to a group to which the maximum number of answers has not already been added.

DNS Rule Error Messages


Error Message TTL must be specified for balance method associated with CRA- or VIP-type answer group.
Explanation You are attempting to create a balance clause without specifying a Time To Live (TTL) for answers returned by the clause.
Recommended Action Enter a TTL value between 0 and 604,800 seconds.

Error Message Invalid balance clause TTL. TTL must be between 0 and 604,800.
Explanation You are required to specify a Time To Live (TTL) value for answers provided by the balance clause that you are creating.
Recommended Action Enter a TTL value between 0 and 604,800 seconds.

Error Message Invalid balance clause position. Position must be between 0 and 2.
Explanation You are attempting to create a clause for your DNS rule that is out of sequence. The DNS Rule Builder provides options for three balance clauses, which must be created in order, with no gaps between clauses. For example, if you are using only one balance clause, it must appear in the first position. It cannot be listed in the second or third positions with the first position left blank.
Recommended Action Rearrange your balance clauses in the DNS Rule Builder so that they are listed in the proper order, with no gaps between them.

Error Message Hash type must be specified for answer group using hash balance method.
Explanation You are trying to create an answer group using the balance method Hashed with the selected answer, but you have not selected one (or more) hash methods: By Domain Name and By Source Address.
Recommended Action Select one or more of the available hash methods by checking the box corresponding to the methods that you wish to use with this balance clause.

Error Message Balance clause Boomerang fragment size must be specified.
Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a fragment size in the Fragment Size field. The fragment size determines the preferred size of the boomerang race response that is produced by a match to a DNS rule and is sent to the requesting client.
Recommended Action Enter a fragment size between 28 and 1980 in the field provided. The fragment size must be divisible by 4.

Error Message Invalid balance clause Boomerang fragment size. Boomerang fragment size must be 0 or between 28 and 1980.
Explanation You are attempting to specify an unacceptable fragment size for this balance clause in the Fragment Size field.
Recommended Action Enter a valid fragment size. Fragment sizes must be between 28 and 1980, and must be divisible by 4.

Error Message Invalid balance clause Boomerang fragment size. Boomerang fragment size must be a multiple of 4.
Explanation You are attempting to specify a fragment for this boomerang balance clause that is within the acceptable range but not divisible by 4. Fragment sizes must be divisible by 4.
Recommended Action Enter a fragment size between 28 and 1980 that is also divisible by 4. Zero is also an acceptable fragment size.

Error Message Balance clause Boomerang IP TTL value must be specified.
Explanation You are attempting to create a balance clause using the boomerang balance method, but have not specified an IP Time To Live (TTL) in the field provided. The IP TTL specifies the maximum number of network hops that can be used when returning a response to a CRA from a match on a DNS rule.
Recommended Action Enter an IP TTL between 1 and 255 in the field provided and then click Save.

Error Message Invalid balance clause Boomerang IP TTL. Boomerang IP TTL must be between 1 and 255.
Explanation You are attempting to create a balance clause using the boomerang balance method but have specified an invalid IP Time to Live (TTL).
Recommended Action Enter an IP TTL between 1 and 255 in the field provided and then click Save.

Error Message Balance clause Boomerang maximum propagation delay must be specified.
Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a maximum propagation delay (Max Prop. Delay) in the field provided. The maximum propagation delay specifies the maximum length of time (in milliseconds) that is observed before the GSS forwards a Domain Name System (DNS) request to a content routing agent (CRA).
Recommended Action Enter a maximum propagation delay between 1 and 1000 milliseconds in the Max Prop. Delay field.

Error Message Invalid balance clause Boomerang maximum propagation delay. Boomerang maximum propagation delay must be between 1 and 1000.
Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a valid maximum propagation delay (Max Prop. Delay) in the field provided.
Recommended Action Enter a maximum propagation delay between 1 and 1000 milliseconds in the Max Prop. Delay field.

Error Message Balance clause Boomerang padding size must be specified.
Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a pad size in the Pad Size field. The pad size is the amount of extra data (in bytes) included with each content routing agent (CRA) response packet and is used to evaluate CRA bandwidth as well as latency when routing decisions are made.
Recommended Action Enter a valid pad size between 0 and 2000 in the Pad Size field.

Error Message Invalid balance clause Boomerang padding size. Boomerang padding size must be between 0 and 2000.
Explanation You are attempting to create a balance clause using the boomerang balance method but have specified an invalid pad size in the Pad Size field.
Recommended Action Enter a valid pad size between 0 and 2000 in the Pad Size field.

Error Message Invalid balance clause Boomerang secret. If specified, Boomerang secret must be between 1 and 64 characters in length.
Explanation You are attempting to create a balance clause using the boomerang balance method but have specified an invalid secret in the Secret field. The boomerang secret is a text string consisting of between 1 and 64 characters that is used to encrypt critical data sent between the boomerang server and content routing agents (CRAs). This key must be the same for each configured CRA.
Recommended Action Enter a valid boomerang secret between 1 and 64 characters in the Secret field.

Error Message Balance clause Boomerang server delay must be specified.
Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a server delay in the Server Delay field. The boomerang server delay is the maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS forwards the address of its last gasp server as a response to the requesting name server.
Recommended Action Enter a valid server delay between 32 and 999 milliseconds in the Server Delay field.

Error Message Invalid balance clause Boomerang server delay. Boomerang server delay must be between 32 and 999.
Explanation You are attempting to create a balance clause using the boomerang balance method but have specified an invalid server delay in the Server Delay field.
Recommended Action Enter a valid server delay between 32 and 999 milliseconds in the Server Delay field.

Error Message Invalid DNS rule name. Name must be entered.
Explanation You are attempting to create a DNS rule without assigning a name to the rule. DNS rules must have names of between 1 and 100 characters.
Recommended Action Assign a name to your DNS rule using the Rule Name field and then try again to save the rule.

Error Message Invalid DNS rule name. Name length must not exceed 100 characters.
Explanation You are attempting to assign a name to your DNS rule that is too long. The maximum length for DNS rules is 100 characters.
Recommended Action Enter a name for your DNS rule that is between 1 and 100 characters and then attempt to save the rule again.

Error Message Invalid DNS rule name. Name must not contain spaces.
Explanation You are attempting to assign your DNS rule a name that contains spaces.
Recommended Action Enter a valid name for your DNS rule that is between 1 and 100 characters and does not contain spaces.

Error Message A DNS rule using the specified source address list, domain list, and matching query type already exists. Source address list, domain list, and matching query type must uniquely identify a DNS rule.
Explanation You are attempting to create a DNS rule that already exists. DNS rules must specify a unique combination of source address list, domain list, and matching query type.
Recommended Action Reconfigure your DNS rule so that it does not exactly match the preexisting rule and then save the rule.

Error Message Duplicate answer group/balance method assignment detected. A DNS rule cannot use the same answer group and balance method in multiple balance clauses.
Explanation You are attempting to create two identical answer group and balance method clauses in your DNS rule. Each clause must use a unique combination of answer groups and balance methods.
Recommended Action Modify one of your answer group and balance method pairs so that it is no longer identical to the other and then save your DNS rule.

Error Message Balance clause gap detected at position {0,1,2}. Balance clauses must be specified sequentially without gaps.
Explanation You are attempting to create a clause for your DNS rule that is out of sequence. The DNS Rule Builder provides options for three balance clauses, which must be created in order, with no gaps between clauses. For example, if you are using only one balance clause, it must appear in the first position. It cannot be listed in the second or third positions with the first position left blank.
Recommended Action Rearrange your balance clauses in the DNS Rule Builder so that they are listed in the proper order, with no gaps between them.

Error Message A DNS rule named DNS_Rule_name already exists. Name must uniquely identify a DNS rule.
Explanation You are attempting to assign a name to the DNS rule that is already assigned to another rule. DNS rule names must be unique.
Recommended Action Assign the rule a name that is not already being used and then save the rule.

Domain List Error Messages


Error Message <domain name> must contain at least one character.
Explanation You are attempting to add a domain to a domain list with an invalid name. Domains in domain lists must have names of at least one character.
Recommended Action Enter a name that is between 1 and 100 characters and then save your domain list.

Error Message <domain name> character limit exceeded.
Explanation You are attempting to add a domain to a domain list using a name that is too long. Domains in domain lists cannot have names of more than 100 characters.
Recommended Action Enter a new domain name of no more than 100 characters and then save your domain list.

Error Message Domain specification must not exceed 128 characters.
Explanation You are attempting to add a domain to your domain list with a name that is longer than 128 characters. Domain lists cannot contain domains with names longer than 128 characters.
Recommended Action Replace the domain with a domain name containing fewer than 128 characters and then save your domain list.

Error Message <domain name> must not contain spaces.
Explanation You are attempting to add a domain to your domain list with a name that contains spaces. Domains in domain lists cannot have names that contain spaces.
Recommended Action Modify the domain name so that it does not contain spaces and then save your domain list.

Error Message <domain name> is not a valid regular expression: <regular expression syntax error message here>
Explanation You are attempting to add a domain name to a domain list with a name that contains invalid characters or formatting. Domain names in domain lists must be valid regular expressions.
Recommended Action Modify the domain name so that it is a valid regular expression and does not contain any invalid characters or formatting (for example, www.cisco.com or .*\.cisco\.com), and then save your domain list.

Error Message <domain name> must not begin or end with '.'
Explanation You are attempting to add a domain to a domain list with a literal name that contains an invalid character at the beginning or end of the domain name.
Recommended Action Modify the domain name so that it does not contain a period at the beginning or end of the name and then save your domain list.

Error Message <domain name> component must not begin or end with '-'
Explanation You are attempting to add a domain to a domain list with a literal name that contains an invalid character at the beginning or end of one component of the domain name. For example, www.cisco-.com.
Recommended Action Modify the domain name so that it does not contain a dash (-) at the beginning or end of any segment of the name and then save your domain list.

Error Message <domain name> contains invalid character '<character>' (<ASCII value of the character>)
Explanation You are attempting to add a domain to a domain list with a name that contains an invalid text character. Domains belonging to domain lists must have names that are regular expressions.
Recommended Action Modify the domain name so that it does not contain an invalid text character and then save your domain list.

Error Message This domain list cannot be deleted because it is referenced by X DNS rule
Explanation You are attempting to delete a domain list that is being referenced by one or more DNS rules.
Recommended Action Modify any DNS rules that use the domain list so that they no longer reference it and then try again to delete the list.

Error Message Invalid domain list name. Name must be entered.
Explanation You are attempting to create a domain list without a name. Domain lists must have names of at least one character.
Recommended Action Assign a name of at least 1 and no more than 80 characters to your domain list and then save it.

Error Message Invalid domain list name. Name length must not exceed 80 characters.
Explanation You are attempting to create a domain list with a name that is too long.
Recommended Action Assign a name of at least 1 and no more than 80 characters to your domain list and then save it.

Error Message Invalid domain list name. Name must not contain spaces.
Explanation You are attempting to create a domain list with a name that contains spaces. Domain list names cannot contain spaces.
Recommended Action Assign a name without spaces to your domain list. Names must consist of at least 1 and no more than 80 characters. Save your domain list when you have assigned it a valid name.

Error Message A domain list named '<name>' already exists. Name must uniquely identify a domain list.
Explanation You are attempting to assign a name to your domain list that has already been assigned to another domain list on the same GSS network.
Recommended Action Assign a unique name to your new domain list and then save the list.

Error Message The maximum number of <limit> domains per list has been met.
Explanation You are attempting to add a domain to your domain list when the maximum number of domains has already been added to that list.
Recommended Action Remove an existing domain from the domain list and then add the new domain. Alternatively, create a domain list to hold the new domain and any subsequent domains that you wish to add.

Shared KeepAlive Error Messages


Error Message Invalid CAPP hash secret. Secret must be entered.
Explanation You are attempting to create a KAL-AP keepalive using a CAPP hash secret but have not specified a secret in the field provided.
Recommended Action Enter a CAPP hash secret of no more than 31 characters in the field provided.

Error Message Invalid CAPP hash secret. Secret length must not exceed 31 characters.
Explanation You are attempting to create a KAL-AP keepalive using a CAPP hash secret but have specified a secret that is too long.
Recommended Action Enter a CAPP hash secret of no more than 31 characters in the field provided.

Error Message Invalid HTTP HEAD response timeout.
Explanation You are attempting to specify an HTTP HEAD response timeout that is invalid.
Recommended Action Enter a response timeout between 20 and 60 seconds in the HTTP HEAD response timeout field of the Shared Keepalive details page.

Error Message Response timeout must be between 20 and 60 seconds.
Explanation You are attempting to specify an HTTP HEAD response timeout that is invalid.
Recommended Action Enter a response timeout between 20 and 60 seconds in the HTTP HEAD response timeout field of the Shared Keepalive details page.

Error Message Invalid HTTP HEAD destination port. Destination port must be between 1 and 65,535.
Explanation You are attempting to specify a port number for HTTP HEAD traffic that is invalid.
Recommended Action In the HTTP HEAD destination port field in the Shared Keepalive details page, enter a port number between 1 and 65,535 through which HTTP HEAD keepalive traffic will pass. The default port is 80.

Error Message Invalid HTTP HEAD path. Path length must not exceed 256 characters.
Explanation You are attempting to specify an HTTP HEAD path that is not valid.
Recommended Action Enter a valid path shorter than 256 characters in the HTTP HEAD default path field in the Shared Keepalive details page.

Error Message Invalid <keepalive type> minimum probe frequency. Frequency must be between <min> and <max>.
Explanation You are attempting to specify a minimum probe interval for your keepalive type that is invalid.
Recommended Action Specify an interval (in seconds) within the range specified for that keepalive type in the Shared Keepalive details page. The interval range for the CRA keepalive type is between 1 and 60 seconds. For all other keepalive types, it is between 45 and 255 seconds.

KeepAlive Error Messages


Error Message Duplicate keepalive address detected. A keepalive must not be configured to use the same primary and secondary addresses.
Explanation You are trying to configure a KAL-AP keepalive that is identical to a keepalive of the same type that already exists.
Recommended Action Configure the KAL-AP keepalive to use a different primary and secondary address.

Error Message Duplicate keepalive primary address '<primaryaddress>' detected. An address can be used by at most one KAL-AP type keepalive.
Explanation You are trying to configure a KAL-AP keepalive that uses the same primary IP address as a keepalive of the same type that already exists.
Recommended Action Configure the KAL-AP keepalive to use a primary IP address that is not already being used by another keepalive.

Error Message Duplicate keepalive secondary address '<secondary address>' detected. An address can be used by at most one KAL-AP type keepalive.
Explanation You are trying to configure a KAL-AP keepalive that uses the same secondary IP address as a keepalive of the same type that already exists.
Recommended Action Configure the KAL-AP keepalive to use a secondary IP address that is not already being used by another keepalive.

Error Message HEAD Duplicate keepalive detected. An HTTP HEAD keepalive must not use the same address, destination path, host tag, and port as another HTTP HEAD keepalive.
Explanation You are trying to configure an HTTP HEAD keepalive that features an identical configuration to that of another HTTP HEAD keepalive on your GSS network.
Recommended Action Configure the HTTP HEAD keepalive to use a unique configuration of address, destination path, host tag, and port.

Error Message Duplicate keepalive detected. An ICMP keepalive must not use the same address as another ICMP keepalive.
Explanation You are trying to configure an ICMP keepalive with an IP address that is identical to that of another ICMP keepalive on your GSS network.
Recommended Action Configure the ICMP keepalive to use a unique IP address.

Error Message Invalid CAPP hash secret. Secret length must not exceed 31 characters.
Explanation You are attempting to create a KAL-AP keepalive using a CAPP hash secret but have specified a secret that is too long.
Recommended Action Enter a CAPP hash secret of no more than 31 characters in the field provided.

Error Message Invalid HTTP HEAD destination port. If specified, destination port must be between 0 and 65,535.
Explanation You are attempting to specify a port number for HTTP HEAD traffic that is invalid.
Recommended Action In the HTTP HEAD destination port field in the Shared Keepalive details page, enter a port number between 1 and 65,535 through which HTTP HEAD keepalive traffic will pass. The default port is 80.

Error Message Invalid HTTP HEAD host tag. Host tag length must not exceed 128 characters.
Explanation You are attempting to create an HTTP HEAD host tag that is too long.
Recommended Action Enter an HTTP HEAD host tag of no more than 128 characters.

Error Message Invalid HTTP HEAD path. If specified, path length must not exceed 256 characters.
Explanation You are attempting to specify an HTTP HEAD path that is not valid.
Recommended Action Enter a valid path shorter than 256 characters in the HTTP HEAD default path field in the Shared Keepalive details page.

Location Error Messages


Error Message The location is still being referenced by other objects and cannot be removed.
Explanation You are attempting to delete a location that has answers or GSSs associated with it.
Recommended Action Dissociate any answers or GSSs from the location and then try again to delete it.

Error Message There already exists a location named <name> in region <region> with the same name. Please specify a different location name.
Explanation You are attempting to create a location within this region when another location with the same name already exists.
Recommended Action Change the name of the location so that it is unique for the region.

Owner Error Messages


Error Message Invalid owner name. Name must be entered.
Explanation You are attempting to create an owner without assigning the owner a name.
Recommended Action Owners must have a unique name. Enter a name for the owner in the field provided and then save the owner.

Error Message Invalid owner name. Name length must not exceed 80 characters.
Explanation You are attempting to assign a name to an owner that is too long.
Recommended Action Assign your owner a name that is no longer than 80 characters.

Error Message An owner named <owner name> already exists. Name must uniquely identify an owner.
Explanation You are attempting to assign your owner a name that is already assigned to another owner on your GSS network.
Recommended Action Assign a unique name to your owner.

Region Error Messages


Error Message The region is still being referenced by other objects and cannot be removed.
Explanation You are attempting to delete a region that is associated with GSSs on your GSS network.
Recommended Action Disassociate the GSSs from the region and then try again to delete the region.


Error Message There already exists a region named <region name>. All region names have to be unique.
Explanation You are attempting to assign a name to the region that is already being used by another region on your GSS network.
Recommended Action Assign a unique name to your region.

GSSM Error Messages


Error Message Maximum number of GSSMs exceeded. A GSS network can contain at most 2 GSSMs.
Explanation You are attempting to enable a GSSM when there are already two GSSMs enabled on your GSS network.
Recommended Action If necessary, remove your standby GSSM from your GSS network and then try again to enable the GSSM.

Error Message The maximum number of <size> <className> has been met.
Explanation You are attempting to add a resource to your GSS network when the maximum number of that resource already exists.
Recommended Action Remove an existing resource of the same type and then try again to add the new resource.

Source Address List Error Messages


Error Message Invalid source address block '<block string>'. Address block must specify a host or a network.
Explanation You are attempting to specify an invalid source address range.
Recommended Action Enter a valid source address or block of source addresses. Source addresses cannot specify a multicast address list.

Error Message Invalid source address block '<blockstring>'. Address block must specify a class A, B, or C host or network.
Explanation You are attempting to specify an invalid source address range.
Recommended Action Enter a valid source address or block of source addresses. Source addresses cannot specify a multicast address list.

Error Message Invalid source address list name. Name must be entered.
Explanation You are attempting to create a source address list without assigning the list a name.
Recommended Action Enter a name for the source address list in the Name field.

Error Message Invalid source address list name. Name length must not exceed 80 characters.
Explanation You are attempting to create a source address list with a name that is too long.
Recommended Action Enter a valid name for the source address list that has fewer than 80 characters and does not contain spaces.


Error Message Invalid source address list name. Name must not contain spaces.
Explanation You are attempting to create a source address list with a name that contains spaces. Source address list names cannot contain spaces.
Recommended Action Enter a valid name for the source address list that has fewer than 80 characters and does not contain spaces.

Error Message This source address list cannot be deleted because it is referenced by <number> DNS rules.
Explanation You are attempting to delete a source address list that is referenced by one or more DNS rules.
Recommended Action Disassociate your DNS rules from the source address list using the DNS Rule Builder or DNS Rule Wizard and then attempt to delete the source address list again.

Error Message A source address list named '<name>' already exists. Name must uniquely identify a source address list.
Explanation You are attempting to create a source address list using a name that is already being used by another source address list on your GSS network.
Recommended Action Assign a unique name to your source address list that is no more than 80 characters and does not contain spaces.

Error Message The maximum number of 30 source address blocks per list has been met.
Explanation You are attempting to add a source address block to the source address list, when the maximum of 30 source address blocks has already been added to the list.
Recommended Action Remove an existing source address block, or create a source address list for the source address block that you wish to add.


User Error Messages


Error Message There already exists a user account named <user name>. All user accounts must have a unique username.
Explanation You are attempting to create a user account with a name identical to that of an existing account.
Recommended Action Assign your new user account a unique name.

Error Message You cannot delete the account with username 'admin'. This account must exist.
Explanation You are attempting to delete the admin user account.
Recommended Action This account cannot be deleted from the GSSM.

Error Message Invalid answer load threshold. Load threshold must be between 2 and 254.
Explanation You are attempting to assign an invalid load threshold to your answer in the LT field.
Recommended Action Assign a load threshold for the answer that is between 2 and 254 in the LT field.

Error Message Invalid answer order. Order must not be negative.
Explanation You are attempting to assign a negative order number to your answer. The order must be a positive number.
Recommended Action Enter a nonnegative whole number for the order.


Chapter 10

Monitoring GSS Performance


The GSS software features a number of tools for monitoring the status of your GSS devices and of global load balancing on your GSS network. These include CLI-based commands for determining the status of your GSSs, GSSMs (primary and standby), and the embedded GSS database. In addition, the primary GSSM GUI contains pages that display the status of global server load balancing activity, for example, by tabulating answer and DNS rule hit counts. This chapter contains the following major sections:

• Monitoring GSS and GSSM Status
• Monitoring GSSM Database Status
• Monitoring Global Load-Balancing Status
• Viewing Log Files

Monitoring GSS and GSSM Status


You can easily monitor the status of your GSSs and GSSMs from both the CLI and the GSSM GUI. This section includes the following procedures:

• Monitoring the Online Status of GSS Devices from the CLI
• Monitoring the Status of Your GSS Network from the CLI
• Monitoring GSS Device Status from the Primary GSSM GUI


Monitoring the Online Status of GSS Devices from the CLI


Use the gss command to display the online status and resource usage of your GSS servers. To monitor the status of a GSS device from the CLI:

1. Log on to the CLI following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:

    gssm1.yourdomain.com> enable
    gssm1.yourdomain.com#

3. Use the gss command to display the current running status of the GSS device that you have logged on to. For example:

    gss1.yourdomain.com# gss status verbose
    Cisco GSS - 1.1(0.0.1) - Development build
    GSSM - primary [Mon Sep 15 13:16:38 UTC 2003]
    Normal Operation [runmode = 5]

    %CPU  --START  --SERVER
    0.0   Jun17    Boomerang
    0.0   Jun17    Config Agent
    0.0   Jun17    Config Server
    0.0   Jun17    DNS Server
    0.0   Jun17    Database
    0.0   Jun17    GUI Server
    0.0   Jun17    Keepalive Engine
    0.0   Jun17    Node Manager
    0.0   Jun17    Syslog
    0.0   Jun17    Web Server
                   SNMP [DISABLED]


Monitoring the Status of Your GSS Network from the CLI


Use the show statistics command to view the status of any request routing and load balancing component on your GSS devices, including answers, keepalives, domains, and DNS rules. Refer to the Cisco Global Site Selector Command Reference for detailed information about the show statistics command. The following sections provide instructions about using and interpreting the output of the various show statistics command options.

• Monitoring the Status of the Boomerang Server on Your GSS
• Monitoring the Status of the DNS Server on Your GSS
• Monitoring the Status of Keepalives on Your GSS

Note

If you specify the show statistics command after issuing either the gss start command or the reload command, the GSS device can take approximately one minute before the command can take effect and display the requested statistics.

Monitoring the Status of the Boomerang Server on Your GSS


The boomerang server is a server load-balancing component of the GSS that uses calculations of network delay provided by DNS races between content routing agents (CRAs) to determine which server is best able to respond to a given request. Use the show statistics boomerang command option to view boomerang activity such as DNS races on your GSS device on a domain-by-domain or on a global basis. Refer to the Cisco Global Site Selector Command Reference for detailed information about the show statistics boomerang command.

To view DNS race statistics:

1. Log on to the CLI following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:

    gssm1.yourdomain.com> enable
    gssm1.yourdomain.com#


3. Use the show statistics boomerang command to display current boomerang server statistics for a particular domain, or across all domains managed by your GSS. For example:

    gss1.yourdomain.com# show statistics boomerang global
    Boomerang global statistics:
    Total races: 24

Monitoring the Status of the DNS Server on Your GSS


The DNS server component tracks all DNS-related traffic to and from your GSS device, including information about DNS queries received, responses sent, queries dropped and forwarded, and so on. Using the show statistics dns command option, you can view DNS statistics with regard to your GSS request routing and server load-balancing components such as DNS rules, answers, answer groups, domains, domain lists, source addresses, and source address groups. Refer to the Cisco Global Site Selector Command Reference for detailed information about the show statistics dns command.

To view DNS statistics:

1. Log on to the CLI following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:

    gssm1.yourdomain.com> enable
    gssm1.yourdomain.com#

3. Use the show statistics dns command to display statistics from the domain name server (DNS) component of the GSS. For example:

    gss1.yourdomain.com# show statistics dns answer
    Answer          Type  Total Hits  1-Min  5-Min  30-Min  4-Hr
    -----------------------------------------------------------------
    192.168.1.80    VIP   0           0      0      0       0
    1.1.5.160       VIP   0           0      0      0       0
    192.168.1.24    VIP   0           0      0      0       0
    192.168.1.245   VIP   0           0      0      0       0


Monitoring the Status of Keepalives on Your GSS


The keepalive engine on your GSS device monitors the online status of keepalive objects across your GSS network. Using the show statistics keepalive command option, you can view statistics about the health of your GSS keepalives globally or by keepalive type. Refer to the Cisco Global Site Selector Command Reference for detailed information about the show statistics keepalive command.

To view keepalive statistics:

1. Log on to the CLI following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:

    gssm1.yourdomain.com> enable
    gssm1.yourdomain.com#

3. Use the show statistics keepalive command to display current keepalive engine statistics for your GSS network. You can view statistics for all keepalive types on your network, or limit statistics to a particular keepalive type such as ICMP, HTTP HEAD, TCP, KAL-AP, or CRA. For example:

    gss1.yourdomain.com# show statistics keepalive tcp all
    IP: 192.168.50.41
    Keepalive => 192.168.50.41
    Destination Port: 80
    Status: ONLINE
    Packets Sent: 93188
    Packets Received: 69891
    Positive Probe: 23297
    Negative Probe: 0
    Transitions: 1
    GID: 105 LID: 5


Monitoring GSS Device Status from the Primary GSSM GUI


To monitor the status of your GSS devices from the primary GSSM GUI:

1. From the primary GSSM GUI, click the Resources tab.
2. Click the Global Site Selectors navigation link. The Global Site Selector list page appears.
3. Click the Modify GSS icon for the GSS or GSSM that you wish to monitor. The device type (GSS or GSSM) appears in the Node Services column. The Global Site Selectors details page appears, displaying configuration and status information about the device at the bottom of the page including:
   • Status: Online status
   • Version: Software version currently loaded on the device
   • Node services: Current role of the device (GSS, primary or standby GSSM, or both)
   • IP address: Network address of the device
   • Hostname: Network host name of the device
   • MAC: Machine address of the device
4. Click Cancel to return to the Global Site Selectors list page.

Monitoring GSSM Database Status


The GSS software includes a number of CLI commands that you can use to monitor the status of the GSSM database and its contents. This section includes the following procedures:

• Monitoring the Database Status
• Validating Database Records
• Creating a Database Validation Report


Monitoring the Database Status


To verify that the GSS database on the GSSM is functioning properly:

1. Log on to the CLI following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:

    gssm1.yourdomain.com> enable
    gssm1.yourdomain.com#

3. Use the gssm database status command to display the current running status of the GSS device that you have logged on to. For example:

    gss1.yourdomain.com# gssm database status
    GSSM database is running.

Validating Database Records


To validate the records in your GSSM database:

1. Log on to the CLI following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:

    gssm1.yourdomain.com> enable
    gssm1.yourdomain.com#

3. Use the gssm database validate command to validate the content of your GSSM database. For example:

    gss1.yourdomain.com# gssm database validate
    GSSM database passed validation.


Creating a Database Validation Report


Should you encounter problems while attempting to validate your GSSM database, you can generate a report, called validation.log, that details which database records failed validation. To generate a database validation report:

1. Log on to the CLI, following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:

    gssm1.yourdomain.com> enable
    gssm1.yourdomain.com#

3. Use the gssm database report command to generate a validation report on the content of your GSSM database. For example:

    gss1.yourdomain.com# gssm database report
    GSSM database validation report written to validation.log.

4. Use the type command to view the contents of your validation report. For example:

    gss1.yourdomain.com# type validation.log
    validation.log
    Start logging at Thu Aug 28 19:17:21 GMT+00:00 2003 - storeAdmin Validating ...
    Thu Aug 28 19:17:23 GMT+00:00 2003 - ObjectId Object_Name.Field_Name Description
    Validating FactoryInfo
    Validating answerElement
    Validating answerGroup
    70 answerGroup.OwnerId Many-To-One List
    Validating CachingConfig
    Validating ClusterConfig
    Validating CmdControl
    Validating CmdPurgeRd
    Validating CmdUpdate
    Validating ConfigProperty
    Validating Customer
    Validating DistTree
    Validating DnsRule
    Validating DomainElement
    Validating DomainGroup
    Validating ENodeConfig
    Validating ENodeStatus


    Validating KeepAliveConfig
    Validating KeepAlive
    Validating Location
    Validating OrderedanswerGroup
    Validating Owner
    Validating Region
    Validating RequestHandler
    Validating RoutedDomain
    Validating RoutingConfig
    Validating RrConfig
    Validating RrStatus
    Validating SNodeConfig
    Validating SourceAddressElement
    Validating SourceAddressGroup
    Validating SpInfo
    Validating SystemConfig
    Validating UpdateInfo
    Validating UserConfig
    Validating VirtualCDN
    Validating WlpanswerElement
    Validating User Validations
    End of file validation.log

Monitoring Global Load-Balancing Status


From the primary GSSM GUI, you can monitor the status of global load balancing on your GSS network using a variety of features that filter and condense GSS traffic and statistics. This section includes the following procedures:

• Monitoring Answer Hit Counts
• Monitoring Answer Keepalive Statistics
• Monitoring Answer Status
• Monitoring DNS Rule Statistics
• Monitoring Domain Statistics
• Monitoring Source Address Statistics
• Monitoring Global Statistics


Monitoring Answer Hit Counts


The answer hit counts feature of the primary GSSM GUI provides you with an overview of your GSS answer resources and the number of times that user requests have been directed to each answer device. Looking at answer hit counts is one way to judge how well your GSS resources are being used in responding to user requests.

To view the number of hits recorded by each of your GSS answers:

1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Answers navigation link.
3. Click the Answer Hit Counts navigation link (located under the Contents table of contents).
4. The Answer Hit Counts list page appears (Figure 10-1).

Figure 10-1 Answer Hit Counts List Page


Table 10-1 describes the fields on the Answer Hit Counts list page.

Table 10-1 Field Descriptions for Answer Hit Counts List Page

Field                      Description
Answer                     IP address of the answer device
Name                       Name assigned to the answer using the primary GSSM GUI
Type                       Type of answer: VIP (virtual IP address), NS (name server), or CRA (content routing agent)
Location                   GSS network location into which the answer has been grouped
Name of the GSSM or GSS    Number of requests directed to the answer by each GSS device

5. Click the column header of any of the displayed columns to sort your answers by a particular property.

Monitoring Answer Keepalive Statistics


The answer keepalive statistics feature of the primary GSSM GUI provides you with an overview of the online status of your GSS answer resources. For each answer configured on your GSS, the answer keepalive statistics feature displays the number of keepalive probes that have been directed to that answer by the primary and the standby GSSM, as well as information about how that keepalive probe was handled. If a large number of keepalive probes are being rejected or are encountering transition conditions, the answer may be offline or may be having problems staying online.

To view the online status of each of your GSS answers:

1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Answers navigation link.
3. Click the Answer KeepAlive Statistics navigation link (located under the Contents table of contents). The Answer KeepAlive Statistics list page appears (Figure 10-2).


Figure 10-2 Answer Keepalive Statistics List Page

Table 10-2 describes the fields on the Answer KeepAlive Statistics list page.

Table 10-2 Field Descriptions for Answer Keepalive Statistics List Page

Field        Description
Answer       IP address of the answer device being probed
Type         Type of answer: VIP (virtual IP address), NS (name server), or CRA (content routing agent)
Name         Name assigned to the answer using the primary GSSM GUI
Keepalive    The address assigned to the remote device, CRA, or name server that the GSS is to forward requests


Table 10-2 Field Descriptions for Answer Keepalive Statistics List Page

Field                      Description
Method                     The keepalive method used by the answer: VIP (virtual IP address), NS (name server), or CRA (content routing agent)
Location                   GSS network location into which the answer has been grouped
Name of the GSSM or GSS    Number of keepalive probes directed to the answer by each GSS device, as well as a record of how those probes were handled. Statistics are presented in the following order:
                           • Keepalive packets sent: Total number of keepalive probes sent to the answer by each GSS on the network
                           • Keepalive packets received: Total number of keepalive probes returned from the answer
                           • Keepalive positive probe count: Total number of keepalive probes received to which a positive (OK) response was returned
                           • Keepalive negative probe count: Total number of keepalive probes received to which a negative response was returned
                           • Keepalive transition count: Total number of keepalive probe transitions (for example, from the INIT to the ONLINE state) experienced by the keepalive

4. Click the column header of any of the displayed columns to sort your answers by a particular property.


Monitoring Answer Status


The answer status feature of the primary GSSM GUI provides you with an overview of your GSS answer resources and their online status. Answers can be sorted by IP address, name, type, location, or online status according to a particular device.

To view the status of your GSS answers:

1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Answers navigation link.
3. Click the Answer Status navigation link (located under the Contents table of contents). The Answer Status list page appears (Figure 10-3).

Figure 10-3 Answer Status List Page


Table 10-3 describes the fields on the Answer Status list page.

Table 10-3 Field Descriptions for Answer Status List Page

Field                      Description
Answer                     IP address of the answer device
Name                       Name assigned to the answer using the primary GSSM GUI
Type                       Type of answer: VIP (virtual IP address), NS (name server), or CRA (content routing agent)
Location                   GSS network location into which the answer has been grouped
Name of the GSSM or GSS    Online status of the answer according to the named device

4. Click the column header of any of the displayed columns to sort your answers by a particular property.

Monitoring DNS Rule Statistics


The DNS rule statistics feature of the primary GSSM GUI provides you with an overview of your global load-balancing rules, as well as information about how many queries were processed by each rule and how many of those processed queries were successfully matched with answers.

To view the status of your DNS rules:

1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the DNS Rules navigation link. The DNS Rule Statistics list page appears (Figure 10-4).


Figure 10-4 DNS Rule Statistics List Page

Table 10-4 describes the fields on the DNS Rule Statistics list page.

Table 10-4 Field Descriptions for DNS Rule Statistics List Page

Field                      Description
Name                       Name assigned to the answer using the primary GSSM.
Owner                      GSS owner to which the DNS rule has been assigned.
Name of the GSSM or GSS    Total hit count and successful hit count for the DNS rule from the listed GSS device. Refer to the legend that appears below the listed DNS rules if you are confused about which number represents total hits and which represents successful requests served.

3. Click the column header of any of the displayed columns to sort your DNS rules by a particular property.


Monitoring Domain Statistics


The domain statistics feature of the primary GSSM GUI provides you with an overview of the hosted domains that your GSS is serving, as well as information about how many queries were directed to each domain by your DNS rules. The domain hit counts feature tracks the traffic directed to individual domains, not GSS domain lists, which may include one or more domains.

To view the status of your hosted domains:

1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Domains navigation link. The Domain Hit Counts list page appears (Figure 10-5).

Figure 10-5 Domain Hit Counts List Page


Table 10-5 describes the fields on the Domain Hit Counts list page.

Table 10-5 Field Descriptions for Domain Statistics List Page

Field                      Description
Domain                     DNS domains for which your GSS is responsible; these are the domains contained in your domain lists.
Name of the GSSM or GSS    Total number of requests for the listed domain from each GSS device

3. Click the column header of any of the displayed columns to sort the listed domains by a particular property.

Monitoring Source Address Statistics


The source address statistics feature of the primary GSSM GUI provides you with an overview of incoming requests received by each of your source addresses (that is, those addresses from which DNS queries to your GSS originate) from each of your GSS devices. The source address hit counts feature tracks requests from individual address blocks, not from GSS source address lists, which may contain one or more address blocks.

To view the statistics for your source address lists:

1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Source Addresses navigation link. The Source Address Lists Statistics list page appears (Figure 10-6).


Figure 10-6 Source Address List Statistics List Page

Table 10-6 describes the fields on the Source Address Lists Statistics list page.

Table 10-6 Field Descriptions for Source Address Statistics List Page

Field                      Description
Source Address Block       Address or range of addresses from which DNS queries originate. Source address blocks make up GSS source address lists.
Name of the GSSM or GSS    Total number of requests received by the listed GSS device from each address or address block.

3. Click the column header of any of the displayed columns to sort the listed domains by a particular property.

Monitoring Global Statistics


The global statistics feature of the primary GSSM GUI provides you with an overview of your GSS network, providing average statistics for DNS requests received by each GSS device and keepalive messages sent to your answers, as well as the online status of each GSS device.

To view the status of your GSS network:

1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Global navigation link. The Global Statistics list page (Figure 10-7) appears.

Figure 10-7 Global Statistics List Page


Table 10-7 describes the fields on the Global Statistics list page.

Table 10-7 Field Descriptions for Global Statistics List Page

Field                    Description
GSS Status               Online status of each GSS device
Unmatched DNS Queries    Total number of DNS queries received by each listed device for which no answer could be found
DNS Queries/sec          Average number of DNS queries received each second by each listed GSS device
Keepalive Probes/sec     Average number of keepalive probes received by each listed GSS device each second

3. Click the column header of any of the displayed columns to sort the listed domains by a particular property.


Viewing Log Files


The GSS maintains logged records for a wide range of GSS network activity in the gss.log file as well as through the system logs feature of the GSSM. The following sections help you audit logged information about your GSS devices.

• Understanding GSS Logging Levels
• Viewing Device Logs from the CLI
• Viewing System Logs from the Primary GSSM GUI

Understanding GSS Logging Levels


The GSS employs eight separate logging levels to identify the wide range of critical and noncritical logged events that may occur on a GSS device. Table 10-8 lists these different logging levels and explains their meanings.

Table 10-8 GSS Logging Levels

Level Number    Level Name     Description
0               Emergencies    The GSS has become unusable: for example, the device is shutting down and cannot be restarted, or it has experienced a hardware failure.
1               Alerts         The GSS requires immediate attention: for example, one of the GSS servers is not running.
2               Critical       The GSS has encountered a critical condition that requires attention: for example, being unable to connect to the primary GSSM and not having a configuration snapshot to use in the meantime.
3               Errors         The GSS has encountered an error condition that requires prompt attention but still enables the device to function: for example, running out of memory.


Table 10-8 GSS Logging Levels (continued)

Level Number    Level Name       Description
4               Warnings         The GSS has encountered an error condition that requires attention but is not interfering with the operation of the GSS device: for example, losing contact with the primary GSSM when a local configuration snapshot exists.
5               Notifications    The GSS has encountered a nonerror condition that should be brought to the administrator's attention: for example, a software upgrade.
6               Information      Messages at this level are normal operational messages for the GSS device, such as status or configuration changes.
7               Debug            Messages at this level (such as detailed information about DNS request or keepalive handling, specific code path tracking, and so on) are intended for use by technical support personnel.

Viewing Device Logs from the CLI


Each GSS device contains a variety of log files that retain records of both GSS-related activity and the functioning of various GSS subsystems. You can access these log files using the CLI to troubleshoot problems or better understand the behavior of a GSS device. This section includes the following procedures:

• Viewing the gss.log File from the CLI
• Viewing Subsystem Log Files from the CLI
• Rotating Existing Log Files from the CLI


Viewing the gss.log File from the CLI


The gss.log file pulls together information that may be of use to customers, such as keepalive, availability, and load statistics for GSS devices. This log file can be viewed from the CLI using the show logs command. Refer to the Cisco Global Site Selector Command Reference for a list of the various log files that are displayed using the show logs command.

Note

The show logs command outputs all logged information to your terminal session. This output may be quite large and exceed the buffer size that you have set. If you wish to capture all logged information, adjust the size of your screen buffer. Otherwise, use the tail or follow options to limit the output of the file.

To view logged GSS messages in the gss.log file:

1. Log on to the CLI following the instructions in Chapter 2, "Setting Up Your GSS," the "Accessing the GSS CLI" section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:

    gssm1.yourdomain.com> enable
    gssm1.yourdomain.com#

3. Use the show logs command to display logged information for the device on your terminal. For example:

    gssm1.yourdomain.com# show logs gss.log
    Jul 14 21:42:01 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29410)=> Host 192.10.2.1
    Jul 14 21:42:02 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29412)=> Host 192.10.4.1
    Jul 14 21:42:02 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.4.1] (Retry Count 3)
    Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL [192.10.2.1]
    Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29411)=> Host 192.10.2.1
    Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 1)
    Jul 14 21:42:09 gss-css2 KAL-7-KALCRA[1240] rtt_task: waiting 10000 mseconds
    Jul 14 21:42:12 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29412)=> Host 192.10.2.1
    Jul 14 21:42:12 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 2)
    Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.2.1]
    Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.3.1]

Cisco Global Site Selector Configuration Guide

10-24

OL-4327-01

Chapter 10

Monitoring GSS Performance Viewing Log Files

Jul 14 21:42:16 [192.10.4.1] Jul 14 21:42:16 [192.10.6.1] Jul 14 21:42:16 [192.10.7.1] Jul 14 21:42:16 [192.10.8.1] Jul 14 21:42:17 Jul 14 21:42:17 Jul 14 21:42:17 3) Jul 14 21:42:19 Jul 14 21:42:22 [192.10.3.1] Jul 14 21:42:22 Jul 14 21:42:22 1) Jul 14 21:42:22 members. Jul 14 21:42:27 Jul 14 21:42:27 2) ...

gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29410)=> Host 192.10.3.1 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29413)=> Host 192.10.2.1 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count gss-css2 KAL-7-KALCRA[1240] rtt_task: waiting 10000 mseconds gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29411)=> Host 192.10.3.1 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.3.1] (Retry Count gss-css2 NMR-7-NODEMGR[1035] Checking process queue for defunct gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29412)=> Host 192.10.3.1 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.3.1] (Retry Count

4. To limit the output of the show logs command, specify one of the following:

- Use the tail option of the show logs command to view just the last ten lines of logged information. For example:

gssm1.yourdomain.com# show logs tail

- Use the follow option of the show logs command to view data that is appended to the end of the log as it grows. For example:

gssm1.yourdomain.com# show logs follow
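The following Python sketch is an added example, not part of the Cisco guide: it parses captured gss.log lines in the format of the sample show logs output and counts KAL-AP retries and timeouts per probed host, which is usually what you are looking for when reviewing keepalive health. The field names, the regular expressions, and the retry limit of 3 are assumptions inferred from the sample output only.

```python
import re
from collections import defaultdict

# Lines copied from the sample show logs output above (a subset), plus the
# "..." truncation marker to exercise the unparseable-line path.
SAMPLE_LOG = """\
Jul 14 21:42:01 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29410)=> Host 192.10.2.1
Jul 14 21:42:02 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29412)=> Host 192.10.4.1
Jul 14 21:42:02 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.4.1] (Retry Count 3)
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL [192.10.2.1]
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29411)=> Host 192.10.2.1
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 1)
Jul 14 21:42:09 gss-css2 KAL-7-KALCRA[1240] rtt_task: waiting 10000 mseconds
Jul 14 21:42:12 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29412)=> Host 192.10.2.1
Jul 14 21:42:12 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 2)
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.2.1]
Jul 14 21:42:17 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 3)
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL [192.10.3.1]
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.3.1] (Retry Count 1)
Jul 14 21:42:22 gss-css2 NMR-7-NODEMGR[1035] Checking process queue for defunct members.
...
"""

# Layout seen in the sample: timestamp, node name, SUBSYSTEM-level-MODULE[pid],
# then free text. The group names are this example's own labels (assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<node>\S+) "
    r"(?P<subsys>[A-Z]+)-(?P<level>\d)-(?P<module>[A-Z]+)\[(?P<pid>\d+)\] "
    r"(?P<msg>.*)$"
)
RETRY_RE = re.compile(r"Retrying IP \[(?P<ip>[\d.]+)\] \(Retry Count (?P<n>\d+)\)")
TIMEOUT_RE = re.compile(r"Timeout: Found outstanding KAL \[(?P<ip>[\d.]+)\]")


def parse_line(line):
    """Return the fields of one gss.log line, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def summarize_keepalives(text):
    """Count KAL-AP retries and timeouts per probed host.

    Returns (stats, parsed, skipped): stats maps a host IP to its counters,
    parsed and skipped count the lines that did and did not match LINE_RE.
    """
    stats = defaultdict(lambda: {"retries": 0, "max_retry": 0, "timeouts": 0})
    parsed = skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            skipped += 1  # truncated or wrapped output; report, do not guess
            continue
        parsed += 1
        if record["module"] != "KALAP":
            continue  # KALCRA and NODEMGR lines carry no retry data
        retry = RETRY_RE.search(record["msg"])
        timeout = TIMEOUT_RE.search(record["msg"])
        if retry:
            host = stats[retry["ip"]]
            host["retries"] += 1
            host["max_retry"] = max(host["max_retry"], int(retry["n"]))
        elif timeout:
            stats[timeout["ip"]]["timeouts"] += 1
    return dict(stats), parsed, skipped


def hosts_at_retry_limit(stats, limit=3):
    """Hosts whose retry counter reached `limit`, sorted as strings.

    limit=3 is an assumption taken from the highest count in the sample,
    not a documented GSS setting.
    """
    return sorted(ip for ip, s in stats.items() if s["max_retry"] >= limit)


if __name__ == "__main__":
    stats, parsed, skipped = summarize_keepalives(SAMPLE_LOG)
    print(f"parsed={parsed} skipped={skipped}")
    for ip in sorted(stats):
        print(ip, stats[ip])
    print("at retry limit:", hosts_at_retry_limit(stats))
```

Feed it the text captured from a show logs session; a nonzero skipped count usually means the terminal buffer wrapped or truncated lines, as the note above warns.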

Viewing Subsystem Log Files from the CLI


In addition to the gss.log file, each GSS device maintains a number of additional log files that record subsystem-specific information (for example, the keepalive engine or DNS server component of the GSS). Although these log files are not generally associated with specific CLI commands as the gss.log file is, any of them can be viewed from the CLI using the type EXEC command.


Note

Many GSS subsystem logs output all logged information to your terminal session. This output may be quite large and exceed the buffer size that you have set. If you wish to capture all logged information, adjust the size of your screen buffer. Otherwise, use the tail or follow options to limit the output of the file.

To view your GSS subsystem log files:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.

2. From privileged EXEC mode, navigate to the directory containing the log file or files that you wish to view. For example:

gssm1.yourdomain.com> cd ../sysout
gssm1.yourdomain.com>

3. Use the type command to display the contents of the log file. For example:

gssm1.yourdomain.com> type dnsserver.log
dnsserver.log
Starting dnsserver: Mon Jul 1 13:52:50 UTC 2003 [(1221)]
2003-07-10 16:23:08 relog: Booting...
Starting dnsserver: Wed Jul 10 16:23:33 UTC 2003 [(1201)]
End of file dnsserver.log ]

4. Use the tail command to view just the last ten lines of the log file. For example:

gssm1.yourdomain.com# tail dnsserver.log

Rotating Existing Log Files from the CLI


You can force the GSS to restart its log files and save archive copies of all existing log files by using the rotate-logs command. This command forces the GSS to save archive copies of all existing log files in the $STATE directory and subdirectories and replaces them with fresh log files.


Existing log files are archived locally using the following naming convention:

logfile_name.log.number

where:

- logfile_name.log - Name of the archived log file (for example, gss.log or kale.log).
- number - An incremented number representing the number of times the logs have been rotated (for example, .3). The number of the most recent rotated log file is .1. The maximum number of log files is 25 for the gss.log file, five for all other log files.

To rotate existing log files:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

3. Use the rotate-logs command to rotate existing log files. For example:

gssm1.yourdomain.com# rotate-logs

If you wish to clear all rotated log files in the $STATE directory and subdirectories, except for the active log files, include the delete-rotated-logs option. For example:

gssm1.yourdomain.com# rotate-logs delete-rotated-logs


Viewing System Logs from the Primary GSSM GUI


From the primary GSSM GUI, you can view messages logged in the GSS system.log file. This log presents the logged information that is most likely of interest to GSS administrators. However, the system.log file presents only a subset of all logged information. See the Viewing Subsystem Log Files from the CLI section for information about viewing the entire contents of individual GSS log files. This section includes the following procedures:

- Viewing System Logs from the GUI
- Purging System Log Messages from the GUI
- System Log Messages

Viewing System Logs from the GUI


To view the GSS system logs:

1. From the primary GSSM GUI, click the Tools tab.

2. Click the System Logs option. The System Log list page appears (Figure 10-8) displaying the following information:

- Time - Time in Universal Coordinated Time (UTC) at which the logged event occurred on the GSS device.
- Node type - Type of GSS node (GSS or GSSM) on which the logged event occurred.
- Node name - Name assigned to the GSS device using the primary GSSM.
- Module - GSS component logging the message. For example, server or storeAdmin.
- Severity - Severity of the logged message; system log messages are rated using one of four severity levels, as follows:
  - Fatal - Indicates that the GSS or one of its components failed. Fatal errors are rare and are usually caused by exceptions from which it is impossible to recover, or by the failure of a GSS component to initialize properly.
  - Warning - Indicates a noncritical error or unexpected condition.
  - Info - Provides information about the normal operation of the GSS and its components.
  - Debug - Provides very detailed information about the internal operations of the GSS or one of its components. Debug log messages are intended for use by Cisco support engineers in their efforts to troubleshoot a problem.
- Description - Text description that explains the event.
- Message - Information about any relevant conditions encountered while the event was being logged.

Figure 10-8 System Log List Page

3. Click the column header of any of the displayed columns (except for Severity or Description) to sort the listed domains by a particular property.

Purging System Log Messages from the GUI


You can instruct the GSS to purge system log messages from the GSSM database by using the gssm database purge-log-records CLI command. This option removes the system log messages appearing on the primary GSSM GUI, the System Log list page of the Tools navigation tab. You can instruct the GSS software to:

- Purge a quantity of system log messages from the database up to the last n records, where n equals the number of database records back from the last record to be retained when the database is purged.
- Purge system log messages covering a set time period up to n days before today, where n equals the number of days back from today to be retained when the database is purged.

To purge system log messages from the GSSM database:

1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.

2. Enable privileged EXEC mode. For example:

gssm1.yourdomain.com> enable
gssm1.yourdomain.com#

3. Use the gssm database purge-log-records command to purge system log messages. For example, to purge all system log messages except for the last 3, enter:

gssm1.yourdomain.com# gssm database purge-log-records count 3

For example, to purge all system log messages except for those generated within the last 7 days, enter:

gssm1.yourdomain.com# gssm database purge-log-records days 7

4. From the primary GSSM GUI, click the Tools tab, then click the System Logs option. The System Log list page appears. Notice that system log messages have been purged based on the criteria specified in the gssm database purge-log-records CLI command.


System Log Messages


Table 10-9 lists common GSS system messages that may be encountered in the System Log list page. Error messages are listed alphabetically, and each error message is accompanied by a brief description. Contact a Cisco technical support representative if you require more detailed information about the purpose of a message.
Table 10-9 System Log Messages

System Log Message - Description

Deleted a Global Site Selector - The named GSS has been deleted from the primary GSSM.

Error occurred while processing received data - An error occurred while the device was processing configuration updates from the primary GSSM. The affected device will attempt to recover automatically.

Failed store invalidation - The process of marking internally inconsistent database records has failed. Errors can be viewed in the validation log.

Failed store validation - The GSSM database has failed its internal consistency checks.

Multiple primary GSSMs detected - The system has detected multiple primary GSSMs operating concurrently.

Passed store invalidation - The process of marking internally inconsistent database records has been successfully completed.

Passed store validation - The GSSM database has passed its internal consistency checks.

Registered a new Global Site Selector - A new GSS is online and identified itself to the primary GSSM.

Registered a new standby GSSM - A new standby GSSM came online and identified itself to the primary GSSM.

Server is Shutting Down - The Cisco GSS software has been stopped from the CLI.

Server Started - The Cisco GSS software has been started from the CLI.

Standby GSSM database error - An error has occurred on the standby GSSM embedded database.

Started store invalidation - The process of marking internally inconsistent database records has begun.

Started store validation - An internal consistency check has begun for the GSSM database.

Store is corrupted - The GSS GSSM database has failed internal consistency checks.

x System Messages Dropped - The GSS device has dropped (did not report) a certain number of messages in an effort to throttle message traffic to the GSSM.

Unexpected GSSM activation timestamp warning - The primary GSSM has received a report from a GSS device with a GSSM activation time stamp that was not consistent with the primary GSSM's current time. The standby and primary GSSM may have clocks that are not synchronized.

User HTTP Password Change - A user has changed his or her password using the Change Password details page from the Tools tab.


GLOSSARY

A

answer
Individual resource (virtual IP address [VIP], name server [NS], or content routing agent [CRA]) that is used to reply to a content request.

answer group
Customer-defined set of virtual IP address (VIP), name server (NS), or content routing agent (CRA) addresses from which an individual answer is selected and used to reply to a content request.

B

boomerang
Server load-balancing component of the Global Site Selector (GSS) that uses calculations of network delay to select the site closest to the requesting D-proxy. Closeness is determined by conducting DNS races between content routing agents (CRAs) on each host server. The CRA that replies first to the requesting D-proxy is chosen to reply to the request.

C

client
Content consumer, typically a web browser or multimedia stream player, that makes Domain Name System (DNS) requests for domains managed by the Global Site Selector (GSS).

content provider
Customer deploying content on a Content Delivery Network (CDN), or purchasing hosting services from a service provider or web hosting service.

content router
Machine that routes requests for content through Domain Name System (DNS) records.

content routing agent (CRA)
Software running on a Content Delivery Network (CDN) or server load-balancing device that provides information to a Global Site Selector (GSS) for making content routing decisions, and handles content routing requests from the GSS.

Content Switching Module (CSM)
Server load-balancing component for the Catalyst 6000 Switch product.

Content Services Switch (CSS)
Cisco server load-balancing appliance for Layer 4 through Layer 7 content.

customer
Cisco customer purchasing Global Site Selector (GSS) hardware, software, or services. Typically an Internet service provider (ISP), application service provider (ASP), or enterprise customer.

D

data center
Collection of centrally located devices (content servers, transaction servers, or web caches).

DNS rule
Central configuration and routing concept of the Global Site Selector (GSS), allowing specific request balance resources, methods, and options to be applied to source address and domain pairs.

domain list
One or more hosted domains logically grouped for administrative and routing purposes.

D-proxy
Client's local name server, which makes iterative DNS queries on behalf of a client. A single recursive query from a client may result in many iterative queries from a D-proxy. Also referred to as local domain name server (LDNS).

F

fully qualified domain name (FQDN)
Domain name that specifies the named node's absolute location relative to the Domain Name System (DNS) root in the DNS hierarchy.

G

Global Site Selector (GSS)
Cisco content routing device that intelligently responds to Domain Name System (DNS) queries, selecting the best content locations to serve those queries based on DNS rules created by the customer.

GSS network
Set of Global Site Selectors (GSSs) in a scaled, redundant GSS deployment.

Global Site Selector Manager (GSSM)
Device that administers a Global Site Selector (GSS) network, storing configuration information and statistics for GSS devices and providing a graphical user interface that GSS administrators use to reconfigure or monitor the performance of their GSS network.

global server load balancing (GSLB)
System based on the Content Services Switch that directs clients through the Domain Name System (DNS) to different sites based on load and availability. Two versions of GSLB currently exist:
- Rule-based GSLB
- Zone-based GSLB

H

hosted domain
Any domain managed by the Global Site Selector (GSS). A minimum of two levels is required for delegation (for example, foo.com). Domain wildcards are supported.

K

keepalive (KAL)
Periodic testing of availability and status of a content service through the sending of intermittent queries to a specified address using one of a variety of methods. The Global Site Selector product uses both primary keepalive and secondary keepalive IP addresses. See keepalive method.

keepalive method
Protocol or strategy used to determine whether a device is online, for example, ICMP, TCP, KAL-AP, HTTP-HEAD, and CRA round-trip time.

L

location
Grouping for devices with common geographical attributes, used for administrative purposes only, and similar to data center or content site. See data center.

N

name server (NS)
Publicly or privately addressable Domain Name System (DNS) server that resolves DNS names to IP addresses. Name servers are used by the Global Site Selector (GSS) for name server forwarding, in which queries that the GSS cannot resolve are forwarded to a designated name server that can resolve them.

O

ordered list
List of possible answers that are used for routing. List members are ranked and tried in order. Answers lower on the list are not tried unless all previous members fail to provide a suitable result.

origin server
Machine that serves original or replicated content provider content.

owner
Internal department or resource or external customer associated with a group of GSS resources such as domain lists, answer groups, and so on.

R

region
Grouping of Global Site Selector (GSS) locations with common geographic attributes that is used to organize GSS resources.

S

Secure Socket Layer (SSL)
Industry-standard method for protecting and encrypting web communication.

server load balancer (SLB)
Network device that balances content requests to network resources based on content rules and real-time load and availability data collected from those devices. Server load balancers like the Cisco Content Services Switch (CSS), Content Switching Module (CSM), and LocalDirector provide publicly routable virtual IP addresses (VIPs) while front-ending content servers, firewalls, Secure Socket Layer (SSL) terminators, and caches. Third-party SLBs are supported in a GSS network through the use of Internet Control Message Protocol (ICMP), TCP, and HTTP-HEAD keepalives.

service provider
Cisco customer providing infrastructure for a Content Delivery Network (CDN). Also ISP (Internet service provider) and ASP (application service provider).

source address list
List of source IPs or source IP blocks that are logically grouped by the system administrator.

static proximity
Type of request routing in which incoming requests from specified D-proxies are routed to statically defined resources that have been identified as being in proximity to the source D-proxies.

subscriber
Client or set of clients receiving a certain style of DNS routing. Subscribers often pay for application services from the Cisco GSS customer.

T

Time To Live (TTL)
Length of time that a response is to be cached and considered valid by the requesting D-proxy.

W

Web Network Services (WebNS)
VxWorks-based operating system and software that runs on the Content Services Switch (CSS).

I N D EX

A
accessing CLI 2-2, 2-4, 2-5 primary GSSM GUI 2-15 remote connection 2-2 serial connection 2-2 access lists access-group command 9-27 access-list command 9-26 adding rules to 9-28 associating with an interface 9-27 creating 9-25 disassociating from an interface 9-28 filtering traffic 9-24 overview 9-24 removing rules 9-29 viewing 9-30 activating GSS devices 2-18 adding rules to access lists 9-28 administrator account, resetting 9-21 answer activating 1-45 configuring 7-1 CRA-type answer, creating 7-14

CRA-type answer, overview 1-16 deleting 7-22 error messages 9-56 hit count 10-11 keepalive 1-17 keepalive statistics 10-11 modifying all in location 7-21 modifying an answer 7-19 monitoring 10-11 name server-type answer, creating 7-17 name server-type answer, overview 1-16 overview 1-14, 7-1 reactivating 7-21 setting all to ICMP 1-46 setting all to none 1-46 status 10-14 suspending 1-45, 7-20 suspending all answers in a location 7-21 VIP-type answer, creating 7-2 VIP-type answer, overview 1-15 answer group adding answers 7-26 balance method options 1-27 balance methods 7-23 CRA configuration information 8-32

Cisco Global Site Selector Configuration Guide OL-4327-01

IN-1

Index

creating 7-24 current members 7-27 deleting 7-35 DNS rule 1-12, 1-15 DNS Rule Wizard 8-15 error messages 9-60 general configuration 7-25 load threshold 7-28 modifying 7-29 order 7-28 overview 1-15, 7-23 removing answers 7-29 suspending 7-30 suspending or reactivating all for an owner 7-32 VIP DNS configuration information 8-32 weight 7-28 answer hit counts 10-10 answer keepalive statistics 10-11 Anywhere source address 1-14, 4-1 appliance-based global server load balancing 1-6 A record 8-26, 8-30 associating access list with interface 9-27 audience xx

overview 9-37 procedure 9-39 backup of GSSM database conditions for 9-39 overview 9-37 procedure 9-40 balance clause 7-23, 8-30 balance method answer group options 1-27 answer group pair 7-23 balance clauses 7-23 boomerang 1-26 DNS rule 1-12, 1-15 DNS Rule Wizard 8-22 hash 1-26, 8-23, 8-31 hashed balance method 8-31 least loaded 1-25, 8-31 load threshold option 1-29, 8-19 ordered list 1-24, 8-23, 8-31 order option 1-28, 8-19 overview 1-24 round robin 1-25, 8-23, 8-31 weighted round robin 1-25, 8-23, 8-31 weight option 1-28, 8-19 BIND sample zone configuration file 8-44 boomerang

B
backup of GSSM conditions for 9-39

activity, monitoring 10-3 balance method 1-26 DNS race 1-26

Cisco Global Site Selector Configuration Guide

IN-2

OL-4327-01

Index

server 1-27 server, monitoring status 10-3 server status 10-3 browsers supported 1-36

closeness (DNS race) 7-15 communication between nodes 1-33 Content Services Switch data center deployment 1-34 definition G-2 global load-balancing 1-2 GSS network deployment 1-6 VIP answers 1-15 Content Switching Module data center deployment 1-34 definition G-2 global load-balancing 1-2 GSS network deployment 1-6 VIP answers 1-15 copy command 9-9 copying startup configuration to or from disk 9-9 CRA answer, creating 7-14 balance method 1-28, 7-23 closeness 7-15 CRA answer overview 1-16 definition G-2 DNS race 7-15 global keepalive configuration 6-15 keepalive 1-19 last gasp address 8-24 minimum frequency 6-15 one way delay 7-16 overview 1-19
Cisco Global Site Selector Configuration Guide

C
Cancel icon 1-43 certificate accepting 2-16 trusting 2-16 changing GSSM role 9-2 startup and running configuration 9-8 CIDR block masking 4-1 clauses (balance clause) in answer group 7-23 CLI accessing 2-2, 2-12 configuring GSS 2-10 device management 1-34 direct serial connection 2-2 GSS device monitoring 10-2 monitoring GSS network statistics 10-3 private and public key pair 2-5 remote connection 2-4 resetting CLI administrator account 9-21 resetting password 9-21 saving session 2-3 user account, creating 9-19

OL-4327-01

IN-3

Index

round-trip time 7-16 timing delay 6-15 Create icon 1-42 CSM See Content Switching Module CSS See Content Services Switch

Delete icon 1-44 deployment configuring name servers 8-42 data center 1-34 GSS devices behind firewall 9-30 locations and regions 3-2 overview 1-31 resources 3-2 typical GSS deployment 1-31 details pages 1-40 disassociating access list from interface 9-28 DNS all 8-26, 8-30 A record 8-26, 8-30 balance clause 8-30 creating DNS rules 8-5 delegation 8-42 DNS queries 8-26, 8-30 glue A records 8-43 hosted domain 1-13 iterative request 1-5 query 1-14 race 1-16, 7-15 recursive request 1-4 request resolution 1-5 routing overview 1-3 sample BIND zone configuration 8-44 server, modifying 8-43 server, monitoring 10-4

D
database backing up 9-40 monitoring status of 10-7 restoring GSSM from full backup 9-49 synchronized with standby GSSM 1-33 validating records 10-7 validation report 10-8 data center definition G-2 deployment 1-34 debug log message 10-29 default password 2-16 username 2-16 delegation definition 1-3 domains to GSS 1-31, 8-43 GSS devices 8-42 subdomains to GSS 1-31, 8-43

Cisco Global Site Selector Configuration Guide

IN-4

OL-4327-01

Index

traditional routing 1-3 unmatched queries 10-21 zone configuration file 8-43 DNS race balance method 1-26 closeness 7-15 coordinate start time 7-15 CRAs 1-16 DNS rule activating 1-45 answer 1-12 balance clause 7-23 components 1-12 creating 8-2 definition G-2 deleting 8-38 error messages 9-61 filtering 1-43 filters, configuring 8-38 filters, removing 8-42 hit count 10-15 modifying 8-33 overview 1-12 reactivating 8-35 reactivating all by owner 8-36 removing filters 8-42 showing all rules 1-43 suspending 1-45, 8-34 suspending all by owner 8-36

DNS Rule Builder balance clause 8-30 CRA configuration information 8-32 creating DNS rules 8-27 DNS queries 8-30 modifying DNS rule 8-33 name server balance methods 8-23, 8-31 overview 8-4 VIP answer group configuration information 8-32 VIP balance methods 8-31 DNS rule filter configuring 8-38 parameters 8-39 removing 8-42 DNS Rules tab 1-38 DNS Rule Wizard activating 8-26 answer group, configuring 8-15 balance method, configuring 8-22 creating DNS rules 8-5 domain list, configuring 8-10 icons 1-42, 1-44, 1-45 modifying DNS rule 8-33 overview 8-2 source address list, configuring 8-7 summary 8-25 suspending 8-26 documentation caution and note overview xxiii
Cisco Global Site Selector Configuration Guide

OL-4327-01

IN-5

Index

conventions xxi, xxii organization xx related xxi set xxi symbols and conventions xxii domain lists adding domains to 5-2, 5-5, 8-13 creating 5-2 current members 5-6 deleting 5-10 DNS Rule Wizard 8-10 error messages 9-68 general configuration 5-4 maximum domains 1-13 maximum nonwildcard domain length 5-6 modifying 5-8 overview 1-13, 5-1 regular expressions 5-1 removing domains 5-8 wildcards in domains 5-2, 5-6, 8-13 domain name space 1-3 Domain Name System See DNS domains delegating to GSS 1-32, 8-43 hit counts 10-17 maximum length 5-6 maximum name length 5-5 maximum per domain list 1-13, 5-2

wildcards example 8-13 wildcards maximum length 5-6 downgrading GSS device software 9-48 order of operation 9-48 restoring earlier software version 9-49 D-proxy background 1-4 definition G-2 iterative requests 1-5 name server forwarding 1-16 query GSS 1-14

E
error messages 9-56 answer 9-56 answer group 9-60 DNS rule 9-61 domain list 9-68 GSSM 9-78 keepalive 9-74 location 9-76 owner 9-77 region 9-77 shared keepalive 9-72 source address list 9-79 user 9-81 Ethernet interface, segmenting traffic 9-22

Cisco Global Site Selector Configuration Guide

IN-6

OL-4327-01

Index

exporting GSSM data 9-12 icon 1-42 Export to CSV icon 1-42

HTTP HEAD configuration settings 6-9 ICMP configuration settings 6-3 KAL-AP configuration settings 6-12 modifying 6-2 name server configuration settings 6-16 overview 6-1 properties, modifying 6-2 standard transmission rate 1-20, 6-4, 6-7, 6-10,
6-13

F
failure detection time, adjusting 1-20 fatal error log message 10-28 filtering GSS traffic 9-24 filters DNS rules 8-38 parameters 8-39, 8-40 removing 8-42 firewall configuring for GSS 9-33 deploying GSS devices 1-32, 9-30 inbound traffic to the GSS 9-31 outbound traffic from the GSS 9-32 permitting traffic to GSS 1-32 FTP, enabling 2-3 full GSSM backup 9-39 fully qualified domain name G-2

TCP configuration settings 6-6 global server load balancing balance clauses 7-23 data centers 1-34 definition G-3 delegation of GSS devices 8-42 global statistics 10-20 monitoring 10-9 overview 1-6 summary 2-23 using the GSS 1-6 Global Site Selector accessing the CLI 2-2, 2-4 accessing the CLI with private/public key pair 2-5 acting as GSSM 1-10, 1-31 activating 2-18 authoritative DNS server 1-7 balancing data centers 1-34 boomerang server 10-3 CLI-based management 1-34

G
global keepalives CRA configuration settings 6-15 fast transmission rate 1-20, 6-4, 6-7, 6-10, 6-13

Cisco Global Site Selector Configuration Guide OL-4327-01

IN-7

Index

communication 1-33 configured as GSSM (primary or standby) 2-12 configuring 2-14 configuring from CLI 2-10 console port, physical access to 2-4 delegation of devices 8-42 deleting devices 2-22 deployment 1-31, 1-32, 1-34, 8-42 direct serial connection 2-2 DNS server, monitoring 10-4 downgrading software 9-48 enable remote connect 2-3, 2-5 factors in responding to a request 1-7 firewalls 9-30, 9-33 global server load balancing 1-6 GSLB configuration 2-23 GUI-based management 1-35 hardware 1-10, 1-11 initial setup 2-8 interact with SLBs 1-6 inter-GSS communications 1-33, 9-22 keepalives overview 1-17, 6-1 locating 1-31 login accounts 9-19 MIBs 9-36 modifying device configuration 2-21 monitoring through CLI 10-2 monitoring through GUI 10-6 network configuration settings 9-7
Cisco Global Site Selector Configuration Guide

network deployment 2-6 network management 1-34 online status and resource usage 10-2 overview 1-2, 1-10 packet filtering 1-32 ports and protocols 9-25, 9-31 purging system log messages 10-30 remote access, enabling 2-3 remote connection 2-4 removing or replacing 9-2 reporting interval 9-12 resources, grouping 3-16 restoring earlier software version 9-49 running configuration 9-8 setup configuration decisions 2-6 setup script, configuring with 2-8 software architecture 1-9 startup configuration 9-8 synchronized with GSSM 1-10, 1-33 upgrading software 9-41 user account, creating 9-19 user account, deleting 9-20 user account, modifying 9-20 Global Site Selector Manager activating 2-18 backing up 9-37 changing role in GSS network 9-4 changing the GUI password 9-17 communication 1-33

IN-8

OL-4327-01

Index

configuring, primary 2-13 configuring, standby 2-13 configuring the GUI 9-10 creating user account (GUI) 9-14 database 1-10, 1-33 database, monitoring 10-7 database, restoring from backup 9-52 default username and password 2-16 definition G-3 deployment 1-31 DNS rule configuration interface 2-24, 8-2 DNS rules 1-12 downgrading software 9-48 error messages 9-78 exporting data 9-12 GSLB configuration 2-23 GUI overview 1-36 icons 1-41 initial setup 2-8 inter-GSS communication 1-33 keepalives overview 6-1 locating 1-31 logging on 2-15 login accounts 9-13 modifying user account (GUI) 9-16 monitoring device status from GUI 10-6 online help 1-47 overview 1-10 password 9-17

platform information 9-50 primary 1-10 primary GSSM GUI overview 1-36 printing data 9-12 redundancy 1-33 removing user account (GUI) 9-17 resetting the GUI password 9-17 resources, grouping 3-16 restoring earlier software version 9-49 restoring full backup 9-49 role change 9-4 security 9-13 setup configuration decisions 2-6 standby 1-11 standby, as backup 1-31 standby acting as primary 1-33 switching primary and standby role 9-2 upgrading software 9-41 viewing system logs 10-28 global statistics 10-20 glossary of terms G-1 glue A records 8-43 GSLB See global server load balancing GSS See Global Site Selector gss.log file 10-24 GSSM See Global Site Selector Manager

Cisco Global Site Selector Configuration Guide OL-4327-01

IN-9

Index

gssm standby-to-primary command 9-5 GSS network changing GSSM role 9-4 configuration 1-10, 1-33 configuration overview 2-6 definition G-3 deployment 1-31 global statistics 10-20 GSLB status 10-9 GSS, removing 9-2 GSSM connectivity 2-12 limiting network traffic 9-22 logically removing a GSS 9-2 logically removing a standby GSSM 9-2 management 1-34 monitoring through CLI 10-3 monitoring through GUI 10-6 organizing 3-2 primary GSSM 1-10 primary GSSM, removing 9-2 resource grouping 3-16 segmenting network traffic 9-22 setup configuration decisions 2-6 standby GSSM, removing 9-2 URL 2-15 GSS-related ports and protocols 9-25 GUI browsers supported 1-36 configuration 9-10, 9-11

details pages 1-40 device management 1-34 icons 1-41 list pages 1-38 logging on 1-36, 2-15 monitoring GSS device status 10-6 navigation 1-41 organization 1-38 overview 1-36 password 9-17 refreshing 1-42, 9-10, 9-12 security 9-13 session inactivity timeout 9-10, 9-11 tabs 1-38 timeout 9-11 understanding 1-36 user account, creating 9-14 user account, modifying 9-16 user account, removing 9-17

H
hashed balance method 1-26, 8-23, 8-31 help navigation link 1-47 obtaining 1-47 primary GSSM Online help overview 1-47 hosted domain definition G-3


domain names 1-13 name examples 1-13 overview 1-13, 5-1 regular expressions 1-13 requested 1-12 statistics 10-17 HTTP HEAD keepalive default path 6-11, 6-25, 7-12 destination port 6-11, 7-11 global keepalive configuration 6-9 host tag 6-25, 7-12 overview 1-18 shared keepalive configuration 6-24 termination method 6-11, 6-25, 7-12 VIP answer 7-11 HyperTerminal launching 2-2 saving session 2-3

inter-GSS communications 9-22 iterative requests 1-5

K
KAL See keepalive KAL-AP keepalive by tag 7-14 by VIP 7-14 CAPP hash secret 6-14, 6-27 global keepalive configuration 6-12 overview 1-19 primary and secondary IP addresses 6-27 shared keepalive configuration 6-26 VIP answer 7-13 keepalive CRA overview 1-19 CRA type 1-19 definition G-4 deleting a shared keepalive 6-29 error messages 9-72, 9-74 failure detection time, adjusting 1-20 fast transmission rate 1-20, 6-4, 6-7, 6-10, 6-13 global properties, modifying 6-2 global properties, overview 6-1 HTTP HEAD connection termination method 6-11, 6-25, 7-12 HTTP HEAD overview 1-18 ICMP type 1-18

I
ICMP keepalive global keepalive configuration 6-3 overview 1-18 shared keepalive configuration 6-21 VIP answer 7-7 icons 1-41 Info log message 10-29 inter-GSS communication 1-33


KAL-AP overview 1-19 keepalive attempts 1-23, 6-5, 6-8, 6-11, 6-14, 6-22, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12

overview 1-25, 8-23, 8-31 weight option 1-29 list pages overview 1-38 sorting items 1-38 loading startup configuration from external file 9-9 load threshold, balance method option 1-29, 8-19

monitoring status 10-5 name server 1-20 name server overview 1-20 none 1-20 number of retries 1-22, 6-5, 6-8, 6-11, 6-14, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12

overview 1-17 probes 1-23, 6-5, 6-8, 6-11, 6-14, 6-22, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12

location creating 3-6 definition G-4 deleting 3-10 error messages 9-76 modify all answers in 7-21 modifying 3-9 organizing resources 3-16 overview 3-2 suspending all answers 7-21 location overview 1-30 log files logging levels 10-22 rotating 10-26 subsystem 10-25 viewing 10-22 logging levels 10-22

probes per second 10-21 shared keepalive, creating 6-17 shared keepalive, modifying 6-28 shared keepalive overview 6-17 shared VIP keepalives, overview 6-17 standard transmission rate 1-20, 6-4, 6-7, 6-10, 6-13

supported types 1-17 TCP connection termination method 6-8, 6-23, 7-10

TCP overview 1-18 transmission interval formula 1-21 VIP 1-18, 1-19, 6-17

L
last gasp address 8-24 least loaded 8-31 balance method 1-25, 8-23, 8-31

logging on to GSSM GUI 2-15 logically removing standby GSSM from a network 9-2 logically removing a GSS from a network 9-2


login accounts 9-13 certificate 2-15 default 2-16 GUI 1-36 security 9-13 login accounts creating on GSS 9-19 creating on GSSM 9-14 deleting 9-20 GSSM 9-13 managing 9-19 modifying 9-16, 9-20 removing 9-17

database status 10-7 DNS rule statistics 10-15 DNS server 10-4 global load-balancing status 10-9 global statistics 10-20 GSS network status 10-3 hosted domain statistics 10-17 keepalives 10-5 online status 10-2 resource usage 10-2 source address statistics 10-18 status of GSS devices by CLI 10-2 status of GSS devices from the GUI 10-6 Monitoring tab 1-38

M
messages error 9-56 purging 10-30 system log 10-31 viewing 10-28 MIBs 9-33, 9-36 Modify icon 1-42 monitoring answer hit counts 10-10 answer keepalive statistics 10-11 answer status 10-14 boomerang server status 10-3

N
name server answer type, creating 7-17 authoritative 1-6 authoritative name server (ANS) 1-4 balance method 7-23 balance method options 1-28 balance methods 8-23, 8-31 client name server (CNS) 1-4 definition G-4 DNS resolvers (DNSR) 1-4 forwarding 1-16 intermediate name server (INS) 1-4


keepalive 1-20 name server answer overview 1-16 overview 1-4 query 7-19 records, adding to zone configuration file 8-43 root name servers (RNS) 1-4 name server keepalive global keepalive configuration 6-16 minimum frequency 6-16 overview 1-20 query domain 6-16 navigation through the GUI 1-41 network configuration, erasing 9-7 configuration, modifying 9-7 configuration for GSS devices 9-8 deployment 1-31 locating GSS on 1-31 running configuration, changing 9-8 startup configuration, changing 9-8 network management 1-34 CLI-based 1-34 GUI-based 1-35 node communication 1-33 number of retries for keepalive types 1-22, 6-5, 6-8, 6-11, 6-14, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12

O
one-way delay 7-16 Online help overview 1-47 ordered list 8-31 balance method 1-24, 8-23, 8-31 definition G-4 overview 1-24 order option, balance method 1-28, 8-19 origin server G-5 owner creating 3-11 deleting 3-15 error messages 9-77 modifying 3-14 organizing resources 3-16 overview 1-30, 3-2 reactivating all DNS rules 8-36 suspending all answer groups for 7-32 suspending all DNS rules 8-36

P
Partner Initiated Customer Access See PICA password CLI, resetting 9-21 default 2-16 GSSM GUI, changing 9-17


GSSM GUI, resetting 9-17 logging in 2-16 resetting CLI administrator account 9-21 user account, creating 9-15 PICA 9-44 platform information restoring 9-50 summary 9-50 ports and protocols 9-25, 9-31 primary GSSM changing to standby 9-4 configuring the GUI 9-10 overview 1-10 security 9-13 viewing system logs 10-28 Print icon 1-42 printing GSSM data 9-12 Print icon 1-42 private and public key pairs 2-5 protocols and ports for GSS devices 9-25 proximity DNS race 7-15 purging system log messages 10-30

CRA answer 7-14 DNS request 1-6 DNS rules 1-12 KAL-AP 1-19, 7-14 match DNS query type 8-26 name server 1-20, 6-16 name server answer 7-17 not matched to D-proxy 1-14 query domain 6-16 source addresses 1-13 VIP answer 7-2

R
reactivating all answer groups for an owner 7-32 all answers in an answer group 7-32 all answers in location 7-21 all DNS rules by owner 8-36 answer 7-21 DNS rule 8-35 record database records, validating 10-7 request 8-26, 8-30 redundancy synchronization 1-33 Refresh icon 1-42 refreshing the GUI 1-42, 9-10, 9-12 region creating 3-3

Q
query answers 7-2 balance methods 1-24


definition G-5 deleting 3-10 error messages 9-77 modifying 3-8 organizing resources 3-16 overview 1-30, 3-2 regular expressions 1-13, 5-1 remote access enabling 2-3 FTP 2-3 SSH 2-3 Telnet 2-3 remote connection accessing CLI 2-4 SSH 2-4 Telnet 2-4 report answer hit counts 10-10 answer status 10-14 database validation 10-8 DNS rule hit count 10-15 domain hit count 10-17 keepalive statistics 10-11 source address hit count 10-18 reporting interval 9-12 requests iterative 1-5 resolution 1-4, 1-7 resetting

CLI administrator account 9-21 CLI password 9-21 GUI password 9-17 password 9-21 resources configuring 3-1 grouping 3-16 organizing 3-2 Resources tab 1-38 restoring earlier software version 9-49 GSSM database from a backup 9-52 GSSM from full backup 9-49 GSSM platform information 9-50 rotating log files 10-26 round robin 8-31 balance method 1-25, 8-23, 8-31 overview 1-25 round-trip time 7-16 running configuration changing 9-8 saving 9-8

S
sample BIND zone configuration 8-44 secure HTTP address 2-16 security configuration 9-13


GUI 9-13 segmenting GSS traffic by interface 9-22 server load balancer 1-2, G-5 service provider G-5 session inactivity timeout 9-10, 9-11 setup script 2-8 bypassing 2-8 configuring GSS 2-8 configuring GSSM 2-8 severity log message 10-28 shared keepalive creating 6-17 deleting 6-29 error messages 9-72 modifying 6-28 overview 6-17 shared keepalives HTTP HEAD configuration settings 6-24 ICMP configuration settings 6-21 KAL-AP configuration settings 6-26 TCP configuration settings 6-22 show access-list command 9-30 show logs command 10-24 show statistics command 10-3 boomerang 10-3 dns 10-4 keepalive 10-5 Simple Network Management Protocol (SNMP) community-string 9-34

configuring 9-34 contact information 9-34 enabling 9-34 location 9-35 MIB files, viewing 9-36 overview 9-33 port, changing 9-36 viewing status 9-35 software, restoring earlier version 9-49 software downgrade procedure 9-48 restoring earlier software version 9-49 software update new update file 9-43 obtaining update file 9-43 procedure 9-41 sort DNS rules 8-38 removing 8-42 Sort icon 1-42 source address Anywhere 1-14, 4-1 blocks 1-14, 4-1 hit counts 10-18 maximum per source address list 4-1 overview 1-14 source address and domain hash balance method 1-26, 8-23, 8-31 source address list adding addresses 4-3

address blocks 4-4 anywhere 1-14 Anywhere (default) 4-1 creating 4-1, 4-2 current members 4-4 definition G-5 deleting 4-7 DNS Rule Wizard 8-7 error messages 9-79 general configuration 4-3 maximum addresses 4-1 modifying 4-5 overview 1-13 removing addresses 4-6 SSH, enabling 2-3 SSL See Secure Socket Layer standby GSSM changing to primary 9-4 definition 1-33 overview 1-11 startup configuration changing 9-8, 9-9 loading from external file 9-9 saving from external file 9-9 static proximity G-5 statistics answer hit counts 10-10 answer keepalive 10-11

answer status 10-14 DNS rule hit count 10-15 global 10-20 hosted domains 10-17 source address 10-18 subdomains, delegation 1-31, 8-43 Submit icon 1-43 subscriber G-5 subsystem log files rotating 10-26 viewing 10-25 suspending all answer groups for an owner 7-32 all answers in a location 7-21 all answers in an answer group 7-32 all DNS rules by owner 8-36 answer 7-20 answer group 7-30 DNS rule 8-34 switching primary and standby GSSM role 9-2 synchronization of primary and standby GSSM 1-33 system log messages 10-31 purging 10-30 severity 10-28 viewing 10-28


T
tail command option 10-24 TCP keepalive destination port 6-8, 7-9 global keepalive configuration 6-6 overview 1-18 shared keepalive configuration 6-22 termination method 6-8, 6-23, 7-10 VIP answer 7-9 Telnet, enabling 2-3, 2-5 third-party software, viewing information 9-54 Time To Live G-6 Tools tab 1-38 traffic limiting 9-22 segmenting by interface 9-22 troubleshooting 9-56 TTL See Time To Live

user account, creating 9-14 account, modifying 9-16 account, removing 9-17 error messages 9-81 user account creating 9-14 creating for GUI 9-14 creating with CLI 9-19 deleting 9-20 modifying 9-16, 9-20 removing 9-17 user interface details windows 1-40 icons 1-41 list windows 1-38 log on to 2-15 navigation 1-41 organization 1-38 understanding 1-36 username default 2-16 logging in 2-16 user account, creating 9-15

U
update file, obtaining 9-43 upgrading GSS device software 9-41 obtaining update file 9-43 order of operation 9-41 URL, secure HTTP 2-16

V
validating database records 10-7 viewing


access lists 9-30 gss.log file 10-24 log files 10-22 MIB files 9-36 SNMP status 9-35 subsystem log files 10-25 system log 10-28 third-party software information 9-54 VIP answer groups 7-23 answers 7-2 balance method options 1-28 balance methods 7-23, 8-23, 8-31 keepalive type 1-18 VIP answer overview 1-15 VIP answer answer types 7-5 creating 7-2 HTTP HEAD keepalive 7-11 ICMP keepalive 7-7 KAL-AP keepalive 7-13 TCP keepalive 7-9 VIP keepalive type HTTP HEAD 1-18 ICMP 1-18 KAL-AP 1-19 TCP 1-18

W
warning log message 10-28 weight balance method overview 1-28, 8-19 least loaded 1-29 round-robin 1-29 weighted round robin balance method 1-25, 8-23, 8-31 overview 1-25 wildcards example 8-13 in domains 5-2, 5-6, 8-13 maximum length in domain names 5-6 wizard creating DNS rules 8-5 DNS Rule Wizard 8-2 overview 8-2 write memory command 9-8

Z
zone configuration file modifying 8-43 sample 8-44
