Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100
Text Part Number: OL-4327-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)
Cisco Global Site Selector Configuration Guide Copyright 2003 Cisco Systems, Inc. All rights reserved.
Contents

Preface
Audience
How to Use This Guide
Related Documentation
Symbols and Conventions
Obtaining Documentation, Obtaining Support, and Security Guidelines

Chapter 1: Introducing the Global Site Selector
GSS Overview
DNS Routing
DNS Name Servers
Request Resolution
GSLB Using the GSS
GSS Architecture
Global Site Selectors and Global Site Selector Managers
GSS
Primary GSSM
Standby GSSM
DNS Rules
Hosted Domains and Domain Lists
Source Address and Source Address Lists
Answers and Answer Groups
VIP Answers
Name Server Answers
CRA Answers
Keepalives
ICMP
TCP
HTTP-HEAD
KAL-AP
CRA
Name Server
None
Adjusting Failure Detection Time for Keepalives
Balance Methods
Ordered List
Round-Robin
Weighted Round-Robin
Least Loaded
Hash
Boomerang (DNS Race)
Balance Method Options for Answer Groups
Locations and Regions
Owners
GSS Network Deployment
Locating GSS Devices
Locating GSS Devices Behind Firewalls
Communication Between GSS Nodes
Deployment Within Data Centers
GSS Network Management
CLI-Based GSS Management
GUI-Based Primary GSSM Management
Understanding the Primary GSSM Graphical User Interface
Graphical User Interface Organization
List Pages
Details Pages
Navigation
Primary GSSM GUI Icons and Symbols
Primary GSSM GUI Online Help
Where to Go Next

Chapter 2: Setting Up Your GSS
Accessing the GSS CLI
Accessing the CLI Using a Direct Serial Connection
Enabling Remote Access on a GSS Device
Accessing the CLI Using a Remote Connection
Accessing the GSS CLI Using a Private and Public Key Pair
Performing Network Configuration of the GSS
Configuring the GSS Using the Setup Script
Configuring the GSS from the CLI
Configuring a Primary GSSM or Standby GSSM
Configuring a Global Site Selector
Logging Into the Primary GSSM Graphical User Interface
Creating and Modifying GSS Devices
Activating GSS Devices
Modifying GSS Device Configuration
Deleting GSS Devices
Global Server Load-Balancing Summary
Where to Go Next

Chapter 3: Configuring Resources
Organizing Your GSS Network
Creating and Modifying Locations and Regions
Creating Regions
Creating Locations
Modifying Regions
Modifying Locations
Deleting Locations and Regions
Creating and Modifying Owners
Creating Owners
Modifying Owners
Deleting Owners
Grouping GSS Resources by Location, Region, and Owner
Where to Go Next

Chapter 4: Configuring Source Address Lists
Creating Source Address Lists
Modifying Source Address Lists
Deleting Source Address Lists
Where to Go Next

Chapter 5: Configuring Domain Lists
Domain List Overview
Creating Domain Lists
Modifying Domain Lists
Deleting Domain Lists
Where to Go Next

Chapter 6: Configuring KeepAlives
Modifying Global KeepAlive Properties
Global KeepAlive Configuration - ICMP
Global KeepAlive Configuration - TCP
Global KeepAlive Configuration - HTTP HEAD
Global KeepAlive Configuration - KAL-AP
Global KeepAlive Configuration - CRA
Global KeepAlive Configuration - Name Server
Configuring and Modifying Shared VIP KeepAlives
Creating a Shared VIP KeepAlive
Shared KeepAlive Configuration - ICMP
Shared KeepAlive Configuration - TCP
Shared KeepAlive Configuration - HTTP HEAD
Shared KeepAlive Configuration - KAL-AP
Modifying a Shared KeepAlive
Deleting a Shared KeepAlive
Where to Go Next

Chapter 7: Configuring Answers and Answer Groups
Configuring and Modifying Answers
Creating a VIP-Type Answer
VIP Answer - ICMP KeepAlive
VIP Answer - TCP KeepAlive
VIP Answer - HTTP HEAD KeepAlive
VIP Answer - KAL-AP KeepAlive
Creating a CRA-Type Answer
Creating a Name Server-Type Answer
Modifying an Answer
Suspending an Answer
Reactivating an Answer
Suspending or Reactivating All Answers in a Location
Deleting an Answer
Configuring and Modifying Answer Groups
Creating an Answer Group
Modifying an Answer Group
Suspending or Reactivating an Answer Group
Suspending or Reactivating All Answers in an Answer Group Associated with an Owner
Deleting an Answer Group
Where to Go Next

Chapter 8: Building and Modifying DNS Rules
DNS Rule Configuration Overview
DNS Rule Wizard
DNS Rule Builder
Building DNS Rules Using the Wizard
DNS Rule Wizard - Source Address List Page
DNS Rule Wizard - Source Address List Page 2
DNS Rule Wizard - Source Address List Page 3
DNS Rule Wizard - Domain List Page
DNS Rule Wizard - Domain List Page 2
DNS Rule Wizard - Domain List Page 3
DNS Rule Wizard - Answer Group Page
DNS Rule Wizard - Answer Group Page 2
DNS Rule Wizard - Answer Group Page 3
DNS Rule Wizard - Answer Group Page 4
DNS Rule Wizard - Balance Method Page
DNS Rule Wizard - Summary
Building DNS Rules Using the DNS Rule Builder
Modifying DNS Rules
Suspending a DNS Rule
Reactivating a DNS Rule
Suspending or Reactivating All DNS Rules Belonging to an Owner
Deleting a DNS Rule
Configuring DNS Rule Filters
Removing DNS Rule Filters
Delegation to GSS Devices

Chapter 9: GSS Administration and Troubleshooting
Performing Advanced GSS Configuration Tasks
Logically Removing a GSS or Standby GSSM from the Network
Changing the GSSM Role in the GSS Network
Switching the Roles of the Primary and Standby GSSMs
Reversing the Roles of the Interim Primary and Standby GSSMs
Modifying Network Configuration Settings of a GSS
Changing the Startup and Running Configuration Files
Loading the Startup Configuration from an External File
Configuring the Primary GSSM Graphical User Interface
Printing and Exporting GSSM Data
Configuring GSS Security
Creating and Managing GSSM Login Accounts
Creating a GSSM GUI User Account
Modifying a GSSM GUI User Account
Removing a GSSM GUI User Account
Changing Your GSSM GUI Password
Creating and Managing GSS CLI Login Accounts
Creating a GSS User Account Using the CLI
Modifying a GSS User Account Using the CLI
Deleting a GSS User Account Using the CLI
Resetting the CLI Administrator Account Password
Segmenting GSS Traffic by Interface
Filtering GSS Traffic Using Access Lists
Creating an Access List
Associating an Access List with a GSS Interface
Disassociating an Access List from a GSS Interface
Adding Rules to an Access List
Removing Rules from an Access List
Viewing Access Lists
Deploying GSS Devices Behind Firewalls
Configuring SNMP on Your GSS Network
Configuring SNMP on Your GSS
Viewing SNMP Status
Viewing MIB Files on the GSS
Backing Up the GSSM
Determining When and What Type of Backup to Perform
When to Perform a Full Backup
When to Perform a Database Backup
Performing a Full GSSM Backup
Performing a GSSM Database Backup
Upgrading the Cisco GSS Software
Verifying the GSSM Role in the GSS Network
Backing up and Archiving the Primary GSSM
Obtaining the Software Upgrade
Upgrading Your GSS Devices
Downgrading and Restoring Your GSS Devices
Restoring an Earlier Software Version on Your GSS Devices
Restoring Your GSSM from a Full Backup
Restoring Your GSSM Database from a Database-Only Backup
Viewing Third-Party Software Versions
Primary GSSM Error Messages
Answer Error Messages
Answer Group Error Messages
DNS Rule Error Messages
Domain List Error Messages
Shared KeepAlive Error Messages
KeepAlive Error Messages
Location Error Messages
Owner Error Messages
Region Error Messages
GSSM Error Messages
Source Address List Error Messages
User Error Messages

Chapter 10: Monitoring GSS Performance
Monitoring GSS and GSSM Status
Monitoring the Online Status of GSS Devices from the CLI
Monitoring the Status of Your GSS Network from the CLI
Monitoring the Status of the Boomerang Server on Your GSS
Monitoring the Status of the DNS Server on Your GSS
Monitoring the Status of Keepalives on Your GSS
Monitoring GSS Device Status from the Primary GSSM GUI
Monitoring GSSM Database Status
Monitoring the Database Status
Validating Database Records
Creating a Database Validation Report
Monitoring Global Load-Balancing Status
Monitoring Answer Hit Counts
Monitoring Answer Keepalive Statistics
Monitoring Answer Status
Monitoring DNS Rule Statistics
Monitoring Domain Statistics
Monitoring Source Address Statistics
Monitoring Global Statistics
Viewing Log Files
Understanding GSS Logging Levels
Viewing Device Logs from the CLI
Viewing the gss.log File from the CLI
Viewing Subsystem Log Files from the CLI
Rotating Existing Log Files from the CLI
Viewing System Logs from the Primary GSSM GUI
Viewing System Logs from the GUI
Purging System Log Messages from the GUI
System Log Messages

Glossary
Index

Preface
This guide includes information on configuring the Cisco Global Site Selector (GSS). It provides procedures for the proper setup, global server load balancing configuration, administration, and monitoring of the GSS product. Steps for troubleshooting many common problems are also provided. This preface describes the following topics:
Audience
How to Use This Guide
Related Documentation
Symbols and Conventions
Obtaining Documentation, Obtaining Support, and Security Guidelines
Audience
To use this configuration guide, you should be familiar with the Cisco Global Site Selector Series hardware. In addition, you should be familiar with basic TCP/IP and networking concepts, router configuration, Domain Name System (DNS), the Berkeley Internet Name Domain (BIND) software or similar DNS products, and your organization's specific network configuration.
How to Use This Guide
Chapter 3, Configuring Resources
Chapter 4, Configuring Source Address Lists
Chapter 5, Configuring Domain Lists
Chapter 6, Configuring KeepAlives
Chapter 7, Configuring Answers and Answer Groups
Chapter 8, Building and Modifying DNS Rules
Chapter 9, GSS Administration and Troubleshooting: Covers the procedures necessary to properly manage and maintain your GSSM and GSS devices, including login security, software upgrades, GSSM database administration, and GSSM error messages.
Chapter 10, Monitoring GSS Performance: Describes the tools that you can use to monitor the status of your GSS devices and of global load balancing on your GSS network.
Related Documentation
In addition to this document, the GSS documentation set includes the following:
Global Site Selector Hardware Installation Guide: Intended to help you install your Cisco Global Site Selector and get it ready for operation. It describes how to prepare your site for installation, how to install the GSS in an equipment rack, and how to maintain and troubleshoot the system hardware.
Release Note for the Cisco Global Site Selector: Provides information on operating considerations, caveats, and commands for the Global Site Selector software.
Cisco Global Site Selector Command Reference: Provides an alphabetical list of all GSS Command Line Interface (CLI) commands including syntax, options, and related commands. This document also describes how to use the CLI interface.
Symbols and Conventions
Commands and keywords are in boldface.
Variables for which you supply values are in italics.
Elements in square brackets are optional.
Alternative keywords are grouped in braces and separated by vertical bars.
Optional alternative keywords are grouped in brackets and separated by vertical bars.
A nonquoted set of characters. Do not use quotation marks around the string, or the string will include the quotation marks.
Screen examples use the following conventions:
screen font: Terminal sessions and information the system displays are in screen font.
boldface screen font: Information you must enter is in boldface screen font.
italic screen font: Variables for which you supply values are in italic screen font.
This pointer highlights an important line of text in an example.
^: The symbol ^ represents the key labeled Control. For example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< >: Nonprinting characters, such as passwords, are in angle brackets.
[ ]: Default responses to system prompts are in square brackets.
!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
boldface text: Instructs the user to enter a keystroke or act on a GUI element.
Courier text: Indicates text that appears in a command line, including the CLI prompt.
Indicates commands and text you enter in a command line.
italic text: Directories and filenames are in italic font.
Caution
A caution means that a specific action you take could cause a loss of data or adversely impact use of the equipment.
Note
A numbered list indicates that the order of the list items is important.
a. An alphabetical list indicates that the order of the secondary list items is important.
A bulleted list indicates that the order of the list topics is unimportant.
An indented list indicates that the order of the list subtopics is unimportant.
Chapter 1: Introducing the Global Site Selector
GSS Overview
DNS Routing
GSLB Using the GSS
GSS Architecture
GSS Network Deployment
GSS Network Management
Understanding the Primary GSSM Graphical User Interface
For background material on DNS-based global server load balancing (GSLB), as it applies to the GSS, refer to the Business Case for Global Server Load Balancing white paper available on Cisco.com.
GSS Overview
With the growth of the Internet and of Internet-based commerce, there is an increasing demand for high-end networking solutions that can handle sophisticated customer transactions and high traffic loads. Improved content routing is a core technology behind such networking solutions.
Global load-balancing devices such as the Cisco Content Services Switch (CSS) and Cisco Content Switching Module (CSM) can balance content requests among two or more servers containing the same content that are connected to a corporate LAN or the Internet. Server load balancing devices ensure that the content consumer is directed to the host that is best suited to handle that consumer's request.
Increasingly, organizations with a global reach or businesses that provide web and application hosting services require network devices that can perform such complex request routing to two or more redundant, geographically dispersed data centers, improving response times while also providing disaster recovery and failover protection through so-called global server load balancing, or GSLB.
The Cisco Global Site Selector (GSS) is a next-generation networking product that provides these services, allowing customers to leverage global content deployment across multiple distributed and mirrored data locations, optimizing site selection, improving Domain Name System (DNS) responsiveness, and ensuring data center availability.
Inserted into the traditional DNS routing hierarchy and closely integrated with your Cisco CSS, Cisco CSM, or third-party server load balancers (SLBs), the GSS monitors the health and load of the SLBs in each of your data centers and then uses that information along with customer-controlled routing algorithms to select the best-suited and least-loaded data center in real time.
Just as important, the GSS is capable of detecting site outages, ensuring that web-based applications are always online and that customer requests to data centers that suddenly go offline are quickly rerouted to available resources. Finally, the GSS offloads tasks from traditional DNS servers by taking control of the domain resolution process for parts of your domain name space. Because it can respond to requests at a rate of thousands of requests per second, the GSS greatly improves DNS responsiveness to those subdomains.
DNS Routing
Before you can begin using the GSS product, you must first understand content routing as it currently exists, including DNS and how the introduction of GSS devices on your network will affect content routing and delivery to your customers. This section explains some of the key DNS routing concepts behind the GSS product. Since the early 1980s, content routing on the Internet has been handled using the Domain Name System (DNS), a distributed database of host information that maps domain names to IP addresses. A radical departure from the largely manual system of maintaining lists of domain names that preceded it, DNS vastly improved the ability of those responsible for maintaining the Internet to manage network traffic and load, as well as maintain a consistent and unique list of valid Internet hosts. Almost all transactions that occur across the Internet rely on DNS, including electronic mail, remote terminal access such as Telnet, file transfers using FTP, and web surfing. DNS makes possible the use of easy-to-remember alphanumeric host names instead of numeric IP addresses that bear no relationship to the content on the host. DNS is a robust and flexible system for managing a nearly infinite number of host names, called the domain name space (Figure 1-1). DNS is particularly effective in that it allows local administration of segments (individual domains) of the overall database, yet makes it possible for data in any segment to be available across the entire network, a process known as delegation.
Figure 1-1 Domain Name Space
DNS Name Servers
DNS Resolvers (DNSR): Clients that access client name servers.
Client Name Server (CNS): A server that runs DNS software and has the responsibility of finding the requested web site. The CNS is sometimes called the client DNS proxy (D-proxy).
Root Name Servers (RNS): A server that resides at the top of the DNS hierarchy. The RNS knows how to locate every extension after the . in the host name. There are many top-level domains; the most common include .org, .edu, .net, .gov, and .mil. There are approximately 13 root servers worldwide for handling all Internet requests.
Intermediate Name Server (INS): A server that is used for scaling purposes. When the root name server does not have the IP address of the authoritative name server (ANS), it sends the requesting client name server to an intermediate name server. The intermediate name server then sends the client name server to the authoritative name server.
Authoritative Name Server (ANS): A server that is run by an enterprise or is outsourced to a service provider and is authoritative for the domain requested. The authoritative name server responds directly to the client name server (not to the client) with the requested IP address.
Request Resolution
If the local D-proxy does not have the information requested by the end user, it sends out iterative requests to the name servers that it knows are authoritative for domains close to the requested domain. For example, a request for www.cisco.com causes the D-proxy to check first for another name server that is authoritative for www.cisco.com. The process outlined below summarizes the sequence performed by the DNS infrastructure to return an IP address when a client tries to access the www.cisco.com website. Figure 1-2 illustrates how the DNS request resolution process works.
Figure 1-2 DNS Request Resolution (diagram: desktop system; root name server "."; intermediate name server supporting .com; authoritative name server supporting Cisco.com and all sub-domains, such as www.cisco.com; steps 1 through 5)
1. The resolver (client) sends a query for www.cisco.com to the local client name server (D-proxy).
2. The local D-proxy does not have the IP address for www.cisco.com so it sends a query to a root name server (.) asking for the IP address. The root name server responds by referring the D-proxy to the specific name server supporting the .com domain. The root name server can respond to the request in two different ways. The most common way is to send the D-proxy directly to the authoritative name server for tac.support.cisco.com. Another method, called iterated query, is when the root name server sends the D-proxy to an intermediate name server that knows the address of the authoritative name server tac.support.cisco.com.
3. The local D-proxy sends a query to the intermediate name server, which responds by referring the D-proxy to the authoritative name server for cisco.com and all the associated sub-domains.
4. The local D-proxy sends a query to the cisco.com authoritative name server. This name server is authoritative for cisco.com, which is the top-level domain. www.cisco.com is a sub-domain of cisco.com, so this name server is authoritative for the requested domain and sends the IP address to the D-proxy.
5. The D-proxy sends the IP address (198.133.219.25) to the client browser. The browser uses this IP address and initiates a connection to the www.cisco.com web site.
GSLB Using the GSS
When the Cisco GSS is responsible for GSLB services, the DNS process migrates to the GSS. The DNS configuration is the same process as described in the Request Resolution section. The only exception is that the NS-records point to the GSSs located at each data center. Ultimately, the Cisco GSS device determines which data center site should receive the client traffic. As the authoritative name server for a domain or subdomain, the GSS can consider additional information about the resources under its control when it receives requests from client name servers. Among the additional factors that the GSS is capable of considering when responding to a request are:
Availability: Which servers are online and available to respond to the query?
Proximity: Which server responded the fastest to a query?
Load: What type of traffic load is each server handling in the domain?
Source of the Request: From which D-proxy did the content request originate?
Preference: What is the first, second, or third choice of algorithm to use in responding to a query?
This type of load balancing helps to ensure not only that end users are always directed to resources that are online, but also that requests are forwarded to the most suitable device, resulting in improved response times for users. In resolving DNS requests, the Cisco GSS performs a series of distinct operations that take into account the resources under its control and return the best possible answer to the requesting client's D-proxy. The process outlined below describes how the GSS interacts with various clients as part of the website selection process to return the IP address of the requested content site. Figure 1-3 illustrates how this process works.
Figure 1-3 [diagram labels: GSS 1, GSS 2, DNS Global Control Plane, Data Center 1, Data Center 2, Data Center 3; client access types: Mobile, Fixed Wireless, Cable, DSL, ISDN/Dial; legend: Clients Requesting Web sites, Cisco GSS's Response, Clients DNS Requests, Cisco GSS Tracking Global Resources, Layer 3 Communications]
1. A client starts to download an updated version of software from www.cisco.com and types www.cisco.com in the location or address field of the browser. This application is supported at three different data centers.
2. The request is processed by the DNS global control plane infrastructure and arrives at the Cisco GSS device.
3. The Cisco GSS offloads the site selection process from the DNS global control plane. The request and site selection are based on the load and health information in conjunction with customer-controlled load-balancing algorithms. The Cisco GSS, in real time, selects a data center that is available and not overloaded.
4. The Cisco GSS sends the IP address of the best server load balancer at a specific data center, in this case the SLB at Data Center 2.
5. The web browser processes the transmitted IP address.
6. The client is directed to the SLB at Data Center 2 by the IP control and forwarding plane.
GSS Architecture
This section describes the key components of a GSS deployment, including hardware and software, as well as GSS networking concepts. It includes:
Global Site Selectors and Global Site Selector Managers
DNS Rules
Hosted Domains and Domain Lists
Source Address and Source Address Lists
Answers and Answer Groups
Keepalives
Balance Methods
Locations and Regions
Owners
GSS
The GSS is a Cisco Global Site Selector platform running GSS software and performing routing of DNS queries based on DNS rules and conditions configured using the GSSM. Each GSS is known to and synchronized with the primary GSSM, but individual GSSs do not report their presence or status to one another. Each GSS on your network must delegate authority to the parent domain GSS DNS server that serves the DNS requests. Each GSS is managed separately using the Cisco CLI. GUI support is not available on a GSS device. A device that acts as a GSS may also be serving as the primary GSSM for a GSS network.
Primary GSSM
The primary GSSM is a Cisco Global Site Selector platform running Cisco GSS software and performing content routing as well as centralized management functions for the GSS network. The primary GSSM serves as the organizing point of the GSS network, hosting the embedded GSS database that contains configuration information for all your GSS resources, such as individual GSSs and DNS rules. Other GSS devices report their status to the primary GSSM. Configuration changes initiated on the primary GSSM using the graphical user interface are automatically communicated to each device that the primary GSSM manages. Any GSS device can serve as a GSSM.
In addition to content routing configuration, a subset of device-monitoring and logging features is accessible from the GSSM GUI, though more extensive inquiries may require access to the GSS CLI for an individual device. Communication between administrators and the primary GSSM uses secure HTTP (HTTPS), and access to the primary GSSM graphical user interface is password-protected.
Standby GSSM
The standby GSSM is a Cisco Global Site Selector platform running Cisco GSS software and performing GSLB functions for the GSS network even while operating in standby mode. In addition, the standby GSSM can be configured to act as the GSSM should the primary GSSM go offline or become unavailable to communicate with other GSS devices. As with the primary GSSM, the standby GSSM is configured to run the GSSM GUI and contains a duplicate copy of the embedded GSS database that is currently installed on the primary GSSM. Any configuration or network changes affecting the GSS network are synchronized between the primary and the standby GSSM so that the two devices are never out of step.
The GUI is inaccessible on the standby GSSM until it is designated as the primary GSSM. The standby GSSM can be enabled as the primary GSSM using the gssm standby-to-primary CLI command. You must make sure that your original primary GSSM is offline before attempting to enable the standby GSSM as the new primary GSSM. Having two primary GSSMs active at the same time may result in the inadvertent loss of configuration changes for your GSS network. If this dual primary GSSM configuration occurs, the two primary GSSMs revert to standby mode and you will need to reconfigure one of the GSSMs as the primary GSSM.
The standby GSSM is capable of temporarily taking over the role as the primary GSSM in the event that the primary GSSM is unavailable (for example, you need to move the primary GSSM or you want to take it offline for repair or maintenance). The switching of roles between the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online. The interim primary GSSM can be used to monitor GSS behavior and make configuration changes if necessary.
Once the original primary GSSM is available, reassign the two GSSMs to their original roles in the GSS network as described in Chapter 9, GSS Administration and Troubleshooting, the Logically Removing a GSS or Standby GSSM from the Network section.
Cisco Global Site Selector Configuration Guide OL-4327-01
DNS Rules
The GSS uses DNS rules, as configured by the administrator through the primary GSSM GUI, to:
Provide you with centralized command and control of how the GSS globally load balances a given hosted domain
Define the IP address(es) to send to the client's name server (D-proxy)
Define the recovery method to use (using up to three load balance clauses)
DNS rules determine how the GSS responds to each query it receives by matching requests received from a known source, or D-proxy, to the most suitable member of a collection of name servers or virtual IP addresses (VIPs). Each DNS rule takes into account four variables:
The source IP address of the requesting D-proxy
The requested hosted domain
An answer group, which is a group of resources considered for the response
A balance method, an algorithm for selecting the best server; a balance method together with an answer group makes up a clause
A DNS rule defines how a request is handled by the GSS by answering the following question: When traffic arrives from a DNS proxy, querying a specific domain name, what resources should be considered for the response, and how should they be balanced? Each GSS network supports a maximum of 4000 DNS rules. Up to three possible response answer group and balance method clauses are available for each DNS rule. Each clause specifies that a particular answer group serve the request and a specific balance method be used to select the best resource from that answer group. These clauses are evaluated in order, with parameters established to determine when one clause should be skipped in the event that the first answer group and balance method specified does not yield an answer, and the next clause is used.
Domain lists are groups of hosted domains that have been delegated to the GSS. Each GSS can support a maximum of 2000 hosted domains and 2000 hosted domain lists, with a maximum of 500 hosted domains supported for each domain list. Using the DNS rules feature of the primary GSSM graphical user interface, requests for any member of a domain list are matched to an answer (a resource hosting the content being requested) using one of a number of balance methods. Refer to Chapter 5, Configuring Domain Lists, for more information on configuring domain lists.
Using DNS rules, the GSS matches source addresses to domains hosted by the GSS using one of a number of different balance methods. Source addresses are taken from the D-proxy (the local name server) to which a requesting client issued a recursive request. The D-proxy iterates the client queries to multiple name servers, eventually querying the GSS, which matches the D-proxy address against its list of configured source addresses. DNS queries received by the GSS do not have to match a specific D-proxy in order to be routed; default routing can be performed on requests that do not emanate from a known source address. A fail safe Anywhere source address list is provided by default. Incoming queries that do not match your configured source address lists are matched to this list. In addition to specific IP addresses, source addresses can also be set up to represent address blocks using variable-prefix-length classless interdomain routing (CIDR) block masking. For example, the following would all be acceptable GSS source addresses:
192.168.1.110
192.168.1.110/32
192.168.1.0/24
192.168.0.0/16
Source addresses are grouped into lists, referred to as source address lists, for the purposes of routing requests. Source address lists can contain between 1 and 30 source addresses, or unique address blocks. Each GSS supports up to 60 source address lists.
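The matching described in the DNS Rules and source address sections can be modeled in a few lines. The following is an added illustration, not Cisco's GSS code: the class and function names, the www.example.com domain, the 203.0.113.x VIPs, the first-online stand-in for a balance method, and the order in which rules are consulted are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Stand-in for the default "Anywhere" source address list.
ANYWHERE = ["0.0.0.0/0"]


def normalize(name):
    """Compare hosted domains case-insensitively, ignoring a trailing dot."""
    return name.rstrip(".").lower()


@dataclass
class Answer:
    name: str
    vip: str
    online: bool = True  # last keepalive verdict for this answer


@dataclass
class Clause:
    answer_group: list  # Answer objects in configured order

    def pick(self):
        # Stand-in balance method: first answer whose keepalive is passing.
        for answer in self.answer_group:
            if answer.online:
                return answer
        return None  # no viable answer, so the next clause is tried


class DnsRule:
    def __init__(self, name, source_list, domains, clauses):
        if not 1 <= len(source_list) <= 30:
            raise ValueError("a source address list holds 1 to 30 entries")
        if not 1 <= len(clauses) <= 3:
            raise ValueError("a DNS rule carries one to three clauses")
        self.name = name
        self.is_anywhere = list(source_list) == ANYWHERE
        # ip_network() reads a bare address as a /32 and raises ValueError
        # for a block with host bits set (for example 192.168.1.110/24).
        self.networks = [ipaddress.ip_network(s) for s in source_list]
        self.domains = {normalize(d) for d in domains}
        self.clauses = clauses

    def matches(self, dproxy_ip, qname):
        addr = ipaddress.ip_address(dproxy_ip)
        return (normalize(qname) in self.domains
                and any(addr in net for net in self.networks))


def resolve(rules, dproxy_ip, qname):
    """Return (rule name, VIP); an element is None when nothing applies."""
    # Assumption: rules with a configured source list are consulted before
    # rules that use Anywhere, which only catch otherwise unmatched D-proxies.
    specific = [r for r in rules if not r.is_anywhere]
    fallback = [r for r in rules if r.is_anywhere]
    for rule in specific + fallback:
        if not rule.matches(dproxy_ip, qname):
            continue
        for clause in rule.clauses:
            answer = clause.pick()
            if answer is not None:
                return rule.name, answer.vip
        return rule.name, None  # rule matched, every clause came up empty
    return None, None


def sample_rules():
    """Constructed configuration: three data centers, two rules."""
    dc1 = Answer("dc1-slb", "203.0.113.10")
    dc2 = Answer("dc2-slb", "203.0.113.20")
    dc3 = Answer("dc3-slb", "203.0.113.30")
    rules = [
        DnsRule("default-www", ANYWHERE, ["www.example.com"], [Clause([dc3])]),
        DnsRule("branch-www", ["192.168.1.110", "192.168.0.0/16"],
                ["www.example.com"], [Clause([dc1]), Clause([dc2, dc3])]),
    ]
    return rules, {"dc1": dc1, "dc2": dc2, "dc3": dc3}


if __name__ == "__main__":
    rules, answers = sample_rules()
    print(resolve(rules, "192.168.1.110", "www.example.com"))
    answers["dc1"].online = False  # keepalive failure at Data Center 1
    print(resolve(rules, "192.168.1.110", "www.example.com"))
    print(resolve(rules, "10.9.9.9", "www.example.com"))
```

Because the decision keys on the D-proxy address rather than the end client, every client behind one recursive resolver receives the answer chosen for that resolver.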
VIP: Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, a Web server, a cache, or other geographically dispersed SLBs in a global network deployment.
Name Server: Configured DNS name server on your network that can answer queries that the GSS cannot resolve.
CRA: Content routing agents that use a resolution process called DNS race to send identical and simultaneous responses back to a user's D-proxy.
As with domains and source addresses, answers are configured using the primary GSSM GUI by identifying the IP address to which queries can be directed. Once created, answers are grouped together as resource pools called answer groups, from which the GSS, using up to three possible response answer group and balance method clauses in a DNS rule, can choose the most appropriate resource to serve each user request. Each balance method provides a different algorithm for selecting one answer from a configured answer group. Each clause specifies that a particular answer group serve the request and a specific balance method be used to select the best resource from that answer group. Depending on the type of answer, further intelligence can be applied to DNS queries to choose the best host. For example, a request that is routed to a VIP associated with a Cisco CSS is routed to the best resource based on load and availability, as determined by the CSS. A request that is routed to a CRA is routed to the best resource based on proximity, as determined in a DNS race conducted by the GSS.
VIP Answers
VIP answers are used by SLBs to represent content hosted on one or more servers under their control. The use of VIP answers allows for traffic to be balanced among multiple origin servers, application servers, or transaction servers in a way that results in faster response times for users and less network congestion for the host. When queried by a client's D-proxy for a domain associated with a VIP answer type, the GSS responds with the VIP address of the SLB best suited to handle that request. The requesting client then contacts the SLB, which load balances the request to the server best suited to respond.
The requested content is unknown to the GSS.
The resources that typically handle such requests are unavailable.
To use DNS server features that are not supported by the GSS, such as mail exchanger (type MX) records.
To use a third-party content provider for failover and error recovery.
To build a tiered DNS system.
CRA Answers
The CRA (content routing agent) answer relies on content routing agents and the GSS to choose a suitable answer for a given query based on the proximity of two or more possible hosts to the requesting D-proxy. With the CRA answer, requests received from a particular D-proxy are served by the content server that responds first to the request. Response time is measured using a DNS race, coordinated by the GSS and content routing agents running on each content server. In the DNS race, multiple hosts respond simultaneously to an A-record request. The server with the fastest response time (the shortest network delay between itself and the client's D-proxy) is chosen to serve the content. For the GSS to initiate a DNS race it needs two pieces of information:
The delay between the GSS and each of the CRAs in each data center. With this data the GSS computes how much time to delay the race from each data center so each CRA starts the race simultaneously.
The online status of the CRA through the use of keepalives.
The boomerang balance method uses the DNS race to determine the best site. See the Boomerang (DNS Race) section for more information on this balance method.
Keepalives
In addition to specifying a resource, each answer also provides you with the option of specifying a keepalive for that resource, a method by which the GSS can periodically check to see if the resource is still active. A keepalive is a specific interaction (handshake) between the GSS and another device using a commonly supported protocol. A keepalive is designed to test if a specific protocol on the device is functioning properly. If the handshake is successful, then the device is available, active, and able to receive traffic. If the handshake fails, then the device is considered to be unavailable and inactive. All answers are validated by configured keepalives and are not returned by the GSS to the D-proxy if the keepalive indicates that the answer is not viable. The GSS uses keepalives to collect and track information on everything from the simple online status of VIPs to services and applications running on a server. Depending on the type of resource that you are configuring as a GSS answer (for example, a VIP address associated with a Cisco CSS or a virtual server IP address associated with a CSM), you have the option of configuring a keepalive for that answer that is used to monitor its online status continually and report that information to the GSSM. Routing decisions involving that answer consider that online status information. The GSS also supports the use of shared keepalives to minimize traffic between the GSS and the SLBs that it is monitoring. A shared keepalive identifies a common address or resource that can provide status for multiple answers. Shared keepalives are not used with name server or CRA answers. The sections that follow explain the various keepalive types supported by the GSS:
ICMP
TCP
HTTP-HEAD
KAL-AP
CRA
Name Server
None
Adjusting Failure Detection Time for Keepalives
ICMP
An ICMP keepalive is used when the GSS answer that you are testing is a VIP address, IP address, or a virtual server IP address. The Internet Control Message Protocol (ICMP) keepalive type monitors the health of resources by issuing queries containing ICMP packets to the configured VIP address (or a shared keepalive address) for the answer. Online status is determined by a response from the targeted address, indicating simple connectivity to the network. The GSS supports up to 500 ICMP keepalives when using the standard detection method and up to 100 ICMP keepalives when using the fast detection method. See the Adjusting Failure Detection Time for Keepalives section for details.
TCP
A TCP keepalive is used when the GSS answer that you are testing is a GSLB device that may be something other than a CSS or CSM. These GSLB remote devices could include webservers, LocalDirectors, WAP gateways, and other devices that can be checked using a TCP keepalive. The TCP keepalive initiates a TCP connection to the remote device by performing the three-way handshake sequence. Once the TCP connection is established, the GSS terminates the connection. You can choose to terminate the connection from two termination methods: Reset (immediate termination using a hard reset) or Graceful (standard three-way handshake termination). The GSS supports up to 500 TCP keepalives when using the standard detection method and up to 100 TCP keepalives when using the fast detection method. Refer to the Adjusting Failure Detection Time for Keepalives section for details.
HTTP-HEAD
An HTTP HEAD keepalive is used when the GSS answer that you are testing is an HTTP web server acting as a standalone device or managed by an SLB device such as a Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, or Cisco LocalDirector. The HTTP-HEAD keepalive type sends a TCP formatted HTTP HEAD request to a web server at an address that you specify, returning the online status of the device in the form of an HTTP Response Status Code of 200 (for example, HTTP/1.0 200 OK).
Once the HTTP HEAD connection is established, the GSS terminates the connection. You can choose to terminate the connection from two termination methods: Reset (immediate termination using a hard reset) or Graceful (standard three-way handshake termination). The GSS supports up to 500 HTTP HEAD keepalives when using the standard detection method and up to 100 HTTP HEAD keepalives when using the fast detection method. Refer to the Adjusting Failure Detection Time for Keepalives section for details.
KAL-AP
A KAL-AP (KeepAlive-Appliance Protocol) keepalive is used when the GSS answer that you are testing is a VIP associated with a Cisco CSS or a Cisco CSM. The KAL-AP keepalive type sends a detailed query to both a primary (master) and an optional secondary (backup) circuit address that you specify, returning the online status of each interface as well as information on load. Depending on your GSS network configuration, the KAL-AP keepalive can be used to either query a VIP address directly (KAL-AP By VIP) or query an address by way of an alphanumeric tag (KAL-AP By Tag). Using a KAL-AP By Tag keepalive query can be particularly useful in the following cases:
You are attempting to determine the online status of a device that is located behind a firewall that is performing Network Address Translation (NAT).
There are multiple content rule choices on the SLB.
The GSS supports up to 128 primary and 128 secondary KAL-AP keepalives when using the standard detection method and up to 40 primary and 40 secondary KAL-AP keepalives when using the fast detection method. See the Adjusting Failure Detection Time for Keepalives section for details.
CRA
The CRA keepalive is used when you are testing a CRA answer that responds to DNS race requests. The CRA keepalive type tracks the time required (in milliseconds) for a packet of information to reach the CRA and return to the GSS. The GSS supports up to 200 CRA keepalives.
Name Server
The name server keepalive sends a query to the IP address of the name server for a query domain that you specify (for example, www.cisco.com). Online status for the name server answer is determined by the ability of the name server or D-proxy for the query domain to respond to the query and assign the domain to an address. The GSS supports up to 100 name server keepalives.
None
With the keepalive set to None, the GSS assumes that the named answer is always online. Setting the keepalive type to None prevents your GSS from taking online status or load into account when routing. However, a keepalive of None can be useful under certain conditions, such as when adding devices to your GSS network that are not suited to other keepalive types. In general, ICMP is a simple and flexible keepalive type that works with most devices. Using ICMP is preferable to using the None option.
Response Timeout - The length of time allowed before the GSS retransmits data to a device that is not responding to a request. The valid entries are 20 to 60 seconds. The default is 20 seconds.
Minimum Interval - The minimum frequency with which the GSS attempts to schedule a keepalive. The valid entries are 40 to 255 seconds. The default is 40 seconds.
With fast mode, the GSS controls the failure detection time through use of the following keepalive transmission interval formula:
(# Ack'd Packets * (Response TO + (Retry TO * # of Retries))) + Timed Wait
where:
# Ack'd Packets = Number of packets that require some form of acknowledgement (how many packets require acknowledgement)
Response TO = Response Timeout (how long to wait for a reply for a packet that requires acknowledgement)
Retry TO = Retry Timeout (how long to wait for a reply for a retransmitted packet)
# of Retries = Number of Retries (how many times the GSS retransmits packets to a potentially failed device before declaring the device offline)
Timed Wait = Time for remote side of the connection to close (TCP-based keepalive only)
Table 1-1 summarizes how the GSS software calculates the fast keepalive transmission rates.
Table 1-1 Keepalive Transmission Rates
Keepalive Type        # Ack'd Packets (Fixed Value)
KAL-AP                1
ICMP                  1
TCP (RST)             1
TCP (FIN)             2
HTTP HEAD (RST)       2
HTTP HEAD (FIN)       3
Transmission Interval
In the case of a TCP (RST) connection, the default transmission interval for a TCP keepalive would be:
(1 * (2 + (2 * 1))) + 0 = 4 seconds
You can adjust the number of retries for the ICMP, TCP, HTTP HEAD, and KAL-AP keepalive types. The number of retries defines how many times the GSS retransmits packets to a potentially failed device before declaring the device offline. The range is 1 to 10 retries. The default is 1. As you adjust the number of retries, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect.
The number of retries value is associated with every packet that requires some form of acknowledgement before continuing with a keepalive cycle (ICMP requests, TCP SYN, or TCP FIN). For example, to fully complete a TCP-based keepalive cycle, the TCP-based keepalive retries the SYN packet for the specified number of retries, and then retries the FIN packet for the specified number of retries.
In the above example of a TCP (RST) connection, if you change the number of retries from the default value of 1 to a setting of 5 the transmission interval would be:
(1 * (2 + (2 * 5))) + 0 = 12 seconds
Figure 1-4 illustrates the effect on the keepalive transmission interval as you increase the number of retries value.
Figure 1-4 [plot; horizontal axis: Number of Retries]
You can also define the number of consecutive successful keepalive attempts (probes) that must occur before the GSS identifies that an offline answer is now online. The GSS monitors each keepalive attempt to determine whether it has been successful. The number of successful probes parameter identifies how many consecutive successful keepalive attempts must be recognized by the GSS before bringing an answer back online and reintroducing it back into the GSS network.
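The fast-mode interval formula and the successful-probes rule interact: the first sets how quickly a failed answer is withdrawn, the second how cautiously it is returned to service. The sketch below is an added illustration, not GSS software. The function and class names are hypothetical, the 2-second Response TO and Retry TO come from the TCP (RST) example above, and a Timed Wait of 0 for the other keepalive types and the successful-probes value of 3 are assumptions.

```python
# Packets that need acknowledgement per keepalive type, from Table 1-1.
ACKED_PACKETS = {
    "KAL-AP": 1, "ICMP": 1, "TCP (RST)": 1,
    "TCP (FIN)": 2, "HTTP HEAD (RST)": 2, "HTTP HEAD (FIN)": 3,
}


def fast_interval(kal_type, retries=1, response_to=2, retry_to=2, timed_wait=0):
    """(Ack'd Packets * (Response TO + (Retry TO * Retries))) + Timed Wait.

    The 2-second timeouts are the values in the guide's TCP (RST) example;
    timed_wait=0 is an assumption for every other keepalive type.
    """
    if not 1 <= retries <= 10:
        raise ValueError("number of retries must be 1 to 10")
    return ACKED_PACKETS[kal_type] * (response_to + retry_to * retries) + timed_wait


def retry_curve(kal_type):
    """Interval in seconds for each permitted retry count, 1 through 10."""
    return [fast_interval(kal_type, r) for r in range(1, 11)]


class AnswerState:
    """Online/offline view of one answer, driven by keepalive cycle results."""

    def __init__(self, successful_probes):
        if successful_probes < 1:
            raise ValueError("at least one successful probe is required")
        self.required = successful_probes
        self.online = True
        self.streak = 0  # consecutive successes seen while offline

    def record(self, cycle_ok):
        # cycle_ok is False only after the configured retries are exhausted.
        if not cycle_ok:
            self.online = False
            self.streak = 0
        elif not self.online:
            self.streak += 1
            if self.streak >= self.required:
                self.online = True
                self.streak = 0
        return self.online


def replay(outcomes, successful_probes):
    """Feed a sequence of cycle results and return the state after each."""
    state = AnswerState(successful_probes)
    return [state.record(ok) for ok in outcomes]


if __name__ == "__main__":
    print("TCP (RST), default retries:", fast_interval("TCP (RST)"), "seconds")
    print("TCP (RST), 5 retries:", fast_interval("TCP (RST)", retries=5), "seconds")
    print("TCP (RST) curve:", retry_curve("TCP (RST)"))
    # Constructed sequence: a flapping answer stays offline until it has
    # passed three keepalive cycles in a row.
    flapping = [True, False, True, True, False, True, True, True]
    print(replay(flapping, successful_probes=3))
```

A higher successful-probes value keeps a flapping answer out of DNS responses for longer, at the cost of slower recovery once the resource is stable again.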
Balance Methods
The GSS supports six unique balance methods that allow you to specify how a GSS answer should be selected to respond to a given DNS query. Each balance method provides a different algorithm for selecting one answer from a configured answer group. The sections that follow explain the various balance methods supported by the GSS:
Ordered List
Round-Robin
Weighted Round-Robin
Least Loaded
Hash (based on source address or hosted domain)
Boomerang (DNS race)
Ordered List
Using the ordered list balance method, each resource within an answer group (for example, an SLB VIP or a name server) is assigned a number that corresponds to the rank of that answer within the group. The number you assign represents the order of the answer on the list. Subsequent VIPs or name servers on the list will only be used in the event that preceding VIPs or name servers on the list are unavailable. The GSS supports gaps in numbering in an ordered list.
Note: For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
Using the ranking of each answer, the GSS tries each resource in the order that has been prescribed, selecting the first available (live) answer to serve a user request. List members are given precedence and tried in order, and a member is not used unless all previous members fail to provide a suitable result. The ordered list method is typically useful in managing resources across multiple content sites in which a deterministic method for selecting answers is required.
See the Balance Method Options for Answer Groups section for information on how the GSS determines which answer to select when using the ordered list balance method.
Round-Robin
Using the round-robin balance method, each resource within an answer group is tried in turn, with the GSS cycling through the list of answers, selecting the next answer in line for each request. In this way, the GSS can resolve requests by evenly distributing the load among possible answers. The round-robin balance method is useful when balancing requests among multiple, active data centers that are hosting identical content; for example between SLBs at a primary and at an active standby site that serves requests. See the Balance Method Options for Answer Groups section for information on how the GSS determines which answer to select when using the round-robin balance method.
Weighted Round-Robin
As with the round-robin balance method, the weighted round-robin method cycles through a list of defined answers, choosing each available answer in turn. However, with weighted round-robin, an additional weight factor is assigned to each answer, biasing the GSS toward certain servers, so that they are used more often. See the Balance Method Options for Answer Groups section for information on how the GSS determines which answer to select when using the weighted round-robin balance method.
Least Loaded
Using the least loaded balance method, the GSS resolves requests to the least loaded of all resources, as reported by the KAL-AP keepalive process, which provides the GSS with detailed information on the SLB load and availability. The least loaded balance method resolves the request by determining the least number of connections on a CSM or the least-loaded CSS.
See the Balance Method Options for Answer Groups section for information on how the GSS determines which answer to select when using the least loaded balance method.
Hash
Using the source address and domain hash balance method, elements of the client's DNS proxy IP address and the requesting client's domain are extracted and used to create a unique value, referred to as a hash value. The unique hash value is attached to and used to identify a VIP that is chosen to serve the DNS query. The use of hash values makes it possible to stick traffic from a particular requesting client to a specific VIP, ensuring that future requests from that client are routed to the same VIP. This type of continuity can be used to facilitate features such as online shopping baskets in which client-specific data is expected to persist even when client connectivity to a site is terminated or interrupted. The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group.
By Source Address: The GSS selects the answer based on a hash value created from the source address of the request.
By Domain Name: The GSS selects the answer based on a hash value created from the requested domain name.
For the GSS to initiate a DNS race, it needs to establish two pieces of information for each CRA:
The delay between the GSS and each of the CRAs in each data center. With this data, the GSS computes how long to delay the race from each data center, so that each CRA starts the race simultaneously.
The online status of the CRAs. With this data, the GSS knows not to forward requests to any CRA that is not responding.
The Boomerang server on the GSS gathers this information by sending keepalive messages at predetermined intervals. This data, along with the IP addresses of the CRAs, is used to request the exact start time of the DNS race. Finally, for the CRA response to be accepted by the D-proxy, each CRA must spoof the IP address of the GSS to which the DNS request was sent when responding.
Table 1-2
Balance Methods Used Hash Least loaded Ordered list Round-robin Weighted round-robin
Name server
Order Weight
CRA
None
The following sections explain each of the balance method options available for an answer in an answer group.
Order
The order option is used when the balance method for the answer group is Ordered List. Answers on the list are given precedence based upon their position in the list in responding to requests.
Weight
The weight option is used when the balance method for the answer group is weighted round-robin or least loaded. Weights are specified by a number between 1 and 10 and indicate the capacity of the answer to respond to requests. The weight is used to create a ratio that the GSS uses when directing requests to each answer. For example, if Answer A has a weight of 10 and Answer B has a weight of 1, Answer A receives 10 requests for every 1 directed to Answer B.
When used with the weighted round-robin balance method, the number listed is used by the GSS to create a ratio of the number of times the answer is used to respond before the next answer on the list is tried. When used with the least-loaded balance method, the number listed is used by the GSS as the divisor in calculating the load number associated with the answer, which is used to create a bias in favor of answers with greater capacity.
Load Threshold
The load threshold is used when the answer type is VIP and the keepalive method is KAL-AP to determine whether an answer is available, regardless of the balance method used. The load threshold specifies a number between 2 and 254 that is compared to the load being reported by the answer device. If the answer's load is greater than the specified threshold, the answer is considered offline and unavailable to serve further requests. The load threshold value can also be used in conjunction with the weight assigned to an answer, with the weight acting as a divisor for the load threshold in calculating capacity. When there are multiple answers to choose from, the GSS software compares the load threshold to the load reported by the answer device to determine if the answer is available, and then selects the answer.
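How the Order, Weight and Load Threshold options shape the choice within one answer group is easier to see in a small model. This is an added illustration, not the GSS implementation: the names, the sample loads, and the default threshold of 254 are assumptions, and the weighted round-robin follows the description above of serving an answer "weight" times before moving to the next.

```python
from dataclasses import dataclass


@dataclass
class Answer:
    name: str
    order: int = 0             # Order option (ordered list)
    weight: int = 1            # Weight option, 1 to 10
    load: int = 0              # load reported by the device through KAL-AP
    load_threshold: int = 254  # Load Threshold option, 2 to 254 (default assumed)
    online: bool = True        # keepalive verdict

    def __post_init__(self):
        if not 1 <= self.weight <= 10:
            raise ValueError("weight must be 1 to 10")
        if not 2 <= self.load_threshold <= 254:
            raise ValueError("load threshold must be 2 to 254")

    @property
    def available(self):
        # A reported load above the threshold takes the answer out of service.
        return self.online and self.load <= self.load_threshold


def ordered_list(group):
    live = [a for a in group if a.available]
    # min() keeps the first answer when two share an order number.
    return min(live, key=lambda a: a.order) if live else None


def least_loaded(group):
    live = [a for a in group if a.available]
    # Weight is the divisor, biasing selection toward larger sites.
    return min(live, key=lambda a: a.load / a.weight) if live else None


class WeightedRoundRobin:
    def __init__(self, group):
        self.group = group
        self.index = 0  # answer whose turn it is
        self.used = 0   # responses served in the current turn

    def pick(self):
        # len + 1 steps are enough to leave a finished turn, skip every
        # unavailable answer, and come back round to the same answer.
        for _ in range(len(self.group) + 1):
            answer = self.group[self.index]
            if answer.available and self.used < answer.weight:
                self.used += 1
                return answer
            self.index = (self.index + 1) % len(self.group)
            self.used = 0
        return None  # nothing in the group is available


def sample_group():
    """Constructed answer group: one large site and two small ones."""
    return [
        Answer("dc1-vip", order=10, weight=10, load=120, load_threshold=200),
        Answer("dc2-vip", order=20, weight=1, load=30, load_threshold=200),
        Answer("dc3-vip", order=20, weight=1, load=90, load_threshold=200),
    ]


if __name__ == "__main__":
    group = sample_group()
    print("ordered list :", ordered_list(group).name)
    print("least loaded :", least_loaded(group).name)  # 120/10 beats 30/1
    wrr = WeightedRoundRobin(group)
    print("weighted RR  :", [wrr.pick().name for _ in range(12)])
    group[0].load = 201  # dc1 now reports a load above its threshold
    print("after overload, least loaded:", least_loaded(group).name)
```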
Locations: Logical groupings for GSS resources that correspond to geographical areas such as a city, data center, or content site
Regions: Higher-level geographical groupings that contain one or more locations
In addition to allowing you to easily sort and navigate long lists of answers and DNS rules, the use of logical groupings such as locations and regions makes it easier to perform bulk administration of GSS resources. For example, in the primary GSSM, you can suspend or activate all answers linked to a particular GSS data center, shutting down a site for scheduled maintenance and then bringing it back online with only a few mouse clicks.
Owners
Owners serve a purpose similar to that of locations and regions in the GSS, providing a simple way to organize and identify groups of related GSS resources. However, whereas regions and locations are used to make geographical sense of your GSS network, owners are used to group resources according to other organizational schemes. For example, a service provider using the GSS to manage multiple hosting sites might create an owner for each web or application hosting customer. With this organizational scheme, domain lists containing that customer's hosted content, as well as DNS rules, answer groups, and source address lists that specify how traffic to those domains should be processed, can all be associated with and managed through the owner. Deployed on a corporate intranet, owners can be used to segregate GSS resources on a department-by-department basis, or to allocate specific resources to IT personnel. For example, you could create an owner for the finance, human resources, and sales departments so that resources corresponding to each can be viewed and managed together.
- Locating GSS Devices
- Locating GSS Devices Behind Firewalls
- Communication Between GSS Nodes
- Deployment Within Data Centers
Options are available for delegating responsibility for your domain to your GSS devices, depending on traffic patterns to and from your domain. For example, given a network containing five GSS devices, you might choose to modify your parent domain DNS servers so that all traffic sent to your domain is directed to each of your GSS devices. Or you might choose to have a subset of your traffic delegated to one or more of your GSSs, with other devices handling other segments of your traffic. Refer to Chapter 8, Building and Modifying DNS Rules, the Delegation to GSS Devices section, for information on modifying your network's DNS configuration to accommodate the addition of GSSs to your network.
- Initial configuration of GSS and GSSM (primary and standby) devices
- Software upgrades and downgrades on GSSs and GSSMs
- Database and configuration backups, and database restore operations
In addition, the CLI is used for network configuration of your GSS devices, including:
- Network address and host name configuration
- Network interface configuration
- Access control for your GSS devices, including IP filtering and traffic segmentation
The CLI can also be used for status monitoring and logging for each GSS device. Refer to the Cisco Global Site Selector Command Reference for an alphabetical list of all GSS Command Line Interface (CLI) commands including syntax, options, and related commands. This document also describes how to use the CLI interface.
- Configuring DNS request handling and global server load balancing through the creation of DNS rules and monitoring of keepalives
- Monitoring GSS network resources
- Monitoring request routing and GSS statistics
See the Understanding the Primary GSSM Graphical User Interface section for background details about the GUI.
Introducing the Global Site Selector Understanding the Primary GSSM Graphical User Interface
Figure 1-5
This section describes the organization and structure of the primary GSSM GUI and includes:
- Graphical User Interface Organization
- List Pages
- Details Pages
- Navigation
- Primary GSSM GUI Icons and Symbols
- Primary GSSM GUI Online Help
Review this information before using the primary GSSM to define global load balancing for your GSS network.
- DNS Rules Tab: Contains pages for creating and modifying DNS rules, including the creation of source address lists, (hosted) domain lists, answers, answer groups, and shared keepalives.
- Resources Tab: Contains pages for creating and modifying GSS network resources such as GSSs, locations, regions, and owners. You can also modify global keepalive properties from the Resources tab.
- Monitoring Tab: Contains pages for monitoring the performance of content routing on your GSS network, such as displays of hit counts organized by source address, domain, answer method, or DNS rule.
- Tools Tab: Contains pages for performing the administrative functions for the GSS network, such as creating login accounts, managing account passwords, and viewing system logs.
Within each of these major functional areas, you access specific pages by choosing them from navigation links in the upper left-hand corner of the primary GSSM GUI. The navigation link varies according to the selected tab. Navigation links are present on all GUI pages. Once you have selected a page, information on your GSS related to that feature is further organized into two areas: list pages and details pages, which are described in the sections that follow.
List Pages
List pages appear throughout the primary GSSM GUI to provide you with a feature-specific overview. For example, clicking the Answers tab (located on the DNS Rules tab) displays the Answers list page showing all of the answers currently configured on the listed GSS network. List pages present data in tabular format, providing a detailed look at resources available on your GSS network. List pages are also the location from which new resources (for example, DNS rules or answer groups) are added to the GSS network or existing resources modified.
List pages enable you to sort resources by any one of a number of properties that are listed on the screen, quickly locating a particular resource by an identifying characteristic such as name, owner, or type. You can sort information in ascending or descending order by any column. To sort the information in a list page, click the column header for the column containing the information by which you wish to sort the list. The GSS software temporarily retains information that you modify for a list page, allowing you to navigate to any of the details pages associated with the active list page while retaining the list page settings. The sort field, sort order, and rows per page are temporarily stored in memory for the active list page. Once you navigate to another list page the GSS software discards the modifications for the previous list page. Figure 1-6 shows an example of a primary GSSM Answers list page.
Figure 1-6 Answers List Page
Details Pages
Details pages appear throughout the primary GSSM GUI to provide specific configuration information for a specific GSS function, enabling you to create or to modify those properties. For example, in Figure 1-6, clicking the Answers navigation link displays the Answers list page. Adjacent to each answer is an icon depicting a pad and pencil, called the Modify icon. Clicking the Modify icon displays the details page for that answer (Figure 1-7), allowing you to modify the properties of an answer or delete the answer.
Figure 1-7 Modifying Answer Details Page
Navigation
Although the primary GSSM graphical user interface is viewed as a series of web pages using a standard browser, navigating among pages is not the same as moving around different websites, or even within a single site. Instead, you navigate from one content area of the primary GSSM GUI to another using the tabs for each of the major functional areas: DNS Rules, Resources, Monitoring, and Tools. Online Help is located as a navigation link at the top of each page. Once within a major content area, you access a particular feature or move between features using the navigation links. Choosing a feature from the navigation links immediately transfers you to that page in the graphical user interface. To move back from a details page to the corresponding list page, click another navigation link, or click either the Submit or Cancel buttons from the details page. For example, to return to the Global Site Selectors list page after viewing the details for one of your GSSs, click a different navigation link (or click the Cancel button). If you made configuration changes to a GSS that you wish to retain, click the Submit button. Any of these actions returns you to the Global Site Selectors list page.
Note
Do not use your web browser Back or Forward buttons to move between pages in the primary GSSM GUI. Clicking Back cancels any unsaved changes in the primary GSSM.
Table 1-3
Icon or Symbol | Purpose | Location
Modify icon | Opens the associated item for editing in a details page, displaying configuration settings on the details page. | List pages
Sort icon | Indicates that the items listed in a list table are sorted in descending order according to the property listed in this column. | List pages
Create icon/Open DNS Rules Builder icon | Opens the associated details page to accept user input for configuration. | List pages
Print icon | When you view GSS resources or monitor GSS network activity, clicking Print allows you to print data displayed in the page using your local or network printer. | List pages and Detail pages
Export to CSV icon | When you view GSS resources or monitor GSS network activity, clicking Export allows you to save data displayed in the window to a comma-delimited flat file for use in other applications. | List pages
Refresh icon | When you view GSS resources or monitor GSS network activity, clicking Refresh forces the GSSM window to update its content. | List pages
Run Wizard icon | Opens the associated DNS rule for editing using the DNS Rules Wizard. | DNS Rules list page
Filter DNS Rule List icon | Provides filters that can be applied to your DNS rules, allowing you to view only those rules that have the properties you are interested in. | DNS Rules list page
Show All DNS Rules icon | Removes all filters, displaying a complete list of DNS rules for your GSS. | DNS Rules list page
* (Asterisk) | Required field. Indicates that a value is required in the adjacent field before the item can be successfully saved. | Details pages
Submit icon | Saves the configuration information. When editing specific GSS system or device configuration information, clicking Submit returns you to the associated list screen. | Detail pages
Cancel icon | Cancels any configuration changes that were entered. When editing specific GSS system and device configuration information, clicking Cancel returns you to the associated list screen. | Detail pages
Delete icon | When you view configuration information for GSS resources, clicking Delete allows you to delete the resource from the GSS network. Note: Deletions of any kind cannot be undone in the primary GSSM GUI. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details. | Detail pages
Next icon | Moves forward to the next page in the DNS Rules Wizard. Alternatively, use the links under the Wizard Contents table of contents to jump back and forth to any step in the wizard. | DNS Rules wizard
Back icon | Moves backwards to the previous page in the DNS Rules Wizard. Alternatively, use the links under the Wizard Contents table of contents to jump back and forth to any step in the wizard. | DNS Rules wizard
Finish icon | Saves changes to the DNS rule. You return to the DNS Rules list page. |
Activate Answer icon | Reactivates a single suspended answer, all suspended answers associated with an owner, or all suspended answers associated with a location. | Modifying Answer, Modifying Owner, and Modifying Location detail page
Suspend Answer icon | Temporarily stops the GSS from using a single answer, all answers in all groups for an owner, or all answers in a location. | Modifying Answer, Modifying Owner, and Modifying Location detail page
Activate DNS Rule icon | Reactivates a single suspended DNS Rule or all suspended DNS Rules associated with an Owner. | Modify DNS Rules and Modifying Owner detail pages
Suspend DNS Rules icon | Stop requests from being processed by a single DNS rule or all suspended DNS rules associated with an owner on your GSS. | Modify DNS Rules and Modifying Owner detail pages
Set Answers KAL ICMP icon | Disassociates all answers from a selected shared keepalive and sets the keepalive type of each of those answers to ICMP using the answer's own VIP. | Modifying Shared Keepalive details page
Set Answers KAL None icon | Disassociates all answers from a selected shared keepalive and sets the keepalive type of each of those answers to none, meaning that the GSS assumes they are always alive. | Modifying Shared Keepalive details page
The GSS Online Help system contains several navigational aids to assist you in finding the information you need quickly and easily. The navigation frame is contained in the left frame of each Help topic. The navigation frame contains the following three tabs:
- Contents: Displays all the topics in the GSSM Online Help system in a tiered format. Help topics are grouped into logical books by function. Books of Help topics may contain sub-books with additional topics. You can expand or collapse the contents to suit your needs. Note that the contents also automatically synchronizes with the Help topic you are currently viewing.
- Index: Displays a list of terms that allows you to look up topics based on keywords similar to the index at the back of a book. If only one topic is associated with the Index entry, that topic displays immediately when you double-click the entry. If more than one topic is associated with an Index entry, the Help system displays a Topics Found dialog box that allows you to select the topic you want to display from a list of topics.
- Search: Provides a full-text search tool that allows you to display a list of Help topics related to words you enter in the text box. You can then select a topic and click Display to view that topic.
Where to Go Next
Chapter 2, Setting Up Your GSS, describes the process of configuring the Global Site Selector Series hardware to act as a Global Site Selector Manager (GSSM) or Global Site Selector (GSS) device.
- Accessing the GSS CLI
- Performing Network Configuration of the GSS
- Creating and Modifying GSS Devices
- Global Server Load-Balancing Summary
For detailed instructions on command syntax and use of GSS CLI commands, refer to the Cisco Global Site Selector Command Reference.
- Accessing the CLI Using a Direct Serial Connection
- Enabling Remote Access on a GSS Device
- Accessing the CLI Using a Remote Connection
- Accessing the GSS CLI Using a Private and Public Key Pair
1. Launch HyperTerminal. The Connection Description window appears.
2. Enter a name for your session in the Name field.
3. Click OK. The Connect To window appears.
4. From the drop-down list, choose the COM port to which the device is connected.
5. Click OK. The Port Properties window appears.
6. Set the port properties as follows:
    Baud Rate = 9600
    Data Bits = 8
    Flow Control = none
    Parity = none
    Stop Bits = 1
7. 8.
Once a session is created, choose Save As from the File menu to save the connection description. Saving the connection description has the following two advantages:
- The next time you launch HyperTerminal, the session is listed as an option under Start > Programs > Accessories > HyperTerminal > Name_of_session. This option lets you reach the CLI prompt directly without going through the configuration steps.
- You can connect your cable to a different device without configuring a new HyperTerminal session. If you use this option, make sure that you connect to the same port on the new device as was configured in the saved HyperTerminal session. Otherwise, a blank screen appears without a prompt.
1. Enable privileged EXEC mode and then global configuration mode on the device. For example:
    localhost.localdomain> enable
    localhost.localdomain# config
    localhost.localdomain(config)#
2. From global configuration mode, use the enable command to activate the remote access protocol you need (SSH, Telnet, or FTP). For example, to enable SSH connections to the GSS device, you would enter the following command:
    localhost.localdomain(config)# ssh enable
3. Repeat step 2 for each required remote access protocol using the ftp command and the telnet command.
Note
To disable SSH, Telnet, or FTP, use the no form of the command.
4. Save your configuration changes to memory. For example:
    localhost.localdomain(config)# copy running-config startup-config
5.
Note
We recommend using SSH connections because SSH lets you communicate securely over insecure channels and provides strong authentication.

You must have physical access to the GSS device to set up remote access by Telnet or SSH connection. Refer to the Cisco Global Site Selector Hardware Installation Guide for instructions on connecting a console cable to your Cisco Global Site Selector series hardware.

To access the GSS CLI using your preferred SSH or Telnet client:
1. Enter the host name or IP address of the GSS device (Global Site Selector or Global Site Selector Manager).
2. Specify your GSS administrative username and password to log on to the GSS device.
Once you have logged on remotely, use the CLI commands described in this document and in the Cisco Global Site Selector Command Reference.
Accessing the GSS CLI Using a Private and Public Key Pair
The GSS supports remote login to the device over an SSH session using private and public key pairs for authentication. In this method of remote connection, you use a generated private/public key pair to participate in a secure communication by encrypting and decrypting messages. Use of a private and public key pair bypasses the normal username and password authentication process. This remote access method may be useful when running scripts that connect to the GSS automatically. You generate the private key and the corresponding public key as a key pair on a server separate from the GSS and then copy the public key to the GSS /home directory. To access the GSS CLI using a private and public key pair:
1. Generate the SSH private key and the corresponding SSH public key as a key pair on a server separate from the GSS. Refer to the documentation included with the SSH software for details on generating the private and public key pair.
2. Enable privileged EXEC mode. For example:
    localhost.localdomain> enable
3. Use the scp command to securely copy the generated public key from the server to the GSS /home directory. For example:
    localhost.localdomain# scp myusername@1myhost:~/mykey.pub .
    myusername@1myhost password:
    mykey.pub 100% |*****************************| 241 00:00
4. Use the type command to append the public key to the /home/.ssh/authorized_keys file. The /home/.ssh/authorized_keys file is a special file that the GSS software looks for when authenticating public/private keys. For example:
    localhost.localdomain# cd .ssh
    localhost.localdomain# type ../mykey.pub >> authorized_keys
5. Activate an SSH session from the remote host to the GSS using the private key. For example, on most Unix systems you would enter the following command line:
    ssh -i private.key gss.cisco.com
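Because any key appended to authorized_keys grants CLI access without a password, it is worth checking the two key files on the key server before the scp in step 3. The script below is an added example, not part of the Cisco guide or the GSS software. The function names, the accepted key-type list and the sample key are assumptions or constructed values; the file names mykey.pub and private.key follow the procedure.

```shell
#!/bin/sh
# Run on the key server, not on the GSS. Function names and KNOWN_TYPES are
# assumptions made for this example.

# Key types accepted by this check (assumed policy; adjust to what your GSS
# software release and SSH client support).
KNOWN_TYPES="ssh-rsa ssh-ed25519 ecdsa-sha2-nistp256"

# Print a constructed (not real) ssh-ed25519 public key line for testing.
# The blob is: uint32 length 11, "ssh-ed25519", uint32 length 32, 32 bytes.
sample_pubkey_line() {
    blob=$( { printf '\000\000\000\013ssh-ed25519\000\000\000\040'
              printf 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'; } | base64 | tr -d '\n' )
    printf 'ssh-ed25519 %s constructed-sample-key\n' "$blob"
}

# Return 0 only if FILE holds exactly one well-formed OpenSSH public key line.
# Non-zero codes: 1 missing, 2 private key material, 3 not exactly one line,
# 4 key type not in KNOWN_TYPES, 5 base64 blob invalid or not matching type.
pubkey_ok() {
    f=$1
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    # Copying the wrong half of the pair would expose the private key.
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "refusing $f: private key material" >&2; return 2
    fi
    # authorized_keys is line-oriented: one key per line.
    n=$(grep -c . "$f" || true)
    [ "$n" -eq 1 ] || { echo "$f: expected 1 key line, found $n" >&2; return 3; }
    read -r ktype blob _comment <<EOF
$(grep . "$f")
EOF
    case " $KNOWN_TYPES " in
        *" $ktype "*) ;;
        *) echo "$f: key type '$ktype' not accepted" >&2; return 4 ;;
    esac
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 ||
        { echo "$f: key blob is not valid base64" >&2; return 5; }
    # The decoded blob starts with a 4-byte length, then the key type again.
    # A mismatch means the line was truncated or edited by hand.
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null |
               dd bs=1 skip=4 count=${#ktype} 2>/dev/null)
    [ "$embedded" = "$ktype" ] ||
        { echo "$f: blob encodes a different key type" >&2; return 5; }
}

# Return 0 if the private key file grants nothing to group or other
# (for example mode 0600).
private_key_private() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "$1: accessible beyond its owner" >&2; return 2; }
}

# Both checks together, in the order the procedure uses the files.
preflight() {
    pubkey_ok "$1" && private_key_private "$2"
}

# Usage on the key server, before the scp in step 3:
#   preflight mykey.pub private.key && echo "ready to copy mykey.pub"
```

The blob check only confirms that the line is intact and of the declared type; it does not judge key strength.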
- Specify a hostname for the GSS device
- Configure Ethernet 0 and Ethernet 1
- Configure a default gateway
- Enter the IP addresses of the name servers (up to 8)
- Configure a remote access protocol (FTP, Telnet, or SSH) so you can administer the GSS device remotely in the future.
Depending on your network requirements for the GSS device, make your configuration of GSSM (primary and standby) and GSS based on the following information:
- Primary GSSM: The primary GSSM performs content routing as well as centralized management functions for the GSS network. The primary GSSM serves as the organizing point of the GSS network, hosting the embedded GSS database that contains configuration information for all your GSS resources, such as individual GSSs and DNS rules. Other GSS devices report their status to the primary GSSM. The primary GSSM offers a single, centralized GUI for monitoring and administering your entire GSS network.
- Standby GSSM: The standby GSSM performs GSLB functions for the GSS network even while operating in standby mode. In addition, the standby GSSM can be configured to act as the GSSM should the primary GSSM need to go offline for repair or maintenance, or become unavailable to communicate with other GSS devices. As with the primary GSSM, the standby GSSM is configured to run the GSSM GUI and contains a duplicate copy of the embedded GSS database that is currently installed on the primary GSSM. Any configuration or network changes affecting the GSS network are synchronized between the primary and the standby GSSM. The standby GSSM can be enabled as the primary GSSM using the gssm standby-to-primary CLI command.
Note
The switching of roles between the designated primary GSSM and the standby GSSM is intended to be a temporary GSS network configuration until the original primary GSSM is back online. Once the original primary GSSM is available, reassign the two GSSMs to their original roles in the GSS network as described in Chapter 9, GSS Administration and Troubleshooting, the Logically Removing a GSS or Standby GSSM from the Network section.

- GSS: The GSS performs routing of DNS queries based on DNS rules and conditions configured using the primary GSSM. Each GSS is known to and synchronized with the GSSM, but individual GSSs do not report their presence or status to one another. Each GSS on your network delegates authority to the GSSs that serve DNS requests. Each GSS is managed separately using the Cisco CLI. GUI support is not available on a GSS device.
A typical GSS deployment may contain up to eight GSS devices on a corporate intranet or the Internet. At least one GSS, and no more than two GSSs, must be configured as GSSMs. The primary GSSM monitors the other GSS devices on the network and offers features for managing and monitoring request routing services using a GUI accessible through secure HTTP. Only one primary GSSM can be active at any time, with the second GSSM serving as a standby, or backup device. Network configuration requires that you enter into privileged EXEC mode on the CLI, so your login must have adequate permissions to do so. After you enable your GSSM and GSS devices, use the primary GSSM to activate each device on your network. See the Creating and Modifying GSS Devices section for more information. This section includes the following procedures:
- Configuring the GSS Using the Setup Script
- Configuring the GSS from the CLI
- Configuring a Primary GSSM or Standby GSSM
- Configuring a Global Site Selector
- Logging Into the Primary GSSM Graphical User Interface
1. If you have not already done so, power on and boot the GSS (as described in the Cisco Global Site Selector Hardware Installation Guide).
2. At the Do you want to continue? (y/n) [no]: prompt, type y to continue (or press Enter to accept the default of No and bypass running the setup script). If you chose to bypass the setup script, you can either:
- Manually configure the GSS from the CLI as described in the Configuring the GSS from the CLI section.
- Use the setup CLI command at a later point in time to configure basic configuration information (as described in this procedure).
Note
The setup command cannot be executed while the GSS is running. You must issue the gss stop command before executing the setup command.
3. At the Hostname prompt, specify a qualified hostname for the GSS device. For example:
    Enter the Hostname of this device: gssm1.yourdomain.com
4. At the Interface eth0 and eth1 prompts, specify the IP address and subnet mask for each interface to be used on the GSS device. For example:
    * Interface eth1 (Inactive)
    Do you want to change this? (y/n) [n]: y
    Do you want to activate this interface? (y/n) [n]: y
    Enter the IP address: 192.168.1.3
    Enter the netmask: 255.255.255.0
Once you run the setup script, there are additional configuration parameters that you can specify for each Ethernet interface using the interface ethernet CLI command (such as the autosense, duplex, and speed options). Refer to the Cisco Global Site Selector Command Reference for detailed information on the interface ethernet command.
5. At the default gateway prompt, enter gateway information for the GSS device. For example:
    Do you want to configure a default gateway? (y/n) [y]:
    Enter the default gateway [10.86.208.1]: 10.89.12.100
6. At the Name Servers prompt, configure the domain name server or servers to be used by the GSS device. You can enter individual addresses or specify up to eight name servers in a list. Enter a dash ('-') at a blank entry to instruct the GSS to stop requesting name servers. For example:
    Enter the IP addresses for up to 8 Name Servers.
    Enter a dash ('-') at a blank entry to stop entering Name Servers.
    At least one Name Server is required for this setup script.
    Enter Name Server 1 [161.44.124.122]: 168.10.12.1
    Enter Name Server 2: 192.168.1.2
    Enter Name Server 3: -
7. At the Remote Access prompt, activate the remote access protocol required for the GSS device. For example:
    * Remote Access
    Do you want to enable FTP access? (y/n) [y]: n
    Do you want to enable Telnet access? (y/n) [n]: y
    Do you want to enable SSH access? (y/n) [y]: y
8. The setup script prompts you through a series of questions about configuring the device as a GSSM (primary or standby) or as a GSS. Perform one of the following actions:
If you want to configure the device as the primary GSSM: a. b.
At the
At the Do
(y/n) [y]:
At the Do At the Do
(y/n) [y]:
prompt type n.
the Hostname or IP address of the Primary GSSM
At the Enter
prompt specify the hostname or IP address of the primary GSSM for your network.
[192.168.3.4]: Cisco Global Site Selector Configuration Guide OL-4327-01
At the Do
prompt type n.
At the Enter
prompt specify the hostname or IP address of the primary GSSM for your network.
[192.168.3.4]:
9. When completed, the software prompts you to perform one of the following:
Apply as the Running ConfigurationApplies setup configuration
configuration changes. Once configuration setup is complete, the GSS software prompts you to log into the primary GSSM GUI and finish device setup (as described in the Logging Into the Primary GSSM Graphical User Interface section).
1. If you have not already done so, power on and boot the GSS (as described in the Cisco Global Site Selector Hardware Installation Guide).
2. Log on to the CLI, following the instructions in Accessing the GSS CLI. The GSS CLI prompt appears. By default, the hostname for GSS devices is localhost.localdomain. This name changes once you configure the hostname for the device.
3. Enable privileged EXEC mode and then global configuration mode on the device. For example:
    localhost.localdomain> enable
    localhost.localdomain# config
    localhost.localdomain(config)#
4. Configure a qualified hostname and default gateway information for the GSS device. For example:
    Host(config)# hostname gssm1.yourdomain.com
    gssm1.yourdomain.com(config)# ip default-gateway 10.89.12.100
5. From global configuration mode, enter interface configuration mode and configure the attributes of GSS interface Ethernet 0 or Ethernet 1. Each GSS device contains two Ethernet interfaces, 0 and 1. For example:
    gssm1.yourdomain.com(config)# interface ethernet 0
    gssm1.yourdomain.com(config-eth0)# speed 100
    gssm1.yourdomain.com(config-eth0)# duplex full
Refer to the Cisco Global Site Selector Command Reference for detailed information on the interface ethernet command.
Note
Interface commands cannot be executed while the GSS is running (for example, serving DNS requests). You must issue the gss stop command before executing the interface ethernet command.
6. Use the gss-communications command to configure a GSS Ethernet interface as the designated network interface for GSS device communications. For example:
    gssm1.yourdomain.com(config-eth0)# gss-communications
Note
Interface commands cannot be executed while the GSS is running (for example, serving DNS requests). You must issue the gss stop command before executing the gss-communications command.
7. Configure the IP address and subnet mask that are to be used by the interface. For example:
    gssm1.yourdomain.com(config-eth0)# ip address 10.89.3.24 255.255.255.0
    gssm1.yourdomain.com(config-eth0)# exit
    gssm1.yourdomain.com(config)#
8. Configure the domain name server or servers to be used by the GSS device. You can enter individual addresses or specify up to eight name servers using a comma-separated or space-separated list. For example:
    gss1.yourdomain.com(config)# ip name-server 128.10.12.1
    gss1.yourdomain.com(config)# ip name-server 128.100.12.1, 128.110.12.1
9. The next step is to configure the device as either a GSSM (primary or standby) or as a GSS:
- If configuring the device as a GSSM (primary or standby), proceed to the Configuring a Primary GSSM or Standby GSSM section.
- If configuring the device as a GSS, proceed to the Configuring a Global Site Selector section.
c. Ensure the GSS is properly configured (see either the Configuring the GSS Using the Setup Script section or the Configuring the GSS from the CLI section).
2.
network, use the gss enable gssm-primary command to enable your GSS device and make it the primary GSSM. For example:
gssm1.yourdomain.com# gss enable gssm-primary
Note
If a database already exists on this GSS device an error message appears. Use the gss disable command to disable the selected GSS device and remove any existing configuration, including deleting the GSSM database from the GSS device. This option returns the GSS device to the initial, disabled state.
If this GSSM is to be a standby (backup) GSSM for your GSS, use the gss enable gssm-standby command to place the GSSM in standby mode and associate it with the DNS name or IP address of the primary GSSM. The standby GSSM is intended to be a backup device to be used on a temporary basis until the primary GSSM can come back online. For example:
gssm1.yourdomain.com# gss enable gssm-standby 192.168.1.110
Note
You must have a primary GSSM configured and enabled before you can enable a standby GSSM.
3.
If you fail to save your configuration changes, the GSS device reverts to its previous settings upon a reboot.
For the primary GSSM, you can now access the GUI using your preferred web browser by pointing that browser to the URL of the primary GSSM. See the Logging Into the Primary GSSM Graphical User Interface section for details. After enabling the primary GSSM GUI, you can use it to activate each GSS device on your network. See the Creating and Modifying GSS Devices section. If, at a later point, you need to move the primary GSSM or you want to take it offline for repair or maintenance, the standby GSSM is capable of temporarily taking over the role as the primary GSSM until the original primary GSSM is back online. Once the original primary GSSM is available, reassign the two GSSMs to their original roles in the GSS network. Refer to Chapter 9, GSS Administration and Troubleshooting, the Logically Removing a GSS or Standby GSSM from the Network section.
c. Ensure the GSS is properly configured (see either the Configuring the GSS Using the Setup Script section or the Configuring the GSS from the CLI section).
d. Enable a remote access protocol on the GSS device (such as Telnet or
2. Exit global configuration mode and then use the gss command to enable your GSS device as a GSS and direct it to the primary GSSM in your GSS network. Specify either the domain name or the network address of the primary GSSM. For example:
    gss1.yourdomain.com(config)# exit
    gss1.yourdomain.com# gss enable gss gssm1.yourdomain.com
3.
If you fail to save your configuration changes, the device reverts to its previous settings upon a reboot.
4. Use the primary GSSM to activate each GSS device on your network. See the Creating and Modifying GSS Devices section.
When first logging on to the primary GSSM GUI, you can use the system default administrative account and password. After accessing the GUI, create and maintain additional user accounts and passwords using the user administration features of the primary GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for more information on creating user accounts.
Note
The user accounts and passwords that you create for the primary GSSM GUI are maintained separately from the usernames and passwords used to log on to your GSS devices using the CLI (using the username command). To log on to the primary GSSM GUI:
1. Open your preferred Internet web browser application, such as Internet Explorer or Netscape Navigator.
2. In the address field, enter the secure HTTP address of your GSSM. For example:
https://gssm1.yourdomain.com
Note
If you have trouble locating the primary GSSM DNS name, remember that the GSS network uses secure connections, so the address of the GSSM will feature https:// (secure HTTP) in the place of the more common http://.
3. If prompted to accept a certificate from the primary GSSM, click Yes to accept the certificate signed by Cisco Systems and proceed to the GUI.
If you are using Internet Explorer and want to install the certificate, at the Security Alert dialog box click View Certificate, and then choose the Install Certificate option and follow the prompts of the Certificate Manager Import Wizard.
If you are using Netscape and you want to install the certificate, at the New Site Certificate dialog box click Next and follow the prompts of the New Site Certificate Wizard.
Note
Take the extra steps to trust certificates from Cisco Systems, Inc., which prevents you from having to approve a certificate every time you log on to a GSSM. Refer to the online help for your browser for instructions on trusting certificates from a particular owner or website.
4. When prompted to log on to the primary GSSM, enter your username and password in the fields provided, then click OK. If this is your first time logging on to the GSSM, use the default account name and password to access the GUI as follows:
Username: admin
Password: default
5. The GSSM Welcome page appears (Figure 2-1). Refer to Chapter 1, Introducing the Global Site Selector, the Understanding the Primary GSSM Graphical User Interface section for information on navigating through the primary GSSM GUI.
Figure 2-1
Activating GSS Devices
Modifying GSS Device Configuration
Deleting GSS Devices
2. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears (Figure 2-2). All active devices are listed with an Online status. The devices you need to activate are listed with an Inactive status.
Figure 2-2 Global Site Selectors List Page - Inactive Status
3. Click the Modify GSS icon for the first GSS that you wish to activate. The Modifying GSS details page appears (Figure 2-3).
Figure 2-3 Modifying GSS Details Page
4. Check the Activate check box. (This check box does not appear in the Modifying GSS details page after a GSS device has been activated.)
5. Click the Submit button. You return to the Global Site Selector list page. The status of the device that you activated is listed as Online. Assuming that the device is functioning properly and that network connectivity between the device and the primary GSSM is good, the status of the device changes to Online within approximately 30 seconds.
Figure 2-4
6. Repeat Steps 1 through 5 for each inactive GSS or standby GSSM that you need to activate.
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears (see Figure 2-2). All active devices are listed with an online status. The devices you need to activate are listed with an inactive status.
3. Click the Modify GSS icon for the first GSS that you wish to activate. The Modifying GSS details page appears (see Figure 2-3).
4. In the Global Site Selector Name field, enter a new name for the device. This is not the same name as the hostname, which can only be changed using the CLI. It is used to easily distinguish one GSS device from another in the primary GSSM list pages, where many devices may appear together.
5. From the Location drop-down list, select a new device location.
6. Click Submit to save your changes. You return to the Global Site Selector list page.

1. From the primary GSSM GUI, click the Resources tab.
2. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears.
3. From the Global Site Selectors list, click the Modify GSS icon located to the left of the GSS device you want to delete. The Modifying GSS details page appears.
4. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the GSS device.
5. Click OK to confirm your decision. You return to the Global Site Selectors list page with the deleted device removed from the list.
6. To reconfigure the GSS device, refer to either the Configuring a Primary GSSM or Standby GSSM section or the Configuring a Global Site Selector section.
1. Create regions, locations, and owners - Optional. Use these groupings to organize your GSS network resources by customer account, physical location, owner, or other organizing principle. Refer to Chapter 3, Configuring Resources for details.
2. Create one or more source address lists - Optional. Use these lists of addresses to identify the name servers (D-proxy) that forward requests for the specified domains. The default source address list is Anywhere to match any incoming DNS request to the domains. Refer to Chapter 4, Configuring Source Address Lists for details.
3. Create one or more domain lists - Establish lists of Internet domains, possibly using wildcards, that are managed by the GSS and queried by users. Refer to Chapter 5, Configuring Domain Lists for details.
4. Modify the default global keepalive settings or create any shared keepalives - Optional. These are GSS network resources that are regularly polled to monitor the online status of one or more GSS resources linked to the keepalive. Shared keepalives are required for any answer that uses the KAL-AP keepalive type. Refer to Chapter 6, Configuring KeepAlives for details.
5. Create one or more answers - Answers are resources that match requests to domains. Refer to Chapter 7, Configuring Answers and Answer Groups for details.
6. Create one or more answer groups - Answer groups are collections of resources that balance requests for content. Refer to Chapter 7, Configuring Answers and Answer Groups for details.
7. Build your DNS rules - Processes incoming DNS requests using the DNS Rule Builder or DNS Rule Wizard. Refer to Chapter 8, Building and Modifying DNS Rules for details.
Because of the complexity of DNS rules, the primary GSSM GUI provides you with a choice of two methods for creating a DNS rule:
DNS Rule Wizard - An easy-to-use tool that guides you through the process of creating a DNS rule.
DNS Rule Builder - If you are an experienced GSS user, you can use the DNS Rule Builder to quickly assemble DNS rules from source address lists, domain lists, owners, and answers that you have already created.
Where to Go Next
Chapter 3, Configuring Resources, includes instructions on organizing resources on your GSS network as locations, regions, and owners.
Chapter 3: Configuring Resources
This chapter describes what you need to establish global server load-balancing resources. Before you configure request routing, make sure that you have configured your hardware devices as described in Chapter 2, Setting Up Your GSS. You must have a primary GSSM configured and enabled before you can configure request routing and server load balancing on the GSS network. Ideally, you have a standby GSSM configured as well. If you will be deploying GSSs in addition to your primary GSSM and standby GSSM, these devices will identify themselves to the primary GSSM and appear on the GSSM GUI when you access the Resources tab and click the Global Site Selectors navigation link. This chapter contains the following major sections:
Organizing Your GSS Network
Creating and Modifying Locations and Regions
Creating and Modifying Owners
Grouping GSS Resources by Location, Region, and Owner

Locations - Logical groupings for GSS resources that correspond to geographical entities such as a city, data center, or content site
Regions - Higher-level geographical groupings that contain one or more locations
Owners - Groupings that correspond to business or organizational relationships; for example, customers, internal departments, and IT personnel
Keep in mind that it is not a requirement that regions and locations correspond to actual geographical sites. They are simply organizing concepts that allow you to group GSS resources and exist in a one (region) to many (locations) relationship. In addition to providing an organizational scheme for your GSS network, locations can also be used for bulk management of GSS resources, such as answers. Answers can be grouped and managed according to a GSS location that has been established and with which answers have been associated. Using a location to manage your answers makes it easier for you to quickly suspend or activate answers in a particular area of your network, for example, shutting down one or more data centers for the purposes of software upgrades or regular maintenance. Refer to Chapter 7, Configuring Answers and Answer Groups, for more information.
Note
We recommend that you create regions before you create locations.
This section includes the following procedures:
Creating Regions
Creating Locations
Modifying Regions
Modifying Locations
Deleting Locations and Regions
Creating Regions
To create a region:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Regions navigation link. The Regions list page appears (Figure 3-1).
Figure 3-1
3. Click the Create Regions icon. The Creating New Region details page appears (Figure 3-2).
Figure 3-2
4. In the Name field, enter the name for your new region.
5. In the Comments field, enter descriptive information or important notes regarding the new region.
6. Click Submit to save changes to your new region. You return to the Region list page. Your new region appears in the list and can be used to help you organize other GSS resources.
Creating Locations
To create a location:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Locations navigation link. The Locations list page appears (Figure 3-3).
Figure 3-3 Locations List Page
3. Click the Create Location icon. The Creating New Location details page appears (Figure 3-4).
Figure 3-4
4. In the Name field, enter the name for your new location.
5. Click the Region drop-down list and choose a region with which the location will be associated. There should be a logical connection between region and location.
6. In the Comments field, enter descriptive information or important notes regarding the new region or location.
7. Click Submit to save your new location. You return to the Locations list page. Your new location appears in the list and can be used to help you organize other GSS resources.
Modifying Regions
To modify a GSS region:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Regions navigation link. The Regions list page appears.
3. From the Regions list, click the Modify Region icon located to the left of the region you want to modify. The Modifying Region details page appears (Figure 3-5).
Figure 3-5 Modifying Region Details Page
4. In the Name field, change the name of the region, if desired.
5. In the Comments field, enter or modify the descriptive information or notes regarding the region.
6. Click Submit to save the changes to your region. You return to the Regions list page.
Modifying Locations
To modify a GSS location:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Locations navigation link. The Locations list page appears.
3. From the Locations list, click the Modify Location icon located to the left of the location you want to modify. The Modifying Location details page appears (Figure 3-6).
Figure 3-6 Modifying Location Details Page
4. In the Name field, change the name of the location, if desired.
5. If you wish to move the location to a new region, click the Region drop-down list and select a new region with which the location will be associated.
6. In the Comments field, enter or modify the descriptive information or notes regarding the location.
7. Click Submit to save the changes to your location. You return to the Locations list page.
Caution
Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your primary GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.
To delete regions and locations:
1. From the primary GSSM GUI, click the Resources tab.
2. Click either the Locations or Regions navigation link, depending on what type of resource you intend to delete. The list page appears.
3. Click the Modify icon for the location or region that you want to delete. The details page appears, displaying configuration information for that resource.
4. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the Region or Location.
5. Click OK. You return to the list page with the Region or Location removed.
If an error appears informing you that a GSS resource is still linked to the region or location you want to delete, disassociate that resource and then attempt to delete the grouping again.
Chapter 7, Configuring Answers and Answer Groups, the Suspending or Reactivating All Answers in an Answer Group Associated with an Owner section
Chapter 8, Building and Modifying DNS Rules, the Suspending or Reactivating All DNS Rules Belonging to an Owner section
Creating Owners
To create an owner:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Owners navigation link. The Owners list page appears displaying a list of all configured owners on your GSS network and providing an overview of the resources assigned to each owner (Figure 3-7).
Figure 3-7
3. Click the Create Owner icon. The Creating New Owner details page appears (Figure 3-8).
Figure 3-8
4. In the Name field, enter the contact name for your new Owner.
5. In the Comments field, enter other descriptive or contact information for the new owner.
6. Click Submit to save the new Owner. You return to the Owners list page. Your new owner is listed and can now be used to help you organize other GSS resources.
Modifying Owners
To modify an owner:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Owners navigation link. The Owners list page appears.
3. From the Owners list, click the Modify Owner icon located to the left of the owner you want to modify. The Modifying Owner details page appears (Figure 3-9).
Figure 3-9 Modifying Owner Details Page
4. In the Name field, enter a new name for your owner, if desired.
5. In the Comments field, enter or modify the descriptive information or notes regarding the owner.
6. Click Submit to save the changes to the owner. You return to the Owners list page.
Deleting Owners
Before you attempt to delete an owner, be sure that you know what dependencies that resource has. For example, answer groups, DNS rules, and domain lists associated with an owner will, if that owner is deleted, automatically be associated with the System owner account.
Caution
Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.
To delete an owner:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Owners navigation link. The Owners list page appears.
3. From the Owners list, click the Modify Owner icon located to the left of the owner you want to delete. The Modifying Owner details page appears.
4. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the owner.
5. Click OK. You return to the Owners list screen with the owner removed.
GSS Network Resource GSS Locations Region Owner DNS rules Source address lists Domain lists Answer group Answer
Grouped Using Global Site Selector details page Locations details page DNS Rule Builder DNS Rule Wizard Source Address Lists details page Domain Lists details page Answer Group details page Answer details page
Where to Go Next
Chapter 4, Configuring Source Address Lists describes the creation of source address lists, collections of IP addresses or address blocks for known client DNS proxies (or D-proxies).
Chapter 4: Configuring Source Address Lists
Note
The deployment of source address lists is an optional process. A default source address list, named Anywhere, is supplied with the GSS software and matches any request for a domain.
Using the source address lists feature, you can enter one or more IP addresses, up to 30 addresses for each list, representing DNS proxies from which requests originate. Each GSS supports up to 60 source address lists. In addition to adding individual addresses, the primary GSSM also allows you to enter IP address blocks conforming to the classless interdomain routing (CIDR) IP addressing scheme.
This chapter contains the following major sections:
Creating Source Address Lists
Modifying Source Address Lists
Deleting Source Address Lists
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Source Address Lists navigation link. The Source Address Lists list page appears (Figure 4-1).
Figure 4-1 Source Address Lists List Page
3. Click the Create Source Address List icon. The Creating New Source Address List details page appears (Figure 4-2).
Figure 4-2
4. In the General Configuration details page (General Configuration navigation link), perform the following:
a. In the Name field, enter a name for the new Source Address List. Source
which the Source Address List is associated. The owner may be a hosting customer, an internal department such as human resources, or an IT staff resource.
c. In the Comments text area, enter any comments for the new Source Address List.
5. Click the Add Address navigation link to access the Add Addresses section of the page. Add new addresses or address blocks to your list of source addresses (Figure 4-3).
Figure 4-3
6.
multiple addresses, separate each one with a semicolon. You can enter up to 30 addresses for each list. You use this interface to add new addresses or address blocks to your list of source addresses. For example:
192.168.100.0/24; 10.89.0.0/16; 10.68.10.1
b. Click the Add button. The GSS software adds the addresses to the Source Address List.
7. Click the General Configuration navigation link to view the address block associated with the source address list. The addresses appear under the Current Members section of the details page (Figure 4-4).
Figure 4-4
8. When you are satisfied with your Source Address List, click the Submit button to save your changes. You return to the Source Address Lists list page.
You can add or remove source addresses from the list at any time. See the Modifying Source Address Lists section that follows.
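The entry format used in the procedure above (semicolon-separated addresses and CIDR blocks, at most 30 per list, at most 60 lists per GSS, list names without spaces) can be checked before it is typed into the GUI. The following Python sketch is an added example, not Cisco code: the function names are hypothetical, and reporting host bits, overlapping blocks, and a /0 block as findings is a review assumption rather than documented GSS behavior.

```python
import ipaddress

MAX_ADDRESSES_PER_LIST = 30  # per-list limit stated in this guide
MAX_LISTS_PER_GSS = 60       # per-GSS limit stated in this guide


def parse_source_address_list(name, entry_text):
    """Validate one list as typed into the Add Addresses field.

    Returns (networks, problems). An empty problems list means clean.
    """
    problems = []
    if not name or any(ch.isspace() for ch in name):
        problems.append(f"name {name!r}: empty or contains spaces")

    entries = [e.strip() for e in entry_text.split(";") if e.strip()]
    if len(entries) > MAX_ADDRESSES_PER_LIST:
        problems.append(
            f"{len(entries)} entries: limit is {MAX_ADDRESSES_PER_LIST}")

    networks = []
    for entry in entries:
        try:
            # Accepts both "a.b.c.d" (treated as /32) and "a.b.c.d/len".
            iface = ipaddress.IPv4Interface(entry)
        except ValueError:
            problems.append(f"{entry}: not an IPv4 address or CIDR block")
            continue
        net = iface.network
        if iface.ip != net.network_address:
            problems.append(f"{entry}: host bits set, block is really {net}")
        if net.prefixlen == 0:
            problems.append(f"{entry}: matches every D-proxy, same as Anywhere")
        for other in networks:
            if net.subnet_of(other) or other.subnet_of(net):
                problems.append(f"{entry}: overlaps {other}")
        networks.append(net)
    return networks, problems


def audit(lists_text):
    """lists_text maps list name -> entry text. Returns {name: problems}."""
    findings = {}
    if len(lists_text) > MAX_LISTS_PER_GSS:
        findings["(all)"] = [
            f"{len(lists_text)} lists: limit is {MAX_LISTS_PER_GSS} per GSS"]
    for name, text in lists_text.items():
        _, problems = parse_source_address_list(name, text)
        if problems:
            findings[name] = problems
    return findings


def lists_matching(dproxy_ip, address_lists):
    """Names of the lists containing a D-proxy address.

    address_lists maps list name -> parsed networks. The default list
    Anywhere matches any request, so it is always appended.
    """
    ip = ipaddress.IPv4Address(dproxy_ip)
    hits = [name for name, nets in address_lists.items()
            if any(ip in net for net in nets)]
    return hits + ["Anywhere"]


if __name__ == "__main__":
    # Constructed sample input; the first line is the example from step 6.
    good = "192.168.100.0/24; 10.89.0.0/16; 10.68.10.1"
    bad = "10.0.0.0/8; 10.89.0.0/16; 300.1.1.1; 192.168.100.7/24"
    nets, _ = parse_source_address_list("branch-proxies", good)
    print(lists_matching("10.89.4.20", {"branch-proxies": nets}))
    for name, problems in audit({"branch-proxies": good, "bad name": bad}).items():
        for problem in problems:
            print(f"{name}: {problem}")
```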
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Modify Source Address List icon located to the left of the Source Address List you want to modify. The Modifying Source Address List details page appears.
3. In the General Configuration details page (General Configuration navigation link), use the fields provided to modify the name, comments, or owner for the source address list (see Figure 4-2). Source address list names cannot contain spaces.
4. To add more source addresses to the list, click the Add Addresses navigation link. Use the field provided (see Figure 4-3) to enter the names of source address lists you wish to add. Click the Add button to append the new source address to the existing list.
5. To remove addresses from the Source Address List, click the Remove Addresses navigation link. The Remove Addresses section of the page appears (Figure 4-5). Click the check box accompanying each source address you wish to remove from the list, then click the Remove Selected button to remove the selected source addresses from the list.
Figure 4-5 Modifying Source Address List - Remove Addresses
6. Review your updated source address list under the Current Members section of the details page (see Figure 4-4).
7. Click the Submit button to save your modified source address list. You return to the Source Address List list page.
Caution
Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.
To delete a source address list from your GSS network:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Source Address Lists navigation link. The Source Address Lists list page appears.
3. Click the Modify Source Address List icon located to the left of the Source Address List you want to remove. The Source Address Lists details page appears.
4. Click the Delete Source Address List icon in the upper right corner of the page (Figure 4-6). The GSS software prompts you to confirm your decision to delete the Source Address List.
Note
If an error appears informing you that the source address list is referenced by an existing DNS rule, disassociate the source address list from the DNS rule and then attempt to delete the source address list again.
Figure 4-6
5. Click OK. You return to the Source Address Lists list page. The source address list is removed from the list.
Where to Go Next
Chapter 5, Configuring Domain Lists, describes the creation of domain lists, collections of domain names for Internet or intranet resources, sometimes referred to as hosted domains, that are being requested by your users.
Chapter 5: Configuring Domain Lists
Domain List Overview
Creating Domain Lists
Modifying Domain Lists
Deleting Domain Lists
For example, if you had three hosted domains (www.cisco.com, support.cisco.com, and customer.cisco.com) for which the GSS was responsible, you might want to enter only those domains in your domain list, as follows:
www.cisco.com; support.cisco.com; customer.cisco.com
However, if you had 20 or more possible domains for which the GSS was responsible (www1.cisco.com, www2.cisco.com, and so on), manually entering each address may be time-consuming. In such a situation, you could create a wildcard expression that would cover all those domains, as follows:
.*\.cisco\.com
Any request for a hosted domain that matches the pattern is directed accordingly. Each GSS can support a maximum of 2000 hosted domains and 2000 hosted domain lists, with a maximum of 500 hosted domains supported for each domain list.
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Domain Lists navigation link. The Domain Lists list page appears (Figure 5-1).
Figure 5-1
3. Click the Create Domain List icon. The Creating New Domain List details page appears (Figure 5-2).
Figure 5-2
4. In the General Configuration details page (General Configuration navigation link), perform the following:
a. In the Name field, enter a name for the new Domain List. Domain List
5. Click the Add Domains navigation link to access the Add Domains section of the page. Use this section to add new hosted domains to your list.
Figure 5-3 Creating New Domain List - Add Domains
6. In the text box provided, enter the names of any hosted domains that you want to add to the domain list. Hosted domains may or may not correspond to standard third-level domain names but cannot exceed 128 characters in length. The following examples could be domain names configured on the GSS:
cisco.com
www.cisco.com
www.support.cisco.com
Domain names that use wildcards are also supported by the GSS. You can enter complete domain names or any regular expression that specifies a pattern by which the GSS can match incoming addresses. For example:
.*\.cisco\.com
These should be the domain names of resources for which the GSS is acting as the authoritative DNS server. Domain names that do not use wildcards cannot exceed 128 characters. For domain names with wildcards that are valid regular expressions, the GSS can match strings up to 256 characters long. If you are entering multiple domain names, separate each one with a semicolon, for example:
www.cisco.com; support.cisco.com; cdn.cisco.com
7. Click the Add button. The domains you entered are added to the Domain List.
8. Click the General Configuration navigation link and view the domains list. The domain names appear under the Current Members section of the details page (Figure 5-4).
9. Click the Submit button to save your domain list changes.
Figure 5-4
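Because wildcard entries are regular expressions, a dot that is not escaped matches any character, so a pattern can cover more names than intended. The following Python linter is an added example, not Cisco code: it checks entries against the limits stated in this chapter (128 characters for names without wildcards, 500 domains per list, list names without spaces) and reports which entries a given query name would match. The function names are hypothetical, and it assumes whole-name, case-insensitive matching with Python's re module standing in for the GSS matcher.

```python
import re

MAX_LITERAL_LEN = 128        # limit for names without wildcards (this guide)
MAX_DOMAINS_PER_LIST = 500   # hosted domains per domain list (this guide)
REGEX_META = set("*?+[](){}|^$\\")
# A '.' that is neither escaped nor followed by a quantifier is usually a
# literal dot the author forgot to escape (heuristic: also flags "[.]").
BARE_DOT = re.compile(r"(?<!\\)\.(?![*+?{])")
LITERAL_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")


def split_entries(text):
    """Split the semicolon-separated text typed into the Add Domains box."""
    return [e.strip() for e in text.split(";") if e.strip()]


def is_wildcard(entry):
    """Treat an entry as a regular expression if it has a metacharacter."""
    return any(ch in REGEX_META for ch in entry)


def matches(entry, qname):
    """Assumed semantics: the entry must match the whole query name."""
    if not is_wildcard(entry):
        return entry.lower() == qname.lower()
    try:
        return re.fullmatch(entry, qname, re.IGNORECASE) is not None
    except re.error:
        return False


def lint_domain_list(name, text):
    """Return a list of findings for one domain list; empty means clean."""
    findings = []
    if not name or any(ch.isspace() for ch in name):
        findings.append(f"name {name!r}: empty or contains spaces")
    entries = split_entries(text)
    if len(entries) > MAX_DOMAINS_PER_LIST:
        findings.append(
            f"{len(entries)} domains: limit is {MAX_DOMAINS_PER_LIST}")
    for entry in entries:
        if not is_wildcard(entry):
            if len(entry) > MAX_LITERAL_LEN:
                findings.append(
                    f"{entry[:20]}...: longer than {MAX_LITERAL_LEN} characters")
            elif not LITERAL_NAME.fullmatch(entry):
                findings.append(f"{entry}: not a well-formed domain name")
            continue
        try:
            re.compile(entry)
        except re.error as exc:
            findings.append(f"{entry}: not a valid regular expression ({exc})")
            continue
        if BARE_DOT.search(entry):
            findings.append(
                f"{entry}: unescaped '.' matches any character; "
                "use \\. for a literal dot")
    return findings


def matching_entries(text, qname):
    """Entries of a domain list that would match a query name."""
    return [e for e in split_entries(text) if matches(e, qname)]


if __name__ == "__main__":
    # Constructed sample input: the guide's pattern and a mistyped variant.
    intended = r"www.cisco.com; .*\.cisco\.com"
    mistyped = r"www.cisco.com; .*.cisco.com"
    for probe in ("www1.cisco.com", "www.notcisco.com", "cisco.com"):
        print(probe, matching_entries(intended, probe),
              matching_entries(mistyped, probe))
    for finding in lint_domain_list("web-domains", mistyped):
        print(finding)
```

Note that under these assumptions the guide's pattern .*\.cisco\.com does not match the bare name cisco.com, which needs its own entry.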
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Domain Lists navigation link. The Domain Lists list page appears (see Figure 5-1).
3. From the Domain Lists list, click the Modify Domain List icon located to the left of the Domains List you want to modify. The Modifying Domain List details page appears.
4. In the General Configuration details page (General Configuration navigation link), use the fields provided to modify the name, comments, or owner for the domain list (see Figure 5-2). Domain List names cannot contain spaces.
5. To add more domains to the list, click the Add Domains navigation link. Use the text box (see Figure 5-3) provided to enter the names of domains you wish to add. Click the Add button to append the new domains to the existing list.
6. To remove domains from the domain list, click the Remove Domains navigation link. The Remove Domains section of the page appears (Figure 5-5). Click the check box accompanying each domain you wish to remove from the list, then click the Remove Selected button. The deleted domain lists have been removed from the page.
Figure 5-5
7. Review your updated domain lists under the Current Members section of the details page (see Figure 5-4).
8. Click the Submit button to save your changes. You return to the Domain List list page.
Caution
Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.
To delete a domain list from your GSS network:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Domain Lists navigation link. The Domain Lists list page appears listing existing Domain Lists.
3. Click the Modify Domain List icon located to the left of the Domain List you want to remove. The Modifying Domain Lists details page appears (Figure 5-5).
Figure 5-6
4. Click the Delete Domain List icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the domain list.
Note
If an error appears informing you that the domain list is referenced by a DNS rule, disassociate the domain list from the DNS rule and then attempt to delete the domain list again. Refer to Chapter 8, Building and Modifying DNS Rules.
5. Click OK. You return to the Domain List list page. The domain list is removed from the list.
Where to Go Next
Chapter 6, Configuring KeepAlives, describes the modification of global keepalives and the creation of shared keepalives.
Chapter 6: Configuring KeepAlives
A keepalive is a method by which the GSS periodically checks to see if a resource associated with an answer is still active. All answers are validated by configured keepalives as being either online or offline. The GSS uses keepalives to collect and track information on everything from the simple online status of VIPs to services and applications running on a server. Depending on the type of answer being tracked, the GSS also monitors load and connection information on SLBs that can be used to perform load-based redirection. This chapter contains the following major sections:
Modifying Global KeepAlive Properties
Configuring and Modifying Shared VIP KeepAlives
Note
Changing global keepalive properties is an optional process.
To modify the GSS keepalive properties:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the KeepAlive Properties navigation link. The Configure Global KeepAlive Properties details page appears (Figure 6-1).
Figure 6-1 Configure Global KeepAlive Properties Details Page
3. Use the navigation links on the left side of the page to access the individual GSS global keepalive details page and to modify the global properties of the keepalive.
The following procedures describe how to modify the default properties for the individual global keepalives.
Global KeepAlive Configuration - ICMP
Global KeepAlive Configuration - TCP
Global KeepAlive Configuration - HTTP HEAD
Global KeepAlive Configuration - KAL-AP
Global KeepAlive Configuration - CRA
Global KeepAlive Configuration - Name Server
Figure 6-3
1. Select the ICMP keepalive rate by clicking one of the KAL Type option buttons. You can specify whether the GSS is to use the standard or fast ICMP keepalive transmission rate. The failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs and when the GSS determines the failure occurred. This is the longest period of time the GSS will take to mark an answer offline.
Standard - Uses the default detection time of 60 seconds.
Fast - Uses the user-selectable Number of Retries parameter to control
Note
The GSS supports up to 500 ICMP keepalives when using the standard detection method and up to 100 ICMP keepalives when using the fast detection method.
2. If you selected the Standard KAL Type, in the Minimum Interval field change the minimum frequency with which the GSS attempts to schedule ICMP keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.
3. If you selected the Fast KAL Type, modify the following parameters:
In the Number of Retries field, specify the number of times the GSS retransmits an ICMP echo request packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. The default is 1.
In the Number of Successful Probes field, specify the number of consecutive successful ICMP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. The default is 1.
Note
For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.
4. Click the Submit button to save your ICMP global keepalive modifications.
Figure 6-5
1. Select the TCP keepalive rate by clicking one of the KAL Type option buttons. You can specify whether the GSS is to use the standard or fast TCP keepalive transmission rate. The failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs and when the GSS determines the failure occurred. This is the longest period of time the GSS will take to mark an answer offline.
Standard - Uses the default detection time of 60 seconds.
Fast - Uses the user-selectable Number of Retries parameter to control
Note
The GSS supports up to 500 TCP keepalives when using the standard detection method and up to 100 TCP keepalives when using the fast detection method.
2. In the Destination port field, enter the port on the remote device that is to receive the TCP keepalive request from the GSS. The port range is 1 to 65535. The default port is 80.
3. Specify the TCP keepalive connection termination method:
- Reset: The GSS immediately terminates the TCP connection by using a
4. If you selected the Standard KAL Type, specify the following parameters:
- In the Response Timeout field, specify the length of time allowed before the GSS re-transmits data to a device that is not responding to a request. The valid entries are 20 to 60 seconds. The default is 20 seconds.
- In the Minimum Interval field, specify the minimum frequency with which the GSS attempts to schedule TCP keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.
5. If you selected the Fast KAL Type, modify the following parameters:
- In the Number of Retries field, specify the number of times the GSS retransmits a TCP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. The default is 1.
Note
When using the Graceful termination sequence, there are two packets that require acknowledgement: SYN and FIN.
- In the Number of Successful Probes field, specify the number of consecutive successful TCP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. The default is 1.
Note
For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.
6. Click the Submit button to save your TCP global keepalive modifications.
Figure 6-7
1. Select the HTTP HEAD keepalive rate by clicking one of the KAL Type option buttons. You can specify whether the GSS is to use the standard or fast HTTP HEAD keepalive transmission rate. The failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs and when the GSS determines the failure occurred. This is the longest period of time the GSS will take to mark an answer offline.
- Standard: Uses the default detection time of 60 seconds.
- Fast: Uses the user-selectable Number of Retries parameter to control
Note
The GSS supports up to 500 HTTP HEAD keepalives when using the standard detection method and up to 100 HTTP HEAD keepalives when using the fast detection method.
2. In the Destination port field, enter the port on the remote device that is to receive the HTTP HEAD-type keepalive request from the GSS. The port range is 1 to 65535. The default port is 80.
3. In the Path field, enter the default path that is relative to the server website being queried in the HTTP HEAD request. For example: /company/owner
4. Specify the HTTP HEAD keepalive connection termination method:
- Reset: The GSS immediately terminates the HTTP HEAD connection
5. If you selected the Standard KAL Type, specify the following parameters:
- In the Response Timeout field, change the length of time allowed before the GSS retransmits data to a device that is not responding to a request. The valid entries are 20 to 60 seconds. The default is 20 seconds.
- In the Minimum Interval field, change the minimum frequency with which the GSS attempts to schedule HTTP HEAD keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.
6. If you selected the Fast KAL Type, specify the following parameters:
- In the Number of Retries field, specify the number of times the GSS retransmits an HTTP HEAD packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. The default is 1.
Note
When using the Graceful termination sequence, there are three packets that require acknowledgement: SYN, HEAD, and FIN.
- In the Number of Successful Probes field, specify the number of consecutive successful HTTP HEAD keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. The default is 1.
Note
For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.
7. Click the Submit button to save your HTTP HEAD global keepalive modifications.
Figure 6-9
1. Select the KAL-AP keepalive rate by clicking one of the KAL Type option buttons. You can specify whether the GSS is to use the standard or fast KAL-AP keepalive transmission rate. The failure detection time, as it relates to the GSS, is the amount of time between when a device failure occurs and when the GSS determines the failure occurred. This is the longest period of time the GSS will take to mark an answer offline.
- Standard: Uses the default detection time of 60 seconds.
- Fast: Uses the user-selectable Number of Retries parameter to control
Note
The GSS supports up to 128 primary and 128 secondary KAL-AP keepalives when using the standard detection method and up to 40 primary and 40 secondary KAL-AP keepalives when using the fast detection method.
2. If you intend to use Content and Application Peering Protocol (CAPP) encryption, in the CAPP Hash Secret field enter an alphanumeric encryption key value. This is the alphanumeric value used to encrypt interbox communications using CAPP. The same encryption value must also be configured on the Cisco CSS or CSM. The default CAPP Hash Secret string is hash-not-set.
3. If you selected the Standard KAL Type, in the Minimum Interval field, change the minimum frequency with which the GSS attempts to schedule KAL-AP By Tag or KAL-AP By VIP keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.
4. If you selected the Fast KAL Type, specify the following parameters:
- In the Number of Retries field, specify the number of times the GSS retransmits a KAL-AP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. The default is 1.
- In the Number of Successful Probes field, specify the number of consecutive successful KAL-AP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. The default is 1.
Note
For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.
5. Click the Submit button to save your KAL-AP global keepalive modifications.
1. In the Timing Decay field, change the value to specify how heavily the GSS should weigh recent DNS Round Trip Time (RTT) probe results relative to earlier RTT metrics, with 1 indicating that recent results should not be weighed any more than previous RTT results. The valid entries are 1 to 10. The default is 2.
2. In the Minimum Interval field, change the minimum frequency with which the GSS attempts to schedule CRA-type keepalives. The valid entries are 1 to 60 seconds. The default is 10 seconds.
3. Click the Submit button to save your CRA global keepalive modifications.
1. In the Query Domain field, change the globally defined domain name that is used to query when utilizing the name server (NS) keepalive. The default is ".".
2. In the Minimum Interval field, change the minimum frequency with which the GSS attempts to schedule name server query keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.
3. Click the Submit button to save your Name Server global keepalive modifications.
Note
Shared keepalives are not used with name server or CRA answers.
All answers are validated by configured keepalives and are not returned if the keepalive indicates that the answer is not viable. If a shared keepalive fails to return a status, all VIPs associated with that shared keepalive are assumed to be offline. If you intend to use the KAL-AP keepalive method with a VIP answer, you must configure a shared keepalive. The use of shared keepalives is an option for the ICMP, TCP, and HTTP HEAD keepalive types.
This section includes the following procedures:
- Creating a Shared VIP KeepAlive
- Modifying a Shared KeepAlive
- Deleting a Shared KeepAlive
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Shared KeepAlives navigation link. The Shared KeepAlives list page appears listing all existing shared keepalives (Figure 6-12).
3. Click the Create Shared KeepAlive icon. The Creating New Shared KeepAlives details page appears (Figure 6-13).
4. At the Type section at the top of the page, choose one of the four keepalive types as the shared VIP keepalive:
- ICMP: Sends an ICMP echo message (ping) to the specified address. Online status is determined by the response received from the device, indicating simple connectivity to the network.
- TCP: Sends a TCP handshake to the specified IP address and port number of the remote device to determine service viability (three-way handshake and connection termination method), returning the online status of the device.
- HTTP HEAD: Sends a TCP format HTTP HEAD request to an origin web server at a specified address. Online status of the device is determined in the form of an HTTP Response Status Code of 200 (for example, HTTP/1.0 200 OK) from the server as well as information on the web page status and content size.
- KAL-AP: Sends a detailed query to the Cisco CSS or CSM to extract load and availability. Online status is determined when these SLBs respond with information about a hosted domain name, host VIP address, or a configured tag on a content rule.
The following procedures describe how to configure the properties for the individual VIP shared keepalives. The default values used for each VIP keepalive are determined by the values specified in the Global Keepalive Properties details page.
- Shared KeepAlive Configuration: ICMP
- Shared KeepAlive Configuration: TCP
- Shared KeepAlive Configuration: HTTP HEAD
- Shared KeepAlive Configuration: KAL-AP
1. Enter the IP address used to test the online status for the linked VIPs.
2. If the ICMP global keepalive configuration is set to the Fast KAL Type, specify the following parameters in the Fast Keepalive Settings section:
- In the Number of Retries field, specify the number of times the GSS retransmits an ICMP echo request packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.
- In the Number of Successful Probes field, specify the number of consecutive successful ICMP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.
Note
For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.
3. Click the Submit button to save your ICMP shared keepalive configuration. You return to the Shared KeepAlives list page.
1. Enter the IP address used to test the online status for the linked VIPs.
2. In the Destination port field enter the port on the remote device that is to receive the TCP keepalive request. The port range is 1 to 65535. If you do not specify a destination port, the GSS uses the globally configured value.
3. Specify the TCP keepalive connection termination method:
- Default: Always use the globally defined TCP keepalive connection method.
- Reset: The GSS immediately terminates the TCP connection by using a hard reset.
- Graceful: The GSS initiates the graceful closing of a TCP connection
4. If the TCP global keepalive configuration is set to the Fast KAL Type, specify the following parameters in the Fast Keepalive Settings section:
- In the Number of Retries field, specify the number of times the GSS retransmits a TCP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.
Note
When using the Graceful termination sequence, there are two packets that require acknowledgement: SYN and FIN.
- In the Number of Successful Probes field, specify the number of consecutive successful TCP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.
Note
For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.
5. Click the Submit button to save your TCP shared keepalive configuration. You return to the Shared KeepAlives list page.
1. Enter the IP address used to test the online status for the linked VIPs.
2. In the Destination port field enter the port on the remote device that receives the HTTP HEAD-type keepalive request from the GSS. The port range is 1 to 65535. If you do not specify a destination port, the GSS uses the globally configured value.
3. In the Host Tag field, enter an optional domain name that is sent to the VIP as part of the HTTP HEAD query in the Host tag field. This tag allows an SLB to resolve the keepalive request to a particular website even when multiple sites are represented by the same VIP.
4. In the Path field, enter the default path that is relative to the server website being queried in the HTTP HEAD request. If you do not specify a default path, the GSS uses the globally configured value. For example:
/company/owner
5.
connection method.
- Reset: The GSS immediately terminates the TCP formatted HTTP
HTTP HEAD connection by using the standard three-way connection termination method.
6. If the HTTP-HEAD global keepalive configuration is set to the Fast KAL Type, specify the following parameters in the Fast Keepalive Settings section:
- In the Number of Retries field, specify the number of times the GSS retransmits an HTTP HEAD packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.
Note
When using the Graceful termination sequence, there are three packets that require acknowledgement: SYN, HEAD, and FIN.
- In the Number of Successful Probes field, specify the number of consecutive successful HTTP HEAD keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.
Note
For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.
7. Click the Submit button to save your HTTP HEAD shared keepalive configuration. You return to the Shared KeepAlives list page.
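To check a Destination port, Host Tag and Path combination before entering it, the HTTP HEAD keepalive described above can be reproduced by hand. The following is an added example, not GSS code: it assumes an HTTP/1.0 request line and a 20-second timeout (the Standard Response Timeout default), and the function names are hypothetical.

```python
import socket
from typing import Optional


def build_head_request(path: str = "/", host_tag: Optional[str] = None) -> bytes:
    """Build the HEAD request for a keepalive Path and optional Host Tag."""
    if not path.startswith("/"):
        raise ValueError("Path must be relative to the site root, e.g. /company/owner")
    for value in (path, host_tag or ""):
        # Whitespace or CR/LF in either field would corrupt the request line or headers.
        if any(ch in value for ch in "\r\n \t"):
            raise ValueError("Path and Host Tag must not contain whitespace or CR/LF")
    lines = ["HEAD %s HTTP/1.0" % path]     # HTTP/1.0 is an assumption of this sketch
    if host_tag:
        # Lets a device fronting several sites on one VIP pick the right one.
        lines.append("Host: %s" % host_tag)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_status(response: bytes) -> Optional[int]:
    """Return the status code from the first response line, or None if malformed."""
    status_line = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def is_online(response: bytes) -> bool:
    """The guide's criterion: only an HTTP Response Status Code of 200 counts as online."""
    return parse_status(response) == 200


def probe(ip: str, port: int = 80, path: str = "/",
          host_tag: Optional[str] = None, timeout: float = 20.0) -> bool:
    """Send one HEAD keepalive to ip:port and report whether it would count as online."""
    if not 1 <= port <= 65535:
        raise ValueError("Destination port must be 1 to 65535")
    request = build_head_request(path, host_tag)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as conn:
            conn.sendall(request)
            response = conn.recv(4096)
    except OSError:
        return False            # refused, unreachable or timed out
    return is_online(response)


# Constructed sample responses (not captured from a real device).
SAMPLE_OK = b"HTTP/1.0 200 OK\r\nContent-Length: 1024\r\n\r\n"
SAMPLE_REDIRECT = b"HTTP/1.1 301 Moved Permanently\r\nLocation: /company/owner/\r\n\r\n"
SAMPLE_AUTH = b"HTTP/1.1 401 Unauthorized\r\n\r\n"

if __name__ == "__main__":
    print(build_head_request("/company/owner", "www.example.com").decode())
    for name, sample in (("ok", SAMPLE_OK), ("redirect", SAMPLE_REDIRECT),
                         ("auth", SAMPLE_AUTH)):
        print(name, parse_status(sample), is_online(sample))
```

Under the 200-only rule, a Path that redirects or sits behind authentication would mark an otherwise healthy answer offline, so choose a path that returns 200 directly.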
1. Enter the primary (master) and secondary (backup) IP addresses that will be tested for online status in the fields provided. The secondary IP address is optional. The purpose of the secondary IP address is to query a second Cisco CSS or CSM in a virtual IP (VIP) redundancy and virtual interface redundancy configuration.
2. If you intend to use Content and Application Peering Protocol (CAPP) encryption, check the CAPP Secure box and enter an alphanumeric encryption key value in the CAPP Hash Secret field. This is the alphanumeric value used to encrypt interbox communications using CAPP. The same encryption value must also be configured on the Cisco CSS or CSM.
3. If the KAL-AP global keepalive configuration is set to the Fast KAL Type, specify the following parameters in the Fast Keepalive Settings section:
- In the Number of Retries field, specify the number of times the GSS retransmits a KAL-AP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.
- In the Number of Successful Probes field, specify the number of consecutive successful KAL-AP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.
Note
For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.
4. Click Submit to create the new shared keepalive. You return to the Shared KeepAlives list page.
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Shared KeepAlives navigation link. The Shared KeepAlives list page appears (see Figure 6-12).
3. Click the Modify Shared KeepAlive icon located to the left of the shared keepalive you want to modify. The Modify Shared KeepAlive details page appears (Figure 6-18).
4. Use the fields provided to modify the shared keepalive configuration.
5. Click Submit to save your configuration changes. You return to the Shared KeepAlive list page.
Caution
Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.
To delete a shared keepalive:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Shared KeepAlives navigation link. The Shared KeepAlives lists page appears listing all existing shared keepalives.
3. Click the Modify Shared KeepAlive icon located to the left of the shared keepalive you want to remove. The Modifying Shared KeepAlive details page appears.
4. If the shared keepalive is associated with an answer, perform one of the following:
- To disassociate all answers from the selected shared keepalive and set the keepalive type of each of those answers to ICMP using the answer's own VIP, click the Set Answers KAL ICMP icon in the upper right corner of the page.
- To disassociate all answers from the selected shared keepalive and set the keepalive type of each of those answers to none, meaning that the GSS assumes they are always alive, click the Set Answers KAL None icon in the upper right corner of the page.
The GSS software prompts you to confirm your decision to disassociate all the answers from the existing shared keepalive.
5. Click the Delete button in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the shared keepalive.
6. Click OK to confirm your decision. You return to the Shared KeepAlives lists page.
Where to Go Next
Chapter 7, Configuring Answers and Answer Groups, provides you with all the information you need to create and configure GSS answers and answer groups, which are resources that respond to DNS queries.
Chapter 7: Configuring Answers and Answer Groups
- VIP: Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, a Web server, cache, or other geographically dispersed SLBs in a global network deployment.
- Name Server: A configured DNS name server on your network that can answer queries that the GSS cannot resolve.
- CRA: Content routing agents that use a resolution process called DNS race to send identical and simultaneous responses back to a user's D-proxy.
Once created, answers are grouped together as resource pools from which the GSS, using one of a number of available balance methods in a DNS rule, can choose the most appropriate answer for each user request. In addition, once the query is passed to the answer, intelligence on that resource can be applied in choosing the best host. For example, a request that is routed to a VIP associated with a CSS is evaluated by the CSS after it is received and directed to the most suitable host managed by that CSS.
In addition to specifying a resource, each answer also provides you with the option of specifying a keepalive for that resource, a method by which the GSS can periodically check to see if the resource is still up and running. The keepalive monitoring method available to you varies with the resource type, as explained in this section.
This section includes the following procedures:
- Creating a VIP-Type Answer
- Creating a CRA-Type Answer
- Creating a Name Server-Type Answer
- Modifying an Answer
- Suspending an Answer
- Reactivating an Answer
- Suspending or Reactivating All Answers in a Location
- Deleting an Answer
Note
Once an answer is created the Answer type cannot be modified (for example, from VIP to CRA).
To configure a VIP-type answer:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears (Figure 7-1).
Figure 7-1: Answers List Page
3. Click the Create Answer icon. The Creating New Answer detail page appears (Figure 7-2).
Figure 7-2
4. In the Type field, click the VIP option button. The VIP Answer section appears in the details page (Figure 7-3).
Figure 7-3
5. In the Name field, enter a name for the VIP-type answer you are creating. Specifying a name for the answer is an optional step.
6. From the Location drop-down list, select a GSS location to which the answer corresponds. Specifying a location for an answer is an optional step. For details about creating a location, refer to Chapter 3, Configuring Resources.
7. In the VIP address field, enter the VIP address to which the GSS will forward requests.
8. Choose one of the five keepalive types for your VIP answer:
- None: Does not send keepalive queries to the VIP. The GSS assumes
- ICMP: Sends an ICMP echo message (ping) to the specified address. Online status is determined by the response received from the device, indicating simple connectivity to the network.
- TCP: Sends a TCP handshake to the specified IP address and port number of the remote device to determine service viability (three-way handshake and connection termination method), returning the online status of the device.
- HTTP-Head: Sends a TCP format HTTP HEAD request to an origin web server at a specified address. Online status of the device is determined in the form of an HTTP Response Status Code of 200 (for example, HTTP/1.0 200 OK) from the server as well as information on the web page status and content size.
- KAL-AP: Sends a detailed query to the Cisco CSS or CSM to extract load and availability. Online status is determined when these SLBs respond with information about a hosted domain name, host VIP address, or a configured tag on a content rule.
The following procedures describe how to configure the properties for the individual VIP keepalives. The default values used for each of the VIP keepalives are determined by the values specified in the Global Keepalive Properties details page.
- VIP Answer: ICMP KeepAlive
- VIP Answer: TCP KeepAlive
- VIP Answer: HTTP HEAD KeepAlive
- VIP Answer: KAL-AP KeepAlive
1. The VIP Address check box is automatically checked to instruct the GSS to send an ICMP echo message (ping) to the VIP address of the remote device and determine online status. If necessary, uncheck the VIP Address check box and select an ICMP-type shared keepalive from the Shared ICMP Keepalive drop-down list.
2. If the ICMP global keepalive configuration is set to the Fast KAL Type and the VIP Address is checked, specify the following parameters in the Fast Keepalive Settings section:
- In the Number of Retries field, specify the number of times the GSS retransmits an ICMP echo request packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.
- In the Number of Successful Probes field, specify the number of consecutive successful ICMP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it back into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.
Note
For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.
3. Click the Submit button to save your ICMP keepalive VIP answer. You return to the Answers list page.
1. The VIP Address check box is automatically checked to instruct the GSS to send a TCP keepalive to the VIP address of the remote device and determine online status. If necessary, uncheck the VIP Address check box and choose a TCP-type shared keepalive from the Shared TCP Keepalive drop-down list.
2. In the Destination Port field enter the port on the remote device that is to receive the TCP keepalive request. The port range is 1 to 65535. If you do not specify a destination port, the GSS uses the globally configured value.
3. If you enabled the VIP Address check box, specify the TCP keepalive connection termination method:
- Default: Always use the globally defined TCP keepalive connection method.
- Reset: The GSS immediately terminates the TCP connection by using a hard reset.
- Graceful: The GSS initiates the graceful closing of a TCP connection
4. If the TCP global keepalive configuration is set to the Fast KAL Type and the VIP Address is checked, specify the following parameters in the Fast Keepalive Settings section:
- In the Number of Retries field, specify the number of times the GSS retransmits a TCP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.
Note
When using the Graceful termination sequence, there are two packets that require acknowledgement: SYN and FIN.
- In the Number of Successful Probes field, specify the number of consecutive successful TCP keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it back into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.
Note
For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.
5. Click the Submit button to save your TCP keepalive VIP answer. You return to the Answers list page.
1. The VIP Address check box is automatically checked to instruct the GSS to send a TCP format HTTP HEAD request to the web server at an address you specified and determine online status. If necessary, uncheck the VIP Address check box and select an HTTP-type shared keepalive from the Shared HTTP HEAD keepalive drop-down list.
2. In the Destination Port field enter the port on the remote device that receives the HTTP HEAD-type keepalive request from the GSS. The port range is 1 to 65535. If you do not specify a destination port, the GSS uses the globally configured value.
3. In the Host Tag field, enter an optional domain name that is sent to the VIP as part of the HTTP HEAD query in the Host tag field. This tag allows an SLB to resolve the keepalive request to a particular website even when multiple sites are represented by the same VIP.
4. In the Path field, enter the path that is relative to the server website being queried in the HTTP HEAD request. If you do not specify a default path, the GSS uses the globally configured value. For example: /company/owner
5. If you enabled the VIP Address check box, specify the HTTP HEAD keepalive connection termination method:
- Default: Always use the globally defined HTTP HEAD keepalive connection method.
- Reset: The GSS immediately terminates the TCP formatted HTTP
HTTP HEAD connection by using the standard three-way connection termination method.
6. If the HTTP HEAD global keepalive configuration is set to the Fast KAL Type and the VIP Address is checked, specify the following parameters in the Fast Keepalive Settings section:
- In the Number of Retries field, specify the number of times the GSS retransmits a TCP packet before declaring the device offline. As you adjust the Number of Retries parameter, you change the detection time determined by the GSS. By increasing the number of retries you increase the detection time. Reducing the number of retries has the reverse effect. The range is 1 to 10 retries. If you do not specify a value, the GSS uses the globally configured value.
Note
When using the Graceful termination sequence, there are three packets that require acknowledgement: SYN, HEAD, and FIN.
- In the Number of Successful Probes field, specify the number of consecutive successful HTTP HEAD keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (and reintroducing it back into the GSS network). The range is 1 to 5 probes. If you do not specify a value, the GSS uses the globally configured value.
Note
For background details on keepalive detection time, refer to Chapter 1, Introducing the Global Site Selector, the Keepalives section.
7. Click the Submit button to save your HTTP HEAD keepalive VIP answer. You return to the Answers list page.
1. From the KAL-AP Type drop-down list, select the format of the KAL-AP keepalive query. Your choices are:
- KAL-AP By Tag: Embeds an alphanumeric tag associated with the VIP in the KAL-AP request. The tag value is used to match the correct shared keepalive VIP, thus avoiding confusion that can be caused when probing for the status of a VIP that is located behind a firewall network address translation (NAT).
- KAL-AP By VIP: Embeds the keepalive VIP address in the KAL-AP request. The KAL-AP queries the keepalive address to determine online status.
2. If you chose KAL-AP By VIP, select the appropriate KAL-AP type keepalive from the Shared KAL-AP Keepalive drop-down list.
3. If you chose KAL-AP By Tag, select the appropriate KAL-AP type keepalive from the Shared KAL-AP Keepalive drop-down list, then enter a unique alphanumeric value in the Tag field. This is used as a key by the CSS or GSSM that matches the KAL-AP request with the appropriate VIP.
4. Click the Submit button to save your KAL-AP keepalive VIP answer. You return to the Answers list page.
Closeness is determined when multiple hosts reply to the requesting D-proxy simultaneously in what is referred to as a DNS race. The GSS coordinates the start of the race so that all CRAs initiate their response at the same time. The first DNS reply to reach the D-proxy is chosen by the name server as the host containing the answer.
Note
Once an answer is created the Answer type cannot be modified (for example, from CRA to VIP).
To configure a CRA-type answer:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).
3. Click the Create Answer icon. The Creating New Answer details page appears (see Figure 7-2).
4. In the Type selection field, click the CRA option button. The CRA Answer section appears in the details page (Figure 7-8).
Figure 7-8
5. In the Name field enter a name for the CRA-type answer being created. Specifying a name for the answer is an optional step.
6. Click the Location drop-down list and select a location for the answer. Specifying a location for the answer is an optional step. For details about creating a location, refer to Chapter 3, Configuring Resources.
7. In the CRA Address field enter the interface or circuit address of the CRA.
8. If you want the GSS to perform keepalive checks on the CRA answer, click the Perform KeepAlive Check check box. Uncheck the Perform KeepAlive option if a static one-way delay value is used.
9. If a one-way delay time is required, enter a value, in milliseconds, in the One Way Delay field. This value is used by the GSS to calculate a static round-trip time (RTT), with the one-way delay constituting one-half of the round-trip time that is used for all DNS races involving this answer.
10. Click Submit to create your new CRA-type answer. You return to the
Note
Once an answer is created the Answer type cannot be modified (for example, from name server to VIP).
To configure a Name Server-type answer:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).
3. Click the Create Answer icon. The Creating New Answer details page appears (see Figure 7-2).
4. In the Type field, click the Name Server option button. The Name Server Answer section appears in the Creating New Answer details page (Figure 7-9).
Figure 7-9
5. In the Name field, enter a name for the name server-type answer you are creating. Specifying a name for the answer is an optional step.
6. From the Location drop-down list, select a GSS location to which the answer corresponds. Specifying a location for the answer is an optional step. For details about creating a location, refer to Chapter 3, Configuring Resources.
7. In the Name Server Address field, enter the IP address of the name server that the GSS is to forward requests to.
8. If you want the GSS to perform keepalive checks on the specified Name Server, click the Perform KeepAlive Check check box. The GSS queries the specified name server address to determine online status.
9. If you wish to have the GSS query the name server for a specific domain in determining online status, enter the domain name in the KeepAlive Query Domain field. If no domain is specified, the GSS queries the default query domain. For instructions on configuring the default query domain, see Chapter 6, Configuring KeepAlives.
10. Click Submit to create your new name server-type answer. You return to the
Modifying an Answer
Once you have configured your answers, they can be modified at any time. However, once an answer is created the answer type cannot be modified (for example, from VIP to CRA).
To modify an existing answer:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears.
3. Click the Modify Answer icon located to the left of the answer you want to modify. The Modifying Answer details page appears (Figure 7-10).
4. Use the fields provided to modify the answer configuration.
5. Click Submit to save your configuration changes. You return to the Answers list page.
Suspending an Answer
If you have created an answer but wish to temporarily stop the GSS from using it, use the suspend feature on the primary GSSM GUI to prevent that answer from being used by any of the currently configured DNS rules. If you have already suspended an answer, use the activate feature to reactivate the answer (see the Reactivating an Answer section).
To suspend an answer:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).
3. Click the Modify Answer icon located to the left of the answer you want to suspend. The Modifying Answer details page appears (see Figure 7-10).
4. Click the Suspend Answer icon in the upper right corner of the page to suspend an answer.
5. Click OK to confirm your decision to suspend the answer. You return to the Answers list screen. The modified answer has a status of Suspended.
Reactivating an Answer
If you have already suspended an answer, use the activate feature to reactivate the answer.
To reactivate an answer:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).
3. Click the Modify Answer icon located to the left of the answer you want to activate. All suspended answers have a status of Suspended in the list. The Modifying Answer details page appears (see Figure 7-10).
4. Click the Activate Answer icon in the upper right corner of the page to reactivate an answer.
5. Click OK to confirm your decision to reactivate the answer. You return to the Answers list screen. The modified answer has a status of Active.
Note
Suspending all answers in a location overrides the active or suspended state of an individual answer.
To suspend or reactivate answers based on their location:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Locations navigation link. The Locations list page appears.
3. Click the Modify Location icon located to the left of the location that includes answers that you want to suspend or reactivate. The Modifying Location details page appears.
Perform one of the following:
To suspend answers associated with this location, click the Suspend All
4. Confirm your decision to suspend or activate the answers associated with this location. Click OK. You return to the Locations list page.
Deleting an Answer
If you have created an answer but wish to delete it from the GSS, use the delete feature on the primary GSSM GUI to remove that answer.
Caution
Deletions of any kind cannot be undone in the primary GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.
To delete an answer:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answers navigation link. The Answers list page appears (see Figure 7-1).
3. Click the Modify Answer icon located to the left of the answer you want to remove. The Modifying Answer details page appears (see Figure 7-10).
4. Click the Delete Answer icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the answer.
5. Click OK to confirm your decision. You return to the Answers list page.
Configuring Answers and Answer Groups: Configuring and Modifying Answer Groups
In the case of a VIP answer group type, the GSS selects one or more VIPs using the balance method specified in the DNS rule. In the case of a CRA answer group type, all CRAs in the answer group are queried and then race to respond first to the D-proxy with their IP address. In the case of a name server answer group type, the GSS selects a name server using the balance method specified in the DNS rule and forwards the client's request to that name server.
A DNS rule can have up to three balance clauses, each specifying a different answer group from which an answer can be chosen, after taking load threshold, order, and weight factors into account for each answer. Before creating your answer groups, you must first configure the answers that make up those groups. See the Configuring and Modifying Answers section for more information on creating GSS answers. This section includes the following procedures:
• Creating an Answer Group
• Modifying an Answer Group
• Suspending or Reactivating an Answer Group
• Suspending or Reactivating All Answers in an Answer Group Associated with an Owner
• Deleting an Answer Group
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answer Groups navigation link. The Answer Groups list page appears (Figure 7-11).
3. Click the Create Answer Group icon. The Creating New Answer Group details page appears (Figure 7-12).
4. In the General Configuration details page (General Configuration navigation link), perform the following:
In the Name field, enter a name for the new answer group. The answer
• Name Server - The answer group consists of configured name servers
• CRA - The answer group consists of content routing agents (CRAs) for use with the Boomerang Server component of the GSS
• VIP - The answer group consists of virtual IPs controlled by an SLB device such as a CSS or CSM
5. From the Owner drop-down list, select the GSS owner with which the answer group will be associated. For details about creating an owner, refer to Chapter 3, Configuring Resources.
6. In the Comments text area, enter a description or other instructions regarding the new answer group.
7. Click the Add Answers navigation link to access the Add Answers section of the page (Figure 7-13). Perform the following:
   a. Click the check box corresponding to each answer you wish to add to the answer group. If the list of answers on your GSS network spans more than one page, select the answers from only the first page of answers and proceed to the next step.
   b. Click the Add Selected button. The selected answers are added to the answer group. Answers can belong to more than one answer group simultaneously.
   c. Repeat Steps a and b if your answers span multiple pages.
Note
If an answer is added to multiple answer groups, when viewing the hit count of answers from either the Answer Status list page or the show statistics dns CLI command output, the number of hits provided represents the aggregate number of hits for that answer across all answer groups.
8. Click the General Configuration navigation link to return to the General Configuration section. The newly added answers appear in the Current Members section (Figure 7-14). There are different configuration options depending on the type of answer group.
9.
Note
If you are unsure of the purpose of the order, weight, or load threshold settings, refer to Chapter 1, Introducing the Global Site Selector, the Balance Methods section for background information.
weight to each Answer in the answer group using the field and drop-down list provided.
If configuring a VIP type answer group, assign an order, load threshold (LT), and weight to each answer in the answer group using the fields and drop-down lists provided.
Note
Load thresholds, which allow the GSS to make routing decisions based on how heavily a particular resource is being tasked, can only be assigned to answers using the KAL-AP keepalive.
If configuring CRA, no configuration parameters are required.
10. Click the Submit button to save your answer group.
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answer Groups navigation link. The Answer Groups list page appears (see Figure 7-11).
3. Click the Modify Answer Group icon located to the left of the answer group you want to modify. The Modify Answer Group details page appears.
4. In the General Configuration details page (General Configuration navigation link), use the fields provided to modify the name, owner, or comments for the answer group.
5. Click the Add Answers navigation link. Click the check box corresponding to each answer you wish to add to the answer group. If the list of answers on your GSS network spans more than one page, select the answers from only the first page of answers, then click Add Selected, before proceeding to another page of answers.
6. To remove answers from the answer group, click the Remove Answers navigation link. The Remove Answers section of the page appears (Figure 7-15). Click the check box accompanying each answer you wish to remove from the list, then click the Remove Selected button. The deleted answers are removed from the page.
Cisco Global Site Selector Configuration Guide
7. Review your updated answer group under the Current Members section of the General Configuration details page (see Figure 7-14).
8. Click the Submit button to save your changes. You return to the Answer Groups Lists page.
Note
Suspending the answers in one answer group also affects any other answer groups to which those answers belong. If you have already suspended the answers in an answer group, use the activate answers feature to reactivate the answer group.
To suspend or reactivate an answer group:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answer Groups navigation link. The Answer Groups list page appears (see Figure 7-11).
3. Click the Modify Answer Group icon located to the left of the answer group you want to suspend or reactivate. The Modifying Answer Group details page appears (Figure 7-16).
4. To suspend an answer group, click the Suspend Answers button in the upper right corner of the page.
5. If you are reactivating a suspended answer group, click the Activate Answers icon.
6. Click OK to confirm your decision to suspend or reactivate the answers in the answer group. You return to the Answer Groups list page.
7. To view the status of the answers that you suspended or activated, refer to Chapter 10, Monitoring GSS Performance.
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Owners navigation link. The Owners list page appears (Figure 7-17).
3. Click the Modify Owner icon located to the left of the answer group you want to suspend or reactivate. The Modifying Owner details page appears (Figure 7-18).
4.
click the Suspend All Answers in All Groups for This Owner icon in the upper-right corner of the details page.
To reactivate all suspended answers associated with this owner, click the Activate All Answers in All Groups for This Owner icon in the upper-right corner of the details page.
5. Confirm your decision to suspend or activate the answers. Click OK. You return to the Owner list page.
Caution
Deletions of any kind cannot be undone in the primary GSSM. If you might use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.
To delete an answer group:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Answer Groups navigation link. The Answer Groups list page appears.
3. Click the Modify Answer Group icon located to the left of the answer group you want to remove. The Modifying Answer Group details page appears (see Figure 7-16).
4. Click the Delete Answer Group icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the answer group.
5. Click OK to confirm your decision. You return to the Answer Groups list page.
Where to Go Next
Chapter 8, Building and Modifying DNS Rules, describes constructing the DNS rules that govern all global server load balancing on your GSS network.
Chapter 8: Building and Modifying DNS Rules
Note
Before creating your DNS rules, review Chapter 1, Introducing the Global Site Selector, the GSS Architecture section.
This chapter contains the following major sections:
• DNS Rule Configuration Overview
• Building DNS Rules Using the Wizard
• Building DNS Rules Using the DNS Rule Builder
• Modifying DNS Rules
• Suspending a DNS Rule
• Reactivating a DNS Rule
• Suspending or Reactivating All DNS Rules Belonging to an Owner
• Deleting a DNS Rule
• Configuring DNS Rule Filters
• Removing DNS Rule Filters
• Delegation to GSS Devices
Note
Owners, regions, and locations are not created as part of the DNS Rule Wizard and must be created prior to using the wizard.
Figure 8-1
When you use the wizard, the Next and Back buttons step you forward and backward through the rule-building process. Alternatively, use the navigation links under the Wizard Contents heading to move back and forth to any step in the wizard. To access the DNS Rule Wizard, click the DNS Rules tab and then click the Rule Wizard icon. See the Building DNS Rules Using the Wizard section for details.
Because the DNS Rule Builder is launched in its own window, you can leave it open and return to the primary GSSM GUI to review or add answers, answer groups, owners, domain lists, and more. Any changes made to your GSS network configuration while the DNS Rule Builder is open are immediately reflected in the DNS Rule Builder. For example, an answer group added while the DNS Rule Builder window is open automatically appears in the drop-down list of answer groups. To access the DNS Rule Builder, click the DNS Rules tab and then click the Open Rule Builder icon. See the Building DNS Rules Using the DNS Rule Builder section for details.
Building and Modifying DNS Rules: Building DNS Rules Using the Wizard
Owners, regions, and locations are not created as part of the DNS Rule Wizard and must be created prior to using the wizard.
1. From the primary GSSM GUI, click the DNS Rules tab, then the DNS Rules navigation link. The DNS Rules list appears (Figure 8-3).
Figure 8-3 DNS Rules List Page
2. Click the Rule Wizard icon. The DNS Rule Wizard introduction page appears (Figure 8-4). Read this page carefully; it provides an overview of the steps necessary to create a DNS rule.
Figure 8-4
3. Click the Next and Back buttons to step forward or backwards through the DNS rule-building process. Alternatively, use the links under the Wizard Contents table of contents to jump back and forth to any step in the Wizard.
The following procedures describe how to configure the properties for the individual pages in the DNS Rule Wizard.
• DNS Rule Wizard - Source Address List Page
• DNS Rule Wizard - Domain List Page
• DNS Rule Wizard - Answer Group Page
• DNS Rule Wizard - Balance Method Page
• DNS Rule Wizard - Summary
• To have this DNS rule apply to requests originating from any DNS proxy, click the Any Address option, then click Next. See the DNS Rule Wizard - Domain List Page section for information on using the Domain List detail page in the wizard.
• To have this DNS Rule apply to requests originating from a list of DNS proxies that you have not yet configured but now want to configure, click the Manually-entered source address list option, then click Next. See the DNS Rule Wizard - Source Address List Page 2 section for information on using the Source Address List detail page in the wizard.
• To have this DNS rule apply to requests originating from a list of DNS proxies that you have already configured using the Source Address Lists feature, click the Predefined source address list option, then click Next. See the DNS Rule Wizard - Source Address List Page 3 section for information on using the Domain List detail page in the wizard.
1. Enter a name for your Source Address List in the List Name field.
2. Optionally, click the List Owner drop-down list and select a GSS owner name.
3. In the space provided, enter one or more source CIDR-format IP addresses that make up the list. You can enter individual IP addresses or address blocks. If you wish to enter multiple IP addresses, separate the addresses using semicolons. For example:
192.168.1.110/32; 192.168.10.0/24; 192.161.0.0/16
4. Click Next to proceed to the Domain List detail page of the DNS Rule Wizard. See the DNS Rule Wizard - Domain List Page section for information.
Figure 8-7
1. Click the name of the Source Address List in the list to highlight it.
2. Click Next to proceed to the Domain List detail page of the DNS Rule Wizard. See the DNS Rule Wizard - Domain List Page section for information.
Figure 8-8
• To have the DNS rule apply to requests for a hosted domain that you have not yet configured but now want to configure, click the Manually-entered domain list option, then click Next. See the DNS Rule Wizard - Domain List Page 2 section for information on using this Domain List detail page in the wizard.
• To have the DNS Rule apply to requests for a domain from a list of hosted domains already configured using the Domain Lists feature of the primary GSSM, click the Predefined domain list option, then click Next. See the DNS Rule Wizard - Domain List Page 3 section for information on using this Domain List detail page in the wizard.
1. Enter a name for your Domain List in the List Name field.
2. Optionally, click the List Owner drop-down list and select an owner name.
3. In the space provided, enter one or more domain names that make up the list. You can enter complete domain names, or any regular expression that specifies a pattern by which the GSS can match incoming addresses. Any request for a hosted domain that matches that pattern is directed accordingly.
For example, if you had only three hosted domains (www.cisco.com, support.cisco.com, and customer.cisco.com) for which the GSS was responsible, you might want to enter only those domains in your domain list, as follows:
www.cisco.com; support.cisco.com; customer.cisco.com
However, if you had 20 or more possible domains for which the GSS was responsible (www1.cisco.com, www2.cisco.com, and so on), manually entering each address is time consuming. In such a situation, you could create a wildcard expression that would cover all those domains, as follows:
.*\.cisco\.com
4. When you complete entering the domain names, click Next to proceed to the Answer Group detail page of the DNS Rule Wizard. See the DNS Rule Wizard - Domain List Page section for information.
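The source address list and domain list formats described above can be checked offline before they are typed into the wizard. The following Python sketch is an added example, not Cisco code: the function names are hypothetical, and two behaviours are assumptions the guide does not state, namely that a regular expression must match the whole queried name and that an entry counts as a regular expression when it contains a metacharacter other than a dot.

```python
import ipaddress
import re

# Characters that mark a domain-list entry as a regular expression rather than
# a literal name (assumption: the guide does not say how the GSS tells them apart).
REGEX_META = set("*\\[]()+?^$|{}")


def parse_source_address_list(text):
    """Split a semicolon-separated source address list into CIDR blocks.

    Returns (networks, errors); errors holds (entry, reason) for rejected items.
    """
    networks, errors = [], []
    for raw in text.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects a block whose host bits are set
            # (192.168.10.5/24), usually a typo for /32 or for .0/24.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return networks, errors


def parse_domain_list(text):
    """Compile each semicolon-separated domain-list entry to a regex."""
    compiled = []
    for raw in text.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        if REGEX_META & set(entry):
            pattern = re.compile(entry, re.IGNORECASE)
        else:
            # Literal name: escape the dots so "www.cisco.com" cannot
            # match "wwwXcisco.com".
            pattern = re.compile(re.escape(entry.rstrip(".")), re.IGNORECASE)
        compiled.append((entry, pattern))
    return compiled


def rule_matches(dproxy_ip, qname, networks, domains):
    """True when the D-proxy address is in the source address list AND the
    queried name matches a domain-list entry in full (assumed anchoring)."""
    addr = ipaddress.ip_address(dproxy_ip)
    name = qname.rstrip(".")
    in_sources = any(addr in net for net in networks)
    in_domains = any(p.fullmatch(name) for _, p in domains)
    return in_sources and in_domains


def overbroad_if_unanchored(domains, qname):
    """Entries that hit qname only as a substring, not as the whole name."""
    name = qname.rstrip(".")
    return [e for e, p in domains if p.search(name) and not p.fullmatch(name)]


# The guide's own example values.
SOURCES, SOURCE_ERRORS = parse_source_address_list(
    "192.168.1.110/32; 192.168.10.0/24; 192.161.0.0/16")
LITERALS = parse_domain_list(
    "www.cisco.com; support.cisco.com; customer.cisco.com")
WILDCARD = parse_domain_list(r".*\.cisco\.com")

if __name__ == "__main__":
    # Constructed queries: (D-proxy address, requested name).
    for ip, name in [("192.168.10.7", "www1.cisco.com"),
                     ("192.168.10.7", "cisco.com"),
                     ("192.168.10.7", "www1.cisco.com.example.net"),
                     ("10.1.1.1", "www1.cisco.com")]:
        print(ip, name, rule_matches(ip, name, SOURCES, WILDCARD),
              overbroad_if_unanchored(WILDCARD, name))
```

The wildcard from the guide does not cover the bare name cisco.com, and a name such as www1.cisco.com.example.net matches it only if the expression is evaluated unanchored, which is worth confirming on the device before relying on the pattern.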
1. Click the name of the domain list so that its name is highlighted.
2. Click Next to proceed to the Answer Group detail page of the DNS Rule Wizard. See the DNS Rule Wizard - Answer Group Page section for information.
• To have this DNS rule respond to the request for the hosted domain using resources (answers) that you have not yet configured, click the Enter addresses option, then click Next. See the DNS Rule Wizard - Answer Group Page 2 section for information on using this Answer Group detail page in the wizard.
• To have this DNS rule respond to the request for the hosted domain using resources (answers) that you already configured using the Answers and Answer Group features, click the Select an existing answer group option, then click Next. See the DNS Rule Wizard - Answer Group Page 4 section for information on using this Answer Group detail page in the wizard.
1. Enter a name for your answer group in the Group Name field.
2. Optionally, select an owner for the answer group by clicking the Group Owner drop-down list and selecting a GSS owner from the list.
3. Select an answer group type by clicking one of the three option buttons provided. Once you select an answer group type, only answers of that type (VIP, NS, or CRA) can be added to the group.
   • VIP - Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, web server, cache or other geographically dispersed SLBs in a global network deployment.
   • Name Server - A configured DNS name server on your network that can
4. Click Next to begin configuring answers for your answer group. See the DNS Rule Wizard - Answer Group Page 3 section for information on using this Answer Group detail page in the wizard.
1.
identify the VIPs that provide the answers that make up the answer group. Assign an order, load threshold, and weight to each answer in the answer group.
a. Enter the address of each VIP that belongs to the answer group in the IP Address fields provided.
b. Click the Location drop-down list and select an optional Location.
c. If using the Weighted Round Robin balance method, click the Weight drop-down list and assign a weight between 1 and 10 to each answer in the answer group.
d. If using the Ordered List balance method, assign an order to each VIP listed in the answer group using the Order field provided. The number you assign represents the order of the answer in the list. Subsequent VIPs on the list will only be used in the event that preceding VIPs on the list are unavailable. The GSS supports gaps in numbering in an ordered list.
Note
For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
e. If using a KAL-AP-type answer, assign a load threshold between 0 and 255 using the Load Threshold field. If the VIP answer reports a load above the specified threshold, the GSS will deem the device unavailable to handle further requests.
steps to identify the name servers that provide the answers that make up the answer group:
a. Enter the address of each name server that belongs to the answer group in the IP Address fields provided.
b. For each name server IP address, select an optional location by clicking the Location drop-down list.
c. If using the Weighted Round Robin balance method, click the Weight drop-down list and assign a weight between 1 and 10 to each answer in the answer group. The weight is used to create a ratio that the GSS uses when directing requests to each answer. For example, if Answer A has a weight of 10 and Answer B has a weight of 1, Answer A will receive 10 requests for every 1 directed to Answer B.
d. If you are using the Ordered List balance method with this answer group, assign an order to each name server listed in the answer group using the Order drop-down list provided. The number you assign represents the order of the answer in the list. Subsequent name servers on the list will only be used in the event that preceding name servers on the list are unavailable. The GSS supports gaps in numbering in an ordered list.
Note
For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
identify the content routing agents (CRAs) that provide the answers that make up the answer group, then assign a location for each answer in the answer group.
a. Enter the address of each CRA that belongs to the answer group in the IP Address fields provided.
b. For each CRA IP address, select an optional location by clicking on the Location drop-down list.
2. Click Next to proceed to the Balance Method details page of the DNS Rule Wizard. See the DNS Rule Wizard - Balance Method Page section for information.
1. Click the name of the answer group in the list so that the name is highlighted.
2. Click Next to proceed to the Balance Method details page of the DNS Rule Wizard. See the DNS Rule Wizard - Balance Method Page section for information.
If configuring a VIP or name server answer group to respond to requests, choose from the following balance methods for each of your DNS rule clauses:
• Hashed - The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group.
   • By Source Address - The GSS selects the answer based on a hash value created from the source address of the request.
   • By Domain Name - The GSS selects the answer based on a hash value created from the requested domain name.
KAL-AP keepalive. The GSS selects an answer from the list based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.
• Ordered List - The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding responses or answers are unavailable to respond to the request. The GSS supports gaps in numbering in an ordered list.
Note
For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
• Round Robin - The GSS cycles through the list of answers that are
that are available as requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.
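The ordered list, weight, and load threshold rules described in this chapter interact in ways that are easy to misconfigure, in particular the duplicate order number case from the Notes. The following Python model is an added example, not the GSS implementation: the class and function names are hypothetical, the sample answer group is constructed, and the weighted round robin is assumed to be a simple repeating cycle that yields the 10-to-1 ratio the guide describes.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import cycle, islice
from typing import Optional


@dataclass
class Answer:
    name: str
    order: int = 0
    weight: int = 1
    online: bool = True             # keepalive state
    load: Optional[int] = None      # load reported over KAL-AP, if any
    load_threshold: int = 255

    def __post_init__(self):
        # Ranges taken from the guide: weight 1-10, load threshold 0-255.
        if not 1 <= self.weight <= 10:
            raise ValueError(f"{self.name}: weight must be 1-10")
        if not 0 <= self.load_threshold <= 255:
            raise ValueError(f"{self.name}: load threshold must be 0-255")

    def available(self):
        """Offline answers, and answers reporting a load above their
        threshold, are treated as unavailable."""
        if not self.online:
            return False
        return self.load is None or self.load <= self.load_threshold


def shadowed_by_duplicate_order(group):
    """Names of answers that are never used by Ordered List because an
    earlier answer in the group already holds the same order number."""
    seen, shadowed = set(), []
    for answer in group:
        if answer.order in seen:
            shadowed.append(answer.name)
        else:
            seen.add(answer.order)
    return shadowed


def ordered_list_pick(group):
    """Lowest order number that is available; gaps in numbering are fine."""
    shadowed = set(shadowed_by_duplicate_order(group))
    usable = [a for a in group if a.name not in shadowed]
    for answer in sorted(usable, key=lambda a: a.order):
        if answer.available():
            return answer.name
    return None


def weighted_round_robin(group, requests):
    """Count how many of `requests` each available answer receives when
    answers are served in proportion to their weights (assumed cycle)."""
    pool = [a.name for a in group if a.available() for _ in range(a.weight)]
    return Counter(islice(cycle(pool), requests))


# Constructed answer group: vip-a is offline, vip-b and vip-c share order 3.
GROUP = [
    Answer("vip-a", order=1, weight=10, online=False),
    Answer("vip-b", order=3, weight=10, load=90, load_threshold=150),
    Answer("vip-c", order=3, weight=5),
    Answer("vip-d", order=7, weight=1),
]

if __name__ == "__main__":
    print("never used (duplicate order):", shadowed_by_duplicate_order(GROUP))
    print("ordered list answer:", ordered_list_pick(GROUP))
    print("weighted round robin:", dict(weighted_round_robin(GROUP, 32)))
```

In this model vip-c is never returned by the ordered list, so when vip-b exceeds its load threshold the selection falls through to vip-d; running the duplicate check against an exported answer group is a quick way to catch that before a failover depends on it.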
2.
method.
Enter a last gasp address in the Last Gasp field provided. This address serves as the answer in the event that no content routing agents reply to the request. If you specify a last gasp address, the GSS automatically:
   • Creates an answer for this address
   • Creates an answer group that contains the last gasp answer
   • Adds a second balance clause to the DNS rule with the suffix -GROUP and uses ordered list as the balance method.
3. Click Next to proceed to the Summary page of the DNS Rule Wizard. An overview of your rule is provided that supplies information on the selected source address list, domain list, answer group, and balance method. See the DNS Rule Wizard - Summary section for information.
Using the fields provided on the Summary page, complete your DNS rule as follows:
1. Enter a name for your DNS Rule in the Rule Name field.
2. Optionally, associate the rule with a GSS owner by selecting an owner name from the Rule Owner drop-down list.
3. Indicate what type of DNS queries applies to this rule by selecting a query type from the Match DNS Query Type drop-down list:
   • All - The DNS rule is applied to all DNS queries originating from a host on the configured source address list. For any request other than an A-record query (for example, MX or CNAME record), the GSS forwards the request to a name server configured in one of the three Balance Clauses. When the GSS receives the response from the name server, it then delivers the response to the requesting client D-proxy.
Note
When you select All as the Match DNS Query Type you must configure one Balance Clause to include a name server-type answer group.
record) requests originating from a host on the configured source address list. For any request with an unsupported query types (for example, MX, PTR, or CNAME record) that match this DNS rule, those query types will be dropped and not answered by the GSS. For an AAAA query with a configured host domain, the GSS returns a NODATA (No Answer, No Error) response in order for the requester to then make a subsequent A-record query.
4.
Select an operating status for the rule from the Rule Status drop-down list:
ActiveThe DNS rule immediately begins processing requests SuspendedThe DNS rule is listed on the DNS Rules list page, but has
a status of suspended. The DNS rule is not used to process any incoming DNS queries.
5.
Click Finish to save your DNS Rule. You return to the DNS Rules list page.
8-26
OL-4327-01
Chapter 8
Building and Modifying DNS Rules Building DNS Rules Using the DNS Rule Builder
1. From the primary GSSM GUI, click the DNS Rules tab, then the DNS Rules navigation link. The DNS Rules list appears (Figure 8-17).
2. Click the Open Rule Builder icon. The DNS Rule Builder page opens in a separate window (Figure 8-18).
3. In the Rule Name field, enter a name for your new DNS rule. Rule names cannot contain spaces.
4. From the Rule Owner drop-down list, choose a contact with whom the rule will be associated. The default Rule Owner is System.
5. From the Source Address List drop-down list, choose a source address list from which requests will originate. The DNS rule is applied only to requests coming from one of the addresses in the source address list. If you do not choose a source address list, the GSS automatically uses the default list Anywhere.
6. From the Domain List drop-down list, choose a domain list to which DNS queries will be addressed. The DNS rule is applied only to requests coming from one of the addresses in the source address list and for a domain on the specified domain list.
7. From the Match DNS Query Type drop-down list, indicate which type of DNS queries the rule applies to:
All - The DNS rule is applied to all DNS queries originating from a host on the configured source address list. For any request other than an A-record query (for example, MX or CNAME record), the GSS forwards the request to a name server configured in one of the three Balance Clauses. When the GSS receives the response from the name server, it delivers the response to the requesting client D-proxy.
Note
When you select All as the Match DNS Query Type, you must configure one Balance Clause to include a name server-type answer group.
record) requests originating from a host on the configured source address list. Any request with an unsupported query type (for example, MX, PTR, or CNAME record) that matches this DNS rule is dropped and not answered by the GSS. For an AAAA query with a configured host domain, the GSS returns a NODATA (No Answer, No Error) response so that the requester then makes a subsequent A-record query.
8.
method pairing from the drop-down list. This is the first effort the GSS uses to select an answer for the DNS query.
Select the balance method for the answer group from the drop-down list.
Your choice of balance methods changes based on the type of answer group (Name Server, VIP, or CRA) you selected.
9. If you selected a VIP or name server answer group to respond to requests, choose from the following balance methods for each of your DNS rule clauses:
Note
If you selected a CRA-type answer group, the balance method is automatically set to Boomerang.
Hashed - The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods and allows you to apply one or both of them to the specified answer group.
By Source Address - The GSS selects the answer based on a hash value created from the source address of the request.
By Domain Name - The GSS selects the answer based on a hash value created from the requested domain name.
KAL-AP keepalive. The GSS selects an answer from the list based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.
Ordered List - The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports gaps in numbering in an ordered list.
Note
For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
Round Robin - The GSS cycles through the list of answers that are available as requests are received.
Weighted Round Robin - The GSS cycles through the list of answers that are available as requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.
Cisco Global Site Selector Configuration Guide OL-4327-01
proxy caches the response sent from the GSS and considers it to be a valid answer.
Return Record Count - The number of address records (A-records) that you want the GSS to return for requests that match the DNS rule.
11. If you selected a CRA-type answer group, configure the following
proxy caches the response sent from the GSS and considers it to be a valid answer.
Fragment Size - The preferred size of the boomerang race response that
response packet and used to evaluate CRA bandwidth as well as latency when making load balancing decisions.
IP TTL - The maximum number of network hops that should be utilized
data sent between the GSS boomerang server and CRAs. This key must be the same for each configured CRA.
Max Prop. Delay - The maximum propagation delay: the maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS forwards a DNS request to a CRA.
Server Delay - The maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS returns the address of its last gasp server as a response to the requesting name server.
12. If you wish, repeat Step 8 through Step 10 to select additional answer group/balance method pairings for Balance Clause 2 and Balance Clause 3. These answer pairs are only applied if the preceding clause is unable to provide an answer for the DNS query.
13. Click Save to save your DNS rule. You return to the DNS Rules list page. The DNS rule is now active and processing incoming DNS requests.
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list appears.
2. Click the Modify DNS Rule Using Rule Builder Interface button located to the left of the DNS rule you want to modify. The Modify DNS Rule details page opens in a separate window.
3. Make modifications as necessary to the DNS rule. See Building DNS Rules Using the DNS Rule Builder for details about using the DNS Rule Builder.
4. Click Save when you complete your modifications. You return to the DNS Rules list page.

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list appears.
2. Click the Modify DNS Rule Using Wizard button located to the left of the DNS rule you want to modify. The Modify DNS Rule Wizard appears.
3. Make modifications as necessary to the DNS rule in the DNS Rule Wizard. See Building DNS Rules Using the Wizard for details about using the DNS Rule Wizard.
4. Click Finish when you complete your modifications. You return to the DNS Rules list page.
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule you want to suspend. The DNS Rule Builder page appears in a separate browser window.
3. Click the Suspend icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to suspend the DNS rule.
4. Click OK to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Suspended.

1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Wizard icon located to the left of the DNS rule you want to suspend. The DNS Rule Wizard appears.
3. Click the Summary navigation link in the Wizard Contents table of contents. The Summary page appears (see Figure 8-16).
4. From the Rule Status drop-down list, select the Suspended operating status for the DNS rule.
5. Click Finish to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Suspended.
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule you want to activate. All suspended DNS rules have a status of Suspended in the list. The DNS Rule Builder window appears.
3. Click the Activate icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to activate the DNS rule.
4. Click OK to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Active.

To reactivate operation of a suspended DNS rule from the DNS Rule Wizard:
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Wizard icon located to the left of the DNS rule you want to suspend. The DNS Rule Wizard appears.
3. Click the Summary navigation link in the Wizard Contents table of contents. The Summary page appears (see Figure 8-16).
4. From the Rule Status drop-down list, select the Active operating status for the DNS rule.
5. Click Finish to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Active.
Building and Modifying DNS Rules Suspending or Reactivating All DNS Rules Belonging to an Owner
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Owners navigation link. The Owners list page appears (Figure 8-19).
3. Click the Modify Owner icon located to the left of the owner responsible for the DNS rules you want to suspend or reactivate. The Modifying Owner details page appears (Figure 8-20).
4.
All DNS Rules for This Owner icon in the upper-right corner of the details page.
To reactivate all suspended DNS rules associated with this owner, click the Activate All DNS Rules for This Owner icon in the upper-right corner of the details page.
5. Confirm your decision to suspend or activate the answers. Click OK. You return to the Owner list page.
Caution
Deletions of any kind cannot be undone in the GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting for details.
To delete a DNS rule:
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule you want to delete. The DNS Rule Builder window appears.
3. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the DNS rule.
4. Click OK to confirm your decision. You return to the DNS Rule list page.
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Filter DNS Rule List icon. The Configure DNS Rule List Filter details page appears (Figure 8-21).
3. To filter your list by any of the properties displayed on the Filter List page, enter a complete or partial (wildcard) value into the fields provided. This page is divided into Source Address List Filter Parameters, Domain List Filter Parameters, Balance Clause Filter Parameters, and DNS Rule Filter Parameters. The GSS supports filtering combinations in the properties of all four sections of the details page. Table 8-1 lists the parameters that can be used to filter your DNS rules list and provides explanations and sample entries for each parameter.
Table 8-1

| Parameter Name | Description | Selection Examples |
|---|---|---|
| | Name assigned to a source address list associated with the DNS rule | VIP1, VIP*, NameServerList |
| IP Address Block | IP address or address block assigned to a source address list associated with the DNS rule | 192.168.110.100, 192.168.* |
| Owner | Name of the owner assigned to the source address list associated with the DNS rule | Any, System, Education |
| Name | Name assigned to a domain list associated with the DNS rule | CiscoSystems, Cisco* |
| Domain | Domain included on the domain list associated with the DNS rule | www.cisco.com, support.cisco.com, www.* |
| Owner | Name of the owner assigned to the domain list associated with the DNS rule | Any, System, Sales |
| | Name assigned to an answer group associated with the DNS rule | VIP_answer_Group_1, VIP_answer_Group_2, VIP_* |
| | Name of the owner assigned to the answer group associated with the DNS rule | Any, System, HR |
| | Type of answer group associated with the DNS rule | CRA, Name Server, VIP |
| Contains Answer | Answer belonging to an answer group associated with the DNS rule | 192.161.1.2, 192.168.* |
| Balance Method | Type of balance method (such as boomerang and ordered list) associated with the DNS rule | Boomerang, Hashed, Least Loaded, Order List, Round-Robin, Weighted Round-Robin |
| Name | Name of the DNS rule | |
| Owner | Name of the owner assigned to the DNS rule | |
| Status | | |
4. Click Submit to confirm your decision. The DNS Rule list page reappears. The displayed DNS rules are those DNS rules that match your search criteria. If no DNS Rule parameters match the parameters that you used to filter the list, a message appears:
No DNS rules match the filter specification.
From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears. Click the Show All DNS Rules icon. The DNS Rule Filter list page refreshes, displaying all configured DNS rules.
Note
You should carefully review and perform a test of your GSS deployment before making changes to your DNS server configuration that will affect your public or enterprise network configuration.
Modifying your DNS servers to accommodate your GSS devices involves the following steps:
1. Adding name server (NS) records to your DNS zone configuration file that delegate your domain or subdomains to one or more of your GSSs
2. Adding glue address (A) records to your DNS zone configuration file that map the DNS name of each of your GSS devices to an IP address
Example 8-1 provides an example of a DNS zone configuration file for a fictitious cisco.com domain that has been modified to delegate primary DNS authority for three domains to two GSS devices. Relevant lines are shown in bold type. In Example 8-1, the delegated domains are:
gss1.cisco.com gss2.cisco.com
Example 8-1
cisco.com. IN SOA ns1.cisco.com. postmaster.cisco.com. (
        2001111001 ; serial number
        36000      ; refresh 10 hours
        3600       ; retry 1 hour
        3600000    ; expire 42 days
        360000     ; minimum 100 hours
        )
; Corporate Name Servers for cisco.com
        IN NS ns1.cisco.com.
        IN NS ns2.cisco.com.
ns1     IN A 192.168.157.209
ns2     IN A 192.168.150.100
; Sub-domains delegated to GSS Network
www     IN NS gss1.cisco.com.
        IN NS gss2.cisco.com.
media   IN CNAME www
ftp     IN NS gss1.cisco.com.
        IN NS gss2.cisco.com.
; Glue A records with GSS interface addresses
; Cisco GSS Dallas
gss1    IN A 172.16.2.3
; Cisco GSS London
gss2    IN A 192.168.3.6
. . .
When reviewing this zone file, remember that there are any number of possible GSS deployments that you can use, some of which may suit your needs and your network better than the example listed. For example, instead of having all subdomains shared by all GSS devices, you may want to allocate specific subdomains to specific GSSs.
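A pre-deployment check for the two steps above (NS delegation plus glue A records), as an added example that is not part of the Cisco guide: it reads a zone fragment modelled on Example 8-1 and reports NS targets inside the zone that have no address record, and names that carry a CNAME alongside other records. The parser is a simplified one written for this example; the function names and the origin argument are assumptions of the example.

```python
"""Check that NS targets inside a zone have address records in that zone.

Simplified zone-file reader written for this example. It handles only the
constructs used in Example 8-1: ';' comments, a parenthesised SOA, blank
owner fields that inherit the previous owner, and IN SOA/NS/A/CNAME records.
"""

# Constructed sample modelled on Example 8-1.
SAMPLE_ZONE = """\
cisco.com. IN SOA ns1.cisco.com. postmaster.cisco.com. (
        2001111001 ; serial number
        36000      ; refresh 10 hours
        3600       ; retry 1 hour
        3600000    ; expire 42 days
        360000 )   ; minimum 100 hours
; Corporate Name Servers for cisco.com
        IN NS ns1.cisco.com.
        IN NS ns2.cisco.com.
ns1     IN A 192.168.157.209
ns2     IN A 192.168.150.100
; Sub-domains delegated to GSS Network
www     IN NS gss1.cisco.com.
        IN NS gss2.cisco.com.
media   IN CNAME www
ftp     IN NS gss1.cisco.com.
        IN NS gss2.cisco.com.
; Glue A records with GSS interface addresses
gss1    IN A 172.16.2.3
gss2    IN A 192.168.3.6
"""


def _logical_lines(text):
    """Yield records with comments removed and ( ... ) groups joined."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf += (" " if buf else "") + line.replace("(", " ").replace(")", " ")
        if depth <= 0:
            yield buf
            buf, depth = "", 0


def _fqdn(name, origin):
    """Expand a relative owner or target name against the zone origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, record_type, rdata_tokens) tuples."""
    origin = origin.lower()
    records, owner = [], origin
    for line in _logical_lines(text):
        tokens = line.split()
        if not line[0].isspace():        # a new owner name starts the line
            owner = _fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                # skip optional TTL and class
        if tokens:
            records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def check_delegations(records, origin):
    """Report delegations, in-zone NS targets lacking A/AAAA, CNAME clashes."""
    origin = origin.lower()
    addresses = {o for o, t, _ in records if t in ("A", "AAAA")}
    types_by_owner, delegations, missing = {}, {}, set()
    for owner, rtype, rdata in records:
        types_by_owner.setdefault(owner, set()).add(rtype)
        if rtype != "NS" or not rdata:
            continue
        target = _fqdn(rdata[0], origin)
        if owner != origin:              # NS below the apex is a delegation
            delegations.setdefault(owner, []).append(target)
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in addresses:
            missing.add((owner, target))
    conflicts = sorted(o for o, types in types_by_owner.items()
                       if "CNAME" in types and len(types) > 1)
    return {
        "delegations": {o: sorted(t) for o, t in delegations.items()},
        "missing_glue": sorted(missing),
        "cname_conflicts": conflicts,
    }


if __name__ == "__main__":
    report = check_delegations(parse_zone(SAMPLE_ZONE, "cisco.com."), "cisco.com.")
    for name, targets in report["delegations"].items():
        print(f"{name} delegated to {', '.join(targets)}")
    for owner, target in report["missing_glue"]:
        print(f"MISSING ADDRESS: {target} (NS for {owner})")
    for owner in report["cname_conflicts"]:
        print(f"CNAME CONFLICT: {owner}")
```

Run it against a copy of the edited zone file before reloading the name server; an empty missing_glue list means every GSS named in an NS record resolves from the zone itself.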
Chapter 9
Performing Advanced GSS Configuration Tasks
Configuring the Primary GSSM Graphical User Interface
Printing and Exporting GSSM Data
Configuring GSS Security
Configuring SNMP on Your GSS Network
Backing Up the GSSM
Upgrading the Cisco GSS Software
Downgrading and Restoring Your GSS Devices
Viewing Third-Party Software Versions
Primary GSSM Error Messages

Logically Removing a GSS or Standby GSSM from the Network
Changing the GSSM Role in the GSS Network
Modifying Network Configuration Settings of a GSS
Changing the Startup and Running Configuration Files
Loading the Startup Configuration from an External File

Move a GSS device between GSS networks
Send the GSS or standby GSSM out for repair or replacement
You should logically remove a GSS or standby GSSM from the network before physically removing or replacing it.
Note
Do not logically remove the primary GSSM from the GSS network. If you need to take the primary GSSM offline for either maintenance or repair, temporarily switch the roles of the primary and standby GSSMs as outlined in the Changing the GSSM Role in the GSS Network section.
To logically remove a GSS or standby GSSM from the network, follow these steps. The first four steps in the instructions assume that the GSS or standby GSSM is operational. If that is not the case, proceed directly to step 5.
1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The CLI prompt appears.
2. At the CLI prompt, enable privileged EXEC mode and then global configuration mode on the device. For example:
localhost.localdomain> enable
3. If possible, use the copy startup-config disk command to back up the startup configuration file on the GSS or standby GSSM device. For example:
localhost.localdomain# copy startup-config disk configfile
4. Use the gss stop command to stop the GSS software running on the GSS. For example:
localhost.localdomain# gss stop
5. Use the gss disable command to disable the selected GSS and remove any existing configuration, including deleting the GSSM database from the GSS device. This option returns the GSS to the initial, disabled state. If the GSS device is to be powered down, also enter the shutdown command. For example:
localhost.localdomain# gss disable
localhost.localdomain# shutdown
6. To logically remove a GSS or a standby GSSM from the network, access the primary GSSM graphical user interface and click the Resources tab.
7. Click the Global Site Selectors navigation link. The Global Site Selectors list page appears.
8. From the Global Site Selectors list, click the Modify GSS icon located to the left of the GSS device you want to delete. The Modifying GSS details page appears.
9. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the GSS device.
10. Click OK to confirm your decision. You return to the Global Site Selectors list page with the deleted device removed from the list.
For details on physically removing or replacing a GSS from your network, refer to the Cisco Global Site Selector Hardware Installation Guide. To add a GSS or standby GSSM back into the GSS network, follow the procedures outlined in Chapter 2, Setting Up Your GSS. After you configure the GSS or standby GSSM, you may reload the backup copy of the GSS device startup configuration settings (see the Loading the Startup Configuration from an External File section).
1. Log on to the CLI of the primary GSSM, following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The CLI prompt appears.
2.
3. If you have not already done so, perform a full backup of your primary GSSM to preserve your current network and configuration settings (see the Performing a Full GSSM Backup section).
4. Configure the current primary GSSM as the standby GSSM. Use the gssm primary-to-standby command to place the primary GSSM in standby mode. For example:
gssm1.yourdomain.com# gssm primary-to-standby
5. If the GSSM is to be powered down, also enter the shutdown command. For example:
gssm1.yourdomain.com# shutdown
6. Exit from the CLI of the GSSM.
7. Log on to the standby GSSM. You cannot log in to the GUI of the old primary GSSM once it begins acting in a standby capacity.
8. Enable privileged EXEC mode. For example:
gssm2.yourdomain.com> enable
9. Configure the current standby GSSM to be the temporary primary GSSM for your GSS network. Use the gssm standby-to-primary command to enable your standby GSSM and make it the primary GSSM. For example:
gssm2.yourdomain.com# gssm standby-to-primary
The standby GSSM begins to function in its new role as the primary GSSM.
Note
The configuration changes do not take effect immediately. It can take up to five minutes for the other GSS devices in the network to learn about the new primary GSSM.
10. Exit privileged EXEC mode. The interim primary GSSM is now fully
Note
If your original primary GSSM has been replaced by Cisco Systems, contact the Cisco Technical Assistance Center (TAC).
1. Log on to the CLI of the interim primary GSSM. The CLI prompt appears.
2. Enable privileged EXEC mode. For example:
gssm2.yourdomain.com> enable
3. Perform a full backup of the interim primary GSSM to preserve the current network and configuration settings (see the Performing a Full GSSM Backup section).
4. Use the gssm primary-to-standby command to place the current interim primary GSSM in standby mode and resume its role in the GSS network as the standby GSSM. For example:
gssm2.yourdomain.com# gssm primary-to-standby
5. Exit from the CLI of the standby GSSM.
6. Log on to the CLI of the primary GSSM from the original network deployment. The CLI prompt appears.
7. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
8. Use the gssm standby-to-primary command to return the GSS device to its role as the primary GSSM in the GSS network. For example:
gssm1.yourdomain.com# gssm standby-to-primary
1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
3. Use the gss stop command to stop your GSS servers. For example:
gssm1.yourdomain.com# gss stop
4.
5. Use the no form of the network configuration commands to erase configuration settings. For example, to change the IP address assigned to a GSS interface, you would enter:
gssm1.yourdomain.com(config-eth0)# no ip address 10.89.3.24 255.255.255.0
gssm1.yourdomain.com(config-eth0)# exit
gssm1.yourdomain.com(config)#
Once you have removed a GSS device setting, you can reregister it with the primary GSSM by following the instructions in Chapter 2, Setting Up Your GSS.
Interface - Ethernet interface being used
IP address - Network address and subnet mask assigned to the interface
GSS communications - Which interface (Ethernet 0 or Ethernet 1) is designated for handling GSS-related communications on the device
GSS TCP keepalives - Which interface (Ethernet 0 or Ethernet 1) is designated for outgoing keepalives of type TCP and HTTP HEAD
Host name - Host name assigned to the GSS
IP default gateway - Network gateway used by the device
IP name server - Network DNS server being used by the device
IP routes - All static IP routes
SSH enable - Whether SSH is enabled on the device
Telnet enable - Whether Telnet is enabled on the device
FTP enable - Whether FTP is enabled on the device
Startup configuration - The default network configuration. These configuration settings are loaded each time the device is booted.
Running configuration - The network configuration currently being used by the GSS device.
Usually, the running configuration and the startup configuration file are identical. However, once a configuration parameter is modified for any reason, the two must be reconciled using the CLI in one of the following ways:
The running configuration can be saved as the new startup configuration using the copy running-config startup-config command. Any changes to the network configuration of the device are retained and used when the device is next rebooted.
The startup configuration can be maintained. In this case, the running configuration is used up until the point at which the device is rebooted, at which time the running configuration is discarded and the startup configuration is restored.
1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears. By default, the host name for GSS devices is localhost.localdomain. This name changes once you configure the host name for the device.
2. Enable privileged EXEC mode and then global configuration mode on the device. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com# config
gssm1.yourdomain.com(config)#
3. Make any desired changes to the network configuration of the device. For example, if you wanted to change the device host name, you would use the following command:
gssm1.yourdomain.com(config)# hostname new.yourdomain.com
new.yourdomain.com(config)#
4. Use the copy running-config startup-config command to install the current running configuration as the new startup configuration for the device. For example:
new.yourdomain.com(config)# copy running-config startup-config
5. Alternatively, use the copy command to achieve the same result, copying the running configuration to the startup configuration. For example:
new.yourdomain.com(config)# copy running-config startup-config
1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2.
3. Use the copy command to install a new startup configuration from a file. For example:
gssm1.yourdomain.com# copy disk startup-config filename
where filename is the name of the file containing the startup configuration settings.
4. Alternatively, copy the current startup configuration to a file for use on other devices or for backup purposes. For example:
gssm1.yourdomain.com# copy startup-config disk filename
where filename is the name of the file created to contain the startup configuration settings.
GUI Session Inactivity Timeout Enable - Check box that enables or disables the use of the GUI Session Inactivity Timeout function.
GUI Session Inactivity Timeout - Number of minutes of inactivity that must pass before your primary GSSM GUI session is automatically terminated
GSS Reporting Interval - Interval (in seconds) at which GSS devices report their status to the primary GSSM
Monitoring Screen Refresh Interval - Interval (in seconds) at which the primary GSSM GUI refreshes displayed content
GSS Administration and Troubleshooting Configuring the Primary GSSM Graphical User Interface
1. From the primary GSSM GUI, click the Tools tab.
2. Click the GUI Configuration navigation link. The GUI Configuration details page appears (Figure 9-1) listing fields for modifying your GUI session settings.
Figure 9-1 GUI Configuration Details Page
3.
the primary GSSM automatically terminates the GUI session, click the GUI Session Inactivity Timeout Enable check box and enter a number in the GUI Session Inactivity Timeout field. This value is the length of time, in minutes, that passes without any user activity before the session is terminated.
To adjust the amount of time that must pass before GSS devices report their status to the primary GSSM, enter a number in the GSS Reporting Interval field. This value is the length of time, in seconds, that passes between reports.
To increase the length of time that passes between automatic screen refreshes when viewing GSS information from the primary GSSM GUI, enter a number in the Monitoring Screen Refresh Interval field. This value is the length of time, in seconds, that passes between automatic screen refreshes.
4. Click Submit to update the primary GSSM. The Transaction Complete icon appears in the lower left corner of the configuration area to inform you that the GUI session has been successfully updated.
From the primary GSSM GUI, navigate to the list page or details page containing the data you wish to export or print. Perform one of the following:
To export the data, click the Export button. You are prompted to either save the exported data as a comma-delimited file or open it using your designated CSV editor.
To print the data, click the Print button. The Print dialog box on your
Note
If you need to export the output of all configured fields from the primary GSSM GUI from the GSS CLI (intended for use by a Cisco technical support representative), use the show tech-support config command. Refer to the Cisco Global Site Selector Command Reference.

Creating and Managing GSSM Login Accounts
Creating and Managing GSS CLI Login Accounts
Segmenting GSS Traffic by Interface
Filtering GSS Traffic Using Access Lists
Deploying GSS Devices Behind Firewalls
Note
Only users who log in to the primary GSSM GUI as administrator have the privileges to create, modify, or remove a GSSM GUI account.
This section includes the following procedures:
Creating a GSSM GUI User Account
Modifying a GSSM GUI User Account
Removing a GSSM GUI User Account
Changing Your GSSM GUI Password

1. From the primary GSSM GUI, click the Tools tab.
2. Click the User Administration navigation link. The GUI Configuration list page appears (Figure 9-2).
Figure 9-2 GSSM User Administration List Page
3. Click the Create User icon. The Creating New User details page appears (Figure 9-3).
Figure 9-3
4. In the User Account area, enter the login name for the new account in the Username field. Usernames can contain spaces.
5. In the Password field, enter the alphanumeric password for the new account.
6. In the Re-type Password field, reenter the password for the new account.
7. In the Personal Information area, enter the user's first name in the First Name field.
8. In the Last Name field, enter the user's last name. The first and last name will be displayed next to the user's login whenever the user logs on to the primary GSSM.
9.
account
10. Click Submit to create your new user account. You return to the User
From the primary GSSM GUI, click the Tools tab. Click the User Administration navigation link. The GUI Configuration list page appears (see Figure 9-2) listing existing user accounts. Click the Modify User icon to the left of the user account that you wish to modify. The Modifying User details page appears (see Figure 9-3) listing fields for modifying your GUI session settings. Use the fields provided to modify the users account, as follows:
UsernameChange the accounts login name. Password/Retype passwordModify the login password for the
4.
account; new passwords must be entered identically in both fields before they are accepted.
First nameModify the users first name. Last nameModify the users last name. Job titleModify the users listed position within your organization. DepartmentModify the users department. PhoneModify the users business phone number. E-mailModify the users e-mail address. CommentsModify comments on the user account.
9-16
OL-4327-01
Chapter 9
5.
Click Submit to save changes to the account. You return to the GSSM User Administration list page.
From the primary GSSM GUI, click the Tools tab. Click the User Administration navigation link. The GUI Configuration list page appears (see Figure 9-2) listing existing user accounts. Click the Modify User icon to the left of the user account that you wish to remove. The Modifying User details page appears (see Figure 9-3), displaying that users account information.
Note
You cannot delete the admin account.
4. Click the Delete icon. The software prompts you to confirm your decision to permanently delete the user.
5. Click OK. You return to the GSSM User Administration list page with the user account removed.
Note
If you change the Administration password that is used to log in to the primary GSSM GUI, and then either lose or forget the password, you can reset the password back to default by entering the reset-gui-admin-password CLI command. Refer to the Cisco Global Site Selector Command Reference for details on using this command. To change your account password:
1.
2.
Click the Change Password navigation link. The Change Password detail page (Figure 9-4) appears, displaying your account name in the Username field.
Figure 9-4 GSSM Change Password Details Page
3. In the Old Password field, enter your existing GSSM login password.
4. In the New Password field, enter the string that you would like to use as the new GSSM login password.
5. In the Re-type New Password field, enter the new password string a second time. This is used to verify that you have entered your password correctly.
6. Click Submit to update your login password.
Only the admin account can create and manage GSS logins. This section includes the following procedures:
Creating a GSS User Account Using the CLI
Modifying a GSS User Account Using the CLI
Deleting a GSS User Account Using the CLI
Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears. Enable privileged EXEC mode and then global configuration mode on the device. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#
3.
Use the username command to create and configure your new login account and then press Enter to create the account. For example:
gss1.yourdomain.com(config)# username paulr password mypwd privilege admin
User paulr added.
For a login name, enter an unquoted alphanumeric text string with no spaces and a maximum of 32 characters. Login names must start with an alpha character (for example, A-Z or a-z). The GSS does not support usernames that begin with a numerical value. For a password, enter an unquoted text string with no spaces and a maximum length of 8 characters. To create an administrative account, set the privilege level to admin. To create a user account, set the privilege level to user.
4.
Repeat step 3 for each new user account that you wish to create.
Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears. Enable privileged EXEC mode and then global configuration mode on the device. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#
3.
Use the username command to modify your new login account and then press Enter to input the new values. For example:
gss1.yourdomain.com(config)# username paulr password newpwd privilege user
User paulr exists, change info? [y/n]: y
4.
Repeat step 3 for each new user account that you wish to modify.
Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2.
Enable privileged EXEC mode and then global configuration mode on the device. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#
3.
Use the username command to delete an existing login account. For example:
gss1.yourdomain.com(config)# username paulr delete
User paulr removed
Note
You cannot delete the admin account.
4. Repeat step 3 for each new user account that you wish to delete.
Note
If you change the Administration password that is used to log in to the primary GSSM GUI, and then either lose or forget the password, you can reset the password back to default by entering the reset-gui-admin-password CLI command. Refer to the Cisco Global Site Selector Command Reference for details on using this command. To reset the CLI administrator account password:
1.
Attach an ASCII terminal to the GSS console port, following the instructions in the Connecting Cables section of Chapter 3 in the Cisco Global Site Selector Hardware Installation Guide. If the GSS device is currently up and running, enter the reload command to halt and perform a cold restart of your GSS device. For example:
Host# reload
2.
3.
After the BIOS boots and the LILO boot: prompt appears, enter ? (a question mark) to determine which software version the GSS device is running and to enter boot mode.
LILO boot: ?
GSS-<software_version>
boot:
At the LILO boot: prompt, press Tab or ? to view a listing of the available GSS software images.
Note
Enter the ? command within a few seconds of seeing the LILO boot prompt or the GSS device continues to boot. If you miss the time window to enter the ? command, wait for the GSS to properly complete booting, cycle power to the GSS device, and try again to access the LILO boot prompt.
At the boot: prompt, enter GSS-<software_version> RESETADMINCLIPW=1. Use care when entering this command; this CLI command is case-sensitive. For example:
boot: GSS-1.1.0 RESETADMINCLIPW=1
4.
If you successfully reset the administrator password, the Resetting admin account CLI password message appears on the console terminal while the GSS device reboots. If the message does not appear, repeat steps 2 through 4 again. Pay close attention when you enter the GSS-<software_version> RESETADMINCLIPW=1 command.
Note
In the case of inter-GSS communications, GSS devices listen for configuration and status updates on one interface only, which is the first Ethernet interface (eth0) by default. You can use the gss-communications command to configure which interface is used for interdevice communications on the GSS network. Refer to the Cisco Global Site Selector Command Reference for instructions on using the gss-communications command.
However, for security reasons you may wish to limit GSS traffic to one interface, or segment traffic by constraining a certain type of traffic on a designated interface. Using the access-list and access-group commands discussed in the Filtering GSS Traffic Using Access Lists section, you can use access lists to limit traffic on either of your GSS interfaces. For example, network management services like Telnet, SSH, and FTP listen on all active interfaces once they are enabled. To force these remote management servers to listen on only the second Ethernet interface, you would use the following CLI commands:
gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#
gss1.yourdomain.com(config)# access-list alist1 permit tcp any destination-port ftp
gss1.yourdomain.com(config)# access-list alist1 permit tcp any destination-port ssh
gss1.yourdomain.com(config)# access-list alist1 permit tcp any destination-port telnet
gss1.yourdomain.com(config)# access-group alist1 interface eth1
By default, the above commands would limit the second interface (eth1) to the specified traffic. All other traffic to that interface would be refused. To deny the same traffic on the first interface (eth0), you would use the following commands:
gss1.yourdomain.com(config)#
gss1.yourdomain.com(config)# access-list alist1 deny tcp any destination-port ftp
gss1.yourdomain.com(config)# access-list alist1 deny tcp any destination-port ssh
gss1.yourdomain.com(config)# access-list alist1 deny tcp any destination-port telnet
gss1.yourdomain.com(config)# access-group alist1 interface eth0
Destination port of the packets
Requesting host
Protocol used (TCP, User Datagram Protocol [UDP], or ICMP)
These packet-filtering tools, called access lists, are created and maintained from the GSS CLI. Access lists are essentially collections of filtering rules that are created using the access-list CLI command and can be applied to one or both of your GSS interfaces using the access-group command. Each access list is a sequential collection of permit and deny conditions that apply to a source network IP address to control whether routed packets are forwarded or blocked at the GSS. The GSS examines each packet to determine whether to forward or drop the packet based on the criteria you specified within the access lists. Note that each additional criteria statement that you enter is appended to the end of the access list statements. Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list. The order of access list statements is important. When the GSS is deciding whether to forward or block a packet, the software tests the packet against each criteria statement in the order the statements were created. After a match is found, no more criteria statements are checked. If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries. For detailed information on access list syntax options, refer to the access-list, access-group, and show access-list commands in the Cisco Global Site Selector Command Reference.
Creating an Access List
Associating an Access List with a GSS Interface
Disassociating an Access List from a GSS Interface
Adding Rules to an Access List
Removing Rules from an Access List
Viewing Access Lists
Details FTP, SSH, and Telnet server services on the GSS Return traffic of FTP and Telnet GSS CLI commands GSS software reverse lookup and dnslookup queries Network Time Protocol (NTP) updates Simple Network Management Protocol (SNMP) traffic
Table 9-1
Details Primary GSSM GUI CRA keepalives Inter-GSS periodic status reporting Inter-GSS communication Inter-GSS communication Inter-GSS communication Inter-GSS communication KAL-AP keepalives
Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
Note
You need access to the CLI of your GSS devices to create access lists.
2. Enable privileged EXEC mode and access configuration mode. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#
3.
Use the access-list command to create your first access list. For example, to configure an access list named alist1 containing a rule that allows any traffic using the TCP protocol on port 443 on the GSS device, enter the following:
gss1.yourdomain.com# config
gss1.yourdomain.com(config)# access-list alist1 permit tcp any destination-port eq 443
Refer to the Cisco Global Site Selector Command Reference for an explanation of access-list command syntax.
4.
Repeat step 3 for each access list that you wish to add to this device, or see the Adding Rules to an Access List section for instructions on adding more rules to an access list that already exists.
Note
You need access to the CLI of your GSS devices to associate access lists with GSS interfaces. To associate access lists with a GSS interface:
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode and access configuration mode. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#
3.
Use the access-group command to associate an access list with the GSS interface. For example, to associate the access list named alist1 with the first interface on your GSS device, you would enter the following:
gss1.yourdomain.com(config)# access-group alist1 interface eth0
Refer to the Cisco Global Site Selector Command Reference for an explanation of access-group command syntax.
4.
Repeat step 3 for each access list that you wish to associate with an interface.
Note
You need to be able to access the CLI of your GSS devices to disassociate access lists from GSS interfaces. To disassociate an access list from an interface:
1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode and access configuration mode. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#
3.
Use the no access-group command to disassociate an access list from your GSS interface. For example, to disassociate the access list named alist1 from the first interface on your GSS device, you would enter the following:
gss1.yourdomain.com(config)# no access-group alist1 interface eth0
Refer to the Cisco Global Site Selector Command Reference for an explanation of access-group and no access-group command syntax.
4.
Repeat step 3 for each access list that you wish to disassociate from an interface.
Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2.
Enable privileged EXEC mode and access configuration mode. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#
3.
Use the access-list command to add a new rule to an existing access list. For example, to add a new rule to the access list named alist1 that blocks all traffic from host 192.168.1.101, you would enter the following:
gss1.yourdomain.com(config)# access-list alist1 deny tcp host 192.168.1.101
Refer to the Cisco Global Site Selector Command Reference for an explanation of access-list command syntax.
4.
Use the show access-list command to verify that the rule has been added to your access list. For example:
gss1.yourdomain.com(config)# show access-list
access-list:alist1
access-list alist1 permit tcp any destination-port eq 443
access-list alist1 deny tcp host 192.168.1.101
5.
Repeat steps 3 and 4 for each rule that you wish to add to this access list.
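Added example (not from the Cisco guide): a Python model of the first-match evaluation described under Filtering GSS Traffic Using Access Lists, run over the two alist1 statements in the show access-list output above, to show which later statements an earlier one overrides. The function names, the standard port numbers assumed for ftp, ssh and telnet, and the implicit-deny message text are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the service names used in this chapter map to their standard ports.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23}

# The two statements shown in the chapter's "show access-list" output.
ALIST1 = [
    "access-list alist1 permit tcp any destination-port eq 443",
    "access-list alist1 deny tcp host 192.168.1.101",
]


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "icmp"
    src: Optional[str]    # None means "any"
    port: Optional[int]   # None means any destination port
    text: str             # the statement as typed


def parse_rule(line: str) -> Rule:
    """Parse one statement in the forms this chapter shows."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported statement: {line!r}")
    action, proto, rest = tok[2], tok[3], tok[4:]
    if rest[0] == "any":
        src, rest = None, rest[1:]
    elif rest[0] == "host" and len(rest) >= 2:
        src, rest = str(ipaddress.ip_address(rest[1])), rest[2:]
    else:
        raise ValueError(f"unsupported source in: {line!r}")
    port = None
    if rest:
        # Accept "destination-port eq 443" and "destination-port ssh".
        ok_shape = len(rest) == 2 or (len(rest) == 3 and rest[1] == "eq")
        if rest[0] != "destination-port" or not ok_shape:
            raise ValueError(f"unsupported port clause in: {line!r}")
        value = rest[-1]
        port = SERVICE_PORTS[value] if value in SERVICE_PORTS else int(value)
    return Rule(action, proto, src, port, " ".join(tok))


def evaluate(rules: List[Rule], proto: str, src: str, port: int) -> Tuple[str, str]:
    """Test statements in creation order; the first match decides.
    An associated list refuses everything it does not explicitly permit."""
    for r in rules:
        if r.proto == proto and r.src in (None, src) and r.port in (None, port):
            return r.action, r.text
    return "deny", "implicit deny (no statement matched)"


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """Return (later, earlier, kind) using 1-based positions.
    'unreachable': the earlier statement matches everything the later one does.
    'partly overridden': they overlap and disagree, so the earlier one wins
    for the overlapping traffic."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if earlier.proto != later.proto:
                continue
            src_cover = earlier.src is None or earlier.src == later.src
            port_cover = earlier.port is None or earlier.port == later.port
            src_overlap = src_cover or later.src is None
            port_overlap = port_cover or later.port is None
            if src_cover and port_cover:
                findings.append((j + 1, i + 1, "unreachable"))
            elif src_overlap and port_overlap and earlier.action != later.action:
                findings.append((j + 1, i + 1, "partly overridden"))
    return findings


def load(lines: List[str]) -> List[Rule]:
    return [parse_rule(line) for line in lines]


if __name__ == "__main__":
    rules = load(ALIST1)
    # The "blocked" host still reaches port 443: statement 1 matches first.
    print(evaluate(rules, "tcp", "192.168.1.101", 443))
    print(evaluate(rules, "tcp", "192.168.1.101", 22))
    print(find_shadowed(rules))
    # Re-entering the list with the deny first changes the outcome.
    print(evaluate(load(list(reversed(ALIST1))), "tcp", "192.168.1.101", 443))
```

With alist1 as shown, host 192.168.1.101 is still permitted on TCP port 443 because the permit statement was created first; the deny only takes effect for that host on 443 if the list is re-entered with the deny statement ahead of the permit.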
Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears. Enable privileged EXEC mode and access configuration mode. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#
3.
Use the no form of the access-list command to remove a rule from an existing access list. For example, to remove the rule from the access list named alist1 that blocks all traffic from host 192.168.1.101, you would enter the following:
gss1.yourdomain.com(config)# no access-list alist1 deny tcp host 192.168.1.101
Refer to the Cisco Global Site Selector Command Reference for an explanation of access-list command syntax.
4.
Use the show access-list command to verify that the rule has been removed from your access list. For example:
gss1.yourdomain.com(config)# show access-list
access-list:alist1
access-list alist1 permit tcp any destination-port eq 443
5.
Repeat steps 3 and 4 for each rule that you wish to remove from this access list, or from others configured on your system.
When configuring your GSS for deployment behind a firewall, at a minimum you will need to allow DNS traffic into the box. If you have multiple GSSs deployed such that traffic between them must pass through a firewall, then you must configure the firewall to also allow inter-GSS communications and inter-GSS status reporting. Whether you need to allow other traffic in Table 9-2 and Table 9-3 will depend on your GSS configuration (for example, whether you are using KAL-AP keepalives) and your need to access certain GSS services through the firewall (for example, SNMP). To configure your firewall to work with the GSS product, follow the guidelines in Table 9-2 and Table 9-3 to permit inbound and outbound traffic to and from the specified GSS ports. You may also want to use the access-list and access-group commands to enable authorized GSS traffic to the specified ports. By default, all ports not explicitly permitted in your access list are blocked by that interface once the list is associated.
Table 9-2 Inbound Traffic Going Through a Firewall to the GSS
Destination Port (GSS) 2023 * 53 * 123 161 443 1304 2000 20012009 *
Details FTP, SSH, and Telnet server services on the GSS Return traffic of FTP and Telnet GSS CLI commands GSS software reverse lookup and dnslookup queries Network Time Protocol (NTP) updates Simple Network Management Protocol (SNMP) traffic Primary GSSM GUI CRA keepalives Inter-GSS periodic status reporting Inter-GSS communication Inter-GSS communication
UDP, TCP GSS DNS server traffic UDP UDP UDP TCP UDP UDP TCP TCP
Table 9-2
Details Return traffic of FTP, SSH, and Telnet server services on the GSS Traffic of FTP and Telnet GSS CLI commands GSS software reverse lookup and dnslookup queries Network Time Protocol (NTP) updates Simple Network Management Protocol (SNMP) traffic Primary GSSM GUI CRA keepalives Inter-GSS periodic status reporting Inter-GSS communication Inter-GSS communication Inter-GSS communication
UDP, TCP GSS DNS server traffic UDP UDP UDP TCP UDP UDP TCP TCP TCP
53 123
*
2001-2009
*
Table 9-3
*Any legal port number. To configure your GSS devices to function behind a firewall:
1.
Determine what level of access and what services you wish to enable on your GSSs and GSSMs. Determine whether you want to allow FTP, SSH, and Telnet access to the device, or whether you wish to permit GUI access to your primary GSSM. Table 9-2 and Table 9-3 show which GSS-related ports and protocols must be enabled for the product to function properly.
2.
Construct your access lists to filter traffic coming to and from your GSS device.
Configuring SNMP on Your GSS
Viewing SNMP Status
Viewing MIB Files on the GSS
Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears. Enable privileged EXEC mode and access configuration mode. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com#
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#
3.
Use the snmp enable command to enable the SNMP agent. For example:
gss1.yourdomain.com(config)# snmp enable
4.
Use the snmp community-string command to specify an SNMP community name for this GSS device. By default, the SNMP community string is public. To change the SNMP community string, enter an unquoted text string with no spaces and a maximum length of 12 characters. For example:
gss1.yourdomain.com(config)# snmp community-string
Enter new Community String:
5.
Use the snmp contact command to specify the name of the contact person for this GSS device. You can also include information on how to contact the person; for example, a phone number or e-mail address. Enter an unquoted text string with a maximum of 255 characters including spaces. For example:
gss1.yourdomain.com(config)# snmp contact
Enter new Contact Info: Cisco Systems, Inc.
6.
Use the snmp location command to specify the physical location of this GSS device. Enter an unquoted text string with a maximum length of 255 characters. For example:
gss1.yourdomain.com(config)# snmp location
Enter new Location Info: Boxborough, MA 01719
7.
To disable SNMP or any of the parameters outlined above, use the no form of the snmp command. For example, to disable SNMP for the GSS, enter:
gss1.yourdomain.com(config)# no snmp enable
Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears. Enable privileged EXEC mode. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com#
3.
Use the show snmp command to verify that your SNMP agent, ucd-snmp, is enabled or disabled, as well as the community-string, location and contact. For example:
Host# show snmp
snmp is enabled
snmp settings
------------
Community String = <set>
Location = Boxborough MA
Contact = Cisco Systems
Note
You can also use the gss status command to verify if SNMP is enabled or disabled. See the Configuring SNMP on Your GSS section to change the status of your SNMP agent.
4.
Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears. Enable privileged EXEC mode. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com#
3.
Use the dir command to view the list of GSS MIBs contained in the /mibs directory. For example:
gss.cisco.com#dir /mibs total 1100 drwxr-xr-x 2 root root 4096 drwxrwxrwx 19 root root 4096 -rw-r--r-1 root root 17455 -rw-r--r-1 root root 19850 -rw-r--r-1 root root 64311 -rw-r--r-1 root root 50054 -rw-r--r-1 root root 4660 -rw-r--r-1 root root 52544 -rw-r--r-1 root root 10583 -rw-r--r-1 root root 4015 IANA-ADDRESS-FAMILY-NUMBERS-MIB.txt -rw-r--r-1 root root 4299 -rw-r--r-1 root root 15661 -rw-r--r-1 root root 5066 -rw-r--r-1 root root 71691 -rw-r--r-1 root root 6260 -rw-r--r-1 root root 26781 -rw-r--r-1 root root 23499 -rw-r--r-1 root root 15936 -rw-r--r-1 root root 48703 -rw-r--r-1 root root 2367 -rw-r--r-1 root root 7257 -rw-r--r-1 root root 4400 -rw-r--r-1 root root 1174
Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul
18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18
08:45 08:46 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45 08:45
IANA-LANGUAGE-MIB.txt IANAifType-MIB.txt IF-INVERTED-STACK-MIB.txt IF-MIB.txt INET-ADDRESS-MIB.txt IP-FORWARD-MIB.txt IP-MIB.txt IPV6-ICMP-MIB.txt IPV6-MIB.txt IPV6-TC.txt IPV6-TCP-MIB.txt IPV6-UDP-MIB.txt RFC-1215.txt
-rw-r--r-- 1 root root 3067 Jul 18 08:45 RFC1155-SMI.txt
-rw-r--r-- 1 root root 79667 Jul 18 08:45 RFC1213-MIB.txt
-rw-r--r-- 1 root root 147822 Jul 18 08:45 RMON-MIB.txt
-rw-r--r-- 1 root root 4628 Jul 18 08:45 SMUX-MIB.txt
-rw-r--r-- 1 root root 15490 Jul 18 08:45 SNMP-COMMUNITY-MIB.txt
-rw-r--r-- 1 root root 20750 Jul 18 08:45 SNMP-FRAMEWORK-MIB.txt
-rw-r--r-- 1 root root 5261 Jul 18 08:45 SNMP-MPD-MIB.txt
-rw-r--r-- 1 root root 19083 Jul 18 08:45 SNMP-NOTIFICATION-MIB.txt
-rw-r--r-- 1 root root 8434 Jul 18 08:45 SNMP-PROXY-MIB.txt
-rw-r--r-- 1 root root 21495 Jul 18 08:45 SNMP-TARGET-MIB.txt
-rw-r--r-- 1 root root 38035 Jul 18 08:45 SNMP-USER-BASED-SM-MIB.txt
-rw-r--r-- 1 root root 33430 Jul 18 08:45 SNMP-VIEW-BASED-ACM-MIB.txt
-rw-r--r-- 1 root root 8263 Jul 18 08:45 SNMPv2-CONF.txt
-rw-r--r-- 1 root root 25052 Jul 18 08:45 SNMPv2-MIB.txt
-rw-r--r-- 1 root root 8924 Jul 18 08:45 SNMPv2-SMI.txt
-rw-r--r-- 1 root root 38034 Jul 18 08:45 SNMPv2-TC.txt
-rw-r--r-- 1 root root 3981 Jul 18 08:45 SNMPv2-TM.txt
-rw-r--r-- 1 root root 10765 Jul 18 08:45 TCP-MIB.txt
-rw-r--r-- 1 root root 2058 Jul 18 08:45 UCD-DEMO-MIB.txt
-rw-r--r-- 1 root root 3131 Jul 18 08:45 UCD-DISKIO-MIB.txt
-rw-r--r-- 1 root root 2928 Jul 18 08:45 UCD-DLMOD-MIB.txt
-rw-r--r-- 1 root root 8037 Jul 18 08:45 UCD-IPFWACC-MIB.txt
-rw-r--r-- 1 root root 30343 Jul 18 08:45 UCD-SNMP-MIB.txt
-rw-r--r-- 1 root root 4076 Jul 18 08:45 UDP-MIB.txt
4.
If desired, use the ftp or scp command to copy the MIB files from the /mibs directory on the GSS to another location on the GSS or to a remote network location.
Full: Backs up the GSSM network configuration settings as well as the GSSM database holding GSLB configuration information
Database: Backs up just the primary GSSM database
We recommend that you always perform a full backup of the GSSM. From a full backup, you can later restore the same information that is contained in a database-only backup in addition to GSSM platform information (if desired). You do not have the option of restoring GSSM platform information from a database-only backup. The full backup provides you with the flexibility to pick and choose the specific GSSM configuration information you want to restore on the GSSM. Whenever you execute a backup on your primary GSSM, the GSS software automatically creates a tar archive (tarball) of the necessary files. If you are performing a full backup, this file has the .full extension. If you are performing a database backup, the file has the .db extension. When you execute a database restore on your primary GSSM, this archive is automatically unpacked and the database is copied to the GSSM, overwriting the failed database that is there. Backing up your GSSM database requires access to the GSS CLI and the completion of the following actions:
1. Determining the appropriate time to back up your GSSM
2. Determining whether you need to perform a full backup or database-only backup
3. Performing the backup
4. Moving the backup file to a secure location on your network
Determining When and What Type of Backup to Perform
Performing a Full GSSM Backup
Performing a GSSM Database Backup
Before switching GSSM roles, making the standby GSSM your primary GSSM on your network
Before you perform a GSS software upgrade
After you make any changes in the device or network configuration of your GSSM

After you make any changes in the device configuration of any of your GSS devices using the GSSM GUI
After you make any changes to the GSLB configuration of your GSS network using the GSSM GUI. For example, adding or removing an answer, source address list, DNS rule, or user account
Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears. Enable privileged EXEC mode. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com#
3.
Use the gssm database validate command to verify the integrity of your existing database.
gssm1.yourdomain.com# gssm database validate
gssm1.yourdomain.com#
4.
Use the gssm backup command to create a full backup of your primary GSSM. You need to supply a filename for your full backup. For example:
gssm1.yourdomain.com# gssm backup full gssmfullbk
GSSM database backup succeeded [gssmfullbk.full]
5.
Copy or move the backup file off your primary GSSM after you receive confirmation that the GSSM successfully created your full backup. This ensures that the backup is not lost if a media failure or other catastrophic loss occurs on your primary GSSM. Either the secure copy (scp) or ftp command can be used to move your full backup to a remote host. For example:
gssm1.yourdomain.com# scp gssmfullbk.full username@server.yourdomain.com:~/
Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com#
3.
Use the gssm backup command to create a backup of your primary GSSM database. You need to supply a filename for your database backup. For example:
gssm1.yourdomain.com# gssm backup database gssmdbbk
GSSM database backup succeeded [gssmdbbk.db]
4.
Copy or move the backup file off your primary GSSM after you receive confirmation that the GSSM successfully created your full backup. This ensures that the backup is not lost if a media failure or other catastrophic loss occurs on your primary GSSM. Either the secure copy (scp) or ftp command can be used to move your database backup to a remote host. For example:
gssm1.yourdomain.com# scp gssmdbbk.db server.yourdomain.com:home
Verifying the GSSM Role in the GSS Network
Backing up and Archiving the Primary GSSM
Obtaining the Software Upgrade
Upgrading Your GSS Devices
At the CLI of the current primary GSSM, enter the following commands:
gssm1.yourdomain.com# cd /home
gssm1.yourdomain.com# type ../props.cfg | grep -i fqdn
or ip_address
2.
GSSM in your network, then the current primary GSSM and standby GSSM configuration is the original configuration and no further action is needed. Proceed to the Backing up and Archiving the Primary GSSM section.
If the value of the domain name or IP address is the current standby GSSM in your network, then the current primary GSSM and standby GSSM configuration is not the original configuration. In this case, you must reverse the roles of the primary and standby GSSM devices to those of the original GSS network deployment. See the Reversing the Roles of the Interim Primary and Standby GSSMs section.
If the value of the domain name or IP address is not the current primary GSSM or the standby GSSM in your network, this indicates that the device is not a primary GSSM or is no longer on the network. No further action is required. Proceed to the Backing up and Archiving the Primary GSSM section.
The next step is to ensure that you have a full (and current) backup of the primary GSSM database and that you archive this backup. Proceed to the Backing up and Archiving the Primary GSSM section.
Access the Cisco.com website and locate the software update files. Download the software update files to a server within your own organization that is accessible using FTP or SCP from your GSSs and GSSMs.
You must have a Cisco.com username and password before attempting to download a software update from Cisco.com. To acquire a Cisco.com login, go to http://www.cisco.com and click the Register link.
Note
You need a service contract number, Cisco.com registration number and verification key, Partner Initiated Customer Access (PICA) registration number and verification key, or packaged service registration number to obtain a Cisco.com username and password. To add an upgrade file for the GSS software:
1. Launch your preferred web browser and point it to the Cisco Global Site Selector download page. When prompted, log in to Cisco.com using your designated Cisco.com username and password. The Cisco GSS Software download page appears, listing the available software upgrades for the GSS software product.
2. If you do not have a shortcut to the Cisco Global Site Selector download page:
a. Log in to Cisco.com using your designated Cisco.com username and password.
b. Access the Software Center from the Technical Support link. c. Select the Content Networking Software link from the Software Center -
Center - Content Networking page. The Cisco GSS Software download page appears, listing the available software upgrades for the Cisco GSS Software product.
Note
When you first access the Content Networking page of the Software Center, you must apply for eligibility for GSS software updates because it is considered a strong encryption image. Under the Cisco Content Networking Cryptographic Software section is the Apply for 3DES Cisco Cryptographic Software Under Export Licensing Controls link. Click this link and complete the Encryption Software Export Distribution Authorization Form. You must complete this step to access and download Global Site Selector software images.
3.
Locate the .upg file you wish to download by referring to the Release column for the proper release version of the software.
Note
The meta file, originally posted for use with GSS version 1.0, is no longer posted for version 1.1(0) and subsequent releases. The meta file is unnecessary for the installation, and is only used as a check to let you verify the file size of the upgrade file. The Cisco Global Site Selector Software download page contains information on the GSS file size, the MD5 checksum, and other important details about the GSS software upgrade file. Use this file information to verify the integrity of the software upgrade file.
4. Click the link for the .upg file. The download page appears.
5. Click the Software License Agreement link. A new browser window opens to display the license agreement.
6. After you have read the license agreement, close the browser window displaying the agreement and return to the Software Download page.
7. Click the filename link labeled Download. If prompted, reenter your username and password.
8. Click Save to file and then choose a location on your workstation to temporarily store the .upg upgrade file.
9. Post the .upg file that you downloaded to a designated area on your network that is accessible to all your GSS devices.
You are now ready to upgrade the software on a GSS device. Proceed to the Upgrading Your GSS Devices section.
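The file size and MD5 comparison described in the download procedure above can be scripted on the workstation before the file is posted for the GSS devices. The following Python sketch is an added example, not Cisco code: the function names are hypothetical, and the image bytes, size, and checksum are constructed stand-ins for the values listed on the download page. The second constructed copy shows what the check reports when a file has been through a text-mode (ASCII) transfer with line-ending translation.

```python
import hashlib
import os
import tempfile


def file_md5(path, chunk_size=1 << 20):
    """Return the hex MD5 of a file, reading in chunks so large images are not held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_upgrade_file(path, published_size, published_md5):
    """Compare a downloaded .upg file with the size and MD5 from the download page.

    Returns a list of problems; an empty list means both values match.
    """
    problems = []
    if not path.lower().endswith(".upg"):
        problems.append("file name does not end in .upg")

    actual_size = os.path.getsize(path)
    if actual_size != published_size:
        problems.append(
            f"size mismatch: file is {actual_size} bytes, download page lists {published_size}"
        )

    # Normalise the published value; reject anything that is not a full MD5 digest
    # so a truncated copy-and-paste cannot pass as a match.
    wanted = published_md5.strip().lower()
    if len(wanted) != 32 or any(c not in "0123456789abcdef" for c in wanted):
        problems.append("published MD5 is not 32 hexadecimal digits")
    else:
        actual_md5 = file_md5(path)
        if actual_md5 != wanted:
            problems.append(
                f"MD5 mismatch: file is {actual_md5}, download page lists {wanted}"
            )
    return problems


def demo():
    """Run the check on two constructed copies of a stand-in upgrade image."""
    # Constructed sample: arbitrary binary data that, like any archive,
    # contains newline bytes.
    image = bytes(range(256)) * 64
    published_size = len(image)
    published_md5 = hashlib.md5(image).hexdigest().upper()

    # Simulated text-mode transfer: every LF byte rewritten as CR LF.
    mangled = image.replace(b"\n", b"\r\n")

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, data in (("binary", image), ("ascii", mangled)):
            path = os.path.join(tmp, "gss.upg")
            with open(path, "wb") as fh:
                fh.write(data)
            results[label] = verify_upgrade_file(path, published_size, published_md5)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "OK" if not problems else problems)
```

MD5 is used because it is the checksum the download page lists; it detects accidental corruption in transit but is not collision-resistant.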
When executing an upgrade, use the CLI install command. Before proceeding with the installation of the software upgrade, the install command also performs a validation check on the upgrade file, unpacks the upgrade archive, and installs the upgraded software. Finally, the install command restarts the affected GSS device.
Note
Upgrading your GSS devices causes a temporary loss of service for each affected device.
To upgrade the GSS software (starting with the primary GSSM):
1. Log on to the CLI of the GSS device.
2. Use the ftp or scp command to copy the GSS software upgrade file from the network location to a directory on the GSS. Ensure that you set the transfer type to binary. For example, to copy an upgrade file named gss.upg from a remote host, your FTP session might look like the following:
gssm1.yourdomain.com> ftp host.yourdomain.com
Connected to host.yourdomain.com.
220 host.yourdomain.com FTP server (Version wu-2.6.1-0.6x.21) ready.
Name (host.yourdomain.com:root): admin
331 Password required for admin.
Password:
230 User admin logged in. Access restrictions apply.
Remote system type is UNIX.
Using ascii mode to transfer files.
ftp> binary
ftp> get
(remote-file) gss.upg
(local-file) gss.upg
local: gss.upg remote: gss.upg
200 PORT command successful.
...
3.
4. Enter the gss stop command to stop your GSS servers. For example:
gssm1.yourdomain.com# gss stop
5.
6. At the Proceed with install (the device will reboot)? (y/n): prompt, type y to reboot the GSS device. When the GSS reboots, you lose any network CLI connections. Console connections remain active.
7. If you did not previously save changes to the startup-configuration file, the Save current configuration? [y/n]: prompt appears. Type y to continue. The GSS reboots.
8. After the GSS device reboots, log on to the device and enable privileged EXEC mode.
9. Enter the gss status command and verify that the GSS device reaches a Normal Operation state of runmode 4 or 5.
10. Repeat this procedure for the remaining GSS devices in your network.
Verify the current software version.
Perform a full backup of your primary GSSM.
Obtain the software downgrade (.upg) file.
Downgrade your GSS device.
Verify your downgrade.
In addition, do not attempt to restore an earlier version of the software than the earliest database backup you have available. For example, if the earliest version of the GSS software that you have run is Release 2.0 and your earliest database backup is for Release 2.0, do not attempt to downgrade to a release of the software earlier than 2.0. This section includes the following procedures:
Restoring an Earlier Software Version on Your GSS Devices
Restoring Your GSSM from a Full Backup
Restoring Your GSSM Database from a Database-Only Backup
GSS Administration and Troubleshooting Downgrading and Restoring Your GSS Devices
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Verify that your full backup of the GSSM is at a location that is accessible from the GSSM that you are restoring. Full backups have a .full file extension.
3. Enable privileged EXEC mode. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com#
4. Stop the GSS software on the GSSM and then use the gss status command to confirm that the GSSM has stopped. For example:
atcr1.cisco.com# gss stop
atcr1.cisco.com# gss status
Cisco GSS - 1.1(0.0.1) - [Mon Sep 15 11:33:47 UTC 2003]
gss is not running.
5. Once the GSSM has stopped, use the gssm restore command to restore the GSSM from the full backup file. To restore the file gssmfullbk.full, you would enter:
gss1.yourdomain.com# gssm restore gssmfullbk.full
6. Confirm your decision to overwrite GSS system configuration information on the GSSM and restart the GSSM device. Enter y for yes (or n to stop the restore process).
% WARNING WARNING WARNING
Restoring the database will overwrite all existing system configuration. If running, the system will be restarted during this process.
Are you sure you wish to continue? (y/n): y
Backup file is valid. Timestamp = 2003-Sep-15-14:01:53
7. Confirm your decision whether to restore GSSM platform information, or only the GSS database. This selection enables you to return the primary GSSM back to the original state prior to the database backup. Platform information includes all configuration parameters set at the CLI, including: interface configuration, hostname, service settings (NTP, SSH, Telnet, FTP, and SNMP), timezone, logging levels, Web certificates, inter-GSS communication certificates, access lists and access groups, CLI user information, GUI user information, and property-set CLI commands.
This backup contains a backup of the platform configuration.
'n' restores just the database.
Restoring platform files requires a reboot.
Restore Platform files? [y/n]: y
Note
Restoring platform information requires a reboot of the GSS at the end of the restore procedure.
Select n to restore only the GSSM database and not the GSSM platform information. If you choose not to restore GSSM platform information, you must reconfigure the GSSM platform information from the CLI. Refer to Chapter 2, Setting Up Your GSS for details.
8. Confirm your decision to restore the GSS network information for remote devices activated from the primary GSSM.
Do you want to replace your current GSS network configuration with the one specified in the backup file? (y/n): y
devices, GSS device status, node information, and IP addresses. This is the network information displayed in the Global Site Selectors list table in the Resources tab (refer to Chapter 2, Setting Up Your GSS). GSS network information does not include DNS rules, answers, keepalive, and so on. Those configuration elements are automatically restored as part of the database restore process.
Select n to instruct the software not to restore GSS network information to the GSSM. If you choose not to restore the GSS network information, you must disable and enable each device, then reregister the device with the primary GSSM, which may result in a temporary network service outage. Refer to Chapter 2, Setting Up Your GSS for details.
The GSSM continues with the restore process.
Deleting existing database...
Creating empty database for restore...
Restoring the database...
Using GSS network information present in backup file...
Restoring platform backup files.
Database restored successfully.
Reboot Device now? (y/n): y
Use the gss status command to confirm that your restored GSSM is up and running in normal operation mode (runmode = 5).
Note
Restoring your GSSM database requires that the GSSM device be stopped and restarted, resulting in the device and the GUI being unavailable for a short period.
Use the following procedure to restore an earlier version of the GSSM from a backup:
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Verify that the full backup of the GSSM is at a location that is accessible from the GSSM that you are restoring. Full backups have a .full file extension.
3. Enable privileged EXEC mode. For example:
gss1.yourdomain.com> enable
gss1.yourdomain.com#
4. Stop the GSS software on the GSSM and then use the gss status command to confirm that the GSSM has stopped. For example:
gss1.yourdomain.com# gss stop
gss1.yourdomain.com# gss status
Cisco GSS - 1.1(0.0.1) - GSSM - primary [Mon Sep 15 12:58:27 UTC 2003]
gss is not running.
5. Once the GSSM has stopped, use the gssm restore command to restore the GSSM database from the backup file that corresponds to the software version that you just restored. To restore the file gssmdbbk.db, you would enter:
gss1.yourdomain.com# gssm restore gssmdbbk.db
6. Confirm your decision to overwrite GSS system configuration information on the GSSM and restart the GSSM device. Enter y for yes (or n to stop the restore process).
% WARNING WARNING WARNING
Restoring the database will overwrite all existing system configuration. If running, the system will be restarted during this process.
Are you sure you wish to continue? (y/n):
Backup file is valid. Timestamp = 2003-Aug-20-14:02:06
Restoring database only (No platform backup present)
7. Confirm your decision to restore the GSS network information for remote devices activated from the primary GSSM.
Do you want to replace your current GSS network configuration with the one specified in the backup file? (y/n): y
devices, GSS device status, node information, and IP addresses. This is the network information displayed in the Global Site Selectors list table in the Resources tab (refer to Chapter 2, Setting Up Your GSS). GSS network information does not include DNS rules, answers, keepalive, and so on. Those configuration elements are automatically restored as part of the database restore process.
Select n to instruct the software not to restore GSS network information to the GSSM. If you choose not to restore the GSS network information, you must disable and enable each device, then reregister the device with the primary GSSM, which may result in a temporary network service outage. Refer to Chapter 2, Setting Up Your GSS for details.
8. Once you receive confirmation that the database restoration has succeeded, use the gss start command to restart your GSSM. For example:
gss1.yourdomain.com# gss start
System started.
9. Use the gss status command to confirm that your restored GSSM is up and running in normal operation mode (runmode = 5).
From the GSSM GUI, click the Tools tab. Click the Third-Party Software navigation link. The GSSM Third-Party Software list page appears (Figure 9-5). This page displays the following information:
Product: Third-party software product. For example, RedHat Version 6.2
Version: Version of the third-party software currently installed on the GSS device
URL: Web URL for the software product
Figure 9-5
Answer Error Messages
Answer Group Error Messages
DNS Rule Error Messages
Domain List Error Messages
Shared KeepAlive Error Messages
KeepAlive Error Messages
Location Error Messages
Owner Error Messages
Region Error Messages
GSSM Error Messages
Source Address List Error Messages
User Error Messages
Error Message Invalid answer name. Name length must not exceed 80 characters.
Explanation The answer name that you entered contains too many characters.
Recommended Action Enter a valid alphanumeric answer name of at least 1 and no more than 80 characters in length that does not contain spaces.

Error Message Invalid CRA timing decay. Timing decay must be between 1 and 10.
Explanation You entered an invalid number for the CRA timing decay.
Recommended Action Enter a number between 1 and 10. Lower timing decay values mean that more recent DNS races are weighted more heavily than older races. Higher decay values mean that the results of older races are weighted more heavily than more recent races.

Error Message Invalid CRA static RTT value. Static RTT must be between 0 and 1000.
Explanation You entered an invalid number for the static round-trip time (RTT). This is a manually entered value that is used by the GSS to represent the time it takes for traffic to reach and return from a host.
Recommended Action Enter a static RTT value between 0 and 1000.

Error Message A VIP/Name Server/CRA-type answer named answer_name already exists. If specified, name and type must uniquely identify an answer.
Explanation You are trying to create an answer that already exists on the GSS. You cannot have two answers with the same name and answer type.
Recommended Action Assign a new name or answer type to your answer to make it unique.
Error Message An unnamed VIP/Name Server/CRA-type answer having address IP_address already exists. Name must be specified to configure an answer with the same address as another answer.
Explanation You are trying to create an answer that already exists on the GSS. You cannot have two answers with the same name and IP address.
Recommended Action Assign a new name to your answer to make it unique.

Error Message The maximum number of number VIP/Name Server/CRA-type answers has been met.
Explanation You are attempting to create an answer when the maximum

Error Message CRA decay value must be specified.
Explanation You are attempting to create a CRA answer type without specifying a decay value. The decay value is required to tell the GSS how to evaluate and weigh DNS race results.
Recommended Action Enter a number between 1 and 10 for the CRA decay, with 1 causing the GSS to weigh recent DNS race results more heavily, and 10 telling it to weigh them less heavily.

Error Message CRA static RTT must be specified.
Explanation You are attempting to create a CRA answer type without specifying a static round-trip time (RTT) value. The RTT value is used to force the GSS to use a value that you supply as the round-trip time necessary to reach the requesting D-proxy.
Recommended Action Enter a number between 1 and 1000 for the CRA
Error Message Invalid keepalive tag. Tag must be at least one character in length.
Explanation You are attempting to create a VIP answer with a KAL-AP By Tag keepalive, but you have not specified a value for the tag in the field provided.
Recommended Action Enter an alphanumeric tag between 1 and 76 characters

Error Message Invalid keepalive tag. Tag length must not exceed 76 characters.
Explanation You are attempting to create a VIP answer with a KAL-AP By Tag keepalive, but you have specified a value for the tag that contains too many characters.
Recommended Action Enter an alphanumeric tag between 1 and 76 characters

Error Message NS-type answer IP Address has the same IP address as GSS GSS_name. GSS IP addresses must not equal any NS-type answers.
Explanation You are attempting to create a name server answer type with the same IP address as a GSS device on the same GSS network. Name server answers cannot use the same address as GSS devices belonging to the same GSS network.
Recommended Action Assign a valid IP address to your name server answer.
group so that those rules do not point to the group, and then try again to delete the group.

Error Message Invalid answer group name. Name must be entered.
Explanation You are attempting to create an answer group without assigning a name to that group. All answer groups must have names of at least one character.
Recommended Action Enter a name for the new answer group in the field

Error Message Invalid answer group name. Name length must not exceed 80 characters.
Explanation You are attempting to assign the answer group an invalid name.
Recommended Action Enter an alphanumeric name for the answer group that is

Error Message Invalid answer group name. Name must not contain spaces.
Explanation You are attempting to assign the answer group an invalid name.
Recommended Action Enter an alphanumeric name for the answer group that is
Error Message An answer group named name already exists. Name must uniquely identify an answer group.
Explanation You are attempting to assign the answer group a name that is

Error Message The maximum number of number answers per VIP/Name Server/CRA-type group has been met.
Explanation You are attempting to add an answer to an answer group to which

a group to which the maximum number of answers has not already been added.

Error Message Invalid balance clause TTL. TTL must be between 0 and 604,800.
Explanation You are required to specify a Time To Live (TTL) value for
Error Message Invalid balance clause position. Position must be between 0 and 2.
Explanation You are attempting to create a clause for your DNS rule that is out of sequence. The DNS Rule Builder provides options for three balance clauses, which must be created in order, with no gaps between clauses. For example, if you are using only one balance clause, it must appear in the first position. It cannot be listed in the second or third positions with the first position left blank.
Recommended Action Rearrange your balance clauses in the DNS Rule Builder so that they are listed in the proper order, with no gaps between them.

Error Message Hash type must be specified for answer group using hash balance method.
Explanation You are trying to create an answer group using the balance method Hashed with the selected answer, but you have not selected one (or more) hash methods: By Domain Name and By Source Address.
Recommended Action Select one or more of the available hash methods by checking the box corresponding to the methods that you wish to use with this balance clause.

Error Message Balance clause Boomerang fragment size must be specified.
Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a fragment size in the Fragment Size field. The fragment size determines the preferred size of the boomerang race response that is produced by a match to a DNS rule and is sent to the requesting client.
Recommended Action Enter a fragment size between 28 and 1980 in the field
Error Message Invalid balance clause Boomerang fragment size. Boomerang fragment size must be 0 or between 28 and 1980.
Explanation You are attempting to specify an unacceptable fragment size for

Error Message Invalid balance clause Boomerang fragment size. Boomerang fragment size must be a multiple of 4.
Explanation You are attempting to specify a fragment for this boomerang balance clause that is within the acceptable range but not divisible by 4. Fragment sizes must be divisible by 4.
Recommended Action Enter a fragment size between 28 and 1980 that is also

Error Message Balance clause Boomerang IP TTL value must be specified.
Explanation You are attempting to create a balance clause using the boomerang balance method, but have not specified an IP Time To Live (TTL) in the field provided. The IP TTL specifies the maximum number of network hops that can be used when returning a response to a CRA from a match on a DNS rule.
Recommended Action Enter an IP TTL between 1 and 255 in the field provided

Error Message Invalid balance clause Boomerang IP TTL. Boomerang IP TTL must be between 1 and 255.
Explanation You are attempting to create a balance clause using the boomerang
Error Message Balance clause Boomerang maximum propagation delay must be specified.
Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a maximum propagation delay (Max Prop. Delay) in the field provided. The maximum propagation delay specifies the maximum length of time (in milliseconds) that is observed before the GSS forwards a Domain Name System (DNS) request to a content routing agent (CRA).
Recommended Action Enter a maximum propagation delay between 1 and

Error Message Invalid balance clause Boomerang maximum propagation delay. Boomerang maximum propagation delay must be between 1 and 1000.
Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a valid maximum propagation delay (Max Prop. Delay) in the field provided.
Recommended Action Enter a maximum propagation delay between 1 and

Error Message Balance clause Boomerang padding size must be specified.
Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a pad size in the Pad Size field. The pad size is the amount of extra data (in bytes) included with each content routing agent (CRA) response packet and is used to evaluate CRA bandwidth as well as latency when routing decisions are made.
Recommended Action Enter a valid pad size between 0 and 2000 in the
Error Message Invalid balance clause Boomerang padding size. Boomerang padding size must be between 0 and 2000.
Explanation You are attempting to create a balance clause using the boomerang balance method but have specified an invalid pad size in the Pad Size field.
Recommended Action Enter a valid pad size between 0 and 2000 in the Pad Size field.

Error Message Invalid balance clause Boomerang secret. If specified, Boomerang secret must be between 1 and 64 characters in length.
Explanation You are attempting to create a balance clause using the boomerang balance method but have specified an invalid secret in the Secret field. The boomerang secret is a text string consisting of between 1 and 64 characters that is used to encrypt critical data sent between the boomerang server and content routing agents (CRAs). This key must be the same for each configured CRA.
Recommended Action Enter a valid boomerang secret between 1 and 64

Error Message Balance clause Boomerang server delay must be specified.
Explanation You are attempting to create a balance clause using the boomerang balance method but have not specified a server delay in the Server Delay field. The boomerang server delay is the maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS forwards the address of its last gasp server as a response to the requesting name server.
Recommended Action Enter a valid server delay between 32 and
Error Message Invalid balance clause Boomerang server delay. Boomerang server delay must be between 32 and 999.
Explanation You are attempting to create a balance clause using the boomerang balance method but have specified an invalid server delay in the Server Delay field.
Recommended Action Enter a valid server delay between 32 and

Error Message Invalid DNS rule name. Name must be entered.
Explanation You are attempting to create a DNS rule without assigning a name to the rule. DNS rules must have names of between 1 and 100 characters.
Recommended Action Assign a name to your DNS rule using the Rule Name

Error Message Invalid DNS rule name. Name length must not exceed 100 characters.
Explanation You are attempting to assign a name to your DNS rule that is too

Error Message Invalid DNS rule name. Name must not contain spaces.
Explanation You are attempting to assign your DNS rule a name that contains spaces.
Recommended Action Enter a valid name for your DNS rule that is between 1
Error Message A DNS rule using the specified source address list, domain list, and matching query type already exists. Source address list, domain list, and matching query type must uniquely identify a DNS rule.
Explanation You are attempting to create a DNS rule that already exists. DNS rules must specify a unique combination of source address list, domain list, and matching query type.
Recommended Action Reconfigure your DNS rule so that it does not exactly

Error Message Duplicate answer group/balance method assignment detected. A DNS rule cannot use the same answer group and balance method in multiple balance clauses.
Explanation You are attempting to create two identical answer group and balance method clauses in your DNS rule. Each clause must use a unique combination of answer groups and balance methods.
Recommended Action Modify one of your answer group and balance method pairs so that it is no longer identical to the other and then save your DNS rule.

Error Message Balance clause gap detected at position {0,1,2}. Balance clauses must be specified sequentially without gaps.
Explanation You are attempting to create a clause for your DNS rule that is out of sequence. The DNS Rule Builder provides options for three balance clauses, which must be created in order, with no gaps between clauses. For example, if you are using only one balance clause, it must appear in the first position. It cannot be listed in the second or third positions with the first position left blank.
Recommended Action Rearrange your balance clauses in the DNS Rule Builder so that they are listed in the proper order, with no gaps between them.
Error Message A DNS rule named DNS_Rule_name already exists. Name must uniquely identify a DNS rule.
Explanation You are attempting to assign a name to the DNS rule that is

invalid name. Domains in domain lists must have names of at least one character.
Recommended Action Enter a name that is between 1 and 100 characters and

Error Message <domain name> character limit exceeded.
Explanation You are attempting to add a domain to a domain list using a name that is too long. Domains in domain lists cannot have names of more than 100 characters.
Recommended Action Enter a new domain name of no more than 100 characters

Error Message Domain specification must not exceed 128 characters.
Explanation You are attempting to add a domain to your domain list with a name that is longer than 128 characters. Domain lists cannot contain domains with names longer than 128 characters.
Recommended Action Replace the domain with a domain name containing fewer than 128 characters and then save your domain list.
Error Message <domain name> must not contain spaces.
Explanation You are attempting to add a domain to your domain list with a name that contains spaces. Domains in domain lists cannot have names that contain spaces.
Recommended Action Modify the domain name so that it does not contain

Error Message <domain name> is not a valid regular expression: <regular expression syntax error message here>
Explanation You are attempting to add a domain name to a domain list with a name that contains invalid characters or formatting. Domain names in domain lists must be valid regular expressions.
Recommended Action Modify the domain name so that it is a valid regular expression and does not contain any invalid characters or formatting. For example, www.cisco.com or .*\.cisco\.com, and then save your domain list.

Error Message <domain name> must not begin or end with '.'
Explanation You are attempting to add a domain to a domain list with a literal name that contains an invalid character at the beginning or end of the domain name.
Recommended Action Modify the domain name so that it does not contain a period at the beginning or end of the name and then save your domain list.

Error Message <domain name> component must not begin or end with '-'
Explanation You are attempting to add a domain to a domain list with a literal name that contains an invalid character at the beginning or end of one component of the domain name. For example, www.cisco-.com.
Recommended Action Modify the domain name so that it does not contain a dash (-) at the beginning or end of any segment of the name and then save your domain list.
Cisco Global Site Selector Configuration Guide OL-4327-01
Error Message <domain name> contains invalid character '<character>' (<ASCII value of the character>)
Explanation You are attempting to add a domain to a domain list with a name that contains an invalid text character. Domains belonging to domain lists must have names that are regular expressions.
Recommended Action Modify the domain name so that it does not contain an

Error Message This domain list cannot be deleted because it is referenced by X DNS rule
Explanation You are attempting to delete a domain list that is being referenced

they no longer reference it and then try again to delete the list.

Error Message Invalid domain list name. Name must be entered.
Explanation You are attempting to create a domain list without a name.

Error Message Invalid domain list name. Name length must not exceed 80 characters.
Explanation You are attempting to create a domain list with a name that is too long.
Recommended Action Assign a name of at least 1 and no more than
Error Message Invalid domain list name. Name must not contain spaces.
Explanation You are attempting to create a domain list with a name that

Error Message A domain list named '<name>' already exists. Name must uniquely identify a domain list.
Explanation You are attempting to assign a name to your domain list that has already been assigned to another domain list on the same GSS network.
Recommended Action Assign a unique name to your new domain list and then

Error Message The maximum number of <limit> domains per list has been met.
Explanation You are attempting to add a domain to your domain list when the

then add the new domain. Alternatively, create a domain list to hold the new domain and any subsequent domains that you wish to add.
hash secret but have not specified a secret in the field provided.
Recommended Action Enter a CAPP hash secret of no more than 31 characters

Error Message Invalid CAPP hash secret. Secret length must not exceed 31 characters.
Explanation You are attempting to create a KAL-AP keepalive using a CAPP

Error Message Invalid HTTP HEAD response timeout.
Explanation You are attempting to specify an HTTP HEAD response timeout that is invalid.
Recommended Action Enter a response timeout between 20 and 60 seconds in the HTTP HEAD response timeout field of the Shared Keepalive details page.

Error Message Response timeout must be between 20 and 60 seconds.
Explanation You are attempting to specify an HTTP HEAD response timeout that is invalid.
Recommended Action Enter a response timeout between 20 and 60 seconds in the HTTP HEAD response timeout field of the Shared Keepalive details page.
Error Message Invalid HTTP HEAD destination port. Destination port must be between 1 and 65,535.
Explanation You are attempting to specify a port number for HTTP HEAD

Keepalive details page, enter a port number between 1 and 65,535 through which HTTP HEAD keepalive traffic will pass. The default port is 80.

Error Message Invalid HTTP HEAD path. Path length must not exceed 256 characters.
Explanation You are attempting to specify an HTTP HEAD path that is not valid.
Recommended Action Enter a valid path shorter than 256 characters in the HTTP HEAD default path field in the Shared Keepalive details page.

Error Message Invalid <keepalive type> minimum probe frequency. Frequency must be between <min> and <max>.
Explanation You are attempting to specify a minimum probe interval for your

specified for that keepalive type in the Shared Keepalive details page. The interval range for the CRA keepalive type is between 1 and 60 seconds. For all other keepalive types, it is between 45 and 255 seconds.
Error Message Duplicate keepalive primary address '<primaryaddress>' detected. An address can be used by at most one KAL-AP type keepalive.
Explanation You are trying to configure a KAL-AP keepalive that uses the same primary IP address as a keepalive of the same type that already exists.
Recommended Action Configure the KAL-AP keepalive to use a primary

Error Message Duplicate keepalive secondary address '<secondary address>' detected. An address can be used by at most one KAL-AP type keepalive.
Explanation You are trying to configure a KAL-AP keepalive that uses the same secondary IP address as a keepalive of the same type that already exists.
Recommended Action Configure the KAL-AP keepalive to use a secondary
Error Message HEAD Duplicate keepalive detected. An HTTP HEAD keepalive must not use the same address, destination path, host tag, and port as another HTTP HEAD keepalive.
Explanation You are trying to configure an HTTP HEAD keepalive that features an identical configuration to that of another HTTP HEAD keepalive on your GSS network.
Recommended Action Configure the HTTP HEAD keepalive to use a unique

Error Message Duplicate keepalive detected. An ICMP keepalive must not use the same address as another ICMP keepalive.
Explanation You are trying to configure an ICMP keepalive with an IP address

Error Message Invalid CAPP hash secret. Secret length must not exceed 31 characters.
Explanation You are attempting to create a KAL-AP keepalive using a CAPP

Error Message Invalid HTTP HEAD destination port. If specified, destination port must be between 0 and 65,535.
Explanation You are attempting to specify a port number for HTTP HEAD

Keepalive details page, enter a port number between 1 and 65,535 through which HTTP HEAD keepalive traffic will pass. The default port is 80.
9-75
Error Message Invalid HTTP HEAD host tag. Host tag length must not exceed 128 characters.
Explanation You are attempting to create an HTTP HEAD host tag that is too long.
Recommended Action Enter an HTTP HEAD host tag of no more than 128 characters.
Error Message Invalid HTTP HEAD path. If specified, path length must not exceed 256 characters.
Explanation You are attempting to specify an HTTP HEAD path that is not valid.
Recommended Action Enter a valid path shorter than 256 characters in the HTTP HEAD default path field in the Shared Keepalive details page.
Error Message There already exists a location named <name> in region <region> with the same name. Please specify a different location name.
Explanation You are attempting to create a location within this region when
the region.
owner a name.
Recommended Action Owners must have a unique name. Enter a name for the
Error Message Invalid owner name. Name length must not exceed 80 characters.
Explanation You are attempting to assign a name to an owner that is too long.
Recommended Action Assign your owner a name that is no longer than 80 characters.
Error Message An owner named <owner name> already exists. Name must uniquely identify an owner.
Explanation You are attempting to assign your owner a name that is already
Error Message There already exists a region named <region name>. All region names have to be unique.
Explanation You are attempting to assign a name to the region that is already
Error Message The maximum number of <size> <className> has been met.
Explanation You are attempting to add a resource to your GSS network when
Error Message Invalid source address block '<blockstring>'. Address block must specify a class A, B, or C host or network.
Explanation You are attempting to specify an invalid source address range.
Recommended Action Enter a valid source address or block of source addresses. Source addresses cannot specify a multicast address list.
Error Message Invalid source address list name. Name must be entered.
Explanation You are attempting to create a source address list without
Error Message Invalid source address list name. Name length must not exceed 80 characters.
Explanation You are attempting to create a source address list with a name that is too long.
Recommended Action Enter a valid name for the source address list that has
Error Message Invalid source address list name. Name must not contain spaces.
Explanation You are attempting to create a source address list with a name that
Error Message This source address list cannot be deleted because it is referenced by <number> DNS rules.
Explanation You are attempting to delete a source address list that is referenced
Error Message A source address list named '<name>' already exists. Name must uniquely identify a source address list.
Explanation You are attempting to create a source address list using a name that is already being used by another source address list on your GSS network.
Recommended Action Assign a unique name to your source address list that is
Error Message The maximum number of 30 source address blocks per list has been met.
Explanation You are attempting to add a source address block to the source address list, when the maximum of 30 source address blocks has already been added to the list.
Recommended Action Remove an existing source address block, or create a source address list for the source address block that you wish to add.
Error Message You cannot delete the account with username 'admin'. This account must exist.
Explanation You are attempting to delete the admin user account.
Recommended Action This account cannot be deleted from the GSSM.
Error Message Invalid answer load threshold. Load threshold must be between 2 and 254.
Explanation You are attempting to assign an invalid load threshold to your
Error Message Invalid answer order. Order must not be negative.
Explanation You are attempting to assign a negative order number to your
CHAPTER 10
Monitoring GSS and GSSM Status
Monitoring GSSM Database Status
Monitoring Global Load-Balancing Status
Viewing Log Files
Monitoring the Online Status of GSS Devices from the CLI
Monitoring the Status of Your GSS Network from the CLI
Monitoring GSS Device Status from the Primary GSSM GUI
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com#
3. Use the gss command to display the current running status of the GSS device that you have logged on to. For example:
gss1.yourdomain.com# gss status verbose
Cisco GSS - 1.1(0.0.1) - Development build
GSSM - primary [Mon Sep 15 13:16:38 UTC 2003]
Normal Operation [runmode = 5]
%CPU  START  SERVER
0.0   Jun17  Boomerang
0.0   Jun17  Config Agent
0.0   Jun17  Config Server
0.0   Jun17  DNS Server
0.0   Jun17  Database
0.0   Jun17  GUI Server
0.0   Jun17  Keepalive Engine
0.0   Jun17  Node Manager
0.0   Jun17  Syslog
0.0   Jun17  Web Server
--    --     SNMP [DISABLED]
Monitoring the Status of the Boomerang Server on Your GSS
Monitoring the Status of the DNS Server on Your GSS
Monitoring the Status of Keepalives on Your GSS
Note
If you specify the show statistics command after issuing either the gss start command or the reload command, the GSS device can take approximately one minute before the command can take effect and display the requested statistics.
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com#
3. Use the show statistics boomerang command to display current boomerang server statistics for a particular domain, or across all domains managed by your GSS. For example:
gss1.yourdomain.com# show statistics boomerang global
Boomerang global statistics:
Total races: 24
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com#
3. Use the show statistics dns command to display statistics from the domain name server (DNS) component of the GSS. For example:
gss1.yourdomain.com# show statistics dns answer
Answer         Type  Total Hits  1-Min  5-Min  30-Min  4-Hr
----------------------------------------------------------------
192.168.1.80   VIP   0           0      0      0       0
1.1.5.160      VIP   0           0      0      0       0
192.168.1.24   VIP   0           0      0      0       0
192.168.1.245  VIP   0           0      0      0       0
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com#
3. Use the show statistics keepalive command to display current keepalive engine statistics for your GSS network. You can view statistics for all keepalive types on your network, or limit statistics to a particular keepalive type such as ICMP, HTTP HEAD, TCP, KAL-AP, or CRA. For example:
gss1.yourdomain.com# show statistics keepalive tcp all
IP: 192.168.50.41 Keepalive => 192.168.50.41 Destination Port: 80 Status: ONLINE Packets Sent: Packets Received: Positive Probe: Negative Probe: Transitions: GID: 105 LID: 5
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Global Site Selectors navigation link. The Global Site Selector list page appears.
3. Click the Modify GSS icon for the GSS or GSSM that you wish to monitor. The device type (GSS or GSSM) appears in the Node Services column. The Global Site Selectors details page appears, displaying configuration and status information about the device at the bottom of the page including:
Status - Online status
Version - Software version currently loaded on the device
Node services - Current role of the device (GSS, primary or standby GSSM, or both)
IP address - Network address of the device
Hostname - Network host name of the device
MAC - Machine address of the device
4.
Monitoring the Database Status
Validating Database Records
Creating a Database Validation Report
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com#
3. Use the gssm database status command to display the current running status of the GSS device that you have logged on to. For example:
gss1.yourdomain.com# gssm database status
GSSM database is running.
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com#
3. Use the gssm database validate command to validate the content of your GSSM database. For example:
gss1.yourdomain.com# gssm database validate
GSSM database passed validation.
1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com#
3. Use the gssm database report command to generate a validation report on the content of your GSSM database. For example:
gss1.yourdomain.com# gssm database report
GSSM database validation report written to validation.log.
4. Use the type command to view the contents of your validation report. For example:
gss1.yourdomain.com# type validation.log
validation.log Start logging at Thu Aug 28 19:17:21 GMT+00:00 2003 - storeAdmin Validating ... Thu Aug 28 19:17:23 GMT+00:00 2003 - ObjectId Object_Name.Field_Name Description
Validating FactoryInfo
Validating answerElement
Validating answerGroup
70 answerGroup.OwnerId Many-To-One List
Validating CachingConfig
Validating ClusterConfig
Validating CmdControl
Validating CmdPurgeRd
Validating CmdUpdate
Validating ConfigProperty
Validating Customer
Validating DistTree
Validating DnsRule
Validating DomainElement
Validating DomainGroup
Validating ENodeConfig
Validating ENodeStatus
Validating KeepAliveConfig
Validating KeepAlive
Validating Location
Validating OrderedanswerGroup
Validating Owner
Validating Region
Validating RequestHandler
Validating RoutedDomain
Validating RoutingConfig
Validating RrConfig
Validating RrStatus
Validating SNodeConfig
Validating SourceAddressElement
Validating SourceAddressGroup
Validating SpInfo
Validating SystemConfig
Validating UpdateInfo
Validating UserConfig
Validating VirtualCDN
Validating WlpanswerElement
Validating User Validations
End of file validation.log
Monitoring Answer Hit Counts
Monitoring Answer Keepalive Statistics
Monitoring Answer Status
Monitoring DNS Rule Statistics
Monitoring Domain Statistics
Monitoring Source Address Statistics
Monitoring Global Statistics
1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Answers navigation link.
3. Click the Answer Hit Counts navigation link (located under the Contents table of contents). The Answer Hit Counts list page appears (Figure 10-1).
Table 10-1 describes the fields on the Answer Hit Counts list page.
Table 10-1 Field Descriptions for Answer Hit Counts List Page
Description
IP address of the answer device
Name assigned to the answer using the primary GSSM GUI
Type of answer: VIP (virtual IP address), NS (name server), or CRA (content routing agent)
GSS network location into which the answer has been grouped
Number of requests directed to the answer by each GSS device
4. Click the column header of any of the displayed columns to sort your answers by a particular property.
1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Answers navigation link.
3. Click the Answer KeepAlive Statistics navigation link (located under the Contents table of contents). The Answer KeepAlive Statistics list page appears (Figure 10-2).
Table 10-2 describes the fields on the Answer KeepAlive Statistics list page.
Table 10-2 Field Descriptions for Answer Keepalive Statistics List Page
Description
IP address of the answer device being probed
Type of answer: VIP (virtual IP address), NS (name server), or CRA (content routing agent)
Name assigned to the answer using the primary GSSM GUI
The address assigned to the remote device, CRA, or name server that the GSS is to forward requests
Field Method
Description
The keepalive method used by the answer: VIP (virtual IP address), NS (name server), or CRA (content routing agent)
GSS network location into which the answer has been grouped
Number of keepalive probes directed to the answer by each GSS device, as well as a record of how those probes were handled. Statistics are presented in the following order:
Keepalive packets sent - Total number of keepalive probes sent to the answer by each GSS on the network
Keepalive packets received - Total number of keepalive probes returned from the answer
Keepalive positive probe count - Total number of keepalive probes received to which a positive (OK) response was returned
Keepalive negative probe count - Total number of keepalive probes received to which a negative response was returned
Keepalive transition count - Total number of keepalive probe transitions (for example, from the INIT to the ONLINE state) experienced by the keepalive
4. Click the column header of any of the displayed columns to sort your answers by a particular property.
1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Answers navigation link.
3. Click the Answer Status navigation link (located under the Contents table of contents). The Answer Status list page appears (Figure 10-3).
Table 10-3 describes the fields on the Answer Status list page.
Table 10-3 Field Descriptions for Answer Status List Page
Description
IP address of the answer device
Name assigned to the answer using the primary GSSM GUI
Type of answer: VIP (virtual IP address), NS (name server), or CRA (content routing agent)
GSS network location into which the answer has been grouped
Online status of the answer according to the named device
4. Click the column header of any of the displayed columns to sort your answers by a particular property.
1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the DNS Rules navigation link. The DNS Rule Statistics list page appears (Figure 10-4).
Table 10-4 describes the fields on the DNS Rule Statistics list page.
Table 10-4 Field Descriptions for DNS Rule Statistics List Page
Description
Name assigned to the answer using the primary GSSM.
GSS owner to which the DNS rule has been assigned.
Total hit count and successful hit count for the DNS rule from the listed GSS device. Refer to the legend that appears below the listed DNS rules if you are confused about which number represents total hits and which represents successful requests served.
3. Click the column header of any of the displayed columns to sort your DNS rules by a particular property.
1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Domains navigation link. The Domain Hit Counts list page appears (Figure 10-5).
Table 10-5 describes the fields on the Domain Hit Counts list page.
Table 10-5 Field Descriptions for Domain Statistics List Page
Description
DNS domains for which your GSS is responsible; these are the domains contained in your domain lists.
Total number of requests for the listed domain from each GSS device
Click the column header of any of the displayed columns to sort the listed domains by a particular property.
1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Source Addresses navigation link. The Source Address Lists Statistics list page appears (Figure 10-6).
Table 10-6 describes the fields on the Source Address Lists Statistics list page.
Table 10-6 Field Descriptions for Source Address Statistics List Page
Description
Address or range of addresses from which DNS queries originate. Source address blocks make up GSS source address lists.
Total number of requests received by the listed GSS device from each address or address block.
Click the column header of any of the displayed columns to sort the listed domains by a particular property.
1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Global navigation link. The Global Statistics list page (Figure 10-7) appears.
Table 10-7 describes the fields on the Global Statistics list page.
Table 10-7 Field Descriptions for Global Statistics List Page
Unmatched DNS Queries - Total number of DNS queries received by each listed device for which no answer could be found
DNS Queries/sec - Average number of DNS queries received each second by each listed GSS device
Keepalive Probes/sec - Average number of keepalive probes received by each listed GSS device each second
3. Click the column header of any of the displayed columns to sort the listed domains by a particular property.
Understanding GSS Logging Levels
Viewing Device Logs from the CLI
Viewing System Logs from the Primary GSSM GUI
Level Number 0 - The GSS has become unusable: for example, the device is shutting down and cannot be restarted, or it has experienced a hardware failure.
Alerts - The GSS requires immediate attention: for example, one of the GSS servers is not running.
Critical - The GSS has encountered a critical condition that requires attention: for example, being unable to connect to the primary GSSM and not having a configuration snapshot to use in the meantime.
Errors - The GSS has encountered an error condition that requires prompt attention but still enables the device to function: for example, running out of memory.
Level Number 4 - The GSS has encountered an error condition that requires attention but is not interfering with the operation of the GSS device: for example, losing contact with the primary GSSM when a local configuration snapshot exists.
Notifications - The GSS has encountered a nonerror condition that should be brought to the administrator's attention: for example, a software upgrade.
Information - Messages at this level are normal operational messages for the GSS device, such as status or configuration changes.
Debug - Messages at this level (such as detailed information about DNS request or keepalive handling, specific code path tracking, and so on) are intended for use by technical support personnel.
Viewing the gss.log File from the CLI
Viewing Subsystem Log Files from the CLI
Rotating Existing Log Files from the CLI
Note
The show logs command outputs all logged information to your terminal session. This output may be quite large and exceed the buffer size that you have set. If you wish to capture all logged information, adjust the size of your screen buffer. Otherwise, use the tail or follow options to limit the output of the file.
To view logged GSS messages in the gss.log file:
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com#
3. Use the show logs command to display logged information for the device on your terminal. For example:
gssm1.yourdomain.com# show logs gss.log
Jul 14 21:42:01 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29410)=> Host 192.10.2.1
Jul 14 21:42:02 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29412)=> Host 192.10.4.1
Jul 14 21:42:02 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.4.1] (Retry Count 3)
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL [192.10.2.1]
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29411)=> Host 192.10.2.1
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 1)
Jul 14 21:42:09 gss-css2 KAL-7-KALCRA[1240] rtt_task: waiting 10000 mseconds
Jul 14 21:42:12 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29412)=> Host 192.10.2.1
Jul 14 21:42:12 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 2)
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.2.1]
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.3.1]
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.4.1]
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.6.1]
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.7.1]
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive => [192.10.8.1]
Jul 14 21:42:17 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29410)=> Host 192.10.3.1
Jul 14 21:42:17 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29413)=> Host 192.10.2.1
Jul 14 21:42:17 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 3)
Jul 14 21:42:19 gss-css2 KAL-7-KALCRA[1240] rtt_task: waiting 10000 mseconds
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL [192.10.3.1]
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29411)=> Host 192.10.3.1
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.3.1] (Retry Count 1)
Jul 14 21:42:22 gss-css2 NMR-7-NODEMGR[1035] Checking process queue for defunct members.
Jul 14 21:42:27 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29412)=> Host 192.10.3.1
Jul 14 21:42:27 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.3.1] (Retry Count 2)
...
4. To limit the output of the show logs command, specify one of the following:
Use the tail option of the show logs command to view just the last ten
Use the follow option of the show logs command to view data that is
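A triage pass over show logs gss.log output of the kind shown above, as an added example that is not Cisco code: it re-joins records the terminal wrapped onto a second line, splits the message tag, and reports keepalive targets whose retry count reaches a threshold. The SUBSYSTEM-SEVERITY-MODULE[pid] reading of the tag, the threshold of 3, the function names and the syslog names used for levels 0 and 4 are assumptions.

```python
import re
from collections import Counter

# Level names from the logging-level table; the names for 0 and 4 are the
# standard syslog ones (assumed, since the table on this page lost them).
SEVERITY = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
            4: "Warnings", 5: "Notifications", 6: "Information", 7: "Debug"}

TIMESTAMP = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"
# Assumed tag layout: SUBSYSTEM-SEVERITY-MODULE[pid], as in KAL-7-KALAP[1240].
RECORD = re.compile(
    rf"^(?P<ts>{TIMESTAMP}) (?P<node>\S+) "
    r"(?P<subsys>[A-Z]+)-(?P<sev>[0-7])-(?P<module>\w+)\[(?P<pid>\d+)\] "
    r"(?P<msg>.*)$")
STARTS_RECORD = re.compile(rf"^{TIMESTAMP} ")
RETRY = re.compile(r"Retrying IP \[(?P<ip>[\d.]+)\] \(Retry Count (?P<n>\d+)\)")
TIMEOUT = re.compile(r"Timeout: Found outstanding KAL \[(?P<ip>[\d.]+)\]")

# Lines copied from the excerpt above, four left wrapped the way a terminal
# shows them; the final KAL-3 line is constructed to exercise the filter.
SAMPLE = """\
Jul 14 21:42:01 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29410)=> Host 192.10.2.1
Jul 14 21:42:02 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.4.1] (Retry Count 3)
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL [192.10.2.1]
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 1)
Jul 14 21:42:12 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count 2)
Jul 14 21:42:17 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.2.1] (Retry Count
3)
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL
[192.10.3.1]
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.3.1] (Retry Count
1)
Jul 14 21:42:22 gss-css2 NMR-7-NODEMGR[1035] Checking process queue for defunct
members.
Jul 14 21:42:30 gss-css2 KAL-3-KALAP[1240] constructed error-level line for this example
"""


def join_wrapped(lines):
    """Re-attach wrapped fragments to the record they continue."""
    records = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if STARTS_RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_record(line):
    """Return the fields of one gss.log record, or None if it does not parse."""
    m = RECORD.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["pid"] = int(rec["pid"])
    rec["level"] = SEVERITY[rec["sev"]]
    return rec


def summarize(text, retry_alert=3, max_severity=3):
    """Count levels, track retries/timeouts per target, collect urgent records."""
    by_level, timeouts = Counter(), Counter()
    max_retry, urgent, unparsed = {}, [], []
    for line in join_wrapped(text.splitlines()):
        rec = parse_record(line)
        if rec is None:
            unparsed.append(line)  # keep, so nothing is silently dropped
            continue
        by_level[rec["level"]] += 1
        if rec["sev"] <= max_severity:  # lower number = more severe
            urgent.append(rec)
        retry = RETRY.search(rec["msg"])
        if retry:
            ip = retry["ip"]
            max_retry[ip] = max(max_retry.get(ip, 0), int(retry["n"]))
        timeout = TIMEOUT.search(rec["msg"])
        if timeout:
            timeouts[timeout["ip"]] += 1
    alerts = sorted(ip for ip, n in max_retry.items() if n >= retry_alert)
    return {"by_level": by_level, "max_retry": max_retry, "timeouts": timeouts,
            "urgent": urgent, "unparsed": unparsed, "retry_alerts": alerts}


if __name__ == "__main__":
    result = summarize(SAMPLE)
    print("targets at retry threshold:", result["retry_alerts"])
    print("records per level:", dict(result["by_level"]))
    for rec in result["urgent"]:
        print("urgent:", rec["ts"], rec["node"], rec["level"], rec["msg"])
```

At debug level (7) the KAL records dominate the file, so filtering on the severity digit before reading is usually the first step.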
Note
Many GSS subsystem logs output all logged information to your terminal session. This output may be quite large and exceed the buffer size that you have set. If you wish to capture all logged information, adjust the size of your screen buffer. Otherwise, use the tail or follow options to limit the output of the file.
To view your GSS subsystem log files:
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. From privileged EXEC mode, navigate to the directory containing the log file or files that you wish to view. For example:
gssm1.yourdomain.com> cd ../sysout
gssm1.yourdomain.com>
3. Use the type command to display the contents of the log file. For example:
gssm1.yourdomain.com> type dnsserver.log
dnsserver.log
Starting dnsserver: Mon Jul 1 13:52:50 UTC 2003 [(1221)]
2003-07-10 16:23:08 relog: Booting...
Starting dnsserver: Wed Jul 10 16:23:33 UTC 2003 [(1201)]
End of file dnsserver.log ]
4. Use the tail command to view just the last ten lines of the log file. For example:
gssm1.yourdomain.com# tail dnsserver.log
Existing log files are archived locally using the following naming convention:
logfile_name.log.number
where:
logfile_name.log - Name of the archived log file (for example, gss.log or kale.log).
number - An incremented number representing the number of times the logs have been rotated (for example, .3). The number of the most recent rotated log file is .1. The maximum number of log files is 25 for the gss.log file, five for all other log files.
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com#
3. Use the rotate-logs command to rotate existing log files. For example:
gssm1.yourdomain.com# rotate-logs
If you wish to clear all rotated log files in the $STATE directory and subdirectories, except for the active log files, include the delete-rotated-logs option. For example:
gssm1.yourdomain.com# rotate-logs delete-rotated-logs
Viewing System Logs from the GUI
Purging System Log Messages from the GUI
System Log Messages
1. From the primary GSSM GUI, click the Tools tab.
2. Click the System Logs option. The System Log list page appears (Figure 10-8) displaying the following information:
Time - Time in Universal Coordinated Time (UTC) at which the logged event occurred.
Node name - Name assigned to the GSS device using the primary GSSM.
Module - GSS component logging the message. For example, server or storeAdmin.
Severity - Severity of the logged message; system log messages are
Fatal - Indicates that the GSS or one of its components failed. Fatal errors are rare and are usually caused by exceptions from which it is impossible to recover, or by the failure of a GSS component to initialize properly.
Warning - Indicates a noncritical error or unexpected condition.
Info - Provides information about the normal operation of the GSS and its components.
Debug - Provides very detailed information about the internal operations of the GSS or one of its components. Debug log messages are intended for use by Cisco support engineers in their efforts to troubleshoot a problem.
Description - Text description that explains the event.
Message - Information about any relevant conditions encountered while
3. Click the column header of any of the displayed columns (except for Severity or Description) to sort the listed domains by a particular property.
Purge a quantity of system log messages from the database up to the last n records, where n equals the number of database records back from the last record to be retained when the database is purged.
Purge system log messages covering a set time period up to n days before today, where n equals the number of days back from today to be retained when the database is purged.
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your GSS, the Accessing the GSS CLI section. The GSS CLI prompt appears.
2. Enable privileged EXEC mode. For example:
gssm1.yourdomain.com> enable
gssm1.yourdomain.com#
3. Use the gssm database purge-log-records command to purge system log messages. For example, to purge all system log messages except for the last 3, enter:
gssm1.yourdomain.com# gssm database purge-log-records count 3
For example, to purge all system log messages except for those generated within the last 7 days, enter:
gssm1.yourdomain.com# gssm database purge-log-records days 7
4. From the primary GSSM GUI, click the Tools tab, then click the System Logs option. The System Log list page appears. Notice that system log messages have been purged based on the criteria specified in the gssm database purge-log-records CLI command.
Description
The named GSS has been deleted from the primary GSSM
An error occurred while the device was processing configuration updates from the primary GSSM. The affected device will attempt to recover automatically.
The process of marking internally inconsistent database records has failed. Errors can be viewed in the validation log.
The GSSM database has failed its internal consistency checks.
The system has detected multiple primary GSSMs operating concurrently.
The process of marking internally inconsistent database records has been successfully completed.
The GSSM database has passed its internal consistency checks.
A new GSS is online and identified itself to the primary GSSM.
A new standby GSSM came online and identified itself to the primary GSSM.
The Cisco GSS software has been stopped from the CLI.
The Cisco GSS software has been started from the CLI.
An error has occurred on the standby GSSM embedded database.
The process of marking internally inconsistent database records has begun.
An internal consistency check has begun for the GSSM database.
The GSS GSSM database has failed internal consistency checks.
The GSS device has dropped (did not report) a certain number of messages in an effort to throttle message traffic to the GSSM.
The primary GSSM has received a report from a GSS device with a GSSM activation time stamp that was not consistent with the primary GSSM's current time. The standby and primary GSSM may have clocks that are not synchronized.
A user has changed his or her password using the Change Password details page from the Tools tab.
Store is corrupted
x System
Messages Dropped
GLOSSARY
A
answer
Individual resource (virtual IP address [VIP], name server [NS], or content routing agent [CRA]) that is used to reply to a content request.
answer group
Customer-defined set of virtual IP address (VIP), name server (NS), or content routing agent (CRA) addresses from which an individual answer is selected and used to reply to a content request.
B
boomerang
Server load-balancing component of the Global Site Selector (GSS) that uses calculations of network delay to select the site closest to the requesting D-proxy. Closeness is determined by conducting DNS races between content routing agents (CRAs) on each host server. The CRA that replies first to the requesting D-proxy is chosen to reply to the request.
C
client
Content consumer, typically a web browser or multimedia stream player, that makes Domain Name System (DNS) requests for domains managed by the Global Site Selector (GSS).
content provider
Customer deploying content on a Content Delivery Network (CDN), or purchasing hosting services from a service provider or web hosting service.
content router
Machine that routes requests for content through Domain Name System (DNS) records.
Software running on a Content Delivery Network (CDN) or server load-balancing device that provides information to a Global Site Selector (GSS) for making content routing decisions, and handles content routing requests from the GSS.
Server load-balancing component for the Catalyst 6000 Switch product.
Cisco server load-balancing appliance for Layer 4 through Layer 7 content.
Cisco customer purchasing Global Site Selector (GSS) hardware, software, or services. Typically an Internet service provider (ISP), application service provider (ASP), or enterprise customer.
D
data center
Collection of centrally located devices (content servers, transaction servers, or web caches).
DNS rule
Central configuration and routing concept of the Global Site Selector (GSS), allowing specific request balance resources, methods, and options to be applied to source address and domain pairs.
domain list
One or more hosted domains logically grouped for administrative and routing purposes.
D-proxy
Client's local name server, which makes iterative DNS queries on behalf of a client. A single recursive query from a client may result in many iterative queries from a D-proxy. Also referred to as local domain name server (LDNS).
F
fully qualified domain name (FQDN)
Domain name that specifies the named node's absolute location relative to the Domain Name System (DNS) root in the DNS hierarchy.
G
Global Site Selector (GSS)
Cisco content routing device that intelligently responds to Domain Name System (DNS) queries, selecting the best content locations to serve those
Set of Global Site Selectors (GSSs) in a scaled, redundant GSS deployment.
Device that administers a Global Site Selector (GSS) network, storing configuration information and statistics for GSS devices and providing a graphical user interface that GSS administrators use to reconfigure or monitor the performance of their GSS network.
System based on the Content Services Switch that directs clients through the Domain Name System (DNS) to different sites based on load and availability. Two versions of GSLB currently exist:
H
hosted domain
Any domain managed by the Global Site Selector (GSS). A minimum of two levels is required for delegation (for example, foo.com). Domain wildcards are supported.
K
keepalive (KAL)
Periodic testing of availability and status of a content service through the sending of intermittent queries to a specified address using one of a variety of methods. The Global Site Selector product uses both primary keepalive and secondary keepalive IP addresses. See keepalive method.
keepalive method
Protocol or strategy used to determine whether a device is online, for example, ICMP, TCP, KAL-AP, HTTP-HEAD, and CRA round-trip time.
L
location
Grouping for devices with common geographical attributes, used for administrative purposes only, and similar to data center or content site. See data center.
N
name server (NS)
Publicly or privately addressable Domain Name System (DNS) server that resolves DNS names to IP addresses. Name servers are used by the Global Site Selector (GSS) for name server forwarding, in which queries that the GSS cannot resolve are forwarded to a designated name server that can resolve them.
O
ordered list
List of possible answers that are used for routing. List members are ranked and tried in order. Answers lower on the list are not tried unless all previous members fail to provide a suitable result.
Machine that serves original or replicated content provider content. Internal department or resource or external customer associated with a group of GSS resources such as domain lists, answer groups, and so on.
R
region
Grouping of Global Site Selector (GSS) locations with common geographic attributes that is used to organize GSS resources.
S
Secure Socket Layer (SSL)
Industry-standard method for protecting and encrypting web communication.
server load balancer (SLB)
Network device that balances content requests to network resources based on content rules and real-time load and availability data collected from those devices. Server load balancers like the Cisco Content Services Switch (CSS), Content Switching Module (CSM), and LocalDirector provide publicly routable virtual IP addresses (VIPs) while front-ending content servers, firewalls, Secure Socket Layer (SSL) terminators, and caches. Third-party SLBs are supported in a GSS network through the use of Internet Control Message Protocol (ICMP), TCP, and HTTP-HEAD keepalives.
service provider
Cisco customer providing infrastructure for a Content Delivery Network (CDN). Also ISP (Internet service provider) and ASP (application service provider).
List of source IPs or source IP blocks that are logically grouped by the system administrator.
static proximity
Type of request routing in which incoming requests from specified D-proxies are routed to statically defined resources that have been identified as being in proximity to the source D-proxies.
subscriber
Client or set of clients receiving a certain style of DNS routing. Subscribers often pay for application services from the Cisco GSS customer.
T
Time To Live (TTL)
Length of time that a response is to be cached and considered valid by the requesting D-proxy.
W
Web Network Services (WebNS)
VxWorks-based operating system and software that runs on the Content Services Switch (CSS).
Index
A
accessing CLI 2-2, 2-4, 2-5 primary GSSM GUI 2-15 remote connection 2-2 serial connection 2-2 access lists access-group command 9-27 access-list command 9-26 adding rules to 9-28 associating with an interface 9-27 creating 9-25 disassociating from an interface 9-28 filtering traffic 9-24 overview 9-24 removing rules 9-29 viewing 9-30 activating GSS devices 2-18 adding rules to access lists 9-28 administrator account, resetting 9-21 answer activating 1-45 configuring 7-1 CRA-type answer, creating 7-14
CRA-type answer, overview 1-16 deleting 7-22 error messages 9-56 hit count 10-11 keepalive 1-17 keepalive statistics 10-11 modifying all in location 7-21 modifying an answer 7-19 monitoring 10-11 name server-type answer, creating 7-17 name server-type answer, overview 1-16 overview 1-14, 7-1 reactivating 7-21 setting all to ICMP 1-46 setting all to none 1-46 status 10-14 suspending 1-45, 7-20 suspending all answers in a location 7-21 VIP-type answer, creating 7-2 VIP-type answer, overview 1-15 answer group adding answers 7-26 balance method options 1-27 balance methods 7-23 CRA configuration information 8-32
creating 7-24 current members 7-27 deleting 7-35 DNS rule 1-12, 1-15 DNS Rule Wizard 8-15 error messages 9-60 general configuration 7-25 load threshold 7-28 modifying 7-29 order 7-28 overview 1-15, 7-23 removing answers 7-29 suspending 7-30 suspending or reactivating all for an owner 7-32 VIP DNS configuration information 8-32 weight 7-28 answer hit counts 10-10 answer keepalive statistics 10-11 Anywhere source address 1-14, 4-1 appliance-based global server load balancing 1-6 A record 8-26, 8-30 associating access list with interface 9-27 audience xx
overview 9-37 procedure 9-39 backup of GSSM database conditions for 9-39 overview 9-37 procedure 9-40 balance clause 7-23, 8-30 balance method answer group options 1-27 answer group pair 7-23 balance clauses 7-23 boomerang 1-26 DNS rule 1-12, 1-15 DNS Rule Wizard 8-22 hash 1-26, 8-23, 8-31 hashed balance method 8-31 least loaded 1-25, 8-31 load threshold option 1-29, 8-19 ordered list 1-24, 8-23, 8-31 order option 1-28, 8-19 overview 1-24 round robin 1-25, 8-23, 8-31 weighted round robin 1-25, 8-23, 8-31 weight option 1-28, 8-19 BIND sample zone configuration file 8-44 boomerang
B
backup of GSSM conditions for 9-39
server 1-27 server, monitoring status 10-3 server status 10-3 browsers supported 1-36
closeness (DNS race) 7-15 communication between nodes 1-33 Content Services Switch data center deployment 1-34 definition G-2 global load-balancing 1-2 GSS network deployment 1-6 VIP answers 1-15 Content Switching Module data center deployment 1-34 definition G-2 global load-balancing 1-2 GSS network deployment 1-6 VIP answers 1-15 copy command 9-9 copying startup configuration to or from disk 9-9 CRA answer, creating 7-14 balance method 1-28, 7-23 closeness 7-15 CRA answer overview 1-16 definition G-2 DNS race 7-15 global keepalive configuration 6-15 keepalive 1-19 last gasp address 8-24 minimum frequency 6-15 one way delay 7-16 overview 1-19
Cisco Global Site Selector Configuration Guide
C
Cancel icon 1-43 certificate accepting 2-16 trusting 2-16 changing GSSM role 9-2 startup and running configuration 9-8 CIDR block masking 4-1 clauses (balance clause) in answer group 7-23 CLI accessing 2-2, 2-12 configuring GSS 2-10 device management 1-34 direct serial connection 2-2 GSS device monitoring 10-2 monitoring GSS network statistics 10-3 private and public key pair 2-5 remote connection 2-4 resetting CLI administrator account 9-21 resetting password 9-21 saving session 2-3 user account, creating 9-19
round-trip time 7-16 timing delay 6-15 Create icon 1-42 CSM See Content Switching Module CSS See Content Services Switch
Delete icon 1-44 deployment configuring name servers 8-42 data center 1-34 GSS devices behind firewall 9-30 locations and regions 3-2 overview 1-31 resources 3-2 typical GSS deployment 1-31 details pages 1-40 disassociating access list from interface 9-28 DNS all 8-26, 8-30 A record 8-26, 8-30 balance clause 8-30 creating DNS rules 8-5 delegation 8-42 DNS queries 8-26, 8-30 glue A records 8-43 hosted domain 1-13 iterative request 1-5 query 1-14 race 1-16, 7-15 recursive request 1-4 request resolution 1-5 routing overview 1-3 sample BIND zone configuration 8-44 server, modifying 8-43 server, monitoring 10-4
D
database backing up 9-40 monitoring status of 10-7 restoring GSSM from full backup 9-49 synchronized with standby GSSM 1-33 validating records 10-7 validation report 10-8 data center definition G-2 deployment 1-34 debug log message 10-29 default password 2-16 username 2-16 delegation definition 1-3 domains to GSS 1-31, 8-43 GSS devices 8-42 subdomains to GSS 1-31, 8-43
traditional routing 1-3 unmatched queries 10-21 zone configuration file 8-43 DNS race balance method 1-26 closeness 7-15 coordinate start time 7-15 CRAs 1-16 DNS rule activating 1-45 answer 1-12 balance clause 7-23 components 1-12 creating 8-2 definition G-2 deleting 8-38 error messages 9-61 filtering 1-43 filters, configuring 8-38 filters, removing 8-42 hit count 10-15 modifying 8-33 overview 1-12 reactivating 8-35 reactivating all by owner 8-36 removing filters 8-42 showing all rules 1-43 suspending 1-45, 8-34 suspending all by owner 8-36
DNS Rule Builder balance clause 8-30 CRA configuration information 8-32 creating DNS rules 8-27 DNS queries 8-30 modifying DNS rule 8-33 name server balance methods 8-23, 8-31 overview 8-4 VIP answer group configuration information 8-32 VIP balance methods 8-31 DNS rule filter configuring 8-38 parameters 8-39 removing 8-42 DNS Rules tab 1-38 DNS Rule Wizard activating 8-26 answer group, configuring 8-15 balance method, configuring 8-22 creating DNS rules 8-5 domain list, configuring 8-10 icons 1-42, 1-44, 1-45 modifying DNS rule 8-33 overview 8-2 source address list, configuring 8-7 summary 8-25 suspending 8-26 documentation caution and note overview xxiii
conventions xxi, xxii organization xx related xxi set xxi symbols and conventions xxii domain lists adding domains to 5-2, 5-5, 8-13 creating 5-2 current members 5-6 deleting 5-10 DNS Rule Wizard 8-10 error messages 9-68 general configuration 5-4 maximum domains 1-13 maximum nonwildcard domain length 5-6 modifying 5-8 overview 1-13, 5-1 regular expressions 5-1 removing domains 5-8 wildcards in domains 5-2, 5-6, 8-13 domain name space 1-3 Domain Name System See DNS domains delegating to GSS 1-32, 8-43 hit counts 10-17 maximum length 5-6 maximum name length 5-5 maximum per domain list 1-13, 5-2
wildcards example 8-13 wildcards maximum length 5-6 downgrading GSS device software 9-48 order of operation 9-48 restoring earlier software version 9-49 D-proxy background 1-4 definition G-2 iterative requests 1-5 name server forwarding 1-16 query GSS 1-14
E
error messages 9-56 answer 9-56 answer group 9-60 DNS rule 9-61 domain list 9-68 GSSM 9-78 keepalive 9-74 location 9-76 owner 9-77 region 9-77 shared keepalive 9-72 source address list 9-79 user 9-81 Ethernet interface, segmenting traffic 9-22
exporting GSSM data 9-12 icon 1-42 Export to CSV icon 1-42
HTTP HEAD configuration settings 6-9 ICMP configuration settings 6-3 KAL-AP configuration settings 6-12 modifying 6-2 name server configuration settings 6-16 overview 6-1 properties, modifying 6-2 standard transmission rate 1-20, 6-4, 6-7, 6-10, 6-13
F
failure detection time, adjusting 1-20 fatal error log message 10-28 filtering GSS traffic 9-24 filters DNS rules 8-38 parameters 8-39, 8-40 removing 8-42 firewall configuring for GSS 9-33 deploying GSS devices 1-32, 9-30 inbound traffic to the GSS 9-31 outbound traffic from the GSS 9-32 permitting traffic to GSS 1-32 FTP, enabling 2-3 full GSSM backup 9-39 fully qualified domain name G-2
TCP configuration settings 6-6 global server load balancing balance clauses 7-23 data centers 1-34 definition G-3 delegation of GSS devices 8-42 global statistics 10-20 monitoring 10-9 overview 1-6 summary 2-23 using the GSS 1-6 Global Site Selector accessing the CLI 2-2, 2-4 accessing the CLI with private/public key pair 2-5 acting as GSSM 1-10, 1-31 activating 2-18 authoritative DNS server 1-7 balancing data centers 1-34 boomerang server 10-3 CLI-based management 1-34
G
global keepalives CRA configuration settings 6-15 fast transmission rate 1-20, 6-4, 6-7, 6-10, 6-13
communication 1-33 configured as GSSM (primary or standby) 2-12 configuring 2-14 configuring from CLI 2-10 console port, physical access to 2-4 delegation of devices 8-42 deleting devices 2-22 deployment 1-31, 1-32, 1-34, 8-42 direct serial connection 2-2 DNS server, monitoring 10-4 downgrading software 9-48 enable remote connect 2-3, 2-5 factors in responding to a request 1-7 firewalls 9-30, 9-33 global server load balancing 1-6 GSLB configuration 2-23 GUI-based management 1-35 hardware 1-10, 1-11 initial setup 2-8 interact with SLBs 1-6 inter-GSS communications 1-33, 9-22 keepalives overview 1-17, 6-1 locating 1-31 login accounts 9-19 MIBs 9-36 modifying device configuration 2-21 monitoring through CLI 10-2 monitoring through GUI 10-6 network configuration settings 9-7
network deployment 2-6 network management 1-34 online status and resource usage 10-2 overview 1-2, 1-10 packet filtering 1-32 ports and protocols 9-25, 9-31 purging system log messages 10-30 remote access, enabling 2-3 remote connection 2-4 removing or replacing 9-2 reporting interval 9-12 resources, grouping 3-16 restoring earlier software version 9-49 running configuration 9-8 setup configuration decisions 2-6 setup script, configuring with 2-8 software architecture 1-9 startup configuration 9-8 synchronized with GSSM 1-10, 1-33 upgrading software 9-41 user account, creating 9-19 user account, deleting 9-20 user account, modifying 9-20 Global Site Selector Manager activating 2-18 backing up 9-37 changing role in GSS network 9-4 changing the GUI password 9-17 communication 1-33
configuring, primary 2-13 configuring, standby 2-13 configuring the GUI 9-10 creating user account (GUI) 9-14 database 1-10, 1-33 database, monitoring 10-7 database, restoring from backup 9-52 default username and password 2-16 definition G-3 deployment 1-31 DNS rule configuration interface 2-24, 8-2 DNS rules 1-12 downgrading software 9-48 error messages 9-78 exporting data 9-12 GSLB configuration 2-23 GUI overview 1-36 icons 1-41 initial setup 2-8 inter-GSS communication 1-33 keepalives overview 6-1 locating 1-31 logging on 2-15 login accounts 9-13 modifying user account (GUI) 9-16 monitoring device status from GUI 10-6 online help 1-47 overview 1-10 password 9-17
platform information 9-50 primary 1-10 primary GSSM GUI overview 1-36 printing data 9-12 redundancy 1-33 removing user account (GUI) 9-17 resetting the GUI password 9-17 resources, grouping 3-16 restoring earlier software version 9-49 restoring full backup 9-49 role change 9-4 security 9-13 setup configuration decisions 2-6 standby 1-11 standby, as backup 1-31 standby acting as primary 1-33 switching primary and standby role 9-2 upgrading software 9-41 viewing system logs 10-28 global statistics 10-20 glossary of terms G-1 glue A records 8-43 GSLB See global server load balancing GSS See Global Site Selector gss.log file 10-24 GSSM See Global Site Selector Manager
gssm standby-to-primary command 9-5 GSS network changing GSSM role 9-4 configuration 1-10, 1-33 configuration overview 2-6 definition G-3 deployment 1-31 global statistics 10-20 GSLB status 10-9 GSS, removing 9-2 GSSM connectivity 2-12 limiting network traffic 9-22 logically removing a GSS 9-2 logically removing a standby GSSM 9-2 management 1-34 monitoring through CLI 10-3 monitoring through GUI 10-6 organizing 3-2 primary GSSM 1-10 primary GSSM, removing 9-2 resource grouping 3-16 segmenting network traffic 9-22 setup configuration decisions 2-6 standby GSSM, removing 9-2 URL 2-15 GSS-related ports and protocols 9-25 GUI browsers supported 1-36 configuration 9-10, 9-11
details pages 1-40 device management 1-34 icons 1-41 list pages 1-38 logging on 1-36, 2-15 monitoring GSS device status 10-6 navigation 1-41 organization 1-38 overview 1-36 password 9-17 refreshing 1-42, 9-10, 9-12 security 9-13 session inactivity timeout 9-10, 9-11 tabs 1-38 timeout 9-11 understanding 1-36 user account, creating 9-14 user account, modifying 9-16 user account, removing 9-17
H
hashed balance method 1-26, 8-23, 8-31 help navigation link 1-47 obtaining 1-47 primary GSSM Online help overview 1-47 hosted domain definition G-3
domain names 1-13 name examples 1-13 overview 1-13, 5-1 regular expressions 1-13 requested 1-12 statistics 10-17 HTTP HEAD keepalive default path 6-11, 6-25, 7-12 destination port 6-11, 7-11 global keepalive configuration 6-9 host tag 6-25, 7-12 overview 1-18 shared keepalive configuration 6-24 termination method 6-11, 6-25, 7-12 VIP answer 7-11 HyperTerminal launching 2-2 saving session 2-3
K
KAL See keepalive KAL-AP keepalive by tag 7-14 by VIP 7-14 CAPP hash secret 6-14, 6-27 global keepalive configuration 6-12 overview 1-19 primary and secondary IP addresses 6-27 shared keepalive configuration 6-26 VIP answer 7-13 keepalive CRA overview 1-19 CRA type 1-19 definition G-4 deleting a shared keepalive 6-29 error messages 9-72, 9-74 failure detection time, adjusting 1-20 fast transmission rate 1-20, 6-4, 6-7, 6-10, 6-13 global properties, modifying 6-2 global properties, overview 6-1 HTTP HEAD connection termination method 6-11, 6-25, 7-12 HTTP HEAD overview 1-18 ICMP type 1-18
I
ICMP keepalive global keepalive configuration 6-3 overview 1-18 shared keepalive configuration 6-21 VIP answer 7-7 icons 1-41 Info log message 10-29 inter-GSS communication 1-33
KAL-AP overview 1-19 keepalive attempts 1-23, 6-5, 6-8, 6-11, 6-14, 6-22, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12
overview 1-25, 8-23, 8-31 weight option 1-29 list pages overview 1-38 sorting items 1-38 loading startup configuration from external file 9-9 load threshold, balance method option 1-29, 8-19
monitoring status 10-5 name server 1-20 name server overview 1-20 none 1-20 number of retries 1-22, 6-5, 6-8, 6-11, 6-14, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12
overview 1-17 probes 1-23, 6-5, 6-8, 6-11, 6-14, 6-22, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12
location creating 3-6 definition G-4 deleting 3-10 error messages 9-76 modify all answers in 7-21 modifying 3-9 organizing resources 3-16 overview 3-2 suspending all answers 7-21 location overview 1-30 log files logging levels 10-22 rotating 10-26 subsystem 10-25 viewing 10-22 logging levels 10-22
probes per second 10-21 shared keepalive, creating 6-17 shared keepalive, modifying 6-28 shared keepalive overview 6-17 shared VIP keepalives, overview 6-17 standard transmission rate 1-20, 6-4, 6-7, 6-10, 6-13
TCP overview 1-18 transmission interval formula 1-21 VIP 1-18, 1-19, 6-17
L
last gasp address 8-24 least loaded 8-31 balance method 1-25, 8-23, 8-31
logging on to GSSM GUI 2-15 logically removing standby GSSM from a network 9-2 logically removing a GSS from a network 9-2
login accounts 9-13 certificate 2-15 default 2-16 GUI 1-36 security 9-13 login accounts creating on GSS 9-19 creating on GSSM 9-14 deleting 9-20 GSSM 9-13 managing 9-19 modifying 9-16, 9-20 removing 9-17
database status 10-7 DNS rule statistics 10-15 DNS server 10-4 global load-balancing status 10-9 global statistics 10-20 GSS network status 10-3 hosted domain statistics 10-17 keepalives 10-5 online status 10-2 resource usage 10-2 source address statistics 10-18 status of GSS devices by CLI 10-2 status of GSS devices from the GUI 10-6 Monitoring tab 1-38
M
messages error 9-56 purging 10-30 system log 10-31 viewing 10-28 MIBs 9-33, 9-36 Modify icon 1-42 monitoring answer hit counts 10-10 answer keepalive statistics 10-11 answer status 10-14 boomerang server status 10-3
N
name server answer type, creating 7-17 authoritative 1-6 authoritative name server (ANS) 1-4 balance method 7-23 balance method options 1-28 balance methods 8-23, 8-31 client name server (CNS) 1-4 definition G-4 DNS resolvers (DNSR) 1-4 forwarding 1-16 intermediate name server (INS) 1-4
keepalive 1-20 name server answer overview 1-16 overview 1-4 query 7-19 records, adding to zone configuration file 8-43 root name servers (RNS) 1-4 name server keepalive global keepalive configuration 6-16 minimum frequency 6-16 overview 1-20 query domain 6-16 navigation through the GUI 1-41 network configuration, erasing 9-7 configuration, modifying 9-7 configuration for GSS devices 9-8 deployment 1-31 locating GSS on 1-31 running configuration, changing 9-8 startup configuration, changing 9-8 network management 1-34 CLI-based 1-34 GUI-based 1-35 node communication 1-33 number of retries for keepalive types 1-22, 6-5, 6-8, 6-11, 6-14, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12
O
one-way delay 7-16 Online help overview 1-47 ordered list 8-31 balance method 1-24, 8-23, 8-31 definition G-4 overview 1-24 order option, balance method 1-28, 8-19 origin server G-5 owner creating 3-11 deleting 3-15 error messages 9-77 modifying 3-14 organizing resources 3-16 overview 1-30, 3-2 reactivating all DNS rules 8-36 suspending all answer groups for 7-32 suspending all DNS rules 8-36
P
Partner Initiated Customer Access See PICA password CLI, resetting 9-21 default 2-16 GSSM GUI, changing 9-17
GSSM GUI, resetting 9-17 logging in 2-16 resetting CLI administrator account 9-21 user account, creating 9-15 PICA 9-44 platform information restoring 9-50 summary 9-50 ports and protocols 9-25, 9-31 primary GSSM changing to standby 9-4 configuring the GUI 9-10 overview 1-10 security 9-13 viewing system logs 10-28 Print icon 1-42 printing GSSM data 9-12 Print icon 1-42 private and public key pairs 2-5 protocols and ports for GSS devices 9-25 proximity DNS race 7-15 purging system log messages 10-30
CRA answer 7-14 DNS request 1-6 DNS rules 1-12 KAL-AP 1-19, 7-14 match DNS query type 8-26 name server 1-20, 6-16 name server answer 7-17 not matched to D-proxy 1-14 query domain 6-16 source addresses 1-13 VIP answer 7-2
R
reactivating all answer groups for an owner 7-32 all answers in an answer group 7-32 all answers in location 7-21 all DNS rules by owner 8-36 answer 7-21 DNS rule 8-35 record database records, validating 10-7 request 8-26, 8-30 redundancy synchronization 1-33 Refresh icon 1-42 refreshing the GUI 1-42, 9-10, 9-12 region creating 3-3
Q
query answers 7-2 balance methods 1-24
definition G-5 deleting 3-10 error messages 9-77 modifying 3-8 organizing resources 3-16 overview 1-30, 3-2 regular expressions 1-13, 5-1 remote access enabling 2-3 FTP 2-3 SSH 2-3 Telnet 2-3 remote connection accessing CLI 2-4 SSH 2-4 Telnet 2-4 report answer hit counts 10-10 answer status 10-14 database validation 10-8 DNS rule hit count 10-15 domain hit count 10-17 keepalive statistics 10-11 source address hit count 10-18 reporting interval 9-12 requests iterative 1-5 resolution 1-4, 1-7 resetting
CLI administrator account 9-21 CLI password 9-21 GUI password 9-17 password 9-21 resources configuring 3-1 grouping 3-16 organizing 3-2 Resources tab 1-38 restoring earlier software version 9-49 GSSM database from a backup 9-52 GSSM from full backup 9-49 GSSM platform information 9-50 rotating log files 10-26 round robin 8-31 balance method 1-25, 8-23, 8-31 overview 1-25 round-trip time 7-16 running configuration changing 9-8 saving 9-8
S
sample BIND zone configuration 8-44 secure HTTP address 2-16 security configuration 9-13
GUI 9-13 segmenting GSS traffic by interface 9-22 server load balancer 1-2, G-5 service provider G-5 session inactivity timeout 9-10, 9-11 setup script 2-8 bypassing 2-8 configuring GSS 2-8 configuring GSSM 2-8 severity log message 10-28 shared keepalive creating 6-17 deleting 6-29 error messages 9-72 modifying 6-28 overview 6-17 shared keepalives HTTP HEAD configuration settings 6-24 ICMP configuration settings 6-21 KAL-AP configuration settings 6-26 TCP configuration settings 6-22 show access-list command 9-30 show logs command 10-24 show statistics command 10-3 boomerang 10-3 dns 10-4 keepalive 10-5 Simple Network Management Protocol (SNMP) community-string 9-34
configuring 9-34 contact information 9-34 enabling 9-34 location 9-35 MIB files, viewing 9-36 overview 9-33 port, changing 9-36 viewing status 9-35 software, restoring earlier version 9-49 software downgrade procedure 9-48 restoring earlier software version 9-49 software update new update file 9-43 obtaining update file 9-43 procedure 9-41 sort DNS rules 8-38 removing 8-42 Sort icon 1-42 source address Anywhere 1-14, 4-1 blocks 1-14, 4-1 hit counts 10-18 maximum per source address list 4-1 overview 1-14 source address and domain hash balance method 1-26, 8-23, 8-31 source address list adding addresses 4-3
address blocks 4-4 anywhere 1-14 Anywhere (default) 4-1 creating 4-1, 4-2 current members 4-4 definition G-5 deleting 4-7 DNS Rule Wizard 8-7 error messages 9-79 general configuration 4-3 maximum addresses 4-1 modifying 4-5 overview 1-13 removing addresses 4-6 SSH, enabling 2-3 SSL See Secure Socket Layer standby GSSM changing to primary 9-4 definition 1-33 overview 1-11 startup configuration changing 9-8, 9-9 loading from external file 9-9 saving from external file 9-9 static proximity G-5 statistics answer hit counts 10-10 answer keepalive 10-11
answer status 10-14 DNS rule hit count 10-15 global 10-20 hosted domains 10-17 source address 10-18 subdomains, delegation 1-31, 8-43 Submit icon 1-43 subscriber G-5 subsystem log files rotating 10-26 viewing 10-25 suspending all answer groups for an owner 7-32 all answers in a location 7-21 all answers in an answer group 7-32 all DNS rules by owner 8-36 answer 7-20 answer group 7-30 DNS rule 8-34 switching primary and standby GSSM role 9-2 synchronization of primary and standby GSSM 1-33 system log messages 10-31 purging 10-30 severity 10-28 viewing 10-28
T
tail command option 10-24 TCP keepalive destination port 6-8, 7-9 global keepalive configuration 6-6 overview 1-18 shared keepalive configuration 6-22 termination method 6-8, 6-23, 7-10 VIP answer 7-9 Telnet, enabling 2-3, 2-5 third-party software, viewing information 9-54 Time To Live G-6 Tools tab 1-38 traffic limiting 9-22 segmenting by interface 9-22 troubleshooting 9-56 TTL See Time To Live
user account, creating 9-14 account, modifying 9-16 account, removing 9-17 error messages 9-81 user account creating 9-14 creating for GUI 9-14 creating with CLI 9-19 deleting 9-20 modifying 9-16, 9-20 removing 9-17 user interface details windows 1-40 icons 1-41 list windows 1-38 log on to 2-15 navigation 1-41 organization 1-38 understanding 1-36 username default 2-16 logging in 2-16 user account, creating 9-15
U
update file, obtaining 9-43 upgrading GSS device software 9-41 obtaining update file 9-43 order of operation 9-41 URL, secure HTTP 2-16
V
validating database records 10-7 viewing
access lists 9-30 gss.log file 10-24 log files 10-22 MIB files 9-36 SNMP status 9-35 subsystem log files 10-25 system log 10-28 third-party software information 9-54 VIP answer groups 7-23 answers 7-2 balance method options 1-28 balance methods 7-23, 8-23, 8-31 keepalive type 1-18 VIP answer overview 1-15 VIP answer answer types 7-5 creating 7-2 HTTP HEAD keepalive 7-11 ICMP keepalive 7-7 KAL-AP keepalive 7-13 TCP keepalive 7-9 VIP keepalive type HTTP HEAD 1-18 ICMP 1-18 KAL-AP 1-19 TCP 1-18
W
warning log message 10-28 weight balance method overview 1-28, 8-19 least loaded 1-29 round-robin 1-29 weighted round robin balance method 1-25, 8-23, 8-31 overview 1-25 wildcards example 8-13 in domains 5-2, 5-6, 8-13 maximum length in domain names 5-6 wizard creating DNS rules 8-5 DNS Rule Wizard 8-2 overview 8-2 write memory command 9-8
Z
zone configuration file modifying 8-43 sample 8-44