Cisco Global Site Selector (presentation transcript)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Global Site Selector
Vikas Deolaliker
Product Manager, ECBU
September, 2011
Product Overview: Global Site Selector

Cisco GSS in a Nutshell

DNS Services
• DNS authority for A records and AAAA records (Rel. 4.1)
• Answers of type: A record, AAAA, NS and CRA
• DDoS protection for DNS security
• 12K – 28K DNS RPS depending upon configuration complexity

GSS Network Configuration Limits
• Destination: 2000 hosted domains (128 chars with wildcards)
• Source: 60 Source Address Lists
• Resources: 4000 VIPs across 256 SLBs (increasing to 8K in Rel 4.1)
• KALs: MP, ICMP, TCP, HTTP/Head, KAL-AP, SNMP, CRA, NS
• Policy: 4000 DNS rules across the GSS network

GSLB Services
• Availability: site-level failover
• GSLB methods: Geographical, Topological, Least Loaded, Client Source Resolver Hash, Ordered List, Ratio, RR/WRR
• Resource affinity: Sticky, Cookies

Management, Monitoring & Logging
• User interface: GUI (with the new Cisco Kubric look & feel) & CLI
• Authorization: RBAC
• Management station support: ANM

Pricing: $20K plus licenses for DDoS, GeoIP
• License-free IPv6 support
• DDoS protection
• Geographical and resource affinity
• Supports Cisco ACE/CSS/CSM

Documentation: http://cio.cisco.com/en/US/products/hw/contnetw/ps4162/products_installation_and_configuration_guides_list.html

Part numbers: ACE GSS4492R-K9 (HW), SF-GSS-V1.3-K9 (SW), SF-GSS-DDOSLIC (DDoS), SF-GSS-GIPLICFX (GeoIP GSLB support), SF-GSS-V6LICFX (IPv6 support)

Up to 16 GSS can work in a cluster to meet the needs of large Enterprises and Service Providers.
More specifically …
• Provides universal DNS-based disaster recovery: redirects clients to a back-up data center for any device that supports SNMP MIB and uses DNS
• Protects the DNS infrastructure with DNS-based DDoS mitigation software
• Delivers advanced global traffic management (Global Server Load Balancing, GSLB) for geographically dispersed server load balancers and caches; connects clients to the best server based on:
  – Network topology
  – Server load
  – Availability of content and devices

GSS participates in your DNS infrastructure to enforce BCDR, GSLB and DNS security policies.
Release 4.1 Highlights

Key Benefits
1. Route clients based on geographical proximity to the application
2. Support for IPv6 addressing for clients and servers
3. Extreme scalability for cloud datacenters
4. Reduce operational costs through enhanced GUI and ANM integration

[Diagram: user (2001:0DB8:AC10:FE01::) → LDNS → GSS network → SLB (2001:0DB8:AC10:FE01::) at Datacenter A or Datacenter B; steps a–d]

Globally route clients based on
- Geographical Proximity
- RTT Proximity
- Site Persistence
- Site Health

Available on CCO: September 22nd, 2011
Geolocation Based Global Delivery

Geolocation Highlights
(a) GeoIP based Proximity
• Proximity calculations using GeoIP distances
(b) GeoRegions: GeoIP based Regions
• Regions based on GeoIP database entries (add a single country or multiple countries). Granularity down to states
• Sticky support for GeoRegions
(c) GeoSAL: GeoIP based Source Address Lists
• SALs can be based on GeoIP based Regions
(d) New GUI Design (Kubric Look & Feel)
• GUI option to configure all GeoIP functionality

[Diagram: user (2001:0DB8:AC10:FE01::) → LDNS → GSS network → SLB at Datacenter A or Datacenter B; steps a–d]
GeoProximity

[Diagram: user (2001:0DB8:AC10:FE01::) → LDNS → Internet → ACE GSS and servers at Data Centers A, B, C and D]

• Overrides RTT based proximity
• Picks the application based on the geographical distance between the probing device and the client LDNS
• Licensable feature
GeoRegions
o Define regions based on logical groups, for example BRIC (Brazil, Russia, India, China).
o Create geographically grouped resource pools, for example US-Central-Datacenter. Use the regions to group resources (VIPs, NS, CRA) and clients (source address lists).
o Define persistence policy based on GeoRegions

[Diagram: GeoRegions map with the US-Central-Datacenter pool]
Operational Flexibility: Lower the Operational Expense

• ANM
  – Import the GSSM configuration into ANM and monitor VIP status and DNS rule status/hit count statistics from the ANM GUI
  – Suspend/activate VIPs, rules and the GSS SW release number from the ANM GUI
• HTTPS KAL
  – Adds HTTPS-HEAD to the existing KAL types: ICMP, TCP, HTTP HEAD, KAL-AP, Scripted KAL, CRA, and Name Server
• Global Shared KeepAlive activate/suspend
• GUI logging
Ease of Management

• GSS is a system, not a device
  – Self-synchronization of up to 16 GSSes
  – Single point of management via GUI
  – Does not sacrifice device-level access (SSH to box)
  – Any GSS can run the GUI and a 2nd GSS serves as standby
• Easy to use interface
  – IOS syntax; 100 new CLI commands since v1.3
  – Single interface for monitoring, troubleshooting and configuration
  – Supports import/export of configuration in industry-standard formats
  – Role based access control
  – Remote syslog support
• Management integration with ANM
  – ANM supports the activation and suspension of DNS rules and answers
  – ANM communicates with the primary GSS manager (PGSSM) via CLI, RMI and SSH. The configuration parameters needed to establish this communication are the GSS IP address and SSH credentials
  – Four of the eight administrator logons are consumed by ANM
  – ANM issues commands to the PGSSM, then the PGSSM relays these commands to the rest of the GSSs in the cluster

[Diagram: ANM and the GSS GUI managing the GSS network]

The GSS network is managed as a system, which reduces the number of touchpoints.
IDN Support
1. Internationalized Domain Names (IDNs) are domain names that contain non-ASCII characters (for example, Arabic or Chinese).
2. The ASCII form of an IDN label is termed the "A-label". The non-ASCII form uses Unicode and is termed the "U-label".
3. GSS can be configured for non-ASCII URLs.
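The A-label/U-label relationship above is easy to see in code. The following is an added example (not GSS code and not from the deck) using Python's standard-library `idna` codec, which implements IDNA2003 nameprep plus punycode; the `mixed_script_labels` check is my own addition, the sort of sanity check an operator would want before accepting a non-ASCII hosted domain, since a label mixing scripts (Latin plus Cyrillic, say) is the usual shape of a look-alike name. The sample names are constructed.

```python
import unicodedata


def to_a_label(name: str) -> str:
    """U-label (Unicode) domain -> A-label (ASCII, 'xn--' + punycode per label).
    ASCII-only labels are returned unchanged by the codec."""
    return name.encode("idna").decode("ascii")


def to_u_label(name: str) -> str:
    """A-label -> U-label. Accepts either form: a U-label input is first normalised
    to its A-label so the decode step always sees ASCII."""
    return to_a_label(name).encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, CJK, ...). Digits and '-' are ignored."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def mixed_script_labels(name: str) -> list:
    """Return the labels of `name` (given as A- or U-label) that mix more than one
    script. A single-script label, ASCII or not, is never flagged."""
    return [lab for lab in to_u_label(name).split(".") if len(label_scripts(lab)) > 1]


if __name__ == "__main__":
    # Constructed sample: a German U-label, its A-label, and a Latin/Cyrillic mix.
    for sample in ("bücher.de", "xn--bcher-kva.de", "p\u0430ypal.com"):
        print(sample, "->", to_a_label(sample), "| mixed:", mixed_script_labels(sample))
```

`to_a_label` is the form a DNS server stores and matches on the wire; `to_u_label` is what an administrator should be shown in a GUI, together with the mixed-script flag, so that a look-alike entry is visible rather than hidden behind an `xn--` string.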
DNSSEC Ready
1. For *matching* non-A DNS queries, DNSSEC requests are automatically forwarded to the external name server.
2. For *matching* A queries with the DO (DNS OK) flag set, GSS forwards the request to the external name server; the external NS provides a DNSSEC response, which the GSS forwards to the D-proxy.
3. For all the rest, GSS responds as it currently does, with a plain DNS response.

Configuration is quick and simple:
gss2-tb1.cisco.com# configure terminal
gss2-tb1.cisco.com(config)# property set ServerConfig.dnsserver.enableEDNS 1
gss2-tb1.cisco.com(config)# property set ServerConfig.dnsserver.nsForwardAQueriesWithDOFlag 1
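The forwarding decision above hinges on one bit: the DO ("DNSSEC OK", RFC 3225) flag, carried not in the DNS header but in the TTL field of the EDNS OPT pseudo-record in the additional section. The following added example (my own code, not the GSS implementation) builds query packets with and without an OPT record, parses the DO bit back out, and applies the three rules from the slide. The hosted domain set, the `dispatch` function and the treatment of a name the GSS does not host (answered plainly, my reading of "all the rest") are assumptions; the two property names are the ones shown in the configuration above.

```python
import struct

QTYPE_A, QTYPE_AAAA, QTYPE_OPT = 1, 28, 41
EDNS_DO = 0x8000  # DO bit: top bit of the OPT record's 32-bit TTL field (RFC 3225)


def encode_name(name: str) -> bytes:
    """Wire-encode a DNS name as length-prefixed labels plus the root label."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname: str, qtype: int, edns: bool = True, do: bool = False, txid: int = 0x1234) -> bytes:
    """Build a DNS query; when `edns` is set an OPT RR in the additional section carries DO."""
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags 0x0100: RD set
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)        # class IN
    if edns:
        ttl = EDNS_DO if do else 0
        # root name, TYPE=OPT, CLASS=UDP payload size 4096, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, ttl, 0)
    return msg


def parse_name(data: bytes, off: int):
    labels = []
    while True:
        ln = data[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln


def parse_query(data: bytes) -> dict:
    """Return qname, qtype and whether the client set DO. Handles query messages only."""
    _, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    if qd != 1 or an or ns:
        raise ValueError("not a plain query")
    qname, off = parse_name(data, 12)
    qtype, _qclass = struct.unpack_from("!HH", data, off)
    off += 4
    do = False
    for _ in range(ar):                       # walk the additional section looking for OPT
        _, off = parse_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10 + rdlen
        if rtype == QTYPE_OPT:
            do = bool(ttl & EDNS_DO)
    return {"qname": qname.lower(), "qtype": qtype, "do": do}


# Constructed: names the GSS is authoritative for, and the two properties from the slide.
HOSTED_DOMAINS = {"www.example.com", "example.com"}
PROPERTIES = {
    "ServerConfig.dnsserver.enableEDNS": 1,
    "ServerConfig.dnsserver.nsForwardAQueriesWithDOFlag": 1,
}


def dispatch(query: dict, props: dict = PROPERTIES) -> str:
    """'forward' = hand the query to the external NS and relay its DNSSEC answer;
    'plain' = answer locally as before. Mirrors the three rules on the slide."""
    if query["qname"] not in HOSTED_DOMAINS:
        return "plain"                        # assumption: non-hosted names are "the rest"
    if query["qtype"] != QTYPE_A:
        return "forward"                      # rule 1: matching non-A queries
    if (query["do"]
            and props.get("ServerConfig.dnsserver.enableEDNS") == 1
            and props.get("ServerConfig.dnsserver.nsForwardAQueriesWithDOFlag") == 1):
        return "forward"                      # rule 2: matching A query with DO set
    return "plain"                            # rule 3: everything else
```

Note that without `enableEDNS` the OPT record is never interpreted, so a DO-flagged A query falls through to a plain answer; a validating resolver will then treat the unsigned response as bogus for a signed zone, which is why the two properties are set together.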
Extreme Scalability: Global Application Delivery
(a) Thousands of applications: GSS answers are VIPs declared on ACE. In Rel 4.1, GSS supports 256 ACEs, 8000 VIPs and 2000 domains.
(b) Vast pools of resources: KeepAlive is the way GSS monitors the resources behind the VIPs it serves. KAL-AP is Cisco's proprietary keepalive. In Rel 4.1, GSS supports 128 KAL-AP configurations.
(c) Global clients and servers: GSS responds with the VIPs that are closest to the requesting client (LDNS). In Rel 4.1, GSS uses GeoIP to determine proximity in addition to the existing probing mechanisms.
(d) ANM for cluster management: ANM can activate/suspend answers on GSS and manage all 16 GSSes in a cluster.

[Diagram: user → LDNS → GSS network → ACE at Datacenter A or Datacenter B, each reporting utilization; steps a–d]
End to End Solutions: GSS, ACE, N7K (ACE+GSS Cloud Solution)

Integration Points
(a) Wide Area vMotion (OTV/DWS): upon notification of a vMotion, GSS changes the answer for a query, thereby helping the customer preserve WAN bandwidth.
(b) ACE virtualization: GSS treats ACE contexts as separate ACE devices, thereby enabling virtual datacenters for each customer B, C, D, …
(c) Virtual GSS: with Rel 5.1 (CY12), vGSS can offer dedicated GSS functionality per VLAN.

[Diagram: user → LDNS → GSS network → ACE at the primary datacenter and ACE at the secondary datacenter, with per-customer (B, C, D) VMs moving between them]
GSS IPv6 Support

Component           | IPv6 is supported on …
Platform & Tools    | access-group, access-list, interface ip, ip default-gateway, ip route, ip anycast, setup, ping, dnslookup, show, traceroute, tcpdump, ftp, scp, telnet
KAL                 | ICMP, TCP, HTTP, HTTPS, KAL-AP
Resource Grouping   | VIP, Name Server, CRA, Locations, Regions, Zones
Traffic Management  | Proximity, DNS Rules
GSLB                | Response with AAAA for queries from IPv4 or IPv6 LDNS; responds with both A and AAAA records if available; DNS rules support IPv6 Source Address Lists and AAAA query type filters
SNMP and Monitoring | IPv6 SNMP MIB support
GSS 4.1 – Q4CY11
(a) GeoIP based GSLB
• GeoIP based proximity
• GeoIP based DNS rules and sticky
(b) IPv6
• Support for AAAA response
• Support for persistence
• IPv6 management over IPv6 interface
(c) New GUI design (Kubric look & feel)
(d) Configuration scalability
• 8000 answers

[Diagram: user (2001:0DB8:AC10:FE01::) → LDNS → GSS network → SLB at Datacenter A or Datacenter B; steps a–d]
GSS Release Map (Jan 2011 – Feb 2012)
• Release 3.3 (private only): GeoIP proximity; 8K answers support; ANM support for 8K answers
• Release 3.2: HTTPS KAL; workaround for DNSSEC; bug fixes
• Release 4.1: IPv6 support; GeoIP GSLB; ANM support for 8K answers
• Release 4.1.1: IPv6 dot.ONE release; bug fixes

GSS Direction
2011
• Release 3.2 (Feb 2011): HTTPS KAL; DNSSEC forwarding; critical bug fixes
• Release 4.1 (September 2011): IPv6 support (AAAA); GeoIP (Proximity, GeoRegions, GeoSALs)
2012
• Release 5.0 (CC'ed): DNSSEC with FIPS; SOA & NS records; HW refresh
GlobalStrike GSS 5.1: Key Asks

1. Security and Compliance
(a) DNSSEC strengthens the integrity of the DNS query/response transaction against threats such as:
• Forged or bogus responses
• Removal of resource records (RRs) from responses
• Incorrect application of wildcard expansion rules
(b) USGv6 and IPv6 Phase 2 logo certification; FIPS compliant or validated encryption with acceleration; Common Criteria EAL-2
2. Platform Refresh
(c) UCS server based appliance (San Luis); vGSS
3. GeoIP Enhancements
(d) Logical grouping of GeoRegions
4. KAL-AP
• Enhancements and scalability

[Diagram: user (2001:0DB8:AC10:FE01::) → LDNS → GSS network → SLB at Datacenter A or Datacenter B; steps a–d]

Concept Committed 8/22/2011
GSS Roadmap

Rel 4.0 (Q4CY11)
• DNS Services: IPv6 support for AAAA, A6 and CNAME DNS records
• GSLB Services: GeoIP based proximity
• DCI Services: automation to support vMotion over DCI
• Operational Optimization: audit logs; log source IP; sync CLI and GUI users; view KAL logs through the GUI
• Hardware Platform: GSS-4492R

Rel 5.0 (1HCY12)
• DNS Services: DNSSEC with FIPS; SOA & NS record support
• GSLB Services: share KAL status among peers; KAL-AP with VIP capacity/load
• DCI Services: automation through integration with ANM; exploring LISP support
• Operational Optimization: authentication using AD; automated backup; activate/suspend answers; enhanced reporting; alerts/alarms
• Hardware Platform: hardware refresh with FIPS compliance

[Diagram: user → LDNS → GSS network → SLB at Datacenter A or Datacenter B, annotated with the roadmap items 1–5]
Ease of Deployment

[Diagram: clients requesting web sites (mobile, fixed wireless, cable, DSL, dedicated/ATM/FR, ISDN/dial) with DNS resolvers (DNSR: IE, Firefox, etc.) → client name servers (D-proxy) at ISP#1, ISP#2 and ISP#3 (BIND, CNR, QIP) → root name server and intermediate name server supporting .com → GSS at Data Center #1 and Data Center #2; DNS requests and responses form the DNS global control plane over the IP control/forwarding plane (Layer 3 communications)]

GSS becomes the authoritative name server for the entire zone, supporting all applications for the SP.

GSS participates in the DNS infrastructure: lower latency.
Use Case: Policy based GSLB

[Diagram: the user and the P-DNS (216.1.1.1) send a DNS query for www.fifa.com; nameserver.fifa.com holds "NS" records 10.86.191.150 (GSS Johannesburg) and 10.86.191.134 (GSS Milan), joined by a mesh link; the GSS returns the "A" record 10.86.191.147 (VIP of the SLB at Datacenter B) or 10.86.191.131 (VIP of the SLB at Datacenter A)]

Configuration steps
1. Add NS records for both GSSes
2. Create the mesh link
3. Add DNS rules + SAL + DDL + Qtype + add clauses

GSLB can redirect traffic based on
• Proximity: selects the answer based on the lowest RTT. RTT is measured between the client's D-proxy and a probing device (Cisco router and/or GSS). GSS uses DRP to communicate with the probes
• Disaster recovery: site health check
• Datacenter load: KAL-AP
• Ratio based GSLB

GSLB policy enables redirection based on proximity, site health, server load and user preferences.
Use Case: BCDR

[Diagram: clients (mobile, fixed wireless, cable, DSL, dedicated/ATM/FR, ISDN/dial) → resolver → DNS name servers → GSS cluster (DNS global control plane) → Data Center #1 (Chicago), Data Center #2 (Tokyo) and the NJ back-up Data Center #3 over the IP control/forwarding plane]

Recovering service availability after failure
• Active-passive design
• Network fail-over can happen within 10s
• Application/server recovery time is based on the time it takes to complete data synchronization of the back-end database, application servers and web servers
Supported by Cisco's solutions: GSS, CSS, CSM, ACE
Use Case: Securing DNS Infrastructure

[Diagram: the same topology as the BCDR use case, with compromised DNS name servers or DNS bots among the resolvers sending queries toward the GSS cluster]

• Provides a security-focused, highly available DNS/DHCP/TFTP infrastructure for one or more data centers
• Automatically identifies DNS-based DDoS attacks and mitigates them
• Rate limits these specific DNS requests
GSS Release 3.1.2

Before | After
1. No support for IDNA | IDNA support
2. Limited integration with SLB management (ANM) | Integration with SLB management (ANM)
3. KALs did not support HTTPS transport | KALs on HTTPS transport
4. Bug fixes | Bug fixes (tentative)

[Diagram: user → LDNS → GSS network → SLB at Datacenter A or Datacenter B, with KAL, annotated with items 1–4]
GSS Release 3.2.0

Before | After
1. No HTTPS KAL | HTTPS KAL
2. DNSSEC deployments break | DNSSEC workaround to forward A4 records
3. GUI based config changes not logged | Audit log for GUI based config changes
4. SSL vulnerabilities | Secure communication on SSL

[Diagram: user → LDNS → GSS network → SLB at Datacenter A or Datacenter B, with KAL, annotated with items 1–4]
GSS Competitive Side by Side

Feature | F5 GTM | NetScaler GSLB | Brocade GSLB | RadWare GSLB | Cisco
DNS Services
DNS services | Uses BIND | Uses BIND | Uses BIND | Uses BIND | CNR*
DNS defense | Yes | No | No | Unknown | Yes
GSLB Services
Dedicated appliance | Yes | Yes | No | Yes | Yes
GSLB functions | Yes, 7 methods | Yes, 3 methods | Yes, 3 methods | Yes, 3 methods | Yes, 7 methods
Dynamic ratio | Yes | No | No | Unknown | Yes
Persistence | Yes | Yes | No | Yes | Yes
Topological | Yes | No | No | Yes | Yes (manual load)
Geographical | Yes | Yes | Yes | Yes | Yes (manual load)
Management
GUI, CLI and wizard | Yes | No | No | Unknown | Yes
Administrative login authentication | Local only | Local only | Local only | Local only | RADIUS and RBAC
GSS Performance & Configuration Scalability

Performance
  Single VIP (ans/sec)                                              30,000
  Complex configuration (ans/sec)                                   13,000
  NS forwarding                                                     1500

Configuration Limits
  DNS rules                                                         4000
  VIPs (standard/shared)                                            2000/4000
  Active SLBs probed                                                256
  Max active GSSes in mesh                                          16
  HTTP probes (standard/fast)                                       500/100
  ICMP probes (standard/fast)                                       750/150
  TCP probes (standard/fast)                                        1500/150
  Scripted SNMP probes (standard/fast)                              384/120
  KAL-AP probes (standard/fast)                                     128/40
  Answer groups (max per group)                                     2000 (100)
  Name server addresses for NS forwarding (max per answer group)    100 (30)
  DNS race CRA devices (max per race, max per answer group)         200 (20, 20)
  Source IP addresses configurable for DNS rules                    500
  Source address groups (max per group)                             60 (30)
  Hosted domains (max per SLB)                                      2000 (1000)
  Hosted domain lists (max per domain list)                         2000 (500)
  Administrative owners                                             500
  Administrative regions (locations)                                20 (1000)
  Max user IDs                                                      256
  Max GUI (CLI) sessions                                            128 (8)
Questions?

BACKUP
Security Focused Functionality
• Improves availability and resiliency of the DNS infrastructure with high-performance, self-protecting DDoS software
• Offloads and optimizes BIND/DNS processing and selects the best site based on:
  – Intelligent load balancing algorithms & "clauses"
  – Proximity to the user request
  – Data center and server loads, availability & health
  – Persistence, to prevent lost session information
• Complete and centralized DNS/DHCP/TFTP management for network-enabled applications
• Security conscious features:
  – DDoS mitigation software
  – Client-to-GSS and GSS-to-GSS communication encrypted
  – Private DNS code base
• Supports all DNS-compatible devices
• Can be deployed with or without content switches
Improving DNS Survivability
• Detects and mitigates DNS-focused Distributed Denial of Service (DDoS) attacks, with multiple defenses including source verification
• Has the granularity and accuracy to provide new levels of business continuity by processing only legitimate DNS requests
• Delivers the performance and architecture suitable for the largest enterprises and providers
• Addresses DDoS attacks today; its network-based behavioral anomaly capability will be extended to additional DNS-focused threats
Security Focused GSS Deployment: Best Practices

[Diagram: ISP-1 and ISP-2 → Cisco GSS placed alongside the public web servers in the DMZ; the secure web servers, the internal DNS server and other servers sit in Datacenter A behind the firewalls; unsecured DNS traffic stays in the DMZ]

Why here (in the DMZ)?
- Public IPs and DNS host names
- Layers of firewalls and NATing between DNS and the internal servers
Not here (inside)?
- If hacked, private IPs become available
- DNS traffic would be tunneled through the firewall
- Violates the recommended "split DNS" best practice
Shared KeepAlive (configuration example)

Shared keepalive: type kal-ap, 10.86.191.129 | 10.86.191.145

Answers
  Answer-1(NY)  VIP-A 10.86.191.131
  Answer-1(Bos) VIP-A 10.86.191.147
  Answer-2(NY)  VIP-B 10.86.191.136
  Answer-2(Bos) VIP-B 10.86.191.153

Answer groups
  grp-bxb: Answer-1(NY), Answer-1(Bos)
  grp-rtp: Answer-2(NY), Answer-2(Bos)

Domain lists
  bxb:  www.bxb.com
  rest: www.bxb.com, www.sjc.com

Source address lists
  Asia:     124.0.0.0 – 145.0.0.0, 87.0.0.0 – 94.0.0.0
  Anywhere: 0.0.0.0 – 255.255.255.255

Rule – bxb.com
  Source Address List: Anywhere
  Domain List: bxb
  Balance Clause 1: AnswerGroup grp-bxb, Balance Method Round Robin
  Balance Clause 2: (empty)
  Balance Clause 3: (empty)

Rule – goodFellas.com
  Source Address List: Asia
  Domain List: rest
  Balance Clause 1: AnswerGroup grp-bxb, Balance Method Round Robin
  Balance Clause 2: (empty)
  Balance Clause 3: (empty)
GSS vs F5 GTM

Feature | GSS | F5
Global Traffic Management
Advanced multi-site traffic management w/ persistence | Yes | Yes
Integrate DC selection with server load | Yes | Yes
Universal health checks for traffic management | Yes | Yes
Leverages Cisco router technology for DC selection | Yes | NO!
Business Continuance
Provides HA for any type of DNS traffic | Yes | Yes
Manageability
Dynamic configuration, secure auto-sync | Yes |
Network Server Consolidation
Appliance based DNS | Yes (but we have retired CNR) | Yes (with BIND)
Full DHCP/TFTP services | Yes (but we have retired CNR) | NO!
Security Focused DNS Infrastructure
Integrated DNS-based DDoS protection | Yes | NO!
Protects BIND infrastructure | Yes | NO!
Not subject to BIND vulnerabilities | Yes | NO!
GSLB Core Balance Functions: Load Balancing Methods
1. Ordered List: uses the next VIP when all previous VIPs are overloaded or down
2. Static Based on Client's DNS Address: maps the IP address of the client's DNS to available VIPs
3. Round Robin: cycles through available VIPs in order
4. Weighted Round Robin: weighting causes repeat hits (up to 10) to a VIP
5. Least Loaded: least connections on CSM and least loaded on CSS; load communicated via CAPP UDP
6. Source Address and Domain Hash: the IP address of the client's DNS proxy and the domain are used; always sticks the same client to the same VIP
7. DNS Race: initiates a race of A-record responses to the client; finds the closest SLB to the client's D-proxy
8. DRP-based Dynamic Network Proximity: actively localizes client traffic by probing the client's DNS name servers and routing the client to the closest data center based on the lowest RTT measurement; scales to greater than 400,000
9. Global Sticky DNS Database: dynamically tracks where clients are sent, then ensures they are sent to the same device for subsequent requests; entries are based on the IP address of the client name server and the domain name requested; sticky answers are shared between GSSs
10. Drop: silently discards the DNS request
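The shared-keepalive configuration slide (source address lists, domain lists, answer groups and the three balance clauses of a rule) and the balance-method list above describe one matching pipeline. The following added example (my own model, not GSS code) runs that pipeline end to end: a query from a D-proxy is matched against the rules by source address list and domain list, the rule's clauses are tried in order, and the clause's balance method picks an answer among the VIPs whose keepalive reports them up. The answers, groups, lists and VIPs are adapted from the configuration slide but the second rule's clauses are changed so that clause fall-through and the hash method are exercised; first-matching-rule order, SHA-256 as the hash, and the `alive`/`load` fields standing in for KAL-AP status are assumptions. Ordered list, round robin, weighted round robin, source-address-and-domain hash, least loaded and drop are implemented; the probing-based methods (DNS race, DRP proximity) and the sticky database need network state the example does not have.

```python
import fnmatch
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass
class Answer:
    name: str
    vip: str
    alive: bool = True   # result of the shared keepalive (e.g. KAL-AP): VIP up or down
    load: int = 0        # load reported by KAL-AP, used by least-loaded
    weight: int = 1      # WRR: repeat hits to this VIP before moving on


def in_source_list(ranges, ip):
    """ranges: list of inclusive (first, last) IPv4 strings, as on the SAL slide."""
    a = int(ipaddress.ip_address(ip))
    return any(int(ipaddress.ip_address(lo)) <= a <= int(ipaddress.ip_address(hi)) for lo, hi in ranges)


def in_domain_list(patterns, qname):
    """Hosted-domain patterns may contain wildcards (fnmatch syntax stands in here)."""
    q = qname.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(q, p.lower()) for p in patterns)


def alive(group):
    return [a for a in group if a.alive]


# Balance methods take (group, ctx) and return an Answer, or None when nothing in the
# group is usable so that the next clause is tried.
def ordered_list(group, ctx):
    up = alive(group)
    return up[0] if up else None


def round_robin(group, ctx):
    up = alive(group)
    if not up:
        return None
    n = ctx["counters"].get(ctx["key"], 0)       # one counter per rule/clause
    ctx["counters"][ctx["key"]] = n + 1
    return up[n % len(up)]


def weighted_round_robin(group, ctx):
    up = [a for a in alive(group) for _ in range(a.weight)]   # expand by weight
    if not up:
        return None
    n = ctx["counters"].get(ctx["key"], 0)
    ctx["counters"][ctx["key"]] = n + 1
    return up[n % len(up)]


def source_domain_hash(group, ctx):
    up = alive(group)
    if not up:
        return None
    h = hashlib.sha256(f"{ctx['dproxy']}|{ctx['qname'].lower()}".encode()).digest()
    return up[int.from_bytes(h[:4], "big") % len(up)]   # same D-proxy + domain -> same VIP


def least_loaded(group, ctx):
    up = alive(group)
    return min(up, key=lambda a: a.load) if up else None


METHODS = {"ordered": ordered_list, "rr": round_robin, "wrr": weighted_round_robin,
           "hash": source_domain_hash, "least": least_loaded}


@dataclass
class Rule:
    name: str
    sal: list        # source address list
    domains: list    # domain list
    clauses: list    # up to three (answer_group, method) pairs, tried in order


def resolve(rules, dproxy, qname, ctx):
    """Return (status, Answer or None). First matching rule wins (assumption)."""
    for rule in rules:
        if not (in_source_list(rule.sal, dproxy) and in_domain_list(rule.domains, qname)):
            continue
        for i, (group, method) in enumerate(rule.clauses):
            if method == "drop":
                return ("drop", None)              # silently discard; no fall-through
            ctx.update(key=f"{rule.name}:{i}", dproxy=dproxy, qname=qname)
            pick = METHODS[method](group, ctx)
            if pick is not None:
                return ("answer", pick)
        return ("no-answer", None)                 # every clause exhausted
    return ("no-match", None)


def new_ctx():
    return {"counters": {}}


# Constructed configuration adapted from the shared-keepalive slide.
GRP_BXB = [Answer("Answer-1(NY)", "10.86.191.131"), Answer("Answer-1(Bos)", "10.86.191.147")]
GRP_RTP = [Answer("Answer-2(NY)", "10.86.191.136"), Answer("Answer-2(Bos)", "10.86.191.153")]
SAL_ASIA = [("124.0.0.0", "145.0.0.0"), ("87.0.0.0", "94.0.0.0")]
SAL_ANY = [("0.0.0.0", "255.255.255.255")]
RULES = [
    Rule("bxb.com", SAL_ANY, ["www.bxb.com"], [(GRP_BXB, "rr"), (GRP_RTP, "ordered")]),
    Rule("goodFellas.com", SAL_ASIA, ["www.bxb.com", "www.sjc.com"], [(GRP_RTP, "hash")]),
]
```

Two things the run makes visible that the slides only imply: a rule with an empty second clause returns no answer once every VIP in its group fails its keepalive, so the fallback clause is what turns a shared keepalive into site-level failover; and rule order matters, since the `Anywhere` rule for `www.bxb.com` captures Asian clients before the `Asia` rule is ever consulted.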
Keep Alives (KAL)

[Diagram: Site 1 and Site 2, each with CSS-A and CSS-B in front of servers; keepalives: TCP, ICMP, HTTP-Head, SNMP]

• KALs: a back-end process gathers state and load information from devices within the data center, such as local server load balancers and origin servers
• KALs can be grouped and logically "AND"ed together
• V2.0 added a new KAL type: SNMP based
Types of GSLB Solutions

Underlying Platform | Network Insertion | Pros | Cons | Dominant Use Case
DNS based GSLB | DNS authority; DNS proxy; DNS traffic intercept | Accurate load info; accurate proximity info | Proximity is between client and resolver; caching at client/server/proxy | Disaster recovery and business continuance; global traffic management; DNS security
Host Route Injection | SLB add-on; router add-on; server add-on | No new protocols required; GSLB is a routing problem | Support for multiple ISPs; route flapping; less accurate load/proximity info | No dominant use case
Triangle Data Flow | SLB add-on | Accurate proximity | Reverse path | Traffic localization to the nearest datacenter

GSS is a DNS based GSLB solution.
GSS 3.2.0 Bug Fixes

Identifier | Headline | Comments
CSCsz42912 | Request to implement the show mem command in SNMP |
CSCtc38727 | Manual reactivation of answers in OS with secondary circuit specified kalap |
CSCtc39127 | GSS running config is gone, GUI is unavailable but is passing traffic |
CSCtd01467 | IMPORTANT TLS/SSL SECURITY UPDATE |
CSCte64381 | Cisco GSS not functioning as per Internet DNS standards | Fix for Chrystler
CSCtf30643 | getBulkRequest with max repetitions 0 crashes snmp on GSS |
CSCtg60511 | GSS sticky mesh staying in INIT state and not replicating sticky entries |
CSCti20170 | High rate of TCP DNS requests causing dnsserver to crash | COPART issue
CSCti91605 | GSS running out of inodes, unable to ssh |
CSCti93734 | During initialization GSS returns NXDomain |
CSCtj23186 | Need check to prevent answer-group being added to DNS rule w/out answers |
CSCtj24854 | GSS running out of inodes, needs cleanup on /tmp | JPMC issue
CSCtj28476 | ENH: Need to add "core-files verbose" output to gss tech-report | Enh request from escalation
CSCtj55505 | Tech report should be enhanced & add more sticky and selector logs | To get more debugs from cases like stream the world
Thank you.