global site selector

© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1

Global Site Selector

ADBU Product Management


PRODUCT UPDATEGlobal Site Selector


Highlights

3X R&D headcount increase YoY! Release 4.1 (Q4CY11)

New Feature: GeoIP SupportIPv6 SupportSupport for Existing HW GSS4492R

Concept Committing Release 5.1 (HW refresh, DNSSEC) in 1HCY11


2011

2010

Release 4.1 (Q4CY11)IPv6 Support (AAAA)Full GeoIP GSLB

2012GSS Planning

Release 3.2 (Feb, 2011)HTTPs KALDNSSec ForwardingCritical Bug Fixes

Release 3.3Available as private image – not on CCOConfiguration Scalability (8K Answers)Proximity Enhanced with GeoIPGUI Makeover (Cisco Kubric)

Release 5.0 (Planning)DNSSec with FIPSSOA & NS RecordHW Refresh


GSS Road to IPv6

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb

2011 2012

Release 3.3 (Private Only) - Geo IP Proximity - 8K Answers Support - ANM support for 8K Answers

Release 3.2 - HTTPs KAL - Workaround DNSSEC - Bug Fixes

Release 4.1 - IPv6 Support - Geo IP GSLB - ANM support for 8K Answers

Release 4.1.1 - IPv6 dot.ONE release - Bug Fixes


GSS 4.1 – Q4CY11(a) GeoIP based GSLB

• GeoIP based proximity • GeoIP based DNS Rules and Sticky

(b) IPv6 • Support for AAAA response• Support for persistence• IPv6 Management over IPv6 interface

(c) New GUI Design (Kubric Look & Feel)

(d) Configuration Scalability• 8000 answers

a

User2001:0DB8:AC10:FE01::

LDNS

GSS Network

SLB

Datacenter A

SLB

Datacenter B

b

dc


GSS Roadmap Rel 4.0Q4CY11

Rel 5.01HCY12

1 1

2

1

2

3 3

4 4DCI Services• Automation to support

Vmotion over DCI

User

LDNS

GSS Network

SLB

Datacenter A

SLB

Datacenter B

24

3 DCI Services• Automation through

integration with ANM• Exploring LISP Support

GSLB Services

• Geo IP based Proximity

DNS Services

• IPv6: Support for AAAA, A6, CNAME DNS Records

DNS Services

• DNSSEc with FIPS• SOA & NS Record Support

GSLB Services

• Share KAL Status Among Peers

• KAL-AP with VIP Capacity/Load

Operation Optimization

• Audit Logs • Log Source IP • Sync CLI and GUI User• View KAL logs through GUI

Operational Optimization

• Authentication using AD• Automated Backup• Activate/Suspend Answers• Enhanced Reporting• Alerts/Alarms

5 5Hardware Platform• GSS-4492R

Hardware Platform• Hardware Refresh with

FIPS compliance


Cisco GSS in a Nutshell

DNS Services DNS authority for A-records and AAAA records (Rel. 4.1)Answers of type: A-record, AAAA, NS and CRADdos for DNS Security12K – 28K DNS RPS depending upon configuration complexity

GSS Network Configuration Limits

Destination: 2000 hosted domains (128 chars with wildcards)Source: 60 Source Address ListsResources: 4000 VIPs across 256 SLBs (increasing to 8K in Rel 4.1)KALs: MP, ICMP, TCP, HTTP/Head, KAL-AP, SNMP, CRA, NSPolicy: 4000 DNS rules across GSS Network

GSLB Services

Availability: Site Level FailoverGSLB Methods: Geographical, Topological, Least Loaded, Client Source Resolver Hast, Ordered List, Ratio, RR/WRRResource Affinity: Sticky, Cookies.

Management, Monitoring & Logging

User Interface: GUI (with new Cisco Kubric Look & feel) & CLIAuthorization: RBACManagement Station Support: ANM Support

Pricing $ 20K plus licenses for DDOS, GeoIP and IPv6.

• IPv6 Support • DDoS Protection• Geographical and Resource Affinity• Supports Cisco ACE/CSS/CSM

http://cio.cisco.com/en/US/products/hw/contnetw/ps4162/products_installation_and_configuration_guides_list.html

ACE GSS4492R-K9 HWSF-GSS-V1.3-K9 SWSF-GSS-DDOSLIC DDoSSF-GSS-GIPLICFX GeoIP GSLB SupportSF-GSS-V6LICFX IPv6 Support

Upto 16 GSSes can work in conjunction to meet the needs of large Enterprise and Service Provider.


PRODUCT OVERVIEWGlobal Site Selector


Types of GSLB SolutionsUnderlying

PlatformNetwork Insertion Pros Cons Dominant Use Case

DNS Based GLSB DNS AuthorityDNS ProxyDNS Traffic Intercept

Accurate Load InfoAccurate Proximity Info

Proximity between Client and Resolver

Caching at client/server/proxy

Disaster Recovery and Business Continuance

Global Traffic Management

DNS Security

Host Route Injection

SLB Add-OnRouter Add-OnServer Add-On

No new protocols requiredGSLB is a routing problem

Support for multiple ISPRoute FlappingLess accurate Load/Proximity Info

No dominant use case

Triangle Data Flow SLB Add-On Accurate Proximity Reverse Path Traffic Localization to nearest Datacenter

GSS is a DNS based GSLB Solution


More specifically …

Provides Universal DNS-based Disaster Recovery – redirects clients to back-up data center for any device that support SNMP MIB and uses DNS

Protects the DNS infrastructure with DNS-based DDOS mitigation software

Delivers Advance Global Traffic Management Global Server Load Balancing (GSLB) for geographically dispersed Server Load Balancers and Caches

Connect clients to the best server based on: Network topology Server load Availability of content and devices

GSS participates in your DNS Infrastructure to enforce BCDR, GSLB, DNS Security policies.


Ease of Deployment

Mobile FixedWireless

Dedicated/ATM/FR

ISDN/Dial

IP Control/Forwarding Plane

Cable DSL

Data Center #1

DNS Global Control Plane

ClientsRequestingWeb Sites

DNS RequestsDNS ResponseLayer 3 CommunicationsDNS Resolvers (DNSR): IE, Firefox, etc.

BINDCNR

QIPISP#1

ISP#2Client Name servers(D-proxy)

ISP#3

Root Name Server

Data Center #2

Intermediate Name Server

Supporting: .com

GSS becomes the Authoritive Name Server for the entire Zone supporting all applications for

the SP

DNS

DNS

GSS participates in the DNS infrastructure – Lower Latency


GSS is a system not a device Self synchronization of upto 16 GSSes Single Point of management via GUI Does not sacrifice device level access (SSH to box) Any GSS can run GUI and a 2nd GSS serves as standby

Easy to use Interface IOS Syntax 100 new CLI commands since v1.3 Single interface for monitoring, troubleshooting and configuration Supports Import/Export of Configuration in industry standard formats Role based Access Control Remote Syslog Support

Management Integration with ANM ANM - support the activation and suspension of a DNS rules and

answers ANM – communicates to the primary GSS manager (PGSSM) via CLI,

RMI and SSH. Configuration parameters to establish this communication is the GSS IP address and SSH credentials

Four of eight Administrators Logon consumed by ANM ANM issues commands to the PGSSM then the PGSSM relays these

commands to the rest of the GSSs in the cluster.

GSS Network

Ease of Management

Ease of Management

ANM

GSSGUI

GSS network is managed as a system – reduces number of touchpoints


www.fifa.com

Use Case: Policy based GSLB

User

Mes

h Li

nk

nameserver.fifa.comwww.fifa.com “NS” Record 10.86.191.150 “NS” Record 10.86.191.134

VIP=10.86.191.147

SLB

Datacenter B

DN

S qu

ery

ww

w.fi

fa.c

om A” Record

10.86.191.147

Proximity Selects Answer based on lowest RTT. RTT measured between client’s d-

proxy and a probing device (Cisco Router and/or GSS)

GSS uses DRP to communicate with probes

Disaster Recovery Site Health Check

Datacenter Load KAL-AP

Ratio based GLSB

GSLB Can Redirect Traffic Based On

DNS GSS Milan10.86.191.134

DNS

GSS Johannesburg10.86.191.150

SLB

Datacenter AVIP=10.86.191.131

1 Add NS Record for both GSSes

2 Create Mesh Link

3 Add DNS Rules + SAL + DDL + Qtype + Add Clauses

P-DNS216.1.1.1

DN

S Query

ww

w.fifa.com

10.8

6.19

1.13

4

DNS Query,

www.fifa.com

GSLB policy enables redirection based on proximity, site health, server load and user preferences

http://www.fifa.com/


Mobile

FixedWireless

Cable

DSL

Dedicated/ATM/FR

ISDN/Dial TokyoData

Center #2


Resolver

Use Case: BCDR

DNS Name Servers

NJ Back-up

Data Center #3

ChicagoData

Center #1


GSS Cluster

Recovering Service Availability after FailureActive-Passive Design Network fail-over can happen within 10s Application/Server

Recovery time is based on the time it take to complete data Synchronization of back-end data base, application servers and Web servers

Supported by Cisco’s SolutionsGSS, CSS, CSM, ACE


Mobile

FixedWireless

Cable

DSL

Dedicated/ATM/FR

ISDN/Dial TokyoData

Center #2


Resolver

Use Case: Securing DNS Infrastructure

Compromised DNS Name Servers or DNS bots

NJ Back-up

Data Center #3

ChicagoData

Center #1


Provides Security Focused, highly available, DNS/DHCP/TFTP infrastructure for one or more data centers.

Automatically identifies DNS-based DDOS attack and mitigates the attacks

Rate limits these specific DNS Request


GSS Release 3.1.2

Before After

1 1

21 2

3 3

No support for IDNA

Limited Integration with SLB Management (ANM)

Bug Fixes

IDNA Support

4 4

4 Tentative

Bug Fixes

KALs did not support HTTPs transport

KALs on HTTPs Transport

User

LDNS

GSS Network

SLB

Datacenter A

SLB

Datacenter B

KAL

2 Integration with SLB Management (ANM)

43


GSS Release 3.2.0

Before After

1 1

24 2

3 3

No HTTPs KAL

DNSSec Deployments Break

GUI based ConfigChanges not logged

HTTPs KAL

4 4

Audit Log for GUI basedConfig Changes

SSL Vulnerabilities Secure Communication on SSL

User

LDNS

GSS Network

SLB

Datacenter A

SLB

Datacenter B

KAL

2 DNSSec workaround to forward A4 records

13


GSS 3.2.0 Bug FixesIdentifier Headline Comments

CSCsz42912 Request to implement the show mem command in SNMP CSCtc38727 Manual Reactivation answers in OS with secondary circuit specified kalap CSCtc39127 GSS Running Config is gone, GUI is unavailable but is passing traffic CSCtd01467 IMPORTANT TLS/SSL SECURITY UPDATE CSCte64381 Cisco GSS not functioning as per Internet DNS Standards Fix for ChrystlerCSCtf30643 getBulkRequest with max repetitions 0 crashes snmp on GSS CSCtg60511 GSS sticky mesh staying in INIT state and not replicating sticky entries CSCti20170 High rate of tcp dns request causing dnsserver to crash COPART issueCSCti91605 GSS running out of inodes, unable to ssh CSCti93734 During initialzation GSS returns NXDomain CSCtj23186 Need check to prevent answer-group being added to dns rule w/out answers CSCtj24854 GSS running out of inodes, needs cleanup on /tmp JPMC issueCSCtj28476 ENH: Need to add "core-files verbose" output to gss tech-report Enh request from escalation

CSCtj55505 Tech report should be enhanced & add more sticky and selector logsTo get more debugs from cases like stream the world


GeoIP Support(a) GeoIP based Proximity

• Proximity calculations using GeoIP distances

(b) GeoRegions: GeoIP based Regions• Regions based on GeoIP database entries. (Add

single country or multiple countries). Granularity down to states

• Sticky support for GeoRegions

(c) GeoSAL: GeoIP based Source Address Lists

• SALs can be based on GeoIP based Regions

(d) New GUI Design (Kubric Look & Feel)• GUI option to configure all GeoIP

functionality

a


LDNS

GSS Network

SLB

Datacenter A

SLB

Datacenter B

bd

Available in GSS 4.1 in Q4CY11

c


GSS Competitive Side by SideFeature F5 GTM Netscalar

GSLBBrocade GSLB RadWare

GSLBCisco

DNS Services

DNS Services Uses Bind Uses Bind Uses Bind Uses Bind CNR*

DNS Defense Yes No No Unknown Yes

GSLB Services

Dedicated Appl. Yes Yes No Yes Yes

GLSB Functions Yes, 7 methods Yes, 3 method Yes, 3 methods Yes, 3 methods Yes, 7 methods

Dynamic Ratio Yes No No Unknown Yes

Persistence Yes Yes No Yes Yes

Topological Yes No No Yes Yes (manual load)

Geographical Yes Yes Yes Yes Yes (manual load)

Management

GUI, CLI and Wizard

Yes No No Unknown Yes

Administrative Login Authentication

Local Only Local Only Local Only Local Only RADIUS and RBAC


Questions?


BACKUP


GSS Capacity Details

Hosted Domains - max 1000 per SLB, 128 characters max per domain 2K

Hosted Domain Lists 2K

Maximum Domains per Domain List 500Administrative Owners 500Administrative Regions 20Administrative Locations 1K

128Max concurrent GUI sessionsMax administer / user ids 256

Max concurrent CLI sessions(simultaneous SSH + telnet sessions) 8

Source IP addresses configurable for DNS Rules 500

Source Address Groups (30 members max per group) 60

200DNS Race Content Routing Agent devices (20 max per race & answer group)

GSS Configuration Limits V3.0

100Name Server addresses for NS Forwarding (30 max per answer group)

Answer Groups (100 members max per group) 2K

GSS Performance LimitsV3.0

DNS Requests / Second (Single VIP) ~30KDNS Requests / Second (Complex Config) ~13KNS Forwarding Requests / Second

~1.5K

16Number of GSS in a Cluster

2K/4KVirtual IP Addresses – Standard / Shared 256Active Server Load Balancers

4KDNS RulesGSS Configuration Limits V3.0

40KAL AP Probes – Fast

384Scripted (SNMP) Probes – Standard

500HTTP Probes – Standard100HTTP Probes – Fast

ICMP Probes – Standard 750ICMP Probes – Fast 150TCP Probes – Standard 1.5KTCP Probes – Fast 150

KAL AP Probes – Standard 128120Scripted (SNMP) Probes – Fast

1KAnswers per KAL AP Probe


GSS Performance & Configuration ScalabilityPerformance

Single VIP (ans/sec) 30,000

Complex Configuration (ans/sec) 13,000

NS Forwarding 1500

DNS Rules 4000

VIP (Standard/Shared) 2000/4000

# of Active SLBs Probed 256

Max active GSSes in Mesh 16

HTTP Probes (Standard/Fast) 500/100

ICMP Probes (Standard/Fast) 750/150

TCP Probes (Standard/Fast) 1500/150

Scripted SNMP Probes (Standard/Fast) 384/120

KALAP Probes (Standard/Fast) 128/40

Answer Groups (per group max) 2000 (100)

Name Server addresses for NS Forwarding (max per answer group)

100 (30)

DNS Race CRA Devices (max per race, max per answer group)

200 (20,20)

Source IP Addresses configurable for DNS Rules

500

Source Address Groups (Max per group) 60 (30)

Hosted Domains (Max per SLB) 2000 (1000)

Hosted Domain Lists (Max per Domain List) 2000 (500)

Administrative Owners 500

Administrative Regions (Locations) 20 (1000)

Max user ids 256

Max GUI (CLI) sessions 128 (8)

Configuration Limits

Configuration Limits


Security Focused Functionality• Improves availability and resiliency

of DNS infrastructure with high performance and self protecting DDOS software

• Offloads and optimizes BIND/DNS processing and selects the best site based on:– Intelligent load balancing algorithms &

“clauses”– Proximity to user request– Data center and server loads, availability

& health– Persistence to prevent lost session

information

• Complete and Centralized DNS/DHCP/TFTP management for network-enabled applications

• Security conscious features:• DDOS Mitigation Software• Client to GSS and GSS to GSS

communication encrypted• Private DNS code base

• Supports all DNS-compatible devices• Can be deployed with or without content

switches


Security Focused GSS deployment

ISP-1 ISP-2

PublicWeb Servers

Secure Web Servers

DNS Server

Datacenter A

Cisco GSS

Why here?- Public IP and DNS Host Names - Layers of firewalls and Nating

between DNS and internal servers

Not here?- If hacked private IP available- - DNS traffic Tunneled though

firewall- Violates recommend “Split DNS”

Best Practices

Others

DMZ

Un-secure DNS traffic

http://www.clipartof.com/use_policy


GSS vs F5 GTMFeature GSS F5Global Traffic Management

Advance Multi-Site Traffic Management w/ Persistence Yes Yes

Integrate DC selection with Server Load Yes Yes

Universal Health checks for Traffic Management Yes YesLeverages Cisco Router Technology for DC selection Yes NO!

Business Continuance

Provides HA for any type of DNS traffic Yes YesManageability Yes

Dynamic configuration , secure Auto-sync Yes

Network Server Consolidation

Appliance Based DNS Yes (but we have retired CNR) Yes (with Bind)

Full DHCP/TFTP Services Yes (but we have retired CNR) NO!

Security Focused DNS Infrastructure

Integrated DNS-based DDOS protection Yes NO!

Protects BIND Infrastructure Yes NO!Not-Subject to BIND vulnerabilities Yes NO!


Improving DNS Survivability

Detects and mitigates the DNS focused Distributed Denial of Service (DDoS) attacks. Multiple defenses including source verificationWith the granularity and accuracy to provide new levels of business continuity by processing only legitimate DNS requestsDelivering the performance and architecture suitable for the largest enterprises and providersAddresses DDoS attacks today, and its network-based behavioral anomaly capability will be extended to additional DNS focused threats


GSLB Core Balance FunctionsLoad Balancing Methods

1. Ordered List- Uses next VIPs when all previous VIPs are

overloaded or down

6. Source Address and Domain hash- IP address of client’s DNS proxy and domain used- Always sticks same client to same VIP

2. Static Based on Client’s DNS Address- Maps IP address of client’s DNS to available VIPs

7. DNS Race– Initiates race of A-record responses to client– Finds closest SLB to client’s d-proxy

3. Round Robin – Cycles through available VIPs in order

8. DRP-based Dynamic Network Proximity – Actively localizes client traffic by probing the client

DNS Name servers and routing the client to the closest data center based on the lowest RTT measurement.

– Scales to greater than 400,000

4. Weighted Round Robin– Weighting causes repeat hits (up to 10) to a VIP

9. Global Sticky DNS Database– Dynamically tracks where clients are sent then

ensures they are sent to the same device for subsequent requests

– Entries are based the IP address of client name server and the domain name requested

– Sticky answers are shared between GSSs

5. Least Loaded– Least connections on CSM and least loaded on CSS– Load communicated via CAPP UDP

10. Drop– Silently discards the DNS request


CSS-BCSS-A

ServersSite 1 Keepalives:TCPICMPHTTP-HeadSNMP

CSS-BCSS-A

ServersSite 2

Keep Alives (KAL)

KALs – back-end process gathers state and load information from devices within the data center such as local server load balancers, and origin servers

KAL can be grouped and logically “AND” together V2.0 added a new KAL type --- SNMP based


GlobalStrike GSS 5.1

1. Security and Compliance• (a) DNSSEC strengthens the integrity of DNS Query/Response

transaction from threats such as • Forged or bogus response• Removal of Records (RRs) in responses• Incorrect application of wildcard expansion rules

• (b) USGv6 and IPv6 Ph 2 Logo certification• FIPS compliant or validated encryption with acceleration• Common Criteria EAL-2

2. Platfom Refresh• (c) UCS server based appliance (San Luis)• vGSS

3. GeoIP Enhancements• (d) Logical Grouping of Geo Regions

4. KAL- AP• Enhancements and scalability

Key Asks in GlobalStrike

a


LDNS

GSS Network

SLB

Datacenter A

SLB

Datacenter B

b

dc

Concept Committed 8/22/2011

global site selector

Documents

cisco gss

cisco systems

cisco confidentialpresentation

answers support anm

dns rules

gss planningrelease

gss roadmaprel

sticky b ipv6 support