AX_GSLB_Guide_v2_7_0-20121010

Global Server Load Balancing Guide

AX Series Advanced Traffic Manager

Document No.: D-030-01-00-0029

Ver. 2.7.0 10/10/2012


© A10 Networks, Inc. 10/10/2012 - All Rights Reserved

Information in this document is subject to change without notice.

Trademarks

A10 Networks, the A10 logo, aACI, aCloud, ACOS, aDCS, aDNS, aELB, aFleX, aFlow, aGalaxy, aPlatform, aUSG, aVCS, aWAF, aXAPI, IDAccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX, Unified Service Gateway, Virtual Chassis, Virtual-ADC, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners.

Patents Protection

A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents pending: 8291487, 8266235, 8151322, 8079077, 7979585, 7716378, 7675854, 7647635, 7552126, 20120216266, 20120204236, 20120179770, 20120144015, 20120084419, 20110239289, 20110093522, 20100235880, 20100217819, 20090049537, 20080229418, 20080148357, 20080109887, 20080040789, 20070283429, 20070282855, 20070271598, 20070195792, 20070180101

Confidentiality

This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc. This information may contain forward looking statements and therefore is subject to change.

A10 Networks Inc. Software License and End User Agreement

Software for all AX Series products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential information.

Anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not:

1) reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means

2) sublicense, rent or lease the Software.

Disclaimer

The information presented in this document describes the specific products noted and does not imply nor grant a guarantee of any technical performance nor does it provide cause for any eventual claims resulting from the use or misuse of the products described herein or errors and/or omissions. A10 Networks, Inc. reserves the right to make technical and other changes to their products and documents at any time and without prior notification.

No warranty is expressed or implied; including and not limited to warranties of non-infringement, regarding programs, circuitry, descriptions and illustrations herein.

Environmental Considerations

Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

Further Information

For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be found by visiting www.a10networks.com.

Performance by Design - 3 of 260 - Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

End User License Agreement

IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. DOWNLOADING, INSTALLING OR USING A10 NETWORKS OR A10 NETWORKS PRODUCTS, OR SUPPLIED SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT.

A10 NETWORKS IS WILLING TO LICENSE THE PRODUCT (AX Series) TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. BY DOWNLOADING OR INSTALLING THE SOFTWARE, OR USING THE EQUIPMENT THAT CONTAINS THIS SOFTWARE, YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, "CUSTOMER") TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, THEN A10 NETWORKS IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.

The following terms of this End User License Agreement ("Agreement") govern Customer's access and use of the Software, except to the extent there is a separate signed agreement between Customer and A10 Networks governing Customer's use of the Software.

License. Conditioned upon compliance with the terms and conditions of this Agreement, A10 Networks Inc. or its subsidiary licensing the Software instead of A10 Networks Inc. ("A10 Networks"), grants to Customer a nonexclusive and nontransferable license to use for Customer's business purposes the Software and the Documentation for which Customer has paid all required fees. "Documentation" means written information (whether contained in user or technical manuals, training materials, specifications or otherwise) specifically pertaining to the product or products and made available by A10 Networks in any manner (including on CD-Rom, or on-line).

Unless otherwise expressly provided in the Documentation, Customer shall use the Software solely as embedded in or for execution on A10 Networks equipment owned or leased by Customer and used for Customer's business purposes.

General Limitations. This is a license, not a transfer of title, to the Software and Documentation, and A10 Networks retains ownership of all copies of the Software and Documentation. Customer acknowledges that the Software and Documentation contain trade secrets of A10 Networks, its suppliers or licensors, including but not limited to the specific internal design and structure of individual programs and associated interface information. Accordingly, except as otherwise expressly provided under this Agreement, Customer shall have no right, and Customer specifically agrees not to:

a. transfer, assign or sublicense its license rights to any other person or entity, or use the Software on unauthorized or secondhand A10 Networks equipment

b. make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do the same


c. reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction

d. disclose, provide, or otherwise make available trade secrets contained within the Software and Documentation in any form to any third party without the prior written consent of A10 Networks. Customer shall implement reasonable security measures to protect such trade secrets.

Software, Upgrades and Additional Products or Copies. For purposes of this Agreement, "Software" and "Products" shall include (and the terms and conditions of this Agreement shall apply to) computer programs, including firmware and hardware, as provided to Customer by A10 Networks or an authorized A10 Networks reseller, and any upgrades, updates, bug fixes or modified versions thereto (collectively, "Upgrades") or backup copies of the Software licensed or provided to Customer by A10 Networks or an authorized A10 Networks reseller.

OTHER PROVISIONS OF THIS AGREEMENT:

a. CUSTOMER HAS NO LICENSE OR RIGHT TO USE ANY ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID THE APPLICABLE FEE FOR THE UPGRADE OR ADDITIONAL COPIES

b. USE OF UPGRADES IS LIMITED TO A10 NETWORKS EQUIPMENT FOR WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR LEASEE OR WHO OTHERWISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING UPGRADED

c. THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY.

Term and Termination. This Agreement and the license granted herein shall remain effective until terminated. All confidentiality obligations of Customer and all limitations of liability and disclaimers and restrictions of warranty shall survive termination of this Agreement.

Export. Software and Documentation, including technical data, may be subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, or import Software and Documentation.



Limited Warranty

Disclaimer of Liabilities. REGARDLESS OF ANY REMEDY SET FORTH FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL A10 NETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE PRODUCT OR OTHERWISE AND EVEN IF A10 NETWORKS OR ITS SUPPLIERS OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

In no event shall A10 Networks' or its suppliers' or licensors' liability to Customer, whether in contract (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim or, if the Software is part of another Product, the price paid for such other Product.

Customer agrees that the limitations of liability and disclaimers set forth herein will apply regardless of whether Customer has accepted the Software or any other product or service delivered by A10 Networks. Customer acknowledges and agrees that A10 Networks has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the parties.

The Warranty and the End User License shall be governed by and construed in accordance with the laws of the State of California, without reference to or application of choice of law rules or principles. If any portion hereof is found to be void or unenforceable, the remaining provisions of the Agreement shall remain in full force and effect. This Agreement constitutes the entire and sole agreement between the parties with respect to the license of the use of A10 Networks Products unless otherwise superseded by a written signed agreement.


Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid A10 Networks Regular and Technical Support service contracts, the A10 Networks Technical Assistance Center provides support services online and over the phone.

Corporate Headquarters

A10 Networks, Inc.
3 West Plumeria Dr
San Jose, CA 95134 USA

Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support – toll-free in USA)
Tel: +1-408-325-8676 (support – direct dial)
Fax: +1-408-325-8666

www.a10networks.com

Collecting System Information

The AX device provides a simple method to collect configuration and status information for Technical Support to use when diagnosing system issues.

To collect system information, use either of the following methods.

USING THE GUI (RECOMMENDED)

1. Log into the GUI.

2. On the main page (Monitor Mode > Overview > Summary), click . This option downloads a text log file.

3. Email the file as an attachment to [email protected].

USING THE CLI

1. Log into the CLI.

2. Enable logging in your terminal emulation application, to capture output generated by the CLI.

3. Enter the enable command to access the Privileged EXEC mode of the CLI. Enter your enable password at the Password prompt.


4. Enter the show techsupport command.

5. After the command output finishes, save the output in a text file.

6. Email the file as an attachment to [email protected].

Note: As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using the following command:

show techsupport export [use-mgmt-port] url

(For syntax information, see the AX Series CLI Reference.)


About This Document

This document describes features of the A10 Networks AX Series™ Application Delivery Controller.

FIGURE 1 AX 5630 (front panel view)

Information is available for AX Series products in the following documents. These documents are included on the documentation CD shipped with your AX Series product, and also are available on the A10 Networks support site:

• AX Series Installation Guides

• AX Series LOM Reference

• AX Series System Configuration and Administration Guide

• AX Series Application Delivery and Server Load Balancing Guide

• AX Series Global Server Load Balancing Guide

• AX Series GUI Reference

• AX Series CLI Reference

• AX Series aRule Reference

• AX Series MIB Reference

• AX Series aXAPI Reference

Make sure to use the basic deployment instructions in the AX Series Installation Guide for your AX model, and in the AX Series System Configuration and Administration Guide. Also make sure to set up your device's Lights Out Management (LOM) interface, if applicable.


Note: Some guides include GUI configuration examples. In these examples, some GUI pages may have new options that are not shown in the example screen images. In these cases, the new options are not applicable to the examples. For information about any option in the GUI, see the AX Series GUI Reference or the GUI online help.

Audience

This document is intended for use by network architects for determining applicability and planning implementation, and for system administrators for provision and maintenance of A10 Networks AX Series products.

Documentation Updates

Updates to these documents are published periodically to the A10 Networks support site, on an updated documentation CD (posted as a zip archive). To access the latest version, please log onto your A10 support account and navigate to the following page: Support > AX Series > Technical Library.

http://www.a10networks.com

A10 Virtual Application Delivery Community

You can use your A10 support login to access the A10 Virtual Application Delivery Community (VirtualADC). The VirtualADC is an interactive forum where you can find detailed information from product specialists. You also can ask questions and leave comments. To access the VirtualADC, navigate here:

http://www.a10networks.com/adc/


Contents

End User License Agreement 3

Obtaining Technical Assistance 7

Collecting System Information.............................................................................................................. 7

About This Document 9

Audience................................................................................................................................................ 10

Documentation Updates ...................................................................................................................... 10

A10 Virtual Application Delivery Community..................................................................................... 10

GSLB Overview 17

GSLB Deployment Modes.................................................................................................................... 18

Zones, Services, and Sites .................................................................................................................. 18

GSLB Policy .......................................................................................................................................... 18

Policy Metrics .................................................................................................................. 19

Health Checks ............................................................................................................. 21

Geo-Location ............................................................................................................... 22

DNS Options ............................................................................................................... 23

Metrics That Require the GSLB Protocol on Site AX Devices .................................................... 26

GSLB Configuration 27

Overview................................................................................................................................................ 27

Configure Health Monitors................................................................................................................... 28

Configure the DNS Proxy..................................................................................................................... 29

Configure a GSLB Policy ..................................................................................................................... 31

Enabling / Disabling Metrics ........................................................................................................... 32

Changing the Metric Order .................................................................................................................. 34

Configuring Active-Round Delay Time ............................................................................................ 35

Configuring BW-Cost Settings ........................................................................................................ 42

How Bandwidth Cost Is Measured .............................................................................................. 42

Configuration Requirements ........................................................................................................ 42

Configuring Bandwidth Cost ........................................................................................................ 43

Configuring Alias Admin Preference ............................................................................................... 47

Configuring Weighted Alias ............................................................................................................ 48

Loading or Configuring Geo-Location Mappings ............................................................................ 49

Geo-location Overlap .................................................................................................................. 57


Configure Services................................................................................................................................61

Gateway Health Monitoring ............................................................................................................ 62

CLI Example—Site with Single Gateway Link ................................................................................ 65

CLI Example—Site with Multiple Gateway Links ............................................................................ 65

Multiple-Port Health Monitoring ...................................................................................................... 66

Configure Sites......................................................................................................................................67

Configure a Zone...................................................................................................................................69

Enable the GSLB Protocol....................................................................................................................70

Resetting or Clearing GSLB .................................................................................................................70

Auto-mapping 73

Configuration ............................................................................................................................... 74

Advanced DNS Options 77

DNS Active-only ....................................................................................................................................78

Support for DNS TXT Records .............................................................................................................80

Append All NS Records in DNS Authority Section ............................................................................82

Hints in DNS Responses ......................................................................................................................83

DNS Sub-zone Delegation ....................................................................................................................85

DNS Proxy Block ...................................................................................................................................91

Partition-specific Group Management 97

Implementation Details .........................................................................................................................97

GSLB Configuration Examples 99

CLI Example...........................................................................................................................................99

Configuration on the GSLB AX Device (GSLB Controller) ............................................................. 99

Configuration on Site AX Device AX-A ......................................................................................... 101

Configuration on Site AX Device AX-B ......................................................................................... 101

GUI Example ........................................................................................................................................102

Configuration on the GSLB AX Device (GSLB Controller) ........................................................... 102

Configuration on Site AX Devices ................................................................................................ 112

GSLB Configuration Synchronization 113

Overview ..............................................................................................................................................113

GSLB Group Parameters ....................................................................................................................116

Configuration.......................................................................................................................................117


Geo-location-based Access Control 121

Using a Class List............................................................................................................................... 121

Using a Black/White List .................................................................................................................... 123

Configuring the Black/White List ................................................................................................... 123

Full-Domain Checking........................................................................................................................ 128

Full-Domain Checking .................................................................................................................. 129

Enabling PBSLB Statistics Counter Sharing ................................................................................. 129

Cloud-based Computing Solution 131

DNSSEC Support 133

Overview.............................................................................................................................................. 133

DNS without Security .................................................................................................................... 134

DNSSEC (DNS with Security) ...................................................................................................... 137

Building the Chain of Trust ........................................................................................................... 140

Performing Key Rollovers ............................................................................................................. 142

ZSK Key Rollovers .................................................................................................................... 143

KSK Key Rollovers .................................................................................................................... 144

Importing and Exporting the Delegation Signature Keyset ........................................................... 145

DNSSEC Templates .................................................................................................................. 146

Configuration ...................................................................................................................................... 148

Configuration Examples .................................................................................................................... 151

CLI Example #1 ............................................................................................................ 151

CLI Example #2 ............................................................................................................ 151

CLI Example #3 ............................................................................................................ 152

CLI Example #4 ............................................................................................................ 152

CLI Command Reference 153

Main Configuration Commands ........................................................................................................ 153

gslb active-rdt ....................................................................................................................... 153

gslb dns action ..................................................................................................................... 155

gslb dns logging ................................................................................................................... 155

gslb geo-location .................................................................................................................. 156

gslb geo-location delete ....................................................................................................... 157

gslb geo-location load .......................................................................................................... 158

gslb group ............................................................................................................................ 159

gslb ip-list ............................................................................................................................. 161

gslb ping .............................................................................................................................. 162

gslb policy ............................................................................................................................ 163

gslb protocol ........................................................................................................................ 163


gslb protocol limit ................................................................................................................. 165

gslb service-ip ...................................................................................................................... 166

gslb site ............................................................................................................................... 168

gslb system auto-map module ............................................................................................. 173

gslb system auto-map ttl ...................................................................................................... 173

gslb system ip-ttl .................................................................................................................. 174

gslb system prompt ............................................................................................................. 174

gslb system reset ................................................................................................................. 175

gslb system wait .................................................................................................................. 175

gslb template csv ................................................................................................................. 175

gslb template snmp ............................................................................................................. 177

gslb zone ............................................................................................................................. 180

no gslb all ............................................................................................................................ 187

Policy Configuration Commands.......................................................................................................188

active-rdt .............................................................................................................................................. 188active-servers ...................................................................................................................................... 191admin-ip ............................................................................................................................................... 192admin-preference ................................................................................................................................ 192alias-admin-preference ........................................................................................................................ 193bw-cost ................................................................................................................................................ 193capacity ............................................................................................................................................... 194connection-load ................................................................................................................................... 195dns ....................................................................................................................................................... 197dnssec key-generate ........................................................................................................................... 207export dnssec-dnskey .......................................................................................................................... 208geo-location ......................................................................................................................................... 209geo-location match-first ....................................................................................................................... 
209geo-location overlap ............................................................................................................................ 210geographic ........................................................................................................................................... 211health-check ........................................................................................................................................ 211import dnssec-dnskey .......................................................................................................................... 212import dnssec-ds ................................................................................................................................. 213ip-list .................................................................................................................................................... 214least-response ..................................................................................................................................... 214metric-fail-break ................................................................................................................................... 215metric-force-check ............................................................................................................................... 215metric-order ......................................................................................................................................... 215num-session ........................................................................................................................................ 217round-robin .......................................................................................................................................... 218weighted-alias ...................................................................................................................................... 
218weighted-ip .......................................................................................................................................... 219weighted-site ....................................................................................................................................... 220


Show Commands ..... 222

show gslb cache ..... 222
show gslb config ..... 223
show gslb fqdn ..... 227
show gslb geo-location ..... 228
show gslb group ..... 231
show gslb ip-list ..... 234
show gslb memory ..... 234
show gslb policy ..... 234
show gslb protocol ..... 236
show gslb rdt ..... 237
show gslb samples conn ..... 239
show gslb samples conn-load ..... 240
show gslb samples rdt ..... 242
show gslb service ..... 243
show gslb service-ip ..... 244
show gslb service-port ..... 245
show gslb session ..... 245
show gslb site ..... 246
show gslb slb-device ..... 248
show gslb state ..... 249
show gslb statistics ..... 249
show gslb zone ..... 250

Clear Command ..... 254

clear ..... 254

DNSSEC Commands ..... 255

dnssec key-generate ..... 255
dnssec template ..... 256
dnssec sign-zone-now ..... 257
show dnssec template ..... 258



GSLB Overview

This chapter provides an overview of Global Server Load Balancing (GSLB).

Global Server Load Balancing (GSLB) uses the Domain Name System (DNS) to extend load balancing to a global, geographically distributed scale.

AX Series GSLB provides the following key advantages:

• Protects businesses from downtime due to site failures

• Ensures business continuity and application availability

• Provides faster performance and an improved user experience by directing users to the nearest site

• Increases data center efficiency and provides a better return on investment by distributing load across multiple sites

• Provides flexible policies for selecting the fairness and distribution of traffic among multiple sites

As of AX Release 2.7.0, the AX software contains no code for a passive round-trip time (RTT) metric for GSLB (the time between receiving a TCP SYN and the corresponding TCP ACK of the TCP connection). This code was removed entirely in 2.7.0 because no customer used the passive RTT capability for GSLB.

In AX Release 2.7.0, the AX implementation of GSLB uses an array of fixed active IP addresses and the A10 site selection algorithm illustrated in Table 1, which applies a method of iterative in-place marking.

The AX software does not order the candidate network addresses based on a set of stored performance metrics, nor does it perform any other form of ordering or re-ordering of the network addresses for GSLB.

(See “GSLB Policy” on page 18.)


GSLB Deployment Modes

You can deploy GSLB in proxy mode or server mode.

• Proxy mode – The AX device acts as a proxy for an external DNS server. In proxy mode, the AX device can rewrite the A and AAAA records in its responses to client requests, but it forwards requests for all other record types to the external DNS server unchanged.

• Server mode – The AX device directly responds to queries for specific service IP addresses in the GSLB zone. (The AX device still forwards other types of queries to the DNS server.) In server mode, the AX device can reply with A, AAAA, MX, NS, PTR, SRV and SOA records. For all other record types, the AX device falls back to proxy mode.

Note: An AX device becomes a GSLB AX device (the GSLB controller) when you configure GSLB on the device and enable the GSLB protocol for the controller function. The A10 Networks GSLB protocol uses port 4149; the protocol is registered on this port for both TCP and UDP.

Zones, Services, and Sites

GSLB operates on zones, services, and sites.

• Zones – A GSLB zone is a DNS domain under GSLB control. An AX device can be configured with one or more GSLB zones, and each zone can contain one or more GSLB sites. For example, mydomain.com can be configured as a GSLB zone.

• Services – A service is an application, for example HTTP or FTP, identified by a host name within the zone. Each zone can be configured with one or more services. For example, www.mydomain.com is a service in which www is the HTTP application.

• Sites – A site is a server farm that is locally managed by an AX device that performs Server Load Balancing (SLB) for the site.

GSLB Policy

GSLB is not enabled by default; use of the feature requires proper configuration. GSLB deals with multiple sites, each of which has one or more unique IP addresses.

GSLB uses an array of fixed site IP addresses, and the site selection algorithm, illustrated in Table 1, uses a method of iterative in-place marking to select sites. GSLB does not order the candidate IP network addresses based on any set of performance metrics, and does not perform any form of ordering or re-ordering of the IP network addresses.

Table 1 illustrates the AX implementation. Each IP address is associated with a set of parameters, and a site selection policy is based on the evaluation of those policy parameters.

For each evaluated parameter, each site IP is tagged as Marked (M) or Un-marked. Each subsequent parameter is evaluated only on the sites left marked by the previous one, and the evaluation continues to the end of all the parameters in the metric policy regardless of how many sites remain marked. In other words, the AX device does not stop the evaluation when only a single site is left; it continues until the end of the user-configured metric parameters.

At the end of the evaluation, the responses corresponding to the marked sites are sent back in a round-robin manner; no single best network address is determined.

Policy Metrics

A GSLB policy consists of one or more of the following metrics:

1. Health-Check – Services that pass health checks are preferred.

2. Weighted-IP – Service IP addresses with higher administratively assigned weights are used more often than service IP addresses with lower weights. (See “Weighted-IP and Weighted-Site” on page 21.)

3. Weighted-Site – Sites with higher administratively assigned weights are used more often than sites with lower weights. (See “Weighted-IP and Weighted-Site” on page 21.)

4. Session-Capacity – Sites with more available sessions, relative to their respective maximum Session-Capacity, are preferred.

5. Active-Servers – Sites with the most currently active servers are preferred.

6. Active-Round Delay Time (aRDT) – Sites with faster round-delay times for DNS queries and replies between a site AX device and the client's local DNS server are preferred.

7. Geographic – Services located within the client’s geographic region are preferred.

8. Connection-Load – Sites that are not exceeding their thresholds for new connections are preferred.

9. Num-Session – Sites that are not exceeding their available Session-Capacity threshold, compared to other sites, are treated as having the same preference.

10. Admin-Preference – The site with the highest administratively set preference is selected.

11. BW-Cost – Selects sites based on bandwidth utilization on the site AX links.

12. Least-Response – Service IP addresses with the fewest hits are preferred.

13. Admin-IP – Sites are preferred based on administratively assigned weight.

14. Round-Robin – Sites are selected in sequential order. (See “Tie-Breaker” on page 21.)

15. Alias-Admin-Preference – Selects the DNS CNAME record with the highest administratively set preference. This metric is similar to the Admin-Preference metric, but applies only to DNS CNAME records.

16. Weighted-Alias – Prefers CNAME records with higher weight values over CNAME records with lower weight values. This metric is similar to Weighted-IP, but applies only to DNS CNAME records.

TABLE 1 GSLB site marking sample (six site IPs, Site1-IP through Site6-IP; policy metric order Health-check, Geo-location, Admin-preference)

Metric              Sites still marked (M) after the metric is evaluated
Health-check        4 of the 6 site IPs
Geo-location        3 of those 4
Admin-preference    2 of those 3: Site4-IP and Site6-IP
Response            Site4-IP and Site6-IP, returned in round-robin order

As Site4-IP and Site6-IP are marked at the end of the evaluation, these two addresses are returned in a round-robin manner; no single best network address is determined.

The Health-Check, Geographic, and Round-Robin metrics are enabled by default. All other metrics are disabled by default.

The metric order and the configuration of each metric are specified in a GSLB policy. Policies can be applied to GSLB zones and to individual services. The GSLB AX device has a default GSLB policy, named “default”, which is automatically applied to a zone or service that has no other policy assigned.
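The following is an added example, not code from the A10 guide or the AX software: a Python model of the marking evaluation and round-robin reply described above and in Table 1. The six site IPs and their attributes (health result, geo-location match, admin-preference value) are constructed so that the marks per metric match the table. Two points are assumptions, since the guide does not state them: a metric that qualifies no site leaves the marked set unchanged (preference, not exclusion), and a tie on admin-preference keeps every site sharing the highest value.

```python
"""GSLB site marking, as the guide describes it: each metric in the policy's
metric order is evaluated over the sites still marked by the previous metric,
evaluation runs through the whole metric list even if only one site is left,
and the sites marked at the end are answered in round-robin order."""
from typing import Callable, Dict, List, Tuple

# Constructed sample (hypothetical attributes chosen so the marks match
# Table 1: 4 pass health-check, 3 of those match the client's geo-location,
# 2 of those share the highest admin-preference).
SITES: Dict[str, dict] = {
    "Site1-IP": {"healthy": True,  "geo_match": False, "admin_pref": 10},
    "Site2-IP": {"healthy": False, "geo_match": True,  "admin_pref": 50},
    "Site3-IP": {"healthy": True,  "geo_match": True,  "admin_pref": 20},
    "Site4-IP": {"healthy": True,  "geo_match": True,  "admin_pref": 80},
    "Site5-IP": {"healthy": False, "geo_match": False, "admin_pref": 90},
    "Site6-IP": {"healthy": True,  "geo_match": True,  "admin_pref": 80},
}

# A metric takes the currently marked sites and returns those it keeps marked.
Metric = Callable[[List[str], Dict[str, dict]], List[str]]


def _prefer(marked: List[str], keep: List[str]) -> List[str]:
    # Assumption: metrics express preference, not exclusion. If no site
    # qualifies, the candidate set is left unchanged rather than emptied.
    return keep or marked


def health_check(marked: List[str], sites: Dict[str, dict]) -> List[str]:
    """Sites whose service passed its health check are preferred."""
    return _prefer(marked, [s for s in marked if sites[s]["healthy"]])


def geo_location(marked: List[str], sites: Dict[str, dict]) -> List[str]:
    """Sites in the client's geographic region are preferred."""
    return _prefer(marked, [s for s in marked if sites[s]["geo_match"]])


def admin_preference(marked: List[str], sites: Dict[str, dict]) -> List[str]:
    """Sites with the highest administratively set preference are selected;
    a tie keeps every site that shares the highest value (assumption)."""
    best = max(sites[s]["admin_pref"] for s in marked)
    return [s for s in marked if sites[s]["admin_pref"] == best]


METRIC_ORDER: List[Metric] = [health_check, geo_location, admin_preference]


def evaluate_policy(sites: Dict[str, dict], metric_order: List[Metric]
                    ) -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    """Run every metric, in order, over the previously marked sites.
    Returns the finally marked sites and a per-metric trace of the marks.
    There is deliberately no early exit: a single remaining site is still
    carried through all later metrics, exactly as the guide states."""
    marked = list(sites)
    trace = []
    for metric in metric_order:
        marked = metric(marked, sites)
        trace.append((metric.__name__, list(marked)))
    return marked, trace


class RoundRobinResponder:
    """Answers successive queries with the marked sites rotated round-robin;
    no single 'best' address is ever determined."""

    def __init__(self, sites: Dict[str, dict], metric_order: List[Metric]) -> None:
        self.sites, self.metric_order, self._pos = sites, metric_order, 0

    def answer(self) -> List[str]:
        marked, _ = evaluate_policy(self.sites, self.metric_order)
        i = self._pos % len(marked)
        self._pos += 1
        return marked[i:] + marked[:i]


if __name__ == "__main__":
    final, trace = evaluate_policy(SITES, METRIC_ORDER)
    for name, marks in trace:
        print(f"{name:17s} marked: {marks}")
    rr = RoundRobinResponder(SITES, METRIC_ORDER)
    print("reply 1:", rr.answer())
    print("reply 2:", rr.answer())
```

Running the script prints the trace (4, 3, then 2 marked sites) and two replies whose first address alternates between Site4-IP and Site6-IP; changing METRIC_ORDER changes the marks but never introduces a ranking of the survivors.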

Note: Metric order does not apply to the Alias-Admin-Preference and Weighted-Alias metrics. When enabled, Alias-Admin-Preference always has high priority.

Note: In AX Release 2.6.0, the ability to configure the passive round-trip time metric (Passive-RTT) was removed. Any commands related to this deprecated metric that remain in a configuration never take effect, because there is no way to enable it. In the current release, all references to the deprecated Passive-RTT metric have been removed from the software.

Weighted-IP and Weighted-Site

The Weighted-IP and Weighted-Site metrics allow you to bias selection toward specific sites or IP addresses. GSLB selects higher-weighted IP addresses or sites more often than lower-weighted IP addresses or sites.

For example, if there are two sites (A and B), and A has weight 2 whereas B has weight 4, GSLB will select site B twice as often as site A. Specifically, GSLB will select site B the first 4 times, and will then select site A the next 2 times. This cycle then repeats: B is chosen 4 times, then A is chosen the next 2 times, then B is chosen the next 4 times, and so on.

Note: If DNS caching is used, the cycle starts over when the cache aging timer expires.
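As an added example (not code from the guide or the AX software), the weighted cycle above generalized to any number of entries: each entry is returned for a run of consecutive replies equal to its weight, in descending weight order, and the cycle then repeats. The ordering of entries with equal weights (configuration order) is an assumption, since the guide only covers two differently weighted sites.

```python
"""Weighted-IP / Weighted-Site selection as the guide describes it: the
higher-weighted entry is returned for its full weight of consecutive replies,
then the next entry for its weight, and the cycle repeats."""
from itertools import islice
from typing import Dict, Iterator, List


def weighted_cycle(weights: Dict[str, int]) -> Iterator[str]:
    """Yield an endless selection sequence. Entries are ordered by descending
    weight; the stable sort keeps configuration order for equal weights
    (assumption: the guide does not cover ties)."""
    if not weights or any(w <= 0 for w in weights.values()):
        raise ValueError("every entry needs a positive weight")
    order = sorted(weights, key=lambda name: -weights[name])
    while True:
        for name in order:
            for _ in range(weights[name]):
                yield name


def selections(weights: Dict[str, int], n: int) -> List[str]:
    """First n selections of a fresh cycle. Starting a fresh cycle is also
    what happens when a DNS cache aging timer expires, per the guide's note."""
    return list(islice(weighted_cycle(weights), n))


def share(weights: Dict[str, int]) -> Dict[str, float]:
    """Long-run fraction of replies each entry receives (weight / total),
    which is what the guide means by 'twice as often'."""
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


if __name__ == "__main__":
    print(selections({"A": 2, "B": 4}, 12))   # B x4, A x2, B x4, A x2
    print(share({"A": 2, "B": 4}))            # A: 1/3, B: 2/3
```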

Tie-Breaker

The AX device uses Round-Robin as a tie-breaker to select a site. This is true even if the Round-Robin metric is disabled in the GSLB policy. (See “Configure a GSLB Policy” on page 31.)

Health Checks

The Health-Check metric checks the availability (health) of the real servers and service ports. Sites whose real servers and service ports respond to the health checks are preferred over sites in which servers or service ports are unresponsive to the health checks.

GSLB supports health check methods for the following services:

ICMP (Layer 3 health check), TCP, UDP, HTTP, HTTPS, FTP, SMTP, POP3, SNMP, DNS, RADIUS, LDAP, RTSP, SIP

You can use the default health methods or configure new methods for any of these services.

Note: By default, the GSLB protocol generates its own packets when sending a health check to a service. If the GSLB protocol cannot reach the service, another health check is performed using standard network traffic.

Health-Check Precedence

Health monitoring for a GSLB service can be performed at the following levels, and in the following order:

1. Gateway health check

2. Port health check

3. IP health check (Layer 3 health check of the service IP)

Geo-Location

You can configure GSLB to prefer, in DNS replies, the site VIPs that are geographically closer to the clients. For example, if a domain is served by sites in both the USA and Asia, you can configure GSLB to favor the USA site for USA clients while preferring the Asian site for Asian clients.

To configure geo-location:

• Leave the Geographic GSLB metric enabled; it is enabled by default.

• Load geo-location data. You can load geo-location data from a file or manually configure individual geo-location mappings.

Loading geo-location data from a file is simpler than manually configuring geo-location mappings, especially if you have more than a few GSLB sites. For more information, see “Loading or Configuring Geo-Location Mappings” on page 49.

The AX software includes an Internet Assigned Numbers Authority (IANA) database. The IANA database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. The IANA database is loaded on the AX device and is enabled by default.

CNAME Support

As an extension to geo-location support, you can configure GSLB to send a Canonical Name (CNAME) record instead of an Address record in DNS replies to clients. A CNAME record maps a domain name to an alias for that domain. For example, you can associate the following aliases with the domain “a10.com”:

• www.a10.co.cn

• www.1.a10.com

• ftp.a10.com

Each of the aliases in the list above can be associated with a different geo-location:

If a client’s IP address is within the geo-location that is associated with www.1.a10.com, then GSLB places a CNAME record for www.1.a10.com in the DNS reply to that client.

To configure CNAME support:

• Configure geo-location as described above.

• In the GSLB policy, enable the following DNS options:

• dns cname-detect (enabled by default)

• dns geoloc-alias

• For individual services in the zone, configure the aliases and associate them with geo-locations.
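The following is an added example, not code from the guide or the AX software, showing the geo-location lookup and CNAME substitution described above for the www.a10.com service: the client's source address is matched against a geo-location table and, when the matching geo-location has an alias configured for the service, a CNAME for that alias replaces the service's A records. The prefixes and A-record addresses are constructed (documentation ranges, not IANA data); the two aliases are those named in the guide. Two behaviours are assumptions the guide does not spell out: overlapping geo-locations are tried most-specific first, and a geo-location without an alias falls back to any enclosing geo-location that has one. The cname-detect option is not modeled.

```python
"""Geo-location lookup and dns geoloc-alias substitution."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed geo-location table (hypothetical prefixes, not the IANA
# database shipped with the AX software).
GEO_RANGES: Dict[str, List[str]] = {
    "CN":   ["203.0.113.0/24"],
    "US":   ["198.51.100.0/24"],
    "US-W": ["198.51.100.128/25"],   # more specific; overlaps "US", has no alias
}

# Service www in zone a10.com: A records (constructed) plus the per-geo-location
# aliases named in the guide.
SERVICE: dict = {
    "name": "www.a10.com",
    "a_records": ["192.0.2.10", "192.0.2.20"],
    "geoloc_alias": {"CN": "www.a10.co.cn", "US": "www.1.a10.com"},
}

_NETS = [(geo, ipaddress.ip_network(p)) for geo, prefixes in GEO_RANGES.items()
         for p in prefixes]


def matching_geos(client_ip: str) -> List[str]:
    """Geo-locations whose prefixes contain client_ip, most specific first
    (assumption: longest prefix wins when geo-locations overlap)."""
    addr = ipaddress.ip_address(client_ip)
    hits = sorted(((net.prefixlen, geo) for geo, net in _NETS if addr in net),
                  reverse=True)
    return [geo for _, geo in hits]


def build_answer(client_ip: str, service: dict,
                 geoloc_alias: bool = True) -> Tuple[str, List[str]]:
    """Return (record type, rdata list) for the client. With dns geoloc-alias
    enabled and an alias configured for the client's geo-location, a single
    CNAME replaces the address records; otherwise the A records are returned.
    A geo-location without an alias defers to an enclosing one (assumption)."""
    if geoloc_alias:
        for geo in matching_geos(client_ip):
            alias = service["geoloc_alias"].get(geo)
            if alias:
                return ("CNAME", [alias])
    return ("A", list(service["a_records"]))


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.200", "192.0.2.5"):
        print(ip, "->", matching_geos(ip), build_answer(ip, SERVICE))
```

A client in 203.0.113.0/24 receives a CNAME for www.a10.co.cn, a client in 198.51.100.128/25 matches US-W first but ends up with www.1.a10.com through the enclosing US entry, and a client outside every configured prefix receives the A records; the same A records are returned to everyone when geoloc-alias is disabled.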

Alias-Admin-preference and Weighted-alias

The Alias-Admin-Preference metric, which selects the DNS CNAME record with the highest administratively set preference, can be used in DNS proxy or DNS server mode. Similarly, the Weighted-Alias metric, which expresses a preference for higher-weighted CNAME records, can be used in DNS proxy or DNS server mode.

Some additional policy options are required in either mode.

• DNS proxy – Enable the geoloc-alias option. After GSLB receives the DNS response from the DNS server, GSLB selects a DNS A record using the IP metrics, and then tries to insert the DNS CNAME record into the answer based on the geo-location settings. While inserting the CNAME record, if the alias metrics are enabled, GSLB may remove some CNAME records and their related service IPs.

• DNS server – If applicable, enable the backup-alias option. If there is no DNS A record to return, GSLB tries to insert all backup DNS CNAME records. During insertion, if Alias metrics are enabled, GSLB may remove some CNAME records. No DNS A records are returned.

This option also requires the dns-cname-record as-backup option on the service.

DNS Options

DNS options provide additional control over the IP addresses that are listed in DNS replies to clients.

The following DNS options can be set in GSLB policies:

• dns action – Enables GSLB to perform the DNS actions specified in the service configurations.

• dns active-only – Removes IP addresses for services that did not pass their health checks.


• dns addition-mx – Appends MX records in the Additional section in replies for A records, when the device is configured for DNS proxy or cache mode.

• dns auto-map – Enables creation of A and AAAA records for IP resources configured on the AX device. For example, this option is useful for auto-mapping VIP addresses to service-IP addresses.

• dns backup-alias – Returns the alias CNAME record configured for the service, if GSLB does not receive an answer to a query for the service and no active DNS server exists. This option is valid in server mode or proxy mode.

• dns backup-server – Designates one or more backup servers that can be returned to the client if the primaries should fail.

• dns cache – Caches DNS replies and uses them when replying to clients, instead of sending a new DNS request for every client query.

• dns cname-detect – When disabled, CNAME records in the response are skipped. When enabled, the GSLB AX device applies the zone and service policy to the CNAME record instead of to the address record.

• dns delegation – Enables sub-zone delegation. The feature allows you to delegate authority or responsibility for a portion of the DNS namespace from the parent domain to a separate sub-domain which may reside on one or more remote servers and may be managed by someone other than the network administrator who is responsible for the parent zone.

• dns external-ip – Returns the external IP address configured for a ser-vice IP. If this option is disabled, the internal address is returned instead.

• dns external-soa – Replaces the internal SOA record with an external SOA record, to prevent external clients from gaining information that should only be available to internal clients. If this option is disabled, the internal SOA record is returned instead.

• dns geoloc-action – Performs the DNS traffic handling action specified for the client’s geo-location. The action is specified as part of service configuration in a zone.

• dns geoloc-alias – Replaces the IP address with its alias configured on the GSLB AX Series.

• dns geoloc-policy – Returns the alias name configured for the client’s geo-location.

• dns hint – Enables hints, which appear in the Additional Section of the DNS response. Hints are A or AAAA records that are sent in the response to a client’s DNS request. These records provide a mapping between the host names and IP addresses.


• dns ip-replace – Replaces the IP addresses with the set of addresses administratively assigned to the service in the zone configuration.

• dns ipv6 – Enables support for IPv6 AAAA records.

• dns logging – Configures DNS logging.

• dns proxy block – Blocks DNS queries from being sent to an internal DNS server. The AX device must be in GSLB proxy mode for this feature to work.

• dns selected-only – Returns only the selected IP addresses.

• dns server – Enables the GSLB AX device to act as a DNS server, for specific service IPs in the GSLB zone.

• dns sticky – Sends the same service IP address to a client for all requests from that client for the service address.

• dns ttl – Overrides the TTL set in the DNS reply. (For more information about this option, see “TTL Override” on page 25.)

The cname-detect and external-ip options are enabled by default. All the other DNS options are disabled by default.

Order in Which Sticky, Server, Cache, and Proxy Options Are Used

If more than one of the following options is enabled, GSLB uses them in the order listed, beginning with sticky:

1. sticky

2. server

3. cache

4. proxy

Note: GSLB does not have a separately configurable “proxy” option. The proxy option is automatically enabled when you configure the DNS proxy as part of the GSLB configuration.

The site address selected by the first option that is applicable to the client and the requested service is used.

TTL Override

GSLB ensures that DNS replies to clients contain the optimal set of IP addresses based on current network conditions. However, if the DNS TTL value assigned to the Address records is long, the local DNS servers used by clients might cache the replies for a long time and serve those stale replies to clients. Thus, even though the GSLB AX device has current information, clients might receive outdated information.

To ensure that the clients’ local DNS servers do not cache the DNS replies for too long, you can configure the GSLB AX device to override the TTL values of the Address records in the DNS replies before sending the replies to clients.

The TTL of the DNS reply can be overridden in two different places in the GSLB configuration:

1. If a GSLB policy is assigned to the individual service, the TTL set in that policy is used.

2. If no policy is assigned to the individual service, but the TTL is set in the zone, then the zone’s TTL setting is used.

By default, the TTL override is not set in either of these places.
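The following is an added example, not code from the guide or the AX software, modeling two things from this chapter: the order in which the sticky, server, cache and proxy options are consulted for a query, and the TTL override precedence (TTL from the policy assigned to the service, else the TTL set on the zone, else the TTL that arrived with the reply). The zone, service IPs, upstream DNS server and the 10-second default TTL used for server-mode answers when nothing overrides it are hypothetical; the upstream server is simulated by a callable so the example runs offline.

```python
"""Resolution order sticky -> server -> cache -> proxy, with TTL override."""
from typing import Callable, Dict, List, Optional, Tuple

Answer = Tuple[str, List[str], int]              # (source, addresses, ttl)
Upstream = Callable[[str], Tuple[List[str], int]]  # proxied DNS server: fqdn -> (ips, ttl)


class GslbResolver:
    def __init__(self, zone: str, service_ips: Dict[str, List[str]], upstream: Upstream,
                 service_ttl: Optional[Dict[str, int]] = None, zone_ttl: Optional[int] = None,
                 sticky: bool = False, cache: bool = False, server_ttl: int = 10,
                 clock: Callable[[], float] = lambda: 0.0) -> None:
        self.zone = zone
        self.service_ips = service_ips          # server mode: names answered directly
        self.upstream = upstream                # proxy mode: the proxied DNS server
        self.service_ttl = service_ttl or {}    # "dns ttl" in a policy bound to a service
        self.zone_ttl = zone_ttl                # TTL set on the zone
        self.server_ttl = server_ttl            # hypothetical default for server-mode answers
        self.sticky_on, self.cache_on, self.clock = sticky, cache, clock
        self._sticky: Dict[Tuple[str, str], Answer] = {}
        self._cache: Dict[str, Tuple[Answer, float]] = {}   # fqdn -> (answer, expiry)
        self._rr: Dict[str, int] = {}

    def _ttl(self, fqdn: str, reply_ttl: int) -> int:
        if fqdn in self.service_ttl:                          # 1. policy on the service
            return self.service_ttl[fqdn]
        if self.zone_ttl is not None and fqdn.endswith("." + self.zone):
            return self.zone_ttl                              # 2. TTL on the zone
        return reply_ttl                                      # no override configured

    def _rotate(self, fqdn: str, ips: List[str]) -> List[str]:
        i = self._rr.get(fqdn, 0) % len(ips)
        self._rr[fqdn] = i + 1
        return ips[i:] + ips[:i]

    def resolve(self, client: str, fqdn: str) -> Answer:
        # 1. sticky: the address already handed to this client for this name
        if self.sticky_on and (client, fqdn) in self._sticky:
            return self._sticky[(client, fqdn)]
        # 2. server: service IPs the GSLB device answers for directly
        if fqdn in self.service_ips:
            answer: Answer = ("server", self._rotate(fqdn, self.service_ips[fqdn]),
                              self._ttl(fqdn, self.server_ttl))
        # 3. cache: an unexpired reply previously obtained from the DNS server
        elif self.cache_on and fqdn in self._cache and self._cache[fqdn][1] > self.clock():
            cached = self._cache[fqdn][0]
            answer = ("cache", list(cached[1]), cached[2])
        # 4. proxy: forward to the DNS server, then apply the TTL override
        else:
            ips, reply_ttl = self.upstream(fqdn)
            answer = ("proxy", list(ips), self._ttl(fqdn, reply_ttl))
            if self.cache_on:
                self._cache[fqdn] = (answer, self.clock() + answer[2])
        if self.sticky_on:   # remember the first address returned to this client
            self._sticky[(client, fqdn)] = ("sticky", [answer[1][0]], answer[2])
        return answer


if __name__ == "__main__":
    def fake_dns(fqdn: str) -> Tuple[List[str], int]:   # constructed upstream reply
        return (["198.51.100.5"], 3600)

    r = GslbResolver("mydomain.com", {"www.mydomain.com": ["192.0.2.10", "192.0.2.11"]},
                     fake_dns, service_ttl={"www.mydomain.com": 30}, zone_ttl=60,
                     sticky=True, cache=True)
    print(r.resolve("10.0.0.1", "www.mydomain.com"))    # server, TTL 30 from the service policy
    print(r.resolve("10.0.0.1", "www.mydomain.com"))    # sticky, same first address
    print(r.resolve("10.0.0.3", "mail.mydomain.com"))   # proxy, upstream TTL 3600 overridden to 60
    print(r.resolve("10.0.0.4", "mail.mydomain.com"))   # cache
```

The injectable clock makes the cache aging visible: once the zone TTL has elapsed, a query from a client with no sticky entry goes back to the proxied server instead of the cache.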

Note: In DNS server mode, the DNS response from the AX device carries an IP TTL (maximum number of Layer 3 hops) with a default value of 255. This IP TTL can be configured using the following CLI command: gslb system ip-ttl.

More Information

See “Advanced DNS Options” on page 77.

Metrics That Require the GSLB Protocol on Site AX Devices

AX devices use the GSLB protocol for GSLB management traffic. The protocol must be enabled on the GSLB controller.

GSLB does not need to be enabled on the site AX devices, but enabling it is recommended in order to collect the site information that is needed for the following metrics:

• Session-capacity

• aRDT

• Connection-Load

• Num-Session

Note: Enabling the GSLB protocol is also required if you are using the default health-check methods. However, if you modify the default health checks, the GSLB protocol does not need to be enabled. (See “Health Checks” on page 21.)

GSLB Configuration

This chapter describes the configuration of Global Server Load Balancing (GSLB).

Overview

Configuration is required on the GSLB AX device (the GSLB controller) and on the site AX devices.

Note: The AX device provides an optional mechanism to automatically synchronize GSLB configurations and service IP status among multiple GSLB controllers for a GSLB zone. If you plan to use automatic GSLB configuration synchronization among controllers, first see “GSLB Configuration Synchronization” on page 113.

Note: This chapter shows the GUI pages for detailed configuration. The GUI also provides pages for simple GSLB configuration. Navigate to Config Mode > Getting Started > GSLB Easy Config. See the online help or the AX Series GUI Reference for information.

Configuration on GSLB Controller

To configure GSLB on the GSLB AX device:

1. Configure health monitors for the DNS server to be proxied and for the GSLB services to be load balanced.

2. Configure a DNS proxy.

3. Configure a GSLB policy (unless you plan to use the default policy set-tings, described in “GSLB Policy” on page 18).

4. Configure services.

5. Configure sites.

6. Configure a zone.

7. Enable the GSLB protocol for the GSLB controller function.

Note: If you plan to run GSLB in server mode, the proxy DNS server does not require configuration of a real server or service group; only the VIP is required. However, if you plan to run GSLB in proxy mode, the real server and service group are required along with the VIP. (Server and proxy mode are configured as DNS options. See “DNS Options” on page 23.)

Configuration on Site AX Device

To configure GSLB on the site AX devices:

1. Configure SLB, if not already configured.

2. Enable the GSLB protocol for the GSLB site device function.

Configuration takes place at the following levels:

• Global (system-wide on the GSLB AX device)

• Zone

• SLB device

• Site

• Service IP

The following sections describe the GSLB configuration steps in the GUI and in the CLI. Required commands and commonly used options are listed. For advanced commands and options, see “CLI Command Reference” on page 153.

Note: Each of the following sections shows the CLI and GUI configuration. For complete configuration examples, see “GSLB Configuration Examples” on page 99.

Configure Health Monitors

A10 Networks recommends that you configure health monitors for the local DNS server to be proxied and also for the GSLB services to be load balanced.

Use a DNS health monitor for the local DNS server. You also can use a Layer 3 health monitor to check the IP reachability of the server.

For the GSLB service, use health monitors for the application types of the services. For example, for an HTTP service, use an HTTP health monitor. If the Health-Check metric is enabled in the GSLB policy, the metric will use the results of service health checks to select sites.

To monitor the health of the real servers providing the services, configure health monitors on the site SLB devices.

Configure the health monitors for the proxied DNS server and the GSLB services on the GSLB AX device. Configure the health monitors for real servers and their services on the site AX devices.

Configuration of health monitors is the same as for standard SLB. There are no special health monitoring options or requirements for GSLB.

Configure the DNS Proxy

The DNS proxy is a DNS virtual service, and its configuration is therefore similar to the configuration of an SLB service.

To configure the GSLB DNS proxy, use one of the following procedures.

USING THE GUI

1. Select Config Mode > Service > GSLB.

2. Click DNS Proxy, then click Add.

3. Enter a name for the DNS proxy.

4. Enter the IP address that will be advertised as the authoritative DNS server for the GSLB zone.

Note: The GUI will not accept the configuration if the IP address you enter here is the same as the real DNS server IP address you enter when configuring the service group for this proxy (below).

5. (Optional) To add this proxy configuration of the DNS server to a High Availability (HA) group, select the group.

6. In the GSLB Port section, click Add.

7. In the Port field, enter the DNS port number, if not already filled in.

8. In the Service Group field, select “create”. The Service Group and Server sections appear.

9. In the Name field, enter a name for the service group.


10. In the Type drop-down list, select UDP.

11. In the Server section, in the Server drop-down list, enter the IP address of the DNS server. Enter the real IP address of the DNS server, not the IP address you are assigning to the DNS proxy.

12. Enter the DNS port number in the Port field and click Add. The server information appears.

13. Click OK. The GSLB Port section re-appears.

14. Click OK. The Proxy section re-appears.

15. Click OK. The DNS proxy appears in the DNS proxy table.

USING THE CLI

1. To configure a real server for the DNS server to be proxied, use the following commands:

slb server server-name ipaddr

Use this command at the global configuration level of the CLI. The command creates the proxy and changes the CLI to the configuration level for it.

To configure the DNS port on the server, use the following command to change the CLI to the configuration level for the port:

port port-num udp

To enable health monitoring of the DNS service, use the following com-mand:

health-check monitor-name

(Layer 3 health monitoring using the default Layer 3 health monitor is already enabled by default.)

2. To configure a service group and add the DNS proxy (real server) to it, use the following commands:

slb service-group group-name udp

Use this command at the global configuration level of the CLI. The command creates the service group and changes the CLI to the configuration level for it. To add the DNS server to the service group, use the following command:

member server-name:port-num

3. To configure a virtual server for the DNS proxy and bind it to the real server and service group, use the following commands:

slb virtual-server name ipaddr


Use this command at the global configuration level of the CLI. The command creates the virtual server and changes the CLI to the configuration level for it. To add the DNS port, use the following command:

port port-number udp

This command changes the CLI to the configuration level for the DNS port. To bind the DNS port to the DNS proxy service group and enable GSLB on the port, use the following commands:

service-group group-name

gslb-enable

Configure a GSLB Policy

The GSLB policy contains the metrics used to evaluate each site.

For the evaluation of sites, A10 uses a fixed list of site addresses. This list is constructed based on the original list when a site becomes active. This fixed metric evaluation function does not do ordering or re-ordering of the original list.

In the “default” GSLB policy, the following metrics are enabled by default:

• Health-Check

• Geographic

• Round-Robin

All other metrics are disabled. (For detailed information about policy parameters and their defaults, see “Policy Configuration Commands” on page 188 or the AX Series GUI Reference or online help.)

Note: Although the Geographic metric is enabled by default, there are no default geo-location mappings. To use the Geographic metric, you must load or manually configure geo-location mappings. (See “Loading or Configuring Geo-Location Mappings” on page 49 later in this section.)

Note: Also see “GSLB Policy” on page 18.


Enabling / Disabling Metrics

To enable or disable a metric, use one of the following procedures.

USING THE GUI

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Policy.

3. Click on the policy name or click Add to create a new policy.

4. If you are configuring a new policy, enter a name in the Name field in the General section.

5. In the Metrics section, drag-and-drop the metric from one column to the other. For example, to disable the Health-Check metric, drag-and-drop it from the In Use column to the Not In Use column.

If you are enabling a metric, drag it to the position you want it to be used in the processing order. For example, if you are enabling the Admin Preference metric and you want this metric to be used first, drag-and-drop the metric to the top of the In Use column.

6. In the DNS Options section, configure the DNS options, if applicable to your deployment. (For descriptions, see “DNS Options” on page 23.)

7. Click OK.

USING THE CLI

To enable a metric, enter the metric name at the configuration level for the policy. For example, to enable the Admin-Preference metric, enter the following command:

AX(config gslb-policy)#admin-preference

To disable a GSLB metric, use the “no” form of the command for the metric, at the configuration level for the policy. For example, to disable the Health-Check metric, enter the following command at the configuration level for the policy:

AX(config gslb-policy)#no health-check


To set DNS options, use the following command at the configuration level for the policy. (For descriptions, see “DNS Options” on page 23.)

[no] dns {action | active-only [fail-safe] | addition-mx | auto-map | backup-alias | backup-server | cache [aging-time {seconds | ttl}] | cname-detect | delegation | external-ip | external-soa | geoloc-action | geoloc-alias | geoloc-policy | hint | ip-replace | ipv6 options | logging {both | query | response | none} | proxy block option | selected-only [num] | server [addition-mx] [any] [authoritative options] [mx] [ns [auto-ns]] [ptr [auto-ptr]] [srv] [txt] | sticky [network-mask | /prefix-length] [aging-time minutes] [ipv6-mask mask-length] | ttl num}


Changing the Metric Order

To change the metric order, use one of the following procedures.

USING THE GUI

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Policy.

3. Click on the policy name or click Add to create a new policy.

4. If you are configuring a new policy, enter a name in the Name field in the General section.

5. In the Parameters section, drag-and-drop the metric to the position in which you want it to be used in the processing order. For example, if you want the Admin-Preference metric to be used first, drop the metric to the top of the In Use column.

6. Click OK.

USING THE CLI

To change the positions of metrics in a GSLB policy, use the following command at the configuration level for the policy:

[no] metric-order metric [metric ...]

The metric option specifies a metric and can be one of the following:

• active-rdt

• active-servers

• admin-ip

• admin-preference

• bw-cost

• capacity

• connection-load

• geographic

• health-check

• least-response


• num-session

• weighted-ip

• weighted-site

Note: Metric order does not apply to the Alias-Admin-Preference or Weighted-Alias metrics.

Configuring Active-Round Delay Time

If you are planning to use the active-Round Delay Time (aRDT) metric, read this section. Otherwise, you can skip the section. This metric is disabled by default.

aRDT

aRDT measures the round-delay-time for a DNS query and reply between a site AX device and the GSLB local DNS.

You can configure aRDT to take a single sample or periodic samples.

Global aRDT Parameters

The aRDT metric uses the following options, which are configurable on a global basis:

• Domain – Specifies the query domain. To measure the active round-delay-time (aRDT) for a client, the site AX device sends queries for the domain name to a client’s local DNS. An aRDT sample consists of the time between when the site AX device sends a query and when it receives the response.

Only one aRDT domain can be configured. It is recommended to use a domain name that is likely to be in the cache of each client’s local DNS. The default domain name is “google.com”.

The AX device averages multiple aRDT samples together to calculate the aRDT measurement for a client. (See the description of Track below.)

• Interval – Specifies the number of seconds between queries. You can specify 1-16383 seconds. The default is 1.

• Retry – Specifies the number of times GSLB will resend a query if there is no response. You can specify 0-16. The default is 3.

• Sleep – Specifies the number of seconds GSLB stops tracking aRDT data for a client after a query fails. You can specify 1-300 seconds. The default is 3.


• Timeout – Specifies the number of milliseconds GSLB will wait for a reply before resending a query. You can specify 1-16383 milliseconds (ms). The default is 3000 ms.

• Track – Specifies the number of seconds during which the AX device collects samples for a client. The samples collected during the track time are averaged together, and the averaged value is used as the aRDT measurement for the client. You can specify 3-16383 seconds. The default is 60 seconds.

The averaged aRDT measurement is used until it ages out. The aging time for averaged aRDT measurements is 10 minutes by default and is configurable on individual sites, using the aRDT aging-time command.

To configure global aRDT options, use the following command at the global configuration level of the CLI:

[no] gslb active-rdt {domain domain-name | interval seconds | retry num | sleep seconds | timeout ms | track seconds}

Default Settings

When you enable aRDT, a site AX device sends some DNS requests to the GSLB domain’s local DNS. The GSLB AX device then averages the aRDT times of 5 samples.

Single Sample (Single Shot)

To take a single sample and use that sample indefinitely, use the single-shot option. This option instructs each site AX device to send a single DNS query to the GSLB local DNS.

The single-shot option is useful if you do not want to frequently update the aRDT measurements. For example, if the GSLB domain's clients tend to remain logged on for long periods of time, using the single-shot option ensures that clients are not frequently sent to differing sites based on aRDT measurements.


The single-shot option has the following additional options:

• timeout – Specifies the number of seconds each site AX device should wait for the DNS reply. If the reply does not arrive within the specified timeout, the site becomes ineligible for selection, in cases where selection is based on the aRDT metric. You can specify 1-255 seconds. The default is 3 seconds.

• skip – Specifies the number of site AX devices that can exceed their single-shot timeouts, without the aRDT metric itself being skipped by the GSLB AX device during site selection. You can skip from 1-31 sites. The default is 3.

Multiple Samples

To periodically retake aRDT samples, do not use the single-shot option. In this case, the AX device uses the averaged aRDT value based on the number of samples measured for the intervals.

For example, if you set aRDT to use 3 samples with an interval of 5 seconds, the aRDT is the average over the last 3 samples, collected in 5-second intervals. If you configure single-shot instead, a single sample is taken.

The number of samples can be 1-8. The default is 5 samples.

Store-By

By default, the GSLB AX device stores one aRDT measurement per site SLB device. Optionally, you can configure the GSLB AX device to store one measurement per geo-location instead. This option is configurable on individual GSLB sites. (See “Changing aRDT Settings for a Site” on page 39.)

Tolerance

The default measurement tolerance is 10 percent. If the aRDT measurements for more than one site are within 10 percent, the GSLB AX device considers the sites to be equal in terms of aRDT. You can adjust the tolerance to any value from 0-100 percent.


Enabling aRDT

To enable aRDT, use one of the following procedures.

USING THE GUI

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Policy.

3. Click on the policy name or click Add to create a new one.

4. Drag-and-drop aRDT from the Not In Use column to the In Use column.

5. Click the plus sign to display the aRDT configuration fields.

6. To use single-shot aRDT, select the Single-shot checkbox. To collect multiple samples, do not select the Single-shot checkbox.

7. To change settings for single-shot, edit the values in the Timeout and Skip fields.

8. To change settings for multiple samples, edit the values in the Samples and Tolerance fields.

9. Click OK.

USING THE CLI

Enter the following command at the configuration level for the GSLB policy:

[no] active-rdt [difference num] [fail-break] [ignore-id group-id] [keep-tracking] [limit ms] [samples num-samples] [single-shot] [skip count] [timeout seconds] [tolerance num-percentage]

If you omit all the options, the site AX device sends DNS requests to the GSLB domain’s local DNS. The GSLB AX device averages the aRDT times of the samples. The aRDT measurements are regularly updated. You can use the samples option to change the number of samples to 1-8.

To enable single-shot aRDT instead, use the single-shot option. For single-shot, you also can use the skip and timeout options. (See the descriptions above, in “Single Sample (Single Shot)” on page 36.)


CLI Examples

The following commands access the configuration level for GSLB policy “gslbp2” and enable the aRDT metric, using all the default settings:

AX(config)#gslb policy gslbp2

AX(config gslb-policy)#active-rdt

The following commands access the configuration level for GSLB policy “gslbp3” and enable the aRDT metric, using single-shot settings:

AX(config)#gslb policy gslbp3

AX(config gslb-policy)#active-rdt single-shot

AX(config gslb-policy)#active-rdt skip 3

In this example, each site AX device will send a single DNS query to the GSLB domain’s local DNS, and wait 3 seconds (the default) for a reply. The site AX devices will then send their aRDT measurements to the GSLB AX device. However, if more than 3 site AX devices fail to send their aRDT measurements to the GSLB AX device, the AX device will not use the aRDT metric.

Changing aRDT Settings for a Site

You can adjust the following aRDT settings on individual sites:

• aging-time – Specifies the maximum amount of time a stored aRDT result can be used. You can specify 1-60 minutes. The default is 10 minutes.

• bind-geoloc – Stores the aRDT measurements on a per geo-location basis. Without this option, the measurements are stored on a per site-SLB device basis.

• ignore-count – Specifies the ignore count if aRDT is out of range. You can specify 1-15. The default is 5.

• ipv6-mask – Specifies the client IPv6 mask length, 1-128. The default is 128.

• limit – Specifies the limit. You can specify 1-16383. The default is 16383 milliseconds.

• mask – Based on the subnet mask or mask length, the entry can be a host address or a subnet address. The default is 32.

• range-factor – Specifies the maximum percentage a new aRDT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again.


For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement cannot be used.

You can specify 1-1000. The default is 25.

• smooth-factor – Blends the new measurement with the previous one, to smooth the measurements.

For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new measurement is used, along with 50% of the previous measurement.

You can specify 1-100. The default is 10.
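The range-factor, smooth-factor and ignore-count rules above, plus the policy-level tolerance comparison described under “Tolerance”, as an added model in Python. This is not A10's code: the exact meaning of ignore-count and the reference point for the tolerance comparison are not spelled out in the guide, so both are labelled assumptions in the code, and the numbers mirror the documented defaults.

```python
"""Added example (not A10's code): a model of the per-site aRDT update rules
(range-factor, smooth-factor, ignore-count) and of the policy tolerance check."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ArdtTracker:
    """Tracks the stored aRDT measurement for one site (or one geo-location
    when bind-geoloc is in use). Defaults follow the guide: 25 / 10 / 5."""
    range_factor: int = 25     # percent a new sample may differ from the stored value
    smooth_factor: int = 10    # percent of the new sample blended into the stored value
    ignore_count: int = 5      # ASSUMPTION: consecutive out-of-range samples tolerated
    stored: Optional[float] = None
    rejected_in_a_row: int = 0

    def update(self, sample_ms: float) -> float:
        """Apply one new sample and return the measurement now in use (ms)."""
        if self.stored is None:
            # First sample: there is no previous value to compare against.
            self.stored = float(sample_ms)
            return self.stored
        low = self.stored * (100 - self.range_factor) / 100
        high = self.stored * (100 + self.range_factor) / 100
        if not (low <= sample_ms <= high):
            self.rejected_in_a_row += 1
            if self.rejected_in_a_row < self.ignore_count:
                # Out of range: discard the sample, keep the previous measurement.
                return self.stored
            # ASSUMPTION: once ignore-count consecutive samples have been
            # rejected, the new reading is accepted so that a genuine change
            # in path latency is not ignored forever.
        self.rejected_in_a_row = 0
        sf = self.smooth_factor / 100
        # smooth-factor 10 -> 10% of the new sample, 90% of the previous value
        self.stored = sample_ms * sf + self.stored * (1 - sf)
        return self.stored


def ardt_candidates(measurements: Dict[str, float], tolerance: int = 10) -> List[str]:
    """Sites whose aRDT is within `tolerance` percent of the lowest value are
    treated as equal for this metric (ASSUMPTION: the tolerance band is measured
    from the best site). Returns them ordered by aRDT; a tie is left for the
    next metric in the policy's metric order to break."""
    if not measurements:
        return []
    best = min(measurements.values())
    cutoff = best * (100 + tolerance) / 100
    return sorted((site for site, ms in measurements.items() if ms <= cutoff),
                  key=lambda site: measurements[site])


if __name__ == "__main__":
    # Constructed sample sequence: 100 ms baseline, then a spike to 200 ms.
    tracker = ArdtTracker()
    for sample in (100, 120, 200):
        print(sample, "->", round(tracker.update(sample), 1))
    # Constructed per-site measurements; with 10% tolerance usa and eu tie.
    print(ardt_candidates({"usa": 100.0, "eu": 108.0, "asia": 140.0}))
```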

USING THE GUI

Use the Options section of the GUI page for the site.

USING THE CLI

Use the following command at the configuration level for the site:

[no] active-rdt aging-time minutes | bind-geoloc | limit num | mask {/mask-length | mask-ipaddr} | range-factor num | smooth-factor num

Excluding a Set of IP Addresses from aRDT Polling

You can use an IP list to exclude a set of IP addresses from aRDT polling. You can configure an IP list in either of the following ways:

• Use a text editor on a PC or use the AX GUI to configure a black/white list, then load the entries from the black/white list into an IP list.

• Use this command to configure individual IP list entries.


USING THE CLI

To configure an IP list using the CLI, use the following command at the global configuration level of the CLI:

[no] gslb ip-list list-name

The command changes the CLI to the configuration level for the list, where the following IP-list-related commands are available:

[no] ip ipaddr {subnet-mask | /mask-length} id group-id

This command creates an IP entry in the list. Based on the subnet mask or mask length, the entry can be a host address or a subnet address. The id option adds the entry to a group. The group-id can be 0-31.

[no] load bwlist-name

This command loads the entries from a black/white list into the IP list. For information on configuring a black/white list, see the “Policy-Based SLB (PBSLB)” chapter in the AX Series System Configuration and Administration Guide.

To use the IP list to specify the IP addresses to exclude from aRDT data collection, use the following command at the configuration level for the GSLB policy:

[no] active-rdt ignore-id group-id

USING THE GUI

Note: In the current release, IP lists cannot be configured using the GUI.


Configuring BW-Cost Settings

If you are planning to use the BW-Cost metric, read this section. Otherwise, you can skip the section. The BW-Cost metric is disabled by default.

The BW-Cost metric selects sites based on bandwidth utilization on the site AX links.

How Bandwidth Cost Is Measured

To compare sites based on bandwidth utilization, the GSLB AX device sends SNMP GET requests for a specified MIB interface object, such as ifInOctets, to each site.

• If the SNMP object value is less than or equal to the bandwidth limit configured for the site, the site is eligible to be selected.

• If the SNMP object value is greater than the bandwidth limit configured for the site, then the site is ineligible.

The GSLB AX device sends the SNMP requests at regular intervals. Once a site is ineligible, the site can become eligible again at the next interval if the utilization is below the configured limit minus the threshold percentage. (See below.)

Configuration Requirements

To use the BW-Cost metric, an SNMP template must be configured and bound to each site. The GSLB SNMP template specifies the SNMP version and other information necessary to access the SNMP agent on the site AX device, and the Object Identifier (OID) of the MIB object to request.

In addition, the following BW-Cost parameters must be configured on each site:

• Bandwidth limit – The bandwidth limit specifies the maximum value of the requested MIB object for the site to be eligible for selection.

• Bandwidth threshold – For a site to regain eligibility when BW-Cost is being compared, the SNMP object’s value must be below the threshold-percentage of the limit value.

For example, if the limit value is 80,000 and the threshold is 90 (percent), then the limit value must be 72,000 or less, for the site to become eligible again based on bandwidth cost. Once a site again becomes eligible, the SNMP object’s value is again allowed to increase up to the bandwidth limit value (80,000 in this example).


Configuring Bandwidth Cost

To use the BW-Cost metric:

1. On the site AX devices, configure and enable SNMP.

2. On the GSLB AX device:

a. Configure a GSLB SNMP template.

b. Add the template to the GSLB site configuration.

c. Optionally, set the bandwidth limit and threshold on the site. By default, the bandwidth limit is not set (unlimited).

d. Enable the BW-Cost metric in the GSLB policy. By default, the BW-Cost metric is disabled.

USING THE GUI

Note: SNMP template configuration is not supported in the GUI. Use the CLI to configure the template, then use the following GUI procedures.

USING THE CLI

To Configure a GSLB SNMP Template

Use the following commands:

[no] gslb template snmp template-name

This command adds the template and changes the CLI to the configuration level for the template, where the following template-related commands are available:

[no] version {v1 | v2c | v3}

The version command specifies the SNMP version running on the site AX device.

[no] host ipaddr

[no] oid oid-value

The host command specifies the IP address of the site AX device.

The oid command specifies the interface MIB object to query on the site AX device.

Note: If the object is part of a table, make sure to append the table index to the end of the OID. Otherwise, the AX device will return an error.


SNMPv1 / v2c Commands:

[no] community community-string

The community command specifies the community string required for authentication.

SNMPv3 Commands:

[no] username name

This command specifies the SNMPv3 username required for access to the SNMP agent on the site AX device.

[no] security-level {no-auth | auth-no-priv | auth-priv}

This command specifies the SNMPv3 security level:

• no-auth – Authentication is not used and encryption (privacy) is not used. This is the default.

• auth-no-priv – Authentication is used but encryption is not used.

• auth-priv – Both authentication and encryption are used.

[no] auth-proto {sha | md5}

[no] auth-key string

These commands are applicable if the security level is auth-no-priv or auth-priv. The auth-proto command specifies the authentication protocol. The auth-key command specifies the authentication key. The key string can be 1-127 characters long.

[no] priv-proto {aes | des}

[no] priv-key string

These commands are applicable only if the security level is auth-priv. The priv-proto command specifies the privacy protocol used for encryption. The priv-key command specifies the encryption key. The key string can be 1-127 characters long.

[no] context-engine-id id

[no] context-name id

[no] security-engine-id id

The context-engine-id command specifies the ID of the SNMPv3 protocol engine running on the site AX device. The context-name command specifies an SNMPv3 collection of management information objects accessible by an SNMP entity. The security-engine-id command specifies the ID of the SNMPv3 security engine running on the site AX device. For each command, the ID is a string 1-127 characters long.

[no] interface id

The interface command specifies the SNMP interface ID.

Additional Commands:

[no] interval seconds

[no] port port-num

The interval command specifies the amount of time between each SNMP GET to the site AX devices. You can specify 1-999 seconds. The default is 3.

The port command specifies the protocol port on which the site AX devices listen for the SNMP requests from the GSLB AX device. You can specify 1-65535. The default is 161.

To Apply a GSLB SNMP Template to a GSLB Site

Use the following command at the configuration level for the site:

[no] template template-name

To Configure the Bandwidth Limit and Threshold on a Site

Use the following command at the configuration level for the site:

[no] bw-cost limit limit threshold percentage

The limit specifies the maximum value of the SNMP object (as queried by the GSLB AX device), in order for the site to remain eligible for selection. You can specify 0-2147483647. There is no default.

If a site becomes ineligible due to being over the limit, the percentage parameter is used. In order to become eligible for selection again, the site’s SNMP object value must not be more than limit × threshold-percentage.

You can specify 0-100 percent. There is no default.
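The eligibility rule with its hysteresis band (eligible until the value exceeds the limit; eligible again only once it is back at or below limit × threshold-percentage), as an added Python model that is not A10's code. It uses the guide's own 80,000 / 90 example; the counter-delta helper reflects an assumption that the compared value is the per-interval change of a counter object such as ifInOctets, which is not stated in the guide.

```python
"""Added example (not A10's code): the BW-Cost eligibility rule with its
hysteresis band, driven by a constructed sequence of per-interval readings."""
from typing import List, Optional


def bw_cost_step(eligible: bool, value: int, limit: Optional[int], threshold_pct: int) -> bool:
    """One polling interval: return the site's new eligibility.

    limit None models "bandwidth limit not set", which the guide treats as
    unlimited, so the site is always eligible on this metric.
    """
    if limit is None:
        return True
    if eligible:
        # An eligible site stays eligible until the value exceeds the limit.
        return value <= limit
    # An ineligible site must first drop to limit * threshold% (80,000 * 90%
    # = 72,000 in the guide's example) before it is considered again.
    return value <= limit * threshold_pct // 100


def bw_cost_trace(values: List[int], limit: Optional[int], threshold_pct: int) -> List[bool]:
    """Eligibility after each poll, starting from an eligible site."""
    trace, eligible = [], True
    for value in values:
        eligible = bw_cost_step(eligible, value, limit, threshold_pct)
        trace.append(eligible)
    return trace


def counter_delta(prev: int, cur: int, bits: int = 32) -> int:
    """ASSUMPTION: the value compared against the limit is the change in a
    Counter32/Counter64 object between two polls; the modulo keeps the delta
    correct when the counter wraps at 2**bits."""
    return (cur - prev) % (1 << bits)


if __name__ == "__main__":
    # Constructed readings: rises above the 80,000 limit, then must fall to
    # 72,000 before the site is usable again.
    readings = [60000, 85000, 75000, 72000, 79000, 81000]
    for reading, ok in zip(readings, bw_cost_trace(readings, 80000, 90)):
        print(reading, "eligible" if ok else "ineligible")
    print(counter_delta(4294967000, 300))  # wrapped Counter32
```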

To Enable the Bandwidth Cost Metric in a GSLB Policy

Use the following command at the configuration level for the policy:

[no] bw-cost


To Display BW-Cost Data for a Site

Use the following command:

show gslb site [site-name] bw-cost

CLI Example – SNMPv2c

The following commands configure a GSLB SNMP template for SNMPv2c:

AX(config)#gslb template snmp snmp-1

AX(config-gslb template snmp)#version v2c

AX(config-gslb template snmp)#host 192.168.214.124

AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12

AX(config-gslb template snmp)#community public

AX(config-gslb template snmp)#exit

The following commands apply the SNMP template to a site and set the bandwidth limit and threshold:

AX(config)#gslb site usa

AX(config gslb-site)#template snmp-1

AX(config gslb-site)#bw-cost limit 100000 threshold 90

AX(config gslb-site)#exit

The following commands enable the BW-Cost metric in the GSLB policy:

AX(config)#gslb policy pol1

AX(config-gslb policy)#bw-cost

AX(config-gslb policy)#exit

The following command displays BW-Cost data for the site:

AX-1(config)#show gslb site usa bw-cost

U = Usable, TI = Time Interval

USGN = Unsigned, SN64 = Unsigned 64

CNTR = Counter, CT64 = Counter 64

Site Template Current Highest Limit U Type Len Value TI

--------------------------------------------------------------------------------

usa snmp-1 31091 142596 100000 Y CNTR 4 3355957308 3


CLI Example – SNMPv3

The following commands configure a GSLB SNMP template for SNMPv3. In this example, authentication and encryption are both used.

AX(config)#gslb template snmp snmp-2

AX(config-gslb template snmp)#security-level auth-priv

AX(config-gslb template snmp)#host 192.168.214.124

AX(config-gslb template snmp)#username read

AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12

AX(config-gslb template snmp)#priv-proto des

AX(config-gslb template snmp)#auth-key 12345678

AX(config-gslb template snmp)#priv-key 12345678

The other commands are the same as those shown in “CLI Example – SNMPv2c” on page 46.

Configuring Alias Admin Preference

To configure the Alias Admin Preference metric:

1. At the configuration level for the GSLB service, assign an administrative preference to the DNS CNAME record for the service.

2. At the configuration level for the GSLB policy:

• Enable the Alias Admin Preference metric.

• Enable one or both of the following DNS options, as applicable to your deployment:

• DNS backup-alias

• DNS geoloc-alias

3. If using the backup-alias option, use the dns-cname-record as-backup option on the service.

USING THE GUI

The current release does not support this feature in the GUI.

USING THE CLI

1. To assign an administrative preference to the DNS CNAME record for a service, use the following command at the configuration level for the service:

[no] admin-preference preference


The preference can be 0-255. A higher value is preferred over a lower value. The default is 0 (not set).

2. To enable the Alias Admin Preference metric, use the following command at the configuration level for the policy:

[no] alias-admin-preference

Configuring Weighted Alias

To configure the Weighted Alias metric:

1. At the configuration level for the GSLB service, assign a weight to the DNS CNAME record for the service.

2. At the configuration level for the GSLB policy:

• Enable the Weighted Alias metric.

• Enable one or both of the following DNS options, as applicable to your deployment:

• DNS backup-alias

• DNS geoloc-alias

3. If using the backup-alias option, use the dns-cname-record as-backup option on the service.

USING THE GUI

The current release does not support this feature in the GUI.

USING THE CLI

1. To assign a weight to the DNS CNAME record for a service, use the following command at the configuration level for the service:

[no] weight num

The num can be 1-255. A higher value is preferred over a lower value. The default is 1.

2. To enable the Weighted Alias metric, use the following command at the configuration level for the policy:

[no] weighted-alias


Loading or Configuring Geo-Location Mappings

You can configure geo-location mappings manually or by loading the mappings from a file. Configuring the geo-location mappings manually might not be practical unless you have only a few sites.

The geo-location configuration options are described in detail below. To skip the descriptions and go directly to configuration instructions, see one of the following sections. Each section provides the procedure for one of the approaches to configuring geo-location mappings.

• “Loading or Configuring Geo-Location Mappings” on page 49

• “Manually Configuring Geo-Location Mappings” on page 54

Geo-Location Database Files

You can load the geo-location database (which contains the geo-location mappings) from one of the following types of files:

• Internet Assigned Numbers Authority (IANA) database – The IANA database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. Note that this database is loaded by default.

• Custom database in CSV format – You can load a custom geo-location database from a file in comma-separated-values (CSV) format. However, before loading the file, you must first configure a CSV template on the AX device, because the data in the file is formatted by the template.

Note: You can load more than one geo-location database. When you load a new database, if the same IP address or IP address range already exists in a previously loaded database, the address or range is overwritten by the new database.

Geo-Location Mappings

A geo-location mapping consists of a geo-location name and an IP address or IP range.

• If you manually map a geo-location to a GSLB site, GSLB uses the mapping.

• If no geo-location is configured for a GSLB site, GSLB automatically maps the service-ip to a geo-location in the loaded geo-location database.

• If a service-ip cannot be mapped to a geo-location, GSLB maps the site AX device to a geo-location.


If more than one geo-location matches a client’s IP address, the most specific match is used. For example, if a client is in the same city as a site AX, that site will be preferred. If the client and site are in the same state but in different cities, the site in that state will be preferred.

Only one database can be active. If you load more than one database, the most-recently loaded one becomes the active one, and the older database is no longer used. Data from the older database is not merged into the new database.

Example Database File

An example of a database file is shown below. Each paragraph is actually a single line in the file, but they are displayed here on multiple lines due to the limited width of the page. (Note that lines in the database file should not have spaces between the fields; the spacing here was added to improve readability.)

"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"

"1159364096","1159364351","US","UNITED STATES","NA","NORTH AMERICA","","","","ENVIRONMENTAL COMPLIANCE SERVICE","SILVER","","32.0708","-100.682"

"1159364352","1159364607","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS","MLS PROPERTY INFORMATION NETWORK","SHREWSBURY","WORCESTER","42.2959","-71.7134"...

The example above shows how the CSV file appears when displayed in a text editor. If the same data were displayed in a spreadsheet application, it would appear like Figure 1 below.

FIGURE 1 CSV File in Spreadsheet Application

The database file can contain more types of information (fields, or columns) than are required for the GSLB database. When you load the CSV file into the geo-location database, the CSV template on the AX device filters the file to extract the required data, while ignoring the rest of the data. In the example below, only the fields selected by the template are extracted and placed into the geo-location database; here those are the first, second, third and fifth fields (the two IP address values, the country code "US" and the continent code "NA"):

"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"


These fields contain the following information:

• From IP address (starting IP address in the range)

• To IP address (ending IP address in the range, or subnet mask)

• Continent

• Country

The IP addresses in this example are in bin4 format. Dotted decimal format (for example: 69.26.125.0) is also supported. If you use bin4 format, the AX device automatically converts the addresses into dotted decimal format when you load the database into GSLB.

Converting IP Addresses into bin4 Format

If you want to use bin4 format in the CSV file, here is how to convert an IP address from dotted-decimal format to bin4 format:

1. Convert each node (octet) into hex.

2. Concatenate the hex values and convert the resulting hex number into decimal.

3. Enter the decimal number into the database file.

Here is an example for IP address 69.26.125.0, the first IP address in the example CSV file:

Dotted Decimal   Hex of Each Node   Combined Hex Number   Decimal
69.26.125.0      45.1a.7d.00        451a7d00              1159363840

CSV File Field Delimiters

The fields in the CSV file must be separated by a delimiter. By default, the AX device interprets commas as delimiters. When you configure the CSV template on the AX device, you can set the delimiter to any valid ASCII character.

Creating and Loading a Custom Geo-Location Database

To create and load a custom geo-location database:

1. Prepare the database file. (This step requires an application that can save text in CSV format, and it cannot be performed on the AX device.)

2. Configure a CSV template on the AX device. The CSV template specifies the field positions (or columns) in the database that should be extracted, such as IP address and location information.

3. Import the CSV file onto the AX device.
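The extraction and conversion described above, as an added example that is not A10 code: a small Python emulation of what the guide says the CSV template does (pick the ip-from, ip-to-mask, continent and country columns by position, honour a configurable delimiter) together with the bin4 conversion steps. The sample rows are constructed from the guide's example file; the rule used to tell an ending address from a subnet mask in the ip-to-mask field is an assumption, because the guide does not state how the AX decides.

```python
"""Added example, not A10 code: emulate the CSV-template extraction the
guide describes, plus the bin4 <-> dotted-decimal conversion.

Template semantics mirror the guide's CLI (`field <num> ip-from`, `field
<num> ip-to-mask`, `field <num> continent`, `field <num> country`) with
1-based column numbers 1-64 and a single-character delimiter.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample: the three rows of the guide's example database file,
# each on a single line with no spaces between fields.
SAMPLE_CSV = (
    '"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA",'
    '"EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX",'
    '"42.3495","-71.5482"\n'
    '"1159364096","1159364351","US","UNITED STATES","NA","NORTH AMERICA",'
    '"","","","ENVIRONMENTAL COMPLIANCE SERVICE","SILVER","","32.0708","-100.682"\n'
    '"1159364352","1159364607","US","UNITED STATES","NA","NORTH AMERICA",'
    '"EST","MA","MASSACHUSETTS","MLS PROPERTY INFORMATION NETWORK",'
    '"SHREWSBURY","WORCESTER","42.2959","-71.7134"\n'
)

# Equivalent of the guide's template: field 1 ip-from / field 2 ip-to-mask /
# field 5 continent / field 3 country
SAMPLE_TEMPLATE = {"ip-from": 1, "ip-to-mask": 2, "continent": 5, "country": 3}


def dotted_to_bin4(addr: str) -> int:
    """The guide's steps: hex of each node, concatenate, read as decimal."""
    nodes = addr.split(".")
    if len(nodes) != 4 or not all(n.isdigit() and int(n) <= 255 for n in nodes):
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr!r}")
    combined_hex = "".join(f"{int(n):02x}" for n in nodes)  # e.g. 451a7d00
    return int(combined_hex, 16)


def bin4_to_dotted(value: int) -> str:
    """Inverse conversion, which the AX performs when loading a bin4 file."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"bin4 value out of range: {value}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_ip_field(text: str) -> int:
    """Accept bin4 (all digits) or dotted decimal, as the guide allows."""
    text = text.strip()
    return int(text) if text.isdigit() else dotted_to_bin4(text)


def is_netmask(value: int) -> bool:
    """True for a contiguous netmask such as 255.255.255.0 (/32 excluded,
    since 255.255.255.255 is far more likely to be an ending address)."""
    inverted = value ^ 0xFFFFFFFF
    return 0 < value < 0xFFFFFFFF and (inverted & (inverted + 1)) == 0


@dataclass(frozen=True)
class GeoRange:
    start: str      # dotted decimal, as `show gslb geo-location db` prints it
    end: str
    continent: str
    country: str

    @property
    def name(self) -> str:
        return f"{self.continent}.{self.country}"   # e.g. NA.US


def load_geo_csv(text: str, template: dict, delimiter: str = ",") -> list:
    """Extract only the templated columns from each row; ignore the rest."""
    for key, col in template.items():
        if not 1 <= col <= 64:
            raise ValueError(f"field {key}: column {col} outside 1-64")
    ranges = []
    for row in csv.reader(io.StringIO(text), delimiter=delimiter):
        if not row:
            continue

        def pick(key: str) -> str:
            return row[template[key] - 1]          # 1-based column -> index

        start = parse_ip_field(pick("ip-from"))
        to_or_mask = parse_ip_field(pick("ip-to-mask"))
        # Assumption: the second field is a subnet mask only when it is a
        # contiguous netmask and `start` is the network address under it.
        if is_netmask(to_or_mask) and (start & ~to_or_mask & 0xFFFFFFFF) == 0:
            end = start | (~to_or_mask & 0xFFFFFFFF)
        else:
            end = to_or_mask
        if end < start:
            raise ValueError(f"range ends before it starts: {row[:2]}")
        ranges.append(GeoRange(bin4_to_dotted(start), bin4_to_dotted(end),
                               pick("continent"), pick("country")))
    return ranges
```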


4. Load the CSV file.

5. Display the geo-location database.

USING THE GUI

Configuring the CSV Template

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Geo-location > Import.

3. In the Template section, enter a name for the template.

4. If the CSV file uses a character other than a comma to delimit fields, enter the delimiter character in the Delimiter field. You want the CSV template to use the same delimiter that has been used in the database file you will be loading.

5. In each data field, indicate the field’s position (or column) in the CSV file. For example, if the destination IP address or subnet is listed in the CSV file in the fourth column, enter “4” in the IP-To field.

6. Click Add.

Importing the CSV File

1. Select Config Mode > Service > GSLB, if not already selected.

2. On the menu bar, select Geo-location > Import, if not already selected.

3. In the File section, select the file transfer protocol.

4. Enter the filename and the access parameters required to copy the file from the remote server.

5. Click Add.

Loading the CSV File Data into the Geo-Location Database

1. Select Config Mode > Service > GSLB, if not already selected.

2. On the menu bar, select Geo-location > Import, if not already selected.

3. In the Load/Unload section, enter the name of the geo-location database in the file field.

4. In the Template field, enter the name of the template to use for formatting the data.


USING THE CLI

Configuring the CSV Template

On the AX device, you must configure a CSV template for the database file. When you load the file into GSLB, the AX device uses the template to extract the data and load it into the GSLB database.

1. Use the following command at the global configuration level:

[no] gslb template csv template-name

This command creates the template and changes the CLI to the configuration level for it.

2. Use the following command to identify the field positions for the geo-location data:

[no] field num {ip-from | ip-to-mask | continent | country | state | city}

The num option specifies the field position (or column) within the CSV file. You can specify 1-64. The following options specify the type of geo-location data that is located in the field position:

• ip-from – Specifies the beginning IP address in the range or subnet.

• ip-to-mask – Specifies the ending IP address in the range, or the subnet mask.

• continent – Specifies the continent where the IP address range or subnet is located.

• country – Specifies the country where the IP address range or subnet is located.

• state – Specifies the state where the IP address range or subnet is located.

• city – Specifies the city where the IP address range or subnet is located.

3. If the CSV file uses a character other than a comma to delimit fields, use the following command to specify the character used in the file:

[no] delimiter {character | ASCII-code}

You can type the character or enter its decimal ASCII code (0-255).

Importing the CSV File

To import the CSV file onto the AX device, use the following command at the Privileged EXEC or global configuration level of the CLI:

import geo-location file-name [use-mgmt-port] url


You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL, use one of the following forms:

• tftp://host/file

• ftp://[user@]host[:port]/file

• scp://[user@]host/file

• rcp://[user@]host/file

• http://[user@]host/file

• https://[user@]host/file

• sftp://[user@]host/file

(For information about the use-mgmt-port option, see the “Using the Management Interface as the Source for Management Traffic” chapter in the AX Series System Configuration and Administration Guide.)

Loading the CSV File Data into the Geo-Location Database

To load the CSV file, use the following command at the global configuration level of the CLI:

[no] gslb geo-location load file-name csv-template-name

Use the file name you specified when you imported the CSV file, and the name of the CSV template to be used for extracting data from the file.

Note: The file-name option is available only if you have already imported a geo-location database file.

To display information about CSV files as they are being loaded, use the following command:

show gslb geo-location file [file-name]

Manually Configuring Geo-Location Mappings

USING THE GUI

In the GUI, this is part of site configuration. See “Configure Sites” on page 67.


USING THE CLI

To manually configure a geo-location mapping:

1. Configure each geographic location (geo-location) as a named range of client IP addresses. You can configure geo-locations globally and within individual GSLB policies.

To configure a geo-location, use the following command at the global configuration level or at the configuration level for the GSLB policy:

[no] gslb geo-location location-name start-ip-addr [mask ip-mask] [end-ip-addr]

2. Associate a site with a geo-location name, using the following command at the configuration level for the site:

[no] geo-location location-name

Note: If you configure geo-locations globally and at the configuration level for individual sites, and a client IP address matches both a globally configured geo-location and a geo-location configured on a site, the globally configured geo-location is used by default. To configure the GSLB AX device to use geo-locations configured on individual sites instead, use the geo-location match-first policy command at the configuration level for the policy.

Displaying the Geo-Location Database

USING THE GUI

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Geo-location > Find.

The geo-location database appears. You can use the find options to display database entries or statistics for specific geo-locations or IP addresses.

USING THE CLI

To display the geo-location database, use the following command:

show gslb geo-location db [geo-location-name] [[statistics] ip-range range-start range-end] [[statistics] depth num] [statistics]

The geo-location-name option displays the database entry for the specified location.


The ip-range option displays entries for the specified IP address range.

The depth num option filters the display to show only the location entries at the specified depth or higher. For example, to display continent and country entries while hiding individual state and city entries, specify depth 2.

To search for the entry in the geo-location database that matches a client IP address, use the following command:

show gslb geo-location ip ipaddr

CLI Example

The commands in this example load a custom geo-location database from a CSV file called “test.csv”, and then display the database. The test.csv file is shown in “Example Database File” on page 50.

First, the following commands configure the CSV template:

AX(config)#gslb template csv test1-tmplte
AX(config-gslb template csv)#field 1 ip-from
AX(config-gslb template csv)#field 2 ip-to-mask
AX(config-gslb template csv)#field 5 continent
AX(config-gslb template csv)#field 3 country
AX(config-gslb template csv)#exit

The following command imports the file onto the AX device:

AX(config)#import geo-location test1.csv ftp:
Address or name of remote host []?192.168.1.100
User name []?admin2
Password []?*********
File name [/]?test1.csv

The following commands initiate loading the data from the CSV file into the geo-location database, and display the status of the load operation:

AX(config)#gslb geo-location load test1.csv test1-tmplte
AX(config)#show gslb geo-location file
T = T(Template)/B(Built-in), Per = Percentage of loading
Filename  T  Template  Per  Lines  Success  Error
------------------------------------------------------------------------------
test1     T  t1        98%  11     10       0


The following command displays the geo-location database. The entries extracted from the CSV file are the continent NA, the country US beneath it, and the IP ranges beneath NA.US.

AX(config)#show gslb geo-location db
Last = Last Matched Client, Hits = Count of Client matched
T = Type, Sub = Count of Sub Geo-location
    G(global)/P(policy), S(sub)/R(sub range) M(manually config)

Global
Name  From     To       Last     Hits  Sub  T
------------------------------------------------------------------------------
NA    (empty)  (empty)  (empty)  0     1    G

Geo-location: NA, Global
Name  From     To       Last     Hits  Sub  T
------------------------------------------------------------------------------
US    (empty)  (empty)  (empty)  0     10   GS

Geo-location: NA.US, Global
Name  From            To              Last     Hits  Sub  T
------------------------------------------------------------------------------
      69.26.125.0     69.26.125.255   (empty)  0     0    GR
      69.26.126.0     69.26.126.255   (empty)  0     0    GR
      69.26.127.0     69.26.127.255   (empty)  0     0    GR
      69.26.128.0     69.26.136.135   (empty)  0     0    GR
      69.26.136.136   69.26.136.143   (empty)  0     0    GR
      69.26.136.144   69.26.140.255   (empty)  0     0    GR
      69.26.141.0     69.26.141.255   (empty)  0     0    GR
      69.26.142.0     69.26.159.255   (empty)  0     0    GR
      69.26.160.0     69.26.160.255   (empty)  0     0    GR
      69.26.161.0     69.26.161.7     (empty)  0     0    GR

Geo-location Overlap

The geo-location overlap option searches the geo-location database for the “match best” instead of searching the database using the “match first” algorithm. This behavior may be helpful if you suspect that more than one host has been mapped to a single public IP address.

Geo-location Databases Background

When configuring GSLB on the AX device, a geo-location file containing mappings between geographic regions and IP addresses is imported onto the AX device. For example, the IANA database is pre-installed on the AX device prior to shipping, and it contains thousands of entries mapping geographic regions to IP address ranges.


In addition, third-party companies sell geo-location databases, and some of these databases may contain millions of mappings between geographic regions and ranges of IP addresses. As with the IANA database files, these files can also be imported into the AX device’s global database.

However, geo-location information can also be manually configured on the AX device at the GSLB policy level.

A GSLB policy is typically created for each GSLB zone, so you could, for example, have separate zones for a company that has offices in New York and San Jose. Each of these GSLB zones might have its own geo-location file, with each file containing highly granular information that maps IP addresses to local regions.

When configuring geo-location for a GSLB zone, you will need to use the match first command to decide whether to search the Global database (containing the IANA file) or the GSLB Policy database.

The match first command determines which of the two geo-location databases will be used to resolve incoming DNS requests from clients. That is, it allows you to decide whether the Global database or the GSLB Policy database will be searched.

Once this configuration decision has been made, the next thing you need to decide is whether to enable the geo-location overlap command.

Note: The geo-location overlap command is disabled by default because it tends to be taxing on the AX processors.

The default behavior for the AX device is to use the match first algorithm (not to be confused with the match first option described above), which scans the geo-location database for the first IP address entry that matches the client’s source IP.

In contrast, the geo-location overlap option uses the match best algorithm, meaning the entire geo-location file must be scanned in order to locate the optimal response to send back to the client. This is very demanding on the AX CPU.

When to Use Geo-Location Overlap

The geo-location overlap option is recommended for situations in which the public IP address is not unique and the same IP address may be associated with different hosts. While it is unlikely that the IANA geo-location file would contain such errors, the internet is a dynamic place and information can become stale and/or inaccurate. In particular, this situation might happen if users are careless about the way they manually add IP addresses to the GSLB policies. A user might have many GSLB zones and each zone might have many geo-location files, so it is possible that some IP address ranges may overlap.

For example, if a company has a site in New York and San Jose:

• New York IP range is 1.1.1.1 – 1.1.1.9

• San Jose IP range is 1.1.1.1 – 1.1.1.3

In this situation, there exists an overlap in the IP addresses from 1.1.1.1 to 1.1.1.3.

To remedy this confusing situation, one can enable the geo-location overlap option to cause the AX device to search the geo-location database for the match best (or longest matching IP address).

However, if the geo-location overlap option is disabled, then the AX device will revert to its default behavior, which is to use the match first algorithm to check the client’s IP address against the database and then use the first IP address-region mapping discovered when parsing the database.
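The two lookup behaviors described above, as an added example that is not A10 code: a Python model of match-first (the default, stop at the first containing entry) against match-best (the overlap option, scan everything and keep the narrowest containing range), run over the guide's New York / San Jose overlap. The database order, the entry names and the client addresses are constructed; the `find_overlaps` audit helper is this example's own addition, not an AX command.

```python
"""Added example, not A10 code: contrast the match-first lookup the guide
describes as the AX default with the match-best lookup enabled by the
geo-location overlap option, and report overlapping manual mappings.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class GeoEntry:
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end

    @property
    def size(self) -> int:
        """Number of addresses in the range; smaller means more specific."""
        return int(self.end) - int(self.start) + 1


def entry(name: str, start: str, end: str) -> GeoEntry:
    return GeoEntry(name, ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))


# Constructed policy database, in the order an administrator entered it
# (the guide's example: New York 1.1.1.1-1.1.1.9 overlaps San Jose 1.1.1.1-1.1.1.3).
POLICY_DB = [
    entry("New York", "1.1.1.1", "1.1.1.9"),
    entry("San Jose", "1.1.1.1", "1.1.1.3"),
]


def match_first(db: List[GeoEntry], client_ip: str) -> Tuple[Optional[GeoEntry], int]:
    """Default behavior: return the first entry containing the client IP.
    Also returns how many entries were examined, to show the cost."""
    ip = ipaddress.IPv4Address(client_ip)
    for examined, geo in enumerate(db, start=1):
        if geo.contains(ip):
            return geo, examined
    return None, len(db)


def match_best(db: List[GeoEntry], client_ip: str) -> Tuple[Optional[GeoEntry], int]:
    """geo-location overlap: scan the whole database and keep the narrowest
    containing range (ties go to the earlier entry)."""
    ip = ipaddress.IPv4Address(client_ip)
    best = None
    for geo in db:
        if geo.contains(ip) and (best is None or geo.size < best.size):
            best = geo
    return best, len(db)   # every entry is visited: the CPU cost the guide warns about


def find_overlaps(db: List[GeoEntry]) -> List[Tuple[str, str, str, str]]:
    """Audit helper (this example's addition): list pairs of entries whose
    ranges intersect, with the overlapping span, so manual mappings can be
    checked before deciding whether overlap matching is needed."""
    found = []
    for i, a in enumerate(db):
        for b in db[i + 1:]:
            low, high = max(a.start, b.start), min(a.end, b.end)
            if low <= high:
                found.append((a.name, b.name, str(low), str(high)))
    return found
```

For a client at 1.1.1.2, match-first answers New York after examining one entry, while match-best answers San Jose after examining both; for 1.1.1.5 both answer New York.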

USING THE GUI

If you suspect a public IP address in your domain is not unique and the same IP address may be associated with different hosts, you can enable the geo-location overlap option. To do so, follow the procedure below:

1. Select Config Mode > Service > GSLB.

2. Click the Policy tab, and then click the Add button.

3. Enter a name for the GSLB policy in the Name field.

4. Click the Geo-location arrow to expand the menu.

The Geo-location menu appears, as shown below:

5. In the Match Best Entry section, select the desired checkboxes. By default, the Global and Policy checkboxes are clear, meaning the overlap feature is disabled (and the match first approach is used).


6. To enable the overlap behavior, select one or both checkboxes in the Match Best Entry area. Your options are:

• Global – Enabling this option will search the global database (such as IANA) for the longest matching and most-specific address.

• Policy – Enabling this option will search the GSLB policy database for the longest matching and most-specific address.

7. When finished, click OK to save your changes.

USING THE CLI

If you believe your manually configured geo-location databases may have two or more domains tied to the same IP address, you can use the following command at the GSLB policy configuration level of the CLI to enable geo-location overlap:

[no] geo-location overlap [global | policy]

CLI Example

The following command enables geo-location overlap at the GSLB policy level. The overlap option enables match best behavior for the geo-location database within the default GSLB policy. With this behavior enabled, the match first algorithm is not used; instead the AX device attempts to find the best match by searching for the longest match against the source IP address in the client’s request.

AX(config)#gslb policy default

AX(config-gslb policy)#geo-location overlap policy

AX(config-gslb policy)#exit


Configure Services

A service is an application such as HTTP or FTP. For example, www.mydomain.com is a service, where www is the HTTP service or application. Each zone can be configured with one or more services.

To configure services in a GSLB zone, use one of the following procedures.

USING THE GUI

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Service IP.

3. Click Add.

4. Enter the service name and IP address.

5. If needed, assign an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network.

6. Add the service port(s):

a. Enter the port number and select the protocol (TCP or UDP).

b. Optionally, select a health monitor.

c. Click Add. The service port appears in the service port list.

7. Click OK.

8. Repeat for each service IP.

USING THE CLI

To configure service VIPs, use the following command at the global configuration level of the CLI:

gslb vip-name ipaddr

This command changes the CLI to the configuration level for the service.

To assign an external IP address to the service, use the following command. An external IP address is needed if the service IP address is an internal IP address that cannot be reached from outside the internal network.

external-ip ipaddr


To configure a service port on the service, use the following command to change the CLI to the configuration level for the port:

port port-num {tcp | udp}

To enable health monitoring of the service, use the following command:

health-check monitor-name

Gateway Health Monitoring

To simplify health monitoring of a GSLB site, you can use a gateway health check. A gateway health check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. If a site’s gateway router fails a health check, it is likely that none of the services at the site can be reached. GSLB stops using the site until it begins to pass gateway health checks again.

In most cases, an ICMP health check is sufficient. You can use the default ICMP health check or configure a custom one. For more detailed health analysis, you can use an external health check. For example, you can use a script to get SNMP information from the gateway, and base the gateway’s health status on the retrieved information.

Health-Check Precedence

Health checking for a GSLB service can be performed at the following levels.

1. Gateway health check

2. Port health check

3. IP health check (Layer 3 health check of service IP)

If the gateway health check is unsuccessful, the service IP is marked Down. If the gateway health check is successful, then the port health check can be used to check the status of the ports (assuming ports have been configured on the service IP). Otherwise, if no service ports are configured on the service IP, then the Layer 3 health check of the service IP is used.


Configuring Gateway Health Checking for GSLB Sites

To configure gateway health checking for a GSLB site:

1. Configure the health monitor, unless you plan to use the default ICMP health monitor.

2. On the SLB device at the site, create an SLB real server configuration with the gateway router’s IP address. If you configured a custom health check, make sure to apply it to the real server.

3. On the GSLB controller, specify the site’s gateway IP address in the SLB-device configuration for the site.

Sites with Multiple Gateway Links

If a site has multiple gateways, create a separate real server for each gateway on the site AX device. On the GSLB controller, create a separate SLB-device configuration for each gateway (real server). In each SLB-device configuration, specify only the service IPs that can be reached by the gateway specified in that SLB-device configuration.

For a service IP that can be reached on any of multiple links, create a separate SLB-device configuration, without using the gateway option. The gateway health status for this SLB-device will be Down only if all the gateway health checks performed for the other SLB-device configurations for the site fail.

USING THE GUI

1. On the site AX device—To create the gateway router, navigate to the real server configuration page. Enter a name and the gateway IP address. Do not add any ports.

If you plan to use the default Layer 3 health monitor, no further configuration is needed on the site AX device. If you plan to use a custom ICMP monitor, configure the monitor: select “create” from the Health Monitor drop-down list.

2. On the GSLB controller—To specify the site’s gateway IP address, navigate to the site configuration page. From this page, navigate to the SLB-Device configuration page and enter the gateway IP address in the Gateway field.


USING THE CLI

1. On the site AX device—To create the gateway router, use the following command at the global configuration level of the CLI on the site AX device:

[no] slb server gateway-name gateway-ipaddr

If you plan to use the default Layer 3 health monitor, no further configuration is needed on the site AX device. If you plan to use a custom ICMP monitor, configure the monitor, then use the following command at the configuration level for the real server (gateway):

[no] health-check icmp-monitor-name

2. On the GSLB controller—To specify the site’s gateway IP address, use the following command at the configuration level for the SLB device, within the site configuration:

[no] gateway gateway-ipaddr

Disabling a Gateway Health-Check

On the GSLB controller, you can disable gateway health checking at the SLB-device configuration level or the service configuration level; doing so will not affect any health checks configured for the individual virtual servers and service ports at the site.

To disable gateway health checking at the SLB-device configuration level, use the following command:

no gateway health-check

After you enter this command, the SLB device will stop accepting gateway status information.

To disable gateway health checking at the service configuration level, use the following command:

no health-check gateway

After you enter this command, the service will stop using gateway health checks.

Displaying the Health Status of a Site Gateway

To display the health status for a site gateway, use the following command:

show gslb slb-device

CLI Example—Site with Single Gateway Link

On the site AX device, the following command configures a real server for the gateway. The default ICMP health method is used.

Site-AX(config)#slb server 1.1.1.1

On the GSLB controller, the following commands enable gateway health checking for site device “site-ax”:

GSLB-AX(config)#gslb site remote

GSLB-AX(config-gslb site)#slb-dev site-ax 10.1.1.1

GSLB-AX(config-slb dev)#gateway 1.1.1.1

The following command displays the gateway health status for GSLB sites:

GSLB-AX(config)#show gslb slb-device

Attrs = Attributes, APF = Administrative Preference
Sesn-Num/Uzn = Number/Utilization of Available Sessions
GW = Gateway Status, IPCnt = Count of Service-IPs
P = GSLB Protocol, L = Local Protocol

Device          IP         Attrs  APF  Sesn-Num  Uzn  GW  IPCnt
--------------------------------------------------------------------------------
local:self      127.0.0.1         100  0         0%       0
local:self2     127.0.0.1         100  0         0%       0
local:self3     127.0.0.1         100  0         0%       2
remote:site-ax  10.1.1.1          100  0         0%   UP  0

In this example, the gateway health status for SLB-device configuration “site-ax” on the “remote” site is Up.

CLI Example—Site with Multiple Gateway Links

On the site AX device, the following commands configure real servers for each of two gateway links. The default ICMP health method is used for each link.

Site-AX(config)#slb server 2.2.2.1

Site-AX(config-real server)#exit

Site-AX(config)#slb server 3.3.3.1

On the GSLB controller, the following commands enable gateway health checking for each of the site’s links. A unique SLB-device name is used for each link, even though both links are for the same SLB device (20.1.1.1).

GSLB-AX(config)#gslb site remote-link1

GSLB-AX(config-gslb site)#slb-dev site-ax-lnk1 20.1.1.1

GSLB-AX(config-slb dev)#gateway 2.2.2.1

GSLB-AX(config-slb dev)#exit

GSLB-AX(config-gslb site)#exit

GSLB-AX(config)#gslb site remote-link2

GSLB-AX(config-gslb site)#slb-dev site-ax-lnk2 20.1.1.1

GSLB-AX(config-slb dev)#gateway 3.3.3.1

GSLB-AX(config-slb dev)#exit

GSLB-AX(config-gslb site)#exit

If the same services can be reached through either link, an additional SLB-device configuration is required:

GSLB-AX(config)#gslb site remote-link-both

GSLB-AX(config-gslb site)#slb-dev site-ax-lnkboth 20.1.1.1

No gateway is specified in the SLB-device configuration. The gateway health status will be Up unless the health checks for 2.2.2.1 and 3.3.3.1 both fail.

Multiple-Port Health Monitoring

GSLB supports multiple-port health checking for service IPs. When you use a multiple-port health check for a service IP, the service IP is marked Up if any of the ports passes the health check. It is not required for all ports to pass the health check.
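The two aggregation rules described above (gateway status for a site with several links, and the any-port-passes rule for multiple-port checks) are easy to get wrong when reading a status display, so here is a small model of both. This is an added example, not A10 code: the device names, the 20.1.1.1 site address and the gateway IPs mirror the CLI example above but are constructed, and grouping SLB-device configurations by the site AX device's IP is an assumption.

```python
"""Added example (not A10 code): a model of the two health-aggregation rules
described above, per-link gateway status for SLB-device configurations on a
multi-gateway site and the any-port-passes rule for multiple-port checks.
Assumptions are marked in comments; all device names and IPs are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SlbDevice:
    """One SLB-device configuration on the GSLB controller."""
    name: str
    ip: str                        # address of the site AX device
    gateway: Optional[str] = None  # None = configured without the gateway option
    gateway_check: bool = True     # False after 'no gateway health-check'


def gateway_status(devices: List[SlbDevice], dev: SlbDevice,
                   gw_health: Dict[str, bool]) -> str:
    """Return the GW column value: 'UP', 'DOWN' or '' when not checked.

    gw_health maps a gateway IP to the result of the site AX device's ICMP
    health check for that gateway (False also when no result was received).
    Assumption: SLB-device configurations belong to the same site when they
    share the site AX device's IP, as in the 20.1.1.1 example above.
    """
    if not dev.gateway_check:
        return ""                     # device no longer accepts gateway status
    if dev.gateway is not None:
        return "UP" if gw_health.get(dev.gateway, False) else "DOWN"
    # No gateway option: DOWN only if every gateway checked for the site fails.
    site_gateways = [d.gateway for d in devices
                     if d.ip == dev.ip and d.gateway is not None]
    if not site_gateways:
        return ""                     # nothing to aggregate (assumption)
    if any(gw_health.get(g, False) for g in site_gateways):
        return "UP"
    return "DOWN"


def service_ip_status(port_results: Dict[int, bool], checked_ports: List[int]) -> str:
    """Multiple-port health check: the service IP is UP if any listed port passes.

    port_results maps a port number to that port's own health-check result.
    """
    if not checked_ports:
        raise ValueError("'health-check port' needs at least one port")
    if len(checked_ports) > 64:
        raise ValueError("at most 64 ports can be specified")
    if any(port_results.get(p, False) for p in checked_ports):
        return "UP"
    return "DOWN"


# Constructed sample mirroring the two-link CLI example above.
SITE_DEVICES = [
    SlbDevice("site-ax-lnk1", "20.1.1.1", gateway="2.2.2.1"),
    SlbDevice("site-ax-lnk2", "20.1.1.1", gateway="3.3.3.1"),
    SlbDevice("site-ax-lnkboth", "20.1.1.1"),
]


def site_report(gw_health: Dict[str, bool]) -> Dict[str, str]:
    """Gateway status per SLB-device configuration for the sample site."""
    return {d.name: gateway_status(SITE_DEVICES, d, gw_health) for d in SITE_DEVICES}


if __name__ == "__main__":
    print(site_report({"2.2.2.1": False, "3.3.3.1": True}))
    print(service_ip_status({80: False, 8080: True, 8081: False}, [80, 8080, 8081]))
```

With link 1 failed and link 2 healthy, `site_report` marks `site-ax-lnk1` DOWN, `site-ax-lnk2` UP and the gateway-less `site-ax-lnkboth` UP; only when both gateways fail does the last one go DOWN, which is the behaviour the text describes.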

Default Health Monitors

The default health monitor for a service is the default Layer 3 health monitor (ICMP ping). The default health monitor for a service port is the default TCP or UDP monitor, depending on the transport protocol.

By default, if the GSLB protocol is enabled and can reach the service, health checking is performed over the GSLB protocol. Otherwise, health checking is performed using standard network traffic instead. Optionally, you can disable use of the GSLB protocol for health checking on individual service IPs.

USING THE GUI

The current release does not support this feature in the GUI.

USING THE CLI

To configure a multiple-port health check, use the following command at the configuration level for the service IP:

[no] health-check port port-num port-num [...]

You can specify up to 64 ports.

CLI Example

The following commands apply a custom HTTP health monitor to service IP “gslb-srvc2”:

AX(config)#gslb service-ip gslb-srvc2 192.168.20.99

AX(config-gslb service-ip)#port 80

AX(config-gslb service-port)#health-check http

AX(config-gslb service-port)#exit

AX(config-gslb service-ip)#port 8080

AX(config-gslb service-port)#health-check http

AX(config-gslb service-port)#exit

AX(config-gslb service-ip)#port 8081

AX(config-gslb service-port)#health-check http

Note: Applying a health monitor is required only if you do not plan to use the default health monitors. (See “Default Health Monitors” on page 66.)

The following commands enable a multi-port health check for the HTTP service “www” on service IP “gslb-srvc2” in GSLB zone “abc.com”:

AX(config)#gslb zone abc.com

AX(config-gslb zone)#service http www

AX(config-gslb service)#health-check port 80 8080 8081

Configure Sites

To configure GSLB sites, use one of the following procedures.

USING THE GUI

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Site.

3. Click Add.

4. Enter the site name.

5. In the SLB-Device section, enter information about the AX devices that provide SLB for the site:

a. Click Add.

b. Enter a name for the device.

c. Enter the IP address at which the GSLB AX device will be able to reach the site AX device.

d. To add a service to this SLB device, select it from the drop-down list in the VIP server section and click Add. Repeat for each service.

6. In the IP-Server section, add services to the site. Select a service from the drop-down list and click Add. Repeat for each service.

7. To manually map a geo-location name to the site, enter the geo-location name in the Geo-location section and click Add.

8. Click OK. The site appears in the Site table.

USING THE CLI

To configure the GSLB sites, use the following commands:

gslb site site-name

This command changes the CLI to the configuration level for the site. To associate an IP service with this site, use the following command:

ip-server {name | service-ip}

The name or service-ip is the name or IP address of a real server load balanced by the site.

To specify the AX device that provides SLB at the site, use the following command:

slb-dev device-name ipaddr

To add the GSLB VIP server to the SLB device, use the following command:

vip-server {name | ip ipaddr}

The name is the GSLB service specified by the gslb service-ip vip-name ipaddr command in “Configure Services” on page 61.

Configure a Zone

To configure a GSLB zone, use one of the following procedures.

USING THE GUI

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Zone.

3. Click Add.

4. Enter the zone name in the Name field.

5. In the Service section, click Add. (See Figure 16 on page 110.)

The service configuration sections appear.

6. In the Service field, enter the service name.

7. Select the service type from the Port drop-down list.

8. Add the services:

a. In the Service section, click Add.

b. Enter a name for the service (for example, “www”).

c. Select the service type from the Port drop-down list.

d. Configure additional options, if applicable to your deployment.

e. Click OK.

f. Repeat for each service.

9. Click OK. The zone appears in the GSLB zone list.

USING THE CLI

To configure the GSLB zone, use the following commands:

gslb zone zone-url

The zone-url is the URL that clients will send in DNS queries. This command changes the CLI to the configuration level for the zone. To add a service to the zone, use the following command:

service port service-name

The port is the application port for the server and must be the same port name or number specified on the service VIP.

Enable the GSLB Protocol

To enable the GSLB protocol, use one of the following procedures.

USING THE GUI

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Global.

The Global section appears.

3. Select Enabled next to one of the following options, depending on the AX device’s function in the GSLB configuration:

• Run GSLB as Controller

• Run GSLB as Site SLB Device

4. Click OK.

USING THE CLI

To enable the GSLB protocol on the GSLB AX device, use the following command at the global configuration level of the CLI:

gslb protocol enable controller

To enable the GSLB protocol on a site AX device, use the following command at the global configuration level of the CLI:

gslb protocol enable device

Resetting or Clearing GSLB

If you need to reset or clear the GSLB configuration, you can use the following commands:

• gslb system reset – Unloads all geo-location files and reloads the default “iana” file.

• no gslb all – Unloads all geo-location files, including “iana”, and clears all GSLB configuration information and statistical data.

These commands are available at the global configuration level of the CLI.

Confirmation Prompt

By default, the CLI displays a prompt asking you to confirm whether to perform the reset or deletion. You can reply “yes” or “no”.

If you do not want the prompt to appear, you can disable it by entering the following command at the global configuration level of the CLI:

no gslb system prompt

Simplified CLI Syntax for Removing All Configuration Items

The all option removes all configuration items of the specified type. In previous releases, the CLI supported removal of GSLB configuration items only one item at a time.

Here are the no gslb commands that support the all option:

• no gslb geo-location all – Removes all manually configured geo-locations from the AX device’s configuration.

• no gslb geo-location load all – Unloads all geo-location database files on the AX device. The default database (IANA) is also unloaded.

• no gslb ip-list all – Removes all IP lists from the AX device’s configuration.

• no ip all – At the configuration level for an IP-list, removes all IP addresses from the list.

• no gslb policy all – Removes all GSLB policies from the AX device’s configuration.

• no gslb service-ip all – Removes all service IPs from the AX device’s configuration.

• no gslb site all – Removes all GSLB sites from the AX device’s configuration.

• no ip-server all – At the site configuration level, removes all IP servers (real servers) from the site.

• no slb-device all – At the site configuration level, removes all SLB devices.

• no vip-server all – At the configuration level for an SLB device, removes all virtual servers from the device.

• no gslb template csv all – Removes all CSV templates from the AX device’s configuration.

• no gslb template snmp all – Removes all SNMP templates from the AX device’s configuration.

• no gslb template all – Removes all CSV templates and SNMP templates from the AX device’s configuration.

• no gslb zone all – Removes all GSLB zones from the AX device’s configuration.

To remove all GSLB configuration items at the same time, you can use the following command instead:

no gslb all

Auto-mapping

An AX device acting as a GSLB controller can retrieve the data needed to build the DNS system by automatically returning DNS records by name. This GSLB Auto-Mapping feature reduces the required amount of DNS management work when deploying GSLB.

In releases prior to 2.7.0, manual configuration is required for each of the services for which an AX device is to respond. This manual configuration typically involves creating a service IP, applying it to a site, adding the zone, and then mapping the service to the service IP.

With GSLB Auto-mapping, however, the AX device allows you to automatically create the service by taking the name of a system resource, or "module", and prepending it to a zone to create the service name (DNS name).

Once the servers and other network devices have been configured with basic information, auto-mapping enables the GSLB protocol to support DNS queries for the following modules (or system resources):

• SLB server

• SLB virtual server

• SLB device

• GSLB site

• GSLB service-IP

• GSLB Group

• Hostname

Details:

• This feature only works with the GSLB wildcard service.

• There is no L3V support for SLB server or SLB virtual server.

• Names longer than 20 characters must be written as a DNS domain name, with labels separated by the '.' character.

Configuration

Configuring DNS Auto-mapping requires the following steps:

1. Configure DNS Auto-mapping at the zone level or system level.

2. Enable DNS Auto-mapping at the zone and/or system level.

USING THE GUI

To configure GSLB Auto-mapping, navigate as follows:

1. Select Config Mode > Service > GSLB.

2. Click the Site tab, and then click the Add button.

3. Scroll down and click the arrow button to expand the Options section. A window similar to the one shown below appears:

FIGURE 2 Config Mode > Service > GSLB > Site > Add

4. Select the Auto Map checkbox, if it is not already selected.

5. Click the Policy tab, and then click the Add button.

6. Scroll down and click the arrow button to expand the Auto Map section. A window similar to the one shown below appears:

FIGURE 3 Config Mode > Service > GSLB > Policy > Add

7. By default, all modules (resources) are selected. Select or clear the checkboxes to choose the modules (system resources) for which the GSLB protocol will support DNS queries.

8. Either accept the default TTL value of 300 seconds, or enter a new time-to-live for the modules.

9. Click OK to store your changes.

USING THE CLI

Configure DNS Auto-mapping at the system level

By default, system auto-mapping is disabled until you configure the modules. However, after system auto-mapping has been configured, the query name is the object’s name.

Use the following CLI commands to configure auto-mapping.

gslb system auto-map module {all | slb-server | slb-virtual-server | slb-device | gslb-service-ip | gslb-site | gslb-group | hostname}

gslb system auto-map ttl seconds

Note: By default, all modules are enabled in the policy.

Configure DNS Auto-mapping at the zone level

Use the following CLI command at the GSLB policy level to configure auto-mapping for a zone:

dns auto-map

Details:

To get the DNS response, the query name is in the following format:

<obj-name>.<zone-name>

For example, if a real server's name is us-svr1, and the wildcard zone is example.com, then the query name should be us-svr1.example.com.
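To make the <obj-name>.<zone-name> rule concrete, here is an added resolver (not A10 code) that strips the wildcard zone suffix from a query name and looks the remaining object name up in the modules enabled by the policy, answering with the object's addresses and the auto-map TTL. The lookup order across modules, the reading of the 20-character rule, the object names and the 192.0.2.x addresses are assumptions or constructed values.

```python
"""Added example (not A10 code): resolver for auto-mapped query names of the
form <obj-name>.<zone-name>, as described above. It strips the wildcard zone
suffix, looks the remaining object name up in the modules enabled by the
policy, and answers with the object's addresses and the auto-map TTL.
Module lookup order and all object names and IPs are constructed."""
from typing import Dict, List, Optional, Tuple

# The seven modules listed above; also used as the lookup order (assumption).
MODULES = ("slb-server", "slb-virtual-server", "slb-device",
           "gslb-service-ip", "gslb-site", "gslb-group", "hostname")
DEFAULT_TTL = 300     # default 'gslb system auto-map ttl'
MAX_SIMPLE_NAME = 20  # longer names must be written as dotted DNS labels


class AutoMapResolver:
    def __init__(self, wildcard_zone: str, enabled: Optional[List[str]] = None,
                 ttl: int = DEFAULT_TTL) -> None:
        self.zone = wildcard_zone.strip(".").lower()
        # By default all modules are enabled in the policy.
        self.enabled = set(MODULES if enabled is None else enabled)
        unknown = self.enabled - set(MODULES)
        if unknown:
            raise ValueError(f"unknown auto-map module(s): {sorted(unknown)}")
        self.ttl = ttl
        # module -> object name -> addresses
        self.objects: Dict[str, Dict[str, List[str]]] = {m: {} for m in MODULES}

    def add(self, module: str, name: str, *ips: str) -> None:
        """Register a system resource (e.g. an SLB server) with its addresses."""
        if module not in MODULES:
            raise ValueError(f"unknown module {module!r}")
        name = name.strip(".").lower()
        if len(name) > MAX_SIMPLE_NAME and "." not in name:
            # Reading of the 20-character rule above: long names need dotted labels.
            raise ValueError("names over 20 characters must use '.'-separated labels")
        self.objects[module][name] = list(ips)

    def resolve(self, qname: str) -> Optional[Tuple[str, List[str], int]]:
        """Return (module, addresses, ttl) for an auto-mapped name, else None."""
        q = qname.strip(".").lower()
        suffix = "." + self.zone
        if not q.endswith(suffix):
            return None                      # outside the wildcard zone
        obj_name = q[: -len(suffix)]
        if not obj_name:
            return None                      # query for the zone apex itself
        for module in MODULES:
            if module in self.enabled and obj_name in self.objects[module]:
                return module, list(self.objects[module][obj_name]), self.ttl
        return None


def demo() -> Optional[Tuple[str, List[str], int]]:
    """The us-svr1.example.com case from the text, with a constructed address."""
    r = AutoMapResolver("example.com")
    r.add("slb-server", "us-svr1", "192.0.2.11")
    return r.resolve("us-svr1.example.com")


if __name__ == "__main__":
    print(demo())
```

Disabling a module in the policy makes its objects unresolvable even though they still exist on the device, which is the practical effect of clearing a module checkbox or omitting it from `gslb system auto-map module`.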

CLI Example

The following example configures a VIP called “WWW” at IP 192.168.1.100.

AX(config)#slb virtual-server WWW 192.168.1.100

AX(config-slb vserver)#ha-group 1

AX(config-slb vserver)#port 80 http

AX(config-slb vserver-vport)#source-nat pool Internal-Pool-1

AX(config-slb vserver-vport)#service-group Internal-Service-Group-1

Next, the commands below configure a GSLB policy “auto-map” for the zone “a10.com”. A wildcard service IP is used. If a client sends a query for a host within the “a10.com” zone (for example, an AX with the name "sj-ax"), then the full service name is “sj-ax.a10.com”, and the GSLB protocol will respond to the client’s query by providing the management IP address and the IP address for the inbound data interface.

AX(config)#gslb policy auto-map

AX(config-gslb policy)#dns auto-map

AX(config-gslb policy)#exit

AX(config)#gslb zone a10.com

AX(config-gslb zone)#service *

AX(config-gslb service)#gslb policy auto-map

Advanced DNS Options

This chapter describes some of the DNS options you can configure in Global Server Load Balancing (GSLB) policies.

Note: This chapter is not intended to be an exhaustive presentation of all DNS options in GSLB policies. For complete syntax information, see “dns” on page 197.

• “DNS Active-only” on page 78

• “Support for DNS TXT Records” on page 80

• “Append All NS Records in DNS Authority Section” on page 82

• “Hints in DNS Responses” on page 83

• “DNS Sub-zone Delegation” on page 85

• “DNS Proxy Block” on page 91

DNS Active-only

By default, if all of the servers fail the health check, the GSLB controller returns an empty list to the client rather than the list of IP addresses for the servers that failed the health check.

You can configure the AX device to send the list of IP addresses (associated with servers that failed their health checks) back to the client. The feature is enabled with the fail-safe option of the dns active-only command.

In association with this feature, you can also designate one or more backup servers, and the IP addresses for these servers will be sent to the client in the event that all of the primary servers have failed. This behavior requires that you enable the dns backup-server feature within the GSLB policy, and that you specify the backup servers within the DNS A-record for the GSLB zone service.

To summarize, there are now three options:

• active-only – (Old) Nothing is returned to the client if all servers fail the health check.

• active-only fail-safe – (New) A list of IP addresses for the servers that failed the health check is sent back to the client.

• backup-server – Designate one or more backup servers that can be returned to the client if the primaries should fail.
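The three options above decide what goes into the DNS answer once health results are known. The following added example (not A10 code) applies them to the A records of one zone service; the addresses are constructed except for the 192.168.123.1 backup from the CLI example later in this section, and giving backup-server precedence over fail-safe when both are enabled is an assumption.

```python
"""Added example (not A10 code): the answer-selection rules of the three
options summarised above (active-only, active-only fail-safe, backup-server),
applied to the A records of one GSLB zone service. Health results and IPs
are constructed; the precedence of backup-server over fail-safe when both are
enabled is an assumption."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ARecord:
    ip: str
    healthy: bool            # result of the service's health check
    as_backup: bool = False  # configured with 'dns-a-record ip as-backup'


def select_answers(records: List[ARecord], fail_safe: bool = False,
                   backup_server: bool = False) -> List[str]:
    """Return the IP addresses placed in the DNS answer for one query.

    'dns active-only' is assumed to be on: while any primary is healthy, only
    the healthy primaries are answered. When every primary has failed:
      - backup-server: the as-backup addresses are answered instead;
      - fail-safe:     the failed primaries' addresses are answered anyway;
      - neither:       an empty answer is returned.
    """
    primaries = [r for r in records if not r.as_backup]
    backups = [r for r in records if r.as_backup]
    healthy = [r.ip for r in primaries if r.healthy]
    if healthy:
        return healthy
    if backup_server and backups:
        # Backups are returned as configured; the text does not make their
        # own health a condition, so none is applied here (assumption).
        return [r.ip for r in backups]
    if fail_safe:
        return [r.ip for r in primaries]
    return []


# Constructed zone service: two failed primaries and the 192.168.123.1
# backup from the CLI example in this section.
SERVICE = [
    ARecord("192.0.2.10", healthy=False),
    ARecord("192.0.2.11", healthy=False),
    ARecord("192.168.123.1", healthy=True, as_backup=True),
]

if __name__ == "__main__":
    for fs, bs in ((False, False), (True, False), (False, True)):
        print(f"fail-safe={fs} backup-server={bs}: {select_answers(SERVICE, fs, bs)}")
```

Running it shows the operational trade-off: fail-safe hands clients addresses that are known to be failing (useful when an empty answer would make a resolver retry or fall back badly), while backup-server steers them to a designated alternative instead.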

USING THE GUI

To configure the Active Only Fail Safe feature on a GSLB AX device, follow the procedure below:

1. Select Config Mode > Service > GSLB.

2. Click the Policy tab, and then click the Add button.

3. Enter a name for the GSLB policy in the Name field.

4. Click the DNS Options arrow to expand the menu.

5. From the DNS Options menu that appears, select one of the following:

• Active Only checkbox – Select this to enable the Active Only feature. If all servers fail the health check, then nothing is returned to the client. (Selecting this checkbox activates the Fail Safe checkbox.)

• Fail Safe checkbox – Select this sub-option to have the list of IP addresses associated with failed servers returned to the client.

6. (Optional) Select the Backup Server checkbox if you would like one or more backup servers to be returned to the client in the event that all of the primary servers fail.

7. When finished, click OK to save your changes.

USING THE CLI

Enabling fail-safe option

To enable the active-only fail-safe option and return a list of server IP addresses for failed servers, use the following command within a GSLB policy:

dns active-only fail-safe

The no form of the command can be used with the active-only feature to disable the fail-safe option.

CLI Example

The commands below enable the DNS active-only fail-safe option within a GSLB policy, so a list of IP addresses will be sent to the client for the servers that failed the health check.

AX(config)#gslb policy default

AX(config-gslb policy)#dns active-only fail-safe

AX(config-gslb policy)#exit

Enabling backup server mode

To designate one or more backup servers to be returned to the client if the primary servers fail, do the following:

1. Use the following command to enable the backup server mode within the GSLB policy:

dns backup-server

2. Specify the backup servers in the dns-a-record within the GSLB zone service using the following command:

dns-a-record ip-addr as-backup

CLI Example

The commands below are used within a GSLB policy to specify that a backup server at IP 192.168.123.1 will be returned to the client, should the primary servers fail.

AX(config)#gslb policy default

AX(config-gslb policy)#dns backup-server

AX(config-gslb policy)#exit

AX(config)#gslb zone z1

AX(config-gslb zone)#service 80 http

AX(config-gslb zone-gslb service)#dns-a-record 192.168.123.1 as-backup

AX(config-gslb zone-gslb service)#exit

Support for DNS TXT Records

The TXT record is a type of DNS resource record, similar to an A record or a CNAME record, but it has typically been used to carry machine-readable data, opportunistic encryption, Sender Policy Framework (SPF), DomainKeys, and DNS-SD. (Please refer to RFC 1464 for further details on uses for TXT resource records.)

GSLB supports the ability to use DNS TXT resource records for the following purposes:

• Perform Add/Delete/Find operations, based on a DNS TXT record

• Support multiple DNS TXT records for each service

• Carry multiple pieces of DNS TXT data within one TXT record

• Support DNS TXT/ANY query in server mode

• Support GSLB debug functions

Note: The maximum length of a DNS TXT record data is 2048 characters.

USING THE GUI

To configure a DNS TXT record for a GSLB zone using the AX GUI, navigate as follows:

1. Select Config Mode > Service > GSLB.

2. Click the Zone tab, and then click the Add button.

3. Scroll down and click the arrow button to expand the Service section.

4. Click the Add button, and enter the details for this new service.

5. Scroll down and click the arrow button to expand the DNS TXT Record section. A window similar to the one shown below appears:

FIGURE 4 DNS TXT Record

6. Enter the desired text string in the blank DNS TXT Record field. Then, click the Add button, as shown in Figure 4.

Note: Use quotation marks when entering text strings that contain spaces. If a text string is entered without using quotation marks, this will cause the content to be split into different sections of the record.

7. When finished, scroll to the bottom of the page and click OK to save your changes.

USING THE CLI

To use DNS TXT resource records to carry multiple pieces of DNS TXT data within one TXT record, use the following command at the GSLB policy configuration level:

[no] dns server txt

Then use the following command at the service configuration level within a GSLB zone:

[no] dns-txt-record aaaa bbbb cccc

Note: The AX device has a special handler that enables you to enter non-printable characters that the CLI does not support. For details, please contact A10 Support.
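The quoting note in the GUI procedure and the aaaa bbbb cccc form of dns-txt-record both come down to how the text is split into the character-strings of one TXT record. The added example below (not A10 code) splits argument text the way a quoting-aware CLI does, encodes the result as TXT RDATA with the RFC 1035 length prefix per character-string, and enforces the 2048-character limit stated above. The CLI strings and values are constructed.

```python
"""Added example (not A10 code): how the text given to 'dns-txt-record' is
split into the character-strings of one TXT record and encoded as RDATA.
It shows the quoting rule from the note above (unquoted spaces split the
data into separate sections) and enforces the 2048-character limit stated
for a record. The CLI argument strings below are constructed."""
import shlex
from typing import List

MAX_TXT_DATA = 2048           # maximum TXT record data length stated above
MAX_CHARACTER_STRING = 255    # RFC 1035 <character-string> length limit


def split_txt_args(cli_text: str) -> List[str]:
    """Split the argument text of 'dns-txt-record' into character-strings.

    Whitespace separates strings; double quotes keep a string with spaces
    together, which is the behaviour the note above describes.
    """
    return shlex.split(cli_text)


def encode_txt_rdata(strings: List[str]) -> bytes:
    """Encode character-strings as TXT RDATA: one length byte before each."""
    if not strings:
        raise ValueError("a TXT record needs at least one character-string")
    if sum(len(s) for s in strings) > MAX_TXT_DATA:
        raise ValueError(f"TXT data exceeds {MAX_TXT_DATA} characters")
    rdata = bytearray()
    for s in strings:
        raw = s.encode("utf-8")
        if len(raw) > MAX_CHARACTER_STRING:
            raise ValueError("character-string longer than 255 bytes")
        rdata.append(len(raw))
        rdata += raw
    return bytes(rdata)


def decode_txt_rdata(rdata: bytes) -> List[str]:
    """Inverse of encode_txt_rdata; rejects truncated data."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated character-string")
        strings.append(rdata[i:i + n].decode("utf-8"))
        i += n
    return strings


def record_from_cli(cli_text: str) -> bytes:
    """dns-txt-record argument text -> wire RDATA."""
    return encode_txt_rdata(split_txt_args(cli_text))


if __name__ == "__main__":
    print(decode_txt_rdata(record_from_cli('aaaa bbbb cccc')))
    print(decode_txt_rdata(record_from_cli('"v=spf1 ip4:192.0.2.0/24 -all"')))
    print(decode_txt_rdata(record_from_cli('v=spf1 ip4:192.0.2.0/24 -all')))
```

The last two calls show why the quoting note matters for a policy record such as SPF: quoted, the text is one character-string; unquoted, it becomes three, which a consumer reading the first string only will misread.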

Displaying Records

To display the DNS TXT Records, use the following command:

show gslb service dns-txt-record

To display the DNS TXT switch, use the following command:

show gslb policy [name]

Append All NS Records in DNS Authority Section

GSLB supports name server (NS) records in the Authority Section of the DNS response. When this feature is enabled, the GSLB AX device (running in server mode) will include all NS records in the Authority Section of the DNS response that is sent to the client. By providing additional NS information, this feature can be helpful if one or more of the name servers becomes unavailable.

USING THE GUI

To enable the GSLB AX device to append NS records in the Authority section of a DNS response, follow the procedure below:

1. Select Config Mode > Service > GSLB.

2. Click the Policy tab, and then click the Add button.

3. Enter a name for the GSLB policy in the Name field.

4. Click the DNS Options arrow to expand the menu.

The DNS Options menu appears, as shown below:

FIGURE 5 NS Records under DNS Options

5. Select the Server Mode checkbox to place the AX device in Server Mode (and to activate the NS List checkbox). Then, select the NS List checkbox, as shown above.

6. When finished, click OK to save your changes.

USING THE CLI

To append all Name Server (NS) Resource Records (RR) in the Authority Section of a DNS reply from a GSLB AX device in server mode, use the following command at the gslb policy configuration level of the CLI:

[no] dns server authoritative ns-list

You can disable the inclusion of the NS records in the Authority section of DNS responses by using the no form of the command.

Hints in DNS Responses

By default, the AX device places hints in the Additional Section of the DNS response. Hints are A or AAAA records that are sent in the response to a client’s DNS request. These records provide a mapping between the host names and IP addresses.

You can disable the appearance of hints in a DNS response. In addition, you also can determine where in the DNS response the hints will appear.

Hints can appear in the following sections of a DNS response:

• None – Does not append hints in the DNS response

• Additional – Appends hints in the Additional Section (default)

• Answer – Appends hints in the Answer Section

This new option applies to the following record types:

• NS

• MX

• SRV

USING THE GUI

To configure hints in the DNS response, follow the procedure below:

1. Select Config Mode > Service > GSLB.

2. Click the Policy tab, and then click the Add button.

3. Enter a name for the GSLB policy in the Name field.

4. Click the DNS Options arrow to expand the menu.

5. In the Hint area, select the desired radio button:

• No – Disables hints in the DNS response

• Additional – Enables hints in the Additional Section (default)

• Answer – Enables hints in the Answer Section

6. When finished, click OK to save your changes.

USING THE CLI

Use the following command at the GSLB policy configuration level of the CLI to configure the Hint Record (or Glue Record) that appears in DNS replies sent from the GSLB AX device in response to a client’s DNS request.

[no] dns hint {addition | answer | none}

CLI Example

The following command configures the AX device to include the Hint Record in the Answer Section of the DNS response. This might be helpful if, for example, the local DNS server has trouble parsing the Additional Section that appears in a full DNS reply.

AX(config)#gslb policy default

AX(config-gslb policy)#dns hint answer

AX(config-gslb policy)#exit

DNS Sub-zone Delegation

GSLB sub-zone delegation allows you to delegate authority or responsibility for a portion of the DNS namespace from the parent domain to a separate sub-domain which may reside on one or more remote servers and may be managed by someone other than the network administrator who is responsible for the parent zone.

By delegating responsibility for a sub-zone (or “sub-domain”), you are effectively dividing up the namespace, or the mappings between the host names and their associated IP addresses. This division helps to distribute the DNS database more effectively.

Sub-zone delegation may be desirable if your organization is growing quickly and you are adding remote branches or offices. If the branches are distributed across a broad geographic area, sub-zone delegation can be done to reduce the response times to the resolvers, thus providing faster performance by placing the requested DNS records closer to the clients. Sub-zone delegation may also be done to distribute the DNS traffic load across a larger number of servers in order to improve fault tolerance. Additionally, you may wish to delegate the responsibility for a sub-zone to an administrator who is more familiar with a particular group of servers, whether due to geographical proximity or due to an administrator’s familiarity with the content and services offered by those servers.

For example, assume a San Jose-based company is expanding rapidly and decides to open an office in New York for its finance division. With the additional traffic generated by client DNS resolvers on the East Coast, the parent domain (“example.com”) may no longer suffice. In this case, it might be helpful to add a separate sub-zone (“finance.example.com”) for the New York office. Such a scenario is shown in Figure 6 on page 86.

FIGURE 6 Namespace for finance division is delegated as new sub-zone

Figure 6 shows the root zone at the top of the DNS hierarchy. The figure also illustrates the following important points:

• The next level down contains the Top Level Domains (TLDs), or the DNS servers responsible for managing the resource records for the “.com”, “.org” and other domains.

• The parent zone is located beneath the TLDs. It is at this level within the DNS structure that the organization’s main domain (“example.com”) is located.

• A separate sub-zone (“finance.example.com”), representing the New York office, has been delegated from the parent zone.

As this hypothetical sub-zone is branched off of the parent domain, it might be helpful to delegate responsibility for managing this new sub-zone to an IT administrator who is also located in New York.

Keep in mind that during the process of delegating authority for any sub-zone, an NS record must be added to the zone file within the authoritative name server for the parent zone. This must be done so that other DNS servers and clients will recognize the new server as being authoritative for the particular delegated sub-zone.


Details:

• Sub-zone delegation is enabled within a GSLB policy and applied at the zone level.

• When delegating a sub-zone, the GSLB AX device must be in server mode. The feature will not work with the GSLB AX device in proxy mode.

• Once a sub-zone has been delegated from the parent zone, client resolvers will send a query for the NS record, and the response from the GSLB AX device will have the NS record in the Authority section and the IP address in the Additional section of the full DNS response.

Note: The AX device supports configuration of glue records. A glue record can be configured to prevent circular dependencies, which can occur if the name server is located in a sub-zone of the parent domain. Such a scenario can make it impossible for the client resolver to locate the IP for the name server, because it is located within a sub-zone of the parent domain. Configuring a glue record eliminates this problem by providing an address record that appears in the Additional section of the full DNS response, and this enables the client to find the name server.

USING THE GUI

This feature is not supported in the GUI for this release.

USING THE CLI

To enable sub-zone delegation, use the following command at the GSLB configuration level:

[no] dns delegation

CLI Example #1

The following commands configure the GSLB policy and place the GSLB AX device in server mode. The delegation command, which is also applied at the DNS level, enables the sub-zone delegation.

AX(config)#gslb policy delegat-1

AX(config-gslb policy)#dns server

AX(config-gslb policy)#dns delegation

AX(config-gslb policy)#exit


The following command creates the sub-zone to be delegated. Note that this also requires the configuration of a wildcard service.

AX(config)#gslb zone sub.example.com

AX(config-gslb zone)#service *

Alternatively, you could use the following commands to have the feature support DNSSEC by removing the “sub.” from the zone config.

AX(config)#gslb zone example.com

AX(config-gslb zone)#service *.sub

The following command creates the NS record in the GSLB policy:

AX(config-gslb zone-gslb service)#dns-ns-record ns.finance.example.com

The following command applies the delegation policy at the zone level:

AX(config-gslb zone)#policy delegation

The following optional command can be used at the GSLB zone level to configure a DNS glue record. This configuration helps prevent circular dependencies:

AX(config-gslb zone)#service 53 ns.finance

AX(config-gslb zone-gslb service)#dns-a-record <service-ip name>

AX(config-gslb zone-gslb service)#exit


CLI Example #2

The following commands configure the GSLB service IP “ns-ip-1” at IP 172.16.11.211 and disable the health check at the service IP level and at port 53 for UDP.

AX(config)#gslb service-ip ns-ip-1 172.16.11.211
AX(config-gslb service ip)#no health-check

AX(config-gslb service ip)#port 53 udp

AX(config-gslb service ip-port)#no health-check

The following commands configure the GSLB service IP “dc1-vip” at IP 10.10.10.10 and disable the health check at the service IP level and at port 80 for TCP.

AX(config)#gslb service-ip dc1-vip 10.10.10.10
AX(config-gslb service ip)#no health-check

AX(config-gslb service ip)#port 80 tcp

AX(config-gslb service ip-port)#no health-check

The following commands configure the GSLB service IP “dc2-vip” at IP 172.16.10.203 and disable the health check at the service IP level and at port 80 for TCP.

AX(config)#gslb service-ip dc2-vip 172.16.10.203
AX(config-gslb service ip)#no health-check

AX(config-gslb service ip)#port 80 tcp

AX(config-gslb service ip-port)#no health-check

The following commands configure a GSLB site called “dc1”. The site has an AX device, “dc1-ax”, at IP 10.10.10.50.

AX(config)#gslb site dc1

AX(config-gslb site)#slb-dev dc1-ax 10.10.10.50
AX(config-gslb site-slb dev)#vip-server dc1-vip

AX(config-gslb site-slb dev)#exit

The following commands configure a GSLB site called “dc2”. The site has an AX device, “dc2-ax”, at IP 172.16.10.50.

AX(config)#gslb site dc2

AX(config-gslb site)#slb-dev dc2-ax 172.16.10.50
AX(config-gslb site-slb dev)#vip-server dc2-vip

AX(config-gslb site-slb dev)#exit


The following commands configure a GSLB site called “dc5”. The site has an AX device, “dc5-ax”, at IP 172.16.11.50.

AX(config)#gslb site dc5

AX(config-gslb site)#slb-dev dc5-ax 172.16.11.50
AX(config-gslb site-slb dev)#vip-server ns-ip-1

AX(config-gslb site-slb dev)#exit

The following commands configure three GSLB policies: (1) the default GSLB policy, (2) GSLB policy “5” (for delegation), and (3) GSLB policy “dns-server”. The AX delegates authority for the sub-domain “sub.sub.a10networks.jp” to nameserver “ns01.sub.sub.a10networks.jp”.

AX(config)#gslb policy default
AX(config-gslb policy)#exit

AX(config)#gslb policy 5
AX(config-gslb policy)#dns delegation

AX(config-gslb policy)#dns server

AX(config-gslb policy)#exit

AX(config)#gslb policy dns-server
AX(config-gslb policy)#dns server

AX(config-gslb policy)#exit

The following commands create the GSLB zone “sub.sub.a10networks.jp” and create a wildcard service within the zone. The GSLB policy “5”, created above, is assigned to the wildcard service, and an NS record is created for the name server, “ns01.sub.sub.a10networks.jp”.

AX(config)#gslb zone sub.sub.a10networks.jp
AX(config-gslb zone)#service *

AX(config-gslb zone-gslb service)#policy 5

AX(config-gslb zone-gslb service)#dns-ns-record ns01.sub.sub.a10networks.jp

AX(config-gslb zone-gslb service)#exit


The following commands are used within the same GSLB zone “sub.sub.a10networks.jp” to create a service for port 53 called “ns01”. The GSLB policy “dns-server”, created above, is assigned to the service, and an A record is created for “ns-ip-1” to return the associated service IP if the DNS is in server mode.

AX(config-gslb zone)#service 53 ns01

AX(config-gslb zone-gslb service)#policy dns-server

AX(config-gslb zone-gslb service)#dns-a-record ns-ip-1 static

The following commands create the GSLB zone “sub.a10networks.jp” and enable the http service. Then, the policy “dns-server” is bound and A records are created for “dc1-vip” and “dc2-vip”.

AX(config)#gslb zone sub.a10networks.jp
AX(config-gslb zone)#service http www

AX(config-gslb zone-gslb service)#policy dns-server

AX(config-gslb zone-gslb service)#dns-a-record dc1-vip static

AX(config-gslb zone-gslb service)#dns-a-record dc2-vip static

The following command enables GSLB and makes this AX device the GSLB controller.

AX(config)#gslb protocol enable controller
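The delegation details and the glue-record note above, worked as an added example that is not part of the guide: a small Python check for the delegation configured in CLI Example #2. It decides which name servers are in-bailiwick (named inside the sub-zone they serve) and therefore need a glue A record, and shows the Authority/Additional layout of the referral a server-mode GSLB device returns. The zone, name server and address values come from the CLI examples above; the Delegation class and the function names are this example's own, not AX CLI objects.

```python
"""Added example: checks for a DNS sub-zone delegation and the shape of the
referral a server-mode GSLB device returns for a delegated name.

Zone, name server and address values are taken from the CLI examples in the
guide; the Delegation class and function names are assumptions of this
example, not AX CLI objects."""
from dataclasses import dataclass, field


def _labels(name: str) -> list[str]:
    """Split a domain name into lower-case labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def is_subdomain(name: str, zone: str) -> bool:
    """True if name equals zone or lies anywhere below it."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def needs_glue(delegated_zone: str, ns_name: str) -> bool:
    """A name server named inside the zone it serves cannot be resolved without
    first resolving that zone: the circular dependency the guide's note
    describes. The parent must ship the server's address as glue."""
    return is_subdomain(ns_name, delegated_zone)


@dataclass
class Delegation:
    parent_zone: str
    sub_zone: str
    ns_records: list[str]                                # dns-ns-record names
    glue: dict[str, str] = field(default_factory=dict)   # ns name -> IPv4 glue


def check_delegation(d: Delegation) -> list[str]:
    """Return a list of problems; an empty list means the delegation is complete."""
    problems = []
    if _labels(d.sub_zone) == _labels(d.parent_zone) or not is_subdomain(d.sub_zone, d.parent_zone):
        problems.append(f"{d.sub_zone} is not a sub-zone of {d.parent_zone}")
    if not d.ns_records:
        problems.append("no NS record: resolvers cannot find the sub-zone's server")
    for ns in d.ns_records:
        if needs_glue(d.sub_zone, ns) and ns not in d.glue:
            problems.append(f"in-bailiwick name server {ns} has no glue A record")
    return problems


def referral_response(d: Delegation, qname: str) -> dict:
    """Sections of the referral for a name under the sub-zone: the Answer
    section is empty, the NS records go in Authority and any glue goes in
    Additional, which is the layout the guide describes for server mode."""
    if not is_subdomain(qname, d.sub_zone):
        raise ValueError(f"{qname} is not under {d.sub_zone}")
    authority = [(d.sub_zone, "NS", ns) for ns in d.ns_records]
    additional = [(ns, "A", d.glue[ns]) for ns in d.ns_records if ns in d.glue]
    return {"answer": [], "authority": authority, "additional": additional}


if __name__ == "__main__":
    # Values from CLI Example #2; the glue address is ns-ip-1's service IP.
    d = Delegation("sub.a10networks.jp", "sub.sub.a10networks.jp",
                   ["ns01.sub.sub.a10networks.jp"])
    print(check_delegation(d))          # glue missing: one problem is reported
    d.glue["ns01.sub.sub.a10networks.jp"] = "172.16.11.211"
    print(check_delegation(d))          # complete delegation: no problems
    print(referral_response(d, "www.sub.sub.a10networks.jp"))
```

The check mirrors what the "service 53 ns01" plus "dns-a-record ns-ip-1 static" configuration provides on the AX device: without that A record the in-bailiwick server ns01 is unreachable for resolvers, and the check reports it.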

DNS Proxy Block

AX Release 2.7.0 introduces DNS Proxy Block, which enables an AX device to block DNS client queries from being sent to an internal DNS server. The AX device must be in GSLB proxy mode for the feature to work.

The DNS Proxy Block feature can be used to block DNS queries based on DNS query type, DNS query number, or by specifying a range of numbers.

The feature can be used to block the following well-known DNS types:

• A (type 1)

• AAAA (type 28)

• CNAME (type 5)

• MX (type 15)

• NS (type 2)


• PTR (type 12)

• SOA (type 6)

• SRV (type 33)

• TXT (type 16)

After specifying the type of DNS query to be blocked, select an action to perform on the selected DNS query type, for example, drop or reject.

When selecting an action to perform on a query type, keep in mind the following caveats:

• Selecting a DNS query type without specifying the action will cause the default action to be applied to the selected query type. The default action is “drop”.

• Selecting an action without specifying the query type will cause the feature to essentially remain disabled. If no query type has been identified, then no action is applied, even if an action has been specified.

Benefits

Implementing this feature may reduce the amount of traffic sent to back-end DNS servers. This can increase efficiency by reducing the burden on those servers. This feature may also be desirable in situations where resource records reside on a DNS server that is accessible to both internal and external clients. In such situations where the same DNS server is being accessed by both internal and external clients, the DNS Proxy Block feature helps prevent sensitive resource records on an internal DNS server from being leaked to external clients.

Note: Prior releases supported a similar “DNS Blocking” option, which essentially removed the dns-a-record information from DNS responses. By using the no-resp option at the GSLB service level for a zone, dns-a-record information would be stripped from the DNS server’s response. This new command, however, simply blocks the client’s DNS request before it is received by the back-end DNS server.

Details:

• The GSLB AX device must be operating in proxy mode to support the DNS Proxy Block feature.

• The feature is configured within the GSLB policy and is applied at the zone and service levels.


• Multiple query types can be specified, but only one action can be applied to those query types. Therefore, the first bullet below would be an acceptable configuration, but the second bullet would not:

• Reject both SRV and CNAME query types (OK)

• Reject SRV but drop CNAME query types (Not OK)

USING THE GUI

To enable the DNS Proxy Block feature for a GSLB zone using the AX GUI, navigate as follows:

1. Select Config Mode > Service > GSLB.

2. Click the Policy tab, and then click the Add button.

3. Click the DNS Proxy Block arrow to expand the menu.

A window similar to the one shown below appears:

FIGURE 7 DNS Proxy Block

4. Select the Drop or Reject Action radio button. If desired, you can select the No radio button to disable the DNS Proxy Block feature.

5. Click the Type List drop-down menu and select the desired well-known DNS query type that you would like to block. Then, click the Add button. If you want to remove a query type from the list, select the checkbox next to a query type and then click the Delete button.


Alternatively, to enter a range of DNS query type numbers to be blocked, in the Range List section, enter the beginning number in the From field and the ending number in the To field.

6. When finished, click OK to save your changes.

7. Next, apply the policy to a zone by selecting Config Mode > Service > GSLB, and then click the Zone tab.

8. Apply the GSLB policy you just created to an existing zone by clicking the hyperlinked name of the zone and then selecting the GSLB policy from the drop-down menu.

9. Click OK to save your changes.

USING THE CLI

Enabling GSLB DNS Proxy Block

To enable the GSLB DNS Proxy Block feature, use the following command at the GSLB policy configuration level:

dns proxy block [a | aaaa | ns | mx | srv | cname | ptr | soa | txt | num query-type | range {start-query-type end-query-type}] [action {drop | reject}]

The query-type is the numeric value that corresponds to a well-known DNS query type. Specify any number from 1 to 255.

The range option allows you to target less well-known DNS query types. The start-query-type is the numeric value used to define the beginning of the range, while the end-query-type is the numeric value used to define the end of the range of DNS query types that will be blocked. The range can go from 1 to 65535. If desired, you can enter the same number for the beginning and end range values to target a specific query type.

The available actions are drop and reject. Selecting “drop” drops the specified DNS query type without sending a confirmation message to the client. Selecting “reject” rejects the specified DNS query type and returns the “Refused” message in replies to the client.

Note: To enter the action and query type on a single line, you must enter the query type prior to entering the action. If the action is entered first, then the query type must be entered on a separate line.

CLI Example

The following example shows the commands used to create a GSLB policy, enable the DNS Proxy Block feature for A records, and then apply the policy to the zone called “example.com” for the service http.

AX(config)#gslb policy pol-1

AX(config-gslb policy)#dns proxy block a

AX(config-gslb policy)#exit

AX(config)#gslb zone example.com

AX(config-gslb zone)#policy pol-1

AX(config-gslb zone)#service http www

AX(config-gslb zone-gslb service)#exit
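As an added example that is not from the guide, the following Python models the DNS Proxy Block decision on a raw DNS query in wire format: the query type is parsed from the question section, matched against the selected well-known types, numeric types and ranges, and the query is then either forwarded, dropped silently, or answered with RCODE Refused without ever reaching the back-end server. It also encodes the two caveats above: the default action is drop, and a policy with an action but no selected type blocks nothing. The type numbers are the ones the guide lists; the ProxyBlockPolicy class and the function names are assumptions of this example, and the query packets are constructed inline.

```python
"""Added example: a model of the DNS Proxy Block decision applied to a raw
DNS query. Type numbers and the drop/reject semantics are those given in the
guide; the class and function names are assumptions of this example and do
not correspond to AX CLI objects."""
import struct
from dataclasses import dataclass, field

# Well-known query types the feature can block, as listed in the guide
WELL_KNOWN = {"a": 1, "ns": 2, "cname": 5, "soa": 6, "ptr": 12,
              "mx": 15, "txt": 16, "aaaa": 28, "srv": 33}
RCODE_REFUSED = 5          # RCODE sent back to the client for the reject action


@dataclass
class ProxyBlockPolicy:
    types: set[int] = field(default_factory=set)                 # selected types
    ranges: list[tuple[int, int]] = field(default_factory=list)  # (start, end)
    action: str = "drop"   # default action when a type is selected without one

    def block(self, qtype) -> None:
        """Select a type by keyword ('srv') or by number (num query-type)."""
        self.types.add(WELL_KNOWN[qtype] if isinstance(qtype, str) else int(qtype))

    def block_range(self, start: int, end: int) -> None:
        self.ranges.append((start, end))

    def matches(self, qtype: int) -> bool:
        # Caveat from the guide: an action with no selected type leaves the
        # feature effectively disabled.
        if not self.types and not self.ranges:
            return False
        return qtype in self.types or any(lo <= qtype <= hi for lo, hi in self.ranges)


def build_query(qname: str, qtype: int, ident: int = 0x1234) -> bytes:
    """Constructed sample input: a standard recursive query with one question."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes) -> tuple[int, str, int, int]:
    """Return (id, qname, qtype, offset just past the question section)."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    ident, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        length = packet[off]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        off += 1
        if length == 0:
            break
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return ident, ".".join(labels) + ".", qtype, off + 4


def apply_policy(policy: ProxyBlockPolicy, packet: bytes):
    """Return ('forward', packet), ('drop', None) or ('reject', reply).
    'drop' discards the query silently; 'reject' answers with RCODE Refused.
    In both blocked cases nothing is sent to the back-end DNS server."""
    ident, _qname, qtype, qend = parse_question(packet)
    if not policy.matches(qtype):
        return "forward", packet
    if policy.action == "drop":
        return "drop", None
    rd = struct.unpack("!H", packet[2:4])[0] & 0x0100      # keep the RD bit
    flags = 0x8000 | rd | RCODE_REFUSED                     # QR=1, RCODE=5
    reply = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + packet[12:qend]
    return "reject", reply
```

The reject reply echoes the transaction ID and question so the client can match it, which is what lets a resolver treat the response as a definitive refusal rather than retrying until timeout as it would after a drop.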


Partition-specific Group Management

Beginning with release 2.6.1-GR1, the AX device allows Global Server Load Balancing (GSLB) to be configured within individual partitions. The shared partition and the private partitions in which Layer 2/3 virtualization is enabled can each have their own GSLB configuration parameters, which are separate from the other partitions.

To configure GSLB parameters for an individual partition, assign them all to the same GSLB configuration group, and then map the group to the partition.

Implementation Details

• Partition-specific GSLB configuration is supported only for partitions in which Layer 2/3 virtualization is enabled.

• The following GSLB configuration items cannot be configured for individual partitions. They can be configured only globally, for all partitions on the AX device:

• GSLB system-wide settings: gslb system, gslb dns, gslb protocol and gslb active-rdt

• GSLB geo-locations (gslb geo-location)

• Duplicate names are not supported for GSLB items. For example, the same zone name cannot be configured in more than one partition.

• For each partition, only one GSLB Group is supported to implement mapping.

• For each partition, you can create one group, the “partition group”.

• In the current release, the following synchronization scenario is supported: from shared partition group to shared partition group

• The view and inheritance features are not supported in this release.

aVCS Notes

• In an aVCS deployment there is more than one device in the virtual chassis. Due to real-time configuration synchronization, all devices in the virtual chassis will have the same configuration. In this case, more than one GSLB controller can have the highest priority. The controller with the highest last 4 bytes in its management interface MAC address is elected as the group master.


• The GSLB group will synchronize configuration between AX devices. If the group is enabled and the GSLB configuration can be handled by the GSLB group, aVCS will not synchronize the GSLB configuration to the vBlade.

• If the vMaster is not the same device as the GSLB group master, configuration of GSLB in a member controller requires the config-anywhere option to be enabled in the GSLB group.

Note: For additional information about Role Based Partitions, please see the “Role-Based Administration” chapter in the AX Series System Configuration and Administration Guide.


GSLB Configuration Examples

This chapter provides configuration examples for Global Server Load Balancing (GSLB).

These examples implement a basic GSLB deployment. The examples assume that the default GSLB policy is used, without any changes to the policy settings.

CLI Example

Configuration on the GSLB AX Device (GSLB Controller)

The following commands configure a health monitor for the local DNS server to be proxied:

AX-Controller(config)#health monitor dns-53
AX-Controller(config-health:monitor)#method dns domain example.com
AX-Controller(config-health:monitor)#exit

The following commands configure the DNS proxy:

AX-Controller(config)#slb server dns-1 10.10.10.53
AX-Controller(config-real server)#port 53 udp
AX-Controller(config-real server-node port)#health-check dns-53
AX-Controller(config-real server-node port)#exit
AX-Controller(config-real server)#exit
AX-Controller(config)#slb service-group sg-1 udp
AX-Controller(config-slb service group)#member dns-1:53
AX-Controller(config-slb service group)#exit
AX-Controller(config)#slb virtual-server DNS_SrvA 10.10.10.100
AX-Controller(config-slb virtual-server)#port 53 udp
AX-Controller(config-slb virtual server-slb virtua...)#gslb-enable
AX-Controller(config-slb virtual server-slb virtua...)#service-group sg-1
AX-Controller(config-slb virtual server-slb virtua...)#exit
AX-Controller(config-slb virtual server)#exit

The following commands configure the service IP addresses. The VIP address and virtual port number of the virtual server in the site AX Series device’s SLB configuration are used as the service IP address and port number on the GSLB AX Series device.


AX-Controller(config)#gslb service-ip servicevip1 2.1.1.10
AX-Controller(config-gslb service ip)#port 80 tcp
AX-Controller(config-gslb service ip)#exit
AX-Controller(config)#gslb service-ip servicevip2 3.1.1.10
AX-Controller(config-gslb service ip)#port 80 tcp
AX-Controller(config-gslb service ip)#exit

The following command loads the IANA file into the geo-location database:

AX-Controller(config)#gslb geo-location load iana

The following commands configure the sites. For each site SLB device, enter the IP address of the AX Series device that provides SLB at the site. For the VIP server names, enter the service IP name specified above.

AX-Controller(config)#gslb site usa
AX-Controller(config-gslb site)#slb-dev ax-a 2.1.1.1
AX-Controller(config-gslb site-slb dev)#vip-server servicevip1
AX-Controller(config-gslb site-slb dev)#exit
AX-Controller(config-gslb site)#exit
AX-Controller(config)#gslb site asia
AX-Controller(config-gslb site)#slb-dev ax-b 3.1.1.1
AX-Controller(config-gslb site-slb dev)#vip-server servicevip2
AX-Controller(config-gslb site-slb dev)#exit
AX-Controller(config-gslb site)#exit

The following commands configure the GSLB zone:

AX-Controller(config)#gslb zone a10.com
AX-Controller(config-gslb zone)#service http www
AX-Controller(config-gslb zone-gslb service)#dns-cname-record www.a10.co.cn
AX-Controller(config-gslb zone-gslb service)#geo-location China www.a10.co.cn
AX-Controller(config-gslb zone-gslb service)#exit
AX-Controller(config-gslb zone)#exit

At the configuration level for the service (www), the CNAME www.a10.co.cn is configured, and the CNAME is associated with geo-location China. If a client’s IP address is in the range for the China geo-location, GSLB sends the CNAME www.a10.co.cn in the DNS reply.

The following command enables the GSLB protocol:

AX-Controller(config)#gslb protocol enable controller
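The geo-location CNAME behaviour described above, as an added example that is not part of the guide: a Python sketch of the answer selection for the www service of zone a10.com. A client address is matched against a geo-location table by longest prefix; a matching geo-location that has a CNAME configured returns that CNAME, otherwise the A records of the service IPs that are currently up are returned. The zone, service IPs and CNAME are the values from the CLI example; the address ranges in GEO_TABLE are constructed samples rather than IANA data, and the class and function names are this example's own.

```python
"""Added example: answer selection for a GSLB service with a geo-location
CNAME. Zone, service IP and CNAME values come from the guide's CLI example;
GEO_TABLE holds constructed documentation prefixes, not IANA allocations,
and the class and function names are assumptions of this example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GslbService:
    zone: str
    service: str
    a_records: dict[str, str]                                 # service-ip name -> address
    cname_geo: dict[str, str] = field(default_factory=dict)   # geo-location -> CNAME


# Constructed geo-location table standing in for the loaded IANA database.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "China"),
    (ipaddress.ip_network("198.51.100.0/24"), "United States"),
    (ipaddress.ip_network("198.51.100.128/25"), "Canada"),
]


def geo_location(client_ip: str) -> Optional[str]:
    """Most specific (longest-prefix) geo-location containing the client address."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, name in GEO_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def answer(svc: GslbService, client_ip: str, healthy: set[str]) -> list[tuple[str, str, str]]:
    """Resource records the controller returns for <service>.<zone>.

    A geo-location with a configured CNAME wins; otherwise the A records of
    the service IPs whose status is up are returned (the controller tracks
    that status for each service IP)."""
    qname = f"{svc.service}.{svc.zone}"
    geo = geo_location(client_ip)
    if geo in svc.cname_geo:
        return [(qname, "CNAME", svc.cname_geo[geo])]
    return [(qname, "A", ip) for name, ip in svc.a_records.items() if name in healthy]


if __name__ == "__main__":
    www = GslbService("a10.com", "www",
                      {"servicevip1": "2.1.1.10", "servicevip2": "3.1.1.10"},
                      {"China": "www.a10.co.cn"})
    for client in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        print(client, answer(www, client, {"servicevip1", "servicevip2"}))
```

A client that matches no geo-location, or one whose geo-location has no CNAME, falls through to the ordinary A-record answer; a service IP the controller has marked down is simply left out of that answer.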


Configuration on Site AX Device AX-A

The following commands configure SLB on site AX device AX-A:

Site-AX-A(config)#slb server www 2.1.1.2
Site-AX-A(config-real server)#port 80 tcp
Site-AX-A(config-real server-node port)#exit
Site-AX-A(config-real server)#exit
Site-AX-A(config)#slb server www2 2.1.1.3
Site-AX-A(config-real server)#port 80 tcp
Site-AX-A(config-real server-node port)#exit
Site-AX-A(config-real server)#exit
Site-AX-A(config)#slb service-group www tcp
Site-AX-A(config-slb service group)#member www:80
Site-AX-A(config-slb service group)#member www2:80
Site-AX-A(config-slb service group)#exit
Site-AX-A(config)#slb virtual-server www 2.1.1.10
Site-AX-A(config-slb virtual server)#port 80 http
Site-AX-A(config-slb virtual server-slb virtua...)#service-group www
Site-AX-A(config-slb virtual server-slb virtua...)#exit
Site-AX-A(config-slb virtual server)#exit

Note: The virtual server IP address must be the same as the GSLB service IP address configured on the GSLB AX device.

The following command enables the GSLB protocol:

Site-AX-A(config)#gslb protocol enable device

Configuration on Site AX Device AX-B

The following commands configure SLB and enable the GSLB protocol on site AX device AX-B:

Site-AX-B(config)#slb server www 3.1.1.2
Site-AX-B(config-real server)#port 80 tcp
Site-AX-B(config-real server-node port)#exit
Site-AX-B(config-real server)#exit
Site-AX-B(config)#slb server www2 3.1.1.3
Site-AX-B(config-real server)#port 80 tcp
Site-AX-B(config-real server-node port)#exit
Site-AX-B(config-real server)#exit
Site-AX-B(config)#slb service-group www tcp
Site-AX-B(config-slb service group)#member www:80
Site-AX-B(config-slb service group)#member www2:80
Site-AX-B(config-slb service group)#exit
Site-AX-B(config)#slb virtual-server www 3.1.1.10
Site-AX-B(config-slb virtual server)#port 80 http
Site-AX-B(config-slb virtual server-slb virtua...)#service-group www
Site-AX-B(config-slb virtual server-slb virtua...)#exit
Site-AX-B(config-slb virtual server)#exit
Site-AX-B(config)#gslb protocol enable device

GUI Example

Configuration on the GSLB AX Device (GSLB Controller)

Configure a Health Monitor for the DNS Proxy

1. Select Config Mode > Service > Health Monitor.

2. On the menu bar, select Health Monitor.

3. Click Add.

4. Enter a name for the monitor in the Name field.

5. In the Method section, select DNS from the Type drop-down list.

6. In the Domain field, enter the domain name. (Generally, this is the same as the GSLB zone name you will configure.)

Configure the DNS Proxy

1. Begin configuring the proxy:

a. Select Config Mode > Service > GSLB.

b. On the menu bar, select DNS Proxy.

c. Click Add.

d. Enter a name for the proxy in the Name field.

e. In the IP Address field, enter the IP address that will be advertised as the authoritative DNS server for GSLB zone.

Note: The GUI will not accept the configuration if the IP address you enter here is the same as the real DNS server IP address you enter when configuring the service group for this proxy (below).

f. In the GSLB Port section, click Add. The GSLB Port section appears.


2. Configure the service group:

a. In the Service Group drop-down list, select “create” to create a service group. (See Figure 8 on page 103.)

The Service Group section appears.

b. Enter the service group information. For this example, enter the following:

• Name – gslb-proxy-sg-1

• Port type – UDP

• Load-balancing metric (algorithm) – Round-Robin

• Health Monitor – “default”

c. In the Server section, enter the DNS server’s real IP address in the Server field, and enter the DNS port number in the port field.

d. Click Add. The DNS port appears in the list. (See Figure 9 on page 104.)

e. Click OK. The GSLB Port section reappears. In the service drop-down list, the service group you just configured is selected. (See Figure 10 on page 104.)

3. Finish configuration of the proxy:

a. Click OK. The Proxy section reappears. (See Figure 11 on page 105.)

b. Click OK. The DNS proxy appears in the DNS Proxy table. (See Figure 12 on page 105.)

FIGURE 8 Configure > Service > GSLB > DNS Proxy


FIGURE 9 Configure > Service > GSLB > DNS Proxy - service group configuration

FIGURE 10 Configure > Service > GSLB > DNS Proxy - service group selected


FIGURE 11 Configure > Service > GSLB > DNS Proxy - GSLB port configured

FIGURE 12 Configure > Service > GSLB > DNS Proxy - DNS proxy configured

Load the IANA Geo-location Database

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Geo-location > Import.

3. In the Load/Unload section, enter “iana” in the File field. Leave the Template field blank.

4. Click Add.

Configure Services

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Service IP.

3. Click Add.


4. Enter the service name and IP address. For this example, enter the following:

• Name – servicevip1

• IP Address – 2.1.1.10 (This is the VIP address of a site. Configure a separate GSLB service IP for each SLB VIP.)

5. If needed, assign an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network.

6. Add the service port(s):

a. Enter the port number and select the protocol (TCP or UDP).

b. Optionally, select a health monitor.

c. Click Add. The service port appears in the service port list.

For this example, add TCP port 80 and leave the health monitor unselected.

(See Figure 13 on page 106.)

7. Click OK.

8. Repeat for each service IP.

FIGURE 13 Config Mode > Service > GSLB > Service IP


Configure Sites

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Site.

3. Click Add.

4. Enter the site name.

5. In the SLB-Device section, enter information about the AX devices that provide SLB for the site:

a. Click Add.

b. Enter a name for the device.

c. Enter the IP address at which the GSLB AX device will be able to reach the site AX device.

d. To add a service to this SLB device, select it from the drop-down list in the VIP server section and click Add. Repeat for each service.

For this example, enter the following:

• Name – AX-A

• IP Address – 2.1.1.1 (This is the IP address of the site AX device that provides SLB for the site.)

• GSLB Service – Add a service IP by selecting it from the drop-down list and clicking Add. For this example, add “servicevip1” to site “usa”.

6. In the IP-Server section, add services to the site. Select a service from the drop-down list and click Add. Repeat for each service.

7. To manually map a geo-location name to the site, enter the geo-location name in the Geo-location section and click Add.

8. Click OK. The site appears in the Site table.


FIGURE 14 Configure > Service > GSLB > Site - SLB Device


FIGURE 15 Configure > Service > GSLB > Site - site parameters selected

Configure a Zone

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Zone.

3. Click Add.

4. Enter the zone name in the Name field.

5. In the Service section, click Add. (See Figure 16 on page 110.)

The service configuration sections appear.

6. In the Service field, enter the service name.


7. Select the service type from the Port drop-down list.

8. Add the services:

a. In the Service section, click Add.

b. Enter a name for the service (for example, “www”).

c. Select the service type from the Port drop-down list.

d. Configure additional options, if applicable to your deployment.

e. Click OK.

f. Repeat for each service.

9. Click OK. The zone appears in the GSLB zone list.

FIGURE 16 Configure > Service > GSLB > Zone


FIGURE 17 Configure > Service > GSLB > Zone

Enable the GSLB Protocol

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Global.

3. Select Enabled next to Run GSLB as Controller.

4. Click OK.


Configuration on Site AX Devices

SLB configuration is the same with or without GSLB, and is not described here.

To enable the AX device to run GSLB as a site AX device, perform the following steps on each site AX device:

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Global.

3. Select Enabled next to Run GSLB as Site SLB Device.

4. Click OK.


GSLB Configuration Synchronization

This chapter describes GSLB configuration synchronization.

Overview

The AX device provides a mechanism to automatically synchronize GSLB configurations and service IP status among multiple GSLB controllers for a GSLB zone. (A “GSLB controller” is an AX device on which GSLB is configured and on which the GSLB controller option is enabled.)

To use this feature, add the GSLB controllers to a GSLB controller group. The group members (controllers) elect a master controller for the group. The master controller updates the GSLB configurations on each of the other group members. The master controller also checks the service IPs for their status and sends the status information to the other group members.

Note: This feature is different from the AX Series Virtual Chassis System (aVCS) feature. aVCS is used for multiple AX devices that serve as mutual backups within the same LAN. GSLB configuration synchronization is used by GSLB controllers, which typically are connected across WAN links.

How AX Devices Join a Controller Group

On each GSLB controller, the configuration for a GSLB group includes a list of primary group members. After the GSLB process starts on an AX device, the device joins the controller group by connecting to the primary group members to exchange group management traffic. You can specify up to 15 primary group members. By default, no primary group members are defined.

You do not need to configure the list of primary group members on each controller. If you configure the list on the AX device you plan to use as the master controller for the group, that device will send the list to the other controllers in the group.

The learning option enables an AX device to learn the IP addresses of additional group members from the primary group members. Learning is enabled by default.


Election of the Master Controller

Each GSLB controller in a controller group has a configurable priority value, 1-255. During master election, the GSLB controller with the highest priority is elected master for the group.

If more than one controller has the highest priority value, the controller with the highest last 4 bytes in its management interface MAC address is elected.

The master controller and the other controllers periodically send keepalive messages. If the other controllers stop receiving keepalive messages from the master controller, a new master is elected.

Note: To designate a master controller for the GSLB group, set the priority of the desired AX device to a higher value than the other members. It is recommended that you make GSLB configuration changes for the group-wide parameters (shown below) on the master. The group synchronization feature will push your configuration to the other group members.

GSLB Synchronization

The master in a GSLB controller group synchronizes the following GSLB configuration items by updating the configurations on the other controllers:

• Service IPs

• Sites, including SLB-device parameters

• Zones, including services

• GSLB policies (only those that are used by services)

• SLB information for DNS proxy

• GSLB protocol settings

The following items are not synchronized:

• Geo-location files

• Black/white list files

• Health monitors

The master controller sends the following status information to the other controllers:

• aRDT data

• Connection load data

• Virtual port status


• Virtual server status

• Device status

Until the configuration synchronization status reaches “FullSync”, you can change GSLB configuration information directly on group members even if they are not the master. However, if the same configuration items are changed on the master, the changes on the master overwrite the changes on the other group members.

After the configuration synchronization status reaches “FullSync”, directly changing the configuration on a member device is not supported. In this case, the following error message is displayed: “Operation denied by Group Master”.

Notes

• In the current release, if there are two or more controllers in a private network and they are using the same public NAT address, only one of the controllers will be accepted as a member of the GSLB group. The AX GSLB controller will reject the other connection request if it comes from the same external IP.

• In HA or VRRP-A deployments, the GSLB configuration synchronization feature synchronizes with the active device, which then pushes the GSLB configuration changes to the standby.

• Starting in Release 2.6.1-P3, the AX device’s CLI prompt displays the AX device’s role within the GSLB group, which can be either “Master” or “Member”, as shown in the examples below:

AX2500-Master(config)#

AX2500-Member(config)#

Display of the group role can be disabled by using the no terminal gslb-prompt command at the global config level.
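The election rules in “Election of the Master Controller” (highest priority wins, ties broken by the last 4 bytes of the management MAC, re-election when the master’s keepalives stop) together with the NAT note above (a second controller arriving from the same external IP is refused) can be replayed in a few lines. The following Python is an added illustration written against this chapter’s text; it is not A10’s implementation. The class and function names, the keepalive-loss count, and the sample controllers and addresses are assumptions made for the example.

```python
"""Model of GSLB controller-group join and master election as described in
the chapter.  Added illustration, not A10 code: record layout, names and the
keepalive-loss threshold are assumptions."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Controller:
    name: str
    priority: int          # 1-255, higher is preferred during election
    mgmt_mac: str          # management interface MAC, "aa:bb:cc:dd:ee:ff"
    external_ip: str       # address the controller is seen from (after NAT)
    missed_keepalives: int = 0


def mac_tail(mac: str) -> int:
    """Integer value of the last 4 bytes of a MAC address (the tie-breaker)."""
    octets = [int(b, 16) for b in mac.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad MAC address: {mac}")
    tail = 0
    for o in octets[2:]:
        tail = (tail << 8) | o
    return tail


def elect_master(members: list[Controller]) -> Optional[Controller]:
    """Highest priority wins; on a tie the highest last-4-bytes MAC wins."""
    if not members:
        return None
    return max(members, key=lambda c: (c.priority, mac_tail(c.mgmt_mac)))


class ControllerGroup:
    """Accepted members of one GSLB controller group and its current master."""

    KEEPALIVE_LOSS_LIMIT = 3   # assumed; the guide does not state a count

    def __init__(self) -> None:
        self.members: list[Controller] = []
        self.rejected: list[str] = []

    def join(self, c: Controller) -> bool:
        # Two controllers behind one public NAT address: only the first
        # connection from that external IP is accepted into the group.
        if any(m.external_ip == c.external_ip for m in self.members):
            self.rejected.append(c.name)
            return False
        self.members.append(c)
        return True

    def master(self) -> Optional[Controller]:
        return elect_master(self.members)

    def miss_keepalive(self, name: str) -> Optional[Controller]:
        """Record one missed keepalive from `name`; once keepalives are
        considered lost, drop that member and return the (re-)elected master."""
        for m in self.members:
            if m.name == name:
                m.missed_keepalives += 1
                if m.missed_keepalives >= self.KEEPALIVE_LOSS_LIMIT:
                    self.members.remove(m)
                break
        return self.master()


def demo() -> dict:
    """Constructed scenario: a priority-255 master, two priority-100 members
    that tie and are separated by MAC tail, and a duplicate-NAT joiner."""
    g = ControllerGroup()
    g.join(Controller("ax-east", 255, "00:1a:2b:3c:4d:5e", "203.0.113.10"))
    g.join(Controller("ax-west", 100, "00:1a:2b:ff:ff:ff", "203.0.113.20"))
    g.join(Controller("ax-south", 100, "00:1a:2b:00:00:01", "203.0.113.30"))
    g.join(Controller("ax-nat-dup", 100, "00:1a:2b:12:34:56", "203.0.113.20"))
    first = g.master().name
    for _ in range(ControllerGroup.KEEPALIVE_LOSS_LIMIT):
        g.miss_keepalive("ax-east")          # master stops answering
    return {"master": first, "after_failover": g.master().name,
            "rejected": list(g.rejected)}


if __name__ == "__main__":
    print(demo())
```

In the constructed run the priority-255 device is master first; after its keepalives stop, the two priority-100 members tie and the one whose MAC ends in the larger 4-byte value takes over, which is why the guide recommends setting a deliberately higher priority on the device you want as master instead of relying on the MAC tie-break.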


GSLB Group Parameters

Table 2 lists the GSLB group parameters you can configure.

TABLE 2 GSLB Group Parameters

Note: The current release does not support configuration of any of these parameters in the GUI.

Group name – Name of the GSLB controller group.
Syntax: [no] gslb group default
Supported values: “default”
Default: not set

Group state – State of the group on the AX device.
Syntax: [no] enable
Supported values: Enabled or disabled
Default: disabled

Priority – Value used during master election for the group. Higher priority values are preferred over lower priority values. For example, priority value 200 is preferred over priority value 100.
Syntax: [no] priority num
Supported values: 0-255
Default: 100

Primary controller – IP addresses of the other GSLB controllers to connect to within the group. You can specify up to 15 IP addresses.
Syntax: [no] primary ipaddr
Supported values: Valid IP address
Default: not set

Learning – Allows the device to learn the IP addresses of additional group members from the primary controller(s).
Syntax: [no] learn
Supported values: Enabled or disabled
Default: enabled

Automatic configuration save – Automatically saves the configuration on a group member when the configuration is saved on the group’s master controller.
Syntax: [no] config-save
Supported values: Enabled or disabled
Default: enabled


Configuration

At a minimum, to add an AX device to a GSLB controller group:

1. On the controller you plan to use as the master:

a. Configure the GSLB parameters that will be synchronized with the other controllers.

b. Configure local GSLB parameters as applicable to your deployment.

c. Add the device to the GSLB controller group and change the group priority value to 255.

d. Enable the device’s membership in the group.

2. On each of the other controllers:

a. Add the device to the GSLB controller group. Set the priority to a value that is less than the master.

b. Enable the AX device’s membership in the group.

c. Configure local GSLB parameters as applicable to your deployment.

USING THE GUI

The current release does not support configuration of this feature using the GUI.

USING THE CLI

To configure a GSLB group, use the following commands.

[no] gslb group default

This command changes the CLI to the configuration level for the group, where the following commands are available.

[no] enable

This command activates the GSLB controller’s membership in the group.

[no] priority num

This command specifies the priority of the controller to become the master for the group. (See “Election of the Master Controller” on page 114.)


[no] primary ipaddr

This command specifies the IP address of another GSLB controller in the group. You can specify up to 15 primary controllers. Enter the command separately for each controller.

[no] learn

This command enables the AX device to learn the IP addresses of other group members from the primary controllers.

[no] config-save

This command enables automatic configuration save on a group member when the configuration is saved on the group’s master controller.

To display GSLB group information, use the following command:

show gslb group [group-name] [brief] [statistics]

CLI Example

The following commands add a GSLB controller to the default GSLB group, enable the device’s membership in the group, and display group information:

AX(config)#gslb group default

AX(config-gslb group)#enable

AX(config-gslb group)#show gslb group brief

Pri = Priority, Attrs = Attributes

D = Disabled, L = Learn

P = Passive, * = Master

Name Pri Attrs Master Member

-----------------------------------------------------------------------------

default 100 L 192.168.101.72 2

Table 3 describes the fields in the command output.

TABLE 3 show gslb group brief fields

Name – Name of the GSLB controller group.

Pri – Priority of the master controller.

Attrs – GSLB group attributes of this member:

• D – Member is disabled.

• L – Group learning is enabled on this member.

• P – Member’s connection with this member (the member on which you enter the show gslb group command) is passive.

The group connection between any two controller group members is a client-server connection. The group member that initiates the connection is the client, and has the passive side of the connection. The other member is the server.

• * – Member is the current master for the group.

Note: Attributes are displayed only when at least two group members are connected.

Master – IP address of the current master for the group.

Member – Number of GSLB controllers in the group. This number includes all configured group members and all learned group members.

AX(config-gslb group)#show gslb group

Pri = Priority, Attrs = Attributes

D = Disabled, L = Learn

P = Passive, * = Master

Group: default, Master: 192.168.101.72

Member ID Pri Attrs Status

-----------------------------------------------------------------------------

local 22e40d29 255 L* OK

192.168.1.131 941a1229 100 Synced

192.168.1.132 ab301229 100 P Synced

Table 4 describes the fields in the command output.

TABLE 4 show gslb group fields

Member – GSLB controllers currently in the group. The “local” member is the GSLB controller on which you entered this show command.

ID – Group member ID assigned by the controller group feature.

Pri – Priority of the GSLB controller.

Attrs – GSLB group attributes of the member:

• D – Member is disabled.

• L – Group learning is enabled on this member.

• P – Member’s connection with this member (the member on which you enter the show gslb group command) is passive.

The group connection between any two controller group members is a client-server connection. The group member that initiates the connection is the client, and has the passive side of the connection. The other member is the server.

• * – Member is the current master for the group.

Note: Attributes are displayed only when at least two group members are connected.

Status – When the GSLB group is starting up, this column shows the protocol status. After the group is established, this column shows the group status.

Protocol status:

• Idle

• Active

• OpenSent

• OpenConfirm

• Established

Group status of the member:

• Ready

• FullSync / MasterSync

• Synced

Note: If the group status of the member is OK, this AX device (the one on which you entered the command) knows of the member, but no connection between this AX device and the member is required.


Geo-location-based Access Control

You can control access to a VIP based on the geo-location of the client. You can configure the AX device to perform one of the following actions for traffic from a client, depending on the location of the client:

• Drop the traffic

• Reset the connection

• Send the traffic to a specific service group (if configured using a black/white list)

The AX device determines a client’s location by looking up the client’s subnet in the geo-location database used by Global Server Load Balancing (GSLB).

Note: This feature requires you to load a geo-location database, but does not require any other configuration of GSLB. The AX system image includes the Internet Assigned Numbers Authority (IANA) database. By default, the IANA database is not loaded but you can easily load it, as described in the configuration procedure later in this section.

Using a Class List

This section shows how to configure geo-location-based VIP access using a class list.

Note: In the current release, geo-location-based VIP access works only if the class list is imported as a file. The CLI does not support configuration of class-list entries for this application.

Example

The following class list maps client geo-locations to limit IDs (LIDs), which specify the maximum number of concurrent connections allowed for clients in the geo-locations.

L US 1

L US.CA 2

L US.CA.SJ 3

The following commands import the class list onto the AX device, configure a policy template, and bind the template to a virtual port. The connection limits specified in the policy template apply to clients who send requests to the virtual port.

This example assumes the default geo-location database (iana) is already loaded.

AX(config)#import class-list c-share tftp:

Address or name of remote host []?192.168.32.162

File name [/]?c-share

Importing ... Done.

AX(config)#slb template policy pclass

AX(config-policy)#class-list name c-share

AX(config-policy)#class-list lid 1

AX(config-policy-policy lid)#conn-limit 4

AX(config-policy-policy lid)#exit

AX(config-policy-policy lid)#class-list lid 2

AX(config-policy-policy lid)#conn-limit 2

AX(config-policy-policy lid)#exit

AX(config-policy-policy lid)#class-list lid 3

AX(config-policy-policy lid)#conn-limit 1

AX(config-policy-policy lid)#exit

AX(config-policy)#geo-location overlap

AX(config-policy)#exit

AX(config)#slb virtual-server vip1 10.1.1.155

AX(config-slb vserver)#port 80 http

AX(config-slb vserver-vport)#template policy pclass

AX(config-slb vserver-vport)#exit

The following command verifies operation of the policy:

AX(config-policy)#show slb geo-location statistics

M = Matched or Level, ID = Group ID

Conn = Connection number, Last = Last Matched IP

v = Exact Match, x = Fail

Virtual Server: vip1/80, c-share

--------------------------------------------------------------------------------

Max Depth: 3

Success: 3

Geo-location M ID Permit Deny Conn Last

--------------------------------------------------------------------------------

US.CA.SJ v 3 1 1 1 77.1.1.107

--------------------------------------------------------------------------------

Total: 1


Using a Black/White List

To configure geo-location-based access control for a VIP:

1. Configure a black/white list. You can configure the list using a text editor on a PC or enter it directly into the GUI. If you configure the list using a text editor, import the list onto the AX device.

2. Configure an SLB policy (PBSLB) template. In the template, specify the black/white list name, and the actions to perform for the group IDs in the list.

3. Load a geo-location database, if one is not already loaded.

4. Apply the policy template to the virtual port for which you want to control access.

Configuring the Black/White List

You can configure black/white lists in either of the following ways:

• Remote option – Use a text editor on a PC, then import the list onto the AX device.

• Local option – Enter the black/white list directly into a management GUI window.

With either method, the syntax is the same. The black/white list must be a text file that contains entries (rows) in the following format:

L "geo-location" group-id #conn-limit

The “L” indicates that the client’s location will be determined using information in the geo-location database.

The geo-location is the string in the geo-location database that is mapped to the client’s IP address; for example, “US”, “US.CA”, or “US.CA.SanJose”.

The group-id is a number from 1 to 31 that identifies a group of clients (geo-locations) in the list. The default group ID is 0, which means no group is assigned. On the AX device, the group ID specifies the action to perform on client traffic.

The #conn-limit specifies the maximum number of concurrent connections allowed from a client. The # is required only if you do not specify a group ID. The connection limit is optional. For simplicity, the examples in this section do not specify a connection limit.


Here is a simple example of a black/white list for this feature:

L "US" 1

L "US.CA" 2

L "JP" 3
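As an added example (not A10 code; the AX device parses these files itself), the following Python reads lists in the line format described above and finds the entry that governs a client location. The quoted form shown here and the unquoted class-list form of the previous section parse the same way. The function names and the sample list, which extends the three-line example above with connection-limit lines, are constructed for this illustration.

```python
"""Reader for the geo-location black/white list line format
    L "geo-location" group-id #conn-limit
Added example, not A10 code.  Validation follows the text: group-id is
optional and must be 1-31 when given; the '#' prefix on the limit is
mandatory only when no group-id precedes it."""

import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GeoEntry:
    location: str                     # "US", "US.CA", "US.CA.SanJose" ...
    group_id: int = 0                 # 1-31; 0 means no group assigned
    conn_limit: Optional[int] = None  # max concurrent connections, if any


# Constructed sample: the page's example plus two limit lines.
SAMPLE_LIST = '''L "US" 1
L "US.CA" 2
L "JP" 3
L "US.CA.SanJose" 2 #20
L "DE" #50
'''


def parse_bw_list(text: str) -> list[GeoEntry]:
    """Parse every non-blank line; raise ValueError on the first bad line."""
    entries: list[GeoEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw)        # strips the optional quotes
        if not tokens:
            continue                     # blank line
        if tokens[0] != "L" or not 2 <= len(tokens) <= 4:
            raise ValueError(f"line {lineno}: expected L <geo-location> [group-id] [#conn-limit]")
        location, rest = tokens[1], tokens[2:]
        group_id, limit = 0, None
        if rest and not rest[0].startswith("#"):
            group_id = int(rest[0])
            if not 1 <= group_id <= 31:
                raise ValueError(f"line {lineno}: group ID {group_id} outside 1-31")
            rest = rest[1:]
        if rest:
            limit = int(rest[0].lstrip("#"))   # '#' optional once a group ID is present
            if limit < 1:
                raise ValueError(f"line {lineno}: connection limit must be positive")
            rest = rest[1:]
        if rest:
            raise ValueError(f"line {lineno}: unexpected trailing field {rest[0]!r}")
        entries.append(GeoEntry(location, group_id, limit))
    return entries


def validate(text: str) -> Optional[str]:
    """None when the list parses cleanly, otherwise the first error message."""
    try:
        parse_bw_list(text)
    except ValueError as exc:
        return str(exc)
    return None


def match_location(entries: list[GeoEntry], client_location: str) -> Optional[GeoEntry]:
    """Most specific entry at or above the client's location in the
    dotted tree (US.CA.SanJose is under US.CA, which is under US)."""
    best = None
    for e in entries:
        if client_location == e.location or client_location.startswith(e.location + "."):
            if best is None or e.location.count(".") > best.location.count("."):
                best = e
    return best


if __name__ == "__main__":
    for e in parse_bw_list(SAMPLE_LIST):
        print(e)
    print(match_location(parse_bw_list(SAMPLE_LIST), "US.TX.Austin"))
```

Checking a list this way before importing it catches the two errors the device would otherwise reject at load time: a group ID outside 1-31 and a malformed line.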

USING THE GUI

To configure or import a black/white list using the GUI:

1. Select Config Mode > Service > PBSLB.

2. Click New.

• To import the list:

• Leave Remote selected.

• Enter a name for the list in the Name field.

• Enter the hostname or IP address in the Host field.

• Enter the file path and name in the Location field.

• To enter the file directly into the GUI:

• Select Local.

• Type the list into the Definition field.

3. Click OK.

To configure an SLB policy (PBSLB) template:

1. Select Config Mode > Service > Template.

2. On the menu bar, select Application > PBSLB Policy.

3. Click Add.

4. In the Name field, enter a name for the template.

5. From the drop-down list below the Name field, select the black/white list.

6. Select a group ID from the Group ID drop-down list.

7. Select one of the following from the Action drop-down list.

• Drop – Drops new connections until the number of concurrent connections on the virtual port falls below the port’s connection limit. (The connection limit is set in the black/white list.)

• Reset – Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.


• service-group-name – Each of the service groups configured on the AX device is listed.

• create – This option displays the configuration sections for creating a new service group.

8. Optionally, enable logging. (The AX device uses the same log rate limiting and load balancing features for PBSLB logging as those used for ACL logging. See the “Log Rate Limiting” section in the “Basic Setup” chapter of the AX Series System Configuration and Administration Guide.)

9. Click Add.

10. Repeat step 6 through step 9 for each group ID.

11. Click OK.

To load the IANA geo-location database:

1. Select Config Mode > Service > GSLB.

2. On the menu bar, select Geo-location > Import.

3. In the Load/Unload section, enter “iana” in the File field. Leave the Template field blank.

4. Click Add.

Note: If preferred, you can import a custom geo-location database instead. For information, see “Loading or Configuring Geo-Location Mappings” on page 49.

To apply the policy template to a virtual port:

1. Select Config Mode > Service > SLB.

2. On the menu bar, select Virtual Server.

3. Select the virtual server or click Add to configure a new one.

4. If you are configuring a new VIP, enter the name and IP address for the server.

5. In the Port section, select the port and click Edit, or click Add to add a new port. The Virtual Server Port page appears.

6. Select the policy template from the PBSLB Policy Template drop-down list.


7. Click OK.

8. Click OK again to finish the changes and redisplay the virtual server list.

USING THE CLI

1. To import a black/white list onto the AX device, use the following command at the global configuration level of the CLI:

bw-list name url [period seconds] [load]

The name can be up to 31 alphanumeric characters long. The url specifies the file transfer protocol, directory path, and filename. The following URL format is supported: tftp://host/file

2. To configure a PBSLB template, use the following commands:

[no] slb template policy template-name

Enter this command at the global configuration level of the CLI. The command creates the template and changes the CLI to the configuration for the template, where the following PBSLB-related commands are available.

[no] bw-list name file-name

This command binds a black/white list to the virtual ports that use this template.

[no] bw-list id idservice {service-group-name | drop | reset}[logging [minutes] [fail]]

This command specifies the action to take for clients in the black/white list:

• id – Group ID in the black/white list.

• service-group-name – Sends clients to the SLB service group associated with this group ID on the AX device.

• drop – Drops connections for IP addresses that are in the specified group.

• reset – Resets connections for IP addresses that are in the specified group.

3. To load a geo-location database, use the following command at the global configuration level of the CLI:

[no] gslb geo-location load {iana | file-name csv-template-name}


4. To apply the policy template to a virtual port, use the following command at the configuration level for the virtual port:

[no] template policy template-name

Displaying SLB Geo-Location Information

To display SLB geo-location information, use the following command:

show slb geo-location [virtual-server-name | virtual-port-num | bad-only | [depth num] [id num] [location string] [statistics]]

The bad-only option displays only invalid or mismatched geo-location content.

The depth option specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.

The id option displays only the geo-locations mapped to the specified black/white list group ID.

The location option displays information only for the specified geo-location; for example “US.CA”.

Clearing SLB Geo-Location Statistics

To clear SLB geo-location statistics, use the following command at the Privileged EXEC level of the CLI:

clear slb geo-location [virtual-server name [...] virtual-port-num | location {all | string}]


CLI Example

The following command imports black/white list “geolist” onto the AX device.

AX(config)#import bw-list geolist scp://192.168.1.2/root/geolist

The following commands configure a policy template named “geoloc” and add the black/white list to it. The template is configured to drop traffic from clients in the geo-location mapped to group 1 in the list.

AX(config)#slb template policy geoloc

AX(config-policy)#bw-list name geolist

AX(config-policy)#bw-list id 1 drop

AX(config-policy)#exit

The following commands apply the policy template to port 80 on virtual server “vip1”:

AX(config)#slb virtual-server vip1

AX(config-slb virtual server)#port 80 http

AX(config-slb vserver-vport)#template policy geoloc

AX(config-slb vserver-vport)#show slb geo-location

Full-Domain Checking

By default, when a client requests a connection, the AX device checks the connection count only for the specific geo-location level of the client. If the connection limit for that specific geo-location level has not been reached, then the client’s connection is permitted. Likewise, the permit counter is incremented only for that specific geo-location level.

Table 5 shows an example set of geo-location connection limits and current connections.

Using the default behavior, the connection request from the client at US.CA.SanJose is allowed even though CA has reached its connection limit. Likewise, a connection request from a client at US.CA is allowed. However, a connection request from a client whose location match is simply “US” is denied.

TABLE 5 Geo-location connection limit example

Geo-location    Connection Limit    Current Connections

US    100    100

US.CA    50    37

US.CA.SanJose    20    19


After these three clients are permitted or denied, the connection permit and deny counters are incremented as follows:

• US – Deny counter is incremented by 1.

• US.CA – Permit counter is incremented by 1.

• US.CA.SanJose – Permit counter is incremented by 1.

Full-Domain Checking

When full-domain checking is enabled, the AX device checks the current connection count not only for the client’s specific geo-location, but for all geo-locations higher up in the domain tree.

Based on full-domain checking, all three connection requests from the clients in the example above are denied. This is because the US domain has reached its connection limit. Likewise, the counters for each domain are updated as follows:

• US – Deny counter is incremented by 1.

• US.CA – Deny counter is incremented by 1.
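To make the two behaviours concrete, here is an added Python model (not A10 code) that replays the Table 5 numbers in the default mode and with full-domain checking. The class and function names are assumptions, as are two details the text leaves open: a permitted connection is counted only at the client’s matched level, and in full-domain mode the deny counter is kept at the client’s own matched level.

```python
"""Geo-location connection limiting in the two modes this section
describes: default (check only the client's matched level) and
full-domain-tree (check every ancestor as well).  Added example, not
A10 code; tree layout, counter placement and names are assumptions."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class GeoNode:
    conn_limit: int
    current: int          # connections currently open at this level
    permit: int = 0
    deny: int = 0


def ancestors(location: str) -> list[str]:
    """'US.CA.SanJose' -> ['US', 'US.CA', 'US.CA.SanJose'] (root first)."""
    parts = location.split(".")
    return [".".join(parts[:i]) for i in range(1, len(parts) + 1)]


class GeoLimiter:
    def __init__(self, table: dict[str, GeoNode], full_domain_tree: bool = False) -> None:
        self.table = table
        self.full_domain_tree = full_domain_tree   # "geo-location full-domain-tree"

    def matched_level(self, location: str) -> Optional[str]:
        """Most specific configured level at or above the client's location."""
        for level in reversed(ancestors(location)):
            if level in self.table:
                return level
        return None

    def request(self, location: str) -> bool:
        """Admit (True) or refuse (False) one new connection from `location`."""
        matched = self.matched_level(location)
        if matched is None:
            return True                   # no limit anywhere on the path
        # Default: only the matched level is checked; full-domain-tree:
        # every ancestor of the matched level is checked too.
        levels = ancestors(matched) if self.full_domain_tree else [matched]
        blocked = any(
            self.table[lv].current >= self.table[lv].conn_limit
            for lv in levels if lv in self.table
        )
        node = self.table[matched]
        if blocked:
            node.deny += 1        # assumption: deny counted at the matched level in both modes
            return False
        node.permit += 1
        node.current += 1         # assumption: the new connection counts at its matched level only
        return True


def table5() -> dict[str, GeoNode]:
    """Limits and current connections exactly as in Table 5."""
    return {
        "US": GeoNode(100, 100),
        "US.CA": GeoNode(50, 37),
        "US.CA.SanJose": GeoNode(20, 19),
    }


def run(full_domain_tree: bool) -> dict:
    """Replay the three requests from the text and report decisions and counters."""
    lim = GeoLimiter(table5(), full_domain_tree)
    decisions = {loc: lim.request(loc) for loc in ("US.CA.SanJose", "US.CA", "US")}
    counters = {loc: (n.permit, n.deny) for loc, n in lim.table.items()}
    return {"decisions": decisions, "counters": counters}


if __name__ == "__main__":
    print("default:    ", run(False))
    print("full-domain:", run(True))
```

The default run reproduces the text: San Jose and US.CA are permitted, the plain US match is denied, and only the US deny counter moves. With full-domain checking every request walks up to US, which is already at its limit, so all three are refused.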

USING THE GUI

The current release does not support this feature in the GUI.

USING THE CLI

To enable full-domain checking for geo-location-based connection limiting, use the following command at the configuration level for the PBSLB template:

geo-location full-domain-tree

Note: It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect.

Enabling PBSLB Statistics Counter Sharing

You can enable sharing of statistics counters for all virtual servers and virtual ports that use a PBSLB template. This option causes the following counters to be shared by the virtual servers and virtual ports that use the template:


• Permit

• Deny

• Connection number

• Connection limit

USING THE GUI

The current release does not support this feature in the GUI.

USING THE CLI

To enable the share option, use the following command at the configuration level for the PBSLB policy template:

geo-location share

Note: It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect.


Cloud-based Computing Solution

GSLB supports the ability to dynamically generate a service-ip, based on the hostname assigned to an AX device. If you have an FQDN for the SLB but you are lacking the associated IP address, then the GSLB protocol can query the DNS server for an A record or CNAME record in order to learn the IP address for that device. The GSLB AX device, or GSLB controller, can acquire the IP address of the device and apply it to the service-ip.

This information can then be used to configure the SLB server (with hostname) as an ip-server or vip-server of a GSLB site. The IP address that appears in the A record or CNAME record will become the dynamically assigned service-ip for that SLB.

Benefits

The GSLB Cloud Computing Solution may work well if you are using multiple web-based service providers to provide server load balancing services. It can allow you to shift from one web-based service provider to another in order to use the services that cost less or that have better health metrics.

If you are using a cloud-based SLB service provider for web-based services, then the provider will send a CNAME record to access the cloud servers, and the cloud servers can be dynamically imported into the AX device via the CNAME record in order to do GSLB.

Note: For this release, the feature supports IPv4 resource records and does not support IPv6 records.

USING THE GUI

This feature is not supported in the GUI for this release.

USING THE CLI

No new CLI commands are required to use this feature. The ability to shift from one cloud-based SLB provider to another can be enabled by using existing CLI commands, as shown in the CLI example below.

CLI Example

The example below shows the generation of dynamic service-ip addresses by hostname via DNS. This can be accomplished using the following CLI configurations on an AX device:

To configure the cloud-based service provider number 1:

AX(config)#slb server www www.example2.com

To configure the cloud-based service provider number 2:

AX(config)#slb server mail mail.example2.com

To configure the cloud-based service provider number 3:

AX(config)#slb server www1 www1.example2.com

The following commands configure three sites for each web-based service provider:

AX(config)#gslb site sanjose

AX(config-gslb site)#slb-dev AX5200 192.168.1.2

AX(config-gslb site-slb dev)#ip-server ip-server1

AX(config-gslb site-slb dev)#ip-server ip-server2

AX(config-gslb site-slb dev)#ip-server www

AX(config-gslb site-slb dev)#ip-server mail

DNSSEC Support

This chapter describes the AX device’s DNSSEC support.

Overview

An AX device configured as a Global Server Load Balancer (GSLB) controller can act as an authoritative DNS server for a domain zone. As the authoritative DNS server for the zone, the AX device sends records in response to requests from DNS clients. The AX device supports the ability to respond to client requests for the following types of well-known resource records:

• A

• AAAA

• CNAME

• NS

• MX

• PTR

• SRV

• TXT

Placing the AX device within the DNS infrastructure exposes it to potential online attacks. When DNS was originally designed, there were no mechanisms to ensure the DNS infrastructure would remain secure.

In an unsecured DNS environment, the client’s DNS resolver has no way to assess the validity of the address it receives for a particular domain name, so the client’s DNS resolver cannot tell whether an address received for a particular domain is from the legitimate owner of that domain.

This potential security hole opens the door for possible forgeries, thus making DNS vulnerable to so-called “man-in-the-middle” attacks, DNS cache poisoning attacks, and other types of online attacks that could be used to forge DNS data, hijack traffic, and potentially steal sensitive information from the user.

To close this security hole, the IETF introduced a set of standards in the mid-1990s called Domain Name System Security Extensions (DNSSEC). These additional standards add authentication to DNS and help ensure the integrity of the data transferred between the client resolvers and DNS servers.

DNSSEC offers authentication through the use of cryptographic keys and digital signatures, which ensure that entries within DNS tables are correct and that connections are made to legitimate servers. The AX device’s implementation of DNSSEC is based on RFCs 4033, 4034, and 4035.

Note: DNSSEC for GSLB is not supported in proxy mode for this release.

DNS without Security

Figure 18 on page 135 provides a visual introduction to basic DNS without DNSSEC. The figure shows the recursive lookup process that occurs when a client resolver requests the IP address for a particular URL. Note that this illustration shows how a client request works in a simple DNS environment that does not have DNSSEC.

FIGURE 18 DNS Packet Flow without DNSSEC

A client (shown at upper left) requires access to a server in the domain zone1.example.org (at lower left). The AX device, which is acting as the GSLB controller, is the authoritative DNS server for the zone. In order to access this server, the client requires the IP address for this zone, or domain. The user enters the domain name in the web browser’s URL, and from there, the process of obtaining the IP address associated with this domain unfolds as follows:

1. The DNS resolver embedded in the client’s web browser sends an address request (“A ?”) to the Caching DNS server to see if the Caching DNS server already has the required IP address cached in its memory for the requested example.org domain.

2. The Caching DNS server has a list of IP address-to-domain mappings, but the list is not comprehensive, and unfortunately, the Caching DNS server does not have the required IP address. It acts as a proxy for the client and makes a recursive query to the Root DNS Server, which is located at the top of the DNS hierarchy.

3. The Root DNS Server does not have the requested IP address, but in an attempt to point the Caching DNS server in the right direction, it responds to the request with a Name Server (NS) record, which contains the IP of the Top Level Domain (TLD) server for the .org domain.

4. The Caching DNS server now has the IP address for the name server that manages the .org domain, so it sends an address request (on behalf of the client) to the TLD DNS server for the .org domain.

5. It turns out that the TLD Server does not have the requested IP address, but once again, it points the Caching DNS server in the right direction by providing an NS record containing the IP address for the next name server within the DNS hierarchy, which is the authoritative DNS server for the example.org subdomain.

6. Now that it has the IP address needed to reach the authoritative DNS server for the example.org domain, the Caching DNS server sends a request for zone1.example.org to this authoritative DNS server.

7. The authoritative DNS server does not have the requested information, but it can get the Caching DNS server one step closer to its destination by providing the NS record for the authoritative DNS server for the zone1.example.org domain.

8. The Caching DNS Server sends a request to the authoritative DNS server for the zone1.example.org domain.

9. The AX device, which is the authoritative DNS server for zone1.example.org, has the IP address that the client needs. It sends the requested IP address to the Caching DNS server.

10. The Caching DNS server sends the IP address, provided by the AX device, to the DNS resolver in the client’s browser. The client now has the IP address needed to reach the server in the zone1 subdomain.

DNSSEC (DNS with Security)

Figure 19 on page 138 illustrates how the DNS query process works when the security extensions are used with DNS to provide security (DNSSEC). The process is similar to that depicted in Figure 18 on page 135, but with the notable exception that DNSSEC uses the following additional resource record types to provide security:

• DNS Key (DNSKEY) – Public key used by an Authoritative DNS server to sign resource records for its zone.

• Delegation Signer (DS) – Hash (message digest) of a public key. A DNS server uses the DS for a zone directly beneath it in the DNS hierarchy to verify that signed resource records from the Authoritative DNS server for that zone are legitimate.

• Resource Record Signature (RRSIG) – Digitally signs another resource record, such as an A record. The digital signature is created by applying a hash function to the DNS record to reduce its file size, an encryption algorithm is applied to the hash value (using the private key), and this encrypted hash value appears as the digital signature at the bottom of the resource record. The RRSIG record, which contains the private key used to encrypt the hash value, appears at the bottom of the record being signed.

While Figure 18 on page 135 shows how basic DNS works without DNSSEC, Figure 19 on page 138 provides an updated version of this illustration showing how the DNS lookup process works with DNSSEC.

The recursive lookup process remains largely unchanged, with the higher level DNS servers pointing to lower level servers within the DNS hierarchy in order to move the request closer to the authoritative server for the desired domain.

However, when DNSSEC is added to this scenario, the additional records (such as DS, RRSIG, and DNSKEY) are used to sign and authenticate the communications from the DNS servers, thus proving to the client that each of the name servers in the “chain of trust” is authoritative for its respective domain. For more details, see “Building the Chain of Trust” on page 140.

FIGURE 19 DNS Packet Flow with DNSSEC

Figure 19 shows the resolution process for an address query from the DNS resolver on a client for the IP address of zone1.example.org.

1. The DNS resolver on the client sends an address query for the IP address of a host under zone1.example.org.

2. The Caching DNS server, which does not have the address, forwards the request to the root server.

3. The root server redirects the Caching DNS server to the TLD DNS server for the .org domain. This is accomplished by sending an NS record with the IP address of that TLD server. The root server uses an RRSIG record (used to store the private key) to sign the NS record, and the root server sends a copy of the DS record to the Caching DNS server, which points to the TLD server.

4. The Caching DNS server sends the address query to the TLD server for the .org domain.

5. The TLD server does not have the requested address, so it points the Caching DNS server to the Authoritative DNS server for example.org. It sends an NS record with the IP address of the authoritative server for example.org, and the TLD server signs the NS record with the private key in the RRSIG record.

6. The Caching DNS server sends the address query to the Authoritative DNS server for example.org.

7. The Authoritative DNS server for example.org does not have the requested address, so it responds to the caching server’s request by sending the NS record (signed with the RRSIG record). This NS record contains the IP address of the Authoritative DNS server for zone1.example.org. The server sends the DS record for the zone1.example.org server to the Caching DNS server.

8. The Caching DNS server sends the address query to the Authoritative DNS server for zone1.example.org, which happens to be the AX device.

9. Finally, the Caching DNS server has reached the Authoritative DNS server for zone1.example.org. The Authoritative DNS server (which is the AX device) replies with an SOA record, the requested A record, and RRSIG records containing the private key, which is used to sign the SOA and A records.

10. The Caching DNS server asks the AX device for its DNSKEY record, which is where the public key for the zone is advertised. (This public key is needed to unlock the resource records and check the hash values back up the chain.)

11. The AX device sends its DNSKEY record, along with an RRSIG record that was used to sign the DNSKEY record. (The RRSIG record contains the private key.)

12. To continue assembling the chain of trust, the Caching DNS server asks the Authoritative DNS server for example.org for its DNSKEY record.

13. The Authoritative DNS server for example.org sends its DNSKEY record, along with an RRSIG record (with the private key) that was used to sign the DNSKEY record.

14. The Caching DNS server then asks the TLD server for .org for its DNSKEY record.

15. The TLD server sends its DNSKEY record, along with an RRSIG record that was used to sign the DNSKEY record. The Caching DNS server now has all the private/public key pairs and has therefore validated all of the links in the chain of trust. It can now send the trusted response to the DNS resolver on the client.

Building the Chain of Trust

Figure 20 illustrates how the Chain of Trust is built within the DNSSEC infrastructure. A Chain of Trust is built like a series of links, with each node authenticating the one below.

The presence of a Chain of Trust allows the client’s DNS resolver to know that all DNS servers within the chain have vouched for one another, starting from the Root DNS Server and continuing down to the lowest-level DNS server.

FIGURE 20 DNSSEC Chain of Trust

Figure 20 above shows the Authoritative DNS Server for the zone1.example.org domain at the bottom left, and the Root DNS Server is located at the upper right.

Starting from the lower left, the Authoritative DNS Server for the zone1.example.org domain has a DNS key record (DNSKEY). This DNSKEY record contains the public Zone Signing Key (ZSK) for zone1. The ZSK is used to sign other record types, such as A records, for the zone. The DNSKEY record is signed by another key, the Key Signing Key (KSK), which also belongs to this zone.

The Start of Authority (SOA) record indicates that this server is the Authoritative DNS Server for zone1. The A record provides the IP address for zone1.example.org.

The next level up within the DNS hierarchy corresponds to the next "label" in the example.org domain, and it has a record called the Delegation Signer (DS). The DS record contains a hash, or message digest, of the public Key Signing Key (KSK), which belongs to the Authoritative DNS Server for the node below, zone1.example.org.

The DNS resolver (or the Caching DNS Server) can compare the hash value for any of the nodes within the Chain of Trust, and the values should match. If the hash values in a DS record cannot be recreated from the DNSKEY record, then this indicates the packet containing the key record may have been tampered with, cannot be trusted, and should be discarded.

However, if the hash value is correct, this indicates that the Chain of Trust is unbroken and that the DNSKEY record (for the Authoritative DNS Server associated with the zone1.example.org domain) is properly linked to the DS record above.

In turn, the DNSKEY record (for the Authoritative DNS Server associated with the example.org domain) is properly linked to the DS record above. This process of DNSKEY records being linked with the DS record of the node above continues all the way to the Root DNS Server.

The client’s DNS resolver knows that the Root DNS Server is legitimate due to the presence of a “trust anchor”. This trust anchor, which consists of information for the Root DNS Server, is included in the resolver software that is installed on the client. This minimizes the chance that a client could access a corrupt root DNS server.

Due to this anchor, the client knows the Root DNS Server can be trusted, and it can infer that the other nodes within the Chain of Trust can also be trusted. Because the hash values match all the way down the line, this is an indication that the Chain of Trust is intact, and that the client’s DNS resolver can trust the Authoritative DNS Server for zone1.example.org, located at the bottom of the Chain of Trust within the DNS hierarchy.

Performing Key Rollovers

New DNSSEC keys should be generated periodically to replace the old keyset. While it may not be necessary to perform the key rollover process every time you sign your zone, it is a good idea to change keys on a regular schedule if you suspect your keys may have been compromised.

As a rule of thumb, longer keys are more secure and do not need to be replaced as often as shorter keys. However, if your zone contains highly valuable information that could attract unwanted attention from potential miscreants, then it is recommended that you perform the key rollover process at more frequent intervals.

Key rollovers must be performed manually. The key rollover process differs slightly for the ZSK and KSK keys. Instructions for performing both types of key rollovers are provided below.

ZSK Key Rollovers

ZSK rollovers use a pre-publishing scheme. This approach can be helpful because if the old key expires or is compromised in some way, the new key has already been distributed throughout the DNS. This makes performing the rollover relatively easy since you can easily switch to the new key that has already been distributed while removing the old key from the zone. This way, the name servers will still be able to find the zone-signing DNSKEY record by using the new pre-published but inactive ZSK key, thus preventing them from becoming isolated with the old information.[1]

To help illustrate the ZSK rollover process, consider the following example in which there is a DNSSEC-enabled zone, “example.com”, which uses the DNSSEC template “temp-test”. In this example, the old key called “ZSK-OLD” is replaced with a new key, “ZSK-NEW”.

The key rollover process unfolds as follows:

1. The new key “ZSK-NEW” is added to the DNSSEC template “temp-test”. When the new key is added to the template, the status of the new key is set with the publish command in order to distribute the new key across the network of DNS servers.

2. The DNSSEC template has a dnskey-ttl option. Wait for the amount of time configured for this parameter; the default is 4 hours. Once the time has elapsed, the old ZSK key expires and is removed from the cache.

3. The status of the old key “ZSK-OLD” is changed within the DNSSEC template using the deprecate command. At the same time, the status of the new key “ZSK-NEW” is elevated using the active command.

4. It is recommended to wait for the duration specified for the Maximum Zone TTL for any data in the zone to expire from the caches. This is just a precaution to ensure that any old data in the zone expires and is removed.

5. Remove the old key “ZSK-OLD” from the DNSSEC template using the no zsk keyname command.

[1] For additional details on pre-publishing, refer to RFC 4641.
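Added example, not from the AX guide: a Python simulation of the five-step ZSK pre-publish rollover above. It tracks which DNSKEY RRsets and which signing keys resolvers could still hold in cache (DNSKEY records for dnskey-ttl, zone data for the Maximum Zone TTL) and reports whether every signature a resolver may have cached can still be matched to a DNSKEY RRset it may have cached, after step 3 and after step 5. The key names and zone follow the text; the 4-hour dnskey-ttl is the page default, while the 1-hour Maximum Zone TTL and the rule that every key in the template is served in the DNSKEY RRset are assumptions.

```python
# Template default and an assumed zone TTL (constructed values for the simulation).
DNSKEY_TTL = 14400      # dnskey-ttl default (4 hours)
MAX_ZONE_TTL = 3600     # assumed Maximum Zone TTL for data in the zone


class Zone:
    """DNSSEC template state for one zone, plus a history of what resolvers could have fetched."""

    def __init__(self, name, active_zsk, now):
        self.name = name
        self.keys = {active_zsk: "active"}   # key name -> published / active / deprecated
        self.dnskey_history = []             # (time, DNSKEY RRset served from that moment on)
        self.signer_history = []             # (time, ZSK named in RRSIGs produced from then on)
        self._snapshot(now)

    def active_key(self):
        return next(k for k, status in self.keys.items() if status == "active")

    def apply(self, now, changes):
        """Apply template commands at time 'now': a status string sets the key's status,
        None removes the key (the 'no zsk keyname' command). Assumption: every key in the
        template, whatever its status, is served in the zone's DNSKEY RRset."""
        for key, status in changes.items():
            if status is None:
                del self.keys[key]
            else:
                self.keys[key] = status
        self._snapshot(now)

    def _snapshot(self, now):
        self.dnskey_history.append((now, frozenset(self.keys)))
        self.signer_history.append((now, self.active_key()))


def possibly_cached(history, now, ttl):
    """Everything a resolver may still hold at 'now': values served within the last 'ttl'
    seconds, plus whatever was current exactly 'ttl' seconds ago."""
    cutoff = now - ttl
    held, current_at_cutoff = set(), None
    for when, value in history:
        if when <= cutoff:
            current_at_cutoff = value
        else:
            held.add(value)
    if current_at_cutoff is not None:
        held.add(current_at_cutoff)
    return held


def validation_safe(zone, now):
    """True if every signer a resolver may have cached appears in every DNSKEY RRset it may hold."""
    signers = possibly_cached(zone.signer_history, now, MAX_ZONE_TTL)
    keysets = possibly_cached(zone.dnskey_history, now, DNSKEY_TTL)
    return all(signer in keyset for signer in signers for keyset in keysets)


def run_rollover(wait_dnskey_ttl=True, wait_zone_ttl=True):
    """Replay the five ZSK rollover steps from the text for zone example.com.
    Returns (validation safe after step 3, validation safe after step 5)."""
    now = 0
    zone = Zone("example.com", "ZSK-OLD", now)
    zone.apply(now, {"ZSK-NEW": "published"})                        # step 1: publish
    if wait_dnskey_ttl:
        now += DNSKEY_TTL                                             # step 2: wait dnskey-ttl
    zone.apply(now, {"ZSK-OLD": "deprecated", "ZSK-NEW": "active"})  # step 3: deprecate / active
    safe_after_activate = validation_safe(zone, now)
    if wait_zone_ttl:
        now += MAX_ZONE_TTL                                           # step 4: wait Maximum Zone TTL
    zone.apply(now, {"ZSK-OLD": None})                                # step 5: no zsk ZSK-OLD
    safe_after_remove = validation_safe(zone, now)
    return safe_after_activate, safe_after_remove


if __name__ == "__main__":
    print("procedure as documented:", run_rollover())                        # (True, True)
    print("skipped dnskey-ttl wait: ", run_rollover(wait_dnskey_ttl=False))  # (False, False)
    print("skipped zone TTL wait:   ", run_rollover(wait_zone_ttl=False))    # (True, False)
```

Skipping the dnskey-ttl wait leaves resolvers holding a DNSKEY RRset without ZSK-NEW while signatures are already made with it; skipping the zone TTL wait removes ZSK-OLD while signatures made with it are still cached.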

KSK Key Rollovers

A double-signature scheme is used for KSK key rollovers. This scheme is simpler than the ZSK pre-publishing scheme and does not use the publish, active, and deprecate command options.

The drawback to using the double-signature approach for KSK rollovers is that the number of signatures is multiplied by a factor of two. This increases the size of your zone during the key rollover process, which can present problems for larger zones. However, the benefit of the double-signature scheme, when compared with the pre-publishing scheme used for ZSK rollovers, is that the double-signature scheme requires only three steps: Initial, new DNSKEY, and DNSKEY removal.[1]

To help illustrate the KSK rollover process, consider the following example in which there is a DNSSEC-enabled zone, “example.edu”, which uses the DNSSEC template “temp-2”, and has the KSK key called “KSK-OLD”. In this example, the old key is replaced with a new key, “KSK-NEW”.

The KSK key rollover process unfolds as follows:

1. The new key “KSK-NEW” is added to the DNSSEC template “temp-2” to sign the zone.

2. The DNSSEC template has a dnskey-ttl option. Wait for the amount of time configured for this parameter; the default is 4 hours. After this time period has passed, the old KSK key will expire from the cache.

3. Transfer the new KSK key to the parent zone. In this example, the parent zone is “.edu”. For details on transferring the key to the parent zone, see “Importing and Exporting the Delegation Signature Keyset” on page 145.

4. The parent zone has a TTL value configured for the DS record. Wait for this amount of time to pass. This will cause the old DS record (which points to the authoritative DNSKEY record for the “example.edu” child zone) to expire from the cache of the parent zone.

5. Remove the old key “KSK-OLD” from the DNSSEC template “temp-2” using the no ksk keyname command. Once the old key is removed, the new KSK will be used to sign the zone.

[1] For additional details, refer to RFC 4641.

Importing and Exporting the Delegation Signature Keyset

The Delegation Signer (DS) resource record (RR) and the corresponding DNSKEY RR are stored in different locations. The AX device offers import and export CLI commands to move these records to the appropriate nodes within the DNS hierarchy.

Figure 20 on page 141 shows that the DS RR always appears one level higher within the DNS hierarchy than its DNSKEY record. The DS record is on the “parent” side and the DNSKEY record is on the child side. To help understand this principle, consider the example earlier in this section. The DS record for the zone example.org is stored in the .org zone. This zone is the parent zone relative to the example.org zone, which is the child zone. While the DS record is stored in the parent zone, the DNSKEY record is stored in the child zone.

To ensure that these records are in the appropriate relative locations, the AX supports two kinds of keyset formats that can be used to import the DS record from the child zone to the parent zone:

• DS RR – This is a hashed version of the DNSKEY.

• DNSKEY RR – The AX converts this record using a hash function, in order to create the resulting DS record.

The import dnssec-ds/dnssec-dnskey child-zone-name command imports the DS keyset of the child zone. Note that the parent zone must be set up before the record is imported.

The export dnssec-ds/dnssec-dnskey authoritative-zone-name command exports the DS keyset from the child zone to the parent zone.

Note: Communication between the parent and child zones is performed out-of-band.
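Added example, not from the AX guide or A10: a Python model of the DS/DNSKEY linkage described under “Building the Chain of Trust” and of the DNSKEY-to-DS hash conversion described for the keyset import above. Each parent's DS holds the SHA-256 digest of the child's owner name plus DNSKEY RDATA (the DS layout from RFC 4034), the root DS serves as the trust anchor, and a resolver walks the chain from the root down, stopping at the first DNSKEY whose digest cannot be recreated. The zone names follow Figure 20; the keys are random bytes standing in for RSA public keys, and RRSIG signature checks (done with the zone's public key from its DNSKEY) are left out.

```python
import hashlib
import hmac
import os
import struct

# Values from RFC 4034: KSK flags (ZONE + SEP bits), the fixed protocol field,
# and the algorithm / digest type numbers used in this constructed example.
KSK_FLAGS = 257
DNSKEY_PROTOCOL = 3
ALG_RSASHA256 = 8
DS_DIGEST_SHA256 = 2

# The delegation path from Figure 20, root first (constructed to mirror the text).
ZONES = [".", "org", "example.org", "zone1.example.org"]


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels, root = 0x00."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA layout: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, DNSKEY_PROTOCOL, algorithm) + public_key


def key_tag(rdata):
    """Key tag computed over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata):
    """DS record the parent publishes for a child's KSK: digest over owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": DS_DIGEST_SHA256, "digest": digest}


def ds_matches_dnskey(ds, owner, rdata):
    """The resolver-side check from the text: recreate the DS digest from the DNSKEY and compare."""
    if ds["digest_type"] != DS_DIGEST_SHA256:
        return False
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    recreated = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(recreated, ds["digest"])


def build_chain(zones):
    """Give every zone a constructed KSK DNSKEY and every parent a DS for its child.
    Random bytes stand in for RSA public keys. Returns (dnskeys, ds_records, trust_anchor)."""
    dnskeys = {z: dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, os.urandom(64)) for z in zones}
    ds_records = {child: make_ds(child, dnskeys[child]) for child in zones[1:]}
    trust_anchor = make_ds(zones[0], dnskeys[zones[0]])  # root DS shipped with the resolver
    return dnskeys, ds_records, trust_anchor


def validate_chain(zones, dnskeys, ds_records, trust_anchor):
    """Walk root -> leaf as the resolver does. Returns None if every DNSKEY matches the
    DS above it, otherwise the name of the first zone where the chain breaks."""
    if not ds_matches_dnskey(trust_anchor, zones[0], dnskeys[zones[0]]):
        return zones[0]
    for child in zones[1:]:
        if not ds_matches_dnskey(ds_records[child], child, dnskeys[child]):
            return child
    return None


if __name__ == "__main__":
    keys, ds, anchor = build_chain(ZONES)
    print("intact chain ->", validate_chain(ZONES, keys, ds, anchor))          # None
    tampered = dict(keys)  # swap in a DNSKEY the parent's DS never vouched for
    tampered["example.org"] = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, os.urandom(64))
    print("tampered DNSKEY ->", validate_chain(ZONES, tampered, ds, anchor))  # example.org
```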

DNSSEC Templates

To configure DNSSEC on the AX device, templates are used to define information required by the security standard. The following information is required when configuring DNSSEC templates:

• Combinations limits (on signatures)[1] – The parameter is used to specify the maximum number of combinations per Resource Record Set (RRset), where RRset is defined as all the records of a particular type for a particular domain, such as all the “quad-A” (IPv6) records for www.example.com.

A static signature is included in the response to DNS queries. This static signature is generated in advance of future requests. For example, suppose there are five “A type” DNS resource records that correspond to a hypothetical domain name, www.example.net:

• 1.1.1.1

• 1.1.1.2

• 1.1.1.3

• 1.1.1.4

• 1.1.1.5

A static signature is generated for all of the possible combinations, such as [1.1.1.1], [1.1.1.1 1.1.1.2], [1.1.1.1 1.1.1.2 1.1.1.3]... [1.1.1.5]. By setting the combinations-limit parameter, this places a limit on the number of combinations of resource records that could be returned, preventing an excessive burden on the system memory.

Values for this combination limit range from 1-65535, with a default value of 31 possible combinations per resource record set.

• DNSKEY Time to Live – The dnskey-ttl parameter is used to set the lifetime for DNSSEC key resource records. The TTL can range from 1-864,000 seconds, with a default of 14,400 seconds (or 4 hours).

• Key Signing Key – The key signing key (KSK) is needed to establish the chain of trust and is the private counterpart to the public zone signing key used to sign authentication keys for the zone. At least one KSK is needed to sign successfully, but no more than two KSKs can be configured. There is no default.

• Return NSEC/NSEC3 – This parameter is used to enable or disable the return of an NSEC or NSEC3 record in response to a client request for an invalid domain. As originally designed, DNSSEC would expose the list of device names within a zone, allowing an attacker to gain a list of network devices that could be used to create a map of the network.

[1] For more details, please refer to RFC 4033, 4034, 4035 and 4641.

However, when NSEC/NSEC3 is used, the DNS server responds to invalid client requests by providing an NSEC/NSEC3 record, which contains an authenticated denial of existence for the invalid domain.

NSEC records include the invalid name in the response to the client. It was found that this information could be used for “zone walking” or “zone enumeration” using dictionary attacks. To address this vulnerability, NSEC3 was introduced to thwart zone walking by including a hashed value of the invalid requested name in the response record.

By default, the AX device returns an NSEC/NSEC3 record to client queries for invalid domain names. To disable the return of an NSEC/NSEC3 record, use the no return-nsec-on-failure command.

• Signature validity period – The signature-validity-period parameter is used to set the period for which a signature will remain valid. The time can range from 5-30 days, and the parameter has a default of 10 days.

• Zone Signing Key – The zone signing key (ZSK) is used to sign the domain name’s zone. At least one ZSK is needed to sign successfully, but no more than two ZSKs can be configured. There is no default.

The ZSK allows you to specify one of the following sub-options, which are used during the key rollover process:

• Active – Selecting this option sets the status of the ZSK to active, and only the active ZSK can be used to sign the zone. The active option is enabled by default. Only one active ZSK is allowed per zone.

• Published – This option is used to publish a newer ZSK just before deprecating the older key and activating the newer ZSK. This offers a way to push the newer key into the DNS infrastructure, but without activating it. The published ZSK can become active at the expiration of the DNSKEY TTL period.

• Deprecated – This option is used to deprecate an older ZSK prior to activating a new ZSK. This must be done before the new key can become active.

FIGURE 21 Life cycle of a ZSK

Configuration

To configure DNSSEC for GSLB:

1. Generate the DNS keys (or import them) to the AX device.

2. Configure the DNSSEC template.

3. Verify the DNSSEC template.

4. Apply the DNSSEC template to GSLB policy.

USING THE GUI

The current release does not support configuration of this feature using the GUI.

USING THE CLI

Configure the DNSSEC template

Note: You must generate the keys before using them in a DNSSEC template.

To configure the DNSSEC template, use the following command at the GSLB config level:

dnssec template name

Please refer to “DNSSEC Templates” on page 146 for details on configuring DNSSEC template sub-options.

Verify DNSSEC template using show command

After configuring a DNSSEC template, use the following command at the GSLB config level to display information for the configured template:

show dnssec template name

Apply the DNSSEC template to GSLB policy

To apply the DNSSEC template and provide DNSSEC support for GSLB, and to enable DNSSEC within the zone policy, use the following command at the GSLB policy level:

dns server authoritative sec

Specify the DNSSEC template

To specify the DNSSEC template, use the following command at the GSLB zone config level. If no template is specified, then the default template will be used.

template dnssec template-name

Import the DS Keyset from a Child Zone

To import the DS keyset from the child zone to the parent zone, use the following command at the config level:

import dnssec-ds child-zone-name

Export the DS Keyset from a Child Zone

To export the DNSKEY keyset from the child zone to the parent zone, use the following command at the config level:

export dnssec-dnskey authoritative-zone-name

Note: When using the CLI commands to import/export a DS/DNSKEY record to/from a parent/child zone, it is not necessary to list the AX device’s internal file name for the resource record. Instead, you can simply include the name of the DNS zone from which you will be importing or exporting the file.

Generate the DNSSEC Key

To generate the DNSSEC keyset, use the following command at the config level:

dnssec key-generate name algorithm [RSASHA1 | RSASHA256 | RSASHA512 | NSEC3RSASHA1] keysize num

• Algorithm – Specify which RSA SHA algorithm is used to generate the DNSSEC key pair (ZSK and KSK). You can specify any of the following algorithms:

• RSASHA1 (default)

• RSASHA256

• RSASHA512

• NSEC3RSASHA1

Selecting one of the first three algorithms (RSASHA1, RSASHA256, or RSASHA512) will cause the standard NSEC resource record to be generated for the zone. However, selecting the fourth algorithm option (NSEC3RSASHA1) causes the NSEC3/NSEC3PARAM record to be generated for the zone, which is helpful in mitigating the threat posed by zone walking.

Note: Different zones can use different DNSSEC templates and thus have different algorithms.

• Keysize – Specify the number of bits in the DNSSEC key, which can range from 512-4096 bits. Values must be specified in multiples of 64 bits, and the default value is 1024 bits.

Deleting the DNSSEC Key

To remove a DNSSEC key from the AX device, use the following CLI command at the config level:

no dnssec key-generate name

Exporting the DNSSEC Key

To export the DNSSEC key from the AX device, use the following CLI command at the config level:

export dnssec-key filename

Importing the DNSSEC Key

To import the DNSSEC key to the AX device, use the following CLI command at the config level:

import dnssec-key filename

Note: The imported dnssec-key file is a compressed file with the .tar suffix. This tar file includes both the private and public keys, with the respective suffixes of .private and .key. When an example tar file with the name “key01” is uncompressed, it includes the public key ("key01.key") and the private key ("key01.private").

Zone Signing Commands

After the zone or DNSSEC template configuration is changed, the zone signing will automatically begin 30 seconds later. However, you can use the following command at the global config level to immediately trigger zone signing:

dnssec sign-zone-now name

Specify the name for the DNS zone. Note that if a name is not specified, then all zones will be checked for configuration changes and signed (if any changes are found).

Details:

• DNSSEC Signature timeout – All zones will be checked every two days to guarantee that the dnssec-enabled zones have valid signatures. If the signature has timed-out, then this will cause the zone to be re-signed.

• Import the DNSSEC DS RR for the child zone – Every time the DS record of the child zone is imported, the parent of that child zone will be re-signed.
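Two of the steps above can be checked off the box. The NSEC3RSASHA1 option produces NSEC3 records whose owner names are hashed per RFC 5155, which is why an NSEC3 chain does not list the zone's names the way a plain NSEC chain does; and a DS record imported from a child zone (import dnssec-ds) should agree with the child's published KSK before the parent is re-signed. The Python below is an added example written for this guide, not AX code and not the output of any AX command: it implements the RFC 5155 hashed owner name, the RFC 4034 key tag and DS digest, and a parent-side DS/DNSKEY consistency check. The zone names are sample inputs, the salt and iteration count are the RFC 5155 Appendix A values, and the child KSK bytes are constructed filler, not a real key.

```python
import base64
import hashlib

# base32 (RFC 4648) -> base32hex alphabet; NSEC3 owner labels use base32hex (RFC 5155)
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    name = name.strip().rstrip(".").lower()
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(owner, salt_hex="", iterations=0):
    """Hashed owner label per RFC 5155 section 5: SHA-1(name || salt), re-hashed
    'iterations' more times with the salt appended, then base32hex-encoded."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def canonical_order(names):
    """RFC 4034 section 6.1 ordering for ASCII names: compare labels right to left."""
    return sorted(names, key=lambda n: tuple(reversed(n.lower().rstrip(".").split("."))))


def nsec_chain(names):
    """NSEC chain (RSASHA1/RSASHA256/RSASHA512 zones): each record carries its successor's
    name in cleartext, so the chain itself is a complete listing of the zone."""
    ordered = canonical_order(names)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def nsec3_chain(names, salt_hex, iterations):
    """NSEC3 chain (NSEC3RSASHA1 zones): successors are hashed labels, not names."""
    hashed = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, protocol 3, 1-byte algorithm, then the public key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest: hash(owner wire name || DNSKEY RDATA); type 1 = SHA-1, type 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(wire_name(owner) + rdata).hexdigest().upper()


def ds_matches_dnskey(owner, rdata, tag, algorithm, digest_type, digest_hex):
    """Parent-side check before signing a delegation with an imported DS: the DS key tag,
    algorithm and digest must all agree with the child's published DNSKEY."""
    return (key_tag(rdata) == tag
            and rdata[3] == algorithm
            and ds_digest(owner, rdata, digest_type) == digest_hex.upper())


# Constructed sample: a KSK (flags 257) for child zone zone1.example.org, algorithm 8
# (RSASHA256). The key bytes are filler, not a real RSA key.
CHILD_ZONE = "zone1.example.org"
CHILD_KSK = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + bytes(range(1, 33)))
CHILD_DS = (key_tag(CHILD_KSK), 8, 2, ds_digest(CHILD_ZONE, CHILD_KSK, 2))


def main():
    names = ["example", "a.example", "ns1.example", "w.example", "x.w.example"]
    print("NSEC chain (names visible):", nsec_chain(names))
    print("NSEC3 chain (hashes only):", nsec3_chain(names, "aabbccdd", 12))
    print("DS for %s: %d %d %d %s" % ((CHILD_ZONE,) + CHILD_DS))
    tampered = CHILD_KSK[:-1] + b"\x00"
    print("imported DS matches child DNSKEY:", ds_matches_dnskey(CHILD_ZONE, CHILD_KSK, *CHILD_DS))
    print("imported DS matches altered key:", ds_matches_dnskey(CHILD_ZONE, tampered, *CHILD_DS))


if __name__ == "__main__":
    main()
```

The hash of the apex name "example" with salt aabbccdd and 12 iterations is the first NSEC3 owner in RFC 5155 Appendix A, which makes a convenient self-check for the hashing routine. The DS check is what a parent operator would run against the child's DNSKEY RRset before accepting a dsset file into the parent zone.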

Configuration Examples

The following sections show DNSSEC configuration examples.

CLI Example #1

The following commands enable the DNSSEC option for GSLB, so that the AX device can handle DNSSEC queries while in DNS server mode.

AX(config)#gslb policy default

AX(config-gslb policy)#dns server authoritative sec

AX(config-gslb policy)#exit

Note: DNSSEC for GSLB is not supported in proxy mode for this release.

Note: The AX device supports the following standard DNS records: SOA, A, AAAA, ANY, CNAME, MX, NS, PTR and SRV. The AX device supports the following DNSSEC records: DNSKEY, NSEC, NSEC3, DS and RRSIG.

CLI Example #2

When configuring GSLB on the AX device, the default DNSSEC template is used for each zone unless you specify another template. The commands below generate a key called “keygen1”, using the NSEC3RSASHA1 algorithm. Then, commands are used to create the DNSSEC template called “dnssec1”, which has a combinations-limit of 10 and uses the key just created. The template is applied to a zone called example.com:

AX(config)#dnssec key-generate keygen1 algorithm NSEC3RSASHA1 keysize 1024

AX(config)#dnssec template dnssec1

AX(config-dnssec)#combinations-limit 10

AX(config-dnssec)#ksk keygen1

AX(config-dnssec)#exit

AX(config)#gslb zone example.com

AX(config-gslb zone)#template dnssec dnssec1

AX(config-gslb zone)#exit

CLI Example #3

The following command is used to display information for the DNSSEC template created above:

AX(config)#show dnssec template dnssec1

dnssec template dnssec1

ksk keygen1

combinations-limit 10

CLI Example #4

The following command imports the DS record from the delegated child zone (“zone1.example.org”) to the parent zone (“example.org”), for which the AX device is the authoritative DNS server:

AX(config)#import dnssec-ds zone1.example.org scp://[email protected]/root/dsset-zone1.example.org

Password []?******

Importing ...

...0 minutes 3 seconds

Done.

CLI Command Reference

This chapter lists the CLI commands for Global Server Load Balancing (GSLB). The commands are organized into the following sections:

• “Main Configuration Commands” on page 153

• “Policy Configuration Commands” on page 188

• “Show Commands” on page 222

• “Clear Command” on page 254

Main Configuration Commands

The commands in this section configure GSLB parameters. In some cases, the commands create a GSLB configuration item and change the CLI to the configuration level for that item.

gslb active-rdt

Description Configure global aRDT settings.

Syntax [no] gslb active-rdt {domain domain-name | interval seconds | port portnum | retry num | sleep seconds | timeout ms | track seconds}

Parameter Description

domain domain-name Specifies the query domain. To measure the active Round Delay Time (aRDT) for a client, the site AX device sends queries for the domain name to a client’s local DNS. An aRDT sample consists of the time between when the site AX device sends a query and when it receives the response.

Only one aRDT domain can be configured. It is recommended to use a domain name that is likely to be in the cache of each client’s local DNS.

The AX device averages multiple aRDT samples together to calculate the aRDT measurement for a client. (See the description of track below.)

interval seconds Specifies the number of seconds between queries. You can specify 1-16383 seconds.

port portnum Specifies the port. You can specify ports 1-65535. (For more information, please contact A10 Networks.)

retry num Specifies the number of times GSLB will resend a query if there is no response. You can specify 0-16.

sleep seconds Specifies the number of seconds GSLB stops tracking aRDT data for a client after a query fails. You can specify 1-300 seconds.

timeout ms Specifies the number of milliseconds GSLB will wait for a reply before resending a query. You can specify 1-16383 ms.

track seconds Specifies the number of seconds during which the AX device collects samples for a client. The samples collected during the track time are averaged together, and the averaged value is used as the aRDT measurement for the client. You can specify 3-16383 seconds.

The averaged aRDT measurement is used until it ages out. The aging time for averaged aRDT measurements is 10 minutes by default and is configurable on individual sites, using the active-rdt aging-time command.

Default This command has the following default settings:

• domain – google.com

• interval – 1 second

• port – Please contact A10 Networks for information.

• retry – 3

• sleep – 3 seconds

• timeout – 3000 ms

• track – 60 seconds

Mode Global configuration mode

gslb dns action

Description Globally drop or reject DNS queries from the local DNS server.

Syntax [no] gslb dns action {drop | reject}

Parameter Description

drop Drops DNS queries that do not match any zone service.

reject Rejects DNS queries that do not match any zone service, and returns the “Refused” message in replies.

Default Not set

Mode Global configuration mode

gslb dns logging

Description Globally set DNS logging parameters. When this option is enabled, the GSLB DNS log messages appear in the AX log.

Syntax [no] gslb dns logging {both | query | response | none}

Parameter Description

both Specifies that both query and response messages are logged.

query Specifies that query messages are logged.

response Specifies that response messages are logged.

none Logs nothing.

Default Disabled

Mode Global configuration mode

gslb geo-location

Description Configure a global geographic location by assigning a location name to a client IP address range. GSLB forwards client requests from addresses within the specified IP address range to the GSLB site that serves the location.

Syntax [no] gslb geo-location location-name [start-ip-addr {mask ip-mask | end-ip-addr}]

no gslb geo-location all

Parameter Description

location-name Name of the location. Use a period between each string label (range). Each range can contain up to 15 alphanumeric characters. The entire name can contain up to 127 alphanumeric characters.

Example: Asia.japan.123456789.xyz

The AX device can perform a partial match for a geo-location. For example, if IP 1.1.1.1 belongs to “Asia.japan”, but only “Asia” is configured, the AX device still knows which site to select.

start-ip-addr Beginning IP address for the range.

mask ip-mask Network mask.

end-ip-addr Ending IP address for the range.

all Removes all manually configured geo-locations from the configuration. The all option is valid only with the “no” form of the command shown above.

If you enter the gslb geo-location location-name command without any additional options, the CLI changes to the configuration level for the geo-location, where you can assign multiple IP address ranges to it. Use the following command for each range:

[no] ip start-ip-addr {mask ip-mask | end-ip-addr}

Default N/A

Mode Global configuration mode

Usage Geographic location also can be configured in a GSLB policy. In this case, the policy specifies whether to use the globally configured geographic location or the location configured in the policy. (See “geo-location” on page 209 and “geo-location match-first” on page 209.)

You can use manually configured geo-location mappings or load a database of mappings. To load a geo-location database, see “gslb geo-location load” on page 158.

• If you manually map a geo-location to a GSLB site, GSLB uses the mapping.

• If no geo-location is configured for a GSLB site, GSLB automatically maps the service-ip to a geo-location in the loaded geo-location database.

• If a service-ip cannot be mapped to a geo-location, GSLB maps the site AX device to a geo-location.

Example The following example configures geographic location “US.CA.SanJose” for IP address range 100.1.1.1 through 100.1.1.125:

AX(config)#gslb geo-location US.CA.SanJose 100.1.1.1 100.1.1.125
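As an added illustration of the range and partial-match rules above (example code written for this guide, not A10 code and not the AX implementation): the class below stores geo-locations the way the syntax describes, either start-ip with mask or start-ip with end-ip, resolves a client address to a location, and picks a site by the longest matching label prefix, so a client in “Asia.japan” is served by a site configured only as “Asia”. The sample ranges other than the US.CA.SanJose one, the site names, the choice of the narrowest range when ranges overlap, case-insensitive label matching, and first-configured-wins on ties are assumptions made for the example.

```python
import ipaddress


class GeoLocations:
    """Manually configured geo-locations, each mapping a client IP range to a dotted
    location name, resolved the way the gslb geo-location command describes."""

    def __init__(self):
        self._ranges = []  # (first, last, name) with addresses as integers

    def add(self, name, start_ip, mask=None, end_ip=None):
        """gslb geo-location NAME START {mask MASK | END}; labels are checked against the
        documented limits (up to 15 characters each, 127 for the whole name)."""
        labels = name.split(".")
        if len(name) > 127 or any(not lab or len(lab) > 15 for lab in labels):
            raise ValueError("invalid location name: %r" % name)
        if (mask is None) == (end_ip is None):
            raise ValueError("specify exactly one of mask or end_ip")
        if mask is not None:
            net = ipaddress.ip_network("%s/%s" % (start_ip, str(mask).lstrip("/")), strict=False)
            first, last = int(net.network_address), int(net.broadcast_address)
        else:
            first, last = int(ipaddress.ip_address(start_ip)), int(ipaddress.ip_address(end_ip))
        if first > last:
            raise ValueError("range start is after range end")
        self._ranges.append((first, last, name))

    def lookup(self, client_ip):
        """Location of the narrowest configured range containing client_ip, or None.
        Assumption: when ranges overlap, the most specific one wins."""
        addr = int(ipaddress.ip_address(client_ip))
        hits = [(last - first, name) for first, last, name in self._ranges if first <= addr <= last]
        return min(hits)[1] if hits else None


def best_site(client_location, sites):
    """Partial match: a site whose location is a label prefix of the client's location is
    usable; the site sharing the most leading labels wins. Assumptions: labels compare
    case-insensitively and ties go to the first configured site."""
    if client_location is None:
        return None
    client_labels = client_location.lower().split(".")
    best_name, best_depth = None, 0
    for site_name, site_location in sites:
        site_labels = site_location.lower().split(".")
        depth = len(site_labels)
        if depth <= len(client_labels) and client_labels[:depth] == site_labels and depth > best_depth:
            best_name, best_depth = site_name, depth
    return best_name


# Constructed sample configuration; only the US.CA.SanJose range comes from the guide.
GEO = GeoLocations()
GEO.add("US.CA.SanJose", "100.1.1.1", end_ip="100.1.1.125")
GEO.add("Asia.japan", "1.1.1.0", mask="255.255.255.0")
GEO.add("Asia", "1.0.0.0", mask="/8")  # broader range that also contains 1.1.1.0/24
SITES = [("site-eu", "Europe"), ("site-jp", "Asia"), ("site-us", "US.CA")]


def select_site(client_ip, geo=GEO, sites=SITES):
    """Client IP -> geo-location -> site, or None when no site serves that location."""
    return best_site(geo.lookup(client_ip), sites)


if __name__ == "__main__":
    for ip in ("100.1.1.50", "1.1.1.1", "1.2.3.4", "100.1.1.200"):
        print(ip, "->", GEO.lookup(ip), "->", select_site(ip))
```

The label-length check mirrors the limits stated for location-name, so a mis-typed label is rejected at configuration time rather than silently never matching.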

gslb geo-location delete

Description Delete or replace a custom geo-location database from the AX device.

Syntax gslb geo-location delete {all | file-name}

Parameter Description

all Deletes all manually configured geo-locationsfrom the configuration.

Default N/A

Usage This command is available only if you have already imported a geo-location database file. This command can replace a loaded geo-location database file but does not unload one without replacing it. To unload a geo-location database file without replacing it, see “gslb geo-location load” on page 158.

Mode Global configuration mode

gslb geo-location load

Description Load a geo-location database into GSLB. Loading a pre-configured geo-location database provides a convenient alternative to manually configuring each geo-location separately.

Syntax [no] gslb geo-location load {iana | file-name csv-template-name}

no gslb geo-location load all

Parameter Description

iana Loads the Internet Assigned Numbers Authority (IANA) database. The IANA database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. The IANA database is included in the AX system software. However, it is unloaded (not used) by default.

file-name csv-template-name Loads a custom database. You can load a custom geo-location database from a file in comma-separated-values (CSV) format. This option requires configuration of a CSV template on the AX device. When you load the CSV file, the data is formatted based on the template. (To configure a CSV template, see “gslb template csv” on page 175.)

Note: The file-name option is available only if you have already imported a geo-location database file. To display a list of filenames, enter the following:

gslb geo-location load ?

all Unloads all geo-location database files, including the default database (IANA). The all option is valid only with the “no” form of the command shown above.

Default The IANA geo-location database is loaded by default.

Mode Global configuration mode

Usage You can load more than one geo-location database. When you load a new database, if the same IP address or IP address range already exists in a previously loaded database, the address or range is overwritten by the new database.

Example The following command loads the IANA database:

AX(config)#gslb geo-location load iana

Example The following command loads geo-location data from a CSV file:

AX(config)#gslb geo-location load test1.csv test1-tmplte

gslb group

Description Configure GSLB group settings. GSLB controllers within a GSLB group automatically synchronize GSLB configuration information and data.

Syntax [no] gslb group default

The command changes the CLI to the configuration level for the group, where the following group-related commands are available:

(The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.)

Command Description

[no] config-anywhere Allows GSLB to be configured on any group member, without restricting the changes to the master controller.

[no] config-merge If this option is used and the current GSLB controller has the highest priority of all group members, then this current controller will attempt to retrieve the config file from the master GSLB controller before assuming control.

[no] config-save Enables automatic configuration save on this GSLB group member when the configuration is saved on the group master.

[no] dns-discover Discovers group members via the DNS protocol. When this option is used, you do not need to configure a primary IP address, because GSLB will send a DNS query (based on the group name) to discover other group members.

For example, if the group name is “group.a10.com” then GSLB will send the DNS discover query with domain name “group.a10.com”.

[no] enable Activates the AX device’s membership in the GSLB controller group.

[no] inherit Inherit main GSLB configuration.

[no] learn Enables the AX device to learn the IP addresses of other group members from the group’s primary controllers.

[no] primary ipaddr Specifies the IP address of another group member, to be a primary member. After the GSLB process starts on an AX device, the device joins the controller group by connecting to the primary group members to exchange group management traffic.

You can specify up to 15 primary members. Enter the command separately for each member.

[no] priority num Specifies the priority of the AX device to become the master for the group. You can specify 1-255.

[no] standalone Run GSLB Group in standalone mode.

[no] suffix name This option allows you to configure the DNS suffix that will be used for dns-discovery. You can specify the suffix (or name) that GSLB will append to the domain name when sending the dns-discover query. For example, if the group name is “group” and the suffix is “a10.com”, then the concatenated strings are sent in the DNS discovery query as “group.a10.com”.

Default The group parameters have the following default values:

• config-anywhere – disabled

• config-merge – disabled

• config-save – disabled

• dns-discover – disabled

• enable – disabled

• inherit – disabled

• learn – enabled

• primary – not set

• priority – 100

• standalone – disabled

• suffix – not set

Mode Global configuration mode

gslb ip-list

Description Configure a list of IP addresses and group IDs to use as input to other GSLB commands.

Syntax [no] gslb ip-list list-name

no gslb ip-list all

The command changes the CLI to the configuration level for the list, where the following IP-list-related commands are available:

(The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.)

Command Description

[no] ip ipaddr [subnet-mask | /mask-length] id group-id Creates an IP entry in the list. Based on the subnet mask or mask length, the entry can be a host address or a subnet address. The id option adds the entry to a group. The group-id can be 0-31.

no ip all Removes all manually configured IP addresses from the IP list.

[no] load bwlist-name Loads the entries from a black/white list into the IP list. For information on configuring a black/white list, see the “Policy-Based SLB (PBSLB)” section in the “Traffic Security Features” chapter of the AX Series System Configuration and Administration Guide.

all Removes all GSLB IP lists from the configuration. The all option is valid only with the “no” form of the command shown above.

Default None

Mode Global configuration mode

Usage You can configure an IP list in either of the following ways:

• Use a text editor on a PC or use the AX GUI to configure a black/white list, then load the entries from the black/white list into an IP list.

• Use this command to configure individual IP list entries.

Example The following commands configure a GSLB IP list and use the list to exclude IP addresses from aRDT data collection:

AX(config)#gslb ip-list iplist1

AX(config-gslb ip-list)#ip 192.168.1.0 /24 id 3

AX(config-gslb ip-list)#ip 10.10.10.10 /32 id 3

AX(config-gslb ip-list)#ip 10.10.10.20 /32 id 3

AX(config-gslb ip-list)#ip 10.10.10.30 /32 id 3

AX(config-gslb ip-list)#exit

AX(config)#gslb policy pol1

AX(config-gslb policy)#ip-list iplist1

AX(config-gslb policy)#active-rdt ignore-id 3

gslb ping

Description Test GSLB connectivity from the GSLB AX device to a site AX device.

Syntax ping {site-name | ipaddr}

site-name | ipaddr GSLB site name or the IP address of the site AX device.

Command Description

site-name GSLB site name of the site AX device.

ipaddr The IP address of the site AX device.

Mode Global configuration mode

gslb policy

Description Configure a GSLB policy.

Syntax [no] gslb policy {default | policy-name}

no gslb policy all

Parameter Description

default The default GSLB policy included in the software.

policy-name Name of the policy, up to 63 alphanumeric characters.

all Removes all GSLB policies from the configuration. The all option is valid only with the “no” form of the command shown above.

This command changes the CLI to the configuration level for the specified GSLB policy. For information about the commands available at the GSLB policy level, see “Policy Configuration Commands” on page 188.

Default N/A

Mode Global configuration mode

Example The following example creates a GSLB policy called “gslb-policy2”:

AX(config)#gslb policy gslb-policy2

AX(config gslb-policy)#

gslb protocol

Description Enable the GSLB protocol or set protocol options.

Syntax [no] gslb protocol {enable {controller | device} | status-interval seconds | use-mgmt-port}

Note: For the limit options, see “gslb protocol limit” on page 165.

Parameter Description

enable {controller | device} Enables the GSLB protocol:

controller – Use this option on the AX device on which GSLB is configured.

device – Use this option on the AX devices that are SLB devices at the GSLB sites.

status-interval seconds Changes the number of seconds between GSLB status messages. You can specify 1-300 seconds.

use-mgmt-port Use the management route table instead of the data route table.

Default The GSLB protocol options have the following defaults:

• enable – disabled

• status-interval – 30 seconds

• use-mgmt-port – disabled

Mode Global configuration mode

Usage The A10 Networks GSLB protocol uses port 4149. The protocol is registered on this port for both TCP and UDP.

AX devices use the GSLB protocol for GSLB management traffic. The protocol must be enabled on the GSLB controller, and it is recommended (but not required) that you enable the protocol on the site AX devices.

The following GSLB policy metrics require the protocol to be enabled on both the site AX devices as well as the GSLB controller:

• Session-Capacity

• aRDT

• Connection-Load

• Num-Session

The GSLB protocol is also required for the Health-Check metric, if the default health checks are used. If you modify the health checks, the GSLB protocol is not required.

Example The following command enables the GSLB protocol on a GSLB AX Series device:

AX(config)#gslb protocol enable controller

Example The following command enables the GSLB protocol on a site AX Series device:

AX(config)#gslb protocol enable device

gslb protocol limit

Description Change aRDT message limits.

Syntax [no] gslb protocol limit {ardt-query num-msgs | ardt-response num-msgs | ardt-session num-sessions | conn-response num-msgs | response num-msgs | message num-msgs}

Parameter Description

ardt-query Limits the number of aRDT Query messages.

ardt-response Limits the number of aRDT Response Messages.

ardt-session Limits the number of aRDT sessions.

conn-response Limits the number of Connection Load Response Messages.

response Limits the number of Response Messages.

message Limits the number of messages.

Default The GSLB protocol limit options have the following defaults:

• ardt-query – 200 messages

• ardt-response – 1000 response messages

• ardt-session – 32768 sessions

• conn-response – no limit

• response – 3600 messages

• message – 10000 messages

Mode Global configuration mode

gslb service-ip

Description Configure a service IP, which can be a virtual server’s or real server’s IP address.

Syntax [no] gslb service-ip service-name [ipaddr]

no gslb service-ip all

Parameter Description

service-name Name of the service, up to 63 alphanumeric characters.

ipaddr IP address of the virtual server or real server. You can specify an IPv4 or IPv6 address.

(If you are changing the configuration of a GSLB service that is already configured, this parameter is not required.)

all Removes all GSLB service IPs from the configuration. The all option is valid only with the “no” form of the command shown above.

This command changes the CLI to the configuration level for the specified service, where the following GSLB-related commands are available:

Command Description

disable Disables GSLB for the service IP address.

enable Enables GSLB for the service IP address.

[no] external-ip ipaddr Assigns an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network.

[no] health-check [option] Configures monitoring of the service IP address. If you enter the command without any options, the default Layer 3 health monitor (ICMP ping) is used.

monitor-name – The service is checked using the specified Layer 3, 4 or 7 health monitor.

follow-port portnum – The health of the service port is based on the health of another port. Specify the other port number.

protocol – Enables or disables use of the GSLB protocol for health checking of the service. By default, the protocol option is enabled. If the GSLB protocol is enabled and can reach the service, health checking is performed over the GSLB protocol. Otherwise, health checking is performed using standard network traffic instead.

[no] ipv6 ipv6-addr Maps the specified IPv6 address to an IPv4 service IP. This option also requires IPv6 DNS AAAA support to be enabled in the GSLB policy. (See the ipv6-mapping option in “dns” on page 197.)

[no] port num {tcp | udp} Adds a service port to the service IP address. The command also changes the CLI to the configuration level for the specified service port, where the following service port-related commands are available:

disable – Disables GSLB for the service port on this service IP address.

enable – Enables GSLB for the service port on this service IP address.

[no] health-check [monitor-name] – Enables or disables health monitoring for the service port. If you do not specify a health monitor, the default health monitor is used. (See “Usage” below.)

Default No services are configured by default. When you configure a service, the service is enabled by default, and the default port is 80. The default health monitor for a service is the default Layer 3 health monitor (ICMP ping). The default health monitor for a service port is the default TCP or UDP monitor, depending on the transport protocol. (For more on health checking, see “Usage” below.)

Mode Global configuration mode

Usage If you leave the health monitor for a service at its default setting (the default ICMP ping health check), the health checks are performed within the GSLB protocol.

If you use a custom health monitor, or you explicitly apply the default Layer 3 health monitor to the service, the GSLB protocol is not used for any of the health checks.

If you use a custom health monitor for a service port, the port number specified in the service configuration is used instead of the port number specified in the health monitor configuration.

The following policy metric options are not supported for IPv6 service IPs:

• active-rdt

• ip-list

• dns external-ip

• dns ipv6 mapping

• geo-location

Example The following example creates a GSLB service IP address named “gslb-srvc2” with IP address 192.160.20.99:

AX(config)#gslb service-ip gslb-srvc2 192.168.20.99

AX(config-gslb service-ip)#

gslb site

Description Configure a GSLB site.

Syntax [no] gslb site site-name

no gslb site all

Parameter Description

site-name Name for the site, up to 63 alphanumeric characters.

all Removes all GSLB sites from the configuration. The all option is valid only with the “no” form of the command shown above.

This command changes the CLI to the configuration level for the specified site, where the following site-related commands are available:

Command Description

[no] active-rdt option Configures options for the aRDT metric:

aging-time minutes – Specifies the maximum amount of time a stored aRDT result can be used. You can specify 1-15360 minutes. The default is 10 minutes.

bind-geoloc – Stores the aRDT measurements on a per geo-location basis. Without this option, the measurements are stored on a per site-SLB device basis.

ignore-count num – Specifies the ignore count if aRDT is out of range. You can specify 1-15. The default is 5.

limit num – Specifies the maximum aRDT allowed for the site. If the aRDT measurement for a site exceeds the configured limit, GSLB does not eliminate the site. Instead, GSLB moves to the next metric in the policy. You can specify 0-16383 milliseconds (ms). The default is 16383.

mask {/mask-length | mask-ipaddr} – Specifies the IPv4 client subnet mask length. The default mask length is 32.

range-factor num – Specifies the maximum percentage a new aRDT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again.

For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement cannot be used.

You can specify 1-1000. The default is 25.

smooth-factor num – Blends the new measurement with the previous one, to smooth the measurements.

For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new measurement is used, along with 50% of the previous measurement.

You can specify 1-100. The default is 10.

(For information about the aRDT metric, see “active-rdt” on page 188.)

[no] auto-map Enables auto-mapping feature at the site level.

[no] bw-cost options Configures options for the BW-Cost metric:

limit num – Specifies the maximum amountthe SNMP object queried by the GSLB AXdevice can increase since the previous query, inorder for the site to remain eligible for selection.You can specify 0-2147483647. There is nodefault.

If a site becomes ineligible due to being over thelimit, the percentage parameter is used. In orderto become eligible for selection again, the site’slimit value must not exceed limit*threshold-percentage.

You can specify 0-100. There is no default.

threshold percentage – For a site toregain eligibility when BW-Cost is being com-pared, the SNMP object’s value must be belowthe threshold-percentage of the limit value.

For example, if the limit value is 80,000 and thethreshold is 90 percent, then the limit value mustbe 72,000 or less, in order for the site to becomeeligible again based. Once a site again becomeseligible, the SNMP object’s value is againallowed to increase up to the bandwidth limit(80,000 in this example).

(For information about the BW-Cost metric, see “bw-cost” on page 193.)
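The limit/threshold hysteresis described for BW-Cost, as an added Python example that is not A10 code. It reads the guide's "increase since the previous query" as the difference between two consecutive polled counter values, and it assumes the polled object is a 32-bit SNMP counter that wraps; the guide says nothing about wrap handling.

```python
"""BW-Cost eligibility with limit/threshold hysteresis, added example."""


class BwCostSite:
    """Eligibility of one GSLB site under the BW-Cost metric as the guide
    describes it: the site is dropped from selection when the polled SNMP
    object has grown by more than `limit` since the previous query, and is
    readmitted only once the per-poll increase is limit * threshold / 100
    or less (72,000 for a limit of 80,000 and a threshold of 90 percent)."""

    COUNTER32_WRAP = 2 ** 32  # assumption: the polled object is a 32-bit counter

    def __init__(self, limit, threshold_percent):
        if not 0 <= limit <= 2147483647:
            raise ValueError("limit must be 0-2147483647")
        if not 0 <= threshold_percent <= 100:
            raise ValueError("threshold must be 0-100")
        self.limit = limit
        self.readmit_level = limit * threshold_percent // 100
        self.previous = None
        self.last_increase = None
        self.eligible = True

    def increase_since_last_poll(self, value):
        """Growth of the counter since the previous query (None on the first poll).
        A value lower than the previous one is treated as a counter wrap
        (assumption; the guide does not say how wraps are handled)."""
        if self.previous is None:
            self.previous = value
            return None
        delta = value - self.previous
        if delta < 0:
            delta += self.COUNTER32_WRAP
        self.previous = value
        return delta

    def poll(self, value):
        """Feed one polled counter value; return the site's eligibility after it."""
        delta = self.increase_since_last_poll(value)
        self.last_increase = delta
        if delta is None:
            return self.eligible
        if self.eligible and delta > self.limit:
            self.eligible = False  # over the limit: drop the site from selection
        elif not self.eligible and delta <= self.readmit_level:
            self.eligible = True  # back at or under the threshold: readmit it
        return self.eligible


def eligibility_trace(polls, limit=80000, threshold_percent=90):
    """Return [(increase, eligible), ...] for a sequence of polled counter values."""
    site = BwCostSite(limit, threshold_percent)
    trace = []
    for value in polls:
        eligible = site.poll(value)
        if site.last_increase is not None:
            trace.append((site.last_increase, eligible))
    return trace


if __name__ == "__main__":
    # Constructed poll values using the guide's numbers (limit 80,000, threshold 90%).
    for increase, eligible in eligibility_trace([0, 50000, 140000, 215000, 285000, 365000]):
        print(f"increase={increase:>6}  eligible={eligible}")
```

The third poll (increase 90,000) pushes the site over the limit; an increase of 75,000 on the next poll is under the limit but still above the 72,000 readmission level, so the site stays out until the increase drops to 70,000.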

[no] disable Disables all servers in the GSLB site.


[no] geo-location location-name Associates this site with a specific geographic location. (To configure a location, use the gslb geo-location command.)

[no] ip-server service-ip Associates a real server with this site.

Note: Generally, virtual servers rather than real servers are associated with a site. To associate a virtual server with a site, use the vip-server option of the slb-dev command.

no ip-server all Removes all real servers from the site.

[no] slb-dev device-name ip-addr Specifies the device that provides SLB for the site. The IP address must be reachable by the GSLB AX Series when the GSLB protocol is enabled.

This command changes the CLI to the configuration level for the SLB device. At this CLI level, the following optional GSLB-related commands are available:

[no] admin-preference num – Assigns a preference value to the SLB device. If the Admin-Preference metric is enabled in the policy and all metrics before this one result in a tie, the SLB device with the highest Admin-Preference value is preferred. You can specify from 0 – 255. The default is 100.

[no] auto-detect [ip | port] – Enables DNS auto mapping at the service IP level or the port level.

[no] auto-map – Enables auto mapping for this site.

[no] gateway ipaddr – Specifies the gateway the SLB device will use to reach the GSLB local DNS for collecting aRDT measurements.

[no] gateway health-check – Enables gateway health checking. A gateway health check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. This option is enabled by default.


[no] max-client num – Specifies the maximum number of clients for which the GSLB AX device (controller) saves data such as aRDT measurements for each of the clients. You can specify 1-2147483647. The default is 32768.

[no] proto-aging-fast – This option enables a quick refresh of data sent from a site AX device to the AX controller by “aging out” data from a site AX device. This can be useful to obtain fresh health status information from a site AX. For example, if a virtual server has been deleted from a site AX device, but this information could not be sent to the AX controller, then the status in the controller will continue to appear as "UP" for a long time until it is aged out. The "proto-aging-fast" command forces the GSLB controller to start aging the health status immediately after receiving updated information from a site AX.

[no] proto-aging-time seconds – If communication between a site AX device and the GSLB controller is interrupted, then the data for that site will become stale. The GSLB controller can continue to rely upon this old information, but after some time, the old data for the site must be purged. The lifespan of this old data is the sum of the time set using the gslb protocol status-interval command, plus the time you set using this proto-aging-time option. The default value is 60 seconds.

[no] proto-compatible – Enables GSLB protocol compatibility between a controller running 2.6.1 or later and a site AX device running 2.4.x. This option is disabled by default.

[no] vip-server {name | ip ipaddr} – Maps this SLB site to a globally configured GSLB service IP address. If you use the name option, the name must be the name of a configured service IP. (To configure the service IP, use the gslb service-ip command. See “gslb service-ip” on page 166.)

no vip-server all – Removes all VIP mappings (configured by the vip-server command) from the SLB device.


no slb-dev all Removes all SLB devices from the site.

[no] template template-name Binds a template to the site. To use the BW-Cost metric, use this option to bind a GSLB SNMP template to the site.

[no] weight num Assigns a weight to the site. If the Weighted-Site metric is enabled in the policy and all metrics before Weighted-Site result in a tie, the site with the highest weight is preferred. The weight can be from 1 – 100. The default is 1.

Default See above.

Mode Global configuration mode

Example The following example creates a site named “NY-site” and adds SLB AX Series “site-ax-1” with IP address 10.10.10.10 to the site:

AX(config)#gslb site NY-site
AX(config gslb-site)#slb-dev site-ax-1 10.10.10.10

gslb system auto-map module

Description Enable auto-mapping of IP address to resource name.

Syntax [no] gslb system auto-map module {all | slb-server | slb-virtual-server | slb-device | gslb-service-ip | gslb-site | gslb-group | hostname}

Default Disabled

Mode Global configuration mode

Usage See “Auto-mapping” on page 73.

gslb system auto-map ttl

Description Configure the TTL for DNS A or AAAA records created by the auto-mapping feature.

Syntax [no] gslb system auto-map ttl seconds


Parameter Description

seconds Maximum number of seconds for which an A or AAAA record created by auto-mapping is valid. You can specify 1-65535 seconds.

Default 300

gslb system ip-ttl

Description Change the IP Time-to-Live (TTL) in DNS replies to clients.

Syntax [no] gslb system ip-ttl num

Parameter Description

num TTL, 1-255.

Default 255

Mode Global configuration mode

Usage This option applies only to DNS server mode. The option does not apply to DNS proxy mode.

The TTL value is used in all replies, regardless of the client’s original TTL.

gslb system prompt

Description Disable or re-enable display of the confirmation prompt for gslb system reset and no gslb [option] all commands.

Syntax [no] gslb system prompt

Default The prompt is enabled.

Mode Global configuration mode


gslb system reset

Description Reset the entire GSLB configuration.

Syntax gslb system reset

Default N/A

Mode Global configuration mode

Usage This command unloads all geo-location files, and reloads the default “iana” file.

This command does not remove the GSLB configuration. If you want to entirely remove the GSLB configuration, see “no gslb all” on page 187.

gslb system wait

Description Delay startup of GSLB following startup of the AX device.

Syntax [no] gslb system wait seconds

Parameter Description

seconds Length of the delay, 0-16384 seconds.

Default 0 seconds (no delay)

Mode Global configuration mode

gslb template csv

Description Configure a template for extracting geo-location data from an imported CSV file.

Syntax [no] gslb template csv template-name

no gslb template csv all


Parameter Description

template-name Name of the template, 1-63 characters.

all Removes all CSV templates from the configuration. The all option is valid only with the “no” form of the command shown above.

Note: To remove all CSV templates and SNMP templates, use the following command: no gslb template all

This command changes the CLI to the configuration level for the specified template, where the following commands are available.

(The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.)

Command Description

[no] delimiter {character | ASCII-code} Specifies the character used in the file to delimit fields. You can type the character or enter its decimal ASCII code (0-255).

[no] field num type-of-data The num option specifies the field position within the CSV file. You can specify from 1-64. The following options specify the type of geo-location that is located in the field position:

ip-from – Specifies the beginning IP address in the range or subnet.

ip-to-mask – Specifies the ending IP address in the range, or the subnet mask.

continent – Specifies the continent where the IP address range or subnet is located.

country – Specifies the country where the IP address range or subnet is located.

state – Specifies the state where the IP address range or subnet is located.

city – Specifies the city where the IP address range or subnet is located.

Default There is no default CSV template. When you configure one, the field locations are not set. The default delimiter character is a comma ( , ).


Mode Global configuration mode

Usage To load a geo-location data file and use the CSV template to extract the data, see “gslb geo-location load” on page 158.

Example The following commands configure a CSV template called “test1-tmplte”:

AX(config)#gslb template csv test1-tmplte
AX(config-gslb template csv)#field 1 ip-from
AX(config-gslb template csv)#field 2 ip-to-mask
AX(config-gslb template csv)#field 5 continent
AX(config-gslb template csv)#field 3 country
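What a CSV template like “test1-tmplte” does to each line of an imported file, as an added Python example. This is not A10 code and does not reproduce how the AX device parses the file; it mirrors the template's two settings (one delimiter, given as a character or its decimal ASCII code, and the 1-based field positions) and applies them to constructed sample lines. The guide only says the second field is "the ending IP address in the range, or the subnet mask", so the rule used here to tell the two apart (a contiguous netmask or a bare prefix length is a mask, anything else is the range's end address) is an assumption.

```python
"""Parser mirroring a gslb template csv (delimiter + field positions), added example."""
import csv
import ipaddress

FIELD_TYPES = ("ip-from", "ip-to-mask", "continent", "country", "state", "city")


class CsvGeoTemplate:
    """Holds what the CLI template holds: one delimiter (a character or its
    decimal ASCII code 0-255) and a map of 1-based field position -> data type."""

    def __init__(self, delimiter=","):
        if isinstance(delimiter, int):  # `delimiter ASCII-code` form
            if not 0 <= delimiter <= 255:
                raise ValueError("ASCII code must be 0-255")
            delimiter = chr(delimiter)
        if len(delimiter) != 1:
            raise ValueError("delimiter must be a single character")
        self.delimiter = delimiter
        self.fields = {}

    def field(self, num, type_of_data):
        """Equivalent of `field num type-of-data`; positions run from 1 to 64."""
        if not 1 <= num <= 64:
            raise ValueError("field position must be 1-64")
        if type_of_data not in FIELD_TYPES:
            raise ValueError(f"unknown field type {type_of_data!r}")
        self.fields[num] = type_of_data
        return self

    def parse_line(self, line):
        """Extract the configured fields from one CSV line into a dict."""
        columns = next(csv.reader([line], delimiter=self.delimiter))
        record = {}
        for position, kind in self.fields.items():
            if position > len(columns):
                raise ValueError(f"line has {len(columns)} fields, template needs {position}")
            record[kind] = columns[position - 1].strip()
        return record


def _is_netmask(value):
    """True for a contiguous IPv4 netmask such as 255.255.255.0."""
    try:
        bits = int(ipaddress.IPv4Address(value))
    except ValueError:
        return False
    inverted = ~bits & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def to_networks(ip_from, ip_to_mask):
    """Turn the ip-from / ip-to-mask pair into a list of IPv4 networks.

    Assumption (the guide does not say how the two cases are told apart):
    a contiguous netmask or a bare prefix length is a mask; anything else
    is the last address of the range, which may need several prefixes."""
    start = ipaddress.IPv4Address(ip_from)
    if ip_to_mask.isdigit() or _is_netmask(ip_to_mask):
        return [ipaddress.IPv4Network(f"{start}/{ip_to_mask}", strict=False)]
    end = ipaddress.IPv4Address(ip_to_mask)
    if end < start:
        raise ValueError("ip-to-mask address precedes ip-from")
    return list(ipaddress.summarize_address_range(start, end))


def load_geo_records(template, lines):
    """Apply the template to CSV lines; returns [(networks, attributes), ...]."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        rec = template.parse_line(line)
        if "ip-from" not in rec or "ip-to-mask" not in rec:
            raise ValueError("template must map both ip-from and ip-to-mask")
        nets = to_networks(rec.pop("ip-from"), rec.pop("ip-to-mask"))
        records.append((nets, rec))
    return records


# Same layout as the guide's "test1-tmplte": field 1 ip-from, 2 ip-to-mask,
# 5 continent, 3 country (fields 4 and 6+ are ignored).
TEST1_TEMPLATE = (CsvGeoTemplate(",").field(1, "ip-from").field(2, "ip-to-mask")
                  .field(5, "continent").field(3, "country"))

# Constructed sample lines using documentation address ranges; not real geo data.
SAMPLE_LINES = [
    "192.0.2.0,192.0.2.255,US,California,NA",
    "198.51.100.0,255.255.255.0,DE,Bavaria,EU",
    "203.0.113.0,203.0.113.127,JP,Tokyo,AS",
]

if __name__ == "__main__":
    for nets, attrs in load_geo_records(TEST1_TEMPLATE, SAMPLE_LINES):
        print([str(n) for n in nets], attrs)
```

Field 4 (a state name in the sample lines) is present in the file but not mapped by the template, so it is ignored, exactly as an unconfigured field position would be.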

gslb template snmp

Description Configure an SNMP template to query data for use by the BW-Cost metric.

Syntax [no] gslb template snmp template-name

no gslb template snmp all

Parameter Description

template-name Name of the template, 1-63 characters.

all Removes all SNMP templates from the configuration. The all option is valid only with the “no” form of the command shown above.

Note: To remove all CSV templates and SNMP templates, use the following command: no gslb template all

This command changes the CLI to the configuration level for the specified template, where the following commands are available.

(The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.)

Command Description

[no] auth-key string Specifies the authentication key. The key string can be 1-127 characters long. This command is applicable if the security level is auth-no-priv or auth-priv.


[no] auth-proto {sha | md5} Specifies the authentication protocol. This command is applicable if the security level is auth-no-priv or auth-priv.

[no] community community-string For SNMPv1 or v2c, specifies the community string required for authentication.

[no] context-engine-id id Specifies the ID of the SNMPv3 protocol engine running on the site AX device.

[no] context-name id Specifies an SNMPv3 collection of management information objects accessible by an SNMP entity.

[no] host ipaddr Specifies the IP address of the site AX device.

[no] interface id Specifies the SNMP interface ID.

[no] interval seconds Specifies the amount of time between each SNMP GET to the site AX devices. You can specify 1-999 seconds. The default is 3.

[no] oid oid-value Specifies the interface MIB object to query on the site AX device.

Note: If the object is part of a table, make sure to append the table index to the end of the OID. Otherwise, the AX device will return an error.

[no] port portnum Specifies the protocol port on which the site AX devices listen for the SNMP requests from the GSLB AX device. You can specify 1-65535. The default is 161.

[no] priv-key string Specifies the encryption key. The key string can be 1-127 characters long. This command is applicable only if the security level is auth-priv.

[no] priv-proto {aes | des} Specifies the privacy protocol used for encryption. This command is applicable only if the security level is auth-priv.


[no] security-engine-id id Specifies the ID of the SNMPv3 security engine running on the site AX device. For each command, the ID is a string 1-127 characters long.

[no] security-level {no-auth | auth-no-priv | auth-priv} Specifies the SNMPv3 security level:

no-auth – Authentication is not used and encryption (privacy) is not used. This is the default.

auth-no-priv – Authentication is used but encryption is not used.

auth-priv – Both authentication and encryption are used.

[no] username name Specifies the SNMPv3 username required for access to the SNMP agent on the site AX device.

[no] version {v1 | v2c | v3} Specifies the SNMP version running on the site AX device.

Default See above.

Mode Global configuration mode

Usage The community command applies only to SNMPv1 or v2c. Most of the other commands, with the exception of the version, interval, port, and interface commands, apply to SNMPv3.

You cannot delete an SNMP template if the template is in use by a site. To delete a template, first remove it from all site configurations that are using it.

Example The following commands configure a GSLB SNMP template for SNMPv2c:

AX(config)#gslb template snmp snmp-1

AX(config-gslb template snmp)#version v2c

AX(config-gslb template snmp)#host 192.168.214.124

AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12

AX(config-gslb template snmp)#community public

AX(config-gslb template snmp)#exit


Example The following commands configure a GSLB SNMP template for SNMPv3. In this example, authentication and encryption are both used.

AX(config)#gslb template snmp snmp-2

AX(config-gslb template snmp)#security-level auth-priv

AX(config-gslb template snmp)#host 192.168.214.124

AX(config-gslb template snmp)#username read

AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12

AX(config-gslb template snmp)#priv-proto des

AX(config-gslb template snmp)#auth-key 12345678

AX(config-gslb template snmp)#priv-key 12345678

gslb zone

Description Configure a GSLB zone, which identifies the top-level name for the services load balanced by GSLB.

Syntax [no] gslb zone zone-name

no gslb zone all

Note: DNSSEC is not supported for GSLB wildcard zones.

Parameter Description

zone-name Name of the zone, up to 127 alphanumeric characters, or * (wildcard character matching on all zone names).

You can use lower case characters and upper case characters. However, since Internet domain names are case-insensitive, the AX device internally converts all upper case characters in GSLB zone names to lower case.

all Removes all GSLB zones from the configuration. The all option is valid only with the “no” form of the command shown above.

This command changes the CLI to the configuration level for the specified zone, where the following zone-related commands are available:


Command Description

[no] disable Disables all services in the GSLB zone.

[no] dns-mx-record name priority Configures a DNS Mail Exchange (MX) record for the zone. The name is the fully-qualified domain name of the mail server for the zone.

If more than one MX record is configured for the same zone, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX with the lowest priority value has the highest priority and is tried first. The priority can be 0-65535. There is no default.

MX records configured on a zone are used only for services on which MX records are not configured.

Note: If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure Address records for the mail service.

[no] dns-ns-record domain-name Configures a DNS name server record for the specified domain.

[no] dns-soa-record [external] dns-server-name mailbox-name [expire seconds] [refresh seconds] [retry seconds] [serial num] [ttl seconds] Configures a DNS start of authority (SOA) record for the GSLB zone.

The external option causes the AX device to replace the internal SOA record with an external SOA record when a request is received from an external client. This prevents external clients from gaining access to internal information. The feature must also be enabled in the GSLB policy.


The refresh option specifies the number of seconds other DNS servers wait before requesting updated information for the GSLB zone. The retry option specifies how many seconds other DNS servers wait before resending a refresh request, if GSLB does not respond to the previous request. The expire option specifies how many seconds GSLB can remain unresponsive to a refresh request before the other DNS server stops responding to queries for the zone.

The serial option specifies the initial serial number of the SOA record. This number is automatically incremented each time a change occurs to any records in the zone file. You can specify a serial number from 0-2147483647. The default is based on the current system time on the GSLB AX device when you create the SOA record.

The ttl option specifies the number of seconds GSLB will cache and reuse negative replies (NXDOMAIN messages). A negative reply is an error message indicating that a requested domain does not exist.

Note: The ttl option is equivalent to the “minimum” option in BIND 9.

[no] policy policy-name Applies the specified GSLB policy to the zone.

You can specify “default” for the GSLB policy name, if you have not configured another policy and applied it to the zone. The GSLB policy applied to the zone is also applied to the services in that zone.

[no] service port [service-name] Adds a service to the zone. The port option specifies the service port and can be a well-known name recognized by the CLI or a port number from 1 to 65535. The service-name can be 1-31 alphanumeric characters or * (wildcard character matching on all service names).

For the same reason described for zone names, the AX device converts all upper case characters in GSLB service names to lower case.

This command changes the CLI to the configuration level for the service, where the following GSLB-related commands are available:


action action-type – Specifies the action to perform for DNS traffic:

drop – Drops DNS queries from the local DNS server.

reject – Rejects DNS queries from the local DNS server and returns the “Refused” message in replies.

forward {both | query | response} – Forwards requests or queries, as follows:

forward both – Forwards queries to the Authoritative DNS server, and forwards responses to the local DNS server.

forward query – Forwards queries to the Authoritative DNS server, but does not forward responses to the local DNS server.

forward response – Forwards responses to the local DNS server, but does not forward queries to the Authoritative DNS server.

Note: Use of the actions configured for services also must be enabled in the GSLB policy, using the dns action command at the configuration level for the policy. See “dns” on page 197.

disable – Disables all services in the GSLB zone.

dns-a-record {service-name | ip service-ipaddr} {as-backup | as-replace | no-resp | static | ttl num | weight num} – Configures a DNS Address (A) record for the service, for use with the DNS replace-ip option in the GSLB policy. (See “dns” on page 197.)

as-backup – This option is used to specify the backup servers in the dns-a-record within the GSLB zone. These are the servers that will be returned to the client if the primary servers fail and backup server mode is enabled.

as-replace – This option is used with the ip-replace option in the policy. When both options are set (as-replace here and ip-replace in the policy), the client receives only the IP address set here by service-ip.

no-resp – Prevents the IP address for this site from being included in DNS replies to clients.

static – This option is used with the dns server option in the policy. When both options are set (static here and dns server in the policy), the GSLB AX device acts as the DNS server for the IP address set here by service-ip.

ttl num – Assigns a TTL to the service, 0-2147483647. By default, the TTL of the zone is used. This option can be used with the dns server option in the policy, or with DNS proxy mode enabled in the policy.

weight num – Assigns a weight to the service. If the Weighted-IP metric is enabled in the policy and all metrics before Weighted-IP result in a tie, the service on the site with the highest weight is selected. The weight can be 1-100. By default, the weight is not set.

Note: The no-resp option is not valid with the static or as-replace option. If you use no-resp, you cannot use static or as-replace.

dns-cname-record alias [alias ...] [as-backup] [admin-preference num] [weight num] – Configures DNS Canonical Name (CNAME) records for the service.

as-backup – Specifies that the record is a backup record.

admin-preference num – Default is 100. Please contact A10 Networks for information.

weight num – Please contact A10 Networks for information.

dns-mx-record name priority – Configures a DNS Mail Exchange (MX) record for the service. The name is the fully-qualified domain name of the mail server for the service.


If more than one MX record is configured for the same service, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX record with the lowest priority number has the highest priority and is tried first. The priority can be 0-65535. There is no default.

Note: If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure A records for the mail service.

dns-ns-record domain-name [as-backup] – Configures a DNS name server record. The as-backup option specifies that the record is a backup record. To use the as-backup option, you also must use the dns backup-alias command in the policy. (See “dns” on page 197.)

dns-ptr-record domain-name – Configures a DNS pointer record.

dns-srv-record domain-name priority [port portnum] [weight num] – Configures a DNS service record.

The priority can be 0-65535. There is no default.

The port portnum specifies the protocol port to return to the client, and can be 0-65534. There is no default. If you do not specify the port, GSLB finds the port for the SRV record and sends it to the client. If you do specify the port, GSLB sends the specified port to the client.

The weight num specifies the weight and can be 0-65535. The default is 10.

dns-txt-record aaaa bbbb cccc – Enables use of DNS TXT resource records to carry multiple pieces of DNS TXT data within one TXT record.

Note: The AX device has a special handler that enables you to enter non-printable characters that the CLI does not support. For details, please contact A10 Support.


Note: This option also requires the dns server txt command at the configuration level for the GSLB policy.

geo-location location-name [...] {action action | alias url | policy policy-name} – Configures geo-location settings. The location must already be configured. (See “gslb geo-location” on page 156.)

action action – Specifies the action to perform for DNS traffic. The action options are the same as those for the action command described above.

alias url – Maps an alias configured with the alias option (see above) to the specified location for this service.

policy policy-name – Applies the specified GSLB policy to clients from the geo-location.

health-check {gateway | port portnum [...]} – Please contact A10 Networks for information.

admin-ip {service-name | service-ipaddr} [...] – Specifies the list of service IP addresses in the DNS reply.

policy policy-name – Applies the specified GSLB policy to the service.

no gslb service all Removes all services from the zone.

[no] template dnssec template-name Binds a DNSSEC template to the zone. (See “DNSSEC Support” on page 133.)

[no] ttl seconds Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy, for this zone. You can specify from 0 to 1000000000 (one billion) seconds. This TTL setting overrides the TTL setting in the GSLB policy. The default is 10.

The TTL of the DNS reply can be overridden in two different places in the GSLB configuration: (1) If a GSLB policy is assigned to the individual service, then the TTL from that policy is used. (2) If no policy is assigned to the individual service, but the TTL is set in the zone, then the zone’s TTL setting is used. (This is the level set by the ttl command shown earlier in this section.)

Default Default settings are described above, where applicable.

Mode Global configuration mode

Example The following example creates a zone named “ax-gslb-zone”:

AX(config)#gslb zone ax-gslb-zone
AX(config gslb-zone)#

Example The following example uses the wildcard character at the end of the gslb zone command. This has the result of identifying all GSLB zones so that the next line of the configuration creates a positive match on all DNS domains that have the prefix of “www”.

AX#configure

AX(config)#gslb zone *

AX(config-gslb zone)#service http www

Example The following commands create a default GSLB policy and then specify that a backup server at IP 192.168.123.1 will be returned to the client if the primary servers fail.

AX(config)#gslb policy default

AX(config-gslb policy)#dns backup-server

AX(config-gslb policy)#exit

AX(config)#gslb zone z1

AX(config-gslb zone)#service 80 http

AX(config-gslb zone-gslb service)#dns-a-record 192.168.123.1 as-backup

AX(config-gslb zone-gslb service)#exit

no gslb all

Description Delete all GSLB configuration commands.

Syntax no gslb all

Default N/A

Mode Global configuration mode


Usage If you only want to reset GSLB instead of removing the GSLB configuration, see “gslb system reset” on page 175.

The all option is also supported with the “no” forms of the GSLB configuration commands described in the other sections in this chapter. For syntax information, see the sections for the individual commands.

Policy Configuration Commands

The commands in this section configure GSLB policies. The CLI changes to this level when you enter the gslb policy policy-name command from the global Config level.

active-rdt

Description Configure the active-Round Delay Time (aRDT) metric.

aRDT measures the round-delay-time for a DNS query and reply between a site AX device and the GSLB local DNS.

Syntax [no] active-rdt [difference num] [fail-break] [ignore-id group-id] [keep-tracking] [limit ms] [samples num-samples] [single-shot] [skip count] [timeout seconds] [tolerance num-percentage]

Parameter Description

difference num Number from 0 to 16383 specifying the round-delay-time difference.

fail-break Enables GSLB to stop if the configured aRDT limit in a policy is reached. The fail-break action depends on whether the GSLB controller is running in server mode or proxy mode:

– Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.

– Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Note: To configure the aRDT limit, use the limit option (described below).

To configure GSLB to return a CNAME record as a backup, enable the backup-alias option using the dns backup-alias command at the configuration level for the policy. To configure the backup alias for a service within a zone, use the following command at the configuration level for the service: dns-cname-record alias-name as-backup

ignore-id group-id Excludes the IP addresses in the specified IP list from aRDT data collection. Specify an ID from 0-31. (To configure an IP list, see “gslb ip-list” on page 161.)

keep-tracking Continues tracking of aRDT for clients after the track time expires. By default, GSLB stops collecting aRDT samples for a client (stops tracking the client) after the time has exceeded the number of seconds specified by the global aRDT track setting.

limit ms Specifies the aRDT limit for the policy. This option is useful for applying site selection based on aRDT limits and geo-location. This option is required if you plan to use the DNS geoloc-policy option. You can specify 1-16383 ms.

To configure aRDT limit by geo-location:

1. Enable the active-rdt bind-geoloc option on each GSLB site.

2. Enable the dns geoloc-policy option in the default GSLB policy, and enable the active-rdt option in the policies for geo-locations. If applicable, configure the aRDT limit.

3. On the service within the zone, enable the geo-location option and specify the GSLB policy to use for that location.

samples num-samples Number from 1 to 8 specifying the number of samples to collect.


single-shot Collects a single sample only.

skip count When single-shot is configured, this option determines the number of site AX devices that can exceed their single-shot timeouts without the aRDT metric itself being skipped by the GSLB AX device during site selection. You can skip from 1-31 sites.

timeout seconds When single-shot is configured, this option determines the number of seconds each site AX device should wait for the DNS reply. If the reply does not arrive within the specified timeout, the site becomes ineligible for selection, in cases where selection is based on the aRDT metric. You can specify 1-255 seconds.

tolerance num-percentage Specifies how much the aRDT values must differ in order for GSLB to prefer one geo-location or site over another based on aRDT.

Default Disabled. When you enable the aRDT metric, it has the following default settings:

• difference – 0

• fail-break – disabled

• ignore-id – not set

• keep-tracking – disabled

• limit – 16383 ms

• samples – 5

• single-shot – Disabled. Multiple samples are taken at regular intervals.

• skip – 3

• timeout – 3 seconds

• tolerance – 10 percent.

Mode GSLB Policy

Usage This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices.


Example The following command enables the aRDT metric:

AX(config gslb-policy)#active-rdt
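The following Python model is an added example, not ACOS code and not the device's published algorithm: it applies the limit, tolerance, single-shot, timeout, skip and fail-break rules described above to a constructed set of per-site RTT samples, so that the interaction between them can be seen before a policy is deployed. Two details the page does not specify are assumptions: a site's aRDT is taken as the mean of its usable samples, and a site whose aRDT exceeds the limit is treated as ineligible.

```python
"""Model of the active-rdt (aRDT) selection rules described above.

Added example for this guide; it is not ACOS code. Sample RTTs are
constructed. Assumptions: a site's aRDT is the mean of its usable
samples, and a site whose aRDT exceeds `limit_ms` is ineligible.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ARDTPolicy:
    """Options of the active-rdt command, with the defaults listed above."""
    limit_ms: int = 16383
    tolerance_pct: int = 10
    samples: int = 5
    single_shot: bool = False
    skip: int = 3          # sites allowed to time out before the metric is skipped
    timeout_s: int = 3     # single-shot wait; a None sample below models a timeout
    fail_break: bool = False


class FailBreak(Exception):
    """No site is eligible and fail-break is set: in server mode the controller
    answers SERVFAIL unless a backup-alias is configured."""


def site_rdt(samples: List[Optional[float]], policy: ARDTPolicy) -> Optional[float]:
    """aRDT of one site from its probe results in ms; None = no usable value."""
    if policy.single_shot:
        # Only one probe is sent; None means no reply within `timeout_s`.
        return samples[0] if samples and samples[0] is not None else None
    usable = [s for s in samples[-policy.samples:] if s is not None]
    if not usable:
        return None
    return sum(usable) / len(usable)   # assumption: mean of the last N samples


def select_by_ardt(sites: Dict[str, List[Optional[float]]], policy: ARDTPolicy) -> List[str]:
    """Sites that survive the aRDT metric, best first.

    `sites` maps a site name to its RTT samples in ms (None = probe timed out).
    Sites within `tolerance_pct` of the best value are all returned, in RTT
    order, so the next metric in the policy can break the tie.
    """
    measured = {name: site_rdt(s, policy) for name, s in sites.items()}
    timed_out = [name for name, v in measured.items() if v is None]
    if policy.single_shot and len(timed_out) > policy.skip:
        # More sites timed out than `skip` allows: the whole metric is
        # skipped and every site passes to the next metric unchanged.
        return list(sites)
    eligible = {n: v for n, v in measured.items()
                if v is not None and v <= policy.limit_ms}
    if not eligible:
        if policy.fail_break:
            raise FailBreak("no site within the aRDT limit")
        return list(sites)            # the metric expresses no preference
    best = min(eligible.values())
    window = best * (1 + policy.tolerance_pct / 100)
    return sorted((n for n, v in eligible.items() if v <= window),
                  key=eligible.__getitem__)


if __name__ == "__main__":
    probes = {"sjc": [40, 42, 41, 39, 40], "nyc": [43, 44, 42, 45, 44],
              "lon": [120, 118, 125, 121, 119]}      # constructed samples
    print(select_by_ardt(probes, ARDTPolicy()))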

active-servers

Description Configure the Active-Servers metric, which prefers the VIP with the highest number of active servers.

Active-servers is a measure of the number of active real servers bound to a virtual port residing on a GSLB site.

Syntax [no] active-servers [fail-break]

Parameter Description

fail-break Enables GSLB to stop if the number of active servers for all services is 0. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:

– Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.

– Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default Disabled

Mode GSLB Policy

Usage Use this command to eliminate inactive real servers from being eligible for selection.

Example The following command enables the Active-Servers metric:

AX(config gslb-policy)#active-servers


admin-ip

Description Allows you to assign administrative weights to IP addresses.

Syntax [no] admin-ip [top-only]

Parameter Description

top-only Returns only the first (top) IP address in the IP list. This option overrides the default behavior, in which GSLB sends all IP addresses to the requesting client after those addresses have been vetted according to the metrics in the policy.

Default Disabled

Mode GSLB Policy

Usage The prioritized list is sent to the next metric for further evaluation. If admin-ip is the last metric, the prioritized list is sent to the client. To configure the ordered list of IP addresses for a service, use the ip-order command at the service configuration level for the GSLB zone. See “gslb zone” on page 180.

admin-preference

Description Enable or disable the Admin-Preference metric, which prefers the site whose SLB device has the highest administratively set weight.

Syntax [no] admin-preference

Default Disabled

Mode GSLB Policy

Usage To set the GSLB Admin-Preference value for a site, use the admin-preference command at the configuration level for the SLB device within the site. (See “gslb site” on page 168.)

Example The following command enables the Admin-Preference metric:

AX(config gslb-policy)#admin-preference


alias-admin-preference

Description Enable or disable the Alias Admin Preference metric, which selects the DNS CNAME record with the highest administratively set preference. This metric is similar to the Admin Preference metric, but applies only to DNS CNAME records.

Syntax [no] alias-admin-preference

Default Disabled

Mode GSLB Policy

Usage Metric order does not apply to this metric. When enabled, this metric always has high priority.

To configure the Alias Admin Preference metric:

1. At the configuration level for the GSLB service, use the admin-preference preference command to assign an administrative preference to the DNS CNAME record for the service. (See “gslb service-ip” on page 166.)

2. At the configuration level for the GSLB policy:

• Use the alias-admin-preference command to enable the Alias Admin Preference metric.

• Enable one or both of the following DNS options, as applicable to your deployment:

• DNS backup-alias

• DNS geoloc-alias

(See “dns” on page 197.)

3. If using the backup-alias option, use the dns-cname-record as-backup option on the service. (See “gslb service-ip” on page 166.)

bw-cost

Description Configure the BW-Cost metric. This mechanism queries the bandwidth utilization of each site, and selects the site(s) whose bandwidth utilization has not exceeded a configured threshold during the most recent query interval.

Syntax [no] bw-cost [fail-break]


Parameter Description

fail-break Enables GSLB to stop if the current BW-Cost value is over the limit. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:

– Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.

– Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default Disabled

Mode GSLB Policy

Example The following command enables the BW-Cost metric:

AX(config gslb-policy)#bw-cost

capacity

Description Configure the TCP/UDP Session-Capacity metric. This mechanism provides a way to shift load away from a site before the site becomes congested.

Example:

Site A’s maximum session capacity is 800,000 and Site B’s maximum session capacity is 500,000. If the Session-Capacity threshold is set to 90, then for Site A the capacity threshold is 90% of 800,000, which is 720,000. Likewise, the capacity threshold for Site B is 90% of 500,000, which is 450,000.

Syntax [no] capacity [threshold num-percentage] [fail-break]

Parameter Description

threshold num-percentage Number from 0 to 100 specifying the maximum percentage of a site AX Series session table that can be used. If the session table utilization is greater than the specified percentage, the GSLB AX Series prefers other sites over this site.


fail-break Enables GSLB to stop if the session utilization on all site SLB devices is over the threshold. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:

– Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.

– Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default Disabled. When you enable the capacity metric, the default threshold is 90 percent.

Mode GSLB Policy

Usage This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices.

Example The following command enables the capacity metric at the default value of 90% utilization of TCP/UDP session capacity:

AX(config gslb-policy)#capacity

connection-load

Description Configure the Connection-Load metric, which prefers sites that have not exceeded their thresholds for new connections.

Syntax [no] connection-load [limit number-of-connections] | [samples number-of-samples interval seconds] [fail-break]

Parameter Description

limit number-of-connections Number that specifies the maximum average number of new connections per second the site AX Series can have. You can specify from 1 to 999999999 (999,999,999).


samples number-of-samples interval seconds Number of samples for the SLB device (the site AX Series) to collect, and the number of seconds between each sample. You can specify 1-8 samples and an interval of 1-60 seconds.

fail-break Enables GSLB to stop if the connection load for all sites is over the limit. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:

– Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.

– Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default Disabled. When you enable the Connection-Load metric, the default limit is not set (unlimited). The default number of samples is 5, and the default interval is 5 seconds.

Mode GSLB Policy

Usage This command applies only to GSLB selection of a site. The command does not affect the number of connections the site AX Series itself allows.

This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices.

Example The following command sets the connection load limit to 1000 new connections:

AX(config gslb-policy)#connection-load limit 1000


dns

Description Configure DNS parameters for the policy.

Syntax [no] dns {action | active-only [fail-safe] | addition-mx | auto-map | backup-alias | backup-server | cache [aging-time {seconds | ttl}] | cname-detect | delegation | external-ip | external-soa | geoloc-action | geoloc-alias | geoloc-policy | hint | ip-replace | ipv6 options | logging {both | query | response | none} | proxy block option | selected-only [num] |
    server [addition-mx] [any] [authoritative options] [mx] [ns [auto-ns]] [ptr [auto-ptr]] [srv] [txt] |
    sticky [network-mask | /prefix-length] [aging-time minutes] [ipv6-mask mask-length] |
    ttl num}


Parameter Description

action Enable GSLB to perform the DNS actions specified in the service configurations.

Note: To configure the DNS action for a service, use the action action-type command at the configuration level for the service. See “gslb zone” on page 180.

active-only [fail-safe] Removes IP addresses from DNS replies when those addresses fail health checks.

Note: If none of the IP addresses in the DNS reply pass the health check, the GSLB AX Series does not use this metric, since it would result in an empty IP address list.

The fail-safe option returns a list of server IP addresses for failed servers to the client. Without this option, IP addresses of failed servers are omitted from the reply.

addition-mx Appends MX records in the Additional section in replies for A records, when the device is configured for DNS proxy or cache mode.

auto-map Enables creation of A and AAAA records for IP resources configured on the AX device. For example, this option is useful for auto-mapping VIP addresses to service-IP addresses. (See “Auto-mapping” on page 73.)

backup-alias Returns the alias CNAME record configured for the service, if GSLB does not receive an answer to a query for the service and no active DNS server exists. This option is valid in server mode or proxy mode.

To configure the backup alias for a service within a zone, use the following command at the configuration level for the service: dns-cname-record alias-name as-backup

backup-server Designates one or more backup servers that can be returned to the client if the primaries should fail.

cache [aging-time seconds | ttl] Enables the GSLB AX device to cache DNS replies. The AX device uses information in the cached DNS entries to reply to subsequent client requests, as opposed to sending a new DNS request for every client query.

By default, the AX device caches a DNS reply for the duration of the TTL in the reply. You can override the entry TTL by setting the cache aging time. You can specify 1-1,000,000,000 seconds (nearly 32 years). Do not type commas when you enter the number.

If you change the aging time but later decide to restore it to its default value, use the ttl option instead of seconds.

cname-detect Applies the zone and service policy to the CNAME record, rather than to the address record, when a query is answered by a CNAME. If this option is disabled, CNAME responses are not examined and pass through unchanged.

delegation Enables sub-zone delegation. The feature allows you to delegate authority or responsibility for a portion of the DNS namespace from the parent domain to a separate sub-domain, which may reside on one or more remote servers and may be managed by someone other than the network administrator who is responsible for the parent zone. (For more information, see “DNS Sub-zone Delegation” on page 85.)

external-ip Returns the external IP address configured for a service IP. If this option is disabled, the internal address is returned instead.

The external IP address must be configured on the service IP. (Use the external-ip command at the configuration level for the service IP.)

external-soa Replaces the internal SOA record with an external SOA record, to prevent external clients from obtaining information that should be available only to internal clients. If this option is disabled, the internal SOA record is returned instead.

The external SOA record must be configured in the GSLB zone. (Use the external-soa record command at the gslb zone configuration level.)

geoloc-action Performs the DNS traffic handling action specified for the client’s geo-location. The action is specified as part of service configuration in a zone.


Note: To configure the DNS action for a service, use the geo-location location-name action-type command at the configuration level for the service. See “gslb zone” on page 180.

geoloc-alias Returns the alias name configured for the client’s geo-location. (This option does the same thing as the alias-geoloc option, which is deprecated in AX Release 2.0.)

geoloc-policy Uses the GSLB policy assigned to the client’s geo-location.

hint {addition | answer | none} Enables hints, which appear in the Additional Section of the DNS response. Hints are A or AAAA records that are sent in the response to a client’s DNS request. These records provide a mapping between the host names and IP addresses.

addition – Appends hints in the Additional Section (default).

answer – Appends hints in the Answer Section.

none – Does not append hints in the DNS response.

The hint option applies to the following record types: NS, MX, and SRV.

ip-replace Replaces the IP addresses in the DNS reply with the service IP addresses configured for the service. (To configure the service IP addresses, use the service-ip command at the configuration level for the service. See “gslb zone” on page 180.)

ipv6 options Enables support for IPv6 AAAA records. The following options are supported:

mapping {addition | answer | exclusive | replace} – Specifies the actions in response to an IPv6 DNS query. You can enable one or more of these options.

addition – Append AAAA records in the DNS Addition section of replies.

answer – Append AAAA records in the DNS Answer section of replies.

exclusive – Replace A records (IPv4 address records) with AAAA records.

replace – Reply with AAAA records only.

Note: The current release has the following limitations:

• Health checks and the GSLB protocol use IPv4 only.

• IP address-related metrics such as aRDT are always based on IPv4.

• Virtual servers for GSLB service IPs are required to have both an IPv4 and an IPv6 address.

mix – Enables GSLB to return both AAAA and A records in the same answer.

smart – Enables IPv6 return by query type. For the IPv4-IPv6 mapping records, an A query (IPv4) will return an A record and an AAAA query (IPv6) will return an AAAA record.

logging options Configures DNS logging.

The both | none | query | response option specifies the types of messages to log.

To restrict logging to a specific geo-location or IP address, use one of the following options:

proxy block options Blocks DNS queries from being sent to an internal DNS server. The AX device must be in GSLB proxy mode for the feature to work. The options can be one or more of the following:

a

aaaa

ns

mx

srv

cname


ptr

soa

txt

num query-type

range {start-query-type end-query-type}

action [drop | reject]

(For more information, see “DNS Proxy Block”on page 91.)

selected-only [num] Enables return of only the selected IP addresses. You can specify that 1-128 records be returned after selection occurs. If the number is greater than the number of selected records, GSLB ignores this setting.

server [options] Enables the GSLB AX device to act as a DNS server, for specific service IPs in the GSLB zone. When you enable the server option, the GSLB AX directly responds to Address queries for specific service IP addresses in the GSLB zone. The AX device still forwards other types of queries to the DNS server.

If you use the server option, you do not need to use the cname-detect option. When a client requests a configured alias name, GSLB applies the policy to the CNAME records.

To place the server option into effect, you also must enable the static option on the individual service IP. (To configure the service IP addresses, use the service-ip command at the configuration level for the service. See “gslb zone” on page 180.)

addition-mx – Enables the GSLB AX device to provide the A record containing the mail server’s IP address in the Additional section, when the device is configured for DNS server mode.

any – Enables the GSLB AX device to provide all resource records that are available, when the AX device is configured for DNS server mode. When a client issues a type “ANY” request (which is actually a pseudo resource record that is expressed by the wildcard code “*”), the AX device includes all RR information it has available. Because such a reply carries every record the device holds for the name, it is much larger than the query that produced it; on a zone reachable from the Internet, weigh that amplification before enabling this option.

authoritative [options] – Makes the AX device the authoritative DNS server for the GSLB zone, for the service IPs in which you enable the static option. (See below.) If you omit the authoritative option, the AX device is a non-authoritative DNS server for the zone domain.

addition-mx – This option appends the MX record in the Addition section, when the device is configured for DNS server mode.

any – Provides all records.

full-list – The full-list option appends all A records in the Authoritative section of DNS replies.

ns-list – This option appends all Name Server (NS) Resource Records (RR) in the Authority section of DNS replies.

mx – Provides the MX record in the Answer section, and the A record for the mail server in the Additional section, when the device is configured for DNS server mode.

ns [auto-ns] – Provides the name server record. The auto-ns option causes the policy to provide A records for NS records automatically.

ptr [auto-ptr] – Provides the pointer record. The auto-ptr option causes the policy to provide pointer records automatically.

srv – Provides the service record.

txt – Provides the TXT record. TXT resource records can be used to carry multiple pieces of text data within a single record.

Note: The server option is not valid with the ip-replace option. They are mutually exclusive.


sticky [network-mask | /prefix-length] [aging-time minutes] [ipv6-mask mask-length] Sends the same service IP address to a client for all requests from that client for the service address. Sticky DNS ensures that, during the aging-time, a client is always directed to the same site.

/prefix-length – Adjusts the granularity of the feature. The default prefix length is 32, which causes the AX device to maintain separate stickiness information for each local DNS server. For example, if two clients use DNS 10.10.10.25 as their local DNS server, and two other clients use DNS 10.20.20.99 as their local DNS server, the AX maintains separate stickiness information for each set of clients, by maintaining separate stickiness information for each of the local DNS servers.

aging-time minutes – Specifies how many minutes a DNS reply remains sticky. You can specify 1-65535 minutes.

ipv6-mask mask-length – Adjusts the granularity of the feature for IPv6. The default mask length is 128.

Note: If you enable the sticky option, the sticky time must be as long as or longer than the zone TTL. (Use the ttl command at the configuration level for the zone. See “gslb zone” on page 180.)
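The following Python model is an added example, not ACOS code: it shows what the prefix-length and ipv6-mask options actually key stickiness on, how an entry ages out, and the TTL check from the note above. The point a practitioner should take from it is that the key is the source of the DNS query, which is the client's local DNS server rather than the end host, so every host behind one resolver (or, with a shorter prefix, behind one block of resolvers) is pinned to the same site together. Addresses, timings and the site list are constructed.

```python
"""Model of dns sticky: which query sources share one entry, and when it ages out.

Added example for this guide, not ACOS code. Addresses and timings are
constructed. Stickiness is keyed on the source of the DNS query (the
client's local DNS server), folded into /prefix-length for IPv4 and
ipv6-mask for IPv6.
"""
import ipaddress
from typing import Callable, Dict, Tuple


def sticky_key(query_source: str, prefix_length: int = 32, ipv6_mask: int = 128) -> str:
    """Network the query source is folded into; one sticky entry per key."""
    addr = ipaddress.ip_address(query_source)
    plen = prefix_length if addr.version == 4 else ipv6_mask
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def sticky_time_ok(aging_minutes: int, zone_ttl_seconds: int) -> bool:
    """The note above: the sticky time must be at least the zone TTL, or a
    resolver re-queries after TTL expiry and can be sent to another site."""
    return aging_minutes * 60 >= zone_ttl_seconds


class StickyTable:
    """Maps a (masked) query source to the service IP it was last given."""

    def __init__(self, aging_minutes: int = 5, prefix_length: int = 32, ipv6_mask: int = 128):
        self.aging_s = aging_minutes * 60          # default aging time is 5 minutes
        self.prefix_length = prefix_length
        self.ipv6_mask = ipv6_mask
        self.entries: Dict[str, Tuple[str, float]] = {}   # key -> (service IP, expiry)

    def resolve(self, query_source: str, now: float, choose: Callable[[], str]) -> str:
        """Return the live sticky answer, or run the policy (`choose`) and
        remember its result for `aging_s` seconds."""
        key = sticky_key(query_source, self.prefix_length, self.ipv6_mask)
        hit = self.entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]
        answer = choose()
        self.entries[key] = (answer, now + self.aging_s)
        return answer


if __name__ == "__main__":
    # Constructed: two resolvers, round-robin between two service IPs.
    sites = ["20.20.20.100", "20.20.20.102"]
    picks = []
    table = StickyTable(aging_minutes=5)
    pick = lambda: sites[len(picks) % 2] if not picks.append(1) else None
    print(table.resolve("10.10.10.25", now=0, choose=pick))
    print(table.resolve("10.10.10.25", now=120, choose=pick))   # same answer
    print(table.resolve("10.20.20.99", now=120, choose=pick))   # other resolver
    print(table.resolve("10.10.10.25", now=400, choose=pick))   # entry aged out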

ttl num Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy. You can specify 0-1000000 (1,000,000) seconds.

Default This command has the following defaults:

• action – disabled

• active-only – disabled; when you enable this option, fail-safe is disabled by default

• addition-mx – disabled

• auto-map – disabled


• backup-alias – disabled

• backup-server – disabled

• cache – disabled; when you enable this option, the default aging time for a cached DNS reply is the TTL set by the DNS server in the reply

• cname-detect – enabled

• delegation – disabled

• external-ip – enabled

• geoloc-action – disabled

• geoloc-alias – disabled

• geoloc-policy – disabled

• hint – enabled for addition option

• ip-replace – disabled

• ipv6 – all options disabled

• logging – disabled

• proxy – disabled

• selected-only – disabled

• server – disabled

• sticky – disabled; when you enable this option, the default prefix is /32, the default aging time is 5 minutes, and the default IPv6 mask length is 128.

• ttl – 10 seconds

Mode GSLB Policy

Usage If more than one of the following options are enabled, GSLB uses them in the order listed, beginning with sticky:

1. sticky

2. server

3. cache

4. proxy (The command does not have a separately configurable “proxy” option. The proxy option is automatically enabled when you configure the DNS proxy.)


The site address selected by the first option that is applicable to the client and requested service is used.

Example The following command enables CNAME detection:

AX(config gslb-policy)#dns cname-detect

Example The following configuration excerpt uses the ipv6 mix option to enable mixing of IPv4 and IPv6 service-ip addresses in DNS answers. Both A and AAAA records will be included in replies to either A or AAAA requests from clients.

gslb service-ip ip1 20.20.20.100
 port 80 tcp
gslb service-ip ip2 20.20.20.102
 port 80 tcp
gslb service-ip ipv61 fe80::1
 port 80 tcp
gslb service-ip ipv62 fe80::2
 port 80 tcp
gslb service-ip ipv63 fe80::3
 port 80 tcp
gslb policy p8
 dns ipv6 mix
 dns server
gslb zone a8.com
 policy p8
 service http www
  dns-a-record ip2 static
  dns-a-record ip1 static
  dns-a-record ipv61 static
  dns-a-record ipv62 static
  dns-a-record ipv63 static

Example The following configuration excerpt uses the ipv6 smart option. For IPv4-IPv6 mapping records, an A query will be answered by an A record and an AAAA query will be answered by an AAAA record. More specifically, if a client sends an A query, GSLB returns A records in the answer section, and AAAA records in the additional section. If a client sends an AAAA query, GSLB returns AAAA records in the answer section, and A records in the additional section.

gslb service-ip ip1 20.20.20.100 ipv6 ffff::1
 port 80 tcp
gslb service-ip ip2 20.20.20.102 ipv6 ffff::2
 port 80 tcp
gslb policy p8
 dns ipv6 mapping addition
 dns ipv6 smart
 dns server
gslb zone a8.com
 policy p8
 service http www
  dns-a-record ip2 static
  dns-a-record ip1 static

dnssec key-generate

Description Generate the DNSSEC keyset.

Syntax [no] dnssec key-generate name algorithm [RSASHA1 | RSASHA256 | RSASHA512 | NSEC3RSASHA1] keysize num

Parameter Description

name Name of the DNSSEC keyset.

algorithm Specify which RSA SHA algorithm is used to generate the DNSSEC key pair (ZSK and KSK):

RSASHA1

RSASHA256

RSASHA512

NSEC3RSASHA1

Note: Selecting one of the first three algorithms (RSASHA1, RSASHA256, or RSASHA512) will cause the standard NSEC resource record to be generated for the zone. However, selecting the fourth algorithm option (NSEC3RSASHA1) causes the NSEC3/NSEC3PARAM record to be generated for the zone, which is helpful in mitigating the threat posed by zone walking.

keysize num Number of bits in the DNSSEC key. You can specify 512-4096 bits, in multiples of 64 bits. The default value is 1024 bits.

Default N/A

Mode Global config
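The note above says NSEC3 mitigates zone walking without showing why. The following Python example, added here and not part of the guide or of ACOS, builds both denial-of-existence chains for a constructed five-name zone: an NSEC chain, which an attacker walks name by name from the apex, and an NSEC3 chain computed per RFC 5155 section 5 (SHA-1 over the wire-format name with a salt, iterated), whose owner names are hashes that reveal nothing without a guessed name to hash. It does not sign anything and does not model the AX device's key handling.

```python
"""Why NSEC3RSASHA1 mitigates zone walking: NSEC versus NSEC3 chains.

Added example for this guide, not ACOS code; it builds only the
denial-of-existence chains and signs nothing. Zone names are constructed.
The NSEC3 hash follows RFC 5155 section 5 (SHA-1, salt, iterations, base32hex).
"""
import base64
import hashlib
from typing import Dict, List

# base32 standard alphabet -> the extended-hex alphabet RFC 5155 uses
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789abcdefghijklmnopqrstuv")


def canonical_wire(name: str) -> bytes:
    """Lower-cased wire-format name (RFC 4034 canonical form)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def canonical_order_key(name: str):
    """RFC 4034 canonical ordering: compare labels from the right."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def nsec_chain(names: List[str]) -> Dict[str, str]:
    """NSEC: each owner name points to the next owner name in canonical order;
    the last one wraps to the apex. The owner names are the real names."""
    ordered = sorted({n.lower().rstrip(".") for n in names}, key=canonical_order_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def walk_nsec(chain: Dict[str, str], apex: str) -> List[str]:
    """Zone walking: follow the 'next' pointers from the apex until they wrap.
    Every name in the zone is recovered from the public NSEC records alone."""
    found, cur = [], apex
    while True:
        found.append(cur)
        cur = chain[cur]
        if cur == apex:
            return found


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155: SHA1(wire(name) || salt), then `iterations` more rounds of
    SHA1(previous || salt), rendered in base32hex (32 chars for SHA-1)."""
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)


def nsec3_chain(names: List[str], salt: bytes, iterations: int) -> Dict[str, str]:
    """NSEC3: the chain runs over hashed owner names, so walking it yields
    only hashes; recovering a name means guessing it and hashing the guess."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in set(names))
    return {hashed[i]: hashed[(i + 1) % len(hashed)] for i in range(len(hashed))}


ZONE = ["example", "a.example", "ai.example", "ns1.example", "www.example"]  # constructed

if __name__ == "__main__":
    print(walk_nsec(nsec_chain(ZONE), "example"))            # every name, in order
    print(nsec3_chain(ZONE, bytes.fromhex("aabbccdd"), 12))  # hashes only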

export dnssec-dnskey

Description Export the DS keyset from the child zone to the parent zone.

Syntax [no] export dnssec-dnskey authoritative-zone-name [use-mgmt-port] url

Parameter Description

authoritative-zone-name Authoritative zone name of the dnskey.

use-mgmt-port Uses the management interface as the source interface for the connection to the remote device.

url File transfer protocol, username (if required), and directory path.

You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. The password can be up to 255 characters long.

To enter the entire URL:

tftp://host/file

ftp://[user@]host[:port]/file

scp://[user@]host/file

rcp://[user@]host/file

http://[user@]host/file

https://[user@]host/file

sftp://[user@]host/file

Default N/A


Mode Global config

Usage When using the CLI commands to import/export a DS/DNSKEY record to/from a parent/child zone, it is not necessary to list the AX device’s internal file name for the resource record. Instead, you can simply include the name of the DNS zone from which you will be importing or exporting the file.

geo-location

Description Configure a geographic location. GSLB forwards client requests from IP addresses within the location’s range to the GSLB site that serves the location.

Syntax [no] geo-location location-name start-ip-addr [mask ip-mask | end-ip-addr]

Parameter Description

location-name Name of the location, up to 127 alphanumeric characters.

start-ip-addr Beginning IP address for the range.

mask ip-mask Network mask.

end-ip-addr Ending IP address for the range.

Default None.

Mode GSLB Policy

Usage To prefer the location configured with this command over a globally configured location, use the gslb policy geo-location match-first policy command. (See “geo-location match-first” on page 209.)

Example The following example configures geographic location “CN.BeiJing” for IP address range 200.1.1.1 through 200.1.1.253:

AX(config gslb-policy)#geo-location CN.BeiJing 200.1.1.1 200.1.1.253

geo-location match-first

Description Configure the policy to prefer either the globally configured geo-location or the one configured in this policy. If a client IP address matches the IP ranges in a globally configured location and in a location configured in this policy, the geo-location match-first command specifies which matching geo-location to use.


Syntax [no] geo-location match-first {global | policy}

Parameter Description

global GSLB prefers globally configured locations over locations configured in this policy.

policy GSLB prefers locations configured in this policy over globally configured locations.

Default global

Mode GSLB Policy

Example The following command configures the GSLB AX Series to prefer locations configured in this policy:

AX(config gslb-policy)#geo-location match-first policy

geo-location overlap

Description Enable overlap matching mode. If there are overlapping addresses in the geo-location database, use this option to enable the AX device to find the most precise match.

Syntax [no] geo-location overlap [global | policy]

Parameter Description

global GSLB prefers globally configured locations over locations configured in this policy.

policy GSLB prefers locations configured in this policy over globally configured locations.

Default Disabled

Mode GSLB Policy

Usage If you suspect a public IP address in your domain is not unique and the same IP address may be associated with different hosts, you can enable the geo-location overlap option. This causes the AX device to search the geo-location database for the best match (the longest matching IP address range). Otherwise, the AX device uses its default behavior, which is to scan the specified geo-location database using the “match first” algorithm, which uses the first IP address-region mapping discovered. (See “Geo-location Overlap” on page 57.)
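The difference between the default “match first” scan and overlap (longest-match) lookup, together with the global/policy preference, as an added Python model that is not code from this guide or from A10. The parse_geo_location helper, the sample database (built from the nested ranges in the show gslb geo-location example), and the rule that the scope preference only breaks ties under overlap are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class GeoEntry:
    """One geo-location mapping, as configured with 'geo-location NAME START mask /N'."""
    name: str
    network: ipaddress.IPv4Network
    scope: str  # "global" (gslb geo-location) or "policy" (geo-location inside a GSLB policy)


def parse_geo_location(line: str, scope: str) -> GeoEntry:
    """Parse a 'geo-location NAME START mask /N' CLI line (hypothetical helper, not a device API)."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "geo-location" or parts[3] != "mask":
        raise ValueError(f"unsupported geo-location syntax: {line!r}")
    return GeoEntry(parts[1], ipaddress.ip_network(parts[2] + parts[4], strict=True), scope)


# Constructed database, in configuration order: a global /16, a policy-level /24
# nested inside it, and a global /24 also nested inside it. The nested ranges are
# exactly the overlap situation the geo-location overlap command addresses.
SAMPLE_DB: List[GeoEntry] = [
    parse_geo_location("geo-location pc 10.1.0.0 mask /16", "global"),
    parse_geo_location("geo-location pc.office 10.1.1.0 mask /24", "policy"),
    parse_geo_location("geo-location pc.lab 10.1.2.0 mask /24", "global"),
]


def lookup(db: List[GeoEntry], client_ip: str, overlap: bool = False,
           prefer: str = "global") -> Optional[str]:
    """Return the geo-location name selected for client_ip, or None if nothing matches.

    overlap=False models the default "match first" scan: the first containing
    range in configuration order, with `prefer` (global | policy, the
    geo-location match-first setting) deciding when both scopes contain the
    address.  overlap=True models 'geo-location overlap': the longest matching
    prefix wins, and `prefer` is only consulted to break ties between
    equal-length prefixes (an assumption of this model).
    """
    ip = ipaddress.ip_address(client_ip)
    matches = [e for e in db if ip in e.network]
    if not matches:
        return None
    if overlap:
        longest = max(e.network.prefixlen for e in matches)
        matches = [e for e in matches if e.network.prefixlen == longest]
    preferred = [e for e in matches if e.scope == prefer]
    return (preferred or matches)[0].name


if __name__ == "__main__":
    for client in ("10.1.1.7", "10.1.2.5", "192.0.2.1"):
        print(client,
              "match-first/global:", lookup(SAMPLE_DB, client),
              "match-first/policy:", lookup(SAMPLE_DB, client, prefer="policy"),
              "overlap:", lookup(SAMPLE_DB, client, overlap=True))
```

With match-first, 10.1.2.5 resolves to the coarse "pc" entry because it is found first; only overlap mode reaches the more precise "pc.lab".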


geographic

Description Enable or disable the Geographic metric. The Geographic metric prefers sites that are within the geographic location of the client.

Syntax [no] geographic

Default Enabled

Mode GSLB Policy

Usage You must configure the geographic location by configuring a geo-location name, then assigning the geo-location to a GSLB site. To configure a geo-location, assign a client IP address range to a location name. (See “gslb geo-location” on page 156 and “geo-location” on page 209.) To assign the geo-location to a site, use the geo-location command at the site configuration level. (See “gslb site” on page 168.)

Example The following command disables the Geographic metric:

AX(config gslb-policy)#no geographic

health-check

Description Enable or disable the Health-Check metric. The Health-Check metric pre-fers sites that pass their health checks.

Syntax [no] health-check

Default Enabled

Mode GSLB Policy

Usage This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices, if the default health checks are used on the service IPs.

If you use a custom health monitor, or you explicitly apply the default Layer 3 health monitor to the service, the GSLB protocol is not used for any of the health checks. In this case, the GSLB protocol is not required to be enabled on the site AX devices, although use of the protocol is still recommended.

Example The following command disables the Health-Check metric:

AX(config gslb-policy)#no health-check


import dnssec-dnskey

Description Import the DNSKEY keyset from the child zone to the parent zone.

Syntax [no] import dnssec-dnskey authoritative-zone-name [use-mgmt-port] url

Parameter Description

authoritative-zone-name Authoritative zone name of the dnskey.

use-mgmt-port Uses the management interface as the source interface for the connection to the remote device.

url File transfer protocol, username (if required), and directory path.

You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. The password can be up to 255 characters long.

To enter the entire URL:

tftp://host/file

ftp://[user@]host[:port]/file

scp://[user@]host/file

rcp://[user@]host/file

http://[user@]host/file

https://[user@]host/file

sftp://[user@]host/file

Default N/A

Mode Global config

Usage When using the CLI commands to import/export a DS/DNSKEY record to/from a parent/child zone, it is not necessary to list the AX device’s internal file name for the resource record. Instead, you can simply include the name of the DNS zone from which you will be importing or exporting the file.


import dnssec-ds

Description Import the DS keyset from the child zone to the parent zone.

Syntax [no] import dnssec-ds child-zone-name [use-mgmt-port] url

Parameter Description

child-zone-name Child zone name of the ds keyset.

use-mgmt-port Uses the management interface as the source interface for the connection to the remote device.

url File transfer protocol, username (if required), and directory path.

You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. The password can be up to 255 characters long.

To enter the entire URL:

tftp://host/file

ftp://[user@]host[:port]/file

scp://[user@]host/file

rcp://[user@]host/file

http://[user@]host/file

https://[user@]host/file

sftp://[user@]host/file

Default N/A

Mode Global config

Usage When using the CLI commands to import/export a DS/DNSKEY record to/from a parent/child zone, it is not necessary to list the AX device’s internal file name for the resource record. Instead, you can simply include the name of the DNS zone from which you will be importing or exporting the file.


ip-list

Description Use an IP list to exclude a set of IP addresses from aRDT polling.

Syntax [no] ip-list list-name

Default None

Usage To configure an IP list, see “gslb ip-list” on page 161.

Example The following commands configure a GSLB IP list and use the list to exclude IP addresses from aRDT data collection:

AX(config)#gslb ip-list iplist1

AX(config-gslb ip-list)#ip 192.168.1.0 /24 id 3

AX(config-gslb ip-list)#ip 10.10.10.10 /32 id 3

AX(config-gslb ip-list)#ip 10.10.10.20 /32 id 3

AX(config-gslb ip-list)#ip 10.10.10.30 /32 id 3

AX(config-gslb ip-list)#exit

AX(config)#gslb policy pol1

AX(config-gslb policy)#ip-list iplist1

AX(config-gslb policy)#active-rdt ignore-id 3

least-response

Description Enable or disable the Least-Response metric, which prefers VIPs that have the fewest hits.

Syntax [no] least-response

Default Disabled

Mode GSLB Policy

Example The following command enables the Least-Response metric:

AX(config gslb-policy)#least-response


metric-fail-break

Description Enable GSLB to stop if there are no valid service IPs.

Syntax [no] metric-fail-break

Default Disabled

Mode GSLB Policy

metric-force-check

Description Force the GSLB controller to always check all metrics in the policy.

Syntax [no] metric-force-check

Default By default, the GSLB controller stops evaluating metrics for a site once a metric comparison definitively selects or rejects a site.

Mode GSLB Policy

metric-order

Description Configure the order in which the GSLB metrics in this policy are used.

Syntax [no] metric-order metric [metric ...]

Parameter Description

metric [metric ...] One or more of the following metrics:

active-rdt

active-servers

admin-preference

bw-cost

capacity

connection-load

geographic

health-check

least-response


num-session

weighted-ip

weighted-site

Default By default, metrics are used in the following order:

1. Health-Check

2. Weighted-IP

3. Weighted-Site

4. Session-Capacity

5. Active-Servers

6. aRDT

7. Geographic

8. Connection-Load

9. Num-Session

10. Admin-Preference

11. BW-Cost

12. Least-Response

The Health-Check, Geographic and Round-Robin metrics are enabled by default. The Round-Robin metric does not appear in the list above because it is the metric of last resort.

Mode GSLB Policy

Usage The first metric you specify with this command becomes the primary metric. If you specify additional parameters, they are used in the priority you specify. All remaining metrics are prioritized to follow the metrics you specify.

The GSLB AX Series uses each metric, in the order specified, to compare the IP addresses returned in DNS replies to clients. If a metric is disabled, the metric order does not change. The GSLB AX Series skips the metric and continues to the next enabled metric.

The Round-Robin metric cannot be re-ordered.

To display the metric order used in a policy, see “show gslb policy” on page 234.


num-session

Description Configure the Num-Session metric, which evaluates a site based on available session capacity and tolerance threshold compared to another site. Sites that are at or below their thresholds of current available sessions are preferred over sites that are above their thresholds.

Example:

Site A has 800,000 sessions available and Site B has 600,000 sessions available. If Num-Session is enabled, then Site A is preferred because it has a larger number of available sessions than site B.

If the tolerance option is enabled (with a default value of 10 percent), and if Site A has 800,000 sessions available and Site B has 600,000 sessions available, then Site A will continue to be preferred until Site B’s available sessions exceed Site A’s available sessions by more than 10 percent. In this case, Site A will remain the preferred site until Site B’s available sessions exceed 800,000 by more than ten percent (or 80,000 sessions). If Site A’s available sessions remain constant, and Site B’s available sessions increase to the point that they exceed 880,000 sessions, then Site B would become the preferred site.

Note: When dealing with smaller base numbers, a small fluctuation in the number of available sessions can cause flapping from one site to another. Thus, when configuring sites with smaller capacities, it is recommended to use a larger tolerance number to prevent frequent flapping between preferred sites.

Syntax [no] num-session [tolerance num]

Parameter Description

tolerance num Number from 0 to 100 specifying the percentage by which the number of available sessions on site SLB devices can differ without causing the Num-Session metric to select one site device over another. (See the Usage description.)

Default Disabled. When you enable the Num-Session metric, the default tolerance is 10 percent.

Mode GSLB Policy

Usage The GSLB AX Series considers site SLB devices to be equal if the difference in the number of available sessions on each device does not exceed the tolerance percentage. The tolerance percentage ensures that minor differences in available sessions do not cause frequent, unnecessary changes in site preference.

This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices.

Example The following command changes the available-session tolerance threshold to 70 percent:

AX(config gslb-policy)#num-session tolerance 70
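The tolerance comparison described above, as an added Python model that is not part of this guide or of the AX software. The hysteresis rule (the currently preferred site keeps its preference until another site exceeds it by more than the tolerance), the use of integer arithmetic, and the small-capacity flapping scenario are assumptions of the model; the 800,000 / 600,000 figures come from the example in the Description.

```python
from typing import Dict, List, Optional, Tuple


def exceeds_by_tolerance(candidate: int, base: int, tolerance_pct: int) -> bool:
    """True when candidate is more than tolerance_pct percent above base.

    Integer arithmetic keeps the boundary exact: 880,000 is exactly 10 percent
    above 800,000 and therefore must NOT count as "more than 10 percent".
    """
    if not 0 <= tolerance_pct <= 100:
        raise ValueError("tolerance must be 0..100 percent")
    return candidate * 100 > base * (100 + tolerance_pct)


def num_session_select(available: Dict[str, int], tolerance_pct: int = 10,
                       current: Optional[str] = None) -> Optional[str]:
    """Apply the Num-Session comparison to the sites in `available`.

    available: site name -> available sessions (learned over the GSLB protocol)
    current:   site preferred by the previous evaluation, or None on the first one
    Returns the preferred site, or None when no site beats the others by more
    than the tolerance; in that case the tie falls through to the next metric
    in the policy's metric-order.
    """
    if current in available:
        # Hysteresis (model assumption): the current site stays preferred until
        # some other site exceeds it by more than the tolerance.
        challengers = [s for s, n in available.items()
                       if s != current
                       and exceeds_by_tolerance(n, available[current], tolerance_pct)]
        if not challengers:
            return current
        return max(challengers, key=available.__getitem__)
    # First evaluation: the largest site wins only if it is clear of every
    # other site by more than the tolerance.
    best = max(available, key=available.__getitem__)
    others = [n for s, n in available.items() if s != best]
    if all(exceeds_by_tolerance(available[best], n, tolerance_pct) for n in others):
        return best
    return None


def simulate(snapshots: List[Tuple[int, int]], tolerance_pct: int,
             current: Optional[str] = "A") -> List[Optional[str]]:
    """Feed successive (A, B) available-session counts through the metric and
    record the preferred site after each, to show (or rule out) flapping."""
    history: List[Optional[str]] = []
    for a, b in snapshots:
        current = num_session_select({"A": a, "B": b}, tolerance_pct, current)
        history.append(current)
    return history


if __name__ == "__main__":
    print(num_session_select({"A": 800_000, "B": 600_000}))           # A
    print(num_session_select({"A": 800_000, "B": 880_000}, current="A"))  # still A
    print(num_session_select({"A": 800_000, "B": 880_001}, current="A"))  # B
    # Constructed small-capacity sites: a one-session wobble flaps at 0 percent
    # tolerance but is absorbed at the 10 percent default.
    wobble = [(100, 99), (99, 100), (100, 99)]
    print(simulate(wobble, 0), simulate(wobble, 10))
```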

round-robin

Description Configure the Round-Robin metric, which selects sites in sequential order.

Syntax [no] round-robin

Default Enabled

Mode GSLB Policy

Usage The AX device uses Round-Robin to select a site at the end of the policy parameters evaluation. This is true even if the Round-Robin metric is disabled in the GSLB policy.

Example The following command disables the Round-Robin metric:

AX(config gslb-policy)#no round-robin

weighted-alias

Description Enable the Weighted Alias metric, which prefers CNAME records with higher weight values over CNAME records with lower weight values. This metric is similar to Weighted-IP, but applies only to DNS CNAME records.

Syntax [no] weighted-alias

Default Disabled

Mode GSLB Policy


Usage Metric order does not apply to this metric.

To configure the Weighted Alias metric:

1. At the configuration level for the GSLB service, use the weight command to assign a weight to the DNS CNAME record for the service. (See “gslb service-ip” on page 166.)

2. At the configuration level for the GSLB policy:

• Enable the Weighted Alias metric.

• Enable one or both of the following DNS options, as applicable to your deployment:

• DNS backup-alias

• DNS geoloc-alias

(See “dns” on page 197.)

3. If using the backup-alias option, use the dns-cname-record as-backup option on the service. (See “gslb service-ip” on page 166.)

weighted-ip

Description Configure the Weighted-IP metric, which uses service IP addresses with higher weight values more often than addresses with lower weight values.

Syntax [no] weighted-ip [total-hits]

Parameter Description

total-hits First sends requests to the service IP addresses that have fewer hits. After all service IP addresses have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.

Default Disabled

Mode GSLB Policy

Usage As a simple example, assume that the Weighted-IP metric is the only enabled metric, or at least always ends up being used as the tie breaker. The total-hits option is disabled. IP address 10.10.10.1 has weight 4 and IP address 10.10.10.2 has weight 2. During a given session aging period, the first 4 requests go to 10.10.10.1, the next 2 requests go to 10.10.10.2, and so on (4 to 10.10.10.1, then 2 to 10.10.10.2).


Here is an example using the same two servers and weights, with the total-hits option enabled. IP address 10.10.10.1 has weight 4 and total hits 8, and IP address 10.10.10.2 has weight 2 and total hits 0. In this case, the first 4 requests go to 10.10.10.2, then the requests are distributed according to weight. Four requests go to 10.10.10.1, then two requests go to 10.10.10.2, and so on. To display the total hits for a service IP address, use the show gslb service-ip command. (See “gslb service-ip” on page 166.)

To assign a weight to a service IP address, use the following command at the configuration level for the zone service: dns-a-record name weight num

Example The following command disables the Weighted-IP metric:

AX(config gslb-policy)#no weighted-ip

weighted-site

Description Configure the Weighted-Site metric, which uses sites with higher weight values more often than sites with lower weight values.

Syntax [no] weighted-site [total-hits]

Parameter Description

total-hits First sends requests to the sites that have fewer hits. After all sites have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.

Default Disabled. When you enable the Weighted-Site metric, the default weight of each site is 1.

Mode GSLB Policy

Usage As a simple example, assume that the Weighted-Site metric is the only enabled metric, or at least always ends up being the tie breaker. Site A has weight 4 and site B has weight 2. During a given session aging period, the first 4 requests go to site A, the next 2 requests go to site B, and so on (4 to A, then 2 to B).

Here is an example using the same two sites and weights, with the total-hits option enabled. Site A has weight 4 with total hits 8, and site B has weight 2 with total hits 0. In this case, the first 4 requests go to site B, then requests are sent as described above. Four requests go to site A, then 2 requests go to site B, and so on.


To assign a weight to a site, use the following command at the configuration level for the site: weight num

Example The following command disables the Weighted-Site metric:

AX(config gslb-policy)#no weighted-site
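The request distribution described in the Usage text for both Weighted-IP (service IPs 10.10.10.1 / 10.10.10.2) and Weighted-Site (sites A / B), as one added Python model that is not code from this guide or from A10. Its catch-up phase for total-hits sends to the target with the lowest hits-per-weight ratio until the ratios are level; that reading reproduces the document's figures (4 requests to the weight-2 target that is 8 hits behind the weight-4 one) and is this example's assumption about what "the same number of hits" means.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Optional


@dataclass
class Target:
    """A weighted service IP (dns-a-record name weight num) or site (weight num)."""
    name: str
    weight: int
    hits: int = 0  # running total, as reported by show gslb service-ip

    def __post_init__(self) -> None:
        if self.weight < 1:
            raise ValueError(f"{self.name}: weight must be at least 1")


class WeightedScheduler:
    """Hand out requests the way the Weighted-IP / Weighted-Site usage text describes.

    Without total-hits: each target takes `weight` consecutive requests in turn.
    With total-hits: a catch-up phase first (lowest hits/weight ratio gets the
    request until all ratios are equal), then the same weighted bursts.
    """

    def __init__(self, targets: List[Target], total_hits: bool = False) -> None:
        if not targets:
            raise ValueError("at least one target is required")
        self.targets = targets
        self.catching_up = total_hits
        self.index = 0                       # target currently taking a burst
        self.burst_left = targets[0].weight  # requests left in that burst

    def _behind(self) -> Optional[Target]:
        """Target with the lowest hits/weight ratio, or None once all are level."""
        ratios = [Fraction(t.hits, t.weight) for t in self.targets]
        if len(set(ratios)) == 1:
            return None
        return self.targets[ratios.index(min(ratios))]

    def pick(self) -> str:
        """Choose the target for the next request and account the hit to it."""
        if self.catching_up:
            target = self._behind()
            if target is not None:
                target.hits += 1
                return target.name
            self.catching_up = False  # levelled off; weighted bursts from here on
        target = self.targets[self.index]
        target.hits += 1
        self.burst_left -= 1
        if self.burst_left == 0:
            self.index = (self.index + 1) % len(self.targets)
            self.burst_left = self.targets[self.index].weight
        return target.name


def distribute(targets: List[Target], requests: int, total_hits: bool = False) -> List[str]:
    """Return the target chosen for each of `requests` successive requests."""
    scheduler = WeightedScheduler(targets, total_hits)
    return [scheduler.pick() for _ in range(requests)]


if __name__ == "__main__":
    # Weighted-IP, total-hits disabled: 4 to 10.10.10.1, then 2 to 10.10.10.2, repeating.
    print(distribute([Target("10.10.10.1", 4), Target("10.10.10.2", 2)], 12))
    # Weighted-IP, total-hits enabled with 8 vs 0 hits already recorded:
    # 4 to 10.10.10.2 first, then 4 / 2 by weight.
    print(distribute([Target("10.10.10.1", 4, hits=8), Target("10.10.10.2", 2)], 10,
                     total_hits=True))
    # Weighted-Site with the same weights behaves identically at the site level.
    print(distribute([Target("A", 4), Target("B", 2)], 6))
```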


Show Commands

This section describes the GSLB show commands.

show gslb cache

Description Show the DNS messages cached on the GSLB AX device. The GSLB AX device caches DNS replies if either of the following GSLB policy options are enabled:

• DNS caching

• aRDT metric (if the single-shot option is used)

Syntax show gslb cache [service-name ...] [zone zone-name]

Option Description

zone-name Displays cached DNS messages for the specified zone.

service-name Displays cached DNS messages for the specified service.

Mode All

Example The following command displays cached DNS messages for service “www.testme.com:http”:

AX#show gslb cache www.testme.com:http
QD = Question Records, AN = Answer Records
NS = Authority Records, AR = Additional Records
Flag = DNS Flag, Len = Cache Length
A = Authoritative Answer, D = Recursion Desired
R = Recursion Available
Zone: testme.com
Service Alias Len TTL Flag QD AN NS AR
---------------------------------------------------------------------------
www.testme.com:http 96 3055 DR 1 4 0 0

Table 6 describes the fields in the command output.

TABLE 6 show gslb cache fields

Field Description

Zone GSLB zone name.

Service GSLB service.

Alias Alias, if configured, that maps to the DNS Canonical Name (CNAME) for the service.

Len Length of the DNS message, in bytes.

TTL Number of seconds for which the cached message is still valid.

show gslb config

Description Show the GSLB configuration commands that are in the running-config.

Syntax show gslb config [active-rdt | dns | geo-location | group | ip-list | policy | protocol | service-ip | site | system | template | view | zone | common-filters (| include string)]

Mode All

Usage The show gslb config command can be used in shared partitions, private partitions, and gslb-view.

When used in shared partitions

When used within a shared partition, the show gslb config command can include the following:

• active-rdt: Show GSLB aRDT configuration

• dns: Show GSLB global DNS configuration

• geo-location: Show GSLB global geo-location configuration


• group: Show GSLB group configuration

• ip-list: Show GSLB IP list configuration

• policy: Show GSLB policy configuration

• protocol: Show GSLB protocol configuration

• service-ip: Show GSLB service-ip configuration

• site: Show GSLB site configuration

• system: Show GSLB system options

• template: Show GSLB template configuration

• view: Show GSLB view

• zone: Show GSLB zone configuration

When used in private partitions

When used within a private partition, the show gslb config command can include the following:

• group: Show GSLB Group configuration

• ip-list: Show GSLB IP list configuration

• policy: Show GSLB policy configuration

• service-ip: Show GSLB service-IP configuration

• site: Show GSLB site configuration

• template: Show GSLB template configuration

• zone: Show GSLB zone configuration

Note: When the show gslb config command is used within a private partition, the following command completions are not supported: active-rdt, dns, geo-location, protocol, system, and view.

When used in gslb-view

When used in gslb-view, the show gslb config command can include the following:

• group: Show GSLB Group configuration

• ip-list: Show GSLB IP list configuration

• policy: Show GSLB policy configuration

• site: Show GSLB site configuration


• template: Show GSLB template configuration

• zone: Show GSLB zone configuration

Note: When the show gslb config command is used in gslb-view, the following command completions are not supported: active-rdt, dns, geo-location, protocol, service-ip, system, and view.

Details about L3V Deployments

When using the new show gslb config command filters in L3V partitions, only the following command completions are supported: group, ip-list, policy, service-ip, site, template, and zone.

The following show gslb config command options are not supported in L3V deployments, and by extension, not supported by the new gslb show command enhancements: active-rdt, dns, geo-location, protocol, system and view.

Show gslb config XXX for shared partitions

The command syntax when used within a shared partition is as follows:

show gslb config [active-rdt | dns | geo-location | group | ip-list | policy | protocol | service-ip | site | system | template | view | zone | common-filters (| include string)]

CLI Example

• Show gslb config zone

• Show gslb config site zone

• Show gslb config service-ip zone | include aaa


Show gslb config for gslb-view

The command syntax when used within gslb-view is as follows:

show gslb config [group | ip-list | policy | service-ip | site | template | zone | common filters(| include xxx)]

CLI Example:

• Show gslb config zone

• Show gslb config site template

• Show gslb config zone | include aaa

Show gslb config for private partition

The command syntax when used within a private partition is as follows:

show gslb config [group | ip-list | policy | service-ip | site | template | zone | common filters(| include xxx)]

CLI Example:

• Show gslb config zone

• Show gslb config site template

• Show gslb config service-ip zone | include aaa


show gslb fqdn

Description Show GSLB statistics using a Fully Qualified Domain Name (FQDN).

Syntax show gslb fqdn domain-name [domain-name ...] [dns-a-record | dns-cname-record | dns-mx-record | dns-ns-record | dns-ptr-record | dns-srv-record | dns-txt-record | session | cache]

Mode All

Introduced in Release 2.7.0

Usage This command allows you to show various parameters for an FQDN, such as:

• DNS cache information

• DNS A Record Service-IP statistics

• Statistics for MX, PTR, SRV, CNAME and other record types

• DNS session information


show gslb geo-location

Description Show the status of GSLB geo-location mappings.

Syntax show gslb geo-location {
[db [geo-location-name] [[statistics] ip-range range-start range-end] [[statistics] depth num] [[statistics] directory num] [[statistics] top num [percent [global]]] [statistics]]
[file [file-name]]
[ip ipaddr]
[rdt [active [geo-location-name ...] [site site-name] [depth num]]
}

Option Description

db [options] Displays the geo-location database. If you specify a geo-location name, only the entries for that geo-location are shown. Otherwise, entries for all geo-locations are shown.

ip-range – Displays entries for the specified IP address range.

depth num – Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.

directory num – Please contact A10 Networks for information.

top num [percent [global]] – Please contact A10 Networks for information.

statistics – Displays client statistics for the specified geo-location.

file [file-name] Displays the geo-location database files on the AX device, and their load status. (Data from a geo-location database file does not enter the geo-location database until you load the file. See “gslb geo-location load” on page 158.)

ip ipaddr Displays geo-location database entries for the specified IP address.

rdt [options] Displays aRDT data for geo-locations. You can use the following options:

active – Displays data for aRDT.

geo-location-name – Displays aRDT data only for the specified GSLB geo-location.

site site-name – Displays aRDT data only for the specified GSLB site.

depth num – Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.

Mode All

Usage The matched client IP address and the hits counter indicate the working status of the geo-location configuration.

Example The following command shows the status of a geo-location named “pc”:

AX#show gslb geo-location pc
Last = Last Matched Client, Hits = Count of Client matched
Sub = Count of Sub Geo-location
T = Type, G(global)/P(policy), P-Name = Policy name
Geo-location: pc
From To Last Hits Sub T P-Name
-----------------------------------------------------------------------------
1.2.2.0 1.2.2.255 (empty) 0 0 P default

Table 7 describes the fields in the command output.

TABLE 7 show gslb geo-location fields

Field Description

Geo-location Name of the geo-location.

From Beginning address in the address range assigned to the geo-location.

To Ending address in the address range assigned to the geo-location.

Last Client IP address that most recently matched the geo-location. If the value is “empty”, no client addresses have matched.

Hits Total number of client IP addresses that have matched the geo-location.

Sub Number of sublocations within the geo-location. For example, if you configure the following geo-locations, geo-location “pc” has two sublocations, “pc.office” and “pc.lab”.

geo-location pc 10.1.0.0 mask /16

geo-location pc.office 10.1.1.0 mask /24

geo-location pc.lab 10.1.2.0 mask /24

T Type of geo-location:

• G – The geo-location is configured at the global level in the AX Series configuration.

• P – The geo-location is configured within a GSLB policy.

P-Name Name of the GSLB policy where the geo-location is configured.

Example The following command shows the load status information for a geo-location database file:

AX(config)#show gslb geo-location file test1
T = T(Template)/B(Built-in), Per = Percentage of loading
Filename T Template Per Lines Success Error
------------------------------------------------------------------------------
test1 T t1 98% 11 10 0

Example The following command displays entries in the geo-location database:

AX(config)#show gslb geo-location db
Last = Last Matched Client, Hits = Count of Client matched
T = Type, Sub = Count of Sub Geo-location
G(global)/P(policy), S(sub)/R(sub range)
M(manually config)

Global
Name From To Last Hits Sub T
------------------------------------------------------------------------------
NA (empty) (empty) (empty) 0 1 G

Geo-location: NA, Global


Name From To Last Hits Sub T
------------------------------------------------------------------------------
US (empty) (empty) (empty) 0 10 GS

Geo-location: NA.US, Global
Name From To Last Hits Sub T
------------------------------------------------------------------------------
69.26.125.0 69.26.125.255 (empty) 0 0 GR
69.26.126.0 69.26.126.255 (empty) 0 0 GR
69.26.127.0 69.26.127.255 (empty) 0 0 GR
...

show gslb group

Description Show information for GSLB controller groups.

Syntax show gslb group [brief | group-name [...] [statistics] | statistics]

Mode All

Example The following commands add a GSLB controller to the default GSLB group, enable the device’s membership in the group, and display group information:

AX(config)#gslb group default

AX(config-gslb group)#enable

AX(config-gslb group)#show gslb group brief

Pri = Priority, Attrs = Attributes

D = Disabled, L = Learn

P = Passive, * = Master

Name Pri Attrs Master Member

------------------------------------------------------------------------------

default 255 L* local 2

Table 8 describes the fields in the command output.

TABLE 8 show gslb group brief fields

Field Description

Name Name of the GSLB controller group.

Pri Priority of the master controller.

Attrs GSLB group attributes of this member:

• D – Member is disabled.

• L – Group learning is enabled on this member.

• P – Member’s connection with this member (the member on which you enter the show gslb group command) is passive.

The group connection between any two controller group members is a client-server connection. The group member that initiates the connection is the client, and has the passive side of the connection. The other member is the server.

• * – Member is the current master for the group.

Note: Attributes are displayed only when at least two group members are connected.

Master IP address of the current master for the group.

Member Number of GSLB controllers in the group. This number includes all configured group members and all learned group members.

The following command displays detailed information for the group members:

AX(config-gslb group)#show gslb group
Pri = Priority, Attrs = Attributes
D = Disabled, L = Learn
P = Passive, * = Master
Group: default, Master: 192.168.101.72
Member ID Pri Attrs Status
-----------------------------------------------------------------------------
local 22e40d29 255 L* OK
192.168.1.131 941a1229 100 Synced
192.168.1.132 ab301229 100 P Synced

Table 9 describes the fields in the command output.

TABLE 9 show gslb group fields

Field Description

Member GSLB controllers currently in the group.

The “local” member is the GSLB controller on which you entered this show command.

ID Group member ID assigned by the controller group feature.


Pri Priority of the GSLB controller.

Attrs GSLB group attributes of the member:

• D – Member is disabled.

• L – Group learning is enabled on this member.

• P – Member’s connection with this member (the member on which you enter the show gslb group command) is passive.

The group connection between any two controller group members is a client-server connection. The group member that initiates the connection is the client, and has the passive side of the connection. The other member is the server.

• * – Member is the current master for the group.

Note: Attributes are displayed only when at least two group members are connected.

Status When the GSLB group is starting up, this column shows the protocol status. After the group is established, this column shows the group status.

Protocol status:

• Idle

• Active

• OpenSent

• OpenConfirm

• Established

Group status of the member:

• Ready

• FullSync/MasterSync

• Synced

Note: If the group status of the member is OK, this AX device (the one on which you entered the command) knows of the member, but no connection between this AX device and the member is required.


show gslb ip-list

Description Display information for GSLB IP lists.

Syntax show gslb ip-list [brief | list-name | id num | ip ipaddr | statistics]

Mode All

show gslb memory

Description Display memory allocation information for GSLB.

Syntax show gslb memory [mem-loc-id [...]] [interval seconds]

Mode All

show gslb policy

Description Show GSLB metric settings for GSLB policies.

Syntax show gslb policy [policy-name]

Mode All

Example The following command shows the configuration of GSLB policy “www”:

AX#show gslb policy www
Policy name: www
MO = Metric Order, En-Value = Enabled or Value
Type            | MO| Option      | En-Value | Description
================================================================================
DNS             |   | action      | no       | Action
                |   | active-only | no       | Only return active service-IP(s)
                |   | selected-only| no      | Only return selected service-IP(s)
                |   | cname-detect| yes      | Apply policy on CNAME records
                |   | external-ip | yes      | Return external IP
                |   | external-soa| no       | Return external SOA
                |   | IPv6 Mapping| no       | A/AAAA Mapping
                |   | IPv6 Mix    | no       | Both IPv4 and IPv6 Server
                |   | IPv6 Smart  | no       | Return IPv6 Server by Query Type
                |   | ip-replace  | no       | Replace DNS server's service-IPs
                |   | GL-alias    | no       | Return CNAME Records by Geo-loc
                |   | GL-action   | no       | Action by Geo-location
                |   | GL-policy   | no       | Policy by Geo-location
                |   | Bak-alias   | no       | Return Alias when fail
                |   | Bak-server  | no       | Return fallback server when fail
                |   | cache       | no       | Cache DNS proxy response
                |   | addition-mx | no       | Addition MX Records
                |   | delegation  | no       | Sub Zone Delegation
                |   | pxy-block   | no       | Block DNS Queries in proxy mode
                |   | server      | no       | Run GSLB in DNS server mode
                |   | sticky      | no       | Stick to DNS Record
                |   | ttl         | 10       | TTL value, unit: sec
                |   | Log         | global   | DNS Logging
                |   | IP List     | no       | Filter by IP List
                |   | AutoMap     | no       | Auto build DNS Infrastructure
                |   | Hint        | addition | Append Hint Records
--------------------------------------------------------------------------------
Metric          |   | Force-Check | no       | Check Service-IP for all metrics
                |   | Fail-Break  | no       | Break if no valid service-IP
--------------------------------------------------------------------------------
health-check    | 1 |             | yes      | Service-IP's health
                |   | Preference  | no       | Check Health Preference
geographic      | 7 |             | yes      | Geographic
round-robin     | 15|             | yes      | Round robin selection
--------------------------------------------------------------------------------
weighted-ip     | 2 |             | no       | Service-IP's weight
                |   | total-hits  | no       | Weighed IP by total hits
weighted-site   | 3 |             | no       | Site's weight
                |   | total-hits  | no       | Weighed Site by total hits
capacity        | 4 |             | no       | Session capacity of SLB device
                |   | threshold   | 90       | Threshold of session capacity
                |   | fail-break  | no       | Break when exceed threshold
active-servers  | 5 |             | no       | Active servers of SLB device
                |   | fail-break  | no       | Break when no active server
active-rdt      | 6 |             | no       | Active Round delay time
                |   | tolerance   | 10       | RDT tolerance
                |   | difference  | 0        | RDT Difference
                |   | samples     | 5        | Count of RDT samples
                |   | limit       | 16383    | Limit of usable RDT
                |   | fail-break  | no       | Break when no valid RDT
                |   | single-shot | no       | Wait for A-RDT Samples
                |   | timeout     | 3        | Timeout of single-shot
                |   | skip        | 3        | Skip query if no samples
                |   | keep-track  | no       | Keep tracking clients
                |   | ignore-id   | no       | Ignore IP Address by group ID
connection-load | 8 |             | no       | Service-IP's connection load
                |   | limit       | unlimited| Limit of connection load
                |   | fail-break  | no       | Break when exceed limit
                |   | number      | 5        | Number of conn-load samples
                |   | interval    | 5        | Interval between two samples
num-session     | 9 |             | no       | Session number of SLB device
                |   | tolerance   | 10       | Tolerance of session number
active-weight   | 10|             | no       | Weight based on active servers
admin-preference| 11|             | no       | Admin preference of SLB device
bw-cost         | 12|             | no       | Cost of Bandwidth
                |   | fail-break  | no       | Break when exceed limit
least-response  | 13|             | no       | Least response service-IP
admin-ip        | 14|             | no       | Admin preference of Service-IP
                |   | top-only    | no       | Highest priority server only
--------------------------------------------------------------------------------
alias-admin-pf  |   |             | no       | Admin preference of alias name
weighted-alias  |   |             | no       | Weight of alias name
--------------------------------------------------------------------------------
auto-map        |   | module      | all      | DNS Auto Mapping Modules
                |   | ttl         | 300      | DNS Auto Mapping TTL
--------------------------------------------------------------------------------
geo-location    |   | match-first | global   | Geo-location table to use first
                |   | overlap     | no       | Geo-location overlap matching
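The policy table above is long, and what an operator usually wants from it is the effective evaluation order: which metrics are enabled and in what MO sequence, plus the value of a given option. The following parser is an added example, not code from the AX guide or from A10; it reads the Type | MO | Option | En-Value | Description layout shown above. The embedded text is a constructed excerpt in that layout (a subset of the rows), not a capture from a device.

```python
"""Parse the table printed by `show gslb policy <name>` into structured rows.

Added example; not code from the AX guide or A10. SAMPLE_POLICY is a
constructed excerpt in the guide's output layout, not a device capture.
"""


SAMPLE_POLICY = """\
Policy name: www
MO = Metric Order, En-Value = Enabled or Value
Type            | MO| Option      | En-Value | Description
================================================================================
DNS             |   | action      | no       | Action
                |   | ttl         | 10       | TTL value, unit: sec
--------------------------------------------------------------------------------
Metric          |   | Force-Check | no       | Check Service-IP for all metrics
                |   | Fail-Break  | no       | Break if no valid service-IP
--------------------------------------------------------------------------------
health-check    | 1 |             | yes      | Service-IP's health
                |   | Preference  | no       | Check Health Preference
geographic      | 7 |             | yes      | Geographic
round-robin     | 15|             | yes      | Round robin selection
--------------------------------------------------------------------------------
weighted-ip     | 2 |             | no       | Service-IP's weight
                |   | total-hits  | no       | Weighed IP by total hits
capacity        | 4 |             | no       | Session capacity of SLB device
                |   | threshold   | 90       | Threshold of session capacity
"""


def parse_policy(text):
    """Return (policy_name, rows).

    Each row is a dict with keys type, mo, option, value, desc. Option rows
    have an empty Type column in the output, so they inherit the Type of the
    preceding metric row; every row therefore carries the metric it belongs to.
    """
    name = None
    rows = []
    current_type = None
    for line in text.splitlines():
        if line.startswith("Policy name:"):
            name = line.split(":", 1)[1].strip()
            continue
        # Legend, column header and separator lines carry no data.
        if "|" not in line or line.startswith("Type"):
            continue
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 5:
            continue
        typ, mo, option, value, desc = cells
        if typ:
            current_type = typ
        rows.append({
            "type": current_type,
            "mo": int(mo) if mo else None,
            "option": option or None,
            "value": value,
            "desc": desc,
        })
    return name, rows


def enabled_metric_order(rows):
    """Metrics that have a Metric Order and En-Value 'yes', sorted by MO."""
    metrics = [r for r in rows
               if r["mo"] is not None and r["option"] is None and r["value"] == "yes"]
    return [(r["mo"], r["type"]) for r in sorted(metrics, key=lambda r: r["mo"])]


def option_value(rows, metric, option):
    """Value of one option under a metric, e.g. ('capacity', 'threshold') -> '90'."""
    for r in rows:
        if r["type"] == metric and r["option"] == option:
            return r["value"]
    return None


if __name__ == "__main__":
    policy_name, policy_rows = parse_policy(SAMPLE_POLICY)
    print(policy_name, enabled_metric_order(policy_rows))
```

On the excerpt, enabled_metric_order returns health-check (1), geographic (7) and round-robin (15), which is the order the guide's example policy evaluates its enabled metrics; disabled metrics such as weighted-ip (MO 2) are excluded even though they carry a lower MO.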

Table 10 describes the fields in the command output.

TABLE 10 show gslb policy fields

Field Description

Policy name Name of the GSLB policy.

Type Name of the GSLB metric.

MO For GSLB metrics, indicates the order in which the metrics are used.

Option Metric or option name.

En-Value For metrics, indicates whether they are enabled (yes or no). For options, indicates the value.

Description Description of the metric or option.

show gslb protocol

Description Show the status of the GSLB protocol on the GSLB AX Series and the SLB devices (site AX Series).

Syntax show gslb protocol [[geo-location-name] port portnum]

Mode All


Example The following command shows GSLB protocol status information on an AX device acting as a GSLB controller:

AX#show gslb protocol
GSLB site: aapg slb-dev: ax (127.0.0.1) Established
  Session ID: 26702
  Connection succeeded: 1       |Connection failed: 0
  Open packet sent: 1           |Open packet received: 1
  Open session succeeded: 1     |Open session failed: 0
  Sessions Dropped: 0           |Update packet received: 34411
  Keepalive packet sent: 1408   |Keepalive packet received: 1407
  Notify packet sent: 0         |Notify packet received: 0
  Message Header Error: 0
GSLB site: abc slb-dev: ax1 (127.0.0.2) Established
  Session ID: 65410
  Connection succeeded: 1       |Connection failed: 0
  Open packet sent: 1           |Open packet received: 1
  Open session succeeded: 1     |Open session failed: 0
  Sessions Dropped: 0           |Update packet received: 34411
  Keepalive packet sent: 1408   |Keepalive packet received: 1407
...

show gslb rdt

Description Show aRDT data.

Syntax show gslb rdt

[geo-location [active [geo-location-name ...]

[site site-name] [depth num]]

[slb-device [active [geo-location-name ...]

[ip ipaddr [...]]] |

[local-info]

Option Description

geo-location Displays aRDT data based on geo-location.

slb-device Displays aRDT data based on SLB device.

local-info Displays local aRDT data on a site AX device.

active Displays data for aRDT.


site site-name Displays aRDT data only for the specified GSLB site.

depth num Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.

ip ipaddr [...] Displays aRDT data only for the specified clients.

Mode All

Usage All of the options except local-info are applicable when you enter the command on a GSLB AX device. To display local aRDT data on a site AX device, enter the command on the site AX device and use the local-info option.

Example Here is an example of the output for this command when entered on the GSLB AX device:

AX#show gslb rdt
TTL = Time to live(Unit: min), T = Type, A(active)
Device: site1/remote
IP              TTL  T|  1   2   3   4   5   6   7   8
------------------------------------------------------------------------------
10.10.10.2      10   A|  0   0   0   0   0   0   0   0
20.20.20.21     10   A| 41  40  29  46  38  42  34  30
192.168.217.1   10   A| 38  54  46  50  43  38
192.168.217.11  10   A| 41  40  29  46  38  42  34  30
Device: site2/local
IP              TTL  T|  1   2   3   4   5   6   7   8
------------------------------------------------------------------------------
10.10.10.2      10   A| 35  52  35  40  54  56  44  48
20.20.20.21     10   A| 20  20  16  16  20  16  20  18
192.168.217.1   10   A| 16  44  20  16  20  18
192.168.217.11  10   A| 20  20  16  16  20  16  20  18

T = Type: A(active), TS = Time Stamp(unit: min)
Geo-location  Site   T  RDT  TS
------------------------------------------------------------------------------
cn.sh         site1  A  38   10
              site2  A  18   10
cn.bj         site1  A  30   10
              site2  A  18   10
jp            site1  A  30   10
              site2  A  18   10
us            site1  A  0    10
              site2  A  48   10

This example shows the default display (with no additional options). The TTL results are organized by site AX device, then by geo-location.

Table 11 describes the fields in the command output.

TABLE 11 show gslb rdt fields

Field Description

Device Site AX device.

IP IP address at the other end of the aRDT exchange.

TTL Time-to-live for the Active-TT entry.

T RDT type, which can be A (aRDT).

1-8 Individual aRDT measurements (in units of seconds).

Geo-location Geo-location name for which aRDT measurements have been taken.

Site GSLB site name within the geo-location.

T RDT type. (See descriptions above.)

RDT Individual aRDT measurements (in units of seconds).

TS System time stamp of the aRDT measurement.

show gslb samples conn

Description Show the number of connections that are currently on a virtual port.

Syntax show gslb samples conn {service-name | vipaddr} port-num [range-start] [range range-start range-end]


Option Description

service-name | vipaddr Specifies the service name or service IP.

port-num Specifies the virtual port.

range-start Specifies the range start.

range range-start range-end Collects samples only for the specified range of service port numbers.

Mode All

Usage The number of connections on the site is sampled based on the GSLB status interval. (This is configurable using the gslb protocol command. See “gslb protocol” on page 163.) Samples are listed row by row. The first 7 samples appear on row 1, the second 7 samples appear on row 2, and so on.

If you disable the GSLB protocol, the data is cleared.

Example The following example shows connection activity for virtual port 80 on virtual server “china”.

AX#show gslb samples conn china 80 0
  |     1      2      3      4      5      6      7
----------------------------------------------------------------------------
1 | 15000  25000  35000  45000  55000  65000  75000
2 | 85000  95000 105000

show gslb samples conn-load

Description Show the number of connections on each virtual server.

Syntax show gslb samples conn-load num-samples interval [service-name | vipaddr] [port-num]

Option Description

num-samples Number of connection-load samples to collect and display.

interval Number of seconds to wait between collection of each sample.

service-name | vipaddr Collects samples only for the specified service IP.


port-num Collects samples only for the specified service port number.

Mode All

Example The following command shows 5 connection-load samples, collected at 5-second intervals:

AX#show gslb samples conn-load 5 5
ip1:80, average is: 36
  |     1      2      3      4      5      6      7
----------------------------------------------------------------------------
1 |     0      0     11      1    168
ip2:80, average is: 38
  |     1      2      3      4      5      6      7
----------------------------------------------------------------------------
1 |     0      0     22      2    168
ip3:80, average is: 60
  |     1      2      3      4      5      6      7
----------------------------------------------------------------------------
1 |   120      0      0      0    180
ip4:80, average is: 86
  |     1      2      3      4      5      6      7
----------------------------------------------------------------------------
1 |   240      0      0      0    192

In this example, five samples, taken at 5-second intervals, are shown for each of four services (ip1:80 to ip4:80). The services are listed by service IP and service port.

In each section, the numbers across the top are column numbers. The numbers along the leftmost column are row numbers. The other numbers are the actual connection load data. For example, for ip1:80 (service port 80 on service IP “ip1”), there were no connections during the first or second data samples, and 11 connections during the third sample.
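The row-and-column layout described for show gslb samples conn and show gslb samples conn-load (seven samples per row, rows numbered from 1) is easy to misread when samples spill onto a second row. The following parser is an added example, not code from the AX guide or A10: it flattens the numbered rows back into one ordered sample list, and for conn-load output recomputes each service's average and compares it with the "average is" value the device reports. The embedded sample text is constructed in the guide's layout; the ip4:80 block deliberately carries a reported average that does not match its samples, to show the check firing.

```python
"""Parse `show gslb samples conn` / `show gslb samples conn-load` output.

Added example, not code from the AX guide or A10. SAMPLE_CONN and
SAMPLE_CONN_LOAD are constructed in the layout the guide describes; the
ip4:80 block has a deliberately wrong reported average.
"""
import re

SAMPLE_CONN = """\
  |     1      2      3      4      5      6      7
----------------------------------------------------------------------------
1 | 15000  25000  35000  45000  55000  65000  75000
2 | 85000  95000 105000
"""

SAMPLE_CONN_LOAD = """\
ip1:80, average is: 36
  |     1      2      3      4      5      6      7
----------------------------------------------------------------------------
1 |     0      0     11      1    168
ip3:80, average is: 60
  |     1      2      3      4      5      6      7
----------------------------------------------------------------------------
1 |   120      0      0      0    180
ip4:80, average is: 99
  |     1      2      3      4      5      6      7
----------------------------------------------------------------------------
1 |   240      0      0      0    192
"""

# A data row starts with its row number and a pipe; the column header
# ("  |  1  2 ...") has no row number, so it does not match.
ROW_RE = re.compile(r"^\s*(\d+)\s*\|(.*)$")
HEADER_RE = re.compile(r"^(\S+:\d+), average is: (\d+)\s*$")


def parse_sample_rows(lines):
    """Flatten numbered rows ("1 | a b c", "2 | d e") into one ordered list."""
    samples = []
    expected_row = 1
    for line in lines:
        m = ROW_RE.match(line)
        if not m:
            continue
        row = int(m.group(1))
        if row != expected_row:  # rows must be consecutive from 1
            raise ValueError("rows out of order: expected %d, got %d" % (expected_row, row))
        expected_row += 1
        samples.extend(int(tok) for tok in m.group(2).split())
    return samples


def parse_conn(text):
    """Samples from `show gslb samples conn`, in collection order."""
    return parse_sample_rows(text.splitlines())


def parse_conn_load(text):
    """Return {service: {"reported_avg", "samples", "computed_avg"}}.

    The computed average is integer-truncated, which matches the values the
    guide shows ((0+0+11+1+168)/5 = 36; (0+0+22+2+168)/5 = 38.4 -> 38).
    """
    blocks = []  # (service, reported average, lines belonging to that block)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            blocks.append((m.group(1), int(m.group(2)), []))
        elif blocks:
            blocks[-1][2].append(line)
    result = {}
    for service, reported, lines in blocks:
        samples = parse_sample_rows(lines)
        result[service] = {
            "reported_avg": reported,
            "samples": samples,
            "computed_avg": sum(samples) // len(samples) if samples else None,
        }
    return result


def average_mismatches(parsed):
    """Services whose reported average disagrees with the samples shown."""
    return sorted(s for s, d in parsed.items()
                  if d["computed_avg"] is not None and d["computed_avg"] != d["reported_avg"])


if __name__ == "__main__":
    print(parse_conn(SAMPLE_CONN))
    print(average_mismatches(parse_conn_load(SAMPLE_CONN_LOAD)))
```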


show gslb samples rdt

Description Show the aRDT between the GSLB AX Series and a client.

Syntax show gslb samples rdt

[geo-location-name [active [geo-location-name ...]

[site site-name] [depth num]]

[slb-device [active [geo-location-name ...]

[site site-name] [depth num]]

[local-info]

Option Description

geo-location-name Displays aRDT data only for the specified GSLB geo-location.

slb-device Displays aRDT data only for the specified SLB device.

local-info Displays local aRDT data on a site AX device.

active Displays data for aRDT.

site site-name Displays aRDT data only for the specified GSLB site.

depth num Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.

Mode All

Usage Eight aRDT samples are displayed for each device. Times are shown in 10-millisecond (ms) increments. In the example below, the first aRDT time for Device1 is 50 ms.

If you disable the GSLB protocol, the data is cleared.


show gslb service

Description Show the configuration information for services.

Syntax show gslb service {cache | dns-a-record | dns-cname-record | dns-mx-record | dns-ns-record | dns-ptr-record | dns-srv-record | session} [service-name ...] [zone zone-name] [ip ipaddr {subnet-mask | /mask-length}]

Option Description

cache Displays service information in the GSLB DNS cache.

dns-a-record Displays Address records for GSLB services.

dns-cname-record Displays CNAME records for GSLB services.

dns-mx-record Displays MX records for GSLB services.

dns-ns-record Displays name server records for GSLB services.

dns-ptr-record Displays pointer records for GSLB services.

dns-srv-record Displays service records for GSLB services.

dns-txt-record Displays DNS TXT records for GSLB services.

session Displays current GSLB sessions for services.

service-name Specifies a service name.

zone zone-name Specifies a zone name.

ip ipaddr {subnet-mask | /mask-length} Specifies a client host or subnet address. (This option applies only to the session option.)

Mode All


Example The following example shows CNAME information for zone “a10.com”:

AX#show gslb service dns-cname-record a10.com
Zone: a10.com
Alias = Alias Name, Geoloc = Geo-location
G-Geoloc = Matched Global Geo-location
P-Geoloc = Matched Policy Geo-location
Service   Alias          Geoloc  G-Geoloc  P-Geoloc
------------------------------------------------------------------------------
http:www  http.a10.com   pc1     (empty)   (empty)
ftp:ftp   ftpp.a10.com   pc1     (empty)   pc1

show gslb service-ip

Description Shows information for a GSLB service.

Syntax show gslb service-ip {service-name | vipaddr | local-info}

Option Description

service-name | vipaddr Specifies the service name or VIP address.

local-info Shows local SLB virtual-server information.

Example The following command shows information for the “beijing” service:

AX#show gslb service-ip beijing
V = Is Virtual server, E = Enabled
P-Cnt = Count of Service Ports
Service-IP        IP        V  E  State  P-Cnt  Hits
------------------------------------------------------------------------------
:Device1:beijing  2.1.1.10  Y  Y  UP     3      0

Table 12 describes the fields in the command output.

TABLE 12 show gslb service-ip fields

Field Description

Service-IP Device name and service IP name.

IP IP address of the service.

V Indicates whether the service IP is a virtual server IP address (Y) or a real server IP address (N).

E Indicates whether the service IP is enabled.

State Indicates the service IP state: UP or DOWN.

P-Cnt Number of service ports on the service IP.

Hits Number of times the service IP has been selected.


show gslb service-port

Description Show information about the GSLB service ports configured on the sites.

Syntax show gslb service-port [local-info]

Option Description

local-info Shows local SLB virtual-port information.

Mode All

Example The following command shows information about all the configured GSLB service ports.

AX#show gslb service-port
Attrs = Attributes, Act-Svrs = Active Real Servers
Curr-Conn = Current Connections
D = Disabled, P = GSLB Protocol, L = Local Protocol
Service-Port      Attrs  State  Act-Svrs  Curr-Conn
------------------------------------------------------------------------------
10.77.27.222:80   L      DOWN   0         0
10.10.10.1:80            DOWN   0         0
67.67.6.84:80            UP     1         0
67.67.6.82:21            UP     1         0
192.168.100.6:80         DOWN   0         0

Table 13 describes the fields in the command output.

TABLE 13 show gslb service-port fields

Field Description

Service-Port Service IP address and service port number.

Attrs Indicates whether the service port is reached using the GSLB protocol or the local (SLB) protocol.

State Indicates the service state: UP or DOWN.

Act-Svrs Number of active real servers for the service.

Curr-Conn Current number of connections to the service.

show gslb session

Description Show cached GSLB policy selections.

Selections are cached on a zone:service basis. While a cached GSLB policy selection is valid (that is, before it ages out), the cached selection is used for subsequent requests from the same client for the same zone and service.


Syntax show gslb session [service-name ...] [zone zone-name] [ip ipaddr {subnet-mask | /mask-length}]

Option Description

service-name Specifies a service name.

zone zone-name Specifies a zone name.

ip ipaddr {subnet-mask | /mask-length} Specifies a client host or subnet address.

Mode All

show gslb site

Description Show GSLB site information.

Syntax show gslb site [site-name ...] [bw-cost] [statistics]

Option Description

site-name Displays information only for the specified site.

bw-cost Displays BW-Cost information.

statistics Displays statistics.

Mode All

Example The following command shows information for GSLB site “Site1”:

AX#show gslb site Site1
Site   Device/server     VIP       Vport  State  Hits
-------------------------------------------------------------------
Site1  Device1 (device)  2.1.1.10         Up     0
       1.2.2.2                     21     Up
                                   23     Up
                                   80     Up
                         2.1.1.11         Up     0
                                   21     Up
                                   80     Up
                         2.1.1.12         Up     0
                                   21     Up
                                   23     Up
                                   80     Up
       serverB (server)                   Up     0
       3.1.1.10                    80     Up


Table 14 describes the fields in the command output.

TABLE 14 show gslb site fields

Field Description

Site GSLB site name.

Device/server Device name and device IP address or real server name and real server IP address.

VIP Virtual IP address for the service.

Vport Virtual port number.

State Virtual port state.

Hits Number of times the service IP was selected.

Table 15 describes the fields in the command output when the bw-cost option is used.

TABLE 15 show gslb site bw-cost fields

Field Description

Site GSLB site name.

Template SNMP template name.

Current Current value of the SNMP object used for measurement.

Highest Highest value of the SNMP object used for measurement.

Limit Limit configured for the BW-Cost metric.

U Indicates whether the site is usable, based on the BW-Cost measurement.

Type Data type of the SNMP object.

Len Data length of the SNMP object.

Value Value of the SNMP object.

TI Time interval between measurements.

Example The following command shows GSLB site statistics:

AX#show gslb site statistics
Site   Hits  Last
-----------------------------------------------------------------------------
site1  14    2.1.1.10
site2  0     (empty)
site3  0     (empty)
site4  0     (empty)


Table 16 describes the fields in the command output when the statistics option is used.

TABLE 16 show gslb site statistics fields

Field Description

Site GSLB site name.

Hits Number of times the site was selected.

Last Site that was most recently selected.

show gslb slb-device

Description Show information about an SLB device used by GSLB.

Syntax show gslb slb-device [device-name | local-info | rdt active [device-name ... | ip ipaddr ...] ]

Option Description

device-name Displays information only for the specified SLB device.

local-info Displays local SLB device information on a site SLB device.

rdt options Displays aRDT data. You can use the following options:

active – Displays data for aRDT.

device-name – Displays aRDT data only for the specified SLB device.

ip ipaddr – Displays aRDT data only for the specified client IP address(es).

Mode All


Example The following command shows information about SLB device “Device1”:

AX#show gslb slb-device Device1
APF = Administrative Preference, Sub-Cnt = Count of Service-IPs
Sesn-Uzn = Session Utilization
Sesn-Num = Number of Available Sessions
Device         IP       APF  Sesn-Uzn  Sesn-Num  Sub-Cnt
------------------------------------------------------------------------------
site1:Device1  1.2.2.2  200  0%        0         3

Table 17 describes the fields in the command output.

TABLE 17 show gslb slb-device fields

Field Description

Device Site name and device name.

IP SLB device’s IP address.

APF Administrative preference for the device.

Sesn-Uzn Current session utilization on the device.

Sesn-Num Number of sessions available on the device.

Sub-Cnt Number of service IPs on the device.

show gslb state

Description Show GSLB state information collected by GSLB debugging.

Syntax show gslb state

Mode All

Usage To collect state information, enable GSLB debugging and use the state option. (See the example below.)

Example The following commands enable GSLB debugging with retention of state information, and initiate display of the state information:

site-ax-1(config)#debug gslb state
site-ax-1(config)#show gslb state

show gslb statistics

Description Show statistics for the GSLB protocol, for sites, or for zones.

Syntax show gslb statistics {message | site | zone}


Mode All

Usage The show gslb statistics message command shows the same output as the show gslb protocol command. Similarly, the show gslb statistics site command shows the same output as the show gslb site statistics command, and the show gslb statistics zone command shows the same output as the show gslb zone statistics command.

Example The following command shows statistics for the GSLB protocol:

AX#show gslb statistics message
GSLB site: site1 slb-dev: remote (20.20.20.2) Established
  Session ID: 40576
  Connection success: 4          |Connection failure: 0
  Open packet sent: 4            |Open packet received: 1
  Open session success: 1        |Open session failure: 3
  Dropped sessions: 0            |Update packet received: 5101
  Keepalive packet sent: 1219    |Keepalive packet received: 1218
  Notify packet sent: 0          |Notify packet received: 0
  Message Header Error: 0        | 0
GSLB site: site2 slb-dev: local (192.168.217.2) Established
  Session ID: 104
  Connection success: 1          |Connection failure: 1
  Open packet sent: 1            |Open packet received: 1
  Open session success: 1        |Open session failure: 0
  Dropped sessions: 0            |Update packet received: 22
  Keepalive packet sent: 2       |Keepalive packet received: 1
  Notify packet sent: 0          |Notify packet received: 0
  Message Header Error: 0        | 0
GSLB controller: 192.168.217.2 Established
  Session ID: 104
  Connection success: 0          |Connection failure: 0
  Open packet sent: 1            |Open packet received: 1
  Open Sent 1                    |Open session failure: 0
  Dropped sessions: 0            |Update packet sent: 22
  Keepalive packet sent: 2       |Keepalive packet received: 1
  Notify packet sent: 0          |Notify packet received: 0
  Message Header Error: 0        | 0
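The per-peer counters printed by show gslb protocol and show gslb statistics message (the guide states the two outputs are identical) are what an operator polls to notice a GSLB session that is silently degrading: open-session failures, connection failures, dropped sessions, message header errors, or keepalives that stop being answered. The following parser and checker is an added example, not code from the AX guide or A10. The embedded text reproduces the counters of the statistics message example above, laid out one counter pair per line; the thresholds (any failure or error counter above zero, keepalive sent/received differing by more than one) are assumptions of this example, not values the guide specifies.

```python
"""Parse `show gslb protocol` / `show gslb statistics message` output and
report per-session findings.

Added example, not code from the AX guide or A10. SAMPLE_PROTOCOL carries
the counters from the guide's statistics message example; the alert
thresholds in session_findings are this example's assumptions.
"""
import re

SAMPLE_PROTOCOL = """\
GSLB site: site1 slb-dev: remote (20.20.20.2) Established
  Session ID: 40576
  Connection success: 4          |Connection failure: 0
  Open packet sent: 4            |Open packet received: 1
  Open session success: 1        |Open session failure: 3
  Dropped sessions: 0            |Update packet received: 5101
  Keepalive packet sent: 1219    |Keepalive packet received: 1218
  Notify packet sent: 0          |Notify packet received: 0
  Message Header Error: 0        | 0
GSLB site: site2 slb-dev: local (192.168.217.2) Established
  Session ID: 104
  Connection success: 1          |Connection failure: 1
  Open packet sent: 1            |Open packet received: 1
  Open session success: 1        |Open session failure: 0
  Dropped sessions: 0            |Update packet received: 22
  Keepalive packet sent: 2       |Keepalive packet received: 1
  Notify packet sent: 0          |Notify packet received: 0
  Message Header Error: 0        | 0
GSLB controller: 192.168.217.2 Established
  Session ID: 104
  Connection success: 0          |Connection failure: 0
  Open packet sent: 1            |Open packet received: 1
  Open Sent 1                    |Open session failure: 0
  Dropped sessions: 0            |Update packet sent: 22
  Keepalive packet sent: 2       |Keepalive packet received: 1
  Notify packet sent: 0          |Notify packet received: 0
  Message Header Error: 0        | 0
"""

# A site peer header: "GSLB site: <site> slb-dev: <device> (<ip>) <state>"
PEER_RE = re.compile(r"^GSLB site: (\S+) slb-dev: (\S+) \(([^)]+)\) (\S+)$")
# On a site device the controller peer is shown as "GSLB controller: <ip> <state>"
CTRL_RE = re.compile(r"^GSLB controller: (\S+) (\S+)$")
# "<Counter name>: <value>", possibly two per line separated by "|"
COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")


def parse_protocol(text):
    """Return a list of peers: {site, device, ip, state, counters}."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.append({"site": m.group(1), "device": m.group(2), "ip": m.group(3),
                          "state": m.group(4), "counters": {}})
            continue
        m = CTRL_RE.match(line)
        if m:
            peers.append({"site": "controller", "device": m.group(1), "ip": m.group(1),
                          "state": m.group(2), "counters": {}})
            continue
        if peers:  # counter lines belong to the most recent peer header
            for name, value in COUNTER_RE.findall(line):
                peers[-1]["counters"][name.strip()] = int(value)
    return peers


def session_findings(peer):
    """Findings for one peer, derived only from the counters the output shows."""
    c = peer["counters"]
    findings = []
    if peer["state"] != "Established":
        findings.append("session not established (%s)" % peer["state"])
    for counter, label in (("Open session failure", "open session failure(s)"),
                           ("Connection failure", "connection failure(s)"),
                           ("Dropped sessions", "dropped session(s)"),
                           ("Message Header Error", "message header error(s)")):
        if c.get(counter, 0) > 0:
            findings.append("%d %s" % (c[counter], label))
    sent, recv = c.get("Keepalive packet sent", 0), c.get("Keepalive packet received", 0)
    if abs(sent - recv) > 1:  # one in flight is normal; more suggests a dead peer
        findings.append("keepalive imbalance: sent %d, received %d" % (sent, recv))
    return findings


def report(text):
    """Map 'site/device' to its list of findings (empty list means healthy)."""
    return {"%s/%s" % (p["site"], p["device"]): session_findings(p) for p in parse_protocol(text)}


if __name__ == "__main__":
    for key, findings in report(SAMPLE_PROTOCOL).items():
        print(key, findings or "ok")
```

On the guide's counters, site1 is flagged for three failed session opens (four connection successes against one open success) and site2 for one connection failure, while the controller session on the site device reports nothing; these are exactly the counters an operator would poll before trusting a site's GSLB data.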

show gslb zone

Description Show GSLB zone information.

Syntax show gslb zone [zone-name] [dns-mx-record] [dns-ns-record] [dns-soa-record] [statistics]


Option Description

zone-name Displays information only for the specified zone.

dns-mx-record Displays the MX records for the zone(s).

dns-ns-record Displays the name server records for the zone(s).

dns-soa-record Displays the start-of-authority records for the zone(s).

statistics Displays statistics for the zone(s).

Mode All

Example The following example shows information for zone “a10.com”:

AX#show gslb zone a10.com
Zone     Service   Policy  TTL
------------------------------------------------------------------------------
a10.com            www     20
         http:www  www     20
         ftp:ftp   ftp     30

Table 18 describes the fields in the command output.

TABLE 18 show gslb zone fields

Field Description

Zone Zone name.

Service Service type and service name.

Policy GSLB policy name.

TTL DNS TTL value set by GSLB in DNS replies to queries for the zone address.

Example The following command shows MX records for zones:

AX#show gslb zone dns-mx-record
Pri = Priority, Last = Last Server
Owner              MX-Record      Pri  Hits  Last
------------------------------------------------------------------------------
mail.abc.com:smtp  mail1.abc.com  0    0
                   mail2.xyz.com  10


Table 19 describes the fields in the command output.

TABLE 19 show gslb zone dns-mx-record fields

Field Description

Owner Zone and service name to which the MX record belongs.

MX-Record Name of the MX record.

Pri Priority (preference) set for the MX record.

Hits Number of times the record has been used.

Last Most recent time the record was used.

Example The following command shows GSLB zone statistics:

AX(config-gslb zone-gslb service)#show gslb zone example.com statistics
GSLB Zone example.com:
Total Number of Services configured: 1
Rcv-query = Received Query, Sent-resp = Sent Response
M-Proxy = Proxy Mode, M-Cache = Cache Mode
M-Svr = Server Mode, M-Sticky = Sticky Mode
Service   Rcv-query  Sent-resp  M-Proxy  M-Cache  M-Svr  M-Sticky
-----------------------------------------------------------------------------
http:www  16         15         3        0        0      12
Total     16         15         3        0        0      12

Table 20 describes the fields in the command output.

TABLE 20 show gslb zone statistics fields

Field Description

GSLB Zone Zone name.

Total Number of Services configured Number of GSLB services configured for the zone.

Service Service type and service name.

Rcv-query Number of DNS queries received for the service.

Sent-resp Number of DNS replies sent to clients for the service.

M-Proxy Number of DNS replies sent to clients by the AX device as a DNS proxy for the service.

M-Cache Number of cached DNS replies sent to clients by the AX device for the service. (This statistic applies only if the DNS cache option is enabled in the policy.)

M-Svr Number of DNS replies sent to clients by the AX device as a DNS server for the service. (This statistic applies only if the DNS server option is enabled in the policy.)


M-Sticky Number of DNS replies sent to clients by the AX device to keep the clients on the same site. (This statistic applies only if the DNS sticky option is enabled in the policy.)



Clear Command

clear

Description Clear statistics or reset functions. Sub-command parameters are required for specific sub-commands.

Syntax clear gslb {options}

Sub-Command Description

all Clears all GSLB statistics.

cache Clears the GSLB DNS cache.

debug Clears debug statistics.

fqdn Clears FQDN statistics.

geo-location Clears geo-location statistics.

group Clears GSLB group statistics.

ip-list Clears IP-list statistics.

memory Clears memory statistics.

protocol Clears GSLB protocol statistics.

rdt Clears RDT samples.

samples Clears aRDT samples.

server Clears server statistics.

service Clears service statistics.

session Clears GSLB sessions.

site Clears site statistics.

slb-device Clears SLB device samples.

statistics options Clears message, site, or zone statistics.

zone Clears zone statistics.


DNSSEC Commands

This section describes the commands for DNSSEC.

(For more on this feature, see “DNSSEC Support” on page 133.)

dnssec key-generate

Description Generate a key for DNSSEC.

Syntax dnssec key-generate name algorithm [RSASHA1 | RSASHA256 | RSASHA512 | NSEC3RSASHA1] keysize num

Parameter Description

name Key filename. This is the name later referenced by the ksk and zsk commands in a DNSSEC template.

algorithm [RSASHA1 | RSASHA256 | RSASHA512 | NSEC3RSASHA1] RSA/SHA algorithm used to generate the DNSSEC key pair (ZSK and KSK). One of the following:

– RSASHA1 (default)

– RSASHA256

– RSASHA512

– NSEC3RSASHA1

The first three algorithms (RSASHA1, RSASHA256, RSASHA512) cause standard NSEC resource records to be generated for the zone. NSEC3RSASHA1 instead generates NSEC3 and NSEC3PARAM records. Because NSEC3 records carry hashed owner names rather than the names themselves, they mitigate zone walking, in which an attacker follows the NSEC chain to enumerate every name in the zone.

Note that RSASHA1 and NSEC3RSASHA1 depend on SHA-1, and 1024-bit RSA keys are no longer considered adequate; where the zone's validating resolvers support it, prefer RSASHA256 (NSEC only on this platform) and a larger key size.

Different zones can use different DNSSEC templates and thus different algorithms.

keysize num Number of bits in the DNSSEC key, 512-4096, specified in multiples of 64 bits. The default is 1024 bits.


Default See above.

Mode Global configuration mode
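The zone-walking threat that the NSEC3RSASHA1 option mitigates (and that the return-nsec-on-failure template command below is concerned with) is easy to see in a few lines. The following is an added example, not code from A10 or this guide: the zone names and the NSEC chain are constructed, and the hashing follows RFC 5155 section 5 (SHA-1 over the wire-format name plus salt, iterated, rendered in base32hex), which is the hash NSEC3 owner names use. The wordlist step shows the caveat a practitioner should keep in mind: NSEC3 hides names only as well as they resist offline guessing.

```python
"""NSEC vs NSEC3: why zone walking works, and what NSEC3 does about it.

Added example (not A10 code). Zone contents and the NSEC chain are constructed.
"""
import base64
import hashlib

APEX = "example.com."

# Constructed NSEC chain, owner -> next owner, exactly what an attacker collects
# by querying names that do not exist and reading the NSEC records returned.
SAMPLE_NSEC_CHAIN = {
    "example.com.": "a.example.com.",
    "a.example.com.": "ns1.example.com.",
    "ns1.example.com.": "vpn.example.com.",
    "vpn.example.com.": "www.example.com.",
    "www.example.com.": "example.com.",  # the last record points back to the apex
}


def walk_nsec(chain, apex=APEX):
    """Enumerate every name in the zone by following NSEC 'next owner' pointers.
    No guessing is needed: each NSEC record names the owner that follows it."""
    names, cur = [], apex
    while cur not in names:
        names.append(cur)
        cur = chain[cur]
    return sorted(names)


def wire_name(name):
    """Canonical wire form: lowercase labels, each length-prefixed, root label last."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


# Standard base32 alphabet -> base32hex (RFC 4648 section 7), used by NSEC3 owner names.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hash: SHA-1(wire_name || salt), then `iterations` further rounds of
    SHA-1(previous || salt), rendered as 32 lowercase base32hex characters."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()


def nsec3_chain(names, salt, iterations):
    """What the same zone exposes once signed with NSEC3: a chain of hashed owners."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


def walk_nsec3(chain):
    """Walking an NSEC3 chain yields only hashes, not names."""
    return sorted(chain)


def crack_nsec3(chain, salt, iterations, wordlist, apex=APEX):
    """Caveat: NSEC3 is a mitigation, not a cure. Labels that appear in a wordlist
    are recovered offline by hashing guesses and matching them against the chain."""
    found = {}
    for word in wordlist:
        candidate = f"{word}.{apex}"
        h = nsec3_hash(candidate, salt, iterations)
        if h in chain:
            found[h] = candidate
    return found


if __name__ == "__main__":
    zone = walk_nsec(SAMPLE_NSEC_CHAIN)
    print("NSEC walk reveals:", zone)
    salt, iters = bytes.fromhex("aabbccdd"), 12   # constructed NSEC3PARAM values
    chain3 = nsec3_chain(zone, salt, iters)
    print("NSEC3 walk reveals only hashes:", walk_nsec3(chain3))
    print("Wordlist recovers:", crack_nsec3(chain3, salt, iters, ["www", "mail", "vpn"]))
```

The NSEC walk recovers the full zone from five queries; the NSEC3 walk recovers five opaque hashes, and only the labels an attacker can guess (www, vpn) come back from the wordlist. Unpredictable host names and a non-trivial salt/iteration count are what make the NSEC3 option effective.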

dnssec template

Description Configure a DNSSEC template.

Syntax [no] dnssec template template-name

This command changes the CLI to the configuration level for the specified DNSSEC template, where the following commands are available.

Command Description

[no] combinations-limit num Maximum number of combinations per Resource Record Set (RRset). An RRset is all the records of one type for one owner name, such as all the AAAA (IPv6) records for www.example.com. You can specify 1-65535.

[no] dnskey-ttl seconds TTL for the zone's DNSKEY resource records, 1-864,000 seconds.

[no] ksk name Key signing key (KSK), by key filename as created with dnssec key-generate. The KSK signs the zone's DNSKEY RRset (which includes the public ZSK) and is the key the parent zone's DS record refers to, so it anchors the chain of trust. At least one KSK is needed to sign successfully, but no more than two KSKs can be configured.

[no] return-nsec-on-failure Returns an NSEC or NSEC3 record in the response to a query for a name that does not exist (authenticated denial of existence). As originally designed, DNSSEC's NSEC records link each name to the next name in the zone, so an attacker who queries for non-existent names can walk the chain and enumerate every device name in the zone, building a map of the network; signing with NSEC3RSASHA1 returns hashed names instead. Note that a validating resolver cannot authenticate a negative answer from a signed zone that carries no NSEC or NSEC3 record, so disabling this option trades enumeration resistance for validation failures on non-existent names.

[no] signature-validity-period days Number of days for which a signature (RRSIG) remains valid, 5-30.


[no] zsk name [active | published | deprecated] Zone signing key (ZSK), by key filename, used to sign the zone's records. At least one ZSK is needed to sign successfully, but no more than two ZSKs can be configured. The status keywords follow the usual DNSSEC key-management meaning:

active – Sets key status to active: the key signs the zone.

published – Sets key status to published: the key appears in the DNSKEY RRset but does not yet sign.

deprecated – Sets key status to deprecated: the key no longer signs.

Default The “default” DNSSEC template has the following defaults:

• combinations-limit – 31

• dnskey-ttl – 14,400 seconds (4 hours)

• ksk – Not set

• return-nsec-on-failure – enabled

• signature-validity-period – 10

• zsk – Not set

Mode Global configuration mode
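Two template values, dnskey-ttl and signature-validity-period, determine how long a ZSK must sit in each of the published, active and deprecated states during a rollover without leaving validators holding signatures they cannot match to a key. The following is an added example, not A10 code or a feature of the AX: it computes and checks that schedule using the template defaults. It assumes the standard DNSSEC pre-publish rollover semantics for the states (published = served in the DNSKEY RRset but not signing; deprecated = no longer signing but still served), and the PROPAGATION slack for secondaries is an operator-chosen value, not a template parameter.

```python
"""ZSK pre-publish rollover timing from the DNSSEC template parameters.

Added example (not A10 code). The start time and propagation slack are constructed.
"""
from datetime import datetime, timedelta

DNSKEY_TTL_SECONDS = 14400              # template default dnskey-ttl (4 hours)
SIGNATURE_VALIDITY = timedelta(days=10)  # template default signature-validity-period
PROPAGATION = timedelta(minutes=30)     # assumed time for secondaries to pick up DNSKEY changes
SAMPLE_START = datetime(2012, 10, 10, 9, 0)  # constructed rollover start time


def earliest_activation(published_at, dnskey_ttl=DNSKEY_TTL_SECONDS,
                        propagation=PROPAGATION):
    """A newly published ZSK may start signing only after every cache could have
    refreshed the DNSKEY RRset that now contains it: dnskey-ttl plus propagation."""
    return published_at + timedelta(seconds=dnskey_ttl) + propagation


def earliest_removal(deprecated_at, validity=SIGNATURE_VALIDITY):
    """A deprecated ZSK must stay in the DNSKEY RRset until no RRSIG it produced can
    still validate; signature-validity-period is the conservative upper bound."""
    return deprecated_at + validity


def check_rollover(plan, dnskey_ttl=DNSKEY_TTL_SECONDS,
                   validity=SIGNATURE_VALIDITY, propagation=PROPAGATION):
    """plan maps 'new_published', 'new_active', 'old_deprecated' and 'old_removed'
    to datetimes. Returns the timing violations; an empty list means no validator
    is ever left with a signature whose key it cannot fetch."""
    problems = []
    if plan["new_active"] < earliest_activation(plan["new_published"], dnskey_ttl, propagation):
        problems.append("new ZSK activated before caches could hold its DNSKEY")
    if plan["old_deprecated"] < plan["new_active"]:
        problems.append("old ZSK deprecated before the new ZSK was active (signing gap)")
    if plan["old_removed"] < earliest_removal(plan["old_deprecated"], validity):
        problems.append("old ZSK removed while RRSIGs it produced may still validate")
    return problems


def propose_plan(publish_at, dnskey_ttl=DNSKEY_TTL_SECONDS,
                 validity=SIGNATURE_VALIDITY, propagation=PROPAGATION):
    """Earliest safe pre-publish schedule: publish, wait, swap active/deprecated
    in one step, then keep the old key published for a full validity period."""
    activate = earliest_activation(publish_at, dnskey_ttl, propagation)
    return {
        "new_published": publish_at,
        "new_active": activate,
        "old_deprecated": activate,
        "old_removed": earliest_removal(activate, validity),
    }


def safe_plan():
    """The schedule the defaults give for the constructed start time."""
    return propose_plan(SAMPLE_START)


def rushed_plan():
    """Same plan, but the new key is activated one hour after publication."""
    return dict(safe_plan(), new_active=SAMPLE_START + timedelta(hours=1))


if __name__ == "__main__":
    for step, when in safe_plan().items():
        print(f"{step:15} {when:%Y-%m-%d %H:%M}")
    print("rushed plan:", check_rollover(rushed_plan()))
```

With the defaults, the new ZSK is published for 4.5 hours before it becomes active, and the old ZSK stays deprecated-but-published for 10 more days. Raising dnskey-ttl lengthens the first wait; raising signature-validity-period lengthens the second.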

dnssec sign-zone-now

Description Immediately trigger zone-signing.

Syntax dnssec sign-zone-now name

Parameter Description

name Name of the DNS zone.

Default Signing begins automatically 30 seconds after the zone or DNSSEC template configuration is changed.

Mode Global configuration mode


show dnssec template

Description Display information for a DNSSEC template.

Syntax show dnssec template name

Mode All


Corporate Headquarters

A10 Networks, Inc.
3 West Plumeria Dr
San Jose, CA 95134 USA

Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support – toll-free in USA)
Tel: +1-408-325-8676 (support – direct dial)
Fax: +1-408-325-8666

www.a10networks.com

© 2012 A10 Networks Corporation. All rights reserved.