Building and Modifying DNS Rules
Once you have configured your source address lists, domain lists, answers, and answer groups, you are ready to begin constructing the DNS rules that will govern all global server load balancing on your GSS network.
When building DNS rules, you specify actions for the GSS to take when it receives a request from a known source (a member of a source address list) for a known hosted domain (a member of a domain list).
The DNS rule specifies which response (answer) is given to the requesting user's local DNS host (D-proxy) and how that answer is chosen. One of a variety of balance methods is used to determine the best response to the request, based on the status and load of your GSS host devices.
Note: Before creating your DNS rules, review Chapter 1, Introducing the Global Site Selector, the "GSS Architecture" section.
This chapter contains the following major sections:
• DNS Rule Configuration Overview
• Building DNS Rules Using the Wizard
• Building DNS Rules Using the DNS Rule Builder
• Modifying DNS Rules
• Suspending a DNS Rule
• Reactivating a DNS Rule
• Suspending or Reactivating All DNS Rules Belonging to an Owner
• Deleting a DNS Rule
• Configuring DNS Rule Filters
• Removing DNS Rule Filters
• Delegation to GSS Devices
DNS Rule Configuration Overview
Because of the complexity of DNS rules, the primary GSSM GUI provides you with a choice of two methods for creating a DNS rule:
• DNS Rule Wizard
• DNS Rule Builder
DNS Rule Wizard
The DNS Rule Wizard (Figure 8-1) is an easy-to-use tool that guides you through the process of creating a DNS rule. The DNS Rule Wizard provides explanations for each step in the rule authoring process. The DNS Rule Wizard allows you to create source address lists, domain lists, answer groups, and balance methods on the fly.
Note: Owners, regions, and locations are not created as part of the DNS Rule Wizard and must be created prior to using the wizard.
Figure 8-1 DNS Rule Wizard - Introduction Page
When you use the wizard, the Next and Back buttons step you forward and backward through the rule-building process. Alternatively, use the navigation links under the Wizard Contents heading to move back and forth to any step in the wizard.
To access the DNS Rule Wizard, click the DNS Rules tab and then click the Rule Wizard icon. See the "Building DNS Rules Using the Wizard" section for details.
DNS Rule Builder
If you are an experienced GSS user, you can use the DNS Rule Builder (Figure 8-2) to quickly assemble DNS rules from source address lists, domain lists, owners, and answers that you have already created. Using the fields and drop-down menus provided, you can assign a name for your rule and then configure the rule with up to three balance clauses for the GSS to choose an answer.
Figure 8-2 DNS Rule Builder Window
Because the DNS Rule Builder is launched in its own window, you can leave it open and return to the primary GSSM GUI to review or add answers, answer groups, owners, domain lists, and more. Any changes made to your GSS network configuration while the DNS Rule Builder is open are immediately reflected in the DNS Rule Builder. For example, an answer group added while the DNS Rule Builder window is open automatically appears in the drop-down list of answer groups.
To access the DNS Rule Builder, click the DNS Rules tab and then click the Open Rule Builder icon. See the "Building DNS Rules Using the DNS Rule Builder" section for details.
Building DNS Rules Using the Wizard
To create a DNS rule using the DNS Rule Wizard:
Note: Owners, regions, and locations are not created as part of the DNS Rule Wizard and must be created prior to using the wizard.
1. From the primary GSSM GUI, click the DNS Rules tab, then the DNS Rules navigation link. The DNS Rules list appears (Figure 8-3).
Figure 8-3 DNS Rules List Page
2. Click the Rule Wizard icon. The DNS Rule Wizard introduction page appears (Figure 8-4). Read this page carefully; it provides an overview of the steps necessary to create a DNS rule.
Figure 8-4 DNS Rule Wizard—Introduction Page
3. Click the Next and Back buttons to step forward or backward through the DNS rule-building process. Alternatively, use the links under the Wizard Contents table of contents to jump back and forth to any step in the wizard.
The following procedures describe how to configure the properties for the individual pages in the DNS Rule Wizard.
   – DNS Rule Wizard—Source Address List Page
   – DNS Rule Wizard—Domain List Page
   – DNS Rule Wizard—Answer Group Page
   – DNS Rule Wizard—Balance Method Page
   – DNS Rule Wizard—Summary
DNS Rule Wizard—Source Address List Page
This step uses the Source Address List section of the DNS Rule Wizard (Figure 8-5) to identify your source address list.
Figure 8-5 DNS Rule Wizard—Source Address List Page 1
Perform one of the following:
• To have this DNS rule apply to requests originating from any DNS proxy, click the Any Address option, then click Next. See the DNS Rule Wizard—Domain List Page section for information on using the Domain List detail page in the wizard.
• To have this DNS rule apply to requests originating from a list of DNS proxies that you have not yet configured but now want to configure, click the Manually-entered source address list option, then click Next. See the DNS Rule Wizard—Source Address List Page 2 section for information on using the Source Address List detail page in the wizard.
• To have this DNS rule apply to requests originating from a list of DNS proxies that you have already configured using the Source Address Lists feature, click the Predefined source address list option, then click Next. See the DNS Rule Wizard—Source Address List Page 3 section for information on using the Source Address List detail page in the wizard.
DNS Rule Wizard—Source Address List Page 2
If you chose the Manually-entered Source Address List option in the Source Address List section of the wizard, perform the following steps to create your Source Address List (Figure 8-6). Once you configure your Source Address List using the wizard, it is available for other DNS rules as well.
Figure 8-6 DNS Rule Wizard—Source Address List Page 2
1. Enter a name for your Source Address List in the List Name field.
2. Optionally, click the List Owner drop-down list and select a GSS owner name.
3. In the space provided, enter one or more source CIDR-format IP addresses that make up the list. You can enter individual IP addresses or address blocks. If you wish to enter multiple IP addresses, separate the addresses using semicolons.
   For example:
   192.168.1.110/32; 192.168.10.0/24; 192.161.0.0/16
4. Click Next to proceed to the Domain List detail page of the DNS Rule Wizard. See the DNS Rule Wizard—Domain List Page section for information.
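The semicolon-separated CIDR format from step 3 can be checked before it is typed into the wizard, since a mistyped prefix changes which D-proxies a rule applies to. The following Python sketch is an added example, not Cisco code or part of the GSS software; the function names are hypothetical, and rejecting entries with host bits set is this example's own policy, not documented GSS behavior.

```python
import ipaddress


def parse_source_address_list(text):
    """Parse a semicolon-separated list of IPv4 CIDR entries.

    Returns (networks, problems). An entry that does not parse, or whose host
    bits are set (for example 192.168.10.5/24), is reported in problems rather
    than silently accepted. That strictness is this example's policy.
    """
    networks, problems = [], []
    for raw in text.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing semicolon
        try:
            networks.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            problems.append((entry, str(exc)))
    return networks, problems


def redundant_entries(networks):
    """Return (narrow, broad) pairs where one entry is already covered by another."""
    pairs = []
    for narrow in networks:
        for broad in networks:
            if narrow != broad and narrow.subnet_of(broad):
                pairs.append((narrow, broad))
    return pairs


def source_matches(networks, dproxy_ip):
    """True if the D-proxy address falls inside any entry of the list."""
    addr = ipaddress.IPv4Address(dproxy_ip)
    return any(addr in net for net in networks)


# The example list from step 3 of the procedure above.
PAGE_EXAMPLE = "192.168.1.110/32; 192.168.10.0/24; 192.161.0.0/16"
# Constructed input: a covered block, an entry with host bits set, a hostname.
CONSTRUCTED_BAD = "10.0.0.0/8; 10.1.2.0/24; 192.168.10.5/24; dproxy.example"

if __name__ == "__main__":
    nets, errs = parse_source_address_list(PAGE_EXAMPLE)
    print("accepted:", [str(n) for n in nets], "rejected:", errs)
    for ip in ("192.168.10.77", "192.168.1.111", "192.161.200.9"):
        print(ip, "matches" if source_matches(nets, ip) else "does not match")

    nets, errs = parse_source_address_list(CONSTRUCTED_BAD)
    for entry, reason in errs:
        print("rejected:", entry, "-", reason)
    for narrow, broad in redundant_entries(nets):
        print(f"redundant: {narrow} is already covered by {broad}")
```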
DNS Rule Wizard—Source Address List Page 3
If you selected the Predefined Source Address List option in the Source Address List section of the wizard, perform the following procedure to create your Source Address List (Figure 8-7).
Figure 8-7 DNS Rule Wizard—Source Address List Page 3
1. Click the name of the Source Address List in the list to highlight it.
2. Click Next to proceed to the Domain List detail page of the DNS Rule Wizard. See the DNS Rule Wizard—Domain List Page section for information.
DNS Rule Wizard—Domain List Page
This step uses the Domain List section of the DNS Rule Wizard (Figure 8-8) to specify the domains that users will be requesting. Each GSS can support a maximum of 2000 hosted domains and 2000 hosted domain lists, with a maximum of 500 hosted domains supported for each domain list. If using a KAL-AP type answer, the GSS can support up to 1024 domains managed by any single server load balancing device such as a Cisco Content Services Switch (CSS) or Content Switching Module (CSM).
Figure 8-8 DNS Rule Wizard—Domains List Page 1
Perform one of the following:
• To have the DNS rule apply to requests for a hosted domain that you have not yet configured but now want to configure, click the Manually-entered domain list option, then click Next. See the DNS Rule Wizard—Domain List Page 2 section for information on using this Domain List detail page in the wizard.
• To have the DNS rule apply to requests for a domain from a list of hosted domains already configured using the Domain Lists feature of the primary GSSM, click the Predefined domain list option, then click Next. See the DNS Rule Wizard—Domain List Page 3 section for information on using this Domain List detail page in the wizard.
DNS Rule Wizard—Domain List Page 2
If you chose the Manually-entered Domain List option in the Domain List section of the wizard, perform the following steps to manually configure the domains that users will be requesting (Figure 8-9). Once you have configured your Domain List using the DNS Rule Wizard, it is available for other DNS rules as well.
Figure 8-9 DNS Rule Wizard—Domains List Page 2
1. Enter a name for your Domain List in the List Name field.
2. Optionally, click the List Owner drop-down list and select an owner name.
3. In the space provided, enter one or more domain names that make up the list. You can enter complete domain names, or any regular expression that specifies a pattern by which the GSS can match incoming addresses. Any request for a hosted domain that matches that pattern is directed accordingly.
   For example, if you had only three hosted domains—www.cisco.com, support.cisco.com, and customer.cisco.com—for which the GSS was responsible, you might want to enter only those domains in your domain list, as follows:
   www.cisco.com; support.cisco.com; customer.cisco.com
   However, if you had 20 or more possible domains for which the GSS was responsible—www1.cisco.com, www2.cisco.com, and so on—manually entering each address is time consuming. In such a situation, you could create a wildcard expression that would cover all those domains, as follows:
4. When you finish entering the domain names, click Next to proceed to the Answer Group detail page of the DNS Rule Wizard. See the DNS Rule Wizard—Answer Group Page section for information.
DNS Rule Wizard—Domain List Page 3
If you selected the Predefined Domain List option, this step allows you to select from a list of previously configured domains (Figure 8-10).
Figure 8-10 DNS Rule Wizard—Domains List Page 3
1. Click the name of the domain list so that its name is highlighted.
2. Click Next to proceed to the Answer Group detail page of the DNS Rule Wizard. See the DNS Rule Wizard—Answer Group Page section for information.
DNS Rule Wizard—Answer Group Page
This step of the DNS Rule Wizard uses the Answer Groups section of the wizard (Figure 8-11) to configure an Answer Group.
Figure 8-11 DNS Rule Wizard—Answer Group Page 1
Perform one of the following:
• To have this DNS rule respond to the request for the hosted domain using resources (answers) that you have not yet configured, click the Enter addresses option, then click Next. See the DNS Rule Wizard - Answer Group Page 2 section for information on using this Answer Group detail page in the wizard.
• To have this DNS rule respond to the request for the hosted domain using resources (answers) that you already configured using the Answers and Answer Group features, click the Select an existing answer group option, then click Next. See the DNS Rule Wizard - Answer Group Page 4 section for information on using this Answer Group detail page in the wizard.
DNS Rule Wizard - Answer Group Page 2
If you chose the Enter Addresses option in the Answer Group section of the wizard (Figure 8-12), perform the following steps to create your answers and answer group. Once you configure your Answer Group using the Wizard, it is available for other DNS Rules as well.
Figure 8-12 DNS Rule Wizard—Answer Group Page 2
1. Enter a name for your answer group in the Group Name field.
2. Optionally, select an owner for the answer group by clicking the Group Owner drop-down list and selecting a GSS owner from the list.
3. Select an answer group type by clicking one of the three option buttons provided. Once you select an answer group type, only answers of that type (VIP, NS, or CRA) can be added to the group.
   – VIP—Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, web server, cache, or other geographically dispersed SLBs in a global network deployment.
   – Name Server—A configured DNS name server on your network that can answer queries that the GSS cannot resolve.
   – CRA—Content routing agents that use a resolution process called DNS race to send identical and simultaneous requests back to a user's D-proxy.
4. Click Next to begin configuring answers for your answer group. See the DNS Rule Wizard - Answer Group Page 3 section for information on using this Answer Group detail page in the wizard.
DNS Rule Wizard - Answer Group Page 3
This step uses the Answer Group page of the DNS Rule Wizard to configure answers for the specified answer group type: VIP, NS, or CRA (Figure 8-13).
Figure 8-13 DNS Rule Wizard—Answer Group Page 3
1. Perform one of the following:
   – If configuring a VIP type answer group, use the following steps to identify the VIPs that provide the answers that make up the answer group. Assign an order, load threshold, and weight to each answer in the answer group.
      a. Enter the address of each VIP that belongs to the answer group in the IP Address fields provided.
      b. Click the Location drop-down list and select an optional Location.
      c. If using the Weighted Round Robin balance method, click the Weight drop-down list and assign a weight between 1 and 10 to each answer in the answer group.
      d. If using the Ordered List balance method, assign an order to each VIP listed in the answer group using the Order field provided. The number you assign represents the order of the answer in the list. Subsequent VIPs on the list will only be used in the event that preceding VIPs on the list are unavailable. The GSS supports gaps in numbering in an ordered list.
      Note: For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
      e. If using a KAL-AP-type answer, assign a load threshold between 0 and 255 using the Load Threshold field. If the VIP answer reports a load above the specified threshold, the GSS will deem the device unavailable to handle further requests.
   – If configuring a new name server-type answer group, use the following steps to identify the name servers that provide the answers that make up the answer group:
      a. Enter the address of each name server that belongs to the answer group in the IP Address fields provided.
      b. For each name server IP address, select an optional location by clicking the Location drop-down list.
      c. If using the Weighted Round Robin balance method, click the Weight drop-down list and assign a weight between 1 and 10 to each answer in the answer group. The weight is used to create a ratio that the GSS uses when directing requests to each answer. For example, if Answer A has a weight of 10 and Answer B has a weight of 1, Answer A will receive 10 requests for every 1 directed to Answer B.
      d. If you are using the Ordered List balance method with this answer group, assign an order to each name server listed in the answer group using the Order drop-down list provided. The number you assign represents the order of the answer in the list. Subsequent name servers on the list will only be used in the event that preceding name servers on the list are unavailable. The GSS supports gaps in numbering in an ordered list.
      Note: For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
   – If configuring a CRA type answer group, use the following steps to identify the content routing agents (CRAs) that provide the answers that make up the answer group, then assign a location for each answer in the answer group.
      a. Enter the address of each CRA that belongs to the answer group in the IP Address fields provided.
      b. For each CRA IP address, select an optional location by clicking on the Location drop-down list.
2. Click Next to proceed to the Balance Method details page of the DNS Rule Wizard. See the DNS Rule Wizard—Balance Method Page section for information.
DNS Rule Wizard - Answer Group Page 4
If you selected the Select an Existing Answer Group option, this step allows you to select from a series of previously configured answers (Figure 8-14).
Figure 8-14 DNS Rule Wizard—Answer Group Page 4
1. Click the name of the answer group in the list so that the name is highlighted.
2. Click Next to proceed to the Balance Method details page of the DNS Rule Wizard. See the DNS Rule Wizard—Balance Method Page section for information.
DNS Rule Wizard—Balance Method Page
This step of the DNS Rule Wizard uses the Balance Method page of the wizard (Figure 8-15) to select a balance method to use when selecting the answer from your answer group that is best suited to respond to the DNS query. Your choice of balance methods is limited by the type of answer group (name server, VIP, or CRA) you selected. The DNS Rule Wizard only supports selection of a single balance clause. If necessary, you can modify the DNS rule and add additional balance clauses using the DNS Rule Builder (see the "Modifying DNS Rules" section).
Figure 8-15 DNS Rule Wizard—Balance Method Page
Perform one of the following:
1. If configuring a VIP or name server answer group to respond to requests, choose from the following balance methods for each of your DNS rule clauses:
   – Hashed—The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group.
      • By Source Address—The GSS selects the answer based on a hash value created from the source address of the request.
      • By Domain Name—The GSS selects the answer based on a hash value created from the requested domain name.
   – Least Loaded—Available for VIP-type answer groups only using a KAL-AP keepalive. The GSS selects an answer from the list based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.
   – Ordered List—The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports gaps in numbering in an ordered list.
   Note: For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
   – Round Robin—The GSS cycles through the list of answers that are available as requests are received.
   – Weighted Round Robin—The GSS cycles through the list of answers that are available as requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.
2. If you configured a CRA Answer Group to respond to requests:
   – Boomerang is automatically assigned by the GSS software as the balance method.
   – Enter a "last gasp" address in the Last Gasp field provided. This address serves as the answer in the event that no content routing agents reply to the request. If you specify a "last gasp" address, the GSS automatically:
      • Creates an answer for this address
      • Creates an answer group that contains the "last gasp" answer
      • Adds a second balance clause to the DNS rule with the suffix -GROUP and uses ordered list as the balance method.
3. Click Next to proceed to the Summary page of the DNS Rule Wizard. An overview of your rule is provided that supplies information on the selected source address list, domain list, answer group, and balance method. See the DNS Rule Wizard—Summary section for information.
DNS Rule Wizard—Summary
The Summary page (Figure 8-16) provides an overview of your rule, including information on the source address list, domain list, answer group, and balance method chosen.
Figure 8-16 DNS Rule Wizard—Summary Page
Using the fields provided on the Summary page, complete your DNS rule as follows:
1. Enter a name for your DNS Rule in the Rule Name field.
2. Optionally, associate the rule with a GSS owner by selecting an owner name from the Rule Owner drop-down list.
3. Indicate which type of DNS query applies to this rule by selecting a query type from the Match DNS Query Type drop-down list:
   – All - The DNS rule is applied to all DNS queries originating from a host on the configured source address list. For any request other than an A-record query (for example, MX or CNAME record), the GSS forwards the request to a name server configured in one of the three Balance Clauses. When the GSS receives the response from the name server, it then delivers the response to the requesting client D-proxy.
   Note: When you select All as the Match DNS Query Type, you must configure one Balance Clause to include a name server-type answer group.
   – A record - The DNS rule is applied only to answer address record (A record) requests originating from a host on the configured source address list. Requests with unsupported query types (for example, MX, PTR, or CNAME record) that match this DNS rule are dropped and not answered by the GSS. For an AAAA query with a configured host domain, the GSS returns a NODATA (No Answer, No Error) response in order for the requester to then make a subsequent A-record query.
4. Select an operating status for the rule from the Rule Status drop-down list:
   – Active—The DNS rule immediately begins processing requests.
   – Suspended—The DNS rule is listed on the DNS Rules list page, but has a status of "suspended". The DNS rule is not used to process any incoming DNS queries.
5. Click Finish to save your DNS Rule. You return to the DNS Rules list page.
Building DNS Rules Using the DNS Rule Builder
If you are comfortable with the process of building a DNS rule and have already configured your domain lists, answers, and answer groups, use the DNS Rule Builder to quickly assemble a DNS rule.
The DNS Rule Builder is an interface that pulls together all the GSS elements needed to create new DNS rules. Because the DNS Rule Builder is launched in its own window, you can leave it open and return to the primary GSSM GUI to review or add answers, answer groups, owners, domain lists, and more. Any changes made to your GSS network configuration while the DNS Rule Builder is open are immediately reflected in the DNS Rule Builder.
In addition, the DNS Rule Builder allows you to configure multiple clauses for your DNS rule; that is, additional answer group and balance method pairs that can be tried in the event that the first answer group and balance method specified does not yield an answer.
To create a DNS rule using the DNS Rule Builder:
1. From the primary GSSM GUI, click the DNS Rules tab, then the DNS Rules navigation link. The DNS Rules list appears (Figure 8-17).
Figure 8-17 DNS Rules List Page
2. Click the Open Rule Builder icon. The DNS Rule Builder page opens in a separate window (Figure 8-18).
Figure 8-18 Create New DNS Rule Window
3. In the Rule Name field, enter a name for your new DNS Rule. Rule names cannot contain spaces.
4. From the Rule Owner drop-down list, choose a contact with whom the rule will be associated. The default Rule Owner is System.
5. From the Source Address List drop-down list, choose a Source Address List from which requests will originate. The DNS rule is applied only to requests coming from one of the addresses in the source address list. If you do not choose a source address list, the GSS automatically uses the default list Anywhere.
6. From the Domain List drop-down list, choose a domain list to which DNS queries will be addressed. The DNS rule is applied only to requests coming from one of the addresses in the source address list and for a domain on the specified domain list.
7. From the Match DNS Query Type drop-down list, indicate which type of DNS query applies to this rule:
   – All - The DNS rule is applied to all DNS queries originating from a host on the configured source address list. For any request other than an A-record query (for example, MX or CNAME record), the GSS forwards the request to a name server configured in one of the three Balance Clauses. When the GSS receives the response from the name server, it then delivers the response to the requesting client D-proxy.
   Note: When you select All as the Match DNS Query Type, you must configure one Balance Clause to include a name server-type answer group.
   – A record - The DNS rule is applied only to answer address record (A record) requests originating from a host on the configured source address list. Requests with unsupported query types (for example, MX, PTR, or CNAME record) that match this DNS rule are dropped and not answered by the GSS. For an AAAA query with a configured host domain, the GSS returns a NODATA (No Answer, No Error) response in order for the requester to then make a subsequent A-record query.
8. At the Balance Clause 1 heading:
   – Select the answer group component of your first answer group/balance method pairing from the drop-down list. This is the first effort the GSS uses to select an answer for the DNS query.
   – Select the balance method for the answer group from the drop-down list. Your choice of balance methods changes based on the type of answer group (Name Server, VIP, or CRA) you selected.
9. If you selected a VIP or name server answer group to respond to requests, choose from the following balance methods for each of your DNS rule clauses:
   Note: If you selected a CRA-type Answer Group, the balance method is automatically set to Boomerang.
   – Hashed—The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group.
      • By Source Address—The GSS selects the answer based on a hash value created from the source address of the request.
      • By Domain Name—The GSS selects the answer based on a hash value created from the requested domain name.
   – Least Loaded—Available for VIP-type answer groups only using a KAL-AP keepalive. The GSS selects an answer from the list based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.
   – Ordered List—The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports gaps in numbering in an ordered list.
   Note: For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
   – Round Robin—The GSS cycles through the list of answers that are available as requests are received.
   – Weighted Round Robin—The GSS cycles through the list of answers that are available as requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.
10. If you selected a VIP-type answer group, configure the following information in the fields provided:
   – DNS TTL—The duration of time in seconds that the requesting DNS proxy caches the response sent from the GSS and considers it to be a valid answer.
   – Return Record Count—The number of address records (A-records) that you want the GSS to return for requests that match the DNS rule.
11. If you selected a CRA-type answer group, configure the following information in the fields provided:
   – DNS TTL—The duration of time in (units) that the requesting DNS proxy caches the response sent from the GSS and considers it to be a valid answer.
   – Fragment Size—The preferred size of the boomerang race response that is produced by a match to a DNS rule and sent to the requesting client.
   – Pad Size—The amount of extra data (in bytes) included with each CRA response packet and used to evaluate CRA bandwidth as well as latency when making load balancing decisions.
   – IP TTL—The maximum number of network hops that should be utilized when returning a response to a CRA from a match on a DNS rule.
   – Secret—A text string, up to 64 characters, that is used to encrypt critical data sent between the GSS boomerang server and CRAs. This key must be the same for each configured CRA.
   – Max Prop. Delay—The maximum propagation delay, that is, the maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS forwards a DNS request to a CRA.
   – Server Delay—The maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS returns the address of its "last gasp" server as a response to the requesting name server.
12. If you wish, repeat Step 8 through Step 10 to select additional answer group/balance method pairings for Balance Clause 2 and Balance Clause 3. These answer pairs are only applied if the preceding clause is unable to provide an answer for the DNS query.
13. Click Save to save your DNS Rule. You return to the DNS Rules list page. The DNS rule is now active and processing incoming DNS requests.
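The interaction of balance clauses, ordered lists with duplicate order numbers, and KAL-AP load thresholds is easier to review as a model than through the GUI. The following Python sketch is an added example, not Cisco code: it models only the behavior this chapter states, all class and function names are hypothetical, and two points are assumptions (the "first" answer with a given order number means first in configuration order, and weighted round robin is sequenced by repeating each answer weight times per cycle).

```python
from dataclasses import dataclass


@dataclass
class Answer:
    address: str
    online: bool = True         # keepalive state
    order: int = 0              # Ordered List position
    weight: int = 1             # Weighted Round Robin weight, 1-10
    load: int = 0               # load reported over KAL-AP
    load_threshold: int = 255   # 0-255; a load above this means unavailable


@dataclass
class Clause:
    group_type: str             # "VIP", "NS" or "CRA"
    method: str                 # "ordered", "least_loaded" or "wrr"
    answers: list


def available(a):
    return a.online and a.load <= a.load_threshold


def split_by_order(answers):
    """Return (usable, shadowed): only the first answer with a given order
    number is usable. "First" means configuration order here (assumption)."""
    seen, usable, shadowed = set(), [], []
    for a in answers:
        (shadowed if a.order in seen else usable).append(a)
        seen.add(a.order)
    return sorted(usable, key=lambda a: a.order), shadowed


def pick(clause, request_no=0):
    """Choose one answer from a clause, or None if the clause yields nothing."""
    if clause.method == "ordered":
        live = [a for a in split_by_order(clause.answers)[0] if available(a)]
        return live[0] if live else None
    live = [a for a in clause.answers if available(a)]
    if not live:
        return None
    if clause.method == "least_loaded":
        return min(live, key=lambda a: a.load)
    if clause.method == "wrr":
        # Each answer appears weight times per cycle (sequencing is assumed).
        cycle = [a for a in live for _ in range(a.weight)]
        return cycle[request_no % len(cycle)]
    raise ValueError(f"unknown balance method: {clause.method}")


def resolve(clauses, request_no=0):
    """Try Balance Clause 1, then 2, then 3; return (clause number, address)."""
    for number, clause in enumerate(clauses[:3], start=1):
        answer = pick(clause, request_no)
        if answer is not None:
            return number, answer.address
    return None


def audit(clauses, query_type="A record"):
    """Report rule definitions that behave differently from how they read."""
    findings = []
    if len(clauses) > 3:
        findings.append("more than three balance clauses")
    if query_type == "All" and not any(c.group_type == "NS" for c in clauses):
        findings.append("query type All needs a name server answer group")
    for number, clause in enumerate(clauses, start=1):
        if clause.method != "ordered":
            continue
        for a in split_by_order(clause.answers)[1]:
            findings.append(
                f"clause {number}: {a.address} shares order {a.order} and is never used")
    return findings


def sample_clauses():
    """Constructed rule: documentation-range addresses, invented loads."""
    return [
        Clause("VIP", "least_loaded", [
            Answer("192.0.2.10", load=200, load_threshold=150),  # over threshold
            Answer("192.0.2.11", online=False),
        ]),
        Clause("VIP", "ordered", [
            Answer("198.51.100.1", order=10, online=False),
            Answer("198.51.100.2", order=20),
            Answer("198.51.100.3", order=20),   # duplicate order number
            Answer("198.51.100.4", order=40),   # gap in numbering is allowed
        ]),
    ]


if __name__ == "__main__":
    rule = sample_clauses()
    print("answer:", resolve(rule))
    for finding in audit(rule, query_type="All"):
        print("finding:", finding)
```

In the constructed rule, clause 1 yields nothing, so clause 2 answers with 198.51.100.2; the answer at 198.51.100.3 looks like a standby in the list but is never selected, which is the situation the Note on duplicate order numbers warns about.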
Modifying DNS Rules
As with the creation of DNS rules, you can also use the DNS Rule Builder or the DNS Rule Wizard to modify a DNS rule. To modify a previously created DNS rule, perform one of the following:
To modify a DNS rule using the DNS Rule Builder:
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list appears.
2. Click the Modify DNS Rule Using Rule Builder Interface button located to the left of the DNS rule you want to modify. The Modify DNS Rule details page opens in a separate window.
3. Make modifications as necessary to the DNS rule. See "Building DNS Rules Using the DNS Rule Builder" for details about using the DNS Rule Builder.
4. Click Save when you complete your modifications. You return to the DNS Rules list page.
To modify a DNS rule using the DNS Rule Wizard:
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list appears.
2. Click the Modify DNS Rule Using Wizard button located to the left of the DNS rule you want to modify. The Modify DNS Rule Wizard appears.
3. Make modifications as necessary to the DNS rule in the DNS Rule Wizard. See "Building DNS Rules Using the Wizard" for details about using the DNS Rule Wizard.
4. Click Finish when you complete your modifications. You return to the DNS Rules list page.
Suspending a DNS Rule
If you want to stop requests from being processed by a DNS rule on your GSS, use the suspend feature to temporarily deactivate the rule. You can use the suspend feature to temporarily halt traffic to particular answers while those resources are receiving maintenance.
Once a rule has been suspended, you must reactivate it from the primary GSSM GUI before it can again be used to process incoming DNS queries.
To suspend a DNS rule from the DNS Rule Builder:
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule you want to suspend. The DNS Rule Builder page appears in a separate browser window.
3. Click the Suspend icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to suspend the DNS rule.
4. Click OK to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Suspended.
To suspend a DNS rule from the DNS Rule Wizard:
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Wizard icon located to the left of the DNS rule you want to suspend. The DNS Rule Wizard appears.
3. Click the Summary navigation link in the Wizard Contents table of contents. The Summary page appears (see Figure 8-16).
4. From the Rule Status drop-down list, select the Suspended operating status for the DNS rule.
5. Click Finish to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Suspended.
Reactivating a DNS Rule
To reactivate operation of a suspended DNS rule from the DNS Rule Builder:
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule you want to activate. All suspended DNS rules have a status of Suspended in the list. The DNS Rule Builder window appears.
3. Click the Activate icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to activate the DNS rule.
4. Click OK to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Active.
To reactivate operation of a suspended DNS rule from the DNS Rule Wizard:
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Wizard icon located to the left of the DNS rule you want to activate. The DNS Rule Wizard appears.
3. Click the Summary navigation link in the Wizard Contents table of contents. The Summary page appears (see Figure 8-16).
4. From the Rule Status drop-down list, select the Active operating status for the DNS rule.
5. Click Finish to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as Active.
Suspending or Reactivating All DNS Rules Belonging to an Owner
DNS rules can be grouped and managed according to the GSS owner with which they have been associated. Using owners to manage your DNS rules makes it easier to quickly suspend or activate the rules related to a particular group or department within your organization (for example, HR or Sales) without having to edit each rule that serves that owner individually.
To suspend or reactivate DNS rules belonging to an owner:
1. From the primary GSSM GUI, click the Resources tab.
2. Click the Owners navigation link. The Owners list page appears (Figure 8-19).
Figure 8-19 Owners List Page
3. Click the Modify Owner icon located to the left of the owner responsible for the DNS rules you want to suspend or reactivate. The Modifying Owner details page appears (Figure 8-20).
Figure 8-20 Modifying Owners Details Page
4. Perform one of the following:
– To suspend all DNS rules associated with this owner, click the Suspend All DNS Rules for This Owner icon in the upper-right corner of the details page.
– To reactivate all suspended DNS rules associated with this owner, click the Activate All DNS Rules for This Owner icon in the upper-right corner of the details page.
5. Confirm your decision to suspend or activate the answers. Click OK. You return to the Owner list page.
Deleting a DNS Rule
Use the delete feature on the primary GSSM GUI to remove a previously created DNS rule from the GSSM database. Deleting a DNS rule does not delete the source address lists, domain lists, owners, and answer groups associated with the DNS rule.
Caution 
Deletions of any kind cannot be undone in the GSSM. If you might want to use the deleted data at a later point in time, we recommend performing a database backup of your GSSM. Refer to Chapter 9, GSS Administration and Troubleshooting, for details.
To delete a DNS rule:
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule you want to delete. The DNS Rule Builder window appears.
3. Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the DNS rule.
4. Click OK to confirm your decision. You return to the DNS Rule list page.
Configuring DNS Rule Filters
As your GSS network grows, so will your collection of DNS rules for handling traffic to and from your network. In time, it may become difficult to locate the rules that you need. For that reason, the GSS GUI provides filters that can be applied to your DNS rules, allowing you to view only those rules that have the properties you are interested in. For example, you can create a filter that will limit your view of the DNS rules to include only those that involve a certain source address list or domain list, use a certain balance method, are owned by a particular user, or have a status of "active."
To configure a DNS rule filter:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Filter DNS Rule List icon. The Configure DNS Rule List Filter details page appears (Figure 8-21).
Figure 8-21 Configure DNS Rule List Filter Details Page
3. To filter your list by any of the properties displayed on the Filter List page, enter a complete or partial (wildcard) value into the fields provided. This page is divided into Source Address List Filter Parameters, Domain List Filter Parameters, Balance Clause Filter Parameters, and DNS Rule Filter Parameters. The GSS supports filtering combinations in the properties of all four sections of the details page.
Table 8-1 lists the parameters that can be used to filter your DNS rules list and provides explanations and sample entries for each parameter.
Table 8-1 DNS Rules Filter Parameters
| Parameter | Description | Selection Examples |
|---|---|---|
| Source Address List Filter Parameters | | |
| Name | Name assigned to a source address list associated with the DNS rule | VIP1, VIP*, NameServerList |
| IP Address Block | IP address or address block assigned to a source address list associated with the DNS rule | 192.168.110.100, 192.168.* |
| Owner | Name of the owner assigned to the source address list associated with the DNS rule | Any, System, Education |
| Domain List Filter Parameters | | |
| Name | Name assigned to a domain list associated with the DNS rule | CiscoSystems, Cisco* |
| Domain | Domain included on the domain list associated with the DNS rule | www.cisco.com, support.cisco.com, www.* |
| Owner | Name of the owner assigned to the domain list associated with the DNS rule | Any, System, Sales |
| Balance Clause Filter Parameters | | |
| Answer Group Name | Name assigned to an answer group associated with the DNS rule | VIP_answer_Group_1, VIP_answer_Group_2, VIP_* |
| Answer Group Owner | Name of the owner assigned to the answer group associated with the DNS rule | Any, System, HR |
| Answer Group Type | Type of answer group associated with the DNS rule | CRA, Name Server, VIP |
| Contains Answer | Answer belonging to an answer group associated with the DNS rule | 192.161.1.2, 192.168.* |
| Balance Method | Type of balance method (such as boomerang and ordered list) associated with the DNS rule | Boomerang, Hashed, Least Loaded, Order List, Round-Robin, Weighted Round-Robin |
| DNS Rule Filter Parameters | | |
| Name | Name of the DNS rule | Cisco_Rule, Cisco* |
| Owner | Name of the owner assigned to the DNS rule | Any, System, Sales |
| Status | Status of the DNS rule, either active or suspended | Any, Active, Suspended |
4. Click Submit to confirm your decision. The DNS Rule list page reappears. The displayed DNS rules are those DNS rules that match your search criteria. If no DNS Rule parameters match the parameters that you used to filter the list, a message appears:
No DNS rules match the filter specification.
Removing DNS Rule Filters
Use the Show All DNS Rules icon on the DNS Rules list page to remove any filters that have been applied to your DNS Rules. The Show All DNS Rules icon removes all filters and displays a complete list of DNS Rules on your GSS network.
To remove DNS rule filters:
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2. Click the Show All DNS Rules icon. The DNS Rule Filter list page refreshes, displaying all configured DNS rules.
Delegation to GSS Devices
Once you have configured your GSS devices to connect to your network and have created the logical resources (source address lists, domain lists, answers and answer groups, and DNS rules) required for global server load balancing, you are ready to complete the final step that integrates your new global server load-balancing device into your network's DNS infrastructure and starts delivering user queries to your GSS: modifying your parent domain's DNS server to delegate parts of its name space to your GSSs.
Note
You should carefully review and perform a test of your GSS deployment before making changes to your DNS server configuration that will affect your public or enterprise network configuration.
Modifying your DNS servers to accommodate your GSS devices involves the following steps:
1. Adding name server (NS) records to your DNS zone configuration file that delegate your domain or subdomains to one or more of your GSSs
2. Adding "glue" address (A) records to your DNS zone configuration file that map the DNS name of each of your GSS devices to an IP address
Example 8-1 provides an example of a DNS zone configuration file for a fictitious cisco.com domain that has been modified to delegate primary DNS authority for three domains to two GSS devices. Relevant lines are shown in bold type.
In Example 8-1, the delegated domains are:
• www.cisco.com
• ftp.cisco.com
• media.cisco.com
The GSS devices are:
• gss1.cisco.com
• gss2.cisco.com
Example 8-1 Sample BIND Zone Configuration File Delegating GSSs
cisco.com. IN SOA ns1.cisco.com. postmaster.cisco.com. (
        2001111001 ; serial number
        360000 )   ; minimum 100 hours
; Corporate Name Servers for cisco.com
; Sub-domains delegated to GSS Network
www IN NS gss1.cisco.com.
ftp IN NS gss1.cisco.com.
; "Glue" A records with GSS interface addresses
When reviewing this zone file, remember that there are any number of possible GSS deployments that you can use, some of which may suit your needs and your network better than the example listed. For example, instead of having all subdomains shared by all GSS devices, you may want to allocate specific subdomains to specific GSSs.
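The two zone-file changes listed above (NS delegation records and glue A records) can be checked mechanically before the zone is loaded. The following Python script is an added example, not part of the original Cisco documentation; the sample zone, its 192.0.2.x addresses, and the names `check_delegation`, `fqdn`, `GSS_NS` and `SAMPLE_ZONE` are constructed for illustration, and the parser assumes one record per line with an explicit owner name.

```python
import re

# Constructed sample zone (not from the original page). Names follow Example 8-1;
# addresses are from the 192.0.2.0/24 documentation range. Two defects are planted.
SAMPLE_ZONE = """\
$ORIGIN cisco.com.
www    IN NS gss1.cisco.com.
www    IN NS gss2.cisco.com.
ftp    IN NS gss1.cisco.com.
ftp    IN NS gss2.cisco.com.
media  IN NS gss1.cisco.com.   ; second NS record missing
gss1   IN A  192.0.2.10        ; glue for gss1 only
"""
GSS_NS = ["gss1.cisco.com.", "gss2.cisco.com."]
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(NS|A)\s+(\S+)", re.I)


def fqdn(name, origin):
    """Expand a relative zone-file name to a lower-case absolute name."""
    name = origin if name == "@" else name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"


def check_delegation(zone_text, origin, expected_ns):
    """List delegations missing an expected NS or glue for an in-zone NS."""
    ns, glue = {}, set()
    for line in zone_text.splitlines():
        m = RECORD.match(line.split(";", 1)[0])  # drop comments first
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if rtype.upper() == "NS":
            ns.setdefault(fqdn(owner, origin), set()).add(fqdn(rdata, origin))
        else:
            glue.add(fqdn(owner, origin))
    problems = []
    for owner, targets in ns.items():
        if owner == origin:
            continue  # the zone's own NS set is not a delegation
        for missing in sorted(set(expected_ns) - targets):
            problems.append(f"{owner} is not delegated to {missing}")
        for target in sorted(targets):
            if target.endswith("." + origin) and target not in glue:
                problems.append(f"{owner}: no glue A record for {target}")
    return sorted(problems)


if __name__ == "__main__":
    print("\n".join(check_delegation(SAMPLE_ZONE, "cisco.com.", GSS_NS)))
```

A delegation that names an in-zone GSS without a matching glue record, or that omits one of the GSS devices, leaves resolvers unable to reach that device for the delegated subdomain.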