Cisco GSS CLI-Based Global Server Load-Balancing Configuration Guide (Software Version 2.0) - Building and Modifying DNS Rules [Cisco ACE GSS 4400 Series Global Site Selector Appliances]

Table Of Contents

Building and Modifying DNS Rules

Logging in to the CLI and Enabling Privileged EXEC Mode

Building DNS Rules

Configuring Balance Clauses for a DNS Rule

Configuring Balance Clauses that Use VIP-Type Answer Groups

Configuring Balance Clauses that Use NS-Type Answer Groups

Configuring Balance Clauses that Use CRA-Type Answer Groups

Modifying DNS Rules and Balance Clauses

Modifying DNS Rule Properties

Modifying Balance Clause Properties

Displaying DNS Rule Properties

Suspending a DNS Rule

Reactivating a DNS Rule

Suspending or Reactivating All DNS Rules Belonging to an Owner

Deleting a DNS Rule

Configuring DNS Rule Filters

Removing DNS Rule Filters

Delegating to GSS Devices

Where To Go Next

Building and Modifying DNS Rules

This chapter describes how to build and modify Domain Name System (DNS) rules on your GSS network. After you configure your source address lists, domain lists, answers, and answer groups, you are ready to begin constructing the DNS rules that will control global server load balancing on your GSS network.

When building DNS rules, you specify the actions for the GSS to perform when it receives a request from a known source (a member of a source address list) for a known hosted domain (a member of a domain list). The DNS rule specifies which response (answer) is given to the requesting user's local DNS host (D-proxy) and how that answer is chosen. The GSS uses one of a variety of balance methods to determine the best response to the request, which is based on the status and load of your GSS host devices.

Note Before you create DNS rules, review the "GSS Architecture" section in Chapter 1, Introducing the Global Site Selector.

This chapter contains the following major sections:

•Logging in to the CLI and Enabling Privileged EXEC Mode

•Building DNS Rules

•Modifying DNS Rules and Balance Clauses

•Displaying DNS Rule Properties

•Suspending a DNS Rule

•Reactivating a DNS Rule

•Suspending or Reactivating All DNS Rules Belonging to an Owner

•Deleting a DNS Rule

•Configuring DNS Rule Filters

•Removing DNS Rule Filters

•Delegating to GSS Devices

•Where To Go Next

Logging in to the CLI and Enabling Privileged EXEC Mode

Note To log in and enable privileged EXEC mode in the GSS, you must be a configured user with admin privileges. See the Cisco Global Site Selector Administration Guide for information on creating and managing user accounts.

To log in to the primary GSSM and enable privileged EXEC mode at the CLI:

1. If you are remotely logging in to the primary GSSM through Telnet or SSH, enter the hostname or IP address of the GSSM to access the CLI.

If you are using a direct serial connection between your terminal and the GSSM, use a terminal emulation program to access the CLI. For details about making a direct connection to the GSS device using a dedicated terminal and about establishing a remote connection using SSH or Telnet, see the Cisco Global Site Selector Getting Started Guide.

2. Specify your GSS administrative username and password to log in to the GSSM. The CLI prompt appears.
gssm1.example.com> 
3. At the CLI prompt, enable privileged EXEC mode as follows:
gssm1.example.com> enable
gssm1.example.com# 
Building DNS Rules

You can build the DNS rules that specify the actions that each GSS is to perform when it receives a request from a known source for a known hosted domain. Do so by entering the dns rule command in global server load-balancing configuration mode.

The syntax of this command is as follows:

dns rule name {owner name | source-address-list name | domain-list name | query {a | all}}

Note After you enter the dns rule name command, the prompt changes to the rule configuration mode where you specify and configure load-balance clauses and optional DNS sticky and network proximity settings.

The keywords and arguments for this command are as follows:

•name—Name for the DNS rule. Enter a unique alphanumeric name with a maximum of 80 characters. Names should not contain spaces.

•owner name—Specifies the name of a previously created owner with whom the rule will be associated. The default owner is System.

•source-address-list name—Specifies the name of a previously created source address list from which requests will originate. The DNS rule is applied only to requests coming from one of the addresses in the source address list. If you do not choose a source address list, the GSS automatically uses the default list Anywhere.

•domain-list name—Specifies the name of a previously created domain list to which DNS queries will be addressed. The DNS rule is applied only to requests coming from one of the addresses in the source address list and for a domain on the specified domain list.

•query—Specifies the type of DNS query to apply to the rule. Choose one of the following:

– a —The DNS rule is applied only to answer address record (A-record) requests originating from a host on the configured source address list. Any requests with unsupported query types (for example, MX, PTR, or CNAME records) that match this DNS rule are dropped and not answered by the GSS. For an AAAA query with a configured host domain, the GSS returns a NODATA (No Answer, No Error) response for the requester to make a subsequent A-record query.

–All—The DNS rule is applied to all DNS queries originating from a host on the configured source address list. For any request other than an A-record query (for example, MX or CNAME record), the GSS forwards the request to a name server configured in one of the three balance clauses. When the GSS receives the response from the name server, it delivers the response to the requesting client D-proxy.

Note When you select All, you must configure one balance clause to include a name server-type answer group.

For example, to create a DNS rule called drule02, enter:
gssm1.example.com(config)# gslb
gssm1.example.com(config-gslb)# dns rule drule02 owner WEB-SERVICES 
source-address-list WEB-GLOBAL-LISTS domain-list E-COMMERCE query a
gssm1.example.com(config-gslb-rule[rule-name])#
To delete a DNS rule called drule02, enter:
gssm1.example.com(config)# gslb
gssm1.example.com(config-gslb)# no dns rule drule02 owner WEB-SERVICES 
source-address-list WEB-GLOBAL-LISTS domain-list E-COMMERCE query a	 
Configuring Balance Clauses for a DNS Rule

After you create a DNS rule, you configure the balance clauses used by the rule by specifying the answer group and balance method that make up each balance clause. In addition, you can configure optional DNS sticky and network proximity settings. If you intend to use DNS sticky or network proximity, see Chapter 8, Configuring DNS Sticky or Chapter 9, Configuring Network Proximity for the configuration procedures.

The GSS can use a maximum of three possible balance method clauses in a DNS rule to select the most appropriate resource to serve a user request. Each balance method provides a different algorithm for selecting one answer from a configured answer group. Each clause specifies that a particular answer group serve the request and a specific balance method be used to select the best resource from that answer group.

The balance clauses that you configure in a DNS rule are evaluated in order, with parameters established to determine when a clause is skipped and the next clause used. A balance clause is skipped when any one of the following conditions exits:

•A least-loaded balance method is selected and the load threshold for all online answers is exceeded.

•The VIP answers in the specified VIP answer group are offline.

•Proximity is enabled for a VIP-type answer group and the DRP agents do not return any RTT values that meet the value set for acceptable-rtt.

•All answers in a CRA- or NS-type answer group are offline and keepalives are enabled to monitor the answers.

To create balance clauses for a DNS rule, you use the clause command in the rule configuration mode. The syntax for this command is as follows:

clause number {cra-group name | ns-group name | vip-group name}

The keywords and arguments for this command are as follows:

•number—Balance clause number (1, 2, or 3). For clauses that use VIP- or NS-type answer groups, you can specify 1, 2, or 3. For clauses that use CRA-type answer groups, you can specify only 1 or 2.

•cra-group name—Specifies that the balance clause is to use a CRA-type answer group. Enter the name of a previously created CRA-type answer group.

•ns-group name—Specifies that the balance clause is to use an NS-type answer group. Enter the name of a previously created NS-type answer group.

•vip-group name—Specifies that the balance clause is to use a VIP-type answer group. Enter the name of a previously created VIP-type answer group.

The answer group type (VIP, NS, or CRA) that you select for your balance clause determines the keywords and arguments that appear in the CLI.

This section contains the following topics:

•Configuring Balance Clauses that Use VIP-Type Answer Groups

•Configuring Balance Clauses that Use NS-Type Answer Groups

•Configuring Balance Clauses that Use CRA-Type Answer Groups

Configuring Balance Clauses that Use VIP-Type Answer Groups

You can create balance clauses for a DNS rule that use VIP-type answer groups by entering the clause number vip-group name command in the rule configuration mode.

The syntax for this command is as follows:

clause number vip-group name [method {round-robin | least-loaded | ordered | weighted-round-robin | hashed {domain-name | source-address | both}} [count number | ttl number]]

The keywords and arguments for this command are as follows:

•number—Balance clause number (1, 2, or 3). You can specify a maximum of three balance clauses that use VIP-type answers.

•vip-group name—Specifies the name of a previously created VIP-type answer group.

•method—(Optional) Specifies the method type for each balance clause. Method types are as follows:

– round-robin—The GSS cycles through the list of answers that are available as requests are received. This is the default.

– least-loaded—The GSS selects an answer based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.The least-loaded option is available only for VIP-type answer groups that use a KAL-AP or Scripted keepalive.

– ordered—The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports gaps in numbering in an ordered list.

Note For answers that have the same order number in an answer group, the GSS will use only the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.

–weighted-round-robin—The GSS cycles through the list of answers that are available as the requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.

–hashed—The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group as follows:

• source-address—The GSS selects the answer based on a hash value created from the source address of the request.

• domain-name—The GSS selects the answer based on a hash value created from the requested domain name.

•both—The GSS selects the answer based on both the source address and domain name.

•count number—(Optional) Specifies the number of address records (A-records) that you want the GSS to return for requests that match the DNS rule. The default is 1 record.

•ttl number—(Optional) Specifies the duration of time in seconds that the requesting DNS proxy caches the response sent from the GSS and considers it to be a valid answer. Valid entries are 0 to 604,800 seconds. The default is 20 seconds.

For example, to configure a balance clause for a DNS rule, enter:
gssm1.example.com(config-gslb-rule[rule-name])# clause 1 vip-group 
ANSGRP-VIP-01 method ordered ttl 60 
Note If you configured a DNS rule with a balance clause that uses a CRA-type answer group, you must immediately follow the CRA-type clause with a balance clause that uses a VIP-type answer group. This ensures that if none of the Content Routing Agents successfully respond to the DNS race request, a "last gasp" server response from the VIP-type balance clause is sent to the requesting name server.

To reset the balance clause settings to their defaults for the DNS rule, use the no form of the clause command. For example, enter:
gssm1.example.com(config-gslb-rule[rule-name])# no clause 1 vip-group 
ANSGRP-VIP-01 method ordered ttl 60
You can create a maximum of three balance clauses that use VIP-type answer groups. A second or third balance clause applies only when the preceding clause is unable to provide an answer for the DNS query.

Note If you plan to configure DNS sticky in the DNS rule, see Chapter 8, Configuring DNS Sticky. If you plan to configure network proximity in the DNS rule, see Chapter 9, Configuring Network Proximity.

Configuring Balance Clauses that Use NS-Type Answer Groups

You can create balance clauses for a DNS rule that uses NS-type answer groups by using the clause number ns-group name command in the rule configuration mode.

The syntax for this command is as follows:

clause number ns-group name [method {round-robin | least-loaded | ordered | weighted-round-robin | hashed {domain-name | source-address | both}}]

The keywords and arguments for this command are as follows:

•number—Balance clause number (1, 2, or 3). You can specify a maximum of three balance clauses that use NS-type answers.

•ns-group name—Specifies the name of a previously created ns-type answer group.

•method—Specifies the method type for each of your balance clauses. Method types are as follows:

– round-robin—The GSS cycles through the list of answers that are available as requests are received. This is the default.

– least-loaded—The GSS selects an answer based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.The least-loaded option is available only for VIP-type answer groups that use a KAL-AP or Scripted keepalive.

– ordered—The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports gaps in numbering in an ordered list.

Note For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.

–weighted-round-robin—The GSS cycles through the list of answers that are available as requests are received but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.

–hashed—The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group as follows:

• domain-name—The GSS selects the answer based on a hash value created from the requested domain name.

• source-address—The GSS selects the answer based on a hash value created from the source address of the request.

•both—The GSS selects the answer based on both the source-address and domain name.

For example, to configure a balance clause for the DNS rule, enter:
gssm1.example.com(config-gslb-rule[rule-name])# clause 1 ns-group 
ANSGRP-NS-01 method hashed both 
To reset the balance clause settings for the DNS rule to their defaults, use the no form of the clause command. For example:
gssm1.example.com(config-gslb-rule[rule-name])# no clause 1 ns-group 
ANSGRP-NS-01 method hashed both 
You can create a maximum of three balance clauses that use NS-type answer groups. A second or third balance clause applies only when the preceding clause is unable to provide an answer for the DNS query.

Configuring Balance Clauses that Use CRA-Type Answer Groups

You can create balance clauses for a DNS rule that use CRA-type answer groups by using the clause number cra-group name command in the rule configuration mode.

The syntax for this command is as follows:

clause number cra-group name [method boomerang | fragment number | ip-ttl number | max-prop-delaynumber | pad number | secret key | server-delay number | ttl number]

The keywords and arguments for this command are as follows:

•number—Balance clause number (1 or 2 ). You can specify a maximum of two balance clauses that use CRA-type answers.

•cra-group name—Specifies the name of a previously created CRA-type answer group.

•method boomerang—Specifies that the balance method uses the boomerang DNS race to determine the best site. See the "DNS Race (Boomerang) Method" section in Chapter 1, Introducing the Global Site Selector, for more information on this balance method type. This is the default setting and cannot be changed.

•fragment number—(Optional) Specifies the number of address records (A-records) that you want the GSS to return for requests that match the DNS rule. The default is 1 record.

•ip-ttl number—(Optional) Specifies the maximum number of network hops that should be used when returning a response to a CRA from a match on a DNS rule.

•max-prop-delaynumber—(Optional) Specifies the maximum propagation delay, which is the maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS forwards a DNS request to a CRA.

•pad number—(Optional) Specifies the amount of extra data (in bytes) included with each CRA response packet that is used to evaluate CRA bandwidth and latency when making load-balancing decisions.

•secret key—(Optional) Specifies a text string with a maximum of 64 characters used to encrypt critical data sent between the GSS boomerang server and CRAs. This key must be the same for each configured CRA.

•server-delay number—(Optional) Specifies the maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS returns the address of its "last gasp" server as a response to the requesting name server.

•ttl number—(Optional) Specifies the duration of time in seconds that the requesting DNS proxy caches the response sent from the GSS and considers it to be a valid answer. Valid entries are 0 to 604,800 seconds. The default is 20 seconds.

For example, to configure a balance clause for the DNS rule, enter:
gssm1.example.com(config-gslb-rule[rule-name])# clause 1 cra-group 
ANSGRP-CRA-01 fragment 2 pad 20 
Note Always follow a balance clause that uses a CRA-type answer group with a balance clause that uses a VIP-type answer group. This ensures that if none of the Content Routing Agents successfully respond to the DNS race request, a "last gasp" server response from the VIP-type balance clause is sent to the requesting name server.

To reset the balance clause settings for the DNS rule to their defaults, use the no form of the clause command. For example:
gssm1.example.com(config-gslb-rule[rule-name])# no clause 1 cra-group 
ANSGRP-CRA-01 fragment 2 pad 20 
You can create a maximum of two balance clauses that use CRA-type answer groups. A second balance clause applies only when the first clause is unable to provide an answer for the DNS query.

Modifying DNS Rules and Balance Clauses

You can use the CLI to modify properties for an existing DNS rule or the balance clauses within a DNS rule. This section contains the following topics:

•Modifying DNS Rule Properties

•Modifying Balance Clause Properties

Modifying DNS Rule Properties

To modify an existing DNS rule, perform the following steps:

1. Display the current property settings for a DNS rule by entering the show gslb-config dns rule name command. See the "Displaying DNS Rule Properties" section for more information.

2. Change the settings for a DNS rule by entering the dns rule name command in global server load-balancing configuration mode.

The syntax of this command is as follows:

dns rule name {owner name | source-address-list name | domain-list name | query {a | all}}:

See the "Building DNS Rules" section for details about the keywords and arguments for this command.

3. Make modifications as necessary to the DNS rule options.

For example, to change the domain list for an existing DNS rule named drule02, enter:
gssm1.example.com(config-gslb)# show gslb-config dns rule drule02
dns rule drule02  owner WEB-SERVICES source-address-list 
WEB-GLOBAL-LISTS domain-list E-COMMERCE query  a
clause 1 vip-group ANSGRP6 least-loaded  ttl 20 count 2 sticky disable
gssm1.example.com(config-gslb)# dns rule drule02 owner WEB-SERVICES 
source-address-list WEB-GLOBAL LISTS domain-list SECURITY query a
gssm1.example.com(config-gslb-rule[rule-name])#
Modifying Balance Clause Properties

To modify balance clause properties for an existing DNS rule using the CLI, perform the following steps:

1. Display the current property settings for a DNS rule and the balance clauses for that rule by entering the show gslb-config dns rule name command. See the "Displaying DNS Rule Properties" section for more information.

2. Change the balance clause properties for an existing DNS rule by using the dns rule name command in global server load-balancing configuration mode. This command allows you to access the rule configuration mode for the desired rule.

For example, enter:
gssm1.example.com(config-gslb)# dns rule drule02
gssm1.example.com(config-gslb-rule[rule-name])#
3. Modify balance clause properties by using the clause command. The syntax of the clause command varies according to the answer group type (VIP, CRA, or NS) that it uses. See the following sections for clause command syntax based on answer group type:

•Configuring Balance Clauses that Use VIP-Type Answer Groups

•Configuring Balance Clauses that Use NS-Type Answer Groups

•Configuring Balance Clauses that Use CRA-Type Answer Groups

4. Make modifications as necessary to the balance clause keywords and arguments.

For example, to change the method type for clause 1 of the DNS rule drule02 from least-loaded to round-robin, enter:
gssm1.example.com(config-gslb)# show gslb-config dns rule drule02
dns rule drule02  owner WEB-SERVICES source-address-list 
WEB-GLOBAL-LISTS domain-list E-COMMERCE query  a
clause 1 vip-group ANSGRP6 least-loaded  ttl 20 count 2 sticky disable
gssm1.example.com(config-gslb)# dns rule drule02
gssm1.example.com(config-gslb-rule[rule-name])# clause 1 vip-group 
ANSGRP6 method round-robin ttl 20 count 2
Displaying DNS Rule Properties

You can use the show gslb-config dns rule command to display the current property settings for all DNS rules and balance clauses for each rule.

The syntax of this command is as follows:

show gslb-config dns rule [name]

The optional name argument specifies the name of a previously created DNS rule.

For example, to display the properties for the DNS rule drule02, enter:
gssm1.example.com(config-gslb)# show gslb-config dns rule drule02
dns rule drule02  owner WEB-SERVICES source-address-list 
WEB-GLOBAL-LISTS domain-list E-COMMERCE query  a
clause 1 vip-group ANSGRP6 least-loaded  ttl 20 count 2 sticky disable
gssm1.example.com(config-gslb)#

Suspending a DNS Rule

If you want to stop requests from being processed by a DNS rule on your GSS, log in to the primary GSSM GUI and access the DNS Rules tab. See the "Suspending a DNS Rule," section in Chapter 7, Building and Modifying DNS Rules, in the Cisco Global Site Selector GUI-Based Global Server Load-Balancing Configuration Guide for details.

Reactivating a DNS Rule

If you want to reactivate the operation of a suspended DNS rule on your GSS, log in to the primary GSSM GUI and access the DNS Rules tab. See the "Reactivating a DNS Rule," section in Chapter 7, Building and Modifying DNS Rules, in the Cisco Global Site Selector GUI-Based Global Server Load-Balancing Configuration Guide for details.

Suspending or Reactivating All DNS Rules Belonging to an Owner

You can group and manage your DNS rules according to an established GSS owner. Using a GSS owner to manage your DNS rules enables you to quickly suspend or activate all rules related to a particular group or department within your organization (for example, HR or Sales) without individually editing each rule that serves that owner.

To suspend or reactivate all DSN rules associated with a GSS owner, use the owner command with the suspend-all-rules and activate-all-rules keywords.

To display the currently configured DNS rules and their associated owners, use the show gslb-config dns rule command. See the "Displaying DNS Rule Properties" section for more information.

For example, to suspend all DNS rules associated with the owner WEB-SERVICES, enter:
gssm1.example.com(config)# gslb
gssm1.example.com(config-gslb)# owner WEB-SERVICES suspend-all-rules
gssm1.example.com(config-gslb)# 
To reactivate all DNS rules associated with the owner WEB-SERVICES, enter:
gssm1.example.com(config)# gslb
gssm1.example.com(config-gslb)# owner WEB-SERVICES activate-all-rules
gssm1.example.com(config-gslb)# 
Deleting a DNS Rule

You can use the no form of the dns rule command to remove a previously created DNS rule from the GSSM database. Deleting a DNS rule does not delete the source address lists, domain lists, owners, and answer groups associated with the DNS rule.

Caution Deletions of any kind cannot be undone in the primary GSSM. Before deleting any data that you think you might want to use at a later point in time, perform a database backup of your GSSM. See the Global Site Selector Administration Guide for details.

To delete a DNS rule, perform the following steps:

1. Display the current DNS rules by using the show gslb-config dns rule command. See the Displaying DNS Rule Properties section for more information.

2. Identify the DNS rule that you want to delete, and then use the no form of the dns rule command to delete the rule.

For example, to delete a DNS rule named RULE1, enter:
gssm1.example.com(config-gslb)# show gslb-config dns rule
...
dns rule RULE1 owner OWNER1 source-address-list Anywhere domain-list 
www.wonderland.com query  a
	clause 1 vip-group ans-grp1 method ordered  ttl 20 count 1 sticky 
disable
...
gssm1.example.com(config)# gslb
gssm1.example.com(config-gslb)# no dns rule RULE1 owner OWNER1 
source-address-list ANYWHERE domain-list WWW.WONDERLAND.COM query A	 
gssm1.example.com(config-gslb)#

Configuring DNS Rule Filters

If you want to configure DNS rule filters on your GSS, log in to the primary GSSM GUI and access the DNS Rules tab. See the "Configuring DNS Rule Filters," section in Chapter 7, Building and Modifying DNS Rules, in the Cisco Global Site Selector GUI-Based Global Server Load-Balancing Configuration Guide for details.

Removing DNS Rule Filters

If you want to remove DNS rule filters on your GSS, log in to the primary GSSM GUI and access the DNS Rules tab. See the "Removing DNS Rule Filters," section in Chapter 7, Building and Modifying DNS Rules, in the Cisco Global Site Selector GUI-Based Global Server Load-Balancing Configuration Guide for details.

Delegating to GSS Devices

After you configure your GSS devices to connect to your network and create the logical resources (source address lists, domain lists, answers and answer groups, and DNS rules) required for global server load balancing, you can integrate your global server load-balancing device into your network's DNS infrastructure to deliver user queries to your GSS. To accomplish this integration, you must modify your parent domain's DNS server to delegate parts of its name space to your GSS devices.

You should carefully review and perform a test of your GSS deployment before making changes to your DNS server configuration that will affect your public or enterprise network configuration.

Modifying your DNS servers to accommodate your GSS devices involves the following steps:

1. Adding name server (NS) records to your DNS zone configuration file that delegates your domain or subdomains to one or more of your GSSs.

2. Adding "glue" address (A) records to your DNS zone configuration file that map the DNS name of each of your GSS devices to an IP address.

Note The A-records which define the name servers within the domain are frequently called glue records.

Example 7-1 provides an example of a DNS zone configuration file for a fictitious cisco.com domain that has been modified to delegate primary DNS authority for three domains to two GSS devices. Relevant lines are shown in bold type.

In Example 7-1, the delegated domains are as follows:

•www.cisco.com

•ftp.cisco.com

•media.cisco.com

The GSS devices are as follows:

•gss1.cisco.com

•gss2.cisco.com

Example 7-1 Sample BIND Zone Configuration File Delegating GSSs
cisco.com. 	IN SOA ns1.cisco.com. postmaster.cisco.com. 	(
		2001111001	; serial number
		36000	; refresh 10 hours
		3600		; retry   1  hour
		3600000	; expire  42 days
		360000	; minimum 100 hours )
; Corporate Name Servers for cisco.com
		IN	NS	ns1.cisco.com.
		IN	NS	ns2.cisco.com.
ns1		IN	A	192.168.157.209
ns2		IN	A	192.168.150.100
; Sub-domains delegated to GSS Network
www		IN	NS	gss1.cisco.com.
		IN	NS	gss2.cisco.com.
media		IN	CNAME	 www
ftp		IN	NS	gss1.cisco.com.
		IN	NS	gss2.cisco.com.
; "Glue" A records with GSS interface addresses
;		Cisco GSS Dallas
gss1		IN	A	172.16.2.3
;		Cisco GSS London
gss2		IN	A	192.168.3.6
.
.
You can use many possible GSS deployments when reviewing this zone file; some deployments may suit your needs and your network better than the previous example. For example, instead of having all subdomains shared by all GSS devices, you may want to allocate specific subdomains to specific GSSs.

Where To Go Next

If you plan to use DNS sticky for your global server load balancing, configure local or global DNS sticky for GSS devices in your network. See Chapter 8, Configuring DNS Sticky, for details.

If you plan to use network proximity for your global server load balancing, configure proximity for GSS devices in your network. See Chapter 9, Configuring Network Proximity, for details.

	Cisco GSS CLI-Based Global Server Load-Balancing Configuration Guide (Software Version 2.0)
	Building and Modifying DNS Rules
Cisco GSS CLI-Based Global Server Load-Balancing Configuration Guide (Software Version 2.0) Index Preface Introducing the Global Site Selector Configuring Resources Configuring Source Address Lists Configuring Domain Lists Configuring Keepalives Configuring Answers and Answer Groups Building and Modifying DNS Rules Configuring DNS Sticky Configuring Network Proximity Configuring DDoS Prevention Creating and Playing GSLB Configuration Files Displaying Global Server Load-Balancing Configuration Information Displaying GSS Global Server Load-Balancing Statistics Primary GSSM Global Server Load-Balancing Error Messages Sticky and Proximity XML Schema Files Glossary	Download this chapter Building and Modifying DNS Rules Download the complete book Cisco Global Site Selector CLI-Based Global Server Load Balancing Configuration Guide, Book-Length PDF (PDF - 6 MB) Table Of Contents Building and Modifying DNS Rules Logging in to the CLI and Enabling Privileged EXEC Mode Building DNS Rules Configuring Balance Clauses for a DNS Rule Configuring Balance Clauses that Use VIP-Type Answer Groups Configuring Balance Clauses that Use NS-Type Answer Groups Configuring Balance Clauses that Use CRA-Type Answer Groups Modifying DNS Rules and Balance Clauses Modifying DNS Rule Properties Modifying Balance Clause Properties Displaying DNS Rule Properties Suspending a DNS Rule Reactivating a DNS Rule Suspending or Reactivating All DNS Rules Belonging to an Owner Deleting a DNS Rule Configuring DNS Rule Filters Removing DNS Rule Filters Delegating to GSS Devices Where To Go Next Building and Modifying DNS Rules This chapter describes how to build and modify Domain Name System (DNS) rules on your GSS network. After you configure your source address lists, domain lists, answers, and answer groups, you are ready to begin constructing the DNS rules that will control global server load balancing on your GSS network. When building DNS rules, you specify the actions for the GSS to perform when it receives a request from a known source (a member of a source address list) for a known hosted domain (a member of a domain list). The DNS rule specifies which response (answer) is given to the requesting user's local DNS host (D-proxy) and how that answer is chosen. The GSS uses one of a variety of balance methods to determine the best response to the request, which is based on the status and load of your GSS host devices. Note Before you create DNS rules, review the "GSS Architecture" section in Chapter 1, Introducing the Global Site Selector. This chapter contains the following major sections: •Logging in to the CLI and Enabling Privileged EXEC Mode •Building DNS Rules •Modifying DNS Rules and Balance Clauses •Displaying DNS Rule Properties •Suspending a DNS Rule •Reactivating a DNS Rule •Suspending or Reactivating All DNS Rules Belonging to an Owner •Deleting a DNS Rule •Configuring DNS Rule Filters •Removing DNS Rule Filters •Delegating to GSS Devices •Where To Go Next Logging in to the CLI and Enabling Privileged EXEC Mode Note To log in and enable privileged EXEC mode in the GSS, you must be a configured user with admin privileges. See the Cisco Global Site Selector Administration Guide for information on creating and managing user accounts. To log in to the primary GSSM and enable privileged EXEC mode at the CLI: 1. If you are remotely logging in to the primary GSSM through Telnet or SSH, enter the hostname or IP address of the GSSM to access the CLI. If you are using a direct serial connection between your terminal and the GSSM, use a terminal emulation program to access the CLI. For details about making a direct connection to the GSS device using a dedicated terminal and about establishing a remote connection using SSH or Telnet, see the Cisco Global Site Selector Getting Started Guide. 2. Specify your GSS administrative username and password to log in to the GSSM. The CLI prompt appears. gssm1.example.com> 3. At the CLI prompt, enable privileged EXEC mode as follows: gssm1.example.com> enable gssm1.example.com# Building DNS Rules You can build the DNS rules that specify the actions that each GSS is to perform when it receives a request from a known source for a known hosted domain. Do so by entering the dns rule command in global server load-balancing configuration mode. The syntax of this command is as follows: dns rule name {owner name \| source-address-list name \| domain-list name \| query {a \| all}} Note After you enter the dns rule name command, the prompt changes to the rule configuration mode where you specify and configure load-balance clauses and optional DNS sticky and network proximity settings. The keywords and arguments for this command are as follows: •name—Name for the DNS rule. Enter a unique alphanumeric name with a maximum of 80 characters. Names should not contain spaces. •owner name—Specifies the name of a previously created owner with whom the rule will be associated. The default owner is System. •source-address-list name—Specifies the name of a previously created source address list from which requests will originate. The DNS rule is applied only to requests coming from one of the addresses in the source address list. If you do not choose a source address list, the GSS automatically uses the default list Anywhere. •domain-list name—Specifies the name of a previously created domain list to which DNS queries will be addressed. The DNS rule is applied only to requests coming from one of the addresses in the source address list and for a domain on the specified domain list. •query—Specifies the type of DNS query to apply to the rule. Choose one of the following: – a —The DNS rule is applied only to answer address record (A-record) requests originating from a host on the configured source address list. Any requests with unsupported query types (for example, MX, PTR, or CNAME records) that match this DNS rule are dropped and not answered by the GSS. For an AAAA query with a configured host domain, the GSS returns a NODATA (No Answer, No Error) response for the requester to make a subsequent A-record query. –All—The DNS rule is applied to all DNS queries originating from a host on the configured source address list. For any request other than an A-record query (for example, MX or CNAME record), the GSS forwards the request to a name server configured in one of the three balance clauses. When the GSS receives the response from the name server, it delivers the response to the requesting client D-proxy. Note When you select All, you must configure one balance clause to include a name server-type answer group. For example, to create a DNS rule called drule02, enter: gssm1.example.com(config)# gslb gssm1.example.com(config-gslb)# dns rule drule02 owner WEB-SERVICES source-address-list WEB-GLOBAL-LISTS domain-list E-COMMERCE query a gssm1.example.com(config-gslb-rule[rule-name])# To delete a DNS rule called drule02, enter: gssm1.example.com(config)# gslb gssm1.example.com(config-gslb)# no dns rule drule02 owner WEB-SERVICES source-address-list WEB-GLOBAL-LISTS domain-list E-COMMERCE query a Configuring Balance Clauses for a DNS Rule After you create a DNS rule, you configure the balance clauses used by the rule by specifying the answer group and balance method that make up each balance clause. In addition, you can configure optional DNS sticky and network proximity settings. If you intend to use DNS sticky or network proximity, see Chapter 8, Configuring DNS Sticky or Chapter 9, Configuring Network Proximity for the configuration procedures. The GSS can use a maximum of three possible balance method clauses in a DNS rule to select the most appropriate resource to serve a user request. Each balance method provides a different algorithm for selecting one answer from a configured answer group. Each clause specifies that a particular answer group serve the request and a specific balance method be used to select the best resource from that answer group. The balance clauses that you configure in a DNS rule are evaluated in order, with parameters established to determine when a clause is skipped and the next clause used. A balance clause is skipped when any one of the following conditions exits: •A least-loaded balance method is selected and the load threshold for all online answers is exceeded. •The VIP answers in the specified VIP answer group are offline. •Proximity is enabled for a VIP-type answer group and the DRP agents do not return any RTT values that meet the value set for acceptable-rtt. •All answers in a CRA- or NS-type answer group are offline and keepalives are enabled to monitor the answers. To create balance clauses for a DNS rule, you use the clause command in the rule configuration mode. The syntax for this command is as follows: clause number {cra-group name \| ns-group name \| vip-group name} The keywords and arguments for this command are as follows: •number—Balance clause number (1, 2, or 3). For clauses that use VIP- or NS-type answer groups, you can specify 1, 2, or 3. For clauses that use CRA-type answer groups, you can specify only 1 or 2. •cra-group name—Specifies that the balance clause is to use a CRA-type answer group. Enter the name of a previously created CRA-type answer group. •ns-group name—Specifies that the balance clause is to use an NS-type answer group. Enter the name of a previously created NS-type answer group. •vip-group name—Specifies that the balance clause is to use a VIP-type answer group. Enter the name of a previously created VIP-type answer group. The answer group type (VIP, NS, or CRA) that you select for your balance clause determines the keywords and arguments that appear in the CLI. This section contains the following topics: •Configuring Balance Clauses that Use VIP-Type Answer Groups •Configuring Balance Clauses that Use NS-Type Answer Groups •Configuring Balance Clauses that Use CRA-Type Answer Groups Configuring Balance Clauses that Use VIP-Type Answer Groups You can create balance clauses for a DNS rule that use VIP-type answer groups by entering the clause number vip-group name command in the rule configuration mode. The syntax for this command is as follows: clause number vip-group name [method {round-robin \| least-loaded \| ordered \| weighted-round-robin \| hashed {domain-name \| source-address \| both}} [count number \| ttl number]] The keywords and arguments for this command are as follows: •number—Balance clause number (1, 2, or 3). You can specify a maximum of three balance clauses that use VIP-type answers. •vip-group name—Specifies the name of a previously created VIP-type answer group. •method—(Optional) Specifies the method type for each balance clause. Method types are as follows: – round-robin—The GSS cycles through the list of answers that are available as requests are received. This is the default. – least-loaded—The GSS selects an answer based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.The least-loaded option is available only for VIP-type answer groups that use a KAL-AP or Scripted keepalive. – ordered—The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports gaps in numbering in an ordered list. Note For answers that have the same order number in an answer group, the GSS will use only the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group. –weighted-round-robin—The GSS cycles through the list of answers that are available as the requests are received, but sends requests to favored answers in a ratio determined by the weight value assigned to that resource. –hashed—The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group as follows: • source-address—The GSS selects the answer based on a hash value created from the source address of the request. • domain-name—The GSS selects the answer based on a hash value created from the requested domain name. •both—The GSS selects the answer based on both the source address and domain name. •count number—(Optional) Specifies the number of address records (A-records) that you want the GSS to return for requests that match the DNS rule. The default is 1 record. •ttl number—(Optional) Specifies the duration of time in seconds that the requesting DNS proxy caches the response sent from the GSS and considers it to be a valid answer. Valid entries are 0 to 604,800 seconds. The default is 20 seconds. For example, to configure a balance clause for a DNS rule, enter: gssm1.example.com(config-gslb-rule[rule-name])# clause 1 vip-group ANSGRP-VIP-01 method ordered ttl 60 Note If you configured a DNS rule with a balance clause that uses a CRA-type answer group, you must immediately follow the CRA-type clause with a balance clause that uses a VIP-type answer group. This ensures that if none of the Content Routing Agents successfully respond to the DNS race request, a "last gasp" server response from the VIP-type balance clause is sent to the requesting name server. To reset the balance clause settings to their defaults for the DNS rule, use the no form of the clause command. For example, enter: gssm1.example.com(config-gslb-rule[rule-name])# no clause 1 vip-group ANSGRP-VIP-01 method ordered ttl 60 You can create a maximum of three balance clauses that use VIP-type answer groups. A second or third balance clause applies only when the preceding clause is unable to provide an answer for the DNS query. Note If you plan to configure DNS sticky in the DNS rule, see Chapter 8, Configuring DNS Sticky. If you plan to configure network proximity in the DNS rule, see Chapter 9, Configuring Network Proximity. Configuring Balance Clauses that Use NS-Type Answer Groups You can create balance clauses for a DNS rule that uses NS-type answer groups by using the clause number ns-group name command in the rule configuration mode. The syntax for this command is as follows: clause number ns-group name [method {round-robin \| least-loaded \| ordered \| weighted-round-robin \| hashed {domain-name \| source-address \| both}}] The keywords and arguments for this command are as follows: •number—Balance clause number (1, 2, or 3). You can specify a maximum of three balance clauses that use NS-type answers. •ns-group name—Specifies the name of a previously created ns-type answer group. •method—Specifies the method type for each of your balance clauses. Method types are as follows: – round-robin—The GSS cycles through the list of answers that are available as requests are received. This is the default. – least-loaded—The GSS selects an answer based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request.The least-loaded option is available only for VIP-type answer groups that use a KAL-AP or Scripted keepalive. – ordered—The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports gaps in numbering in an ordered list. Note For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group. –weighted-round-robin—The GSS cycles through the list of answers that are available as requests are received but sends requests to favored answers in a ratio determined by the weight value assigned to that resource. –hashed—The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group as follows: • domain-name—The GSS selects the answer based on a hash value created from the requested domain name. • source-address—The GSS selects the answer based on a hash value created from the source address of the request. •both—The GSS selects the answer based on both the source-address and domain name. For example, to configure a balance clause for the DNS rule, enter: gssm1.example.com(config-gslb-rule[rule-name])# clause 1 ns-group ANSGRP-NS-01 method hashed both To reset the balance clause settings for the DNS rule to their defaults, use the no form of the clause command. For example: gssm1.example.com(config-gslb-rule[rule-name])# no clause 1 ns-group ANSGRP-NS-01 method hashed both You can create a maximum of three balance clauses that use NS-type answer groups. A second or third balance clause applies only when the preceding clause is unable to provide an answer for the DNS query. Configuring Balance Clauses that Use CRA-Type Answer Groups You can create balance clauses for a DNS rule that use CRA-type answer groups by using the clause number cra-group name command in the rule configuration mode. The syntax for this command is as follows: clause number cra-group name [method boomerang \| fragment number \| ip-ttl number \| max-prop-delaynumber \| pad number \| secret key \| server-delay number \| ttl number] The keywords and arguments for this command are as follows: •number—Balance clause number (1 or 2 ). You can specify a maximum of two balance clauses that use CRA-type answers. •cra-group name—Specifies the name of a previously created CRA-type answer group. •method boomerang—Specifies that the balance method uses the boomerang DNS race to determine the best site. See the "DNS Race (Boomerang) Method" section in Chapter 1, Introducing the Global Site Selector, for more information on this balance method type. This is the default setting and cannot be changed. •fragment number—(Optional) Specifies the number of address records (A-records) that you want the GSS to return for requests that match the DNS rule. The default is 1 record. •ip-ttl number—(Optional) Specifies the maximum number of network hops that should be used when returning a response to a CRA from a match on a DNS rule. •max-prop-delaynumber—(Optional) Specifies the maximum propagation delay, which is the maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS forwards a DNS request to a CRA. •pad number—(Optional) Specifies the amount of extra data (in bytes) included with each CRA response packet that is used to evaluate CRA bandwidth and latency when making load-balancing decisions. •secret key—(Optional) Specifies a text string with a maximum of 64 characters used to encrypt critical data sent between the GSS boomerang server and CRAs. This key must be the same for each configured CRA. •server-delay number—(Optional) Specifies the maximum delay (in milliseconds) that is observed before the boomerang server component of the GSS returns the address of its "last gasp" server as a response to the requesting name server. •ttl number—(Optional) Specifies the duration of time in seconds that the requesting DNS proxy caches the response sent from the GSS and considers it to be a valid answer. Valid entries are 0 to 604,800 seconds. The default is 20 seconds. For example, to configure a balance clause for the DNS rule, enter: gssm1.example.com(config-gslb-rule[rule-name])# clause 1 cra-group ANSGRP-CRA-01 fragment 2 pad 20 Note Always follow a balance clause that uses a CRA-type answer group with a balance clause that uses a VIP-type answer group. This ensures that if none of the Content Routing Agents successfully respond to the DNS race request, a "last gasp" server response from the VIP-type balance clause is sent to the requesting name server. To reset the balance clause settings for the DNS rule to their defaults, use the no form of the clause command. For example: gssm1.example.com(config-gslb-rule[rule-name])# no clause 1 cra-group ANSGRP-CRA-01 fragment 2 pad 20 You can create a maximum of two balance clauses that use CRA-type answer groups. A second balance clause applies only when the first clause is unable to provide an answer for the DNS query. Modifying DNS Rules and Balance Clauses You can use the CLI to modify properties for an existing DNS rule or the balance clauses within a DNS rule. This section contains the following topics: •Modifying DNS Rule Properties •Modifying Balance Clause Properties Modifying DNS Rule Properties To modify an existing DNS rule, perform the following steps: 1. Display the current property settings for a DNS rule by entering the show gslb-config dns rule name command. See the "Displaying DNS Rule Properties" section for more information. 2. Change the settings for a DNS rule by entering the dns rule name command in global server load-balancing configuration mode. The syntax of this command is as follows: dns rule name {owner name \| source-address-list name \| domain-list name \| query {a \| all}}: See the "Building DNS Rules" section for details about the keywords and arguments for this command. 3. Make modifications as necessary to the DNS rule options. For example, to change the domain list for an existing DNS rule named drule02, enter: gssm1.example.com(config-gslb)# show gslb-config dns rule drule02 dns rule drule02 owner WEB-SERVICES source-address-list WEB-GLOBAL-LISTS domain-list E-COMMERCE query a clause 1 vip-group ANSGRP6 least-loaded ttl 20 count 2 sticky disable gssm1.example.com(config-gslb)# dns rule drule02 owner WEB-SERVICES source-address-list WEB-GLOBAL LISTS domain-list SECURITY query a gssm1.example.com(config-gslb-rule[rule-name])# Modifying Balance Clause Properties To modify balance clause properties for an existing DNS rule using the CLI, perform the following steps: 1. Display the current property settings for a DNS rule and the balance clauses for that rule by entering the show gslb-config dns rule name command. See the "Displaying DNS Rule Properties" section for more information. 2. Change the balance clause properties for an existing DNS rule by using the dns rule name command in global server load-balancing configuration mode. This command allows you to access the rule configuration mode for the desired rule. For example, enter: gssm1.example.com(config-gslb)# dns rule drule02 gssm1.example.com(config-gslb-rule[rule-name])# 3. Modify balance clause properties by using the clause command. The syntax of the clause command varies according to the answer group type (VIP, CRA, or NS) that it uses. See the following sections for clause command syntax based on answer group type: •Configuring Balance Clauses that Use VIP-Type Answer Groups •Configuring Balance Clauses that Use NS-Type Answer Groups •Configuring Balance Clauses that Use CRA-Type Answer Groups 4. Make modifications as necessary to the balance clause keywords and arguments. For example, to change the method type for clause 1 of the DNS rule drule02 from least-loaded to round-robin, enter: gssm1.example.com(config-gslb)# show gslb-config dns rule drule02 dns rule drule02 owner WEB-SERVICES source-address-list WEB-GLOBAL-LISTS domain-list E-COMMERCE query a clause 1 vip-group ANSGRP6 least-loaded ttl 20 count 2 sticky disable gssm1.example.com(config-gslb)# dns rule drule02 gssm1.example.com(config-gslb-rule[rule-name])# clause 1 vip-group ANSGRP6 method round-robin ttl 20 count 2 Displaying DNS Rule Properties You can use the show gslb-config dns rule command to display the current property settings for all DNS rules and balance clauses for each rule. The syntax of this command is as follows: show gslb-config dns rule [name] The optional name argument specifies the name of a previously created DNS rule. For example, to display the properties for the DNS rule drule02, enter: gssm1.example.com(config-gslb)# show gslb-config dns rule drule02 dns rule drule02 owner WEB-SERVICES source-address-list WEB-GLOBAL-LISTS domain-list E-COMMERCE query a clause 1 vip-group ANSGRP6 least-loaded ttl 20 count 2 sticky disable gssm1.example.com(config-gslb)# Suspending a DNS Rule If you want to stop requests from being processed by a DNS rule on your GSS, log in to the primary GSSM GUI and access the DNS Rules tab. See the "Suspending a DNS Rule," section in Chapter 7, Building and Modifying DNS Rules, in the Cisco Global Site Selector GUI-Based Global Server Load-Balancing Configuration Guide for details. Reactivating a DNS Rule If you want to reactivate the operation of a suspended DNS rule on your GSS, log in to the primary GSSM GUI and access the DNS Rules tab. See the "Reactivating a DNS Rule," section in Chapter 7, Building and Modifying DNS Rules, in the Cisco Global Site Selector GUI-Based Global Server Load-Balancing Configuration Guide for details. Suspending or Reactivating All DNS Rules Belonging to an Owner You can group and manage your DNS rules according to an established GSS owner. Using a GSS owner to manage your DNS rules enables you to quickly suspend or activate all rules related to a particular group or department within your organization (for example, HR or Sales) without individually editing each rule that serves that owner. To suspend or reactivate all DSN rules associated with a GSS owner, use the owner command with the suspend-all-rules and activate-all-rules keywords. To display the currently configured DNS rules and their associated owners, use the show gslb-config dns rule command. See the "Displaying DNS Rule Properties" section for more information. For example, to suspend all DNS rules associated with the owner WEB-SERVICES, enter: gssm1.example.com(config)# gslb gssm1.example.com(config-gslb)# owner WEB-SERVICES suspend-all-rules gssm1.example.com(config-gslb)# To reactivate all DNS rules associated with the owner WEB-SERVICES, enter: gssm1.example.com(config)# gslb gssm1.example.com(config-gslb)# owner WEB-SERVICES activate-all-rules gssm1.example.com(config-gslb)# Deleting a DNS Rule You can use the no form of the dns rule command to remove a previously created DNS rule from the GSSM database. Deleting a DNS rule does not delete the source address lists, domain lists, owners, and answer groups associated with the DNS rule. Caution Deletions of any kind cannot be undone in the primary GSSM. Before deleting any data that you think you might want to use at a later point in time, perform a database backup of your GSSM. See the Global Site Selector Administration Guide for details. To delete a DNS rule, perform the following steps: 1. Display the current DNS rules by using the show gslb-config dns rule command. See the Displaying DNS Rule Properties section for more information. 2. Identify the DNS rule that you want to delete, and then use the no form of the dns rule command to delete the rule. For example, to delete a DNS rule named RULE1, enter: gssm1.example.com(config-gslb)# show gslb-config dns rule ... dns rule RULE1 owner OWNER1 source-address-list Anywhere domain-list www.wonderland.com query a clause 1 vip-group ans-grp1 method ordered ttl 20 count 1 sticky disable ... gssm1.example.com(config)# gslb gssm1.example.com(config-gslb)# no dns rule RULE1 owner OWNER1 source-address-list ANYWHERE domain-list WWW.WONDERLAND.COM query A gssm1.example.com(config-gslb)# Configuring DNS Rule Filters If you want to configure DNS rule filters on your GSS, log in to the primary GSSM GUI and access the DNS Rules tab. See the "Configuring DNS Rule Filters," section in Chapter 7, Building and Modifying DNS Rules, in the Cisco Global Site Selector GUI-Based Global Server Load-Balancing Configuration Guide for details. Removing DNS Rule Filters If you want to remove DNS rule filters on your GSS, log in to the primary GSSM GUI and access the DNS Rules tab. See the "Removing DNS Rule Filters," section in Chapter 7, Building and Modifying DNS Rules, in the Cisco Global Site Selector GUI-Based Global Server Load-Balancing Configuration Guide for details. Delegating to GSS Devices After you configure your GSS devices to connect to your network and create the logical resources (source address lists, domain lists, answers and answer groups, and DNS rules) required for global server load balancing, you can integrate your global server load-balancing device into your network's DNS infrastructure to deliver user queries to your GSS. To accomplish this integration, you must modify your parent domain's DNS server to delegate parts of its name space to your GSS devices. You should carefully review and perform a test of your GSS deployment before making changes to your DNS server configuration that will affect your public or enterprise network configuration. Modifying your DNS servers to accommodate your GSS devices involves the following steps: 1. Adding name server (NS) records to your DNS zone configuration file that delegates your domain or subdomains to one or more of your GSSs. 2. Adding "glue" address (A) records to your DNS zone configuration file that map the DNS name of each of your GSS devices to an IP address. Note The A-records which define the name servers within the domain are frequently called glue records. Example 7-1 provides an example of a DNS zone configuration file for a fictitious cisco.com domain that has been modified to delegate primary DNS authority for three domains to two GSS devices. Relevant lines are shown in bold type. In Example 7-1, the delegated domains are as follows: •www.cisco.com •ftp.cisco.com •media.cisco.com The GSS devices are as follows: •gss1.cisco.com •gss2.cisco.com Example 7-1 Sample BIND Zone Configuration File Delegating GSSs cisco.com. IN SOA ns1.cisco.com. postmaster.cisco.com. ( 2001111001 ; serial number 36000 ; refresh 10 hours 3600 ; retry 1 hour 3600000 ; expire 42 days 360000 ; minimum 100 hours ) ; Corporate Name Servers for cisco.com IN NS ns1.cisco.com. IN NS ns2.cisco.com. ns1 IN A 192.168.157.209 ns2 IN A 192.168.150.100 ; Sub-domains delegated to GSS Network www IN NS gss1.cisco.com. IN NS gss2.cisco.com. media IN CNAME www ftp IN NS gss1.cisco.com. IN NS gss2.cisco.com. ; "Glue" A records with GSS interface addresses ; Cisco GSS Dallas gss1 IN A 172.16.2.3 ; Cisco GSS London gss2 IN A 192.168.3.6 . . You can use many possible GSS deployments when reviewing this zone file; some deployments may suit your needs and your network better than the previous example. For example, instead of having all subdomains shared by all GSS devices, you may want to allocate specific subdomains to specific GSSs. Where To Go Next If you plan to use DNS sticky for your global server load balancing, configure local or global DNS sticky for GSS devices in your network. See Chapter 8, Configuring DNS Sticky, for details. If you plan to use network proximity for your global server load balancing, configure proximity for GSS devices in your network. See Chapter 9, Configuring Network Proximity, for details.
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.