-
Cisco GSS CLI-Based Global Server Load-Balancing Configuration Guide (Software Version 3.0)
-
Index
-
Preface
-
Introducing the Global Site Selector
-
Configuring Resources
-
Configuring Source Address Lists
-
Configuring Domain Lists
-
Configuring Keepalives
-
Configuring Answers and Answer Groups
-
Building and Modifying DNS Rules
-
Configuring DNS Sticky
-
Configuring the Network Proximity
-
Configuring DDoS Prevention
-
Configuring and Playing GSLB Configuration Files
-
Displaying Global Server Load-Balancing Configuration Information
-
Displaying GSS Global Server Load-Balancing Statistics
-
Primary GSSM Global Server Load-Balancing Error Messages
-
Sticky and Proximity XML Schema Files
-
Glossary
-
Table Of Contents
Proximity Network Design Guidelines
Network Proximity Quick Start Guide
Configuring the GSS as a DRP Agent
GSS DRP Agent Configuration Quick Start
Enabling the DRP Authentication Key Chain ID
Configuring the ICMP Probe Timeout Parameter
Configuring the Path Probe Parameters
Configuring the Destination Port
Configuring an Initial Time-to-Live
Configuring the Number of Last Successive Failure Packets
Configuring the Maximum Time-to-Live
Configuring the TCP Probe Parameters
Configuring the Destination Port
Configuring a Cisco Router as a DRP Agent
Choosing a Cisco Router as a DRP Agent
Cisco IOS Release 12.1 Interoperability Considerations
Logging in to the CLI and Enabling Privileged EXEC Mode
Synchronizing the GSS System Clock with an NTP Server
Creating Zones Using the Primary GSSM CLI
Associating a Proximity Zone With a Location
Associating a Proximity-Based Location with an Answer
Configuring Proximity Using the Primary GSSM CLI
Adding a Proximity Balance Clause to a DNS Rule
Proximity Balance Clause Overview
Adding Proximity to a DNS Rule that uses VIP-Type Answer Groups
Playing Static Proximity Group Configurations
Deleting a Proximity Group IP Address Block
Configuring Static Proximity Database Entries
Adding Static Proximity Entries
Static Entries and the Aging-Out Process
Deleting Static Entries from the Proximity Database
Deleting Entries from the Proximity Database
Dumping Proximity Database Entries to a File
Running a Periodic Proximity Database Backup
Loading Proximity Database Entries
Initiating Probing for a D-proxy Address
Disabling Proximity Locally on a GSS for Troubleshooting
Configuring Network Proximity
This chapter describes how to configure a GSS to perform network proximity to determine the best (most proximate) resource for handling global load-balancing requests.
This chapter contains the following major sections:
•
Proximity Network Design Guidelines
•
•
•
•
•
•
•
•
•
Each GSS supports a comprehensive set of show CLI commands to display network proximity statistics for the device. In addition, the primary GSSM GUI displays statistics about proximity operation for the GSS network. See Chapter 13, Displaying GSS Global Server Load-Balancing Statistics, for details about viewing network proximity statistics.
Network Proximity Overview
The GSS responds to DNS requests with the most proximate answers (resources) relative to the requesting D-proxy. Proximity refers to the distance or delay in terms of network topology, not geographical distance, between the requesting client's D-proxy and its answer.
To determine the most proximate answer, the GSS communicates with proximity probing agents located in each proximity zone to gather round-trip time (RTT) metric information measured between the requesting client's D-proxy and the zone. Each GSS directs client requests to an available server with the lowest RTT value. The proximity probing agent can be either a Cisco IOS-based router or another GSS configured as a DRP agent.
The proximity selection process is initiated as part of the DNS rule balance method clause. When a request matches the DNS rule and balance clause with proximity enabled, the GSS responds with the most proximate answer.
This section describes the major functions in GSS network proximity:
Proximity Zones
A network can be logically partioned into zones based on the arrangement of devices and network partioned characteristics. A zone can be geographically related to data centers in a continent, a country, or a major city. All devices, such as web servers in a data center, that are located in the same zone have the same proximity value when communicating with other areas of the Internet.
You can configure a GSS proximity network with a maximum of 32 zones. Within each zone, there is an active proximity probing agent that is configured to accept probing instructions from any GSS device. Probing refers to the process of measuring RTT from one proximity probing agent to a requesting D-proxy.
A location is a method to logically group devices in data centers for administrative purposes. A location can represent a physical point, such as a building or a rack. When you use the GSS to perform network proximity, each location must be assigned to a zone. In addition, you assign each answer used in a GSS proximity DNS rule to a location that is associated with a zone. This configuration hierarchy informs the GSS about resources when determining the most proximate answer.
Probe Management and Probing
Probe management is the intelligence behind each GSS device's interaction with the proximity probing agent in a zone. Within each zone, there must be at least one proximity probing agent and, optionally, a backup proximity probing agent. If the primary proximity probing agent fails, the probes are redirected to the backup device. Once the primary proximity probing agent becomes available, probes are redirected back to the primary proximity probing agent.
The GSS uses Director Response Protocol (DRP) to communicate with the proximity probing agents (called DRP agents) in each zone. DRP is a general User Datagram Protocol (UDP)-based query and response information exchange protocol developed by Cisco Systems.The GSS communicates with the proximity probing agent using the DRP RTT query and response method.
You can use another GSS as the proximity probing agent in a zone by enabling the DRP agent in the GSS. The GSS acting as a DRP agent supports ICMP, TCP, and path-probe RTT. You may also use any Cisco router as the proximity probing agent in a zone that can support the DRP agent software and measure ICMP or TCP; however, path-probe is not supported in the Cisco IOS router or other traditional DRP agent devices.
Each DRP agent accepts probing instructions from the GSS and returns probing results to the GSS based on the DRP protocol. DRP allows for the authentication of packets exchanged between the DRP agent and the GSS.
The GSS transmits DRP queries to one or more proximity probing agents in the GSS network, instructing the DRP agent in the proximity probing agent to probe specific D-proxy IP addresses. Each proximity probing agent responds to the query by using a standard protocol, such as ICMP or TCP, to measure the RTT between the DRP agent in the zone and the IP address of the requesting client's D-proxy device.
When the GSS receives a request from a D-proxy, it decides if it can provide a proximate answer. If the GSS is unable to determine a proximate answer from the proximity database (PDB), it sends a probe to one or more proximity probing agents to get proximity information between those proximity probing agents and the new D-proxy. After the GSS receives the probing results, it adds the RTT information to the PDB.
Figure 9-1 shows the probing process between a GSS (DRP client) and a proximity probing agent (DRP agent).
Figure 9-1 DRP Communication in a GSS Network
The GSS supports two types of probing methods:
•
•
Note
Proximity Database
The PDB provides the core intelligence for all proximity-based decisions made by a GSS. Proximity lookup occurs when a DNS rule is matched and the associated clause has the proximity option enabled. When the GSS receives a request from a D-proxy and decides that a proximity response should be provided, the GSS identifies the most proximate answer (the answer with the smallest RTT time) from the PDB that resides in GSS memory and sends that answer to the requesting D-proxy. If the PDB is unable to determine a proximate answer, the GSS collects the zone-specific RTT results, measured from proximity probing agents in every zone in the proximity network, and puts the results in the PDB.
For example, a GSS communicates with three zones to determine the most proximate answer and receives the following RTT values from the proximity probing agents in each zone to a particular client D-proxy:
•
•
•
From the three RTT values in the PDB, the GSS selects Zone1 as the most proximate zone for the client's D-proxy request because it has the smallest RTT value.
The GSS supports a maximum of 500,000 D-proxy IP address entries in the PDB table, including both dynamic and static entries. The GSS creates dynamic entries in the PDB as the result of requests for new D-proxy IP addresses. If necessary, you can add static entries to the PDB by specifying permanent RTT values (gathered by other means), and optionally, alternative IP addresses to probe.
The primary GSSM supports the creation of proximity groups that allow you to configure multiple blocks of D-proxy IP addresses that each GSS device stores in its PDB as a single entry. Instead of multiple PDB entries, the GSS uses only one entry in the PDB for multiple D-proxies. The GSS treats all D-proxies in a proximity group as a single D-proxy when responding to DNS requests with the most proximate answers. Requests from D-proxies within the same proximity group receive the RTT values from the database entry for the group. The benefits of proximity grouping are as follows:
•
•
•
The dynamic entries in the PDB age out based on the user-specified global inactivity setting to keep the PDB size manageable. The inactivity timeout setting defines the maximum period of time that can occur without a PDB entry receiving a lookup request, after which the GSS deletes the entry from the PDB.
When the total number of entries in the PDB exceeds 480,000, the GSS automatically removes the least recently used entries. The GSS determines the least recently used entries as those dynamic entries in the PDB that have not been hit within a fixed cutoff time of 60 minutes (one hour). The GSS does not automatically remove static entries from the PDB. You must manually delete PDB static entries from the GSS CLI.
When the PDB reaches a maximum of 500,000 entries, the GSS does not add entries to the PDB and any new requests for answers result in a failure. The GSS tracks how many entries are dropped when the maximum limit has been reached. Once the number of PDB entries drops below 500,000, the GSS resumes adding new entries to the PDB.
Example of Network Proximity
The process outlined below describes how the GSS interacts with the proximity probing agents in multiple zones to perform network proximity. See Figure 9-2 for an illustration of the following steps.
1.
2.
3.
4.
5.
6.
7.
Figure 9-2 Network Proximity Using the Cisco Global Site Selector
Proximity Network Design Guidelines
When developing your proximity network, ensure that you include a sufficient number of GSS devices to support the expected load. Follow these guidelines when designing your proximity network:
•
•
•
•
–
–
To use an answer group with a proximity balance method, the answers in the answer group must be contained in locations that are tied to a zone.
Network Proximity Quick Start Guide
Table 9-1 provides a quick overview of the steps required to configure the GSS for proximity network operation. Each step includes the primary GSSM CLI command required to complete the task. For detailed procedures to configure the GSS for proximity, see the sections that follow the table.
Table 9-1 Proximity Configuration Quick Start
1.
For example, enter:
gssm1.example.com> enablegssm1.example.com# configgssm1.example.com(config)# ntp-server 172.16.1.2 172.16.1.3gssm1.example.com(config)# ntp enable2.
3.
For example, enter:
gssm1.example.com(config)# gslbgssm1.example.com(config-gslb)#4.
For example, enter:
gssm1.example.com(config-gslb)# zone Z1 index 1 probe 192.168.11.1 backup probe 192.168.11.55.
For example, enter:
gssm1.example.com(config-gslb)# proximity-propertiesgssm1.example.com(config-gslb-proxprop)#6.
For example, enter:
gssm1.example.com(config-gslb-proxprop)# enablegssm1.example.com(config-gslb-proxprop)# exitgssm1.example.com(config-gslb)#7.
•
•
•
•
•
•
Note
•
•
•
•
•
See the "Configuring Proximity" section for a complete description of these settings.
For example, to enable global proximity and specify settings, enter:
gssm1.example.com(config-gslb)# proximity-propertiesgssm1.example.com(config-gslb-proxprop)# enablegssm1.example.com(config-gslb-proxprop)# mask 255.255.255.255gssm1.example.com(config-gslb-proxprop)# timeout 4320gssm1.example.com(config-gslb-proxprop)# equivalence 20gssm1.example.com(config-gslb-proxprop)# refresh-interval 6 gssm1.example.com(config-gslb-proxprop)# discovery-sequence icmp gssm1.example.com(config-gslb-proxprop)# acceptable-rtt 100gssm1.example.com(config-gslb-proxprop)# acceptable-zone 40 gssm1.example.com(config-gslb-proxprop)# exitgssm1.example.com(config-gslb)#8.
For example, to create two new DRP keys, enter:
gssm1.example.com(config-gslb)# proximity-propertiesgssm1.example.com(config-gslb-proxprop)# enablegssm1.example.com(config-gslb-proxprop)# key drp 10 DRPKEY1gssm1.example.com(config-gslb-proxprop)# key drp 20 DRPKEY2gssm1.example.com(config-gslb-proxprop)# exitgssm1.example.com(config-gslb)#9.
For example, to associate the zone z3 with the location London, enter:
gssm1.example.com(config-gslb)# location London zone z3gssm1.example.com(config-gslb)#10.
For example, to associate the location "Paris" with the VIP answer called "SEC-PARIS2" enter:
gssm1.example.com(config-gslb)# answer vip 172.16.27.6 name SEC-PARIS2 location Parisgssm1.example.com(config-ansvip[ans-ip])11.
For example, enter:
gssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# dns rule drule03 owner WEB-SERVICES source-address-list WEB-GLOBAL-LISTS domain-list E-COMMERCE query Agssm1.example.com(config-gslb-rule[rule-name])#12.
For example, enter:
gssm1.example.com(config-gslb-rule[rule-name])# clause 1 vip-group method ordered ANSGRP-VIP-03 proximity enablegssm1.example.com(config-gslb-rule[rule-name])#13.
•
•
•
For example, to set up Balance Clause 1 with proximity for a previously created DNS rule, enter:
gssm1.example.com(config-gslb-rule[rule-name])# clause 1 vip-group ANSGRP-VIP-03 method ordered proximity enable rtt 75 zone 5014.
For example, enter:
gssm1.example.com(config-gslb-rule[rule-name])# clause 2 vip-group ANSGRP-VIP-03 method ordered proximity enable rtt 120 zone 55gssm1.example.com(config-gslb-rule[rule-name])#15.
16.
For example, enter:
gssm1.example.com# configgssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# proximity group ProxyGroup1 ip 192.168.3.0 netmask 255.255.255.017.
For example, enter:
gssm1.example.com# configgssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# proximity assign group ISP2 zone-data "1:100,2:200,3:300,4:400,5:500"
Configuring the GSS as a DRP Agent
The DRP agent module allows you to configure a GSS to act as a DRP agent, either as dedicated DRP agent device or in combination with its global server load-balancing functionality.
This section explains the features of the GSS DRP agent and contains the following topics:
•
•
•
•
•
The GSS DRP agent supports three types of RTT probing mechanisms: ICMP, TCP, and path-probe. Path-probe is not supported in traditional DRP agent devices, such as the Cisco IOS router.
The ICMP and TCP probing mechanisms on the GSS DRP agent are identical to those on the Cisco IOS router. To obtain configuration commands for ICMP and TCP probes, see the following website:
Path-probe is a mechanism introduced in version 2.0, which calculates the RTT when the querying D-proxy is behind a firewall. When the D-proxy is behind a firewall, the GSS DRP agent is unable to reach it using the conventional ICMP and TCP probing mechanisms. After trying the conventional probing mechanisms, the GSS DRP agent uses path-probe as the fallback mechanism to calculate the RTT of the D-proxy. In the path-probe process, all participating DRP agents use traceroute to trace their paths to the D-proxy and report their paths (along with the RTTS) to the GSS.
To obtain configuration commands for path-probe, see the following website:
GSS DRP Agent Configuration Quick Start
Table 9-2 provides a quick overview of the steps required to configure the GSS as a DRP agent. Each step includes the primary GSSM CLI command required to complete the task. For the procedures to configure the GSS as a DRP agent, see the sections that follow the table.
Enabling the GSS DRP Agent
You can enable the DRP agent on the GSS by using the enable command in DRP agent configuration mode.
The syntax of this command is as follows:
enable
To disable the DRP agent, use the no form of the command.
To enable the DRP agent, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# enablegssm1.example.com(config-drp)# exitgssm1.example.com(config)#To disable the DRP agent, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# no enablegssm1.example.com(config-drp)# exitgssm1.example.com(config)#Enabling the DRP Authentication Key Chain ID
You can enable a DRP authentication key chain ID by using the authentication key command in DRP agent configuration mode.
The syntax of this command is as follows:
authentication key key-id
The key-id argument is the DRP keychain identifier. Enter a value from 0 to 255. To disable a keychain identifier, use the no form of the command.
To enable the DRP keychain ID 240, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# authentication key 240gssm1.example.com(config-drp)# exitgssm1.example.com(config)#To disable the keychain ID 240, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# no authentication key 240gssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring the ICMP Probe Timeout Parameter
You can configure the ICMP probe timeout parameter by using the probe icmp-rtt timeout command in DRP agent configuration mode.
The syntax of this command is as follows:
probe icmp-rtt timeout time
The time argument is the timeout value in seconds. Enter a value from 1 to 5. The default is 3. To configure the probe not to time out, use the no timeout command.
To configure the ICMP probe timeout to 5 seconds, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe icmp-rtt timeout 5gssm1.example.com(config-drp-icmp-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#To configure the ICMP probe not to time out, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe icmp-rttgssm1.example.com(config-drp-icmp-rtt)# no timeoutgssm1.example.com(config-drp-icmp-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring the Path Probe Parameters
You can enter path probe configuration mode to configure the path probe parameters by using the probe path-rtt command in DRP configuration mode.
The syntax of this command is as follows:
probe path-rtt
To enter path probe configuration mode, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)#This section contains the following topics:
•
•
•
•
Configuring the Packet Type
You can specify the type of packet to use for path probing by using the probe-type command in path probe configuration mode.
The syntax of this command is as follows:
probe-type {tcp | udp}
The keywords for this command are as follows:
•
•
The default is a TCP-SYN-ACK packet.
To set the path probe packet type to UDP, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# probe-type udpgssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring the Burst Size
You can configure the number of TCP-SYN-ACK packets to send at a time by using the burst-size command in path probe configuration mode.
The syntax of this command is as follows:
burst-size burst_size
The burst-size argument is the number of packets to send at a time. Enter a value of 1 to 20. The default is 5. To specify that burst sizes are not sent, use the no form of the command.
To set the burst size to 15 packets, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# burst-size 15gssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#To configure the probe with no burst size, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# no burst-sizegssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring the Timeout
You can configure the timeout value of the path probe by using the timeout command in path probe configuration mode.
The syntax of this command is as follows:
timeout time
The time argument is the number of seconds to elapse before the probe times out. Enter a value of 1 to 10. The default is 3. To configure the probe not to time out, use the no timeout command.
To set the timeout value to 3 seconds, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# timeout 3gssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#To configure the probe not to time out, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# no timeoutgssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring the Destination Port
You can configure the destination port of the path probe by using the destination-port command in path probe configuration mode.
The syntax of this command is as follows:
destination-port port
The port argument is the destination port number. Enter a value of 1 to 65535. The default is 53. To configure the probe with no destination port number, use the no destination-port command.
To set the destination port to 555, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# destination-port 555gssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drTo configure the probe with no destination port number, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# no destination-portgssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring the Source Port
You can configure the source port of the path probe by using the sourceport command in path probe configuration mode.
The syntax of this command is as follows:
sourceport {dynamic | static} port
The keywords and arguments are as follows:
•
•
•
To configure the probe with no source port number, use the no form of the command.
To set the static source port to 65530, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# sourceport static 65530gssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#To configure the probe with no static source port number, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# no sourceport staticgssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring an Initial Time-to-Live
You can configure an initial Time-to-Live for the path probe by using the init-ttl command in path probe configuration mode.
The syntax of this command is as follows:
init-ttl time
The time argument is the initial Time-to-Live in seconds. Enter a value from 1 to 32. The default is 1. To configure the probe with no initial Time-to-Live, use the no init-ttl command.
To set the initial Time-to-Live to 20 seconds, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# init-ttl 20gssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#To configure the probe with no initial Time-to-Live, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# no init-ttlgssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring the Number of Last Successive Failure Packets
You can configure an acceptable number of last successive failure packets the path probe by using the max-failure-ttl command in path probe configuration mode.
The syntax of this command is as follows:
max-failure-ttl number_packets
The number_packets argument is the acceptable number of last successive failure packets. Enter a value from 1 to 32. The default is 5. To configure the probe with no acceptable number of last successive failure packets, use the no max-failure-ttl command.
To set the acceptable number of last successive failure packets to 12, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# max-failure-ttl 12gssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#To configure the probe with no acceptable number of last successive failure packets, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# no max-failure-ttlgssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring the Maximum Time-to-Live
You can configure the maximum Time-to-Live for path probing by using the max-ttl command in path probe configuration mode.
The syntax of this command is as follows:
max-ttl number_packets
The number_packets argument is the maximum Time-to-Live value in seconds. Enter a value from 1 to 255. The default is 32. To configure the probe with no maximum Time-to-Live, use the no max-ttl command.
To set the maximum Time-to-Live to 37, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# max-ttl 37gssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#To configure the probe with no maximum Time-to-Live, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe path-rttgssm1.example.com(config-drp-path-rtt)# no max-ttlgssm1.example.com(config-drp-path-rtt)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring the TCP Probe Parameters
You can enter TCP RTT configuration mode to configure the TCP probe parameters by using the probe tcp-rtt command in DRP configuration mode.
The syntax of this command is as follows:
probe tcp-rtt
To enter TCP RTT Probe configuration mode, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe tcp-rttgssm1.example.com(config-drp-tcp-rttprobe)#This section contains the following topics:
•
Configuring the Destination Port
You can configure the destination port of the TCP probe by using the destination-port command in TCP probe configuration mode.
The syntax of this command is as follows:
destination-port port
The port argument is the destination port number. Enter a value of 1 to 65535. The default is 53. To configure the probe with no destination port number, use the no destination-port command.
To set the probe destination port to 555, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe tcp-rttgssm1.example.com(config-drp-tcp-rttprobe)# destination-port 555gssm1.example.com(config-drp-tcp-rttprobe)# exitgssm1.example.com(config-drp)To configure the probe with no destination port number, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe tcp-rttgssm1.example.com(config-drp-tcp-rttport)# no destination-portgssm1.example.com(config-drp-tcp-rttport)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring the Source Port
You can configure the source port of the TCP probe by using the sourceport command in TCP probe configuration mode.
The syntax of this command is as follows:
sourceport {dynamic | static} port
The keywords and arguments are as follows:
•
•
•
To configure the TCP probe with no source port number, use the no form of the command.
To set the probe static source port to 65530, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe tcp-rttgssm1.example.com(config-drp-tcp-rttprobe)# sourceport static 65530gssm1.example.com(config-drp-tcp-rttprobe)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#To configure the probe with no static source port number, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe tcp-rttgssm1.example.com(config-drp-tcp-rttprobe)# no sourceport staticgssm1.example.com(config-drp-tcp-rttprobe)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring the Timeout
You can configure the timeout value of the TCP probe by using the timeout command in TCP probe configuration mode.
The syntax of this command is as follows:
timeout timeout
The timeout argument is the number of seconds to elapse before the probe times out. Enter a value of 1 to 10. The default is 3. To configure the probe so that it does not timeout, use the no timeout command.
To set the probe timeout value to 3 seconds, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe tcp-rttgssm1.example.com(config-drp-tcp-rttprobe)# timeout 3gssm1.example.com(config-drp-tcp-rttprobe)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#To configure the probe so that it does not time out, enter:
gssm1.example.com(config)# drpgssm1.example.com(config-drp)# probe tcp-rttgssm1.example.com(config-drp-tcp-rttprobe)# no timeoutgssm1.example.com(config-drp-tcp-rttprobe)# exitgssm1.example.com(config-drp)# exitgssm1.example.com(config)#Configuring a Cisco Router as a DRP Agent
When you enable DRP on a Cisco router, the router gains the additional functionality of operating as a DRP agent in the GSS network. A DRP agent can communicate with multiple GSSs and support multiple distributed servers.
This section includes the following background information about choosing and configuring the Cisco router in each proximity zone as a DRP agent. It contains the following topics:
•
•
Choosing a Cisco Router as a DRP Agent
When selecting a Cisco router as the DRP agent in a zone, you should ensure the following:
•
•
Configuring the DRP Agent
You can configure and maintain the DRP agent in the Cisco IOS-based router by performing the tasks described in the "Configuring a DRP Server Agent" section, of the Cisco IOS IP Configuration Guide. The Cisco IOS-based router must support the DRP protocol in a proximity zone. DRP is supported in the following Cisco IOS Release trains: 12.1, 12.1E, 12.2T, 12.2, 12.3, and later releases. ICMP probing is supported only in Cisco IOS Release 12.2T, 12.3, and later.
The GSS operates with Cisco IOS-based routers using the following DRP RTT probing methods: TCP ("DRP Server Agent") and ICMP ("ICMP ECHO-based RTT probing by DRP agents"). The Cisco IOS feature names shown in the Cisco Feature Navigator II are as follows: "DRP Server Agent" and "ICMP ECHO-based RTT probing by DRP agents."
The following process is required to configure a Cisco IOS-based router as a DRP agent:
1.
2.
3.
4.
Cisco IOS Release 12.1 Interoperability Considerations
If you use a GSS in a network proximity zone configuration with a router running Cisco IOS Release 12.1, you should ensure the DRP authentication configuration is identical on both devices. For example, if you intend to perform DRP authentication between a GSS and a router running Release 12.1, ensure that you properly enable and configure authentication on both devices. The same is true if you choose not to use DRP authentication; you must disable authentication on both devices.
If you disable DRP authentication on a router running Cisco IOS Release 12.1 but enable DRP authentication on a GSS, all measurement probes sent by a GSS to the router will fail. This occurs because the router fails to recognize the DRP echo query packets sent by a GSS and the GSS cannot detect a potential failure of measurement packets sent to the router. The GSS identifies the router as being ONLINE in its show statistics proximity probes detailed CLI command, yet the measurement response packets monitored in the Measure Rx field do not increment. These two conditions may indicate a DRP authentication mismatch.
If the DRP probe requests fail between the GSS and a Cisco router running Release 12.1, even if the GSS indicates that the router is ONLINE, verify the DRP authentication configurations on both the GSS and the Cisco router as follows:
•
•
Modify the DRP authentication configuration on either the router running Cisco IOS Release 12.1 or the primary GSSM and make them consistent to avoid a DRP authentication mismatch.
Logging in to the CLI and Enabling Privileged EXEC Mode
Note
To log in to the primary GSSM and enable privileged EXEC mode at the CLI, perform the following steps:
1.
If you are using a direct serial connection between your terminal and the GSSM, use a terminal emulation program to access the CLI. For details about making a direct connection to the GSS device using a dedicated terminal and about establishing a remote connection using SSH or Telnet, see the Cisco Global Site Selector Getting Started Guide.
2.
gssm1.example.com>3.
gssm1.example.com> enablegssm1.example.com#If you are accessing the GSS remotely using Telnet or SSH, the CLI prompts you for the enable password. The default password is default. For more information about the enable password and configuring a new password, see the Cisco Global Site Selector Getting Started Guide.
The prompt changes from the user-level EXEC right angle bracket (>) prompt to the privileged-level EXEC pound sign (#).
Synchronizing the GSS System Clock with an NTP Server
We strongly recommend that you synchronize the system clock of each GSS device in your network with a Network Time Protocol (NTP) server. NTP is a protocol designed to synchronize the clocks of computers over a network with a dedicated time server.
Synchronizing the system clock of each GSS ensures that the PDB and probing mechanisms function properly by having the GSS internal system clock remain constant and accurate within the network. Changes in the GSS system clock can affect the time stamp used by PDB entries and the probing mechanism used in a GSS.
You must specify the NTP server(s) for each GSS device operating in the proximity network before you enable proximity for those devices from the primary GSSM. This sequence ensures that the clocks of each GSS device are synchronized.
Note
You can specify one or more NTP servers for GSS clock synchronization by using the ntp-server global configuration mode command.
The syntax of this CLI command is as follows:
ntp-server ip_or_host
The ip_or_host argument specifies the IP address or hostname of the NTP time server in your network that provides the clock synchronization. You can specify a maximum of four IP addresses or hostnames. Enter the IP address in dotted-decimal notation (for example, 172.16.1.2) or a mnemonic hostname (for example, myhost.mydomain.com).
You can enable the NTP service by using the ntp enable global configuration mode command.
The syntax of this command is as follows:
ntp enable
To specify the IP addresses of two NTP time servers for a GSS device and enable the NTP service, enter:
gssm1.example.com> enablegssm1.example.com# configgssm1.example.com(config)# ntp-server 172.16.1.2 172.16.1.3gssm1.example.com(config)# ntp enableCreating Zones Using the Primary GSSM CLI
A proximity zone is a logical grouping of network devices that also contains one active proximity probing agent and a possible backup proximity probing agent. A zone can be geographically related to a continent, a country, or a major city. Each zone can include one or more locations. A location is a method to logically group collocated devices for administrative purposes.
During the proximity selection process, the GSS chooses the most proximate zones that contain one or more valid answers based on RTT data received from the proximity probing agents configured in the zone. You can configure a proximity network with a maximum of 32 zones.
This section includes the following topics:
•
•
Configuring a Proximity Zone
You can configure a proximity zone from the primary GSSM by using the zone command in global server load-balancing configuration mode.
The syntax of this command is as follows:
zone name {index number | probe ip_address} [backup probe ip_address]
The keywords and arguments are as follows:
•
•
•
•
For example, enter:
gssm1.example.com(config-gslb)# zone Z1 index 1 probe 192.168.11.1 backup 192.168.11.5To modify the properties for a previously created zone, enter:
gssm1.example.com(config-gslb)# zone Z1 index 1 probe 192.168.11.2 backup 192.168.11.9
Note
Deleting a Proximity Zone
Use the no form of the zone command to delete a zone.
For example, to delete zone "z1," enter:
gssm1.example.com(config-gslb)# no zone Z1 index 1 probe 192.168.11.1 backup 192.168.11.5or
gssm1.example.com(config-gslb)# no zone Z1Associating a Proximity Zone With a Location
You can associate an existing proximity zone with a location by using the location command in global server load-balancing configuration mode. You can make the association for a new location or for an existing location. To display a list of existing locations, use the show gslb-config location command (see the "Displaying Resource Information" section in Chapter 2, Configuring Network Proximity, for more information).
The syntax of this command is as follows:
location name [region name | comments text | zone name]
The keywords and arguments are as follows:
•
•
•
•
To create a location named San_Francisco and associate it with the region Western_USA and the zone z1, enter:
gssm1.example.com# configgssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# location SAN_FRANCISCO region WESTERN_USA zone z1To associate the zone "z3" with the location London, enter:
gssm1.example.com(config-gslb)# show gslb-config location...location London region Western_EU...gssm1.example.com(config-gslb)# location London zone z3gssm1.example.com(config-gslb)#Associating a Proximity-Based Location with an Answer
You can assign a location that is associated with a proximity zone to an answer by using the answer vip ip_address command in global server load-balancing configuration mode. You can make the association for a new answer or for an existing answer. To display a list of existing answers, use the show gslb-config answer command (see the "Displaying Answer Properties" section in Chapter 6, Configuring Answers and Answer Groups, for more information).
The syntax of this command is as follows:
answer vip ip_address [name name | location name | active | suspend]
The keywords and arguments are as follows:
•
•
•
•
•
To create a VIP answer called "SEC-LONDON1" and associate it with the "London" location, enter:
gssm1.example.com# configgssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# answer vip 10.86.209.232 name SEC-LONDON1 location LONDONgssm1.example.com(config-ansvip[ans-ip])To associate the location Paris with the VIP answer called SEC-PARIS2, enter:
gssm1.example.com(config-gslb)# show gslb-config answer...answer vip 172.16.27.6 name SEC-PARIS2 activekeepalive type tcp port 180 active...gssm1.example.com(config-gslb)# answer vip 172.16.27.6 name SEC-PARIS2 location Parisgssm1.example.com(config-ansvip[ans-ip])Configuring Proximity Using the Primary GSSM CLI
This section describes how to configure the GSS for network proximity from the primary GSSM CLI, how to add proximity to a DNS rule, and how to manage the proximity database. It contains the following topics:
•
•
•
•
•
•
Configuring Proximity
The GSS contains proximity settings that function as the default values used by the GSS network when you enable proximity in a DNS rule.
You can enter the proximity properties configuration mode by using the proximity-properties command from global server load-balancing configuration mode. In the proximity properties configuration mode, enable proximity and modify the DNS proximity settings for the GSS network. Proximity settings are applied as soon as you exit from the proximity properties configuration mode or enter a new mode.
To enable proximity and configure the proximity settings from the proximity properties configuration mode, specify one or more of the following commands:
•
•
When you define a proximity group for incoming D-proxy addresses, and an incoming D-proxy address does not match any of the entries in a defined proximity group, the GSS uses this global netmask value to calculate a grouped D-proxy network address. See the "Creating Proximity Groups" section for more information.
•
•
For example, with an equivalence setting of 20 percent and a series of returned RTT values:
•
•
•
The GSS determines that Zone1 has the lowest RTT value. In this case, the GSS adds 20 percent (20 ms) to the RTT value to make Zone1 and Zone2 equally proximate in regards to the GSS selecting an answer. The RTT equivalence window range is 100 ms to 120 ms, and the GSS considers any zone that returns an RTT value in that range to be equally proximate.
Use this parameter to adjust the granularity of the proximity decision process. Enter an equivalence value from 0 to 100 percent. The default value is 20 percent.
•
•
–
–
•
Note
When the GSS fails to receive the minimum acceptable RTT metrics from the DRP agents, it sends a query message to the proximity probing agents configured for each zone instructing the DRP agent running on the GSS to probe using the path-probe method instead. If at least one of the DRP agents returns RTT using the legacy ICMP or TCP probing methods, the path-probe is not triggered.
Note
The metrics obtained from the DRP agents configured for each zone are compared by the GSS to arrive at a common gateway. The best (smallest) RTT metric to the first common gateway is used to determine the closest content serving site. This method differs from the TCP and ICMP probe methods by calculating RTT to the common gateway, not to the D-proxy.•
a.
b.
c.
Use this setting to adjust the granularity of the proximity decision process. Enter an acceptable-rtt value from 50 to 2000 ms. The default value is 100 ms.
•
Use this parameter to adjust the granularity of the proximity decision process. Enter a percentage of zones from 3 to 100 percent. The default value is 40 percent.
Note
•
•
•
Specify the following settings for the key drp command:
–
–
See the "Creating DRP Keys" section for more information.
To enable global proximity and specify settings, enter:
gssm1.example.com(config-gslb)# proximity-propertiesgssm1.example.com(config-gslb-proxprop)# enablegssm1.example.com(config-gslb-proxprop)# mask 255.255.255.0gssm1.example.com(config-gslb-proxprop)# timeout 4320gssm1.example.com(config-gslb-proxprop)# equivalence 20gssm1.example.com(config-gslb-proxprop)# refresh-interval 6 gssm1.example.com(config-gslb-proxprop)# discovery-sequence icmp gssm1.example.com(config-gslb-proxprop)# acceptable-rtt 100gssm1.example.com(config-gslb-proxprop)# acceptable-zone 40 gssm1.example.com(config-gslb-proxprop)# exitgssm1.example.com(config-gslb)#To reset various global proximity settings back to the default setting, use the no form of the command. For example, enter:
gssm1.example.com(config-gslb-proxprop)# no mask 255.255.255.0gssm1.example.com(config-gslb-proxprop)# no timeout 4320gssm1.example.com(config-gslb-proxprop)# no equivalence 20gssm1.example.com(config-gslb-proxprop)# exitgssm1.example.com(config-gslb)#Creating DRP Keys
DRP supports the authentication of packets exchanged between the DRP agent (proximity probing agent) and the DRP client (the GSS). Use the authentication drp enable and key drp commands in proximity properties configuration mode to enable DRP authentication and create one or more DRP keys. See the "Configuring Proximity" section for details on these two commands. Each DRP key contains a key identification number and a key authentication string. The primary GSSM supports a maximum of 32 keys.
The DRP key is stored locally on each GSS in the network. The key functions as an encrypted password to help prevent DRP-based denial-of-service attacks, which can be a security threat. Each GSS generates DRP packets that contain all of the configured keys and sends the packets to the DRP agent in each configured zone. The DRP agent in each proximity probing agent examines the packet for a matching key (see the "Configuring the DRP Agent" section). If it finds a matching key, the DRP agent considers the DRP connection as authentic and accepts the packet.
To create three new DRP keys, enter:
gssm1.example.com(config-gslb)# proximity-propertiesgssm1.example.com(config-gslb-proxprop)# authentication drp enablegssm1.example.com(config-gslb-proxprop)# key drp 10 DRPKEY1gssm1.example.com(config-gslb-proxprop)# key drp 20 DRPKEY2gssm1.example.com(config-gslb-proxprop)# key drp 30 DRPKEY3gssm1.example.com(config-gslb-proxprop)# exitgssm1.example.com(config-gslb)#Deleting DRP Keys
You can remove DRP authentication keys by using the no form of the key drp command.
For example, enter:
gssm1.example.com(config-gslb-proxprop)# no key drp 30 DRPKEY3gssm1.example.com(config-gslb-proxprop)# exitgssm1.example.com(config-gslb)#Adding a Proximity Balance Clause to a DNS Rule
This section contains the following topics:
•
•
Proximity Balance Clause Overview
After you enable and configure network proximity from the primary GSSM, add proximity to a DNS rule for VIP-type answer groups using the clause command in rule configuration mode. The balance method configured in the matched clause of the DNS rule determines the answer that the GSS selects when multiple valid answers are present in the most proximate zones and returns this answer as the DNS response to the requesting D-proxy. If the GSS does not find an answer, it evaluates the other balance methods in the DNS rule to choose a new answer.
The GSS supports proximity in a DNS rule with the following balance methods:
•
•
•
•
You can configure proximity individually for the three balance clauses in a DNS rule. Proximity lookup occurs when the DNS rule is matched and the associated clause has the proximity option enabled. When the GSS receives a request from a D-proxy and decides that a proximity response should be provided, the GSS identifies the most proximate answer (the answer with the smallest RTT time) from the PDB residing in GSS memory and sends that answer to the requesting D-proxy. If the PDB is unable to determine a proximate answer, the GSS collects the zone-specific RTT results, measured from proximity probing agents in every zone in the proximity network, and puts the results in the PDB.
When there are no valid answers in the answer group of a proximity balance clause, the GSS skips that balance clause and moves on to the next clause listed in the DNS rule unless you specify a proximity wait condition. In that case, the GSS waits to perform a proximity selection until it receives the appropriate RTT and zone information based on the proximity settings. The GSS does not return an answer to the requesting client's D-proxy until the GSS obtains sufficient proximity data to complete the selection process.
Note
Adding Proximity to a DNS Rule that uses VIP-Type Answer Groups
To add proximity balance clauses to a DNS rule that uses VIP-type answer groups, perform the following steps:
1.
2.
3.
The syntax of this command is as follows:
clause number vip-group name [method {round-robin | least-loaded | ordered | weighted-round-robin | hashed {domain-name | source-address | both}} | count number | proximity {enable [rtt number | wait {enable | disable} zone number] | disable} | ttl number]
The keywords and arguments are as follows:
•
•
Note
•
–
–
The least-loaded option is available only for VIP-type answer groups that use a KAL-AP or Scripted keepalive.
–
Note
–
–
domain-name—The GSS selects the answer based on a hash value created from the requested domain name.
source-address—The GSS selects the answer based on a hash value created from the source address of the request.
both—The GSS selects the answer based on both the source address and domain name.
•
•
–
rtt number—Changes the proximity-acceptable RTT for the balance clause to value that differs from the global proximity configuration. The GSS uses this value as the user-specified acceptable RTT when determining the most proximate answer. See the acceptable-rtt number option in the "Configuring Proximity" section for details. Enter an acceptable RTT value from 50 to 2000 ms. The default value is 100 ms.
–
–
–
•
4.
To set up Balance Clauses 1 and 2 with proximity for the previously created DNS rule named drule03, enter:
gssm1.example.com(config-gslb)# dns rule drule03gssm1.example.com(config-gslb-rule[rule-name])# clause 1 vip-group ANSGRP-VIP-03 method ordered proximity enable rtt 75 zone 50gssm1.example.com(config-gslb-rule[rule-name])# clause 2 vip-group ANSGRP-VIP-03 method least-loaded proximity enable rtt 125 zone 50gssm1.example.com(config-gslb-rule[rule-name])#Creating Proximity Groups
This section contains the following topics:
•
•
Proximity Group Overview
The primary GSSM supports the creation of proximity groups. A proximity group allows you to configure multiple blocks of D-proxy IP addresses that each GSS device stores in its PDB as a single entry. Instead of multiple PDB entries, the GSS uses only one entry in the PDB for multiple D-proxies. The GSS treats all D-proxies in a proximity group as a single D-proxy when responding to DNS requests with the most proximate answers. Requests from D-proxies within the same proximity group receive the RTT values from the database entry for the group.
You create proximity groups from the primary GSSM CLI to obtain better scalability of your configuration and to allow for easy proximity group creation through automated scripts. The primary GSSM supports a maximum of 5000 proximity groups. Each proximity group contains 1 to 30 blocks of IP addresses and subnet masks (in dotted-decimal format).
The benefits of proximity grouping are as follows:
•
•
•
In addition to creating proximity groups of multiple D-proxy IP addresses from the CLI, you can configure a global netmask from the primary GSSM to uniformly group contiguous D-proxies (see the "Configuring Proximity" section). The global netmask is used by the GSS device when no proximity group matches the incoming D-proxy address. The GSS uses the full incoming D-proxy IP address (255.255.255.255) and the global netmask as the key to look up the proximity database. The default global mask is 255.255.255.255.
Figure 9-3 shows how the DNS requests from D-proxies 192.168.9.2, 192.168.9.3, and 172.16.5.1 all map to the identified group name, ProxyGroup1, through proximity group entries 192.168.9.0/24 and 172.16.5.1/32. If no match is found in the PDB for an incoming D-proxy IP address, the GSS applies a user-specified global netmask to calculate a network address as the database key. In this example, DNS requests from 192.168.2.1 and 192.168.7.2 use the database entries keyed as 192.168.2.0 and 192.168.7.0 with a specified global netmask of 255.255.255.0.
Figure 9-3 Locating a Grouped Proximity Database Entry
Creating a Proximity Group
From the primary GSSM CLI, you can create a proximity group by using the proximity group global server load-balancing configuration mode command to identify the name of the proximity group and add an IP address block to the group. Use the no form of the command to delete a previously configured IP address block from a proximity group or to delete a proximity group.
Create proximity groups at the CLI of the primary GSSM to obtain better scalability of your configuration and to allow easy proximity group creation through automated scripts. Proximity groups are saved in the primary GSSM database. All GSS devices in the network receive the same proximity group configuration. You cannot create proximity groups at the CLI of a standby GSSM or individual GSS devices.
The syntax of this command is as follows:
proximity group {groupname} ip {ip-address} netmask {netmask}
The keywords and arguments are as follows:
•
•
•
To create a proximity group called ProxyGroup1 with an IP address block of 192.168.9.0 255.255.255.0, enter:
gssm1.example.com# configgssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# proximity group ProxyGroup1 ip 192.168.9.0 netmask 255.255.255.0Reenter the proximity group command if you want to perform the following:
•
•
Each proximity group can have a maximum of 30 blocks of defined IP addresses and subnet masks. The GSS prohibits duplication of IP addresses and subnet masks among proximity groups.
Playing Static Proximity Group Configurations
If the size of static proximity group configuration is quite large, you should use the proximity play-config command to play the static proximity configuration. This command plays the proximity commands more efficiently than script play-config.
Note
The syntax of this command is as follows:
proximity play-config filename
The filename specifies the file containing the proximity configuration.
To use this command, perform the following steps:
1.
2.
3.
4.
5.
6.
7.
Note
To play a static proximity configuration, enter:
gssm1.example.com# proximity play-config prox.txtTue Mar 6 13:10:43 2007 waiting for postmaster to start....done Tue Mar 6 13:10:43 2007 postmaster successfully started proximity group proxa1 ip 11.1.1.4 netmask 255.255.255.252 proximity group proxa1 ip 11.1.1.8 netmask 255.255.255.252 ... proximity group proxa50 ip 11.1.2.140 netmask 255.255.255.252 proximity group proxa50 ip 11.1.2.144 netmask 255.255.255.252########################################### Please use the following Key required while, playing "proximity play-config" on SGSSM. Key: 89l25l5fa7339c1b60a20b60142493328b997b ###########################################Deleting a Proximity Group IP Address Block
You can delete a previously configured IP address block from a proximity group by using the no form of the proximity group command. For example, enter:
gssm1.example.com# configgssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# no proximity group ProxyGroup1 IP 192.168.9.0 netmask 255.255.255.0Deleting a Proximity Group
You can delete a proximity group and all configured IP address blocks by using the no form of the proximity group command. For example, enter:
gssm1.example.com# configgssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# no proximity group ProxyGroup1Configuring Static Proximity Database Entries
This section describes how to configure static entries in the PDB. It contains the the following topics:
•
•
•
Adding Static Proximity Entries
In the PDB, entries can be both dynamic and static. The GSS creates dynamic entries in the PDB as the result of requests from new D-proxy IP addresses. If you need to configure static proximity metrics for zones in your GSS network or assign proximity probing agents to specific D-proxies, you must define a series of static entries in the PDB by using the proximity assign global server load-balancing configuration mode command. If the same entry, dynamic or static, already exists in the proximity database, the GSS will overwrite that entry with the newly-assigned entry. You can use automated scripts if you intend to add numerous static entries in the PDB of each GSS.
You can also successfully add static proximity entries on the primary GSS. However, you cannot add entries by zone on any other GSS. When you attempt to use static entries locally and configure them separately on each GSS using the proximity assign CLI command, the GSS responds that this command is valid only on the primary GSSM.
Note
There are two different keywords and arguments to consider here when using the proximity assign command:
•
•
For more information on these and all other proximity assign keywords and arguments, see the "Static Entries and the Aging-Out Process" section.
To synchronize the proximity static entries for the group round-trip time (RTT) data, perform the following steps.
1.
gss-primary.example.com# proximity database dump PDB2007_6_21 format binary entry-type assigned2.
gss-other.example.com# ftp <primary_GSS_ipaddress>
Note
3.
gss1.example.com# proximity database load PDB2007_6_21 format binaryStatic Entries and the Aging-Out Process
Static entries in the PDB do not age out; they remain in the PDB until you delete them. Static entries are not subject to the automatic database cleanup of least recently used entries when the PDB size is almost at the maximum number of entries. Use the no proximity assign command to delete static entries as described in the "Deleting Static Entries from the Proximity Database" section.
You can specify permanent RTT values for the static entries. When the GSS uses permanent RTT values, it does not perform active probing with the DRP agent. Instead of RTT values, you can specify alternative IP addresses as targets for probing by the proximity probing agents to obtain RTT data. The GSS probes the alternative probe target for requests from D-proxies matching these static entries.
Static entries in the PDB are either static RTT-filled or probe-target IP-filled.
You can create static entries in the PDB by using the proximity assign global server load-balancing configuration mode command.
The syntax of this command is as follows:
proximity assign {group {groupname}} | ip {entryaddress} | [probe-target {ip-address} | zone-data {"zoneId:RTT"}]
Note
The options and variable are as follows:
•
•
•
•
To configure an alternative probing target for the proximity group ISP1, enter:
gssm1.example.com# configgssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# proximity assign group ISP1 probe-target 192.168.2.2To configure an alternative probing target for D-proxy subnet 192.168.8.0 (assuming the global mask configuration is 255.255.255.0), enter:
gssm1.example.com# configgssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# proximity assign ip 192.168.8.0 probe-target 192.168.2.2To configure static RTT metrics for the proximity group ISP2 using zone indexes created previously through the primary GSSM, enter:
gssm1.example.com# configgssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# proximity assign group ISP2 zone-data "1:100,2:200,3:300,4:400,5:500"To configure static RTT metrics for D-proxy subnet 192.168.8.0 (assuming the global mask configuration is 255.255.255.0), enter:
gssm1.example.com# configgssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# proximity assign ip 192.168.8.0 zone-data "1:100,2:200,3:300,4:400,5:500"Deleting Static Entries from the Proximity Database
The GSS allows you to remove entries from the PDB of each GSS device using the CLI. To delete static entries from the PDB in the GSS memory, use the no form of the proximity assign global server load-balancing configuration mode command.
Note
To delete static RTT entries for the proximity group ISP1, enter:
gssm1.example.com# configgssm1.example.com(config)# gslbgssm1.example.com(config-gslb)# no proximity assign group ISP1 zone-data "1:100,2:200,3:300,4:400,5:500"Deleting Entries from the Proximity Database
You can remove PDB entries from the GSS memory by using the proximity database delete command. This command, however, does not delete PDB entries saved as part of an automatic dump to a backup file on disk, which the GSS loads upon a reboot or restart to initialize the PDB. To ensure that you successfully remove the desired PDB entries from both GSS memory and disk, enter the proximity database delete command followed by the proximity database periodic-backup now command to force an immediate backup of the empty PDB residing in GSS memory.
The syntax of this command is as follows:
proximity database delete {all | assigned | group {name} | inactive minutes | ip {ip-address} netmask {netmask} | no-rtt | probed}
The keywords and arguments are as follows:
•
Caution
•
•
•
•
•
•
To remove the D-proxy IP address 192.168.8.0 and subnet mask 255.255.255.0, enter:
gssm1.example.com# proximity database delete ip 192.168.8.0 255.255.255.0Dumping Proximity Database Entries to a File
The GSS automatically dumps PDB entries to a backup file on the disk approximately every hour. The GSS uses this backup file to initialize the PDB upon system restart or reboot to enable the GSS to recover the contents of the database.
You can dump all or selected entries from the PDB to a named file as a user-initiated backup file. You can then use the ftp command in EXEC or global configuration mode to launch the FTP client and transfer the file to a remote machine.
To view the entire contents of a PDB XML output file from the GSS, use the type command. See the Cisco Global Site Selector Administration Guide for details about displaying the contents of a file.
The GSS includes options that provide a level of granularity for dumping entries from the PDB. The GSS supports binary and Extensible Markup Language (XML) output formats. Optionally, you can specify filters, such as PDB entry type and entry IP network address, to clarify the information dumped from the PDB. PDB entry types can be either statically entered (see the "Configuring Static Proximity Database Entries" section) or dynamically learned by the GSS. You can instruct the GSS to dump both type of entries from the PDB. If you do not specify an entry type, the GSS automatically dumps all entries from the PDB.
If you attempt to overwrite an existing proximity database dump file with the same filename, the GSS displays the following message:
Proximity Database dump failed, a file with that name already exists.
You can dump entries contained in the PDB to a named file by using the proximity database dump command.
The syntax of this command is as follows:
proximity database dump {filename} format {binary | xml} [entry-type {all | assigned | probed}] [entry-address {ip-address} netmask {netmask}]
The keywords and arguments are as follows:
•
•
–
–
Note
•
–
–
–
•
•
This example shows how to dump the dynamic PDB entries to a file named PDB2004_6_30 in XML format. If the dump contains a large number of entries, progress messages may appear.
gssm1.example.com# proximity database dump PDB2004_6_30 format xml entry-type probed entry-address 172.23.5.7 netmask 255.255.255.255Starting Proximity Database dump.gssm1.example.com# proximity database dump PDB2004_6_30 format xml entry-type probed entry-address 172.23.5.7 netmask 255.255.255.255Proximity Database dump is in progress...Proximity Database has dumped 15678 of 34512 entriesgssm1.example.com# proximity database dump PDB2004_6_30 format xml entry-type probed entry-address 172.23.5.7 netmask 255.255.255.255Proximity Database dump completed. The number of dumped entries: 34512When the dump finishes, a "completed" message displays and the CLI prompt reappears.
Running a Periodic Proximity Database Backup
You can instruct the GSS to dump PDB entries to an output file on the GSS disk before the scheduled time. You may want to initiate a PDB dump as a database recovery method to ensure you store the latest PDB entries before shutting down the GSS.
You can force an immediate backup of the PDB residing in GSS memory by using the proximity database periodic-backup now command. The GSS sends the PDB entries to the system dump file as the proximity database file. Upon a reboot or restart, the GSS reads this file and loads the contents to initialize the PDB at boot time.
The syntax of this command is as follows:
proximity database periodic-backup now
For example, enter:
gssm1.example.com# proximity database periodic backup nowLoading Proximity Database Entries
The GSS enables you to load and merge a PDB from a file into the existing PDB in GSS memory. This PDB merge capability supports the conversion and migration of PDB entries from one GSS into the PDB of another GSS. The file must be in binary format for loading into GSS memory. Proximity RTT metrics loaded from the file replace overlapping entries that exist in the database and supplement the nonoverlapping database entries.
You can load a PDB from disk into GSS memory by using the proximity database load command.
The syntax of this command is as follows:
proximity database load filename format binary [override]
The keywords and arguments are as follows:
•
•
•
–
–
If you do not specify the override option, the GSS loads the most recent entries into memory, which will replace the older entries of the same type (dynamic or static) in the PDB. For example, the most recent dynamic entries replace the older dynamic entries in the PDB.
To load the entries from the GSS3PDB file without overriding the existing entries in the GSS PDB, enter:
gssm1.example.com# proximity database load file GSS3PDB format binaryTo override the same entries located in the existing GSS PDB, enter:
gssm1.example.com# proximity database load GSS3PDB format binary overrideInitiating Probing for a D-proxy Address
The GSS sends a probe request to each configured probe device in a specified zone to obtain probe information (RTT values). The GSS uses the obtained probe information from the D-proxy to update the PDB entry if the entry can be found in the PDB.
You may need to instruct the proximity probing agent in one or all zones (broadcast) to send a probe to a specific D-proxy address, obtain an RTT value, and save the entry in the PDB. You can initiate direct probing to a specific D-proxy IP address or direct probing to one or more zones by using the proximity probe command.
The syntax of this command is as follows:
proximity probe {dproxy_address} [zone {zoneId | all}]
The keywords and arguments are as follows:
•
•
•
To instruct the proximity probing agent in zone 1 to send a probe to the D-proxy at 172.16.5.7, enter:
gssm1.example.com# proximity probe 172.16.5.7 zone 1Disabling Proximity Locally on a GSS for Troubleshooting
You can disable proximity for a single GSS when you need to locally override the globally-enabled proximity option to troubleshoot or debug the device.The GSS does not store the local disable setting in its running-config file.
When you enter the proximity stop command, the GSS immediately stops the following operations:
•
•
•
•
•
When you restart the device, the GSS reenables network proximity.
To locally disable proximity on a GSS device using the proximity stop command, enter:
gssm1.example.com# proximity stopTo locally reenable proximity on a GSS device using the proximity start command, enter:
gssm1.example.com# proximity startWhere to Go Next
Chapter 10, Configuring DDoS Prevention, describes how to configure a GSS to prevent Distributed Denial of Service attacks.
