Building and Modifying DNS Rules
This chapter describes how to build and modify Domain Name System (DNS) rules on your GSS network. After you configure your source address lists, domain lists, answers, and answer groups, you are ready to begin constructing the DNS rules that will control global server load balancing on your GSS network.
When building DNS rules, you specify the actions for the GSS to perform when it receives a request from a known source (a member of a source address list) for a known hosted domain (a member of a domain list). The DNS rule specifies which response (answer) is given to the requesting user's local DNS host (D-proxy) and how that answer is chosen. The GSS uses one of a variety of balance methods to determine the best response to the request, which is based on the status and load of your GSS host devices.
Note
Before you create DNS rules, see the "GSS Architecture" section in Chapter 1, Introducing the Global Site Selector.
This chapter contains the following major sections:
• DNS Rule Configuration Overview
• Building DNS Rules Using the Wizard
• Building DNS Rules Using the DNS Rule Builder
• Modifying DNS Rules
• Suspending a Clause
• Reactivating a Clause
• Reactivating Operationally Suspended Clauses
• Suspending a DNS Rule
• Reactivating a DNS Rule
• Suspending or Reactivating All DNS Rules Belonging to an Owner
• Deleting a DNS Rule
• Configuring DNS Rule Filters
• Removing DNS Rule Filters
• Delegating to GSS Devices
• Where To Go Next
DNS Rule Configuration Overview
Because of the complexity of DNS rules, the primary GSSM GUI provides you with a choice of two methods for creating a DNS rule:
• DNS Rule Wizard
• DNS Rule Builder
Both of these topics are explained in the sections that follow.
DNS Rule Wizard
The DNS Rule Wizard (see Figure 7-1) guides you through the process of creating a DNS rule. The DNS Rule Wizard allows you to create source address lists, domain lists, answer groups, and balance methods as required. Owners, regions, and locations are not created as part of the DNS Rule Wizard, however. Instead, you must create them before using the wizard.
The DNS sticky and network proximity global server load-balancing applications are configurable only from the DNS Rule Builder, not from the DNS Rule Wizard. Use the DNS Rule Builder to enable DNS sticky, proximity, or the manual reactivation function (see "Managing Global Manual Reactivation of Answers and Clauses" section on page 2-11) in a DNS rule.
Figure 7-1 DNS Rule Wizard—Introduction Page
When you use the wizard, click the Next and Back buttons to move you forward and backward through the rule-building process. Alternatively, you can click the navigation links under the Wizard Contents heading to move between any step in the wizard.
To access the DNS Rule Wizard, perform the following steps:
1. Click the DNS Rules tab.
2. Click the Rule Wizard icon.
See the "Building DNS Rules Using the Wizard" section for details.
DNS Rule Builder
You can use the DNS Rule Builder (see Figure 7-2) to quickly assemble DNS rules from source address lists, domain lists, owners, and answers that you have already created. By using the available fields and drop-down menus, you can assign a name for your rule and then configure the rule with up to three balance clauses for the GSS to choose an answer.
The balance clauses that you configure in a DNS rule are evaluated in order. Parameters are established to determine when a clause is skipped and the next clause is used. A balance clause is skipped when any one of the following conditions exists:
• The least-loaded balance method is selected and the load threshold for all online answers is exceeded.
• The VIP answers in the specified VIP answer group are offline.
• Proximity is enabled for a VIP-type answer group and the Director Response Protocol (DRP) agents do not return any RTT values that meet the value set for acceptable-rtt.
• All answers in a CRA- or NS-type answer group are offline and keepalives are enabled to monitor the answers.
Figure 7-2 DNS Rule Builder Window
The DNS Rule Builder pulls together all the GSS elements needed to create new DNS rules. The DNS Rule Builder is launched in its own window, which enables you to leave it open and return to the primary GSSM GUI to review or add answers, answer groups, owners, domain lists, and more. Any changes made to your GSS network configuration while the DNS Rule Builder is open are immediately reflected in the DNS Rule Builder. For example, an answer group added while the DNS Rule Builder window is open automatically appears in the drop-down list of answer groups.
In addition, the DNS Rule Builder allows you to configure multiple clauses for your DNS rule; that is, you can configure additional answer group and balance method pairs that can be tried if the first answer group and balance method specified does not yield an answer.
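The clause fallback described above can be checked on paper before a rule goes live. The following is an added example, not GSS code and not part of the original guide: a simplified Python model of the four skip conditions. The class and function names are hypothetical, an RTT is assumed to "meet" acceptable-rtt when it is less than or equal to it, and every balance method other than least-loaded is reduced to "first online answer".

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of balance-clause fallback (illustrative, not GSS code).

@dataclass
class Answer:
    name: str
    online: bool = True
    load: int = 0                   # load last reported by the answer
    load_threshold: int = 255       # configured per answer (0-255)
    rtt_ms: Optional[float] = None  # RTT from a DRP agent, None if no value

@dataclass
class Clause:
    group_type: str                 # "VIP", "NS" or "CRA"
    method: str                     # e.g. "least-loaded", "ordered-list"
    answers: List[Answer]
    proximity: bool = False
    acceptable_rtt: float = 0.0
    keepalives: bool = True

def skip_reason(c: Clause) -> Optional[str]:
    """Return why the clause is skipped, or None if it can supply an answer."""
    online = [a for a in c.answers if a.online]
    if c.group_type == "VIP":
        if not online:
            return "all VIP answers offline"
        if c.method == "least-loaded" and all(
                a.load > a.load_threshold for a in online):
            return "load threshold exceeded on all online answers"
        # Assumption: an RTT "meets" acceptable-rtt when it is <= that value.
        if c.proximity and not any(
                a.rtt_ms is not None and a.rtt_ms <= c.acceptable_rtt
                for a in online):
            return "no RTT within acceptable-rtt"
    elif c.keepalives and not online:
        return "all %s answers offline" % c.group_type
    return None

def evaluate(clauses: List[Clause]) -> Tuple[Optional[int], Optional[str], List[str]]:
    """Walk up to three clauses in order; return (clause number, answer, trace)."""
    trace: List[str] = []
    for number, c in enumerate(clauses[:3], start=1):
        reason = skip_reason(c)
        if reason:
            trace.append("clause %d skipped: %s" % (number, reason))
            continue
        # Without keepalives the answer state is unknown, so keep all answers.
        candidates = [a for a in c.answers if a.online] or c.answers
        if c.method == "least-loaded":
            usable = [a for a in candidates if a.load <= a.load_threshold]
            chosen = min(usable, key=lambda a: a.load)
        else:
            chosen = candidates[0]  # stand-in for the other balance methods
        return number, chosen.name, trace
    return None, None, trace

# Constructed sample rule: two VIP clauses that fail, then a name server clause.
SAMPLE_RULE = [
    Clause("VIP", "least-loaded", [Answer("vip-a", load=250, load_threshold=200),
                                   Answer("vip-b", online=False)]),
    Clause("VIP", "ordered-list", [Answer("vip-c", online=False)]),
    Clause("NS", "round-robin", [Answer("ns-1")]),
]

if __name__ == "__main__":
    number, answer, trace = evaluate(SAMPLE_RULE)
    print("\n".join(trace))
    print("answered by clause %s with %s" % (number, answer))
```

The trace shows which condition pushed a query past each clause, which is the information you need when a last-resort clause starts serving production traffic unexpectedly.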
To access the DNS Rule Builder, perform the following steps:
1. Click the DNS Rules tab.
2. Click the Open Rule Builder icon.
See the "Building DNS Rules Using the DNS Rule Builder" section for details.
Building DNS Rules Using the Wizard
To create a DNS rule using the DNS Rule Wizard:
Note
Owners, regions, and locations are not created as part of the DNS Rule Wizard. You must create them before you use the wizard.
Note
The DNS sticky and network proximity global server load-balancing applications are configurable only from the DNS Rule Builder, not from the DNS Rule Wizard. Use the DNS Rule Builder to enable DNS sticky or proximity in a DNS rule.
1. From the primary GSSM GUI, click the DNS Rules tab and then the DNS Rules navigation link. The DNS Rules list appears (see Figure 7-3).
   Figure 7-3 DNS Rules List Page
2. Click the Rule Wizard icon. The DNS Rule Wizard introduction page appears (see Figure 7-4). This page provides an overview of the steps necessary to create a DNS rule.
   Figure 7-4 DNS Rule Wizard—Introduction Page
3. Click the Next and Back buttons to move through the DNS rule-building process. Alternatively, you can click the links under the Wizard Contents table of contents to move between steps in the Wizard.
This section describes how to configure the properties for the individual pages in the DNS Rule Wizard. It contains the following topics:
• Identifying a Source Address List in the DNS Rule Wizard
• Specifying a Domain List in the DNS Rule Wizard
• Configuring an Answer Group in the DNS Rule Wizard
• Choosing a Balance Method in the DNS Rule Wizard
• Reviewing the Summary Page in the DNS Rule Wizard
Identifying a Source Address List in the DNS Rule Wizard
The Source Address List section of the DNS Rule Wizard (see Figure 7-5) allows you to identify a source address list, which is a list of address blocks that identify DNS proxies.
Figure 7-5 DNS Rule Wizard—Source Address List Page 1
To identify a source address list in the DNS Rule Wizard, perform the following steps:
1. Perform one of the following actions:
   • To apply the DNS rule to requests originating from any DNS proxy, click the Any Address option, and then click Next. See the "Specifying a Domain List in the DNS Rule Wizard" section for information on using the Domain List detail page in the wizard.
   • To apply the DNS Rule to requests originating from a list of DNS proxies that you want to configure, click Manually-entered source address list, and then click Next. Proceed to Step 2 for information on using the Source Address List Page 2 in the wizard.
   • To apply the DNS rule to requests originating from a list of DNS proxies that you have configured using the Source Address Lists function, click Predefined source address list, and then click Next. Proceed to Step 3 for information on using the Source Address List Page 3 in the wizard.
2. If you chose the Manually-entered Source Address List option in the Source Address List section of the wizard, use the Source Address List Page 2 (see Figure 7-6) of the wizard to create your Source Address List. Configuring the source address list by using the wizard makes it available for use by other DNS rules.
   Figure 7-6 DNS Rule Wizard—Source Address List Page 2
   a. Enter a name for your Source Address List in the List Name field.
   b. (Optional) Click the List Owner drop-down list and choose a GSS owner name.
   c. In the space provided, enter one or more source classless interdomain routing (CIDR)-format IP addresses that make up the list. You can enter individual IP addresses or address blocks. If you want to enter multiple IP addresses, separate the addresses using semicolons. For example, enter:
      192.168.1.110/32; 192.168.10.0/24; 192.161.0.0/16
   d. Click Next to proceed to the Domain List detail page of the DNS Rule Wizard. See the "Specifying a Domain List in the DNS Rule Wizard" section for information.
3. If you chose the Predefined Source Address List option in the Source Address List section of the wizard, use the Source Address List Page 3 (see Figure 7-7) of the wizard to select an existing source address list.
   Figure 7-7 DNS Rule Wizard—Source Address List Page 3
   a. Click the name of the source address list in the list to highlight it.
   b. Click Next to select the source address list and proceed to the Domain List detail page of the DNS Rule Wizard. See the "Specifying a Domain List in the DNS Rule Wizard" section for information.
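A source address list decides which D-proxies a rule applies to, so a mistyped block changes who receives which answers. The following added example (not part of the original guide, and not GSS code) checks the semicolon-separated CIDR text before it is typed into the wizard. The function names are hypothetical, and restricting entries to IPv4 is an assumption based on the example entries shown in the procedure.

```python
import ipaddress

# Pre-flight check for a semicolon-separated source address list
# (illustrative helper, not part of the GSS software).

def parse_source_address_list(text):
    """Return (networks, problems) for the text entered in the wizard field."""
    nets, problems = [], []
    for raw in text.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects blocks whose host bits are set (10.1.2.3/24).
            nets.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError:
            try:
                fixed = ipaddress.IPv4Network(entry, strict=False)
                problems.append("%s: host bits set, block is really %s"
                                % (entry, fixed))
            except ValueError:
                problems.append("%s: not a valid IPv4 CIDR block" % entry)
    # Overlapping entries usually mean one of them is broader than intended.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append("%s overlaps %s" % (a, b))
    return nets, problems

def source_matches(nets, address):
    """True if a D-proxy address falls inside any block on the list."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in net for net in nets)

# The example list from the procedure above.
PAGE_EXAMPLE = "192.168.1.110/32; 192.168.10.0/24; 192.161.0.0/16"
# Constructed input with three mistakes an operator might make.
BAD_EXAMPLE = "10.1.2.3/24; 10.1.0.0/16; 10.1.2.0/24; bogus"

if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE), ("bad example", BAD_EXAMPLE)):
        nets, problems = parse_source_address_list(text)
        print(label, [str(n) for n in nets])
        for p in problems:
            print("  problem:", p)
```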
Specifying a Domain List in the DNS Rule Wizard
The Domain List section of the DNS Rule Wizard (see Figure 7-8) allows you to specify the domains that users will request. Each GSS can support up to 2000 total domains. If using a KAL-AP type answer, the GSS can support up to 1024 domains managed by any single server load-balancing device such as a Cisco Content Services Switch (CSS) or Content Switching Module (CSM).
Figure 7-8 DNS Rule Wizard—Domain List Page 1
To specify a domain list in the DNS Rule Wizard, perform the following steps:
1. Apply the DNS rule to requests for a hosted domain that you want to configure by clicking Manually-entered domain list, and then clicking Next. Proceed to Step 3 for information on using the Domain List Page 2 in the wizard.
   or
2. Apply the DNS Rule to requests for a domain from a list of hosted domains previously configured using the Domain Lists function by clicking Predefined domain list, and then clicking Next. Proceed to Step 4 for information on using the Domain List Page 3 in the wizard.
3. If you chose the Manually-entered Domain List option in the Domain List section of the wizard, use the Domain List Page 2 (see Figure 7-9) of the wizard to manually configure the requested domain names. Configuring the domain list using the DNS Rule Wizard makes it available for use by other DNS rules.
   Figure 7-9 DNS Rule Wizard—Domain List Page 2
   a. Enter a name for your Domain List in the List Name field.
   b. (Optional) Click the List Owner drop-down list and choose an owner name.
   c. In the space provided, enter the names of any hosted domains that you want to add to the domain list. You can enter complete domain names or any regular expression that specifies a pattern by which the GSS can match incoming addresses. Enter the domain names of resources for which the GSS acts as the authoritative DNS server.
      Hosted domains cannot exceed 128 characters. The following examples show domain names configured on the GSS:
      If entering multiple domain names, separate each name with a semicolon, for example, enter:
      www.cisco.com; support.cisco.com; cdn.cisco.com
      The GSS supports domain names that use wildcards. The GSS supports POSIX 1003.2-extended regular expressions when matching wildcards. Any request for a hosted domain that matches the pattern is directed accordingly.
      For example, assume that you have 20 or more possible domains, such as www1.cisco.com, www2.cisco.com, and so on. You can create a wildcard expression that covers all of those domains:
      For domain names with wildcards that are valid regular expressions, the GSS can match strings up to 256 characters.
   d. When you complete entering the domain names, click Next to proceed to the Answer Group detail page of the DNS Rule Wizard. See the "Configuring an Answer Group in the DNS Rule Wizard" section for information.
4. If you chose the Predefined Domain List option, use Domain List Page 3 (see Figure 7-10) of the wizard to choose from a list of previously configured domains.
   Figure 7-10 DNS Rule Wizard—Domain List Page 3
   a. Click the name of the domain list so that its name is highlighted.
   b. Click Next to choose the domain list and proceed to the Answer Group detail page of the DNS Rule Wizard. See the "Configuring an Answer Group in the DNS Rule Wizard" section for information.
Configuring an Answer Group in the DNS Rule Wizard
The Answer Group section of the DNS Rule Wizard (see Figure 7-11) allows you to configure answers for a specific answer group type: VIP, NS, or CRA. Answers are a group of resources that the GSS considers for the response to the requesting client's DNS proxy.
Figure 7-11 DNS Rule Wizard—Answer Group Page 1
To configure an answer group in the DNS Rule Wizard, perform the following steps:
1. Have the DNS rule respond to the request for the hosted domain using resources (answers) that you want to configure by clicking Enter addresses, and then clicking Next. Proceed to Step 3 for information on using the Answer Group Page 2 in the wizard.
   or
2. Have the DNS rule respond to the request for the hosted domain using resources (answers) previously configured using the Answer Group function by clicking Select an existing answer group, and then clicking Next. Proceed to Step 4 for information on using the Answer Group Page 3 in the wizard.
3. If you chose the Enter Addresses option in the Answer Group section of the wizard, use Answer Group Page 2 (see Figure 7-12) in the wizard to create your answer group. Configuring the answer group using the DNS Rule Wizard makes it available for use by other DNS rules.
   Figure 7-12 DNS Rule Wizard—Answer Group Page 2
   a. Enter a name for your answer group in the Group Name field.
   b. (Optional) Choose an owner for the answer group by clicking the Group Owner drop-down list and selecting a GSS owner from the list.
   c. Select an answer group type by clicking one of the three option buttons. Once you select an answer group type, only answers of that type (VIP, NS, or CRA) can be added to the group:
      VIP—Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, web server, cache, or other geographically dispersed SLBs in a global network deployment.
      Name Server—Configured DNS name server on your network that can answer queries that the GSS cannot resolve.
      CRA—Content routing agents that use a resolution process called DNS race to send identical and simultaneous requests back to a user's D-proxy.
   d. Click Next to use the Answer Group Page 3 of the wizard to configure answers for your answer group. Proceed to Step 4.
4. Use Answer Group Page 3 of the DNS Rule Wizard (see Figure 7-13) to configure answers for the specified answer group type: VIP, NS, or CRA.
   Figure 7-13 DNS Rule Wizard—Answer Group Page 3
5. Perform one of the following actions:
   • If configuring a VIP-type answer group, perform the following steps to identify the VIPs that provide the answers that make up the answer group. Assign an order, load threshold, and weight to each answer in the answer group.
      a. Enter the address of each VIP that belongs to the answer group in the IP Address fields provided.
      b. Click the Location drop-down list and choose an optional Location.
      c. If using the Weighted Round-Robin balance method, click the Weight drop-down list and assign a weight between 1 and 10 to each answer in the answer group.
      d. If using the Ordered List balance method, assign an order to each VIP listed in the answer group using the Order field provided. The number that you assign represents the order of the answer in the list. Subsequent VIPs on the list will only be used if the preceding VIPs on the list are unavailable. The GSS supports numbering gaps in an ordered list.
         Note
         For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
      e. If using a KAL-AP-type answer, assign a load threshold between 0 and 255 using the Load Threshold field. If the VIP answer reports a load above the specified threshold, the GSS will determine that the device is unavailable to handle further requests.
   • If configuring a new name server-type answer group, perform the following steps to identify the name servers that provide the answers for the answer group:
      a. Enter the address of each name server that belongs to the answer group in the IP Address fields provided.
      b. For each name server IP address, choose an optional location by clicking the Location drop-down list.
      c. If using the Weighted Round-Robin balance method, click the Weight drop-down list and assign a weight between 1 and 10 to each answer in the answer group. The weight is used to create a ratio that the GSS uses when directing requests to each answer. For example, if Answer A has a weight of 10 and Answer B has a weight of 1, Answer A will receive 10 requests for every 1 directed to Answer B.
      d. If using the Ordered List balance method with this answer group, assign an order to each name server listed in the answer group using the Order drop-down list provided. The number that you assign represents the order of the answer in the list. Subsequent name servers on the list will only be used if the preceding name servers on the list are unavailable. The GSS supports numbering gaps in an ordered list.
         Note
         For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
   • If configuring a CRA-type answer group, perform the following steps to identify the CRAs that provide the answers that make up the answer group, and then assign a location for each answer in the answer group.
      a. Enter the address of each CRA that belongs to the answer group in the IP Address fields provided.
      b. For each CRA IP address, choose an optional location by clicking on the Location drop-down list.
      c. Click Next to proceed to the Balance Method details page of the DNS Rule Wizard. See the "Choosing a Balance Method in the DNS Rule Wizard" section for information.
6. If you chose the Select an Existing Answer Group option, use Answer Group Page 4 (see Figure 7-14) in the wizard to choose from a series of previously configured answers.
   Figure 7-14 DNS Rule Wizard—Answer Group Page 4
   a. Click the name of the answer group in the list so that the name is highlighted.
   b. Click Next to choose the answer group and proceed to the Balance Method details page of the DNS Rule Wizard. See the "Choosing a Balance Method in the DNS Rule Wizard" section for information.
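The order, weight, and load threshold fields above interact in ways that are easy to miss in a GUI, in particular an answer that shares an order number with an earlier one and is therefore never used. The following added example (not part of the original guide, and not GSS code) lints a planned answer group and models ordered-list and weighted round-robin selection. The function names and the 192.0.2.x addresses are constructed, "first answer" is assumed to mean first in configuration order, and the real GSS interleaving of weighted requests may differ from the simple cycle used here.

```python
from collections import Counter
from itertools import cycle, islice

# Lint and selection model for an answer group (illustrative, not GSS code).

def lint_answer_group(answers):
    """Check field ranges from the wizard and flag shadowed order numbers."""
    problems, first_with_order = [], {}
    for a in answers:
        if not 1 <= a["weight"] <= 10:
            problems.append("%s: weight %d outside 1-10" % (a["ip"], a["weight"]))
        if not 0 <= a["load_threshold"] <= 255:
            problems.append("%s: load threshold %d outside 0-255"
                            % (a["ip"], a["load_threshold"]))
        owner = first_with_order.setdefault(a["order"], a["ip"])
        if owner != a["ip"]:
            problems.append("%s: order %d already held by %s, answer is never used"
                            % (a["ip"], a["order"], owner))
    return problems

def ordered_list_pick(answers, online):
    """Lowest order number wins; only the first answer per number is eligible."""
    first_with_order = {}
    for a in answers:
        first_with_order.setdefault(a["order"], a["ip"])
    for order in sorted(first_with_order):  # gaps in numbering are fine
        if first_with_order[order] in online:
            return first_with_order[order]
    return None

def weighted_round_robin(answers, online, requests):
    """Count how many of `requests` each online answer receives."""
    slots = [a["ip"] for a in answers if a["ip"] in online
             for _ in range(a["weight"])]
    return Counter(islice(cycle(slots), requests))

# Constructed answer group: the third entry has three mistakes.
SAMPLE_GROUP = [
    {"ip": "192.0.2.10", "order": 1, "weight": 10, "load_threshold": 200},
    {"ip": "192.0.2.20", "order": 3, "weight": 1, "load_threshold": 200},
    {"ip": "192.0.2.30", "order": 3, "weight": 11, "load_threshold": 300},
]

if __name__ == "__main__":
    for p in lint_answer_group(SAMPLE_GROUP):
        print("problem:", p)
    print(ordered_list_pick(SAMPLE_GROUP, {"192.0.2.20", "192.0.2.30"}))
    print(weighted_round_robin(SAMPLE_GROUP[:2], {"192.0.2.10", "192.0.2.20"}, 22))
```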
Choosing a Balance Method in the DNS Rule Wizard
The Balance Method page of the DNS Rule Wizard (see Figure 7-15) allows you to choose a balance method that specifies how a GSS answer should be chosen from the answer group to respond to a given DNS query. Your choice of balance methods is controlled by the type of answer group (name server, VIP, or CRA) that you choose.
Note
The DNS Rule Wizard supports the selection of a single balance clause. If necessary, you can modify the DNS rule and add additional balance clauses using the DNS Rule Builder (see the "Modifying DNS Rules" section).
Figure 7-15 DNS Rule Wizard—Balance Method Page
To choose a balance method in the DNS Rule Wizard, perform the following steps:
1. If configuring a VIP or name server answer group to respond to requests, choose from the following balance methods for each of your DNS rule clauses:
   • Hashed—The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group.
      By Source Address—The GSS selects the answer based on a hash value created from the source address of the request.
      By Domain Name—The GSS selects the answer based on a hash value created from the requested domain name.
   • Least Loaded—The GSS selects an answer based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request. Least Loaded is available only for VIP-type answer groups that use a KAL-AP keepalive.
   • Ordered List—The GSS selects an answer based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports numbering gaps in an ordered list.
      Note
      For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
   • Round Robin—The GSS cycles through the list of answers that are available as requests are received.
   • Weighted Round Robin—The GSS cycles through the list of answers that are available as requests are received but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.
2. If configuring a CRA answer group to respond to requests, the GSS automatically assigns Boomerang as the balance method. Enter a "last gasp" address in the Last Gasp field provided. This address serves as the answer in the event that no content routing agents reply to the request. When you specify a "last gasp" address, the GSS automatically performs the following:
   • Creates an answer for this address
   • Creates an answer group that contains the "last gasp" answer
   • Adds a second balance clause to the DNS rule with the suffix -GROUP and uses an ordered list as the balance method.
3. Click Next to proceed to the Summary page of the DNS Rule Wizard. An overview of your rule is provided that supplies information on the selected source address list, domain list, answer group, and balance method. See the "Reviewing the Summary Page in the DNS Rule Wizard" section for information.
Reviewing the Summary Page in the DNS Rule Wizard
The Summary page of the DNS Rule Wizard (see Figure 7-16) allows you to verify information about your DNS rule, including information on the selected source address list, domain list, answer group, and balance method.
Figure 7-16 DNS Rule Wizard—Summary Page
To complete your DNS rule in the Summary page, perform the following steps:
1. Enter a name for your DNS Rule in the Rule Name field.
2. (Optional) Associate the rule with a GSS owner by choosing an owner name from the Rule Owner drop-down list.
3. Indicate the type of DNS queries that apply to this rule. Choose a query type from the Match DNS Query Type drop-down list:
   • All—The DNS rule is applied to all DNS queries that originate from a host on the configured source address list. For any request other than an A-record query (for example, MX or CNAME record), the GSS forwards the request to a name server configured in one of the three balance clauses. When the GSS receives the response from the name server, it then delivers the response to the requesting client D-proxy.
      When you choose All as the Match DNS Query Type, you must configure one balance clause to include a name server-type answer group.
   • A record—The DNS rule is applied only to answer address record (A-record) requests originating from a host on the configured source address list. Requests with an unsupported query type (for example, MX, PTR, or CNAME record) that match this DNS rule are dropped and not answered by the GSS. For an AAAA query with a configured host domain, the GSS returns a NODATA (No Answer, No Error) response in order for the requester to make a subsequent A-record query.
4. Choose an operating status for the rule from the Rule Status drop-down list:
   • Active—The DNS rule immediately begins processing requests.
   • Suspended—The DNS rule is listed on the DNS Rules list page but has a status of "suspended." The DNS rule is not used to process any incoming DNS queries.
5. Click Finish to save your DNS Rule. You return to the DNS Rules list page.
Building DNS Rules Using the DNS Rule Builder
If you are familiar with the process of building a DNS rule and have previously configured your domain lists, answers, and answer groups, use the DNS Rule Builder to quickly assemble a DNS rule.
If you intend to use the DNS rule builder for more advanced GSS load-balancing applications such as DNS sticky or network proximity, see Chapter 8, Configuring DNS Sticky, or Chapter 9, Configuring Network Proximity, for the configuration procedures.
To create a DNS rule using the DNS Rule Builder, perform the following steps:
1. From the primary GSSM GUI, click the DNS Rules tab, and then click the DNS Rules navigation link. The DNS Rules list appears (see Figure 7-17).
   Figure 7-17 DNS Rules List Page
2. Click the Open Rule Builder icon. The DNS Rule Builder page opens in a separate window (see Figure 7-18).
   Figure 7-18 Create New DNS Rule Window
3. In the Rule Name field, enter a name for your new DNS Rule. Rule names cannot contain spaces.
4. From the Rule Owner drop-down list, choose a contact with whom the rule will be associated. The default Rule Owner is System.
5. From the Source Address List drop-down list, choose a Source Address List from which requests will originate. The DNS rule is applied only to requests coming from one of the addresses in the source address list. If you do not choose a source address list, the GSS automatically uses the default list Anywhere.
6. From the Domain List drop-down list, choose a domain list to which DNS queries will be addressed. The DNS rule is applied only to requests coming from one of the addresses in the source address list and for a domain on the specified domain list.
7. From the Match DNS Query Type drop-down list, indicate what type of DNS queries applies to this rule:
   • All—The DNS rule is applied to all DNS queries that originate from a host on the configured source address list. For any request other than an A-record query (for example, MX or CNAME record), the GSS forwards the request to a name server configured in one of the three balance clauses. When the GSS receives the response from the name server, it delivers the response to the requesting client D-proxy.
      When you choose All as the Match DNS Query Type, you must configure one balance clause to include a name server-type answer group.
   • A record—The DNS rule is applied only to answer address record (A-record) requests that originate from a host on the configured source address list. Requests with unsupported query types (for example, MX, PTR, or CNAME records) that match this DNS rule are dropped and not answered by the GSS. For an AAAA query with a configured host domain, the GSS returns a NODATA (No Answer, No Error) response for the requester to make a subsequent A-record query.
8. Disable sticky for the DNS rule by clicking None (default) as the Select Sticky Method option. This setting overrides the enabled state on the Global Sticky Configuration details page.
   If you plan to configure DNS sticky in the DNS rule, see "Using the DNS Rule Builder to Add Sticky to a DNS Rule that use VIP-Type Answer Groups" in Chapter 8, Configuring DNS Sticky.
9. At the Balance Clause 1 heading, do the following:
   • Choose the answer group component of your first answer group/balance method pairing from the drop-down list. This is the first effort the GSS uses to select an answer for the DNS query.
   • Choose the balance method for the answer group from the drop-down list. Your choice of balance methods changes based on the type of answer group (VIP, name server, or CRA) that you selected.
10. If you chose a VIP or name server answer group to respond to requests, choose from the following balance methods for each of your DNS rule clauses:
   Note
   If you select a CRA-type answer group, the balance method is automatically set to Boomerang.
   • Hashed—The GSS selects the answer based on a unique value created from information stored in the request. The GSS supports two hashed balance methods. The GSS allows you to apply one or both hashed balance methods to the specified answer group.
      By Source Address—The GSS selects the answer based on a hash value created from the source address of the request.
      By Domain Name—The GSS selects the answer based on a hash value created from the requested domain name.
   • Least Loaded—The GSS selects an answer based on the load reported by each VIP in the answer group. The answer reporting the lightest load is chosen to respond to the request. The least loaded balance method is available only for VIP-type answer groups that use a KAL-AP keepalive.
   • Ordered List—The GSS selects an answer from the list based on precedence; answers with a lower order number are tried first, while answers further down the list are tried only if preceding answers are unavailable to respond to the request. The GSS supports numbering gaps in an ordered list. For answers that have the same order number in an answer group, the GSS will only use the first answer that contains the number. We recommend that you specify a unique order number for each answer in an answer group.
   • Round Robin—The GSS cycles through the list of answers that are available as requests are received.
   • Weighted Round Robin—The GSS cycles through the list of answers that are available as requests are received but sends requests to favored answers in a ratio determined by the weight value assigned to that resource.
11. If you chose a VIP-type answer group, a series of fields appear below the active balance clause on the Create New DNS Rule window. Figure 7-19 shows an example of the DNS Rule window with a selected VIP-type answer group.
   Figure 7-19 Create New DNS Rule Window With VIP-Type Answer Group Fields
   Configure the following VIP-type configuration information in the fields provided below the active balance clause:
   • DNS TTL—The duration of time in seconds that the requesting DNS proxy caches the response sent from the GSS and considers it to be a valid answer. Valid entries are 0 to 604,800 seconds. The default is 20 seconds.
   • Return Record Count—The number of address records (A-records) that you want the GSS to return for requests that match the DNS rule.
   • Proximity Enable—If you plan to configure network proximity as part of the DNS rule balance clause, see the "Using the DNS Rule Builder to Add Proximity to a DNS Rule" section in Chapter 9, Configuring Network Proximity.
   • Manual Reactivation—Determines whether the GSS reactivates the clause automatically when its state changes from unavailable to available or if you must manually reactivate the clause. Check the check box (not included in Figure 7-19) to enable the manual reactivation function.
      A clause becomes unavailable for use by the GSS when all the answers in the answer group associated with it are either offline or overloaded. When at least one of the answers returns to an online state, the clause becomes available once again and the GSS, by default, begins using it. To manually control when the GSS reverts to using a clause that returns to an available state, you enable the manual reactivation function from the primary GSSM.
      Note
      If you enable the manual reactivate function for a clause, you must also enable the global manual reactivate function for it to work (see the "Managing Global Manual Reactivation of Answers and Clauses" section on page 2-11).
   • Status—Determines the operating state of the clause. Select one of the following options from the drop-down list:
      Active—The DNS rule immediately begins processing requests.
      Suspended—The DNS rule is listed on the DNS Rules list page but has a status of "suspended." The DNS rule is not used to process any incoming DNS queries.
      For more information, see the "Suspending a Clause" and "Reactivating a Clause" sections.
12.
If you chose a CRA-type answer group, a series of fields appears below the active balance clause on the DNS Rule Builder window. Figure 7-20 shows an example of the DNS Rule Builder window with a selected CRA-type answer group.
Figure 7-20 Create New DNS Rule Window With CRA-Type Answer Group Fields
Configure the following configuration information in the fields provided below the active balance clause:
•
DNS TTL—The duration of time in seconds that the requesting DNS proxy caches the response sent from the GSS and considers it to be a valid answer. Valid entries are 0 to 604,800 seconds. The default is 20 seconds.
•
Fragment Size—The preferred size of the boomerang race response that is produced by a match to a DNS rule and sent to the requesting client.
•
Pad Size—The amount of extra data (in bytes) included with each CRA response packet and used to evaluate CRA bandwidth and latency when making load-balancing decisions.
•
IP TTL—The maximum number of network hops that should be utilized when returning a response to a CRA from a match on a DNS rule.
•
Secret—A text string, up to 64 characters, that is used to encrypt critical data sent between the GSS boomerang server and CRAs. This key must be the same for each configured CRA.
•
Max Prop. Delay—The maximum propagation delay, which is the maximum delay (in milliseconds) observed before the boomerang server component of the GSS forwards a DNS request to a CRA.
•
Server Delay—The maximum delay (in milliseconds) observed before the boomerang server component of the GSS returns the address of its "last gasp" server as a response to the requesting name server.
•
Manual Reactivation—Determines whether the GSS reactivates the clause automatically when its state changes from unavailable to available or if you must manually reactivate the clause. Check the check box to enable the manual reactivation function.
A clause becomes unavailable for use by the GSS when all the answers in the answer group associated with it are either offline or overloaded. When at least one of the answers returns to an online state, the clause becomes available once again and the GSS, by default, begins using it. To manually control when the GSS reverts to using a clause that returns to an available state, you enable the manual reactivation function from the primary GSSM.
Note
If you enable the manual reactivate function for a clause, you must also enable the global manual reactivate function for it to work (see the "Managing Global Manual Reactivation of Answers and Clauses" section on page 2-11).
•
Status—Determines the operating state of the clause. Select one of the following options from the drop-down list:
Active—The DNS rule immediately begins processing requests.
Suspended—The DNS rule is listed on the DNS Rules list page but has a status of "suspended." The DNS rule is not used to process any incoming DNS queries.
For more information, see the "Suspending a Clause" and "Reactivating a Clause" sections.
13.
Repeat Steps 9 through 12 to choose additional answer group and balance method pairings for Balance Clause 2 and Balance Clause 3. These answer pairs only apply when the preceding clause is unable to provide an answer for the DNS query.
Note
Always follow a balance clause that uses a CRA-type answer group with a balance clause that uses a VIP-type answer group. This ensures that if none of the Content Routing Agents successfully respond to the DNS race request, a "last gasp" server response from the VIP-type balance clause is sent to the requesting name server.
14.
Click Save to save your DNS Rule. You return to the DNS Rules list page. The DNS rule is now active and processing incoming DNS requests.
Modifying DNS Rules
You can use the DNS Rule Builder or the DNS Rule Wizard to modify a DNS rule.
Note
If you have the manual reactivation function enabled for a clause and the GSS has the clause operationally suspended, modifying the clause will reactivate it.
To modify a DNS rule using the DNS Rule Builder, perform the following steps:
1.
From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list appears.
2.
Click the Modify DNS Rule Using Rule Builder Interface button located to the left of the DNS rule that you want to modify. The Modify DNS Rule details page opens in a separate window.
3.
Make modifications as necessary to the DNS rule. See the "Building DNS Rules Using the DNS Rule Builder" section for details about using the DNS Rule Builder.
4.
Click Save when you complete your modifications and return to the DNS Rules list page.
To modify a DNS rule using the DNS Rule Wizard, perform the following steps:
1.
From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list appears.
2.
Click the Modify DNS Rule Using Wizard button located to the left of the DNS rule that you want to modify. The Modify DNS Rule Wizard appears.
3.
Make modifications as necessary to the DNS rule in the DNS Rule Wizard. See the "Building DNS Rules Using the Wizard" section for details about using the DNS Rule Wizard.
4.
Click Finish when you complete your modifications and return to the DNS Rules list page.
Suspending a Clause
You can temporarily stop the GSS from using an active clause associated with a rule by performing the following steps:
1.
From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2.
Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule that you want to suspend. The DNS Rule Builder page appears in a separate browser window.
3.
Choose Suspended from the Status drop-down list.
4.
Click Save to save your DNS Rule. You return to the DNS Rules list page. The DNS rule clause is now suspended.
Reactivating a Clause
You can reactivate a clause that you suspended by performing the following steps:
1.
From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2.
Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule whose clause you want to reactivate. The DNS Rule Builder page appears in a separate browser window.
3.
Choose Active from the Status drop-down list.
4.
Click Save to save your DNS Rule. You return to the DNS Rules list page. The DNS rule clause is now active.
Reactivating Operationally Suspended Clauses
When you enable the manual reactivation function in a clause configuration and the clause becomes unavailable for use by the GSS, the primary GSSM operationally suspends the clause. The clause remains operationally suspended even when it returns to an available state and is ready for service. This enables you to manage when the GSSs on the GSS mesh revert to using all operationally suspended clauses.
Use the Manual Reactivation navigation link in the Resources tab to reactivate operationally suspended clauses. For information, see the "Managing Global Manual Reactivation of Answers and Clauses" section on page 2-11.
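The clause behavior described in this section, and in the Manual Reactivation and balance clause ordering steps of the DNS Rule Builder procedure, can be modeled as follows. This is an added illustration, not GSS software or code from this guide; the class, function, clause, and answer names are hypothetical.

```python
from dataclasses import dataclass

ONLINE, OFFLINE, OVERLOADED = "online", "offline", "overloaded"

@dataclass
class Clause:                          # hypothetical model of one balance clause
    name: str
    answers: dict                      # answer name -> ONLINE / OFFLINE / OVERLOADED
    manual_reactivation: bool = False  # per-clause Manual Reactivation check box
    status: str = "active"             # Status drop-down: "active" or "suspended"
    op_suspended: bool = False         # operational suspension, latched by refresh()

    def available(self):
        # A clause is unavailable only when every answer is offline or overloaded.
        return any(state == ONLINE for state in self.answers.values())

def refresh(clauses, global_manual_reactivation):
    """Latch an operational suspension when a clause becomes unavailable, but
    only if both the clause setting and the global setting are enabled."""
    for c in clauses:
        if not c.available() and c.manual_reactivation and global_manual_reactivation:
            c.op_suspended = True

def select_clause(clauses):
    """Return the name of the first clause, in order, that can answer."""
    for c in clauses:
        if c.status == "active" and not c.op_suspended and c.available():
            return c.name
    return None

def reactivate(clause):
    """Operator action: manual reactivation (modifying the clause has the same effect)."""
    clause.op_suspended = False

def run_scenario(global_manual_reactivation):
    """Primary answers fail, recover, then the operator reactivates the clause."""
    primary = Clause("clause1", {"vip-a": ONLINE, "vip-b": ONLINE},
                     manual_reactivation=True)
    backup = Clause("clause2", {"vip-c": ONLINE})
    rule, picks = [primary, backup], []

    def step():
        refresh(rule, global_manual_reactivation)
        picks.append(select_clause(rule))

    step()                                              # everything online
    primary.answers.update({"vip-a": OFFLINE, "vip-b": OVERLOADED})
    step()                                              # clause1 unavailable
    primary.answers["vip-a"] = ONLINE
    step()                                              # clause1 available again
    reactivate(primary)
    step()                                              # after operator action
    return picks

if __name__ == "__main__":
    print("global manual reactivation on: ", run_scenario(True))
    print("global manual reactivation off:", run_scenario(False))
```

With the global setting enabled, the recovered clause stays out of service until the operator acts; with it disabled, the per-clause check box has no effect and the clause resumes as soon as one answer is online.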
Suspending a DNS Rule
If you want to stop requests from being processed by a DNS rule on your GSS, use the Suspend icon to temporarily deactivate the rule. You can use the suspend feature to temporarily halt traffic to particular answers while those resources are receiving maintenance. Once you suspend a DNS rule, you must reactivate the rule before you can use it to process incoming DNS queries.
To suspend a DNS rule from the DNS Rule Builder, perform the following steps:
1.
From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2.
Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule that you want to suspend. The DNS Rule Builder page appears in a separate browser window.
3.
Click the Suspend icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to suspend the DNS rule.
4.
Click OK to confirm your decision and return to the DNS Rule list page. The status of the DNS rule appears as "Suspended."
To suspend a DNS rule from the DNS Rule Wizard, perform the following steps:
1.
From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2.
Click the Modify DNS Rule Using Wizard icon located to the left of the DNS rule that you want to suspend. The DNS Rule Wizard appears.
3.
Click the Summary navigation link in the Wizard Contents table of contents. The Summary page appears (see Figure 7-16).
4.
From the Rule Status drop-down list, choose the Suspended operating status for the DNS rule.
5.
Click Finish to confirm your decision and return to the DNS Rule list page. The status of the DNS rule appears as "Suspended."
Reactivating a DNS Rule
To reactivate operation of a suspended DNS rule from the DNS Rule Builder, perform the following steps:
1.
From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2.
Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule that you want to activate. All suspended DNS rules have a status of "Suspended" in the list. The DNS Rule Builder window appears.
3.
Click the Activate icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to activate the DNS rule.
4.
Click OK to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as "Active."
To reactivate operation of a suspended DNS rule from the DNS Rule Wizard, perform the following steps:
1.
From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2.
Click the Modify DNS Rule Using Wizard icon located to the left of the DNS rule that you want to reactivate. The DNS Rule Wizard appears.
3.
Click the Summary navigation link in the Wizard Contents table of contents. The Summary page appears (see Figure 7-16).
4.
From the Rule Status drop-down list, choose the Active operating status for the DNS rule.
5.
Click Finish to confirm your decision. You return to the DNS Rule list page. The status of the DNS rule appears as "Active."
Suspending or Reactivating All DNS Rules Belonging to an Owner
You can group and manage your DNS rules according to an established GSS owner. Using a GSS owner to manage your DNS rules lets you suspend or activate all rules related to a particular group or department within your organization (for example, HR or Sales) without having to edit each rule that serves that owner individually.
To suspend or reactivate DNS rules belonging to an owner, perform the following steps:
1.
From the primary GSSM GUI, click the Resources tab.
2.
Click the Owners navigation link. The Owners list page appears (see Figure 7-21).
Figure 7-21 Owners List Page
3.
Click the Modify Owner icon located to the left of the owner responsible for the DNS rules that you want to suspend or reactivate. The Modifying Owner details page appears (see Figure 7-22).
Figure 7-22 Modifying Owners Details Page
4.
Perform one of the following:
•
To suspend all DNS rules associated with this owner, click the Suspend All DNS Rules for This Owner icon in the upper-right corner of the details page.
•
To reactivate all suspended DNS rules associated with this owner, click the Activate All DNS Rules for This Owner icon in the upper-right corner of the details page.
5.
Click OK to confirm your decision to suspend or activate the answers. You return to the Owner list page.
Deleting a DNS Rule
Use the Delete icon to remove a previously created DNS rule from the GSSM database. Deleting a DNS rule does not delete the source address lists, domain lists, owners, and answer groups associated with the DNS rule.
Caution
Deletions of any kind cannot be undone in the primary GSSM. Before deleting any data that you think you might want to use at a later point in time, perform a database backup of your GSSM. See the Global Site Selector Administration Guide for details.
To delete a DNS rule, perform the following steps:
1.
From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2.
Click the Modify DNS Rule Using Rule Builder Interface icon located to the left of the DNS rule that you want to delete. The DNS Rule Builder window appears.
3.
Click the Delete icon in the upper right corner of the page. The GSS software prompts you to confirm your decision to delete the DNS rule.
4.
Click OK to confirm your decision. You return to the DNS Rule list page.
Configuring DNS Rule Filters
As your GSS network grows, so will your collection of DNS rules for handling traffic to and from your network. In time, it may become difficult to locate the rules that you need. For that reason, the primary GSSM GUI provides filters that you can apply to your DNS rules to view only those rules that have the properties in which you are interested. For example, you can create a filter that will limit your view of the DNS rules to include only those rules that involve a certain source address list or domain list, use a certain balance method, are owned by a particular user, or have a status of "active."
To configure a DNS rule filter, perform the following steps:
1.
From the primary GSSM GUI, click the DNS Rules tab.
2.
Click the Filter DNS Rule List icon. The Configure DNS Rule List Filter details page appears (see Figure 7-23).
Figure 7-23 Configure DNS Rule List Filter Details Page
3.
Filter your list by any of the properties displayed on the Filter List page by entering a complete or partial (wildcard) value into the fields provided. The GUI divides the Filter List page by Source Address List Filter Parameters, Domain List Filter Parameters, Balance Clause Filter Parameters, and DNS Rule Filter Parameters. The GSS supports filtering combinations in the properties of all four sections of the details page.
Table 7-1 lists the parameters that you can use to filter your DNS rules list, along with explanations and sample entries for each parameter.
Table 7-1 DNS Rules Filter Parameters
| Parameter | Description | Selection Examples |
|---|---|---|
| Source Address List Filter Parameters | | |
| Name | Name assigned to a source address list associated with the DNS rule | VIP1, VIP*, NameServerList |
| IP Address Block | IP address or address block assigned to a source address list associated with the DNS rule | 192.168.110.100, 192.168.* |
| Owner | Name of the owner assigned to the source address list associated with the DNS rule | Any, System, Education |
| Domain List Filter Parameters | | |
| Name | Name assigned to a domain list associated with the DNS rule | CiscoSystems, Cisco* |
| Domain | Domain included on the domain list associated with the DNS rule | www.cisco.com, support.cisco.com, www.* |
| Owner | Name of the owner assigned to the domain list associated with the DNS rule | Any, System, Sales |
| Balance Clause Filter Parameters | | |
| Answer Group Name | Name assigned to an answer group associated with the DNS rule | VIP_answer_Group_1, VIP_answer_Group_2, VIP_* |
| Answer Group Owner | Name of the owner assigned to the answer group associated with the DNS rule | Any, System, HR |
| Answer Group Type | Type of answer group associated with the DNS rule | CRA, Name Server, VIP |
| Contains Answer | Answer belonging to an answer group associated with the DNS rule | 192.161.1.2, 192.168.* |
| Balance Method | Type of balance method (such as boomerang and ordered list) associated with the DNS rule | Boomerang, Hashed, Least-Loaded, Order List, Round-Robin, Weighted Round-Robin |
| DNS Rule Filter Parameters | | |
| Name | Name of the DNS rule | Cisco_Rule, Cisco* |
| Owner | Name of the owner assigned to the DNS rule | Any, System, Sales |
| Status | Status of the DNS rule, either active or suspended | Any, Active, Suspended |
4.
Click Submit to confirm your decision and return to the DNS Rule list page. The displayed DNS rules are those DNS rules that match your search criteria. If no DNS Rule parameters match the parameters that you used to filter the list, a message appears:
No DNS rules match the filter specification.
Removing DNS Rule Filters
You can use the Show All DNS Rules icon on the DNS Rules list page to remove any filters applied to DNS rules. The Show All DNS Rules icon removes all filters and displays a complete list of DNS rules on your GSS network.
To remove DNS rule filters, perform the following steps:
1.
From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list page appears.
2.
Click the Show All DNS Rules icon. The DNS Rule Filter list page refreshes, displaying all configured DNS rules.
Delegating to GSS Devices
After you configure your GSS devices to connect to your network and create the logical resources (source address lists, domain lists, answers and answer groups, and DNS rules) required for global server load balancing, you can integrate your global server load-balancing device into your network's DNS infrastructure to deliver user queries to your GSS. To accomplish this integration, you must modify your parent domain's DNS server to delegate parts of its name space to your GSS devices.
You should carefully review and perform a test of your GSS deployment before making changes to your DNS server configuration that will affect your public or enterprise network configuration.
Modifying your DNS servers to accommodate your GSS devices involves the following steps:
1.
Adding name server (NS) records to your DNS zone configuration file that delegate your domain or subdomains to one or more of your GSSs.
2.
Adding "glue" address (A) records to your DNS zone configuration file that map the DNS name of each of your GSS devices to an IP address.
Note
The A records that define the name servers within the domain are frequently called glue records.
Example 7-1 provides an example of a DNS zone configuration file for a fictitious cisco.com domain that has been modified to delegate primary DNS authority for three domains to two GSS devices. Relevant lines are shown in bold type.
In Example 7-1, the delegated domains are as follows:
•
www.cisco.com
•
ftp.cisco.com
•
media.cisco.com
The GSS devices are as follows:
•
gss1.cisco.com
•
gss2.cisco.com
Example 7-1 Sample BIND Zone Configuration File Delegating GSSs
cisco.com. IN SOA ns1.cisco.com. postmaster.cisco.com. (
2001111001 ; serial number
360000 ; minimum 100 hours )
; Corporate Name Servers for cisco.com
; Sub-domains delegated to GSS Network
www IN NS gss1.cisco.com.
ftp IN NS gss1.cisco.com.
; "Glue" A records with GSS interface addresses
When you review this zone file, note that there are any number of possible GSS deployments you can use; some deployments may suit your needs and your network better than the listed example. For instance, instead of having all subdomains shared by all GSS devices, you may want to allocate specific subdomains to specific GSSs.
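Before a modified zone file goes live, the two delegation steps above can be checked mechanically. The following added example (not part of the original guide) parses NS and A records and reports delegated subdomains that have fewer than two name servers or that point at an in-zone name server with no address record. The zone data is constructed, using example.com and documentation addresses; the function names and the two-server minimum are assumptions of this example.

```python
# Constructed zone data (RFC 2606 domain, RFC 5737 addresses), not from the guide.
ZONE = """\
$ORIGIN example.com.
; Sub-domains delegated to the GSS network
www    IN NS gss1.example.com.
       IN NS gss2.example.com.
ftp    IN NS gss1.example.com.
media  IN NS gss1.example.com.
       IN NS gss2.example.com.
; "Glue" A records (gss2 deliberately missing)
gss1   IN A  192.0.2.10
"""

def fqdn(name, origin):
    """Expand a relative owner or target name against $ORIGIN."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse(zone_text):
    """Collect NS and A records; other record types are ignored."""
    origin, owner, ns, a = "", None, {}, {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        fields = line.split()
        if not raw[0].isspace():                  # blank owner = previous owner
            owner = fqdn(fields.pop(0), origin)
        fields = [f for f in fields if f.upper() != "IN" and not f.isdigit()]
        if len(fields) < 2 or owner is None:
            continue
        rtype, rdata = fields[0].upper(), fields[1]
        if rtype == "NS":
            ns.setdefault(owner, set()).add(fqdn(rdata, origin))
        elif rtype == "A":
            a.setdefault(owner, set()).add(rdata)
    return origin, ns, a

def check_delegations(zone_text, min_ns=2):
    """Return (subdomain, problem) tuples; min_ns=2 is this example's assumption."""
    origin, ns, a = parse(zone_text)
    findings = []
    for owner, targets in sorted(ns.items()):
        if owner == origin:                       # the zone's own NS set
            continue
        if len(targets) < min_ns:
            findings.append((owner, f"only {len(targets)} name server(s)"))
        for target in sorted(targets):
            if target.endswith("." + origin) and target not in a:
                findings.append(
                    (owner, f"no A record for in-zone name server {target}"))
    return findings

if __name__ == "__main__":
    for owner, problem in check_delegations(ZONE):
        print(f"{owner}: {problem}")
```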
Where To Go Next
If you plan to use DNS sticky for your global server load balancing, configure local or global DNS sticky for GSS devices in your network. See Chapter 8, Configuring DNS Sticky, for details.
If you plan to use network proximity for your global server load balancing, configure proximity for GSS devices in your network. See Chapter 9, Configuring Network Proximity, for details.