Cisco
Global Site Selector
Vikas Deolaliker
Product Manager, ECBU
September, 2011
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
1
Global Site Selector
PRODUCT OVERVIEW
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
2
Cisco GSS in a Nutshell
Upto 16 GSS can work in a cluster to meet the needs of large Enterprise and Service Provider.
DNS Services
DNS authority for A-records and AAAA records (Rel. 4.1)
Answers of type: A-record, AAAA, NS and CRA
Ddos for DNS Security
12K – 28K DNS RPS depending upon configuration complexity
GSS Network
Configuration
Limits
GSLB Services
Destination: 2000 hosted domains (128 chars with wildcards)
Source:
60 Source Address Lists
Resources: 4000 VIPs across 256 SLBs (increasing to 8K in Rel 4.1)
KALs:
MP, ICMP, TCP, HTTP/Head, KAL-AP, SNMP, CRA, NS
Policy:
4000 DNS rules across GSS Network
Resource Affinity: Sticky, Cookies.
Pricing
HW
SW
DDoS
GeoIP GSLB Support
IPv6 Support
Availability: Site Level Failover
GSLB Methods: Geographical, Topological, Least Loaded, Client Source Resolver
Hast, Ordered List, Ratio, RR/WRR
Management,
Monitoring &
Logging
ACE GSS4492R-K9
SF-GSS-V1.3-K9
SF-GSS-DDOSLIC
SF-GSS-GIPLICFX
SF-GSS-V6LICFX
User Interface: GUI (with new Cisco Kubric Look & feel) & CLI
Authorization: RBAC
Management Station Support: ANM Support
$ 20K plus licenses for DDOS, GeoIP
© 2011 Cisco and/or its affiliates. All rights reserved.
• License free IPv6 Support
• DDoS Protection
• Geographical and Resource Affinity
• Supports Cisco ACE/CSS/CSM
http://cio.cisco.com/en/US/products/hw/contnetw/ps4162/products_install
ation_and_configuration_guides_list.html
3
Cisco Confidential
More
specifically …
GSS participates in your DNS Infrastructure to enforce BCDR, GSLB, DNS
Security policies.
• Provides Universal DNS-based Disaster Recovery – redirects clients to
back-up data center for any device that support SNMP MIB and uses DNS
• Protects the DNS infrastructure with DNS-based DDOS mitigation
software
• Delivers Advance Global Traffic Management
Global Server Load Balancing (GSLB) for geographically dispersed Server Load
Balancers and Caches
Connect clients to the best server based on:
Network topology
Server load
Availability of content and devices
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
4
Release 4.1 Highlights
Key Benefits
1. Route clients based on
geographical proximity to
application
2. Support for IPv6
addressing for clients and
servers
3. Extreme scalability for
cloud datacenters
4. Reduce operational costs
through enhanced GUI
and ANM integration
2001:0DB8:AC10:FE01::
LDNS
Datacenter A
GSS
Network
d
c
User
b
- Geographical
Proximity
- RTT Proximity
- Site Persistence
2001:0DB8:AC10:FE01::
Available on CCO: September 22nd, 2011
© 2011 Cisco and/or its affiliates. All rights reserved.
SLB
a
Globally route clients
based on
SLB
2001:0DB8:AC10:FE01:: -
Site Health
Datacenter B
Cisco Confidential
5
Geolocation Based Global Delivery
Geolocation Highlights
a
c
(a) GeoIP based Proximity
SLB
LDNS
Datacenter A
GSS
•
(b) GeoRegions: GeoIP based Regions
•
Regions based on GeoIP database entries. (Add
single country or multiple countries). Granularity
down to states
•
Sticky support for GeoRegions
Network
User
(c) GeoSAL: GeoIP based Source
2001:0DB8:AC10:FE01::
b
Proximity calculations using GeoIP distances
d
SLB
Datacenter B
Address Lists
•
SALs can be based on GeoIP based
Regions
(d) New GUI Design (Kubric Look & Feel)
•
© 2011 Cisco and/or its affiliates. All rights reserved.
GUI option to configure all GeoIP
functionality
Cisco Confidential
6
GeoProximity
Data Center C
Data Center A
Data Center D
Data Center B
User
2001:0DB8:AC10:FE01::
Servers
•
Override RTT based
Proximity
•
Pick the application
based on geographical
distance between
probing device and client
LDNS
•
Licensable Feature
Internet
GSS
ACE
Internet
© 2011 Cisco and/or its affiliates. All rights reserved.
LDNS
Cisco Confidential
7
GeoRegions
GeoRegions
US-Central-Datacenter
© 2011 Cisco and/or its affiliates. All rights reserved.
o
Define Regions based on logical
groups. For example BRIC (Brazil,
Russia, India, China).
o
Create geographically grouped
resource pools. For example, USCentral-Datacenter Use the regions to
group resources (VIPs, NS, CRA) and
clients (source address lists)
o
Define persistence policy based on
GeoRegions
Cisco Confidential
8
Operational Flexibility
Lower the Operation Expense
• ANM
•
•
Import GSSM configuration into ANM
and monitor VIP status and DNS rules
status/hit count statistics from ANM GUI
•
Suspend/Activate VIPs/Rules/GSS SW
Rel Num from ANM GUI
HTTPs KAL
•
© 2011 Cisco and/or its affiliates. All rights reserved.
Add HTTPS-HEAD to existing KAL
types: ICMP, TCP, HTTP HEAD, KAL-AP,
Scripted KAL, CRA, and Name Server
•
Global Shared KeepAlive
Activate/Suspend
•
GUI Logging
Cisco Confidential
9
Ease of Management
GSS network is managed as a system – reduces number of touchpoints
• GSS is a system not a device
 Self synchronization of upto 16 GSSes
Ease of Management
 Single Point of management via GUI
 Does not sacrifice device level access (SSH to box)
 Any GSS can run GUI and a 2nd GSS serves as standby
GSS
Network
ANM
• Easy to use Interface
 IOS Syntax
 100 new CLI commands since v1.3
 Single interface for monitoring, troubleshooting and configuration
 Supports Import/Export of Configuration in industry standard formats
 Role based Access Control
 Remote Syslog Support
• Management Integration with ANM
GSS
GUI
 ANM - support the activation and suspension of a DNS rules and answers
 ANM – communicates to the primary GSS manager (PGSSM) via CLI, RMI
and SSH. Configuration parameters to establish this communication is the
GSS IP address and SSH credentials
© 2011 Cisco and/or its affiliates. All rights reserved.
 Four of eight Administrators Logon consumed by ANM
Cisco Confidential
10
IDN Support
1.
Internationalized Domain
Names (IDNs) are domain
names that contain nonASCII characters. (for
example, Arabic or
Chinese).
2.
The ASCII form of an IDN
label is termed as "Alabel". Non-ascii code
uses Unicode form or "Ulabel".
3.
GSS can be configured for
non-ascii URL
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
11
DNSSEC Ready
1. DNSSEC requests are automatically
forwarded *matching* non-A DNS
queries to the external name server.
Configuration is quick and simple.
gss2-tb1.cisco.com# configure terminal
2. For *matching* A queries with DO
(DNS OK) flag setGSS forwards the
request to the external name server
and the external NS provides a
DNSSEC response which the GSS
forwards to the D-proxy;
3. For all rest, GSS responds back as
it currently does with a plain DNS
response.
© 2011 Cisco and/or its affiliates. All rights reserved.
gss2-tb1.cisco.com(config)#property
set ServerConfig.dnsserver.enableEDNS 1
gss2-tb1.cisco.com(config)#property
set
ServerConfig.dnsserver.nsForwardAQueriesWithDOFlag1
Cisco Confidential
12
Extreme Scalability
(a) Thousand of Applications
-
(b) Vast Pools of Resources
-
Global Application Delivery
GSS answers are VIPs declared on ACE. In Rel
4.1, GSS support 256 ACEs and 8000 VIPs and
2000 domains
ACE
LDNS
KeepAlive is the way GSS monitors resources
behind the VIP that it serves. KAL-AP is Cisco
proprietary keepalive. In Rel 4.1, GSS supports 128
KAL-APs configuration.
(c) Global Clients and Servers
Utilization
c
Datacenter A
GSS
Network
b
User
- GSS responds with VIPs that are closest to the
requesting client (LDNS). In Rel 4.1, GSS uses GeoIP
to determine proximity in addition to existing probing
mechanisms.
(d) ANM for Cluster Management
Utilization
ACE
a
Datacenter B
d
- ANM can activate/suspend answers on GSS and
manage all 16 GSSes in a cluster
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
13
End to End Solutions: GSS, ACE, N7K
ACE+GSS Cloud Solution
Integration Points
(a) Wide Area Vmotion (OTV/DWS)
LDNS
User
- GSS upon notification of a vmotion
changes the answer for an query thereby
helping customer preserve WAN
bandwidth
GSS
Network
(b) ACE Virtualization
- GSS treats ACE contexts as separate ACE
devices thereby enabling virtual
datacenters for each customer B, C, D, …
(c) Virtual GSS
With Rel 5.1 (CY12), vGSS can offer
dedicated GSS functionality per VLAN.
-
© 2011 Cisco and/or its affiliates. All rights reserved.
ACE
ACE
DCB
vm
Primary
Datacenter
a
vm
Secondary
Datacenter
B
b
Cisco Confidential
c
14
GSS IPv6 Support
Component
IPv6 is Supported on …
Platform & Tools
access-group, access-list, interface ip, ip default-gateway, ip route, ip
anycast, setup, ping, dnslookup, show, traceroute, tcpdump, ftp, scp,
telnet
KAL
ICP, TCP, HTTP, HTTPs, KALAP
Resource
Grouping
VIP, Name Server, CRA, Locations, Regions, Zones
Traffic
Management
Proximity, DNS Rules
GSLB
Response with AAAA for queries from IPv4 or IPv6 LDNS
Respond with both A and AAAA records if available
DNS Rules supports IPv6 Source Address Lists and AAAA Query type
filters
SNMP and
Monitoring
IPv6 SNMP MIB Support
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
15
GSS 4.1 – Q4CY11
(a) GeoIP based GSLB
a
GeoIP based proximity
•
GeoIP based DNS Rules and Sticky
(b) IPv6
SLB
LDNS
Datacenter A
GSS
d
Network
•
c
•
Support for AAAA response
•
Support for persistence
•
IPv6 Management over IPv6 interface
(c) New GUI Design (Kubric Look & Feel)
User
2001:0DB8:AC10:FE01::
b
SLB
Datacenter B
© 2011 Cisco and/or its affiliates. All rights reserved.
(d) Configuration Scalability
•
8000 answers
Cisco Confidential
16
GSS Release Map
Release 3.2
- HTTPs KAL
- Workaround DNSSEC
- Bug Fixes
Release 3.3 (Private Only)
- Geo IP Proximity
- 8K Answers Support
- ANM support for 8K
Answers
Release 4.1.1
- IPv6 dot.ONE release
- Bug Fixes
2011
Jan
2012
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Jan
Feb
Release 4.1
- IPv6 Support
- Geo IP GSLB
- ANM support for 8K Answers
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
17
GSS
Direction
2011
2012
Release 5.0 (CC’ed)
DNSSec with FIPS
SOA & NS Record
HW Refresh
Release 4.1 (September, 2011)
IPv6 Support (AAAA)
GeoIP (Proximity, GeoRegions,
GeoSALs)
Release 3.2 (Feb, 2011)
HTTPs KAL
DNSSec Forwarding
Critical Bug Fixes
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
18
GlobalStrike GSS 5.1
Key Asks in GlobalStrike
Concept Committed 8/22/2011
1. Security and Compliance
•
a
•
•
•
SLB
LDNS
Datacenter A
GSS
c
d
Netw
ork
User
2001:0DB8:AC10:FE01::
b
© 2011 Cisco and/or its affiliates. All rights reserved.
2. Platfom Refresh
• (c) UCS server based appliance (San Luis)
• vGSS
3.
GeoIP Enhancements
4.
KAL- AP
SLB
Datacenter B
(a) DNSSEC strengthens the integrity of DNS Query/Response
transaction from threats such as
•
Forged or bogus response
•
Removal of Records (RRs) in responses
•
Incorrect application of wildcard expansion rules
(b) USGv6 and IPv6 Ph 2 Logo certification
FIPS compliant or validated encryption with acceleration
Common Criteria EAL-2
• (d) Logical Grouping of Geo Regions
• Enhancements and scalability
Cisco Confidential
19
GSS Roadmap
Rel 4.0
Rel 5.0
Q4CY11
1HCY12
DNS Services
1
•
IPv6: Support for AAAA,
A6, CNAME DNS Records
1
Operation Optimization
2
SLB
LDNS
1
2
Datacenter A
GSS
Network
4
3
•
•
•
•
Audit Logs
Log Source IP
Sync CLI and GUI User
View KAL logs through GUI
GSLB Services
•
Geo IP based Proximity
DNS Services
•
•
Operational Optimization
2
3
•
•
•
•
•
SLB
4
DCI Services
•
Automation to support
Vmotion over DCI
4
Authentication using AD
Automated Backup
Activate/Suspend Answers
Enhanced Reporting
Alerts/Alarms
GSLB Services
•
•
User
3
DNSSEc with FIPS
SOA & NS Record Support
Share KAL Status Among
Peers
KAL-AP with VIP
Capacity/Load
DCI Services
•
•
Automation through
integration with ANM
Exploring LISP Support
Datacenter B
5
© 2011 Cisco and/or its affiliates. All rights reserved.
Hardware Platform
•
GSS-4492R
5
Hardware Platform
•
Hardware Refresh with
FIPS compliance
Cisco Confidential
20
Ease
of Deployment
GSS participates in the DNS infrastructure – Lower Latency
Intermediate Name
Server
Supporting: .com
Root Name Server
GSS becomes the Authoritive Name Server for
the entire Zone supporting all applications for
the SP
DNS Global
Control Plane
IP Control/Forwarding Plane
DNS
CNR
ISP#1
ISP#2
Fixed
Cable
Wireless
© 2011 Cisco and/or its affiliates. All rights reserved.
Mobile
QIP
BIND
DSL
ISP#3
Dedicated/
ATM/FR
DNS Resolvers (DNSR): IE, Firefox, etc.
ISDN/Dial
Client
Name
servers
(D-proxy)
Clients
Requesting
Web Sites
Data Center #2
Data Center #1
DNS
DNS Requests
DNS Response
21
Confidential
Layer 3Cisco
Communications
Use Case: Policy based GSLB
GSLB policy enables redirection based on proximity, site health, server load and
user preferences
www.fifa.com
nameserver.fifa.com

Site Health Check
3
DNS
P-DNS2
16.1.1.1
Add DNS Rules
+ SAL
+ DDL
+ Qtype
+ Add Clauses
Link
GSS Johannesburg
10.86.191.150
DNS
 Datacenter Load

GSS Milan
10.86.191.134
2 Create Mesh
A” Record
10.86.191.147
 Disaster Recovery
Datacenter A
VIP=10.86.191.131
Mesh
Link

Selects Answer based on lowest RTT.
RTT measured between client’s dproxy and a probing device (Cisco
Router and/or GSS)
GSS uses DRP to communicate with
probes
10.86.191.134


1
SLB
Add NS Record
for both GSSes
DNS Query
www.fifa.com
 Proximity
www.fifa.com “NS” Record 10.86.191.150
“NS” Record 10.86.191.134
DNS query
www.fifa.com
GSLB Can Redirect Traffic Based On
KAL-AP
 Ratio based GLSB
User
SLB
Datacenter B
© 2011 Cisco and/or its affiliates. All rights reserved.
VIP=10.86.191.147
Cisco Confidential
22
Use Case: BCDR
DNS Global Control Plane
GSS Cluster
Mobile
Resolver
Fixed
Wireless
DNS Name
Servers
Cable
DSL
Dedicated/
ATM/FR
ISDN/Dial
IP Control/
Forwarding Plane
Recovering Service Availability after Failure
Active-Passive Design
Network fail-over can happen within 10s
Application/Server
Recovery time is based on the time it take to
complete data Synchronization of back-end
data base, application servers and Web
servers
Supported by Cisco’s Solutions
GSS, CSS, CSM, ACE
© 2011 Cisco and/or its affiliates. All rights reserved.
Chicago
Data
Center #1
NJ
Back-up
Data
Center #3
Tokyo
Data
Center #2
Cisco Confidential
23
Use Case: Securing DNS Infrastructure
DNS Global Control Plane
Mobile
Resolver
Fixed
Wireless
Cable
Rate limits these
specific DNS Request
Compromised DNS Name
Servers or DNS bots
DSL
Dedicated/
ATM/FR
ISDN/Dial
IP Control/
Forwarding Plane
Provides Security Focused,
highly available, DNS/DHCP/TFTP
infrastructure for one or more data
centers.
Chicago
Data
Center #1
Automatically identifies DNS-based
DDOS attack and mitigates the attacks
© 2011 Cisco and/or its affiliates. All rights reserved.
NJ
Back-up
Data
Center #3
Tokyo
Data
Center #2
Cisco Confidential
24
GSS Release 3.1.2
Before
1
No support for IDNA
1
IDNA Support
2
Limited Integration with
SLB Management (ANM)
2
Integration with SLB
Management (ANM)
3
Bug Fixes
3
Bug Fixes
4
KALs did not support
HTTPs transport
4
KALs on HTTPs
Transport
SLB
LDNS
1
Datacenter A
2
GSS
Network
User
After
3
KAL
4
SLB
Datacenter B
© 2011 Cisco and/or its affiliates. All rights reserved.
4
Tentative
Cisco Confidential
25
GSS Release 3.2.0
Before
1
No HTTPs KAL
1
HTTPs KAL
2
DNSSec Deployments
Break
2
DNSSec workaround to
forward A4 records
3
GUI based Config
Changes not logged
3
Audit Log for GUI based
Config Changes
4
SSL Vulnerabilities
4
Secure Communication
on SSL
SLB
LDNS
4
Datacenter A
2
GSS
Network
User
After
3
KAL
1
SLB
Datacenter B
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
26
Management
GSLB Services
DNS
Services
GSS Competitive Side by Side
Feature
F5 GTM
Netscalar
GSLB
Brocade GSLB
RadWare
GSLB
Cisco
DNS Services
Uses Bind
Uses Bind
Uses Bind
Uses Bind
CNR*
DNS Defense
Yes
No
No
Unknown
Yes
Dedicated Appl.
Yes
Yes
No
Yes
Yes
GLSB Functions
Yes, 7 methods
Yes, 3 method
Yes, 3 methods
Yes, 3 methods
Yes, 7 methods
Dynamic Ratio
Yes
No
No
Unknown
Yes
Persistence
Yes
Yes
No
Yes
Yes
Topological
Yes
No
No
Yes
Yes (manual load)
Geographical
Yes
Yes
Yes
Yes
Yes (manual load)
GUI, CLI and
Wizard
Yes
No
No
Unknown
Yes
Administrative
Login
Authentication
Local Only
Local Only
Local Only
Local Only
RADIUS and
RBAC
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
27
GSS Performance & Configuration Scalability
Performance
Configuration Limits
Single VIP (ans/sec)
30,000
Complex Configuration (ans/sec)
13,000
NS Forwarding
1500
Configuration Limits
Answer Groups (per group max)
2000 (100)
Name Server addresses for NS Forwarding (max
per answer group)
100 (30)
DNS Race CRA Devices (max per race, max per
answer group)
200 (20,20)
DNS Rules
4000
Source IP Addresses configurable for DNS Rules
500
VIP (Standard/Shared)
2000/4000
Source Address Groups (Max per group)
60 (30)
# of Active SLBs Probed
256
Hosted Domains (Max per SLB)
2000 (1000)
Max active GSSes in Mesh
16
Hosted Domain Lists (Max per Domain List)
2000 (500)
HTTP Probes (Standard/Fast)
500/100
Administrative Owners
500
ICMP Probes (Standard/Fast)
750/150
Administrative Regions (Locations)
20 (1000)
TCP Probes (Standard/Fast)
1500/150
Max user ids
256
Scripted SNMP Probes (Standard/Fast)
384/120
Max GUI (CLI) sessions
128 (8)
KALAP Probes (Standard/Fast)
128/40
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
28
Questions?
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
29
BACKUP
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
30
Security Focused Functionality
• Improves availability and
resiliency of DNS infrastructure
with high performance and self
protecting DDOS software
• Complete and Centralized DNS/DHCP/TFTP
management for network-enabled applications
• Offloads and optimizes BIND/DNS
processing and selects the best
• Security conscious features:
site based on:
• DDOS Mitigation Software
– Intelligent load balancing algorithms &
“clauses”
– Proximity to user request
– Data center and server loads, availability
& health
– Persistence to prevent lost session
information
© 2011 Cisco and/or its affiliates. All rights reserved.
• Client to GSS and GSS to GSS
communication encrypted
• Private DNS code base
• Supports all DNS-compatible devices
• Can be deployed with or without content
switches
Cisco Confidential
31
Improving DNS Survivability
Detects and mitigates the DNS focused Distributed Denial of Service
(DDoS) attacks. Multiple defenses including source verification
With the granularity and accuracy to provide new levels of business
continuity by processing only legitimate DNS requests
Delivering the performance and architecture suitable for the largest
enterprises and providers
Addresses DDoS attacks today, and its network-based behavioral anomaly
capability will be extended to additional DNS focused threats
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
32
Security Focused GSS deployment
Un-secure DNS traffic
Why here?
-Public IP and DNS Host Names
- Layers of firewalls and Nating
between DNS and internal servers
ISP-1
DNS Server Cisco GSS
Not here?
DMZ
Others
-If hacked private IP available
-- DNS traffic Tunneled though
firewall
- Violates recommend “Split DNS”
Best Practices
© 2011 Cisco and/or its affiliates. All rights reserved.
ISP-2
Public
Web Servers
Datacenter A
Secure Web Servers
Cisco Confidential
33
Rule – bxb.com
Source Address List - Anywhere
0.0.0.0 – 255.255.255.255
Source Address List Anywhere
Domain List
bxb
Balance Clause 1:
AnswerGroup grp-bxb
Balance Method Round Robin
Balance Clause 2:
Balance Clause 3:
Domain List bxb
www.bxb.com
AnswerGroup grp-bxb
Answer-1 (NY)
Answer-1(Bos)
Answer-1(Bos)
VIP-A 10.86.191.147
Rule – goodFellas.com
Source Address List Asia
Domain List
Answer-1(NY)
VIP-A 10.86.191.131
AnswerGroup grp-rtp
Answer-2 (NY)
Answer-2(Bos)
rest
Balance Clause 1:
AnswerGroup grp-bxb
Balance Method Round Robin
Balance Clause 2:
© 2011 Cisco and/or its affiliates. All rights reserved.
Balance
Clause 3:
Domain List rest
www.bxb.com
www.sjc.com
Source Address List Asia
124.0.0.0 – 145.0.0.0
87.0.0.0 - 94.0.0.0
Answer-2(NY)
VIP-B 10.86.191.136
Shared Keepalive
Type kal-ap
10.86.191.129 | 10.86.191.145
Answer-2(Bos)
VIP-B 10.86.191.153
Cisco Confidential
34
GSS vs F5 GTM
Feature
GSS
F5
Global Traffic Management
Advance Multi-Site Traffic Management w/ Persistence
Yes
Yes
Integrate DC selection with Server Load
Yes
Yes
Universal Health checks for Traffic Management
Yes
Yes
Leverages Cisco
Router Technology for DC selection
Yes
NO!
Provides HA for any type of DNS traffic
Yes
Yes
Business Continuance
Manageability
Yes
Dynamic configuration , secure Auto-sync
Yes
Network Server Consolidation
Appliance Based DNS
Yes (but we have retired CNR)
Yes (with
Bind)
Full DHCP/TFTP Services
Yes (but we have retired CNR)
NO!
Integrated DNS-based DDOS protection
Yes
NO!
Protects BIND Infrastructure
Yes
NO!
Not-Subject to BIND vulnerabilities
Yes
Security Focused DNS Infrastructure
© 2011 Cisco and/or its affiliates. All rights reserved.
NO!
Cisco Confidential
35
GSLB Core Balance Functions
Load Balancing Methods
1. Ordered List
-
Uses next VIPs when all previous VIPs are
overloaded or down
6. Source Address and Domain hash
IP address of client’s DNS proxy and domain used
Always sticks same client to same VIP
2. Static Based on Client’s DNS Address
Maps IP address of client’s DNS to available VIPs
7. DNS Race
–
–
3. Round Robin
–
8. DRP-based Dynamic Network Proximity
–
Actively localizes client traffic by probing the client
DNS Name servers and routing the client to the
closest data center based on the lowest RTT
measurement.
–
Scales to greater than 400,000
Cycles through available VIPs in order
Initiates race of A-record responses to client
Finds closest SLB to client’s d-proxy
4. Weighted Round Robin
–
Weighting causes repeat hits (up to 10) to a VIP
9. Global Sticky DNS Database
–
Dynamically tracks where clients are sent then
ensures they are sent to the same device for
subsequent requests
–
Entries are based the IP address of client name
server and the domain name requested
–
Sticky answers are shared between GSSs
5. Least Loaded
–
–
10. Drop
Least connections on CSM and least loaded on CSS
Load communicated via CAPP UDP
© 2011 Cisco and/or its affiliates. All rights reserved.
–
Silently discards the DNS request
Cisco Confidential
36
Keep Alives (KAL)
Site 1
Servers
CSS-A
CSS-B
Keepalives:
TCP
ICMP
HTTP-Head
SNMP
Site 2
Servers
CSS-A
CSS-B
• KALs – back-end process gathers state and load information
from devices within the data center such as local server load
balancers, and origin servers
• KAL can be grouped and logically “AND” together
• V2.0 added a new KAL type --- SNMP based
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
37
Types of GSLB Solutions
GSS is a DNS based GSLB Solution
Underlying
Platform
DNS Based GLSB
Network Insertion
DNS Authority
DNS Proxy
DNS Traffic Intercept
Pros
Accurate Load Info
Accurate Proximity Info
Cons
Dominant Use Case
Proximity between Client
and Resolver
Disaster Recovery and
Business Continuance
Caching at
client/server/proxy
Global Traffic Management
DNS Security
Host Route
Injection
SLB Add-On
Router Add-On
Server Add-On
No new protocols required
GSLB is a routing
problem
Support for multiple ISP
Route Flapping
Less accurate
Load/Proximity Info
No dominant use case
Triangle Data Flow
SLB Add-On
Accurate Proximity
Reverse Path
Traffic Localization to nearest
Datacenter
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
38
GSS 3.2.0 Bug Fixes
Identifier
Headline
Comments
CSCsz42912
Request to implement the show mem command in SNMP
CSCtc38727
CSCtc39127
CSCtd01467
CSCte64381
CSCtf30643
Manual Reactivation answers in OS with secondary circuit specified kalap
GSS Running Config is gone, GUI is unavailable but is passing traffic
IMPORTANT TLS/SSL SECURITY UPDATE
Cisco GSS not functioning as per Internet DNS Standards
getBulkRequest with max repetitions 0 crashes snmp on GSS
CSCtg60511
GSS sticky mesh staying in INIT state and not replicating sticky entries
CSCti20170
CSCti91605
CSCti93734
CSCtj23186
High rate of tcp dns request causing dnsserver to crash
GSS running out of inodes, unable to ssh
During initialzation GSS returns NXDomain
Need check to prevent answer-group being added to dns rule w/out answers
COPART issue
CSCtj24854
GSS running out of inodes, needs cleanup on /tmp
JPMC issue
CSCtj28476
ENH: Need to add "core-files verbose" output to gss tech-report
CSCtj55505
Tech report should be enhanced & add more sticky and selector logs
Enh request from escalation
To get more debugs from cases like stream the
world
© 2011 Cisco and/or its affiliates. All rights reserved.
Fix for Chrystler
Cisco Confidential
39
Thank you.
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
40