
ACOS 4.1.1-P11
Global Server Load Balancing Guide
for A10 Thunder® Series and AX™ Series
29 May 2019
© 2019 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY - ALL RIGHTS RESERVED
Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual
patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act.
A10 Networks' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:

https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking

TRADEMARKS
A10 Networks trademarks are listed at:

https://www.a10networks.com/company/legal-notices/a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may
not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of
A10 Networks, Inc.

A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT


Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat
Software as confidential information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in
this document or available separately. Customer shall not:

1. Reverse engineer, reverse compile, reverse de-assemble, or otherwise translate the Software by any means.
2. Sub-license, rent, or lease the Software.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not
limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information
contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product
specifications and features described in this publication are based on the latest information available; however, specifications are
subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current
information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and
conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please
contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic
components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks
location, which can be found by visiting www.a10networks.com.

Table of Contents

GSLB Introduction

About this Manual
Audience and Prerequisites
Manual Structure

GSLB Deployment Options

DNS-Based GSLB Protocol
GSLB Overview
GSLB Controller and Devices
Configuring the GSLB Controller
Configuring GSLB Site ACOS Devices
GSLB Deployment Modes
Server Mode
Proxy Mode
Controller Groups and GSLB Synchronization
GSLB Controller Groups
Election of the Master Controller
GSLB Synchronization
Configuring GSLB Controller Groups
Controller Group Parameters
Configuring the Group Master
Configuring the Secondary Devices
Controller Group Configuration Example
Partition-specific Group Management
aVCS
Cloud-based Computing Solution

GSLB Implementation Examples

Overview
Basic GSLB Configuration
Scenario 1: GSLB Proxy Mode
Scenario 2: GSLB Server Mode
Scenario 3: GSLB Controllers and Site Devices
Scenario 4: Main Campus Basic Configuration
Scenario 5: GSLB Server Active/Standby Mode
SLB Setup
Configuring Open DNS Virtual Appliance and VRRP on vMaster
Configuring GSLB Controller

page 3
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Contents

Configuring VRRP Interface on vBlade
GSLB Setup
Functionality of Setup
Internal Client Access to adfs.FPA.org
External Client Access to adfs.FPA.org
Scenario 6: GSLB Disaster Recovery Solution
GSLB Disaster Recovery Setup
Configuring Disaster Recovery
Configuring CLI
Primary Site Configuration
Configuring Primary Site and Disaster Recovery Site

GSLB Elements

GSLB and the DNS Namespace
Basic GSLB Data Structures
FQDNs and FQDN Service Groups
Configuring GSLB Elements
Creating an FQDN String (Zones and Services)
Configuring a Zone
Configuring the Service
Configuring Sites
Configuring Service IPs
Configuring Service-IP Parameters
Configuring Policies
Configuring FQDN Service Groups

GSLB Metrics

Managing GSLB Metrics
Enabling and Disabling Metrics (CLI)
Metrics That Require the GSLB Protocol on Site ACOS Devices
Changing the Metric Order
Metric Descriptions
Health-Check
Health-Check Precedence
Configure Health Monitors
Weighted-IP
Weighted-Site
Session Capacity
Active Servers
Active-Round Delay Time (aRDT)
Default Settings
Single Sample (Single Shot)
Multiple Samples
Store-By
Tolerance
Enabling aRDT

Changing aRDT Settings for a Site
Excluding a Set of IP Addresses from aRDT Polling
GSLB Controller-Based Metrics
Geographic
Geo-Location
CNAME Support
Connection Load
Num Session
Admin Preference
BW Cost
Configuring Bandwidth Cost (Process)
Least-Response
Admin-IP
Round-Robin
Alias-Admin-Preference
Configuring Alias Admin Preference
Configuring Alias Admin Preference (CLI)
Weighted-Alias
Configuring Weighted Alias
Configuring Weighted Alias (CLI)

DNS Options

DNS Options Preference
Append NS Records in DNS Authority Section
Support for DNS TXT Records
Configuring DNS TXT Records
Displaying DNS TXT Records
Support for DNS CNAME Records
Configuring DNS CNAME Load Balancing (CLI)
DNS Option Descriptions
DNS Action
DNS Active-only
Configuring DNS Active-Only (CLI)
DNS Addition-MX
DNS Auto-Mapping
Configuring Auto-Mapping (CLI)
DNS Backup Alias
DNS Backup Server mode
Configuring Backup Server Mode (CLI Example)
DNS Cache
DNS CNAME detect
DNS Sub-zone Delegation
Configuring DNS Sub-Zone Delegation (CLI Example #1)
Configuring DNS Sub-Zone Delegation (CLI Example #2)
DNS External-IP
DNS External-SOA

DNS Geoloc-Action
DNS Geoloc-Alias
DNS Geoloc-Policy
Hints in DNS Responses
Configuring DNS Response Hints (CLI)
DNS IP-Replace
DNS IPv6
DNS Logging
Enabling DNS Logging for a GSLB Policy (Process)
Enabling DNS Logging for a GSLB Policy (CLI Example)
GSLB DNS Log Messages Sent to Remote Log Server
DNS Proxy
DNS Proxy Block
Configuring GSLB DNS Proxy Block (CLI)
DNS Selected-only
DNS Server
DNS Sticky
DNS TTL Override

Geo Location Mappings

Loading or Configuring Geo-Location Mappings
Geo-Location Database Files
Geo-Location Mappings
Example Database File
Converting IP Addresses into bin4 Format
CSV File Field Delimiters
Creating and Loading a Custom Geo-Location Database
Configuring the CSV Template
Importing the CSV File
Loading the CSV File Data into the Geo-Location Database
Manually Configuring Geo-Location Mappings
Displaying the Geo-Location Database
Geo-location Overlap
Geo-location Databases Background
When to Use Geo-Location Overlap
Geo-location-based Access Control
Using a Class List
Class List Example
Using a Black/White List
Configuring the Black/White List
Displaying and Clearing SLB Geo-Location Information
Black/White List Example
Full-Domain Checking
Configuring Full-Domain Checking
Enabling PBSLB Statistics Counter Sharing

Gateway Health Monitoring

Configuring Gateway Health Checking for GSLB Sites
Sites with Multiple Gateway Links
Disabling a Gateway Health-Check
Displaying the Health Status of a Site Gateway
Site with Single Gateway Link
Site with Multiple Gateway Links
Multiple-Port Health Monitoring

Application Groups

Site persistence With Per-VIP Failover Granularity
Configuring Persistence and Dependency

Configuring GSLB through the GUI

GSLB Proxy Mode (Scenario 1)
GSLB Server Mode Group (Scenario 2)
GSLB Controllers and Devices (Scenario 3)
Configuring GSLB Controller-Based Metrics

GSLB CLI Command Reference

Main Configuration Commands
delete geo-location
gslb active-rdt
gslb dns action
gslb dns logging
gslb geo-location
gslb group
gslb health monitor
gslb ip-list
gslb policy
gslb protocol
gslb protocol limit
gslb service-group
gslb service-ip
gslb site
gslb system age-interval
gslb system auto-map module
gslb system auto-map ttl
gslb system geo-location load
gslb system ip-ttl
gslb system wait
gslb template csv
gslb template snmp
gslb zone
import geo-location


Policy Configuration Commands

active-rdt
active-servers
active-servers-enable
admin-ip
admin-ip-enable
admin-preference
alias-admin-preference
auto-map
bw-cost
bw-cost-enable
capacity
connection-load
dns action
dns active-only
dns addition-mx
dns auto-map
dns backup-alias
dns backup-server
dns cache
dns cname-detect
dns delegation
dns external-ip
dns external-soa
dns geoloc-action
dns geoloc-alias
dns geoloc-policy
dns hint
dns ip-replace
dns ipv6 mapping
dns ipv6 mix
dns ipv6 smart
dns logging
dns proxy block <query>
dns proxy block <type>
dns proxy block action
dns selected-only
dns server
dns sticky
dns ttl
edns client-subnet geographic
geo-location
geo-location-match
geographic
health-check
ip-list
least-response


metric-fail-break
metric-force-check
metric-order
num-session
num-session-enable
round-robin
weighted-alias
weighted-ip
weighted-ip-enable
weighted-site
weighted-site-enable

Show Commands

show gslb cache
show gslb config
show gslb fqdn
show gslb geo-location
show gslb group
show gslb ip-list
show gslb memory
show gslb policy
show gslb protocol
show gslb rdt
show gslb samples conn
show gslb samples conn-load
show gslb samples rdt
show gslb service
show gslb service-group
show gslb service-ip
show gslb service-port
show gslb session
show gslb site
show gslb slb-device
show gslb state
show gslb statistics
show gslb zone

Clear Command

clear gslb


GSLB Introduction

Global Server Load Balancing (GSLB) refers to load balancing applications that direct users to multiple
data center sites. Each site consists of server farms that provide users with fast response time and
sufficient redundancy to protect against the failure of a complete data center. Each GSLB implementation
falls under one of these categories:

• DNS-Based GSLB: Domain Name System technology is used to extend load balancing globally.

• IP-Based GSLB: Route health injection advertises VIP availability throughout the network.

The A10 implementation of GSLB extends load balancing to a global geographic scale by offering a
choice of DNS Proxy or DNS Server methods. A10 GSLB adds a layer of availability and performance to
applications with minimal impact to existing DNS architectures while allowing the selection of the most
appropriate method for a network environment:

• Proxy Mode: The ACOS device acts as a proxy for an external DNS server. The device can update
A and AAAA records in response to client requests and forwards requests for all other record
types to the external DNS server.
• Server Mode: The ACOS device directly responds to queries for specific service IP addresses in
the GSLB zone while forwarding other query types to the DNS server. In server mode, the device
can reply with A, AAAA, MX, NS, PTR, SRV, and SOA records. For all other records, the ACOS
device attempts proxy mode.
The device can be configured to use only DNS server mode for all replies. If the configuration does
not contain the applicable DNS record, the controller responds with a server failure message if it is
not managing the FQDN.

About this Manual


The Global Server Load Balancing Guide serves as a reference manual for the A10 GSLB implementation
and provides configuration examples that demonstrate system capabilities and specific features.

The final chapter includes a description of commands available in the ACOS command line interface.

Audience and Prerequisites


The Global Server Load Balancing Guide is intended for network administrators who are responsible for
implementing or maintaining ACOS GSLB configurations. A basic knowledge of networking principles,
including routing and load balancing, is assumed. While some examples include Server Load Balancing
(SLB) instructions, the reader is assumed to have a basic understanding of A10 system administration
and Server Load Balancing (SLB) concepts and procedures. A10 manuals that provide information
concerning these topics include the “System Configuration and Administration Guide”, the “Application
Delivery and Server Load Balancing Guide”, and the “Command Line Interface Reference for ADC”.

Manual Structure
The GSLB Guide includes the following chapters:

• GSLB Introduction – Provides a brief description of GSLB and this manual.

• GSLB Deployment Options – Describes controllers and devices; proxy and server modes;
configuration synchronization; and usage within A10 partitions and aVCS environments.
• GSLB Implementation Examples – Provides several GSLB configuration examples.

• GSLB Elements – Describes basic GSLB data structures.

• GSLB Metrics – Describes GSLB metrics.

• DNS Options – Describes DNS options supported by the device that complement the GSLB
implementation.
• Geo Location Mappings – Describes loading geo-locations: manually or by loading from a file.

• Gateway Health Monitoring – Describes GSLB health monitoring.

• Application Groups – Describes site persistence and dependence in Application Groups.

• Configuring GSLB through the GUI – Provides GUI steps for many of the processes presented in
the guide.
• GSLB CLI Command Reference – Describes CLI commands that configure GSLB.


GSLB Deployment Options

This chapter describes the following GSLB deployment concepts and options:

• “DNS-Based GSLB Protocol” on page 13

• “GSLB Deployment Modes” on page 15

• “Controller Groups and GSLB Synchronization” on page 17

• “Partition-specific Group Management” on page 22

• “aVCS” on page 22

• “Cloud-based Computing Solution” on page 22

DNS-Based GSLB Protocol


The following sections describe GSLB concepts:

• “GSLB Overview” on page 13

• “GSLB Controller and Devices” on page 14

• “Configuring the GSLB Controller” on page 14

• “Configuring GSLB Site ACOS Devices” on page 15

GSLB Overview
DNS-based GSLB uses Domain Name System (DNS) technology to extend load balancing to a global
scale. Global Server Load Balancing (GSLB) adds intelligence to authoritative DNS servers. The GSLB
controller evaluates DNS replies and directs traffic to the 'best' site by replacing the IP address in the
DNS reply.

GSLB provides the following advantages:

• Provide data center failover to minimize downtime and ensure application availability

• Optimize multi-site deployments

• Maximize network access speed


• Provide faster performance and improved user experience by directing users to the nearest site

• Increase data center efficiency by using flexible policies to distribute traffic to multiple sites

GSLB is disabled by default and requires proper configuration to operate.

GSLB Controller and Devices


ACOS devices use the GSLB protocol to manage traffic between a controller and the accessible sites.
The interval between protocol updates ranges from one second to five minutes (default is 30 seconds).
VIP information is sent asynchronously.

A GSLB controller manages protocol functionalities. The protocol must be enabled on the ACOS
instance or device designated to perform controller functions.

The GSLB controller collects the following information from the accessible site load balancers:

• Virtual IP addresses & active servers

• Active-Round Delay Time (aRDT)

• Site session capacity statistics

• Connection load

• Number of active sessions

A GSLB Controller Group consists of multiple controllers, within a GSLB zone, whose service IP status
and GSLB configurations are synchronized. GSLB Controller Groups provide redundancy that protects
against the failure of an individual device. The ACOS device can automatically synchronize GSLB
configurations and VIP-server status among multiple GSLB controllers for a GSLB zone. See “Controller
Groups and GSLB Synchronization” on page 17 for more information.

Enabling the protocol on site devices within a GSLB configuration is operational for base configuration.
Specific policy options and the default health checks require the protocol to be enabled.

When running GSLB in server mode, a VIP for the DNS is required; the configuration of a real server or
service group is not required. When running GSLB in proxy mode, the real server and service group are
required along with the VIP.

For additional information on DNS configuration for Server mode and Proxy mode see “DNS Options”
on page 91.

Configuring the GSLB Controller


To configure GSLB on the GSLB ACOS device:


1. Configure health monitors for the DNS server to proxy and the GSLB services to be load balanced.
2. Configure a GSLB policy as described in “Configuring Policies” on page 66. This can be skipped
when using a default profile.
3. Configure services.
4. Configure sites.
5. Configure a zone.
6. Enable the GSLB protocol for the GSLB controller function (gslb protocol enable controller
command).

Configuring GSLB Site ACOS Devices


GSLB deals with multiple sites. Each site has a unique IP address or IP addresses for management
interfaces or the VRRP interfaces. Each IP address is associated with a set of parameters. A site
selection policy can be evaluated based on these parameters.

To configure GSLB on the site ACOS devices:

1. Configure SLB on the device.
2. Enable the GSLB protocol for the GSLB site device function (gslb protocol enable device
command).

See “gslb protocol” on page 170 for a description of gslb protocol commands.

GSLB Deployment Modes


ACOS supports GSLB Server and Proxy modes.

Server Mode
An ACOS device in server mode responds directly to queries for specific service IP addresses in the
GSLB zone; the device still forwards other types of queries to the DNS server. In server mode, the ACOS
device can reply with A, AAAA, MX, NS, PTR, SRV, and SOA records. For all other records, the ACOS
device attempts proxy mode.

You can configure GSLB to use only the GSLB DNS server for all replies. When the configuration does
not contain the applicable DNS record, the controller responds with a server failure message when it
does not manage the FQDN.

An ACOS device becomes a GSLB ACOS device when you configure GSLB on the device and enable the
GSLB protocol for the controller function. The GSLB protocol uses port 4149. The protocol is registered
on this port for both TCP and UDP.

The dns server command is a GSLB Policy mode command that enables an ACOS device to act as a
DNS server for specific service IPs in the GSLB zone to which the policy is applied. To configure DNS
server mode on a device, apply a policy with a DNS server command to a zone or service on the device.

Example

These commands configure a policy that sets up a device as a DNS server that uses DNS TXT resource
records to carry multiple pieces of DNS TXT data within one TXT record, then apply the policy to a service.

ACOS(config)# gslb policy kaibab
ACOS(config-policy:kaibab)# dns server txt
ACOS(config-policy:kaibab)# exit
ACOS(config)# gslb zone example.com
ACOS(config-zone:example.com)# service 80 www
ACOS(config-zone:example.com-service:www)# policy kaibab
ACOS(config-zone:example.com-service:www)# dns-txt-record obj-1 aaaa
ACOS(config-zone:example.com-service:www)# dns-txt-record obj-2 bbbb
ACOS(config-zone:example.com-service:www)# dns-txt-record obj-3 cccc
ACOS(config-zone:example.com-service:www)# exit
ACOS(config-zone:example.com)# show run | sec gslb
gslb policy kaibab
dns server txt
gslb zone example.com
service 80 www
policy kaibab
dns-txt-record obj-1 aaaa
dns-txt-record obj-2 bbbb
dns-txt-record obj-3 cccc
ACOS(config-zone:example.com)#

Proxy Mode
An ACOS device in proxy mode acts as a proxy for an external DNS server. In proxy mode, the ACOS
device updates A and AAAA records in response to client requests and forwards requests for other
record types to the external DNS server. DNS proxy is a DNS virtual service; its configuration is similar
to that of an SLB service.


By default, a GSLB policy configures the device to act in DNS proxy mode. The no dns server
command disables DNS server mode within a policy where DNS server mode was previously enabled.

These steps describe the DNS proxy configuration process. For a description of SLB commands and
processes, see the “ADC Command Line Interface Reference Guide” and the “Application Delivery and
Server Load Balancing Guide”.

1. Configure a real server for the DNS server to be proxied (slb server command).
2. Configure a DNS port on the server (port command).
3. Enable health monitoring of the DNS service (health-check command).
Layer 3 health monitoring using the default Layer 3 health monitor is already enabled by default.
4. Configure a service group and add the DNS proxy (real server) (slb service-group command).
5. Add the DNS server to the service group (member command).
6. Configure a virtual server for the DNS proxy and bind it to the real server and service group (slb
virtual-server command).
7. Add the DNS port (port command).
8. Bind the DNS port to the DNS proxy service group (service-group command).
9. Enable GSLB on the port (gslb-enable command).

“Scenario 1: GSLB Proxy Mode” on page 27 contains a DNS proxy configuration example.

Controller Groups and GSLB Synchronization


This section describes GSLB Controller Groups and GSLB configuration synchronization.

GSLB Controller Groups


A GSLB Controller Group consists of multiple controllers, within a GSLB zone, whose service IP status
and GSLB configurations are synchronized. GSLB Controller Groups provide redundancy that protects
against the failure of an individual device.

Each group consists of member ACOS devices. Among the members, the group has a Master, which
manages group synchronization. The Master device synchronizes GSLB configurations and VIP-server
status among the GSLB controllers within the group. A group can contain up to 15 members.

On each GSLB controller, the configuration for a GSLB group includes a list of primary group members.
By default, no primary members are defined. Group member addresses are pushed to the other
devices in the group after they are configured on the Master device. After the GSLB process starts on
an ACOS device, the device joins the controller group by connecting to the primary group members to
exchange group management traffic.

Controller groups provide a learning option that enables an ACOS device to learn the IP addresses of
members when they are added to the group. Learning is enabled by default.

This feature is different from the ACOS Series Virtual Chassis System (aVCS) feature. aVCS is used for
multiple ACOS devices that serve as mutual backups within the same LAN.

Election of the Master Controller


Each GSLB controller in a controller group has a configurable priority value that ranges from 1 to 255.
During master election, the GSLB controller with the highest priority is elected master for the group. If
more than one controller has the highest priority value, the controller with the highest last 4 bytes in its
management interface MAC address is elected.

The master controller and the other controllers periodically send keepalive messages. If the other
controllers stop receiving keepalive messages from the master controller, a new master is elected.

To designate a master controller for the GSLB group, set the priority of the desired ACOS device to a
higher value than the other members. It is recommended that you make GSLB configuration changes
for the group-wide parameters on the master. The group synchronization feature will push your
configuration to the other group members.
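Because the master pushes its configuration to every other member, it is worth checking before a change which controller the election rule above will select. The following is an added example, not A10 code: it applies the stated rule (highest priority, then highest last 4 bytes of the management MAC) to a constructed inventory. The controller names and MAC addresses are hypothetical, and it assumes a re-election among the remaining controllers follows the same rule.

```python
from dataclasses import dataclass

MAX_MEMBERS = 15            # group size limit stated in the guide
MIN_PRI, MAX_PRI = 1, 255   # configurable priority range stated in the guide


@dataclass(frozen=True)
class Controller:
    name: str       # hypothetical inventory label
    priority: int   # value set with the group "priority" command
    mgmt_mac: str   # management interface MAC address


def mac_tiebreak(mac: str) -> int:
    """Return the last 4 bytes of a 48-bit MAC address as an integer."""
    digits = "".join(ch for ch in mac if ch not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits[-8:], 16)  # int() raises ValueError on non-hex input


def election_key(c: Controller):
    """Sort key: priority first, then the MAC suffix as the tie-break."""
    return (c.priority, mac_tiebreak(c.mgmt_mac))


def rank(controllers):
    """Order controllers from expected master to last takeover candidate.

    Assumption: when the master disappears, the same rule is applied to
    the controllers that remain.
    """
    for c in controllers:
        if not MIN_PRI <= c.priority <= MAX_PRI:
            raise ValueError(f"{c.name}: priority {c.priority} outside 1-255")
    return sorted(controllers, key=election_key, reverse=True)


def predict_master(controllers):
    """Return (expected master, warnings for whoever reviews the change)."""
    if not controllers:
        raise ValueError("empty inventory")
    ranked = rank(controllers)
    warnings = []
    if len(ranked) > MAX_MEMBERS:
        warnings.append(f"{len(ranked)} controllers exceeds the group limit of {MAX_MEMBERS}")
    winner = ranked[0]
    tied = [c.name for c in ranked if c.priority == winner.priority]
    if len(tied) > 1:
        warnings.append(
            f"priority {winner.priority} is shared by {', '.join(tied)}; "
            "the master is decided by MAC address, not by configuration"
        )
    if len(ranked) > 1 and election_key(ranked[0]) == election_key(ranked[1]):
        warnings.append("top two controllers have the same priority and MAC suffix")
    return winner, warnings


# Constructed inventory: names and MAC addresses are made up for the example.
INVENTORY = [
    Controller("gslb-a", 255, "00:1f:a0:00:10:01"),
    Controller("gslb-b", 200, "00:1f:a0:00:10:7c"),
    Controller("gslb-c", 200, "00:1f:a0:00:10:2e"),
]

if __name__ == "__main__":
    master, notes = predict_master(INVENTORY)
    print("expected master:", master.name)
    print("takeover order:", [c.name for c in rank(INVENTORY)])
    # Losing gslb-a leaves two controllers tied on priority.
    master, notes = predict_master(INVENTORY[1:])
    print("after gslb-a fails:", master.name, notes)
```
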

GSLB Synchronization
The master controller synchronizes GSLB configurations and VIP server status among multiple
controllers in a GSLB group. The master synchronizes the following GSLB configuration items when updating
the configurations on other controllers:

• Service IPs

• Sites, including SLB-device parameters

• Zones, including services

• GSLB policies (only those that are used by services)

• SLB information for DNS proxy

• GSLB protocol settings

• Health Monitors (if configured using the GSLB option)

• Sticky Persistence


The following items are not synchronized:

• Geo-location files

• Black/white list files

The master controller sends the following status information to the other controllers:

• aRDT data

• Connection load data

• Virtual port status

• Virtual server status

• Device status

Until the configuration synchronization status reaches “FullSync”, GSLB configuration information can
be edited directly on group members that are not the master. When multiple devices are configured
differently, changes on the master overwrite changes on other group members when “FullSync” is
reached.

After the configuration status reaches “FullSync”, by default directly changing the configuration on a
member device is not supported and generates the error message “Operation denied by Group Master”.

• When a L3V network contains two or more controllers that use the same public NAT address, a
GSLB group accepts only one controller as a group member. The ACOS GSLB controller rejects
subsequent connection requests from the same external IP.
• In VRRP-A deployments for clusters, the GSLB configuration synchronizes with the active
VRRP-A device, which then pushes the GSLB configuration changes to the VRRP-A standby
device.
• Management port and VRRP must be enabled in every device, pointing to its management
device.
• The CLI prompt displays the ACOS device role within the GSLB group. The status indicator can be
either “Master” or “Member”, as shown in these examples:
ACOS-Master(config)#
ACOS-Member(config)#

The group role indicator is disabled with the no terminal gslb-prompt command.


Configuring GSLB Controller Groups

Controller Group Parameters


The following is a list of configurable GSLB group parameters, each followed by its command. The
gslb group command places the CLI in gslb-group configuration mode. All other commands in this
section are accessed from gslb-group mode.

• Group name: Name of the GSLB controller group (gslb group)

• Group state: State of the group on the ACOS device. (enable)

• DNS auto-mapping: Maps group IP resources to IP addresses on the ACOS device. (auto-map)

• DNS discover: Discovers group members using DNS. (dns-discover)

• DNS suffix: DNS suffix used for DNS discovery. You can specify the suffix (name) that GSLB
appends to the domain name when sending a dns-discover query. For example, for group name
“group” and suffix “example.com”, strings are sent in the DNS discovery query as
“group.example.com”. (suffix)
• Priority: Value used during master election for the group. Higher priority values are preferred
over lower priority values. For example, priority value 200 is preferred over priority value 100.
(priority)
• Primary controller: IP addresses of the other GSLB controllers to connect to within the group.
You can specify up to 15 IP addresses. (primary)
• Learning: Allows the device to learn the IP addresses of additional group members from primary
controllers (learn).
• Automatic configuration save: Automatically saves the configuration on a group member
when the configuration is saved on the group’s master controller. (config-save)
• Automatic configuration merge following master takeover: Automatically merges the
previous master’s configuration to the new master following takeover of the master role.
(config-merge)
• Configuration allowed on all group members: Allows GSLB configuration to be performed
on any group member. (config-anywhere)
• Inherit configuration: Allows a GSLB controller to acquire its GSLB configuration from another
device. (inherit)
• Standalone operation: Allows this GSLB controller to operate independently of the group.
(standalone)

Configuring the Group Master


1. Configure the GSLB parameters that will be synchronized with the other controllers.


2. Configure local GSLB parameters as applicable to your deployment.


3. Add the device to the GSLB controller group and change the group priority value to 255.
4. Enable the device’s membership in the group.

Configuring the Secondary Devices


1. Add the device to the GSLB controller group. Set the priority to a value that is less than the master.
2. Enable the ACOS device’s membership in the group.
3. Configure local GSLB parameters as applicable to your deployment.

Controller Group Configuration Example


These commands add a GSLB controller to the default GSLB group, enable the device’s membership in
the group, and display group information:

ACOS(config)# gslb group default
ACOS(config-gslb group:default)# enable
ACOS(config-gslb group:default)# show gslb group brief
Pri = Priority, Attrs = Attributes
D = Disabled, L = Learn
P = Passive, * = Master
Name      Pri  Attrs  Master          Member
-----------------------------------------------------------------------------
default   100  L      192.168.101.72  2

ACOS(config-gslb group:default)# show gslb group
Pri = Priority, Attrs = Attributes
D = Disabled, L = Learn
P = Passive, * = Master
Group: default, Master: 192.168.101.72
Member          ID        Pri  Attrs  Status
-----------------------------------------------------------------------------
local           22e40d29  255  L*     OK
192.168.1.131   941a1229  100         Synced
192.168.1.132   ab301229  100  P      Synced


Partition-specific Group Management


The ACOS device supports Global Server Load Balancing (GSLB) configuration within L3V partitions.
The shared partition and individual L3V partitions can each have their own GSLB configuration parame-
ters. To configure GSLB parameters for an individual partition, assign them to the same partition.

The following GSLB parameters cannot be configured for individual partitions; they are only configured
globally and are effective within all ACOS device partitions:

• GSLB system-wide settings: gslb system, gslb dns, gslb protocol, and gslb active-rdt

• GSLB geo-locations (gslb geo-location)

GSLB parameter labels do not span partitions; zones in two partitions cannot use the same zone name.

For each partition, you can create one group, the “partition group”. Only one GSLB Group is supported to
implement mapping. The following synchronization scenario is supported: from shared partition group
to shared partition group. View and inheritance features are not supported in this release.

For additional information about L3V Partitions, see the System Configuration and Administration Guide.

aVCS
Typical aVCS deployments support a virtual chassis with multiple devices. Real-time configuration
synchronization results in virtual chassis devices with identical GSLB configurations. This can result in
multiple GSLB controllers tying for highest priority. In this case, the controller with the highest last 4
bytes in its management interface MAC address is elected group master.

GSLB groups synchronize configuration between ACOS devices. When a group is enabled and the
GSLB configuration can be managed by the GSLB group, aVCS does not synchronize the GSLB
configuration to the vBlade. When the vMaster is not the same device as the GSLB group master,
configuring GSLB in a member controller requires enabling the config-anywhere option in the GSLB
group.
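The election rule described in this section (higher priority wins; when priorities tie, the highest last 4 bytes of the management interface MAC address wins) can be modelled as follows. This is an added example, not A10 code: the controller names and MAC addresses are constructed, and comparing the 4 bytes as an unsigned big-endian integer is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Controller:
    name: str
    priority: int   # value of the gslb group "priority" command
    mgmt_mac: str   # MAC address of the management interface


def mac_low32(mac):
    """Return the last 4 bytes of a 48-bit MAC address as an unsigned integer."""
    digits = mac.translate(str.maketrans("", "", ":-."))
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits[4:], 16)


def elect_master(controllers):
    """Return (master, tied); tied lists every controller sharing the top priority."""
    if not controllers:
        raise ValueError("no controllers in group")
    top = max(c.priority for c in controllers)
    tied = [c for c in controllers if c.priority == top]
    # Assumption: "highest last 4 bytes" means an unsigned big-endian comparison.
    master = max(tied, key=lambda c: mac_low32(c.mgmt_mac))
    return master, tied


# Constructed sample: two aVCS members whose synchronized configuration gives
# them the same priority, plus one remote controller with a lower priority.
GROUP = [
    Controller("vblade-1", 255, "02:00:00:01:0c:3e"),
    Controller("vblade-2", 255, "02:00:00:01:0d:10"),
    Controller("site-b", 100, "02:00:00:ff:ff:ff"),
]

if __name__ == "__main__":
    master, tied = elect_master(GROUP)
    if len(tied) > 1:
        names = ", ".join(c.name for c in tied)
        print(f"priority tie between {names}; MAC address decides the master")
    print(f"master: {master.name}")
```

A tie list longer than one means the master role is decided by hardware addresses rather than by the configured priority.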

Cloud-based Computing Solution


GSLB supports dynamic generation of a service-ip based on the ACOS device hostname. When an SLB
has an FQDN but lacks the associated IP address, the GSLB protocol provides for querying the DNS
server for an A record or CNAME record to learn the device IP address. The GSLB ACOS device, or GSLB
controller, can acquire the IP address of the device and apply it to the service-ip. This information is
used to configure the SLB server (with hostname) as an ip-server or vip-server of a GSLB site. The IP
address that appears in the A record or CNAME record becomes the SLB service-ip.

The feature supports IPv4 resource records and does not support IPv6 records.

The GSLB Cloud Computing Solution may be appropriate when using multiple web-based service
providers to provide server load balancing services. It can allow you to shift from one web-based service
provider to another to use services that cost less or that have better health metrics. When using a
cloud-based SLB service provider for web-based services, the provider sends a CNAME record to
access the cloud servers. The cloud servers can be dynamically imported into the ACOS device via the
CNAME record in order to do GSLB.

The example below shows the generation of dynamic service-ip addresses by hostname via DNS. This
can be accomplished using the following CLI configurations on an ACOS device:

1. Configure the cloud-based service provider number 1:


ACOS(config)# slb server www www.example2.com
ACOS(config-real server)# exit

2. Configure the cloud-based service provider number 2:


ACOS(config)# slb server mail mail.example2.com
ACOS(config-real server)# exit

3. Configure the cloud-based service provider number 3:


ACOS(config)# slb server www1 www1.example2.com
ACOS(config-real server)# exit

4. Configure three sites for each web-based service provider:


ACOS(config)# gslb site sanjose
ACOS(config-gslb site:sanjose)# slb-dev ACOS5200 192.168.1.2
ACOS(config-gslb site:sanjose-slb dev:ACO...)# exit
ACOS(config-gslb site:sanjose)# ip-server www


ACOS(config-gslb site:sanjose)# ip-server mail


ACOS(config-gslb site:sanjose)# ip-server www1
ACOS(config-gslb site:sanjose)#


GSLB Implementation Examples

Overview
This chapter lists the GSLB configuration steps (“Basic GSLB Configuration” on page 25) and contains
CLI commands that implement several GSLB scenarios.

These scenarios demonstrate this configuration process. Supplemental steps are added to the basic
process for more complex configurations.

• “Scenario 1: GSLB Proxy Mode” on page 27

• “Scenario 2: GSLB Server Mode” on page 30

• “Scenario 3: GSLB Controllers and Site Devices” on page 33

• Scenario 4: Main Campus Basic Configuration

• Scenario 5: GSLB Server Active/Standby Mode

• Scenario 6: GSLB Disaster Recovery Solution

Basic GSLB Configuration


The basic GSLB configuration requires these steps:

Configuring the FQDN String

1. Create an FQDN string by configuring a zone and the service that corresponds to that string.
2. If a custom policy is required, create a GSLB policy to specify a set of metrics and DNS options.
3. To implement the custom policy, apply it to the zone or individual services.
4. (Optional) Configure an action to perform on DNS queries for the FQDN:
• Forward Response – Forwards responses to local DNS server; does not forward queries to
Authoritative DNS server.
• Forward Both – Forwards queries to Authoritative DNS server; forwards responses to local DNS
server.
• Forward Query – Forwards queries to Authoritative DNS server; does not forward responses to
local DNS server.


• Drop – Drops DNS queries from local DNS server.


• Ignore – Sends an empty response.
• Reject – Rejects DNS queries from local DNS server; returns “Refused” message in replies.
5. Enable or disable the service.

Configuring the Site

6. Select a Site to configure with the FQDN.


7. If needed, apply a GSLB template to the FQDN configuration.
8. Configure the weight (bias) for the site, or use the default (1).

Configure Service-IP Parameters

9. Select a service-IP type. See “Step 1: Select a service-IP type” on page 65.
10. Configure DNS Records. See “Step 2: Configure DNS Records” on page 65.
11. Manually configure Geo-Location entries. See “Step 3: Manually Configure Geo-location Entries (If
Required)” on page 66.


Scenario 1: GSLB Proxy Mode


This scenario presents a GSLB Proxy Mode configuration as depicted in Figure 1. See “GSLB Proxy
Mode (Scenario 1)” on page 139 for the GUI implementation.

FIGURE 1 Scenario 1: GSLB Proxy Mode

Device ACOS-1: Creating a VIP for DNS Queries

These commands create and enable the VIP for GSLB client DNS queries.

vThunder(config)# hostname ACOS-1


ACOS-1(config)# slb server ACOS-11 10.10.0.53
ACOS-1(config-real server)# port 53 tcp
ACOS-1(config-real server-node port)# exit
ACOS-1(config-real server)# exit
ACOS-1(config)# slb service-group DNS-GP1 tcp
ACOS-1(config-slb svc group)# member ACOS-11 53
ACOS-1(config-slb svc group-member:53)# exit
ACOS-1(config-slb svc group)# exit
ACOS-1(config)# slb virtual-server DNS1 10.10.0.100
ACOS-1(config-slb vserver)# port 53 dns-tcp
ACOS-1(config-slb vserver-vport)# service-group DNS-GP1
ACOS-1(config-slb vserver-vport)# gslb-enable
ACOS-1(config-slb vserver-vport)# exit
ACOS-1(config-slb vserver)# exit
ACOS-1(config)#

Service IP Assignment

These commands associate two servers with GSLB labels that can be referenced by GSLB sites.


ACOS-1(config)# gslb service-ip LANE 10.10.1.58


ACOS-1(config-service-ip:LANE)# port 80 tcp
ACOS-1(config-service-ip:LANE-port:tcp)# exit
ACOS-1(config-service-ip:LANE)# port 25 tcp
ACOS-1(config-service-ip:LANE-port:tcp)# exit
ACOS-1(config-service-ip:LANE)# exit
ACOS-1(config)# gslb service-ip BENTON 10.10.2.68
ACOS-1(config-service-ip:BENTON)# port 80 tcp
ACOS-1(config-service-ip:BENTON-port:tcp)# exit
ACOS-1(config-service-ip:BENTON)# port 25 tcp
ACOS-1(config-service-ip:BENTON-port:tcp)# exit
ACOS-1(config-service-ip:BENTON)# exit

GSLB Site

These commands create two GSLB sites and bind the virtual servers to the sites. (See “Configuring Sites”
on page 63.)

ACOS-1(config)# gslb site EUGENE


ACOS-1(config-gslb site:EUGENE)# ip-server LANE
ACOS-1(config-gslb site:EUGENE)# exit
ACOS-1(config)# gslb site CORVALLIS
ACOS-1(config-gslb site:CORVALLIS)# ip-server BENTON
ACOS-1(config-gslb site:CORVALLIS)# exit

GSLB Policy

These commands create a GSLB policy that, when applied, places the device in proxy mode for the
specified zone. (See “Configuring Policies” on page 66.) By default, policies place a zone in proxy mode.

ACOS-1(config)# gslb policy HELIUM


ACOS-1(config-policy:HELIUM)# exit

GSLB Zone

These commands create a GSLB zone and implement two services within the zone. DNS address
records are included for each zone. (See “Creating an FQDN String (Zones and Services)” on page 63.)

ACOS-1(config)# gslb zone a10-brown.com


ACOS-1(config-zone:a10-brown.com)# policy HELIUM
ACOS-1(config-zone:a10-brown.com)# service 80 www
ACOS-1(config-zone:a10-brown.com-service:www)# dns-a-record LANE static
ACOS-1(config-zone:a10-brown.com-service:www)# dns-a-record BENTON static
ACOS-1(config-zone:a10-brown.com-service:www)# exit
ACOS-1(config-zone:a10-brown.com)# service 25 mail
ACOS-1(config-zone:a10-brown.com-service:m...)# dns-a-record LANE static
ACOS-1(config-zone:a10-brown.com-service:m...)# dns-a-record BENTON static
ACOS-1(config-zone:a10-brown.com-service:m...)# exit
ACOS-1(config-zone:a10-brown.com)# exit


ACOS-1(config)#

Displaying the Configuration


ACOS-1(config)# show run | sec slb
slb server ACOS-11 10.10.0.53
port 53 tcp
slb service-group DNS-GP1 tcp
member ACOS-11 53
slb virtual-server DNS1 10.10.0.100
port 53 dns-tcp
gslb-enable
service-group DNS-GP1
gslb service-ip LANE 10.10.1.58
port 80 tcp
port 25 tcp
gslb service-ip BENTON 10.10.2.68
port 80 tcp
port 25 tcp
gslb site EUGENE
ip-server LANE
gslb site CORVALLIS
ip-server BENTON
gslb policy HELIUM
gslb zone a10-brown.com
policy HELIUM
service 80 www
dns-a-record BENTON static
dns-a-record LANE static
service 25 mail
dns-a-record BENTON static
dns-a-record LANE static
ACOS-1(config)#
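The Scenario 1 configuration only works if every name reference lines up: sites point at service IPs, the zone points at a policy, and each DNS A record points at a service IP. The following added example (not A10 code) parses the flat `show run | sec slb` output shown above and reports dangling references. The port-match and site-binding checks are consistency checks chosen here, not documented ACOS rules, and the SALEM record in the failing variant is constructed.

```python
import re
from collections import defaultdict

# Scenario 1 "show run | sec slb" output as printed on this page (flat, no indentation).
SAMPLE = """\
ACOS-1(config)# show run | sec slb
slb server ACOS-11 10.10.0.53
port 53 tcp
slb service-group DNS-GP1 tcp
member ACOS-11 53
slb virtual-server DNS1 10.10.0.100
port 53 dns-tcp
gslb-enable
service-group DNS-GP1
gslb service-ip LANE 10.10.1.58
port 80 tcp
port 25 tcp
gslb service-ip BENTON 10.10.2.68
port 80 tcp
port 25 tcp
gslb site EUGENE
ip-server LANE
gslb site CORVALLIS
ip-server BENTON
gslb policy HELIUM
gslb zone a10-brown.com
policy HELIUM
service 80 www
dns-a-record BENTON static
dns-a-record LANE static
service 25 mail
dns-a-record BENTON static
dns-a-record LANE static
"""
# Constructed failing variant: BENTON loses port 25, mail gains an undefined record.
BROKEN = SAMPLE.replace("BENTON 10.10.2.68\nport 80 tcp\nport 25 tcp\n",
                        "BENTON 10.10.2.68\nport 80 tcp\n") + "dns-a-record SALEM static\n"

TOP = re.compile(r"^(slb server|slb service-group|slb virtual-server|"
                 r"gslb service-ip|gslb site|gslb policy|gslb zone)\s+(\S+)")
PROMPT = re.compile(r"^\S+\(config[^)]*\)#")

def parse(text):
    """Group flat output into {object kind: {name: [tokenized sub-commands]}}."""
    objs, current = defaultdict(dict), None
    for line in map(str.strip, text.splitlines()):
        if not line or line == "!" or PROMPT.match(line):
            continue
        m = TOP.match(line)
        if m:   # a new top-level object starts; later lines belong to it
            current = objs[m.group(1)].setdefault(m.group(2), [])
        elif current is not None:
            current.append(line.split())
    return objs

def check(objs):
    """Return a list of human-readable findings for dangling references."""
    sips, servers = objs["gslb service-ip"], objs["slb server"]
    ports = {n: {t[1] for t in subs if t[0] == "port"} for n, subs in sips.items()}
    findings, bound = [], set()
    for site, subs in objs["gslb site"].items():
        for t in subs:
            if t[0] in ("ip-server", "vip-server"):
                bound.add(t[1])
                # ip-server may name a service-ip or an slb server (cloud example)
                if t[1] not in sips and t[1] not in servers:
                    findings.append(f"site {site}: {t[0]} {t[1]} is not defined")
    for zone, subs in objs["gslb zone"].items():
        port = svc = None
        for t in subs:
            if t[0] == "policy" and t[1] not in objs["gslb policy"]:
                findings.append(f"zone {zone}: policy {t[1]} is not defined")
            elif t[0] == "service":
                port, svc = t[1], t[2]
            elif t[0] == "dns-a-record":
                name, where = t[1], f"zone {zone} service {svc}"
                if name not in sips:
                    findings.append(f"{where}: dns-a-record {name} has no gslb service-ip")
                    continue
                if port not in ports[name]:
                    findings.append(f"{where}: service-ip {name} has no port {port}")
                if name not in bound:
                    findings.append(f"{where}: service-ip {name} is not bound to a site")
    for vs, subs in objs["slb virtual-server"].items():
        for t in subs:
            if t[0] == "service-group" and t[1] not in objs["slb service-group"]:
                findings.append(f"virtual-server {vs}: service-group {t[1]} is not defined")
    for sg, subs in objs["slb service-group"].items():
        for t in subs:
            if t[0] == "member" and t[1] not in servers:
                findings.append(f"service-group {sg}: member {t[1]} is not defined")
    return findings

def audit(text):
    return check(parse(text))
```

Calling `audit(SAMPLE)` returns an empty list for the configuration as printed; `audit(BROKEN)` returns one finding for the missing port and one for the undefined record.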


Scenario 2: GSLB Server Mode


This scenario presents a GSLB Server Mode configuration as depicted in Figure 2. See “GSLB Server
Mode Group (Scenario 2)” on page 144 for the GUI implementation.

FIGURE 2 Scenario 2: GSLB Server Mode

Device ACOS-2: Creating a VIP for DNS Queries

These commands create and enable the VIP for GSLB client DNS queries.

vThunder(config)# hostname ACOS-2


ACOS-2(config)# slb virtual-server DNS2 10.20.0.53
ACOS-2(config-slb vserver)# port 53 dns-tcp
ACOS-2(config-slb vserver-vport)# gslb-enable
ACOS-2(config-slb vserver-vport)# exit
ACOS-2(config-slb vserver)# exit

Device ACOS-2: Service IP Assignment

These commands associate two servers with GSLB labels that can be referenced by GSLB sites.

ACOS-2(config)# gslb service-ip PIERCE 10.20.1.58


ACOS-2(config-service-ip:PIERCE)# port 80 tcp
ACOS-2(config-service-ip:PIERCE-port:tcp)# exit
ACOS-2(config-service-ip:PIERCE)# port 25 tcp
ACOS-2(config-service-ip:PIERCE-port:tcp)# exit
ACOS-2(config-service-ip:PIERCE)# exit
ACOS-2(config)# gslb service-ip KING 10.20.2.68
ACOS-2(config-service-ip:KING)# port 80 tcp
ACOS-2(config-service-ip:KING-port:tcp)# exit


ACOS-2(config-service-ip:KING)# port 25 tcp


ACOS-2(config-service-ip:KING-port:tcp)# exit
ACOS-2(config-service-ip:KING)# exit

Device ACOS-2: GSLB Site

These commands create two GSLB sites and bind the virtual servers to the sites. (See “Configuring
Sites” on page 63.)

ACOS-2(config)# gslb site TACOMA


ACOS-2(config-gslb site:TACOMA)# ip-server PIERCE
ACOS-2(config-gslb site:TACOMA)# exit
ACOS-2(config)# gslb site BELLEVUE
ACOS-2(config-gslb site:BELLEVUE)# ip-server KING
ACOS-2(config-gslb site:BELLEVUE)# exit

Device ACOS-2: GSLB Policy

These commands create a GSLB policy that, when applied, places the device in server mode for the
specified zone. (See “Configuring Policies” on page 66.)

ACOS-2(config)# gslb policy BORON


ACOS-2(config-policy:BORON)# dns server
ACOS-2(config-policy:BORON)# dns server authoritative
ACOS-2(config-policy:BORON)# exit

Device ACOS-2: GSLB Zone

These commands create a GSLB zone and implement two services within the zone. DNS address
records are included for each zone (See “Creating an FQDN String (Zones and Services)” on page 63.).

ACOS-2(config)# gslb zone a10-blue.com


ACOS-2(config-zone:a10-blue.com)# policy BORON
ACOS-2(config-zone:a10-blue.com)# service 80 www
ACOS-2(config-zone:a10-blue.com-service:www)# dns-a-record PIERCE static
ACOS-2(config-zone:a10-blue.com-service:www)# dns-a-record KING static
ACOS-2(config-zone:a10-blue.com-service:www)# exit
ACOS-2(config-zone:a10-blue.com)# service 25 mail
ACOS-2(config-zone:a10-blue.com-service:mail)# dns-a-record PIERCE static
ACOS-2(config-zone:a10-blue.com-service:mail)# dns-a-record KING static
ACOS-2(config-zone:a10-blue.com-service:mail)# exit
ACOS-2(config-zone:a10-blue.com)# exit

Device ACOS-2: Displaying the Configuration


ACOS-2(config)# show run | sec slb
slb virtual-server DNS2 10.20.0.53
port 53 dns-tcp
gslb-enable


gslb service-ip PIERCE 10.20.1.58


port 80 tcp
port 25 tcp
gslb service-ip KING 10.20.2.68
port 80 tcp
port 25 tcp
gslb site TACOMA
ip-server PIERCE
gslb site BELLEVUE
ip-server KING
gslb policy BORON
dns server authoritative
gslb zone a10-blue.com
policy BORON
service 80 www
dns-a-record KING static
dns-a-record PIERCE static
service 25 mail
dns-a-record KING static
dns-a-record PIERCE static
ACOS-2(config)#


Scenario 3: GSLB Controllers and Site Devices


This scenario presents a GSLB Server Mode configuration that includes one A10 device configured as a
GSLB controller and two A10 devices configured as GSLB site devices, as depicted in Figure 3.

See “GSLB Controllers and Devices (Scenario 3)” on page 148 for the GUI implementation.

FIGURE 3 Scenario 3: GSLB Server Mode – Controller and Devices

Device ACOS-3: Creating a VIP for DNS Queries

These commands create and enable the VIP for GSLB client DNS queries.

vThunder(config)# hostname ACOS-3


ACOS-3(config)# slb virtual-server DNS3 10.30.0.53
ACOS-3(config-slb vserver)# port 53 dns-tcp
ACOS-3(config-slb vserver-vport)# gslb-enable
ACOS-3(config-slb vserver-vport)# exit
ACOS-3(config-slb vserver)# exit

Device ACOS-3: Service IP Assignment

This code configures the service IP addresses.

ACOS-3(config)# gslb service-ip PIMA 10.30.0.131


ACOS-3(config-service-ip:PIMA)# port 80 tcp


ACOS-3(config-service-ip:PIMA-port:tcp)# exit
ACOS-3(config-service-ip:PIMA)# port 25 tcp
ACOS-3(config-service-ip:PIMA-port:tcp)# exit
ACOS-3(config-service-ip:PIMA)# exit
ACOS-3(config)# gslb service-ip COCONINO 10.30.0.132
ACOS-3(config-service-ip:COCONINO)# port 80 tcp
ACOS-3(config-service-ip:COCONINO-port:tcp)# exit
ACOS-3(config-service-ip:COCONINO)# port 25 tcp
ACOS-3(config-service-ip:COCONINO-port:tcp)# exit
ACOS-3(config-service-ip:COCONINO)# exit

Device ACOS-3: GSLB Site

For each site SLB device, enter the IP address of the ACOS device that provides SLB at the site. For the
VIP server names, enter the service IP name as previously configured.

ACOS-3(config)# gslb site TUCSON


ACOS-3(config-gslb site:TUCSON)# slb-dev ACOS-31 10.30.0.131
ACOS-3(config-gslb site:TUCSON-slb dev:ACOS...)# vip-server PIMA
ACOS-3(config-gslb site:TUCSON-slb dev:ACOS...)# exit
ACOS-3(config-gslb site:TUCSON)# exit
ACOS-3(config)# gslb site FLAGSTAFF
ACOS-3(config-gslb site:FLAGSTAFF)# slb-dev ACOS-32 10.30.0.132
ACOS-3(config-gslb site:FLAGSTAFF-slb dev:A...)# vip-server COCONINO
ACOS-3(config-gslb site:FLAGSTAFF-slb dev:A...)# exit
ACOS-3(config-gslb site:FLAGSTAFF)# exit

Device ACOS-3: GSLB Policy

These commands create a GSLB policy that, when applied, places the device in server mode for the
specified zone.

ACOS-3(config)# gslb policy SODIUM


ACOS-3(config-policy:SODIUM)# dns server
ACOS-3(config-policy:SODIUM)# dns server authoritative
ACOS-3(config-policy:SODIUM)# exit

Device ACOS-3: GSLB Zone

These commands create a GSLB zone and implement two services within the zone. DNS address
records are included for each zone (See “Creating an FQDN String (Zones and Services)” on page 63.).

ACOS-3(config)# gslb zone a10-black.com


ACOS-3(config-zone:a10-black.com)# policy SODIUM
ACOS-3(config-zone:a10-black.com)# service 80 www
ACOS-3(config-zone:a10-black.com-service:www)# dns-a-record PIMA static
ACOS-3(config-zone:a10-black.com-service:www)# dns-a-record COCONINO static
ACOS-3(config-zone:a10-black.com-service:www)# exit
ACOS-3(config-zone:a10-black.com)# service 25 mail


ACOS-3(config-zone:a10-black.com-service:mail)# dns-a-record PIMA static


ACOS-3(config-zone:a10-black.com-service:mail)# dns-a-record COCONINO static
ACOS-3(config-zone:a10-black.com-service:mail)# exit
ACOS-3(config-zone:a10-black.com)# exit

Enabling GSLB Protocol on ACOS-3 as a Controller


ACOS-3(config)# gslb protocol enable controller

Device ACOS-31 and ACOS-32: Configuring the GSLB Devices

These commands create and enable the VIP for GSLB client DNS queries on ACOS-31.

vThunder(config)# hostname ACOS-31


ACOS-31(config)# slb server SERVER-PIMA 10.30.1.58
ACOS-31(config-real server)# port 80 tcp
ACOS-31(config-real server-node port)# exit
ACOS-31(config-real server)# port 25 tcp
ACOS-31(config-real server-node port)# exit
ACOS-31(config-real server)# exit
ACOS-31(config)# slb service-group SG-PIMA-WWW tcp
ACOS-31(config-slb svc group)# member SERVER-PIMA 80
ACOS-31(config-slb svc group-member:80)# exit
ACOS-31(config-slb svc group)# exit
ACOS-31(config)# slb service-group SG-PIMA-MAIL tcp
ACOS-31(config-slb svc group)# member SERVER-PIMA 25
ACOS-31(config-slb svc group-member:25)# exit
ACOS-31(config-slb svc group)# exit
ACOS-31(config)# slb virtual-server VIP-31 10.30.0.131
ACOS-31(config-slb vserver)# port 80 tcp
ACOS-31(config-slb vserver-vport)# service-group SG-PIMA-WWW
ACOS-31(config-slb vserver-vport)# exit
ACOS-31(config-slb vserver)# port 25 tcp
ACOS-31(config-slb vserver-vport)# service-group SG-PIMA-MAIL
ACOS-31(config-slb vserver-vport)# exit
ACOS-31(config-slb vserver)# exit

Enabling GSLB Protocol on ACOS-31 as a Device

ACOS-31(config)# gslb protocol enable device

These commands create and enable the VIP for GSLB client DNS queries on ACOS-32.

vThunder(config)# hostname ACOS-32


ACOS-32(config)# slb server SERVER-COCONINO 10.30.2.68
ACOS-32(config-real server)# port 80 tcp
ACOS-32(config-real server-node port)# exit
ACOS-32(config-real server)# port 25 tcp
ACOS-32(config-real server-node port)# exit


ACOS-32(config-real server)# exit


ACOS-32(config)# slb service-group SG-COCONINO-WWW tcp
ACOS-32(config-slb svc group)# member SERVER-COCONINO 80
ACOS-32(config-slb svc group-member:80)# exit
ACOS-32(config-slb svc group)# exit
ACOS-32(config)# slb service-group SG-COCONINO-MAIL tcp
ACOS-32(config-slb svc group)# member SERVER-COCONINO 25
ACOS-32(config-slb svc group-member:25)# exit
ACOS-32(config-slb svc group)# exit
ACOS-32(config)# slb virtual-server VIP-32 10.30.0.132
ACOS-32(config-slb vserver)# port 80 tcp
ACOS-32(config-slb vserver-vport)# service-group SG-COCONINO-WWW
ACOS-32(config-slb vserver-vport)# exit
ACOS-32(config-slb vserver)# port 25 tcp
ACOS-32(config-slb vserver-vport)# service-group SG-COCONINO-MAIL
ACOS-32(config-slb vserver-vport)# exit
ACOS-32(config-slb vserver)# exit

Enabling GSLB Protocol on ACOS-32 as a Device

ACOS-32(config)# gslb protocol enable device

Scenario 4: Main Campus Basic Configuration


This scenario specifies a sample campus network. Different zones and partitions can be set up for each
campus area: South Campus, North Campus, and so on.

The shared partition can be configured with:

• Management IP

• Interfaces and Trunks (Link Aggregation)

• aVCS

• VRRP-A and VRRP-A hello interfaces / VLANs

• GSLB protocol

The perimeter network, or screened subnetwork (DMZ), setup can include the following
configurations:

• VLAN configuration

• VLAN interface configuration

• Routing configuration (for example, default route to upstream firewall)


• Source NAT pool

• Client SSL template

• Server SSL template

• Proxy Real Servers

• Proxy Service-group

• Public Proxy VIP

• GSLB VIP

• GSLB service IPs

• GSLB group

• GSLB sites

• GSLB policy

• GSLB zone

The Internal zone includes the following configurations:

• VLAN configuration

• VLAN interface configuration

• Routing configuration (e.g. default route to upstream firewall)

• Source NAT pool

• Client SSL template

• Server SSL template

• Proxy real servers

• Proxy service-group

• Public proxy VIP

• GSLB VIP

• GSLB service IPs

• GSLB group

• GSLB sites

• GSLB policy

• GSLB zone


The South Campus can be configured with a similar setup except for the VRRP-A and aVCS
configuration. Other configuration options are user accounts, authentication options, logging, alerts,
and more.

Each ACOS device can be configured with a shared or default screened subnetwork, and an Internal
partition. This will ensure proper segmentation of DMZ and Internal traffic. The Internal partitions can
use the same physical links to the existing switch or firewall infrastructure. The physical interfaces can
be enabled in the shared partition, and then VLANs must be configured in each partition and tagged to
the physical links that have been enabled in the shared partition. Optionally, the DMZ and Internal
partitions can "own" their physical interfaces. For example, this means that if the DMZ partition has
tagged VLANs on Ethernet 1, the Internal partition cannot also tag on Ethernet 1. If this physical port
ownership is desired, the interfaces must be enabled from within the desired partition instead of from
the shared partition.

Example of enabling interfaces in the shared partitions and tagging VLANs in sub-network and Internal
partitions:

ACOS-Active-vMaster# config
ACOS-Active-vMaster(config:1)#int eth 6
ACOS-Active-vMaster(config:1-if:ethernet:6)#enable
This operation applied to device 1
ACOS-Active-vMaster(config:1-if:ethernet:6)#exit
ACOS-Active-vMaster(config:1)#act adfs-internal
Current active partition: adfs-internal
ACOS-Active-vMaster[adfs-internal-gslb:Master](config:1)#vlan 590
ACOS-Active-vMaster[adfs-internal-gslb:Master](config:1-vlan:590)#tagged ethernet 6
This operation applied to device 1
ACOS-Active-vMaster[adfs-internal-gslb:Master](config:1-vlan:590)#exit
ACOS-Active-vMaster[adfs-internal-gslb:Master](config:1)#act adfs-dmz
Current active partition: adfs-dmz
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1)#vlan 490
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1-vlan:490)#tagged ethernet 6
This operation applied to device 1


Example of DMZ partition owning Ethernet 6. Internal partition cannot use it now:

ACOS-Active-vMaster# config
ACOS-Active-vMaster(config:1)#act adfs-dmz
Current active partition: adfs-dmz
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1)#int eth 6
This operation applied to device 1
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1-if:ethernet:6)#enable
This operation applied to device 1
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1-if:ethernet:6)#vlan 490
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1-vlan:490)#tagged ethernet 6
This operation applied to device 1
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1-vlan:490)#exit
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1)#act adfs-internal
Current active partition: adfs-internal
ACOS-Active-vMaster[adfs-internal-gslb:Master](config:1)#vlan 590
ACOS-Active-vMaster[adfs-internal-gslb:Master](config:1-vlan:590)#tagged ethernet 6
Interface is owned by another partition.

Scenario 5: GSLB Server Active/Standby Mode


This section provides configuration details for an ACOS device with VRRP set up for both Active and
Standby Mode. In this example, in the screened subnetwork, the shared partition uses the
administrator IP to always prefer the configured site. The internal partition uses static
geo-locations mapped to internal user subnets.

Use the 'admin-preference' command to always prefer one site over another, or use 'admin-ip' to ensure
that any record associated with a service at the preferred site is always selected.

This scenario presents a GSLB Server Active/Standby Mode configuration that includes one A10 device
configured as a GSLB controller and A10 devices configured as GSLB site devices, as depicted in
Figure 3. The configuration requires these steps:

• SLB Setup

• GSLB Setup

• Functionality of Setup

SLB Setup
The SLB configuration setup is as follows:


Configuring Open DNS Virtual Appliance and VRRP on vMaster


1. The client is configured to use an Open DNS Virtual Appliance as primary and secondary DNS server.
a. For an ABC client, primary is at ABC and secondary is at DEF.
b. For a DEF client, primary is at DEF and secondary is at ABC.
2. The client queries where “https://adfs.FPA.org” is.
3. On the internal Open-DNS (10.125.15.121 or 10.125.15.122 or 10.100.2.121 or 10.100.2.122),
“FPA.org” matches the Open-DNS internal DNS forward policy.
!
vrrp-a common
device-id 1
set-id 10
enable
!
device-context 1
vcs enable
!
device-context 2
vcs enable
!
vcs floating-ip 10.202.1.100 255.255.255.0
!
vcs device 1
priority 200
interfaces management
enable
!
vcs device 2
priority 180
interfaces management
enable
!

4. Set up the access list and the login warning banner.


access-list 5 permit any log
!
banner login Warning: Access to this equipment is restricted. Unauthorized use is prohibited. All connections are monitored.
!
authentication type local radius
!
monitor buffer-usage 711760
!
!
!


no terminal auto-size
terminal length 0
!

5. Set up DNS for the Virtual IP address. Configure the Internal OpenDNS (10.125.15.121 or
10.125.15.122 or 10.100.2.121 or 10.100.2.122) for adfs.FPA.org. Client queries will be sent to
these addresses.
ip dns primary 10.125.15.121
!
ip dns secondary 10.100.2.122
!
ip dns suffix FPA.org
!
vlan 1/580
tagged ethernet 1
router-interface ve 580
!
vlan 2/580
tagged ethernet 1
router-interface ve 580
!

6. Set up the DMZ partition for the internal sub-network and implement LLDP on the ACOS device.
partition dmz id 10 application-type adc
!
partition inside id 20 application-type adc
!
lldp system-name CCC-MDF-3030S-01
lldp system-description CCC-MDF-3030S-01
lldp enable rx tx
lldp notification interval 30
!
device-context 1
hostname CCC-MDF-3030S-01
!
device-context 2
hostname IST-MDF-3030S-01
!

7. Configure all interfaces.


device-context 1
interface management
access-list 5 in
ip address 10.202.1.101 255.255.255.0
ip control-apps-use-mgmt-port
ip default-gateway 10.202.1.1
lldp enable rx tx
lldp notification enable


!
device-context 2
interface management
access-list 5 in
ip address 10.202.1.102 255.255.255.0
ip control-apps-use-mgmt-port
ip default-gateway 10.202.1.1
!
interface ethernet 1/1
enable
!
interface ethernet 1/2
!
interface ethernet 1/3
!
interface ethernet 1/4
!
interface ethernet 1/5
!
interface ethernet 1/6
!
interface ethernet 1/7
!
interface ethernet 1/8
!
interface ethernet 1/9
enable
lldp enable rx tx
lldp notification enable
!
interface ethernet 1/10
!
interface ethernet 1/11
enable
lldp enable rx tx
lldp notification enable
!
interface ethernet 1/12
!
interface ethernet 2/1
enable
!
interface ethernet 2/2
!
interface ethernet 2/3
!
interface ethernet 2/4


!
interface ethernet 2/5
!
interface ethernet 2/6
!
interface ethernet 2/7
!
interface ethernet 2/8
!
interface ethernet 2/9
!
interface ethernet 2/10
!
interface ethernet 2/11
!
interface ethernet 2/12
!
interface ve 1/580
ip address 10.0.0.1 255.255.255.252
!
interface ve 2/580
ip address 10.0.0.2 255.255.255.252
!
vrrp-a vrid 0
device-context 1
blade-parameters
priority 200
device-context 2
blade-parameters
priority 180
!
ip nat alg pptp enable
!
vrrp-a interface ethernet 1/1
vlan 580
!
vrrp-a interface ethernet 2/1
vlan 580
!
logging monitor information
!
logging console information
!
!


Configuring GSLB Controller


To set up the GSLB network, the GSLB controller and devices must be configured:

1. Configure GSLB and SNMP parameters.


!
gslb protocol enable controller
!
gslb protocol enable device
!
snmp-server enable service
!
snmp-server location "4700 Research Way, Lakeland, FL 33805"
!
snmp-server view view 1.2.3 included
!
snmp-server group group v3 auth read view
!
!
end

2. View the current configuration committed to partition 0 in classical-mode configuration, using the
show running configuration command:
!Current configuration: 1650 bytes
!Configuration last updated at 13:58:18 EDT Wed Apr 18 2018
!Configuration last saved at 10:25:02 EDT Wed Apr 18 2018
!
active-partition dmz
!
!
access-list 99 permit any log
!
vlan 1/91
tagged ethernet 9
router-interface ve 91
name dmz
!
vlan 2/91
tagged ethernet 9
router-interface ve 91
name dmz
!
interface ethernet 1/9
enable
!
interface ethernet 2/9

name dmz
enable
!
interface ve 1/91
access-list 99 in
ip address 10.200.240.198 255.255.255.0
!
interface ve 2/91
access-list 99 in
ip address 10.200.240.199 255.255.255.0
!
vrrp-a vrid 0
floating-ip 10.200.240.200
device-context 1
blade-parameters
priority 200
tracking-options
interface ethernet 9 priority-cost 40
gateway 10.200.240.254 priority-cost 40
device-context 2
blade-parameters
priority 180
tracking-options
interface ethernet 9 priority-cost 40
gateway 10.200.240.254 priority-cost 40
!

3. Configure the NAT IP pool.


ip nat pool SNAT-POOL-DMZ 10.200.240.50 10.200.240.55 netmask /24 gateway 10.200.240.254 ip-rr
!

4. Set up the default IP route for each device or virtual instance.


device-context 1
ip route 0.0.0.0 /0 10.200.240.254 1 description "default route"
!
device-context 2
ip route 0.0.0.0 /0 10.200.240.254 1 description "default route"
!

5. Set up health monitoring and the SLB server, service group, and client configurations.
health monitor TCP-80
method tcp port 80
!
health monitor TCP-443
method tcp port 443
!
health monitor gatewayhm1

up-retry 3
interval 2 timeout 1
!
slb template cipher TEMPLATE-CIPHER
SSL3_RSA_DES_192_CBC3_SHA
TLS1_RSA_AES_128_SHA priority 50
TLS1_ECDHE_RSA_AES_128_SHA priority 80
TLS1_ECDHE_RSA_AES_256_SHA priority 80
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_DHE_RSA_AES_128_SHA256 priority 70
TLS1_DHE_RSA_AES_256_SHA256 priority 70
!
slb template server-ssl SERVER-SSL-ADFS.FPA.ORG-2020
close-notify
version 33 33
use-client-sni
template cipher TEMPLATE-CIPHER
!
slb server CCC-TESTA10-01 10.200.240.31
port 80 tcp
!
slb server CCC-TESTA10-02 10.200.240.32
port 80 tcp
!
slb server FPC-ADFSPROXY01 10.200.240.10
port 443 tcp
!
slb server gateway1 10.200.240.254
health-check gatewayhm1
!
slb service-group CCC-ADFSPROXY tcp
member FPC-ADFSPROXY01 443
!
slb service-group dmz_test tcp
member CCC-TESTA10-01 80
member CCC-TESTA10-02 80
!
slb template client-ssl CLIENT-SSL-ADFS.FPA.ORG-2020
chain-cert incommon-intermediate-2024
cert adfs.FPA.org-2020
key adfs.FPA.org-2020
template cipher TEMPLATE-CIPHER
disable-sslv3
version 33 33
!
slb template persist cookie TEMPLATE-PERSIST-COOKIE

expire 86400
!
slb template http TEMPLATE-HTTP-X-FORWARDED-FOR
insert-client-ip X-Forwarded-For replace
!
slb template http TEMPLATE-HTTP-X-MS-FORWARDED-CLIENT-IP
insert-client-ip X-MS-Forwarded-Client-IP
!
slb virtual-server VS-10.200.240.150-53 10.200.240.150
description name "External GSLB"
port 53 udp
gslb-enable
!

6. Set up the SLB virtual server.


slb virtual-server VS-10.200.240.201-443 10.200.240.201
description "ADFS"
port 80 http
source-nat pool SNAT-POOL-DMZ
service-group CCC-ADFSPROXY
redirect-to-https
port 443 https
aflex aFlex-logging_clients
source-nat pool SNAT-POOL-DMZ
service-group CCC-ADFSPROXY
template persist cookie TEMPLATE-PERSIST-COOKIE
template http TEMPLATE-HTTP-X-MS-FORWARDED-CLIENT-IP
template server-ssl SERVER-SSL-ADFS.FPA.ORG-2020
template client-ssl CLIENT-SSL-ADFS.FPA.ORG-2020
!

7. Set up the GSLB virtual server and service group as follows:


gslb service-ip VS-10.200.240.201-443 10.200.240.201
external-ip 71.40.176.174
port 443 tcp
!
gslb service-ip VS-10.100.99.201-443 10.100.99.201
external-ip 71.40.181.225
port 443 tcp
!
gslb group default
enable
primary 10.200.240.200
priority 200
!

8. Associate the main zones or DMZs, DEF and ABC, with the GSLB group.
gslb site DEF

slb-dev DEF-10.100.99.198-DMZ 10.100.99.198
vip-server VS-10.100.99.201-443
!
gslb site ABC
slb-dev ABC-10.200.240.200-DMZ 10.200.240.200
vip-server VS-10.200.240.201-443
!
gslb site DR
!
gslb policy GSLB-POLICY-ADFS-EXTERNAL
admin-ip-enable
admin-ip top-only
no round-robin
metric-order health-check admin-ip
dns selected-only
dns logging query
dns server authoritative
!

9. Define the GSLB zone gslb.FPA.org.


gslb zone gslb.FPA.org
policy GSLB-POLICY-ADFS-EXTERNAL
service 443 adfs
dns-a-record 10.100.99.201 static admin-ip 180
dns-a-record 10.200.240.201 static admin-ip 200
!
end

Configuring VRRP Interface on vBlade


The current configuration commit point for partition 1 is in classical-mode configuration.

1. Configure the management interface and VRRP interfaces on ACOS vBlade.


!Current configuration: 1664 bytes
!Configuration last updated at 13:58:18 EDT Wed Apr 18 2018
!Configuration last saved at 10:25:02 EDT Wed Apr 18 2018
!
active-partition inside
!
!
access-list 10 permit any log
!
no terminal auto-size
terminal width 0
!
vlan 1/514
tagged ethernet 11
router-interface ve 514
name inside
!
vlan 2/514
tagged ethernet 11
router-interface ve 514
!
interface ethernet 1/11
enable
!
interface ethernet 2/11
enable
!
interface ve 1/514
access-list 10 in
ip address 10.125.14.198 255.255.255.0
!
interface ve 2/514
name inside
access-list 10 in
ip address 10.125.14.199 255.255.255.0
!

2. Define VRRP interfaces for partition 1.


vrrp-a vrid 0
floating-ip 10.125.14.200
device-context 1
blade-parameters

priority 200
tracking-options
interface ethernet 11 priority-cost 40
gateway 10.125.14.254 priority-cost 40
device-context 2
blade-parameters
priority 180
tracking-options
interface ethernet 11 priority-cost 40
gateway 10.125.14.254 priority-cost 40
!
ip nat pool SNAT-POOL-INSIDE 10.125.14.50 10.125.14.55 netmask /24 gateway 10.125.14.254 ip-rr
!
device-context 1
ip route 0.0.0.0 /0 10.125.14.254 1 description "default route"
!
device-context 2
ip route 0.0.0.0 /0 10.125.14.254 1 description "default route"
!
health monitor TCP-443
method tcp port 443
!
health monitor gatewayhm1
up-retry 3
interval 2 timeout 1
!
slb template cipher TEMPLATE-CIPHER
SSL3_RSA_DES_192_CBC3_SHA
TLS1_RSA_AES_128_SHA priority 50
TLS1_ECDHE_RSA_AES_128_SHA priority 80
TLS1_ECDHE_RSA_AES_256_SHA priority 80
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_DHE_RSA_AES_128_SHA256 priority 70
TLS1_DHE_RSA_AES_256_SHA256 priority 70
!
slb template server-ssl SERVER-SSL-ADFS.FPA.ORG-2020
close-notify
version 33 33
use-client-sni
template cipher TEMPLATE-CIPHER
!
slb server CCC-ADFS01 10.125.15.9
port 443 tcp
!
slb server gateway1 10.125.14.254
health-check gatewayhm1

!
slb service-group CCC-ADFS tcp
member CCC-ADFS01 443
!
slb template client-ssl CLIENT-SSL-ADFS.FPA.ORG-2020
chain-cert incommon-intermediate-2024
cert adfs.FPA.org-2020
key adfs.FPA.org-2020
template cipher TEMPLATE-CIPHER
disable-sslv3
version 33 33
!
slb template persist cookie TEMPLATE-PERSIST-COOKIE
expire 86400
!
slb template http TEMPLATE-HTTP-X-FORWARDED-FOR
insert-client-ip X-Forwarded-For replace
!
slb template http TEMPLATE-HTTP-X-MS-FORWARDED-CLIENT-IP
insert-client-ip X-MS-Forwarded-Client-IP
!
slb virtual-server VS-10.125.14.175-53 10.125.14.175
description "Internal GSLB"
port 53 udp
gslb-enable
!
slb virtual-server VS-10.125.14.224 10.125.14.224
description "ADFS Layer 4 helper"
port 80 http
source-nat pool SNAT-POOL-INSIDE
service-group CCC-ADFS
redirect-to-https
port 443 tcp
source-nat pool SNAT-POOL-INSIDE
service-group CCC-ADFS
!
slb virtual-server VS-10.125.14.225 10.125.14.225
description "ADFS"
port 80 http
source-nat pool SNAT-POOL-INSIDE
service-group CCC-ADFS
redirect-to-https
port 443 https
aflex aFlex-logging_clients
source-nat pool SNAT-POOL-INSIDE
service-group CCC-ADFS
template persist cookie TEMPLATE-PERSIST-COOKIE

template http TEMPLATE-HTTP-X-MS-FORWARDED-CLIENT-IP
template server-ssl SERVER-SSL-ADFS.FPA.ORG-2020
template client-ssl CLIENT-SSL-ADFS.FPA.ORG-2020
!
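
The TEMPLATE-CIPHER list bound to the client-ssl and server-ssl templates in both partition listings includes a 3DES suite and several static-RSA suites. The following added example (not A10 code and not part of the original guide) parses the flat, "!"-terminated listing and tags each suite from what its name encodes; the severity ranking and the function names are this example's own assumptions.

```python
import re

# Constructed sample: the TLS-related template blocks copied from the listing above.
SAMPLE_CONFIG = """\
slb template cipher TEMPLATE-CIPHER
SSL3_RSA_DES_192_CBC3_SHA
TLS1_RSA_AES_128_SHA priority 50
TLS1_ECDHE_RSA_AES_128_SHA priority 80
TLS1_ECDHE_RSA_AES_256_SHA priority 80
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_DHE_RSA_AES_128_SHA256 priority 70
TLS1_DHE_RSA_AES_256_SHA256 priority 70
!
slb template server-ssl SERVER-SSL-ADFS.FPA.ORG-2020
close-notify
version 33 33
use-client-sni
template cipher TEMPLATE-CIPHER
!
slb template client-ssl CLIENT-SSL-ADFS.FPA.ORG-2020
chain-cert incommon-intermediate-2024
cert adfs.FPA.org-2020
key adfs.FPA.org-2020
template cipher TEMPLATE-CIPHER
disable-sslv3
version 33 33
!
"""

HEADER = re.compile(r"^slb template (cipher|client-ssl|server-ssl) (\S+)$")

# Triage ranking chosen for this example (an assumption, not vendor guidance).
SEVERITY = {"3des": "high", "no-forward-secrecy": "medium",
            "cbc": "low", "sha1-mac": "low"}
RANK = {"high": 0, "medium": 1, "low": 2, "ok": 3}


def parse_templates(text):
    """Return {(kind, name): [body lines]} for '!'-terminated template blocks."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # stray blank lines do not end a block
        match = HEADER.match(line)
        if match:
            current = (match.group(1), match.group(2))
            blocks[current] = []
        elif line == "!":
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def classify_suite(suite):
    """Tag one suite using only what its name encodes."""
    parts = suite.split("_")
    tags = set()
    if "DES" in parts:                    # ..._DES_192_CBC3_...: 3DES, 64-bit blocks
        tags.add("3des")
    if not {"ECDHE", "DHE"} & set(parts):  # RSA key transport, no ephemeral exchange
        tags.add("no-forward-secrecy")
    if "GCM" not in parts:                # the non-GCM suites in this listing are CBC
        tags.add("cbc")
    if parts[-1] == "SHA":                # HMAC-SHA1 record MAC
        tags.add("sha1-mac")
    return tags


def audit(text):
    """Return findings, worst first: (severity, cipher template, suite, tags, used_by)."""
    blocks = parse_templates(text)
    used_by = {}
    for (kind, name), body in blocks.items():
        if kind == "cipher":
            continue
        for line in body:
            if line.startswith("template cipher "):
                used_by.setdefault(line.split()[2], []).append(f"{kind}:{name}")
    findings = []
    for (kind, name), body in blocks.items():
        if kind != "cipher":
            continue
        for line in body:
            suite = line.split()[0]
            tags = classify_suite(suite)
            severity = min((SEVERITY[t] for t in tags), key=RANK.get, default="ok")
            findings.append((severity, name, suite, sorted(tags),
                             sorted(used_by.get(name, []))))
    findings.sort(key=lambda f: (RANK[f[0]], f[2]))
    return findings


if __name__ == "__main__":
    for severity, template, suite, tags, bound in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {template} {suite} {','.join(tags)} <- {', '.join(bound)}")
```

On this listing the only GCM suites use static RSA key exchange and every ECDHE suite is CBC with SHA-1, so no entry comes back untagged.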

GSLB Setup
The GSLB configuration for ADFS, with an active site called ABC and a standby site called DEF, is as
follows.

1. Configure the service IP addresses for GSLB server IP address 71.40.176.174:


!
gslb service-ip VS-10.200.240.201-443 10.200.240.201
external-ip 71.40.176.174
port 443 tcp

2. Configure the virtual service IP addresses for GSLB server IP address 71.40.181.225:
!
gslb service-ip VS-10.100.99.201-443 10.100.99.201
external-ip 71.40.181.225
port 443 tcp

3. Configure the default IP addresses for GSLB group with primary service address 10.200.240.200:
!
gslb group default
enable
primary 10.200.240.200
priority 200

4. Set up GSLB for the DEF site. Set active/standby mode on DEF by setting the admin-preference
priority:
!
gslb site DEF
admin-preference 180
slb-dev DEF-10.100.99.198-DMZ 10.100.99.198
vip-server VS-10.100.99.201-443

5. Set up GSLB for the ABC site. ABC now has the higher admin-preference priority:
!
gslb site ABC
admin-preference 200
slb-dev ABC-10.200.240.200-DMZ 10.200.240.200
vip-server VS-10.200.240.201-443

6. Set up the disaster recovery site:


!
gslb site DR
!
gslb policy GSLB-POLICY-ADFS-EXTERNAL
admin-ip-enable
admin-ip top-only
no round-robin
metric-order health-check admin-preference
dns selected-only
dns logging query
dns server authoritative
!

7. Configure the GSLB zone for gslb.FPA.org.


gslb zone gslb.FPA.org
policy GSLB-POLICY-ADFS-EXTERNAL
service 443 adfs
dns-a-record 10.100.99.201 static
dns-a-record 10.200.240.201 static
!

Functionality of Setup

Internal Client Access to adfs.FPA.org


Once internal client access to adfs.FPA.org is created, it works as follows:

1. The client is configured to use an OpenDNS Virtual Appliance as its primary and secondary DNS server.
a. If the client is at ABC, the primary is at ABC and the secondary is at DEF.
b. If the client is at DEF, the primary is at DEF and the secondary is at ABC.
2. Configure the Internal OpenDNS (10.125.15.121 or 10.125.15.122 or 10.100.2.121 or
10.100.2.122) for adfs.FPA.org. Client queries will be sent to these addresses.
3. This matches the OpenDNS internal DNS forward policy. Set the Internal ADC DNS to
(10.120.1.203 or 10.100.2.100).
4. The ADC DNS points to adfs.gslb.FPA.org.
a. In the FPA.org forward zone, there are A records for GSLBNS1 and GSLBNS2.
b. GSLB NS1 and GSLB NS2 are the GSLB-enabled VIPs at each site: ABC: GSLB NS1
(10.125.15.150) and DEF: GSLB NS2 (10.100.2.150).
c. Internal AD DNS assigns gslb.FPA.org to NS records GSLB NS1 and GSLB NS2.

5. AD DNS sends the client queries to these addresses: GSLBNS1 or GSLBNS2.
a. Geo-locations for ABC and DEF are defined in the GSLB policy.
• The virtual IP address is returned from the corresponding zone.
b. The DNS query chain uses pseudo round-robin NS server selection.
• The original forwarded query from the OpenDNS Virtual Appliance devices is sent to the Internal
ADC DNS Server at ABC or DEF.
• The recursive query from the Internal AD DNS Server at either campus could be sent to
GSLBNS1 or GSLBNS2.
• Thus, the recursive query arriving at either GSLBNS1 or GSLBNS2 could be from either ABC
or DEF; as a result, the AD FS VIP returned to the client could be for ABC or DEF.
6. AD DNS forwards the response to the OpenDNS Virtual Appliance.
7. The OpenDNS VA forwards the response to the client. Depending on the response from the AD DNS
server, the client establishes an HTTPS connection to the ABC or DEF Internal AD FS VIP.
8. The AD FS VIP source NAT establishes a separate HTTPS connection to the back-end AD FS
server. The original client source IP is included in the HTTP header.
9. The AD FS server replies through the VIP source NAT, and the VIP forwards the reply to the client.
The internal client receives the response.

External Client Access to adfs.FPA.org


1. The client is configured to use a public DNS server. The client queries a public DNS, such as Google
Public DNS (8.8.8.8 or 8.8.4.4).
2. The public DNS finds the name server for FPA.org, for example, GoDaddy Public DNS.
3. The public DNS is now connected to the following:
a. CNAME record pointing adfs.FPA.org to adfs.gslb.FPA.org
b. A record for GSLBNS1.FPA.org at 192.168.1.15
c. A record for GSLBNS2.FPA.org at 192.167.1.15
d. NS record for gslb.FPA.org delegating to gslbns1.FPA.org
e. NS record for gslb.FPA.org delegating to gslbns2.FPA.org
4. The public DNS sends the following queries for the configured DNS:
a. A recursive query is sent to GSLBNS1 (DMZ GSLB-enabled VIP at ABC) or GSLBNS2 (DMZ
GSLB-enabled VIP at DEF).
b. The DMZ firewall has NAT configuration for the GSLB-enabled IPv6 VIPs:
192.168.1.15:24::10.200.99.150:53 and 192.167.1.15:24::10.100.99.150:53

c. The GSLB policy always returns the ACOS firewall service proxy VIP external IP for ABC unless it is
down:
• The ABC ACOS firewall service proxy VIP is 10.200.240.201 with external IP 71.40.176.174
• The DEF AD FS Proxy VIP is 10.100.99.201 with external IP 71.40.181.225
5. GoDaddy forwards the response to the client.
6. The client establishes an HTTPS connection to the ABC AD FS Proxy VIP.
a. ABC firewall NAT 192.168.1.15:443::10.200.99.150:443
b. DEF firewall NAT 192.167.1.15:443::10.100.99.150:443
7. The ABC AD FS Proxy VIP source NAT establishes a separate HTTPS connection to the AD FS
Proxy. The original client source IP is included in the HTTP header.
8. The AD FS Proxy connects with the internal AD FS server through a Layer-4 VIP.
a. At ABC, this L4 VIP is 10.125.15.224.
b. At DEF, this L4 VIP is 10.100.2.224.
c. The AD FS Proxy at each site is configured with a host adfs.FPA.org to the local VIP.
d. The VIP does not interact with HTTP or SSL/TLS.
e. This is required since the AD FS server uses TLS client authentication to authenticate the AD FS
proxy, and the certificate keys are used frequently.

10. The VIP source NAT connects to the AD FS server. The AD FS server responds to the AD FS proxy
through the VIP source NAT. The AD FS proxy responds to the external client through the ABC AD FS
Proxy VIP source NAT. The external client receives the response.

Scenario 6: GSLB Disaster Recovery Solution


A10 Networks ACOS GSLB technology provides site disaster recovery and failure protection. The GSLB
controller monitors each active site in the GSLB domain to verify the health of each site. If an active site
fails the health check mechanism, the GSLB controller shifts application traffic to an alternate site
dynamically.

The fail-over is a transparent process to users connecting to a FQDN serviced by the A10 GSLB
controllers. The GSLB site fail-over process can also be accomplished manually in case of scheduled
site maintenance. The operator can force traffic to an alternate site by a simple procedure.

Concept Topics

The following topic explains the design and prerequisites for a sample ACOS GSLB setup:

• GSLB Disaster Recovery Setup

Task Topics

The task topics provide example site setup configurations for disaster recovery:

• Configuring Disaster Recovery

• Configuring CLI

• Configuring Primary Site and Disaster Recovery Site

GSLB Disaster Recovery Setup


Following is an Active - Standby design in GSLB server mode. Each site has a GSLB controller and the
GSLB controllers are authoritative for the delegated DNS zone.

FIGURE 4 Figure 1: GSLB Disaster Recovery design

High-level overview of the GSLB Disaster Recovery setup is as follows:

• Users connecting to www.a10example.com:

• Queries are sent to the local DNS server and the recursive lookup process continues to the root
DNS servers.
• The A10 GSLB controllers communicate using the GSLB protocol for health check monitors to
verify site availability.
• CNAME is used for delegation of the FQDN to the A10 GSLB controllers.

• The Primary or the DR GSLB controller responds to the users with the Primary site HTTP VIP
address if the Primary site is up.
• If the A10 GSLB controllers determine the Primary site is down:

• The A10 GSLB controller responds with the HTTP VIP address of the DR site.
• User traffic is directed to the DR site.
• When the GSLB Protocol determines the Primary site is up:

• User traffic is directed to the Primary site.

Configuring Disaster Recovery


To configure the GSLB active and standby sites based on Figure 1: GSLB Disaster Recovery design:

• Enable the GSLB controller process for the GSLB protocol to exchange site health information.
ACOS(config)# gslb protocol enable controller

• If SLB is also combined with GSLB, enable the GSLB device.
ACOS(config)# gslb protocol enable device

• Enable the DNS VIP for a standalone DNS server, configure the port, and enable GSLB.
ACOS(config)# slb virtual-server <name> <IP address>
ACOS(config-slb vserver)# port <number> udp
ACOS(config-slb vserver-vport)# gslb-enable

• Configure the Service IP address for each site. This is the SLB VIP address or remote host IP
address that the DNS VIP responds with to direct traffic to the site. Define the port and protocol.
ACOS(config)# gslb service-ip <name> <IP address>
ACOS(config-service-ip:PRI-GSLB-HTTP)# port <number> <udp or tcp>

• Configure the GSLB controller for each site. Configure the site parameters and set the
administrative preference to prefer the Primary site for all traffic. The default administrative
preference value is 100. Set the active site to a higher administrative value than the default value
to prefer it over the DR site. Add the GSLB service VIP address to each site configuration.
ACOS(config)# gslb site <name>
ACOS(config-gslb site:name)# slb-dev <name> <IP address>
ACOS(config-gslb site:name-slb dev:name)# admin-preference <0-255>
ACOS(config-gslb site:name-slb dev:name)# vip-server <GSLB VIP name>

• Configure the GSLB policy to determine how GSLB traffic will be distributed to each site. Enable
the DNS attributes to respond with a single IP and be authoritative for the zone. Enable
administrative-preference and disable round robin based on the active-standby design. Order the
metrics for the desired GSLB behavior.
ACOS(config)# gslb policy <name>
ACOS(config-policy:name)# dns selected-only 1
ACOS(config-policy:name)# dns server authoritative
ACOS(config-policy:name)# admin-preference
ACOS(config-policy:name)# no round-robin
ACOS(config-policy:name)# metric-order admin-preference health-check

• Enable the zone information for DNS query response for the FQDN zone. Bind the GSLB policy to
the zone configuration. Enter the CNAME if it was used for zone delegation on the A10 GSLB
controllers or enter the zone. Define the service prefix for the FQDN and associated service port.
Configure the DNS A Record for each GSLB VIP address of each site which will return the HTTP
VIP address with the DNS response.
ACOS(config)# gslb zone <zone name>
ACOS(config-zone:zone-name)# policy <name>
ACOS(config-zone:zone-name)# service <port number> <service prefix for zone>
ACOS(config-zone:zone-name.-service...)# dns-a-record <GSLB VIP name> static

Configuring CLI
Configure GSLB with the following steps using the CLI for the illustrated GSLB Disaster Recovery
design. The CNAME, gslb.a10example.com, is used for the zone, www.a10example.com.

Primary Site Configuration


ACOS-PRI(config)# gslb protocol enable controller
ACOS-PRI(config)# gslb protocol enable device
ACOS-PRI(config)# slb virtual-server DNS-VIP 192.168.20.53
ACOS-PRI(config-slb vserver)# port 53 udp
ACOS-PRI(config-slb vserver-vport)# gslb-enable
ACOS-PRI(config)# gslb service-ip PRI-GSLB-HTTP 192.168.20.200
ACOS-PRI(config-service-ip:PRI-GSLB-HTTP)# port 80 tcp
ACOS-PRI(config)# gslb service-ip DR-GSLB-HTTP 192.168.40.200
ACOS-PRI(config-service-ip:DR-GSLB-HTTP)# port 80 tcp
ACOS-PRI(config)# gslb site Primary
ACOS-PRI(config-gslb site:Primary)# slb-dev PRI 192.168.20.125
ACOS-PRI(config-gslb site:Primary-slb dev:PRI)# admin-preference 200
ACOS-PRI(config-gslb site:Primary-slb dev:PRI)# vip-server PRI-GSLB-HTTP
ACOS-PRI(config)# gslb site DRsite
ACOS-PRI(config-gslb site:DRsite)# slb-dev DR 192.168.40.125
ACOS-PRI(config-gslb site:DRsite-slb dev:DR)# vip-server DR-GSLB-HTTP
ACOS-PRI(config)# gslb policy A10health
ACOS-PRI(config-policy:a10health)# dns selected-only 1
ACOS-PRI(config-policy:a10health)# dns server authoritative
ACOS-PRI(config-policy:a10health)# admin-preference
ACOS-PRI(config-policy:a10health)# no round-robin
ACOS-PRI(config-policy:a10health)# metric-order health-check admin-preference
ACOS-PRI(config)# gslb zone gslb.a10example.com
ACOS-PRI(config-zone:gslb.a10example.)# policy A10health
ACOS-PRI(config-zone:gslb.a10example.)# service 80 www
ACOS-PRI(config-zone:gslb.a10example.-service...)# dns-a-record PRI-GSLB-HTTP static

ACOS-PRI(config-zone:gslb.a10example.-service...)# dns-a-record DR-GSLB-HTTP static
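
An active/standby design fails quietly if a vip-server or dns-a-record name does not match a service-ip, or if both sites end up with the same preference. The following added example (not A10 code and not part of the original guide) parses the Primary Site Configuration commands, checks those references, and models the answers described in the overview as the Primary site goes down and recovers. The selection function is a simplified model of the documented behaviour (health first, then admin-preference), not ACOS's internal algorithm, and parse, validate, expected_answer and failover_timeline are hypothetical names.

```python
# Constructed input: GSLB commands from the Primary Site Configuration transcript.
TRANSCRIPT = """\
ACOS-PRI(config)# gslb service-ip PRI-GSLB-HTTP 192.168.20.200
ACOS-PRI(config-service-ip:PRI-GSLB-HTTP)# port 80 tcp
ACOS-PRI(config)# gslb service-ip DR-GSLB-HTTP 192.168.40.200
ACOS-PRI(config-service-ip:DR-GSLB-HTTP)# port 80 tcp
ACOS-PRI(config)# gslb site Primary
ACOS-PRI(config-gslb site:Primary)# slb-dev PRI 192.168.20.125
ACOS-PRI(config-gslb site:Primary-slb dev:PRI)# admin-preference 200
ACOS-PRI(config-gslb site:Primary-slb dev:PRI)# vip-server PRI-GSLB-HTTP
ACOS-PRI(config)# gslb site DRsite
ACOS-PRI(config-gslb site:DRsite)# slb-dev DR 192.168.40.125
ACOS-PRI(config-gslb site:DRsite-slb dev:DR)# vip-server DR-GSLB-HTTP
ACOS-PRI(config)# gslb policy A10health
ACOS-PRI(config-policy:a10health)# dns selected-only 1
ACOS-PRI(config-policy:a10health)# admin-preference
ACOS-PRI(config-policy:a10health)# no round-robin
ACOS-PRI(config-policy:a10health)# metric-order health-check admin-preference
ACOS-PRI(config)# gslb zone gslb.a10example.com
ACOS-PRI(config-zone:gslb.a10example.)# policy A10health
ACOS-PRI(config-zone:gslb.a10example.)# service 80 www
ACOS-PRI(config-zone:gslb.a10example.-service...)# dns-a-record PRI-GSLB-HTTP static
ACOS-PRI(config-zone:gslb.a10example.-service...)# dns-a-record DR-GSLB-HTTP static
"""

DEFAULT_PREFERENCE = 100  # default administrative preference stated in the guide


def parse(transcript):
    """Collect service-ips, per-VIP site and preference, A records and selected-only."""
    cfg = {"service_ips": {}, "vips": {}, "records": [], "selected_only": None}
    site = dev = None
    for line in transcript.splitlines():
        if ")# " not in line:
            continue
        cmd = line.split(")# ", 1)[1].split()
        if not cmd:
            continue
        if cmd[0] == "gslb":
            dev = None                               # back at the top config level
            if cmd[1:2] == ["service-ip"]:
                cfg["service_ips"][cmd[2]] = cmd[3]
            elif cmd[1:2] == ["site"]:
                site = cmd[2]
        elif cmd[0] == "slb-dev":
            dev = {"site": site, "pref": DEFAULT_PREFERENCE}
        elif cmd[0] == "admin-preference" and dev is not None and len(cmd) == 2:
            dev["pref"] = int(cmd[1])                # slb-dev mode, not the policy toggle
        elif cmd[0] == "vip-server" and dev is not None:
            cfg["vips"][cmd[1]] = dev
        elif cmd[:2] == ["dns", "selected-only"] and len(cmd) == 3:
            cfg["selected_only"] = int(cmd[2])
        elif cmd[0] == "dns-a-record":
            cfg["records"].append(cmd[1])
    return cfg


def validate(cfg):
    """Return the problems that would break the active/standby design."""
    problems = []
    for name in cfg["vips"]:
        if name not in cfg["service_ips"]:
            problems.append(f"vip-server {name} has no gslb service-ip")
    for name in cfg["records"]:
        if name not in cfg["vips"]:
            problems.append(f"dns-a-record {name} is not bound to any site")
    prefs = sorted((cfg["vips"][n]["pref"] for n in cfg["records"]
                    if n in cfg["vips"]), reverse=True)
    if len(prefs) > 1 and prefs[0] == prefs[1]:
        problems.append("two sites share the highest admin-preference: no single active site")
    return problems


def expected_answer(cfg, site_up):
    """Simplified model: drop records whose site is down, prefer the highest
    admin-preference, return at most selected-only N addresses."""
    live = [n for n in cfg["records"]
            if n in cfg["vips"] and n in cfg["service_ips"]
            and site_up.get(cfg["vips"][n]["site"], False)]
    live.sort(key=lambda n: cfg["vips"][n]["pref"], reverse=True)
    limit = cfg["selected_only"] or len(live)
    return [cfg["service_ips"][n] for n in live[:limit]]


def failover_timeline(cfg):
    """Primary up, Primary down, Primary recovered (constructed health states)."""
    states = [{"Primary": True, "DRsite": True},
              {"Primary": False, "DRsite": True},
              {"Primary": True, "DRsite": True}]
    return [expected_answer(cfg, s) for s in states]


if __name__ == "__main__":
    config = parse(TRANSCRIPT)
    print(validate(config) or "references and preferences are consistent")
    print(failover_timeline(config))
```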

Configuring Primary Site and Disaster Recovery Site


The GSLB configuration example for both sites is as follows:

FIGURE 5 GSLB design template configuration for Primary and Disaster Recovery Site

GSLB Elements

This chapter describes the primary structural components of a GSLB Configuration. Sections include:

• “GSLB and the DNS Namespace”

• “Configuring GSLB Elements”

• “Configuring FQDN Service Groups”

“GSLB Implementation Examples” on page 25 provides examples demonstrating usage of elements
this chapter describes.

GSLB and the DNS Namespace


The DNS distributed database is indexed by domain names, each of which references a path in the
domain database. A fully qualified domain name (FQDN) is an absolute domain name that is written
relative to the root and unambiguously identifies a node in terms of its location in the namespace
hierarchy.

GSLB data structures reference FQDNs within a DNS namespace.

Basic GSLB Data Structures


The GSLB data structures upon which the protocol operates include zone, service, site, and service-ip.

• Zones – A GSLB zone is a DNS domain for GSLB. An ACOS device can be configured with one or
more GSLB zones.
Example: mydomain.com is a zone.
• Services – A service is an application, such as HTTP or FTP. Each service is given an FQDN within
a zone managed by the GSLB. A zone may include the FQDN of multiple services.
Example: www.mydomain.com is an FQDN where www is the HTTP service.
• Sites – A site is a server farm that is locally managed by an ACOS device that performs load
balancing for the site. Each zone can contain one or more GSLB sites.
• Service-IP – A service-ip identifies a virtual server by its IP address and specifies the port that
hosts the service provided by the server. The service-ip definition can also include health checks
and an external IP address that facilitates access from outside of the internal network.

• Policies – A policy is a data structure that defines a set of metric settings and DNS options. After
a policy is configured, it is applied to a zone or a service level within a zone. Zones and services
use policies to manage client requests by selecting the best site and specifying DNS options for
the request.

GSLB zones can be configured with the same domain on multiple partitions, facilitating independent
policies for internal and external services for a domain. This also allows the same domain to be
configured on different partitions, regardless of the mode each partition is running.

Policies, service groups, and service-IP names can be duplicated in different partitions, but they must
be configured separately in each partition. The default GSLB policy is used globally and can only be
configured in the shared partition. GSLB site configurations are unique and cannot be duplicated in
different partitions.

FQDNs and FQDN Service Groups


The combination of a service name and zone name comprises a fully-qualified domain name (FQDN).

Example: The zone name “example.com” and service name “www” combine to form the
“www.example.com” FQDN.

You can configure a service and all of its required parameters, including its site, service-IP, and zone
membership.

An FQDN group combines multiple FQDNs (services) to provide a single point of contact for enabling or
disabling services at multiple levels of granularity.

“Configuring FQDN Service Groups” on page 69 describes the process of configuring FQDN Service
Groups.

Configuring GSLB Elements


These sections describe GSLB Elements:

• “Creating an FQDN String (Zones and Services)”

• “Configuring Sites”

• “Configuring Service IPs”

• “Configuring Policies”

Creating an FQDN String (Zones and Services)

Configuring a Zone
The gslb zone command places the device in zone configuration mode, which includes a command
that associates a service to the zone. The command creates a zone when it references a zone not yet
configured. See “gslb zone” on page 187.

Example: This command creates a zone named a10-venus.com and places the device in zone
configuration mode.
ACOS(config)# gslb zone a10-venus.com
ACOS(config-zone:a10-venus.com)#

Configuring the Service


The service command, available in zone configuration mode, associates a service to the zone and
places the device in zone-service configuration mode. The command specifies the port that accesses
the service. Multiple services can be defined for a zone. (See “[no] service port [service-name]”
on page 189.)

Commands are available in service configuration mode to configure DNS records for the service,
specify DNS traffic actions, enable health check parameters, and configure geo-location settings.

Example: These commands create the www service for the previously created a10-venus.com zone and
configure two DNS Address records for the service. The device remains in a10-venus.com-www service
configuration after the commands.

ACOS(config-zone:a10-venus.com)# service 80 www
ACOS(config-zone:a10-venus.com-service:www)# dns-a-record 10.10.1.1 static
ACOS(config-zone:a10-venus.com-service:www)# dns-a-record 10.20.1.1 static
ACOS(config-zone:a10-venus.com-service:www)# exit
ACOS(config-zone:a10-venus.com)# exit

Configuring Sites
The gslb site command places the device in site configuration mode, which includes commands that
associate real servers and a service to the site. The command creates a new site when it references
a site that is not yet configured. See “gslb site” on page 177.

The ip-server command, available from site configuration mode, associates the real server at the
specified IP address to the configuration mode site. See “[no] ip-server service-ip” on
page 179.

The slb-dev command specifies an access IP address for the site and places the device in slb-dev
configuration mode. Within this mode, commands are available that map virtual servers to the site and
specify access attributes for the device. See “[no] slb-dev device-name [ip-addr]” on
page 180.

The vip-server command adds the GSLB VIP server to the SLB device.

Example 1: This example creates the “oxygen” site and associates the real server at 10.10.1.1 with the
site.

ACOS(config)# gslb service-ip red-1 10.10.1.1
ACOS(config-service-ip:red-1)# exit
ACOS(config)# gslb site oxygen
ACOS(config-gslb site:oxygen)# ip-server red-1
ACOS(config-gslb site:oxygen)# exit

The ip-server command references the name of a previously configured service-ip which, in addition
to the IP address of the real server, defines server implementation parameters within the site.

Example 2: This example creates the “nitrogen” site and associates a virtual server at 10.10.1.5 with the
site. This example includes a command that references an SLB that serves as the virtual server. SLB
configuration is beyond the scope of this manual and covered in the ADC Configuration Guide.

ACOS(config)# gslb service-ip red-2 10.10.3.211
ACOS(config-service-ip:red-2)# exit
ACOS(config)# gslb site nitrogen
ACOS(config-gslb site:nitrogen)# slb-dev nitro-device 10.10.1.5
ACOS(config-gslb site:nitrogen-slb dev:ni...)# vip-server red-2

Configuring Service IPs


A Service IP identifies a virtual server by its IP address and specifies the port that hosts the service
provided by the server. The service-ip definition can include health checks and an external IP address to
facilitate access from outside the internal network.

The gslb service-ip command places the device in service-ip configuration mode. The command
creates a service IP when it references one that is not yet configured. See “gslb service-ip” on page 174.
The service-ip label is referenced by sites to associate servers to the site.

Example: This command creates the blue-1 service-ip at IP address 10.12.2.1.

ACOS(config)# gslb service-ip blue-1 10.12.2.1
ACOS(config-service-ip:blue-1)# exit

• To assign an external IP address to the service, use the external-ip command. An external IP
address is needed if the service IP address is an internal IP address that cannot be reached from
outside the internal network.
• To configure a service port on the service, use the port command.

• To enable health monitoring of the service, use the health-check command.

Configuring Service-IP Parameters


These steps describe the process of configuring Service-IP parameters.

Step 1: Select a service-IP type

The following describes the Service IP types and their options:

SLB direct-conn real server – The ACOS device you currently are configuring for GSLB is directly
connected to the real server. Options include:
• Server – IP address of the server.
• Name – Name for the directly-connected server in the GSLB configuration.
• Health Monitor – Health monitor used to check the reachability and responsiveness of the
service.

SLB self-service device – The ACOS device you currently are configuring for GSLB is also the ACOS
device that is configured to perform SLB for the VIP that provides the service to clients. This is the
VIP bound to a service group containing the real servers on which the service is located. Options
include:
• VIP – Virtual IP address.
• Name – Name for the virtual server.
• Dev Name – Name for the SLB device (this device) in the GSLB configuration.
• Health Monitor – Health monitor for checking the reachability and responsiveness of the
service.

SLB device – The service is load balanced by another ACOS device. Options include:
• Device Name – Name for the SLB device. (This name does not need to be the same as the
hostname of the SLB device, although this is a handy way to simplify administration.)
• Device IP – IP address of the SLB device.
• VIP – VIP address.
• Name – Name for this SLB device in the GSLB configuration.
• Health Monitor – Health monitor for checking the reachability and responsiveness of the
service.

Step 2: Configure DNS Records

Configure DNS records for the service. GSLB returns these records, when applicable, in response to
DNS requests. You can configure the following types of records:

• MX – Mail Exchange record.
• CNAME – Canonical Name record.
• NS – Name Server record.
• SRV – Service Record.
• PTR – Pointer record.
• TXT – Text record.

An Address (A) record for the service-IP is created automatically.

Step 3: Manually Configure Geo-location Entries (If Required)

A geo-location maps a range of client IP addresses to a description of the clients’ geographic location.
GSLB includes an IANA geo-location database, which is loaded by default.

Create a geo-location string name, then configure one of the following:

• Alias – Returns this alias for the geo-location.
• Action – Action to perform on DNS queries for the FQDN:
   • Forward Response – Forwards responses to the local DNS server, but does not forward queries
     to the Authoritative DNS server.
   • Forward Both – Forwards queries to the Authoritative DNS server, and forwards responses
     to the local DNS server.
   • Forward Query – Forwards queries to Authoritative DNS server; does not forward responses
     to local DNS server.
   • Drop – Drops DNS queries from the local DNS server.
   • Ignore – Sends an empty response.
   • Reject – Rejects DNS queries from the local DNS server and returns the “Refused” message
     in replies.
• Policy – Uses the selected GSLB policy instead of the policy used by the zone.

Configuring Policies
A policy is a data structure that defines a set of DNS Options and metric settings that zones and ser-
vices use to evaluate each site. For the evaluation of sites, A10 uses a fixed list of site addresses. This
list is constructed based on the original list when a site becomes active. This fixed metric evaluation
function does not do ordering or re-ordering of the original list.

After a policy is configured, it is applied to a zone or a service level within a zone. Zones and services
use policies to manage client requests by selecting the best site and specifying DNS options for the
request.

For a description of GSLB Policies and specific implementation details, see “GSLB Metrics” on page 71.

For a description of DNS options and specific implementation details, see “DNS Options” on page 91.

The gslb policy command places the device in policy configuration mode, which includes commands
that associate real servers and a service to the zone. The command creates a zone when it references
a zone that is not yet configured. See “gslb policy” on page 169.

Example: This command creates the kaibab policy and places the device in kaibab policy configuration
mode.

ACOS(config)# gslb policy kaibab
ACOS(config-policy:kaibab)#

The zone (see “[no] policy policy-name” on page 188) and zone-service (see “[no] service
port [service-name]” on page 189) configuration modes include a policy command that applies a
specified policy to the zone or service.

Example: This command applies the kaibab policy on the example.com zone. The policy is referenced
by all services configured on the zone.

ACOS(config)# gslb zone example.com
ACOS(config-zone:example.com)# policy kaibab
ACOS(config-zone:example.com)#

Example: This command applies the kaibab policy on the www.example.com service.

ACOS(config)# gslb zone example.com
ACOS(config-zone:example.com)# service 80 www
ACOS(config-zone:example.com-service:www)# policy kaibab
ACOS(config-zone:example.com-service:www)#

Default Policy

In the “default” GSLB policy, the following metrics are enabled by default:

• Health-Check

• Geographic

• Round-Robin

All other metrics are disabled.

Although the Geographic metric is enabled by default, there are no default geo-location mappings. To
use the Geographic metric, you must load or manually configure geo-location mappings. (See “Loading
or Configuring Geo-Location Mappings”.)

GSLB defines a default policy that is used by zones and services for which a custom policy is not
explicitly assigned. The default policy has default settings and can be modified from policy
configuration mode. The default policy cannot be deleted.

Example: This command places the device in default policy configuration mode, where subsequent
commands modify the default policy.

ACOS(config)# gslb policy default
ACOS(config-policy:default)#

Configuring FQDN Service Groups


An FQDN service group consists of multiple FQDNs. Service groups simplify administration by providing
a single location for enabling or disabling services at any of the following levels of granularity:

• Entire FQDN group (all zones in the group, and all their services)

• Individual sites (all services within the site)

• Individual FQDNs (individual services in individual zones)

The gslb service-group command places the device in service-group configuration mode. See “gslb
service-group” on page 173.

Commands that are available in this mode include:

• Member – Adds a specified service to the group. (“[no] member service-name.zone-name” on page 173)
• Persistent site – Implements site persistence for the group. (“[no] persistent site
[AGE][V4][V6]” on page 173)

Example: These commands create an FQDN group called “example-group” and add an FQDN for GSLB
services to it.

ACOS(config)# gslb service-group example-group
ACOS(config-svc group:example-group)# member www.example.com
ACOS(config-svc group:example-group)#

GSLB Metrics

GSLB metrics are assigned through policies assigned to GSLB sites. This chapter presents these
topics:

• “Managing GSLB Metrics” on page 71

• “Metric Descriptions” on page 74

Managing GSLB Metrics


GSLB metrics are implemented through enabling commands and managed by selecting the order by
which the metrics are applied. The following sections describe these processes:

• “Enabling and Disabling Metrics (CLI)” on page 71

• “Metrics That Require the GSLB Protocol on Site ACOS Devices” on page 72

• “Changing the Metric Order” on page 72

Enabling and Disabling Metrics (CLI)


The Health-Check, Geographic, and Round-Robin metrics are enabled by default. All other metrics are
disabled by default.

To enable a metric, enter the metric name at the configuration level for the policy. For example, to
enable the Admin-Preference metric, enter the following commands:

ACOS(config)# gslb policy oxygen
ACOS(config-policy:oxygen)# admin-preference

To disable a GSLB metric, use the “no” form of the metric at the configuration level for the policy. For
example, to disable the Health-Check metric, enter these commands:

ACOS(config)# gslb policy oxygen
ACOS(config-policy:oxygen)# no health-check

Metrics That Require the GSLB Protocol on Site ACOS Devices


ACOS devices use the GSLB protocol for GSLB management traffic. The protocol must be enabled on
the GSLB controller.

GSLB does not need to be enabled on the site ACOS devices, but enabling it is recommended to collect
site information that GSLB requires to generate the following metrics:

• Session-capacity

• aRDT

• Connection-Load

• Num-Session

Enabling the GSLB protocol is required when using default health-check methods. However, when you
modify default health checks, the GSLB protocol does not need to be enabled. (See “Health-Check” on
page 74.)

Changing the Metric Order


The metric order and the configuration of each metric are specified in a GSLB policy. Policies can be
applied to GSLB zones and to individual services. The GSLB ACOS device has a default GSLB policy,
named “default”, which is automatically applied to a zone or service.

Metric order does not apply to the Alias-Admin-Preference and Weighted-Alias metrics. When enabled,
Alias-Admin-Preference always has high priority.

The metric-order command configures the precedence order of metrics in a GSLB policy (see
“metric-order” on page 242). The following is the default metric order:

1. Health-Check
2. Weighted-IP
3. Weighted-Site
4. Session-Capacity
5. Active-Servers
6. aRDT
7. Geographic
8. Connection-Load
9. Num-Session
10. Admin-Preference
11. BW-Cost
12. Least-Response
13. Admin-IP

Metric Descriptions
A GSLB policy consists of one or more metrics. These sections describe GSLB Metrics that are imple-
mented through policies that are applied to zones and services.

This section includes the following metrics:

• “Health-Check” on page 74
• “Weighted-IP” on page 75
• “Weighted-Site” on page 75
• “Session Capacity” on page 76
• “Active Servers” on page 76
• “Active-Round Delay Time (aRDT)” on page 76
• “Geographic” on page 82
• “Connection Load” on page 83
• “Num Session” on page 83
• “Admin Preference” on page 83
• “BW Cost” on page 83
• “Least-Response” on page 87
• “Admin-IP” on page 87
• “Round-Robin” on page 87
• “Alias-Admin-Preference” on page 87
• “Weighted-Alias” on page 88

Health-Check
The Health-Check metric checks the availability (health) of the real servers and service ports. Sites
whose real servers and service ports respond to the health checks are preferred over sites in which
servers or service ports are unresponsive to the health checks.

GSLB supports health check methods for the following services:

ICMP (Layer 3 health check), TCP, UDP, HTTP, HTTPS, FTP, SMTP, POP3, SNMP, DNS, RADIUS, LDAP,
RTSP, SIP

You can use the default health methods or configure new methods for any of these services.

By default, the GSLB protocol generates its own packets when sending a health check to a service. If
the GSLB protocol cannot reach the service, then another health check is performed using standard
network traffic.

Health-Check Precedence
Health monitoring for a GSLB service can be performed at the following levels and in the following
order:

1. Gateway health check
2. Port health check
3. IP health check (Layer 3 health check of service IP)

Using the GSLB Health Monitor option does not affect its precedence. The GSLB Health Monitor config-
uration includes health monitors in GSLB group synchronizations. For GSLB configuration synchroniza-
tion, see “Controller Groups and GSLB Synchronization” on page 17.

Configure Health Monitors


It is recommended that you configure health monitors for the local DNS server to be proxied and also
for the GSLB services to be load balanced. Use a DNS health monitor for the local DNS server. You also
can use a Layer 3 health monitor to check the IP reachability of the server.

For the GSLB service, use health monitors for the application types of the services. For example, for an
HTTP service, use an HTTP health monitor. If the Health-Check metric is enabled in the GSLB policy, the
metric will use the results of service health checks to select sites.

To monitor the health of the real servers providing the services, configure health monitors on the site
SLB devices. Configure the health monitors for the proxied DNS server and the GSLB services on the
GSLB ACOS device. Configure the health monitors for real servers and their services on the site ACOS
devices.

Weighted-IP
Weighted-IP – Service IP addresses with higher administratively assigned weights are used more often
than service IP addresses with lower weights.

The Weighted-IP metric skews selection toward specific IP addresses. GSLB selects higher-weighted IP
addresses more often than lower-weighted IP addresses.

If DNS caching is used, the cycle starts over if the cache aging timer expires.

Weighted-Site
Weighted-Site – Sites with higher administratively assigned weights are used more often than sites
with lower weights. The Weighted-Site metric skews selection toward specific sites. GSLB selects
higher-weighted sites more often than lower-weighted sites.

Example: If there are two sites (A and B), and A has weight 2 whereas B has weight 4, GSLB will select
site B twice as often as site A. Specifically, GSLB will select site B the first 4 times, and will then select
site A the next 2 times. This cycle then repeats: B is chosen 4 times, then A is chosen the next 2 times,
then B is chosen the next 4 times, and so on.

If DNS caching is used, the cycle starts over if the cache aging timer expires.

Session Capacity
Session Capacity – Sites with more available sessions based on respective maximum Session-Capac-
ity are preferred.

Active Servers
Active Servers – Sites with the most currently active servers are preferred.

Active-Round Delay Time (aRDT)


The Active-Round Delay Time (aRDT) metric prefers sites with faster round-delay-times for DNS queries
and replies between a site ACOS device and the GSLB local DNS.

aRDT measures the round-delay-time for a DNS query and reply between a site ACOS device and the
GSLB local DNS. You can configure aRDT to take a single sample or periodic samples.

The aRDT metric uses the following options, which are configurable on a global basis:

• Domain – Specifies the query domain. To measure the active round-delay-time (aRDT) for a cli-
ent, the site ACOS device sends queries for the domain name to a client’s local DNS. An aRDT
sample consists of the time between when the site ACOS device sends a query and when it
receives the response.
Only one aRDT domain can be configured. It is recommended to use a domain name that is likely
to be in the cache of each client’s local DNS. The default domain name is “google.com”.
The ACOS device averages multiple aRDT samples together to calculate the aRDT measurement
for a client. (See the description of Track below.)
• Interval – Specifies the number of seconds between queries. You can specify 1-16383 seconds.
The default is 1.
• Retry – Specifies the number of times GSLB will resend a query if there is no response. You can
specify 0-16. The default is 3.
• Sleep – Specifies the number of seconds GSLB stops tracking aRDT data for a client after a
query fails. You can specify 1-300 seconds. The default is 3.

• Timeout – Specifies the number of milliseconds GSLB will wait for a reply before resending a
query. You can specify 1-16383 milliseconds (ms). The default is 3000 ms.
• Track – Specifies the number of seconds during which the ACOS device collects samples for a
client. The samples collected during the track time are averaged together, and the averaged value
is used as the aRDT measurement for the client. You can specify 3-16383 seconds. The default is
60 seconds.
The averaged aRDT measurement is used until it ages out. The aging time for averaged aRDT
measurements is 10 minutes by default and is configurable on individual sites, using the aRDT
aging-time command.

To configure global aRDT options, use the gslb active-rdt command (See “gslb active-rdt” on
page 162.)

Default Settings
When you enable aRDT, a site ACOS device sends some DNS requests to the GSLB domain’s local DNS.
The GSLB ACOS device then averages the aRDT times of 5 samples.

Single Sample (Single Shot)


To take a single sample and use that sample indefinitely, use the single-shot option. This option
instructs each site ACOS device to send a single DNS query to the GSLB local DNS.

The single-shot option is useful if you do not want to frequently update the aRDT measurements. For
example, if the GSLB domain's clients tend to remain logged on for long periods of time, using the sin-
gle-shot option ensures that clients are not frequently sent to differing sites based on aRDT measure-
ments.

The single-shot option has the following additional options:

• timeout – Specifies the number of seconds each site ACOS device should wait for the DNS reply.
If the reply does not arrive within the specified timeout, the site becomes ineligible for selection,
in cases where selection is based on the aRDT metric. You can specify 1-255 seconds. The
default is 3 seconds.
• skip – Specifies the number of site ACOS devices that can exceed their single-shot timeouts,
without the aRDT metric itself being skipped by the GSLB ACOS device during site selection. You
can skip from 1-31 sites. The default is 3.

Multiple Samples
To periodically retake aRDT samples, do not use the single-shot option. In this case, the ACOS device
uses the averaged aRDT value based on the number of samples measured for the intervals.

For example, if you set aRDT to use 3 samples with an interval of 5 seconds, the aRDT is the average
over the last 3 samples, collected in 5-second intervals. If you configure single-shot instead, a single
sample is taken.

The number of samples can be 1-8. The default is 5 samples.

Store-By
By default, the GSLB ACOS device stores one aRDT measurement per site SLB device. Optionally, you
can configure the GSLB ACOS device to store one measurement per geo-location instead. This option
is configurable on individual GSLB sites. (See “Changing aRDT Settings for a Site” on page 79.)

Tolerance
The default measurement tolerance is 10 percent. If the aRDT measurements for more than one site are
within 10 percent, the GSLB ACOS device considers the sites to be equal in terms of aRDT. You can
adjust the tolerance to any value from 0-100 percent.

Enabling aRDT

Enabling aRDT (CLI)

Enter the active-rdt command (See “active-rdt” on page 197.) at the configuration level for the GSLB
policy:

If you omit all the options, the site ACOS device sends DNS requests to the GSLB domain’s local DNS.
The GSLB ACOS device averages the aRDT times of the samples. The aRDT measurements are regularly
updated. You can use the samples option to change the number of samples to 1-8.

To enable single-shot aRDT instead, use the single-shot option. You also can use the skip and time-
out options.

Enabling aRDT (CLI Examples)

These commands access the configuration level for GSLB policy “gslbp2” and enable the aRDT metric,
using default settings:

ACOS(config)# gslb policy gslbp2
ACOS(config-policy:gslbp2)# active-rdt enable
ACOS(config-policy:gslbp2)#

These commands access the configuration level for GSLB policy “gslbp3” and enable the aRDT metric,
using single-shot.

ACOS(config)# gslb policy gslbp3
ACOS(config-policy:gslbp3)# active-rdt single-shot
ACOS(config-policy:gslbp3)# active-rdt skip 3
ACOS(config-policy:gslbp3)#

In this example, each site ACOS device will send a single DNS query to the GSLB domain’s local DNS,
and wait 3 seconds (the default) for a reply. The site ACOS devices will then send their aRDT measure-
ments to the GSLB ACOS device. However, if more than 3 site ACOS devices fail to send their aRDT
measurements to the GSLB ACOS device, the ACOS device will not use the aRDT metric.
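The single-shot decision described above, together with the Tolerance setting, can be modeled in a few lines. This is an added Python illustration, not ACOS code: the function name, the site names and the sample values are constructed, and measuring tolerance against the fastest site is an assumption.

```python
"""Added illustration of single-shot aRDT evaluation; not ACOS code."""


def ardt_preferred_sites(samples_ms, timeout_s=3, skip=3, tolerance_pct=10):
    """Return the sites the aRDT metric treats as equally best.

    samples_ms maps a site name to its single-shot round-delay time in
    milliseconds, or to None when no reply arrived.
    Returns None when the aRDT metric itself is skipped, so that site
    selection falls through to the next metric in the policy.
    """
    if not 1 <= timeout_s <= 255:
        raise ValueError("single-shot timeout must be 1-255 seconds")
    if not 1 <= skip <= 31:
        raise ValueError("skip must be 1-31 sites")
    if not 0 <= tolerance_pct <= 100:
        raise ValueError("tolerance must be 0-100 percent")

    timeout_ms = timeout_s * 1000
    answered = {}
    timed_out = []
    for site, rdt in samples_ms.items():
        if rdt is None or rdt > timeout_ms:
            timed_out.append(site)  # ineligible for aRDT-based selection
        else:
            answered[site] = rdt

    # More than `skip` sites exceeded their timeout: aRDT is not used at all.
    if len(timed_out) > skip:
        return None
    if not answered:
        return []

    # Assumption: "within tolerance" is measured against the fastest site.
    best = min(answered.values())
    ceiling = best * (100 + tolerance_pct) / 100
    equal = [site for site, rdt in answered.items() if rdt <= ceiling]
    return sorted(equal, key=lambda site: (answered[site], site))


# Constructed sample data: five hypothetical sites, one without a reply.
SAMPLES = {"site-1": 40.0, "site-2": 43.0, "site-3": 90.0,
           "site-4": None, "site-5": 44.0}

if __name__ == "__main__":
    print("defaults      :", ardt_preferred_sites(SAMPLES))
    print("tolerance 0   :", ardt_preferred_sites(SAMPLES, tolerance_pct=0))
    mostly_silent = {"a": 40.0, "b": None, "c": None, "d": None, "e": 5000.0}
    print("4 timeouts    :", ardt_preferred_sites(mostly_silent))
```

A return value of None means the policy moves on to the next metric in its order; a list with more than one site means aRDT sees those sites as equal and a later metric breaks the tie.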

Changing aRDT Settings for a Site


You can adjust the following aRDT settings on individual sites:

• aging-time – Specifies the maximum amount of time a stored aRDT result can be used. You can
specify 1-60 minutes. The default is 10 minutes.
• bind-geoloc – Stores the aRDT measurements on a per geo-location basis. Without this option,
the measurements are stored on a per site-SLB device basis.
• ignore-count – Specifies the ignore count if aRDT is out of range. You can specify 1-15. The
default is 5.
• ipv6-mask – Specifies the client IPv6 mask length, 1-128. The default is 128.

• limit – Specifies the limit. You can specify 1-16383. The default is 16383 milliseconds.

• mask – Based on the subnet mask or mask length, the entry can be a host address or a subnet
address. The default is 32.
• range-factor – Specifies the maximum percentage a new aRDT measurement can differ from the
previous measurement. If the new measurement differs from the previous measurement by
more than the allowed percentage, the new measurement is discarded and the previous mea-
surement is used again.
For example, if the range-factor is set to 25 (the default), a new measurement that has a value
from 75% to 125% of the previous value can be used. A measurement that is less than 75% or
more than 125% of the previous measurement can not be used.
You can specify 1-1000. The default is 25.
• smooth-factor – Blends the new measurement with the previous one, to smoothen the measure-
ments.
For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used,
along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of
the new measurement is used, along with 50% of the previous measurement.
You can specify 1-100. The default is 10.
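The interaction of range-factor and smooth-factor is easier to see on a series of samples. This is an added Python illustration, not ACOS code: the class and function names and the sample series are constructed, and it assumes the first sample is stored as-is and that "previous measurement" means the stored value. The ignore-count setting is not modeled.

```python
"""Added illustration of per-site aRDT range-factor and smooth-factor; not ACOS code."""


class ArdtTracker:
    """Stored aRDT value for one site (hypothetical helper class)."""

    def __init__(self, range_factor=25, smooth_factor=10):
        if not 1 <= range_factor <= 1000:
            raise ValueError("range-factor must be 1-1000")
        if not 1 <= smooth_factor <= 100:
            raise ValueError("smooth-factor must be 1-100")
        self.range_factor = range_factor
        self.smooth_factor = smooth_factor
        self.value = None  # no measurement stored yet

    def update(self, sample_ms):
        """Feed one new measurement; return True if it was used."""
        if self.value is None:
            # Assumption: nothing to compare against, so store the sample.
            self.value = float(sample_ms)
            return True

        # range-factor: allowed window around the previous value,
        # for example 75% to 125% when range-factor is 25.
        low = max(0.0, self.value * (100 - self.range_factor) / 100)
        high = self.value * (100 + self.range_factor) / 100
        if not low <= sample_ms <= high:
            return False  # discarded; the previous value is used again

        # smooth-factor: percentage of the new sample blended into the old value.
        new_part = self.smooth_factor * sample_ms
        old_part = (100 - self.smooth_factor) * self.value
        self.value = (new_part + old_part) / 100
        return True


def replay(samples_ms, range_factor=25, smooth_factor=10):
    """Return (sample, used, stored value) for each sample in order."""
    tracker = ArdtTracker(range_factor, smooth_factor)
    history = []
    for sample in samples_ms:
        used = tracker.update(sample)
        history.append((sample, used, round(tracker.value, 3)))
    return history


# Constructed series: a small rise, one outlier, then a lasting jump to ~200 ms.
SAMPLES_MS = [100, 120, 200, 96, 210, 220]

if __name__ == "__main__":
    for sample, used, stored in replay(SAMPLES_MS):
        print(f"sample={sample:>4} ms  used={used!s:<5}  stored={stored} ms")
```

With the defaults, the single 200 ms outlier is discarded, and so are the later 210 ms and 220 ms samples: under range-factor alone, a lasting change larger than the window never reaches the stored value.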

Changing aRDT Settings for a Site (CLI)

Use the active-rdt command at the configuration level for the site:

Excluding a Set of IP Addresses from aRDT Polling

Excluding a Set of IP Addresses from aRDT Polling (CLI)

Use an IP list to exclude a set of IP addresses from aRDT polling. You can configure an IP list in either
of the following ways:

• Use a text editor on a PC or use the ACOS GUI to configure a black/white list, then load the entries
from the black/white list into an IP list.
• Use this command to configure individual IP list entries.

To configure an IP list using the CLI, use the gslb ip-list command at the global configuration level of
the CLI:

The command changes the CLI to the configuration level for the list, where the ip command is avail-
able. This command creates an IP entry in the list. Based on the subnet mask or mask length, the entry
can be a host address or a subnet address.

The load command loads the entries from a black/white list into the IP list.

To use the IP list to specify the IP addresses to exclude from aRDT data collection, use the active-rdt
ignore-id command at the configuration level for the GSLB policy:

GSLB Controller-Based Metrics


The device typically relies on GSLB site-based metrics, where the controller obtains metrics from site
devices. GSLB Controller-Based metrics enable each GSLB controller to directly measure active-round
delay time (aRDT or RDT) metric information as derived from its queries to the local DNS (LDNS) server
and, optionally, the site GSLB devices. The device can be configured to calculate the response delay
time by using ICMP packets through the gslb active-rdt icmp command.

Network topologies often include site devices that either require NAT to access local DNS servers or
are isolated from the servers by firewalls. GSLB controllers cannot obtain valid site-based metrics from
site devices in these topologies.

The GSLB controllers must be members of a GSLB Controller group, which is a data structure that syn-
chronizes communications and designates a Master Controller among the members. The A10 GLOBAL
SERVER LOAD BALANCING GUIDE describes the function and implementation of GSLB Controller
groups.

GSLB Controller based metrics are not supported in IPv6 or L3V partition configurations.

Each location includes a GSLB controller that can access the client LDNS and its local site devices.
Each GSLB Controller only queries its local site device and the originating LDNS server to derive the
RDT metrics. The controllers send the metrics to the GSLB Master Controller. By default, the metric is
based on the response time between the controller and the LDNS server. An option is available that
adds the response time between the controller and site device to the controller-LDNS response time.

Configuring GSLB Controller-Based Metrics (CLI Example)

These commands implement GSLB Controller-Based metrics. See “Configuring GSLB Controller-Based
Metrics” on page 156 for the GUI implementation.

ACOS(config)# hostname ACOS-1
ACOS-1(config)# gslb service-ip NYE 10.1.1.10
ACOS-1(config-service-ip:NYE)# port 80 tcp
ACOS-1(config-service-ip:NYE-port:...)# exit
ACOS-1(config-service-ip:NYE)# exit
ACOS-1(config)# gslb service-ip WASHOE 20.1.1.20
ACOS-1(config-service-ip:WASHOE)# port 80 tcp
ACOS-1(config-service-ip:WASHOE-port...)# exit
ACOS-1(config-service-ip:WASHOE)# exit

These commands bind controllers to the GSLB sites (ACOS-1 to ELY and ACOS-2 to RENO).

ACOS-1(config)# gslb site ELY
ACOS-1(config-gslb site:ELY)# controller ACOS-1
ACOS-1(config-gslb site:ELY)# slb-dev d1 10.1.1.1
ACOS-1(config-gslb site:ELY-slb dev:d1)# vip-server NYE
ACOS-1(config-gslb site:ELY-slb dev:d1)# exit
ACOS-1(config-gslb site:ELY)# exit
ACOS-1(config)# gslb site RENO
ACOS-1(config-gslb site:RENO)# controller ACOS-2
ACOS-1(config-gslb site:RENO)# slb-dev d2 20.1.1.1
ACOS-1(config-gslb site:RENO-slb dev:d2)# vip-server WASHOE
ACOS-1(config-gslb site:RENO-slb dev:d2)# exit
ACOS-1(config-gslb site:RENO)#

These commands implement controller-based metrics on the GSLB policy named RHOMBUS.

ACOS-1(config)# gslb policy RHOMBUS
ACOS-1(config-policy:RHOMBUS)# no round-robin
ACOS-1(config-policy:RHOMBUS)# dns active-only
ACOS-1(config-policy:RHOMBUS)# dns selected-only
ACOS-1(config-policy:RHOMBUS)# dns server
ACOS-1(config-policy:RHOMBUS)# active-rdt enable
ACOS-1(config-policy:RHOMBUS)# active-rdt controller
ACOS-1(config-policy:RHOMBUS)# active-rdt proto-rdt-enable
ACOS-1(config-policy:RHOMBUS)# exit

These commands enable controller-based metrics by applying the GSLB policy.

ACOS-1(config)# gslb zone a10-black.com
ACOS-1(config-zone:a10-black.com)# policy RHOMBUS
ACOS-1(config-zone:a10-black.com)# service 80 www
ACOS-1(config-zone:a10-black.com-service:www)# dns-a-record NYE static
ACOS-1(config-zone:a10-black.com-service:www)# dns-a-record WASHOE static
ACOS-1(config-zone:a10-black.com-service:www)# exit
ACOS-1(config-zone:a10-black.com)# exit

These commands enable the GSLB controller and configure the GSLB group.

ACOS-1(config)# gslb group g1
ACOS-1(config-group:g1)# enable
ACOS-1(config-group:g1)# primary 20.20.1.1
ACOS-1(config-group:g1)# gslb protocol enable controller
ACOS-1(config)#

Geographic
Geographic – Services located within the client’s geographic region are preferred.

Geo-Location
You can configure GSLB to prefer site VIPs for DNS replies that are geographically closer to the clients.
For example, if a domain is served by sites in both the USA and Asia, you can configure GSLB to favor
the USA site for USA clients while preferring the Asian site for Asian clients.

To configure geo-location:

• Leave the Geographic GSLB metric enabled; it is enabled by default.

• Load geo-location data. You can load geo-location data from a file or manually configure individ-
ual geo-location mappings.

Loading geo-location data from a file is simpler than manually configuring geo-location mappings,
especially if you have more than a few GSLB sites.

The ACOS software includes an Internet Assigned Numbers Authority (IANA) database. The IANA data-
base contains the geographic locations of the IP address ranges and subnets assigned by the IANA.
The IANA database is loaded on the ACOS device, and it is enabled by default.

CNAME Support
As an extension to geo-location support, you can configure GSLB to send a Canonical Name (CNAME)
record instead of an Address record in DNS replies to clients. A CNAME record maps a domain name to
an alias for that domain. For example, you can associate the following aliases with the domain
“example.com”:

• www.example.co.cn

• mail.example.com

• ftp.example.com

Each of the aliases in the list above can be associated with a different geo-location:

If a client’s IP address is within the geo-location that is associated with www.1.example.com, then GSLB
places a CNAME record for www.1.example.com in the DNS reply to that client.

To configure CNAME support:

• Configure geo-location as described above.

• In the GSLB policy, enable the following DNS options:
   • dns cname-detect (enabled by default)
   • dns geoloc-alias
• For individual services in the zone, configure the aliases and associate them with geo-locations.

Connection Load
Connection-Load – Sites that are not exceeding their thresholds for new connections are preferred.

Num Session
Num-Session – Sites that are not exceeding available Session-Capacity threshold compared to other
sites are treated as having the same preference.

Admin Preference
Admin-Preference – The site with the highest administratively set preference is selected.

BW Cost
The BW-Cost metric selects sites based on bandwidth utilization on the site ACOS links.

To compare sites based on bandwidth utilization, the GSLB ACOS device sends SNMP GET requests
for a specified MIB interface object, such as ifInOctets, to each site.

• If the SNMP object value is less than or equal to the site’s configured bandwidth limit, the site is
eligible for selection.
• If the SNMP object value is greater than the bandwidth limit configured for the site, then the site
is ineligible.

The GSLB ACOS device sends the SNMP requests at regular intervals. Once a site is ineligible, the site
can become eligible again at the next interval if the utilization is below the configured limit minus the
threshold percentage.

To use the BW-Cost metric, an SNMP template must be configured and bound to each site. The GSLB
SNMP template specifies the SNMP version and other information necessary to access the SNMP
agent on the site ACOS device, and the Object Identifier (OID) of the MIB object to request.

In addition, the following BW-Cost parameters must be configured on each site:

• Bandwidth limit – The bandwidth limit specifies the maximum value of the requested MIB object
for the site to be eligible for selection.
• Bandwidth threshold – For a site to regain eligibility when BW-Cost is being compared, the SNMP
object’s value must be below the threshold-percentage of the limit value.
For example, if the limit value is 80,000 and the threshold is 90 (percent), then the SNMP object’s
value must be 72,000 or less for the site to become eligible again based on bandwidth cost. Once a
site again becomes eligible, the SNMP object’s value is again allowed to increase up to the bandwidth
limit value (80,000 in this example).
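The limit and threshold rule above, modelled as a small state machine. This is an added example, not A10 code: the class and function names are hypothetical, the samples are constructed, `value` stands for whatever number the device compares with the limit, and a threshold of 100 is used only to model re-entry at the limit itself.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BwCostSite:
    """Eligibility state of one GSLB site under the BW-Cost rule in the text."""
    name: str
    limit: Optional[int]   # None models the default: limit not set (unlimited)
    threshold_pct: int     # the "threshold" value, a percentage of the limit
    eligible: bool = True

    def reentry_value(self) -> Optional[int]:
        """Highest polled value at which an ineligible site is eligible again."""
        if self.limit is None:
            return None
        return self.limit * self.threshold_pct // 100

    def observe(self, value: int) -> bool:
        """Apply one polled value and return the eligibility afterwards."""
        if self.limit is None:
            self.eligible = True
        elif self.eligible:
            # An eligible site stays eligible up to and including the limit.
            self.eligible = value <= self.limit
        else:
            # An ineligible site must fall to the re-entry value, not just the limit.
            self.eligible = value <= self.reentry_value()
        return self.eligible


def simulate(site: BwCostSite, samples: List[int]) -> List[bool]:
    """Feed one sample per polling interval and collect the eligibility states."""
    return [site.observe(v) for v in samples]


def count_transitions(states: List[bool], initial: bool = True) -> int:
    """Number of eligible/ineligible flips, starting from an eligible site."""
    flips, previous = 0, initial
    for state in states:
        if state != previous:
            flips += 1
        previous = state
    return flips


# Constructed samples: the text's own numbers (limit 80,000, threshold 90).
WALKTHROUGH = [60000, 80000, 80001, 75000, 72001, 72000, 79000, 85000, 71000]
# Constructed samples hovering around the limit, then dropping well below it.
HOVERING = [80001, 79999, 80001, 79999, 80001, 71000]

if __name__ == "__main__":
    site = BwCostSite("usa", limit=80000, threshold_pct=90)
    for value, ok in zip(WALKTHROUGH, simulate(site, WALKTHROUGH)):
        print(f"{value:>6}  {'eligible' if ok else 'ineligible'}")
    for pct in (100, 90):
        states = simulate(BwCostSite("usa", 80000, pct), HOVERING)
        print(f"threshold {pct}: {count_transitions(states)} state changes")
```

With the hovering samples, the threshold of 90 holds the site out of rotation until the value really drops, where re-entry at the limit would flip the site on every poll.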

Configuring Bandwidth Cost (Process)


To use the BW-Cost metric:

1. On the site ACOS devices, configure and enable SNMP.

2. On the GSLB ACOS device:
   a. Configure a GSLB SNMP template.
   b. Add the template to the GSLB site configuration.
   c. Optionally, set the bandwidth limit and threshold on the site. By default, the bandwidth limit is
      not set (unlimited).
   d. Enable the BW-Cost metric in the GSLB policy. By default, the BW-Cost metric is disabled.


Configuring Bandwidth Cost (CLI)

Configuring a GSLB SNMP Template (CLI)

The gslb template snmp command configures a GSLB SNMP template. This command adds the template
and changes the CLI to the configuration level for the template, where the following template-related
commands are available:

The version command specifies the SNMP version running on the site ACOS device.

The host command specifies the IP address of the site ACOS device.

The oid command specifies the interface MIB object to query on the site ACOS device. If the object is
part of a table, append the table index to the end of the OID. Otherwise, the ACOS device will return an
error.

The community command (SNMPv1 / SNMPv2c) specifies the community string required for
authentication.

The username command (SNMPv3) specifies the SNMPv3 username required for access to the SNMP
agent on the site ACOS device.

The security-level command specifies the SNMPv3 security level:

• no-auth – Authentication is not used and encryption (privacy) is not used. This is the default.

• auth-no-priv – Authentication is used but encryption is not used.

• auth-priv – Both authentication and encryption are used.

The auth-proto and auth-key commands apply at the auth-no-priv and auth-priv security levels. The
auth-proto command specifies the authentication protocol. The auth-key command specifies the
authentication key.

The priv-proto and priv-key commands apply at the auth-priv security level. The priv-proto command
specifies the privacy protocol used for encryption. The priv-key command specifies the encryption key.

The context-engine-id command specifies the SNMPv3 protocol engine ID running on the site ACOS
device. The context-name command specifies an SNMPv3 collection of management information
objects accessible by an SNMP entity. The security-engine-id command specifies the ID of the
SNMPv3 security engine running on the site ACOS device.

The interface command specifies the SNMP interface ID.

The interval command specifies the amount of time between each SNMP GET to the site ACOS
devices.

The port command specifies the port where site ACOS devices listen for SNMP requests from the
GSLB ACOS device.


To apply a GSLB SNMP template to a GSLB site, use the template command at the configuration level
for the site:

To configure the bandwidth limit and threshold on a site, use the bw-cost limit command at the site’s
configuration level.

To enable the bandwidth cost metric in a GSLB policy, use the bw-cost command at the configuration
level for the policy:

Use the show gslb site command to display BW-Cost data for a site.

Configuring SNMPv2c (CLI Example)

The following commands configure a GSLB SNMP template for SNMPv2c:

ACOS(config)# gslb template snmp snmp-1
ACOS(config-snmp:snmp-1)# version v2c
ACOS(config-snmp:snmp-1)# host 192.168.214.214
ACOS(config-snmp:snmp-1)# oid .1.3.6.1.2.1.2.2.1.16.12
ACOS(config-snmp:snmp-1)# community public
ACOS(config-snmp:snmp-1)# exit
ACOS(config)#

The following commands apply the SNMP template to a site and set the bandwidth limit and threshold:

ACOS(config)# gslb site usa
ACOS(config-gslb site:usa)# template snmp-1
ACOS(config-gslb site:usa)# bw-cost limit 100000 threshold 90
ACOS(config-gslb site:usa)# exit
ACOS(config)#

The following commands enable the BW-Cost metric in the GSLB policy:

ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# bw-cost fail-break
ACOS(config-policy:pol1)# exit
ACOS(config)#

The following command displays BW-Cost data for the site:

ACOS# show gslb site usa bw-cost
U = Usable, TI = Time Interval
USGN = Unsigned, SN64 = Unsigned 64
CNTR = Counter, CT64 = Counter 64
Site  Template  Current  Highest  Limit   U  Type  Len  Value       TI
--------------------------------------------------------------------------------
usa   snmp-1    31091    142596   100000  Y  CNTR  4    3355957308  3
ACOS#


Configuring SNMPv3 (CLI Example)

The following commands configure a GSLB SNMP template for SNMPv3. In this example, authentication
and encryption are both used.

ACOS(config)# gslb template snmp snmp-2
ACOS(config-snmp:snmp-2)# security-level auth-priv
ACOS(config-snmp:snmp-2)# host 192.168.214.214
ACOS(config-snmp:snmp-2)# username read
ACOS(config-snmp:snmp-2)# oid .1.3.6.1.2.1.2.2.1.16.12
ACOS(config-snmp:snmp-2)# priv-proto des
ACOS(config-snmp:snmp-2)# auth-key 12345678
ACOS(config-snmp:snmp-2)# priv-key 12345678
ACOS(config-snmp:snmp-2)#
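A pre-deployment check for GSLB SNMP templates, run here over the SNMPv2c and SNMPv3 CLI examples above plus one constructed template. This is an added example, not an A10 tool: the function names, finding codes and the 12-character key policy are assumptions of the example, and it reads only the template commands named on this page.

```python
import re
from typing import Dict, List

# Removes a CLI prompt such as "ACOS(config-snmp:snmp-1)# " from a transcript line.
PROMPT = re.compile(r"^[^#()\s]*\([^)]*\)#\s*")
WELL_KNOWN_COMMUNITIES = {"public", "private"}
MIN_KEY_LEN = 12  # this example's own policy value (assumption), not an ACOS rule

MESSAGES = {
    "cleartext-community": "SNMPv1/v2c sends the community string unencrypted",
    "default-community": "community string is a well-known default value",
    "v3-no-auth": "security level is no-auth (the default): no authentication, no encryption",
    "v3-no-privacy": "security level is auth-no-priv: polled data is not encrypted",
    "weak-privacy-des": "DES uses a 56-bit key and is no longer considered adequate",
    "key-reuse": "auth-key and priv-key are identical",
    "weak-key": "key is shorter than the policy minimum or digits only",
}

# The two templates from the CLI examples on this page.
PAGE_TEMPLATES = """\
ACOS(config)# gslb template snmp snmp-1
ACOS(config-snmp:snmp-1)# version v2c
ACOS(config-snmp:snmp-1)# host 192.168.214.214
ACOS(config-snmp:snmp-1)# oid .1.3.6.1.2.1.2.2.1.16.12
ACOS(config-snmp:snmp-1)# community public
ACOS(config-snmp:snmp-1)# exit
ACOS(config)#
ACOS(config)# gslb template snmp snmp-2
ACOS(config-snmp:snmp-2)# security-level auth-priv
ACOS(config-snmp:snmp-2)# host 192.168.214.214
ACOS(config-snmp:snmp-2)# username read
ACOS(config-snmp:snmp-2)# oid .1.3.6.1.2.1.2.2.1.16.12
ACOS(config-snmp:snmp-2)# priv-proto des
ACOS(config-snmp:snmp-2)# auth-key 12345678
ACOS(config-snmp:snmp-2)# priv-key 12345678
ACOS(config-snmp:snmp-2)#
"""

# Constructed template: an SNMPv3 user with no security-level line at all.
CONSTRUCTED_TEMPLATE = """\
gslb template snmp snmp-3
 host 192.0.2.10
 username monitor
 oid .1.3.6.1.2.1.2.2.1.16.12
"""


def parse_templates(text: str) -> Dict[str, Dict[str, str]]:
    """Collect the settings of each 'gslb template snmp <name>' block."""
    templates: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[:3] == ["gslb", "template", "snmp"] and len(words) == 4:
            current = templates.setdefault(words[3], {})
        elif words[0] == "exit":
            current = None
        elif current is not None and len(words) >= 2:
            current[words[0]] = " ".join(words[1:])
    return templates


def weak_key(key: str) -> bool:
    return len(key) < MIN_KEY_LEN or key.isdigit()


def audit_template(cfg: Dict[str, str]) -> List[str]:
    """Return finding codes for one template."""
    findings: List[str] = []
    # "v2c" is the token the page shows; "v1" is assumed here for SNMPv1.
    if cfg.get("version") in ("v1", "v2c") or "community" in cfg:
        findings.append("cleartext-community")
        if cfg.get("community", "").lower() in WELL_KNOWN_COMMUNITIES:
            findings.append("default-community")
        return findings
    level = cfg.get("security-level", "no-auth")  # no-auth is the documented default
    if level == "no-auth":
        findings.append("v3-no-auth")
    elif level == "auth-no-priv":
        findings.append("v3-no-privacy")
    if cfg.get("priv-proto") == "des":
        findings.append("weak-privacy-des")
    keys = [cfg[k] for k in ("auth-key", "priv-key") if k in cfg]
    if len(keys) == 2 and keys[0] == keys[1]:
        findings.append("key-reuse")
    if any(weak_key(k) for k in keys):
        findings.append("weak-key")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    return {name: audit_template(cfg) for name, cfg in parse_templates(text).items()}


if __name__ == "__main__":
    for name, codes in audit(PAGE_TEMPLATES + CONSTRUCTED_TEMPLATE).items():
        for code in codes:
            print(f"{name}: {code}: {MESSAGES[code]}")
```

Both page templates are flagged, so treat their values (community public, DES, key 12345678) as placeholders and replace them before deployment with the strongest authentication and privacy settings your ACOS release offers.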

Least-Response
Least-Response – Service IP addresses with the fewest hits are preferred.

Admin-IP
Admin-IP – Sites are preferred based on administratively assigned weight.

Round-Robin
Round-Robin – Sites are selected in sequential order.

The ACOS device uses Round-Robin as a tie-breaker to select a site. This is true even if the Round-
Robin metric is disabled in the GSLB policy.

Alias-Admin-Preference
The Alias-Admin-Preference metric selects the DNS CNAME record with the highest administratively
set preference. This metric is similar to the Admin-Preference metric, but applies only to DNS CNAME
records.

The Alias Admin Preference metric, which selects the DNS CNAME record with the highest
administratively set preference, can be used in DNS Proxy or DNS Server mode. Similarly, the Weighted
Alias metric, which expresses a preference for higher-weighted CNAME records, can be used in DNS
Proxy or DNS Server mode.

Some additional policy options are required in either mode.


• DNS proxy – Enable the geoloc-alias option. After GSLB retrieves the DNS response from the
  DNS answer, GSLB selects a DNS A record using IP metrics, and then tries to insert the DNS
  CNAME record into the answer based on geo-location settings. While inserting the CNAME
  record, if the Alias metrics are enabled, GSLB may remove some CNAME records and related
  service IPs.
• DNS server – If applicable, enable the backup-alias option. If there is no DNS A record to return,
  GSLB tries to insert all backup DNS CNAME records. During insertion, if Alias metrics are enabled,
  GSLB may remove some CNAME records. No DNS A records are returned.
  This option also requires the dns-cname-record as-backup option on the service.

Configuring Alias Admin Preference


To configure the Alias Admin Preference metric:

1. At the configuration level for the GSLB service, assign an administrative preference to the DNS
   CNAME record for the service.
2. At the configuration level for the GSLB policy:
   • Enable the Alias Admin Preference metric.
   • Enable one or both of the following DNS options, as applicable to your deployment:
     • DNS backup-alias
     • DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup option on the service.

Configuring Alias Admin Preference (CLI)


1. To assign an administrative preference to the DNS CNAME record for a service, use the
   admin-preference command (See “gslb zone” on page 187.) at the service configuration level.

2. To enable the Alias Admin Preference metric, use the alias-admin-preference command (See
   “alias-admin-preference” on page 202.) at the policy configuration level.

Weighted-Alias
The Weighted-Alias metric evaluates CNAME records. CNAME records with higher weight values have
preference over CNAME records with lower weight values. This metric is similar to Weighted-IP, but
applies only to DNS CNAME records.


Configuring Weighted Alias


To configure the Weighted Alias metric:

1. At the configuration level for the GSLB service, assign a weight to the DNS CNAME record for the
   service.
2. At the configuration level for the GSLB policy:
   • Enable the Weighted Alias metric.
   • Enable one or both of the following DNS options, as applicable to your deployment:
     • DNS backup-alias
     • DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup option on the service.

Configuring Weighted Alias (CLI)


1. To assign a weight to the DNS CNAME record for a service, use the weight command (See “gslb
zone” on page 187.) at the service configuration level.
2. To enable the Weighted Alias metric, use the weighted-alias command (See “weighted-alias” on
page 245.) at the policy configuration level.


DNS Options

This chapter describes available DNS options. The following sections describe DNS options and their
implementation:

• “DNS Options Preference” on page 91

• “Append NS Records in DNS Authority Section” on page 91

• “Support for DNS TXT Records” on page 92

• “Support for DNS CNAME Records” on page 93

• “DNS Option Descriptions” on page 94

DNS Options Preference


If more than one of the following options is enabled, GSLB uses them in the order listed:

1. DNS sticky (See “DNS Sticky” on page 112.)
2. DNS server (See “DNS Server” on page 112.)
3. DNS cache (See “DNS Cache” on page 98.)
4. DNS proxy (See “DNS Proxy” on page 110.)

GSLB does not have a separately configurable “proxy” option. The proxy option is automatically
enabled when you configure the DNS proxy as part of GSLB configuration.

The site address selected by the first option that is applicable to the client and requested service is
used.

Append NS Records in DNS Authority Section


GSLB supports name server (NS) records in the Authority Section of the DNS response. When this
feature is enabled, the GSLB ACOS device (running in server mode) will include all NS records in the
Authority Section of the DNS response that is sent to the client. By providing additional NS information,
this feature can be helpful if one or more of the name servers becomes unavailable.


To append all Name Server (NS) Resource Records (RR) in the Authority Section of a DNS reply from a
GSLB ACOS device in server mode, use the dns server authoritative ns-list command at the gslb
policy configuration level.

Support for DNS TXT Records


The TXT record is a type of DNS resource record, similar to an A record or a CNAME record, but it has
typically been used to carry machine-readable data, opportunistic encryption, Sender Policy Framework
(SPF), Domain Keys, and DNS-SD. (Refer to RFC 1464 for further details on uses for TXT resource
records.)

GSLB supports the ability to use DNS TXT resource records for the following purposes:

• Perform Add/Delete/Find operations, based on a DNS TXT record

• Support multiple DNS TXT records for each service

• Carry multiple pieces of DNS TXT data within one TXT record

• Support DNS TXT/ANY query in server mode

• Support GSLB debug functions

The maximum length of DNS TXT record data is 2048 characters.

Configuring DNS TXT Records


The dns server txt command configures the device to use DNS TXT resource records to carry
multiple pieces of DNS TXT data within one TXT record.

Then use the dns-txt-record command at the service config level within a GSLB zone:

The ACOS device has a special handler that enables you to enter non-printable characters that the CLI
does not support.

Displaying DNS TXT Records


To display the DNS TXT Records, use the show gslb service dns-txt-record command:

To display the DNS TXT switch, use the show gslb policy command:


Support for DNS CNAME Records


This feature enhances GSLB to reply to GSLB DNS requests with load-balanced CNAME records.
When the feature is enabled, a CNAME record is associated with a hostname server through a policy
assignment. The ACOS device can then monitor the record’s status through a port-level or server-level
health check.

The feature is defined on a GSLB policy basis. When the policy is assigned to a GSLB zone, the feature
is implemented for DNS server CNAME records that are managed within the zone.

Configuring DNS CNAME Load Balancing (CLI)


The following configuration implements the DNS CNAME records feature.

1. This code associates a pre-configured health monitor (HMONITOR-1) with the DNS servers accessed
from the GSLB zone. This code does not include the configuration of the HMONITOR-1 health
monitor.
ACOS(config)# slb server s1 www1.example.com
ACOS(config-real server)# health-check HMONITOR-1
ACOS(config-real server)# exit
ACOS(config)# slb server s2 www2.example.com
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# health-check HMONITOR-1
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

2. This code configures the policy for replying to CNAME records. The other policy commands filter
CNAME records that are DOWN and enable the return of a single CNAME record.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns server cname
ACOS(config-policy:OXYGEN)# dns active-only
ACOS(config-policy:OXYGEN)# dns selected-only 1
ACOS(config-policy:OXYGEN)# exit

3. This code applies the CNAME reply policy to the zone that accesses the DNS servers.

ACOS(config)# gslb zone a10africa.com
ACOS(config-zone:a10africa.com)# policy OXYGEN
ACOS(config-zone:a10africa.com)# service 80 www
ACOS(config-zone:a10africa.com-service:www)# dns-cname-record www1.example.com
ACOS(config-zone:a10africa.com-service:www)# dns-cname-record www2.example.com
ACOS(config-zone:a10africa.com-service:www)# exit
ACOS(config-zone:a10africa.com)# exit


DNS Option Descriptions


DNS options provide additional control over the IP addresses that are listed in DNS replies to clients.
The following DNS options can be set in GSLB policies:

• DNS action (See “DNS Action” on page 95.)

• DNS active-only (See “DNS Active-only” on page 95.)

• DNS addition-mx (See “DNS Addition-MX” on page 96.)

• DNS auto-map (See “DNS Auto-Mapping” on page 96.)

• DNS backup-alias (See “DNS Backup Alias” on page 97.)

• DNS backup-server (See “DNS Backup Server mode” on page 98.)

• DNS cache (See “DNS Cache” on page 98.)

• DNS cname-detect (See “DNS CNAME detect” on page 99.)

• DNS delegation (See “DNS Sub-zone Delegation” on page 99.)

• DNS external-ip (See “DNS External-IP” on page 104.)

• DNS external-soa (See “DNS External-SOA” on page 104.)

• DNS geoloc-action (See “DNS Geoloc-Action” on page 104.)

• DNS geoloc-alias (See “DNS Geoloc-Alias” on page 105.)

• DNS geoloc-policy (See “DNS Geoloc-Policy” on page 105.)

• DNS hint (See “Hints in DNS Responses” on page 105.)

• DNS ip-replace (See “DNS IP-Replace” on page 106.)

• DNS ipv6 (See “DNS IPv6” on page 106.)

• DNS logging (See “DNS Logging” on page 106.)

• DNS Proxy (See “DNS Proxy” on page 110.)

• DNS proxy block (See “DNS Proxy Block” on page 110.)

• DNS selected-only (See “DNS Selected-only” on page 112.)

• DNS server (See “DNS Server” on page 112.)

• DNS sticky (See “DNS Sticky” on page 112.)

• DNS ttl (See “DNS TTL Override” on page 112.)

The cname-detect and external-ip options are enabled by default. All the other DNS options are
disabled by default.


DNS Action
The DNS action option enables GSLB to perform DNS actions specified in the service configurations.

The dns action command enables the active-only fail-safe option and returns a list of server IP
addresses for failed servers (See “dns action” on page 207.).

DNS Active-only
By default, if all of the servers fail the health check, the GSLB controller returns an empty list to
the client, rather than sending the list of IP addresses for the servers that failed the health check.

You can configure the ACOS device to send the list of IP addresses (associated with servers that failed
their health checks) back to the client. The feature can be enabled using the new dns active-only metric
option.

In association with this feature, you can also designate one or more backup servers, and the IP
addresses for these servers will be sent to the client in the event that all of the primary servers have
failed. This behavior requires that you enable the dns backup-server feature within the GSLB policy, and
that you specify the backup servers within the DNS A-record for the GSLB zone service.

To summarize, there are now two options:

• active-only fail-safe – A list of IP addresses for the servers that failed the health check is sent
back to the client.
• backup-server – Designate one or more backup servers that can be returned to the client if the
primaries should fail.

Configuring DNS Active-Only (CLI)


The dns active-only fail-safe command enables the active-only fail-safe option and returns a list of
server IP addresses for failed servers (See “dns active-only” on page 207.).

These commands enable the DNS active-only fail-safe option within a GSLB policy, so a list of IP
addresses is sent to the client for the servers that fail the health check.

ACOS(config)# gslb policy default
ACOS(config-policy:default)# dns active-only fail-safe
ACOS(config-policy:default)# exit


DNS Addition-MX
The DNS Addition-MX option appends MX records in the Additional section in replies for A records,
when the device is configured for DNS proxy or cache mode. (See “dns addition-mx” on page 209.).

DNS Auto-Mapping
An ACOS device acting as a GSLB controller can retrieve the data needed to build the DNS system by
automatically returning DNS records by name. This GSLB Auto-Mapping feature reduces the required
amount of DNS management work when deploying GSLB.

Auto Mapping Details

• This feature only works with GSLB wildcard service.

• There is no L3V support for SLB server or SLB virtual server.

• Names exceeding 20 characters must be changed to DNS domain, with labels separated by the '.'
character.

With GSLB auto-mapping, the ACOS device automatically creates the service by taking the name of a
system resource, or "module", and appending it to the front of a zone to create the service name (DNS
name).

Once the servers and other network devices have been configured with basic information, auto-
mapping enables the GSLB protocol to support DNS queries for the following modules (or system
resources):

• SLB server

• SLB virtual server

• SLB device

• GSLB site

• GSLB service-IP

• GSLB Group

• Hostname

Configuring Auto-Mapping (CLI)


Configuring DNS Auto-mapping requires the following steps:

1. Configure DNS Auto-mapping at the zone level or system level.
2. Enable DNS Auto-mapping at the zone and/or system level.


Configure DNS Auto-mapping at the System Level (CLI)

By default, system auto-mapping is disabled until you configure the modules. However, after system
auto-mapping has been configured, the query name is the object’s name.

The gslb system auto-map module command (global configuration level) configures auto-mapping.

By default, all modules are enabled in the policy.

Configure DNS Auto-mapping at the Zone Level (CLI)

The dns auto-map command (See “dns auto-map” on page 209.) configures auto-mapping at the zone
level. This command enables creation of A and AAAA records for IP resources configured on the ACOS
device. This option is useful for auto-mapping VIP addresses to service-IP addresses.

To receive a DNS response, the query name is in this format: <obj-name>.<zone-name>

Example: For a real server named us-svr1 and a wildcard zone of example.com, the query name should
be us-svr1.example.com.

Configuring Auto-Mapping (CLI Example)

The following example configures a VIP called “WWW” at IP 192.168.1.100.

ACOS(config)# slb virtual-server WWW 192.168.1.100
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

Next, the commands below configure a GSLB policy “auto-map” for the zone “example.com”. A wildcard
service IP is used. If a client sends a query for a host within the “example.com” zone (for example,
an ACOS with the name "sj-acos"), then the full service name is “sj-acos.example.com”, and the GSLB
protocol will respond to the client’s query by providing the management IP address and the IP address
for the inbound data interface.

ACOS(config)# gslb policy auto-map
ACOS(config-policy:auto-map)# dns auto-map
ACOS(config-policy:auto-map)# gslb zone example.com
ACOS(config-zone:example.com)# service 80 *
ACOS(config-zone:example.com-service:*)# policy auto-map

DNS Backup Alias


The dns backup-alias option returns the alias CNAME record configured for the service when
GSLB does not receive an answer to a query for the service and no active DNS server exists. This option
is valid in server mode or proxy mode.


The dns backup-alias command (See “dns backup-alias” on page 210.) configures the DNS
backup-alias option.

DNS Backup Server mode


The DNS backup-server option designates one or more backup servers that can be returned to the
client if the primaries should fail. To designate one or more backup servers to be returned to the client if
the primary servers fail, do the following:

1. Use the dns backup-server command (See “dns backup-server” on page 212.) to enable the
backup server mode within the GSLB policy.
2. Specify the backup servers within the GSLB zone service with the dns-a-record command
(See “gslb zone” on page 187.).

Configuring Backup Server Mode (CLI Example)


The commands below are used within a GSLB policy to specify that a backup server at IP
192.168.123.1 will be returned to the client, should the primary servers fail.

ACOS(config)# gslb policy default
ACOS(config-policy:default)# dns backup-server
ACOS(config-policy:default)# exit
ACOS(config)# gslb zone z1
ACOS(config-zone:z1)# service 80 http
ACOS(config-zone:z1-service:http)# dns-a-record 192.168.123.1 as-backup
ACOS(config-zone:z1-service:http)# exit
ACOS(config-zone:z1)# exit

DNS Cache
The DNS Cache option enables the GSLB ACOS device to cache DNS replies. The ACOS device uses
information in the cached DNS entries to reply to subsequent client requests, as opposed to sending a
new DNS request for every client query.

When this option is enabled, the ACOS device caches a DNS reply for the duration of the TTL in the
reply when the aging time parameter is set to zero. To override the entry TTL, set the cache aging time
to a value greater than zero.

The dns cache command (See “dns cache” on page 213.) configures the DNS cache option.


DNS CNAME detect


The DNS CNAME detect option enables CNAME response mode. When the ACOS device is in CNAME
response mode, it applies the zone and service policy to the CNAME record instead of applying it to the
address record. When CNAME response mode is disabled, the zone and service policy is applied to the
address record.

The dns cname-detect command (See “dns cname-detect” on page 214.) configures the DNS cname-detect
option.

DNS Sub-zone Delegation


GSLB sub-zone delegation allows you to delegate authority or responsibility for a portion of the DNS
name space from the parent domain to a separate sub-domain which may reside on one or more
remote servers and may be managed by someone other than the network administrator who is
responsible for the parent zone.

By delegating responsibility for a sub-zone (or “sub-domain”), you are effectively dividing up the name
space. This division allows for partitioning the responsibility for the DNS name space management.

For example, assume a San Jose-based company is expanding rapidly and decides to open an office in
New York for its finance division. With the additional traffic generated by client DNS resolvers on the
East Coast, the parent domain, (“example.com”) may no longer suffice. In this case, it might be helpful
to add a separate sub-zone (“finance.example.com”) for the New York office. Such a scenario is shown
in Figure 6 on page 100.


FIGURE 6 Name space for finance division is delegated as new sub-zone

Figure 6 shows the root zone at the top of the DNS hierarchy. The figure also illustrates the following
important points:

• The next level down are the Top Level Domains (TLDs), or the DNS servers responsible for
managing the resource records for the “.com”, “.org” and other domains.
• The parent zone is located beneath the TLDs. It is at this level within the DNS structure that the
organization’s main domain (“example.com”) is located.
• A separate sub-zone (“finance.example.com”), representing the New York office, has been
delegated from the parent zone.

As this hypothetical sub-zone is branched off of the parent domain, it might be helpful to delegate
responsibility for managing this new sub-zone to an IT administrator who is also located in New York.

Keep in mind that during the process of delegating authority for any sub-zone, an NS record must be
added to the zone file within the authoritative name server for the parent zone. This must be done so
that other DNS servers and clients will recognize the new server as being authoritative for the particular
delegated sub-zone.

Details:

• Sub-zone delegation is enabled within a GSLB policy and applied at the zone level.

• When delegating a sub-zone, the GSLB ACOS device must be in server mode. The feature will not
work with the GSLB ACOS device in proxy mode.
• Once a sub-zone has been delegated from the parent zone, client resolvers will send a query for
the NS record, and the response from the GSLB ACOS device will have the NS record in the
Authority section and the IP address in the Additional section of the full DNS response.


The ACOS device supports configuration of glue records. A glue record can be configured to prevent
circular dependencies, which can occur if the name server is located in a sub-zone of the parent
domain. Such a scenario can make it impossible for the client resolver to locate the IP for the name
server, because it is located within a sub-zone of the parent domain. Configuring a glue record
eliminates this problem by providing an address record that appears in the Additional section of the
full DNS response, and this enables the client to find the name server.
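A check for the circular dependency described above: it reports which NS names of a delegation sit inside the delegated sub-zone and therefore need a glue record. This is an added example, not ACOS code; the function names and result strings are hypothetical, the zone and NS names are the ones used in this guide's delegation examples, and the glue address 192.0.2.53 is constructed.

```python
import ipaddress
from typing import Dict, List


def _labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_within(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it, compared label by label.

    A plain string suffix test is wrong here: "ns.notsub.example.com" ends
    with "sub.example.com" but is not inside that zone.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def check_delegation(sub_zone: str, ns_glue: Dict[str, List[str]]) -> Dict[str, str]:
    """Classify each NS name of a delegation.

    ns_glue maps an NS host name to the glue addresses configured for it.
    """
    result: Dict[str, str] = {}
    for ns, addresses in ns_glue.items():
        valid = []
        for text in addresses:
            try:
                valid.append(ipaddress.ip_address(text))
            except ValueError:
                continue  # a malformed address does not count as glue
        if not is_within(ns, sub_zone):
            # The name is resolved through another zone: no loop via this sub-zone.
            result[ns] = "glue-not-needed"
        elif valid:
            result[ns] = "glue-present"
        else:
            result[ns] = "glue-missing"
    return result


if __name__ == "__main__":
    report = check_delegation(
        "sub.sub.example.com.jp",
        {
            "ns01.sub.sub.example.com.jp": [],       # in-zone, no glue configured
            "ns.finance.example.com": [],            # outside the delegated zone
        },
    )
    for ns, status in report.items():
        print(f"{ns}: {status}")
```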

The dns delegation command (See “dns delegation” on page 215.) enables DNS subzone delegation.

Configuring DNS Sub-Zone Delegation (CLI Example #1)


The following command configures the GSLB policy, and places the GSLB ACOS device in server mode.
The delegation command, which is also applied at the DNS level, enables the sub-zone delegation.

ACOS(config)# gslb policy delegate-1
ACOS(config-policy:delegate-1)# dns server
ACOS(config-policy:delegate-1)# dns delegation
ACOS(config-policy:delegate-1)# exit

The following command creates the sub-zone to be delegated. Note that this also requires the
configuration of a wildcard service.

ACOS(config)# gslb zone sub.example.com
ACOS(config-zone:sub.example.com)# service 80 *
ACOS(config-zone:sub.example.com-service:*)# exit
ACOS(config-zone:sub.example.com)# exit

Alternatively, use these commands (instead of the previous gslb zone command block) to have the
feature support DNSSEC by removing the “sub.” from the zone config. See the DDoS Mitigation Guide
(for ADC) for information about DNS Security Extensions (DNSSEC).

ACOS(config)# gslb zone example.com
ACOS(config-zone:example.com)# service 80 *.sub
ACOS(config-zone:example.com-service:*.sub)# exit

The following command creates the NS record in the GSLB policy:

ACOS(config-zone:example.com)# dns-ns-record ns.finance.example.com

This command applies the delegation policy (delegate-1) at the zone level for the service group level:

ACOS(config-zone:example.com)# policy delegate-1

Configuring DNS Sub-Zone Delegation (CLI Example #2)


The following command configures the GSLB service IP “ns-ip-1” at IP 172.16.11.211 and disables the
health check at the service IP level and at port 53 for UDP.

ACOS(config)# gslb service-ip ns-ip-1 172.16.11.211


ACOS(config-service-ip:ns-ip-1)# health-check-protocol-disable
ACOS(config-service-ip:ns-ip-1)# health-check-disable
ACOS(config-service-ip:ns-ip-1)# port 53 udp
ACOS(config-service-ip:ns-ip-1-port:udp)# health-check-protocol-disable
ACOS(config-service-ip:ns-ip-1-port:udp)# health-check-disable
ACOS(config-service-ip:ns-ip-1-port:udp)# exit
ACOS(config-service-ip:ns-ip-1)# exit

The following command configures the GSLB service IP “dc1-vip” at IP 10.10.10.10 and disables the
health check at the service IP level and at port 80 for TCP.

ACOS(config)# gslb service-ip dc1-vip 10.10.10.10
ACOS(config-service-ip:dc1-vip)# health-check-protocol-disable
ACOS(config-service-ip:dc1-vip)# health-check-disable
ACOS(config-service-ip:dc1-vip)# port 80 tcp
ACOS(config-service-ip:dc1-vip-port:tcp)# health-check-protocol-disable
ACOS(config-service-ip:dc1-vip-port:tcp)# health-check-disable
ACOS(config-service-ip:dc1-vip-port:tcp)# exit
ACOS(config-service-ip:dc1-vip)# exit

The following command configures the GSLB service IP “dc2-vip” at IP 172.16.10.203 and disables the
health check at the service IP level and at port 80 for TCP.

ACOS(config)# gslb service-ip dc2-vip 172.16.10.203
ACOS(config-service-ip:dc2-vip)# health-check-protocol-disable
ACOS(config-service-ip:dc2-vip)# health-check-disable
ACOS(config-service-ip:dc2-vip)# port 80 tcp
ACOS(config-service-ip:dc2-vip-port:tcp)# health-check-protocol-disable
ACOS(config-service-ip:dc2-vip-port:tcp)# health-check-disable
ACOS(config-service-ip:dc2-vip-port:tcp)# exit
ACOS(config-service-ip:dc2-vip)# exit

The following commands configure a GSLB site called “dc1”. The site has an ACOS device, “dc1-acos”
at IP 10.10.10.50.

ACOS(config)# gslb site dc1
ACOS(config-gslb site:dc1)# slb-dev dc1-acos 10.10.10.50
ACOS(config-gslb site:dc1-slb dev:dc1-acos)# vip-server dc1-vip
ACOS(config-gslb site:dc1-slb dev:dc1-acos)# exit
ACOS(config-gslb site:dc1)# exit

The following commands configure a GSLB site called “dc2”. The site has an ACOS device, “dc2-acos”
at IP 172.16.10.50.

ACOS(config)# gslb site dc2
ACOS(config-gslb site:dc2)# slb-dev dc2-acos 172.16.10.50
ACOS(config-gslb site:dc2-slb dev:dc2-acos)# vip-server dc2-vip
ACOS(config-gslb site:dc2-slb dev:dc2-acos)# exit
ACOS(config-gslb site:dc2)# exit

The following commands configure a GSLB site called “dc5”. The site has an ACOS device, “dc5-ax” at
IP 172.16.11.50.

ACOS(config)# gslb site dc5
ACOS(config-gslb site:dc5)# slb-dev dc5-ax 172.16.11.50
ACOS(config-gslb site:dc5-slb dev:dc5-ax)# vip-server ns-ip-1
ACOS(config-gslb site:dc5-slb dev:dc5-ax)# exit
ACOS(config-gslb site:dc5)# exit

The following commands configure three GSLB policies: (1) the default GSLB policy, (2) GSLB policy “5”
(for delegation), and (3) GSLB policy “dns-server”. The ACOS delegates authority for the sub-domain
“sub.sub.example.com.jp” to nameserver "ns01.sub.sub.example.com.jp".

ACOS(config)# gslb policy default
ACOS(config-policy:default)# exit
ACOS(config)# gslb policy 5
ACOS(config-policy:5)# dns delegation
ACOS(config-policy:5)# dns server
ACOS(config-policy:5)# exit
ACOS(config)# gslb policy dns-server
ACOS(config-policy:dns-server)# dns server
ACOS(config-policy:dns-server)# exit

The following commands create the GSLB zone “sub.sub.example.com.jp” and create a wildcard service
within the zone. The GSLB policy “5”, created above, is assigned to the wildcard service, and an NS
record is created for the name server, “ns01.sub.sub.example.com.jp”.

ACOS(config)# gslb zone sub.sub.example.com.jp
ACOS(config-zone:sub.sub.example.)# service 80 *
ACOS(config-zone:sub.sub.example.-servic...)# policy 5
ACOS(config-zone:sub.sub.example.-servic...)# dns-ns-record ns01.sub.sub.example.com.jp
ACOS(config-zone:sub.sub.example.-servic...)# exit

The following commands are used within the same GSLB zone “sub.sub.example.com.jp” to create a
service for port 53 called “ns01”. The GSLB policy “dns-server”, created above, is assigned to the
service, and an A record is created for “ns-ip-1” to return the associated Service-IP if the DNS is in
server mode.

ACOS(config-zone:sub.sub.example.)# service 53 ns01
ACOS(config-zone:sub.sub.example.-service...)# policy dns-server
ACOS(config-zone:sub.sub.example.-service...)# dns-a-record ns-ip-1 static
ACOS(config-zone:sub.sub.example.-service...)# exit
ACOS(config-zone:sub.sub.example.)# exit


The following commands create the GSLB zone “sub.example.com.jp” and enable the http service.
Then, the policy “dns-server” is bound and A records are created for “dc1-vip” and “dc2-vip”.

ACOS(config)# gslb zone sub.example.com.jp
ACOS(config-zone:sub.example.com.)# service 80 www
ACOS(config-zone:sub.example.com.-service...)# policy dns-server
ACOS(config-zone:sub.example.com.-service...)# dns-a-record dc1-vip static
ACOS(config-zone:sub.example.com.-service...)# dns-a-record dc2-vip static
ACOS(config-zone:sub.example.com.-service...)# exit
ACOS(config-zone:sub.example.com.)# exit

The following command enables the GSLB and makes this ACOS device the GSLB controller.

ACOS(config)# gslb protocol enable controller

DNS External-IP
The DNS external-ip option configures the device to return the external IP address configured for a ser-
vice IP. If this option is disabled, the internal address is returned instead.

The dns external-ip command (See “dns external-ip” on page 216.) configures the DNS external-ip
option.

DNS External-SOA
The DNS external-soa option replaces the internal SOA record with an external SOA record to prevent
external clients from gaining information that should only be available to internal clients. If this option
is disabled, the internal address is returned.

The dns external-soa command (See “dns external-soa” on page 217.) configures the DNS external-
soa option.

DNS Geoloc-Action
The DNS geoloc-action option performs the DNS traffic handling action specified for the client’s geo-
location. The action is specified as part of service configuration in a zone.

The dns geoloc-action command (See “dns geoloc-action” on page 218.) configures the DNS geoloc-
action option.


DNS Geoloc-Alias
The DNS geoloc-alias option replaces the IP address with its alias configured on the GSLB ACOS
device.

The dns geoloc-alias command (See “dns geoloc-alias” on page 219.) configures the DNS geoloc-
alias option.

DNS Geoloc-Policy
The DNS geoloc-policy option returns the alias name configured for the client’s geo-location.

The dns geoloc-policy command (See “dns geoloc-policy” on page 220.) configures the DNS geoloc-
policy option.

Hints in DNS Responses


By default, the ACOS device places hints in the Additional Section of the DNS response. Hints are A or
AAAA records that are sent in the response to a client’s DNS request. These records provide a mapping
between the host names and IP addresses.

You can disable the appearance of hints in a DNS response. In addition, you also can determine where
in the DNS response the hints will appear.

Hints can appear in the following sections of a DNS response:

• None – Does not append hints in the DNS response

• Additional – Appends hints in the Additional Section (default)

• Answer – Appends hints in the Answer Section

This option applies to the following record types:

• NS

• MX

• SRV

Configuring DNS Response Hints (CLI)


The dns hint command (See “dns hint” on page 221.) specifies the Hint Record (or Glue Record) that
appears in DNS replies sent from the GSLB ACOS device to a client’s DNS request.


These commands configure the ACOS device to include the Hint Record in the Answer Section of the
DNS response. One possible use is when the local DNS server has trouble parsing the Additional Sec-
tion that appears in a full DNS reply.

ACOS(config)# gslb policy default
ACOS(config-policy:default)# dns hint answer
ACOS(config-policy:default)# exit

DNS IP-Replace
The DNS ip-replace option replaces the IP addresses with the set of addresses administratively
assigned to the service in the zone configuration.

The dns ip-replace command (See “dns ip-replace” on page 222.) configures the DNS ip-replace
option.

DNS IPv6
The DNS ipv6 options enable support for IPv6 AAAA records.

• The dns ipv6 mapping command (See “dns ipv6 mapping” on page 223.) specifies the ACOS
device response to an IPv6 DNS query.
• The dns ipv6 mix command (See “dns ipv6 mix” on page 224.) configures the ACOS device to
return AAAA and A records in the same response.
• The dns ipv6 smart command (See “dns ipv6 smart” on page 225.) enables IPv6 return by query
type.

DNS Logging
The following output options for GSLB logging are supported:

• Log only to the ACOS device’s local logging buffer.

• Log only to remote log servers.

Logging only to remote log servers is useful for deployments that experience high volumes of GSLB
DNS traffic. Sending the logs for this activity to a group of remote servers prevents these messages
from flooding the ACOS device’s log.

• Logging only to remote log servers applies specifically to GSLB DNS logging, configurable glob-
ally and in individual GSLB policies.
• Logging templates are included in HA or VRRP-A configuration synchronization. They are not
included in GSLB synchronization among GSLB groups.


Enabling DNS Logging for a GSLB Policy (Process)


To enable DNS logging for a GSLB policy:

1. Configure a logging group and logging template, if not already configured. Logging groups also are
supported in previous releases. Beginning in ACOS 2.7.2-P2, you also can use logging groups for
GSLB. You can configure the logging group to receive log traffic over TCP or UDP, depending on
which Layer 4 protocol the servers use to receive log traffic.
2. In the GSLB policy, enable DNS logging and specify the SLB logging group to use. By specifying a
logging group, you enable remote logging and disable local logging, for GSLB DNS events.

Enabling DNS Logging for a GSLB Policy (CLI Example)


The following commands create a simple GSLB configuration that uses remote logging for DNS events
handled by GSLB. In this simple deployment, client DNS requests for the IP address of “www.exam-
ple.com” always receive the same IP address (192.1.1.190) in the DNS response from GSLB.

The policy in this example is set to run GSLB in DNS server mode. Logging of GSLB DNS events to
remote logging servers also is supported for proxy mode. The syntax for the logging portion of the con-
figuration is the same.

Logging Group Configuration (CLI Example)

These commands configure the logging group, which consists of the logging server, service group, and
logging template.

ACOS(config)# slb server log-s1 10.1.1.20
ACOS(config-real server)# port 1514 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group log tcp
ACOS(config-slb svc group)# member log-s1 1514
ACOS(config-slb svc group-member:1514)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb template logging log
ACOS(config-logging)# service-group log
ACOS(config-logging)# exit

GSLB Configuration (CLI Example)

These commands configure the DNS VIP that will intercept UDP DNS requests from clients:

ACOS(config)# slb virtual-server vip 10.1.1.190
ACOS(config-slb vserver)# port 53 udp
ACOS(config-slb vserver-vport)# gslb-enable
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

These commands configure the service-IP and the site. This is the site that GSLB helps clients reach.
The site SLB device that is load-balancing the server (192.1.1.190) is a Thunder device (192.1.1.100).
The site SLB device’s configuration is not shown.

ACOS(config)# gslb service-ip gs3 192.1.1.190
ACOS(config-service-ip:gs3)# port 80 tcp
ACOS(config-service-ip:gs3-port:tcp)# exit
ACOS(config-service-ip:gs3)# exit
ACOS(config)# gslb site ssl
ACOS(config-gslb site:ssl)# slb-dev thunder 192.1.1.100
ACOS(config-gslb site:ssl-slb dev:thunder)# vip-server gs3
ACOS(config-gslb site:ssl-slb dev:thunder)# exit
ACOS(config-gslb site:ssl)# exit

The following commands configure the GSLB policy. The dns logging both template log command
enables logging of DNS events to remote logging servers and disables logging of the events to the local
buffer.

ACOS(config)# gslb policy p1
ACOS(config-policy:p1)# dns server
ACOS(config-policy:p1)# dns logging both template log
ACOS(config-policy:p1)# exit

These commands configure the zone, “example.com” and service, “www”. For this service, a static DNS
Address (A) record is configured. Based on this configuration, GSLB responds to client queries for
www.example.com with the IP address of service-IP “gs3”.

ACOS(config)# gslb zone example.com
ACOS(config-zone:example.com)# policy p1
ACOS(config-zone:example.com)# service 80 www
ACOS(config-zone:example.com-service:www)# dns-a-record gs3 static
ACOS(config-zone:example.com-service:www)# exit
ACOS(config-zone:example.com)# exit

GSLB DNS Log Messages Sent to Remote Log Server


The following messages are sent to the remote logging server to indicate a DNS query from a client for
www.example.com, and the response sent to the client:

May 30 17:22:16 10.1.1.180 QUERY Fwd 10.1.1.190 10.1.1.68 www.example.com A 43617
May 30 17:22:16 10.1.1.180 RESP Server 10.1.1.190 10.1.1.68 www.example.com A 43617 0 0 1 [A,1,10,4,192.1.1.190]


Query Log

The first message logs the DNS query message intercepted by ACOS and forwarded to the GSLB DNS
server. The message provides the following details:

• May 30 17:22:16 10.1.1.180 – Timestamp indicating the system time on the ACOS device when
GSLB generated the message.

• QUERY – Type of DNS message.

• Fwd 10.1.1.190 – VIP address of the GSLB DNS server to which ACOS forwarded the request.
  • If GSLB is running in DNS server mode, this is the GSLB DNS VIP configured on the same
  device.
  • If GSLB is running in DNS proxy mode, this is the IP address of the external DNS server bound to
  the DNS VIP.

• 10.1.1.68 – Client IP address (local DNS).

• www.example.com – The host for which the client is requesting the IP address.

• A – The type of query. In this example, this is a query for an IPv4 address (A).

• 43617 – DNS transaction ID.

Response Log

The second message logs the response to the client’s DNS query.

• May 30 17:22:16 10.1.1.180 – Message timestamp.

• RESP – Type of message, in this case a DNS Response.

• Server – GSLB DNS mode, Proxy or Server.

• 10.1.1.190 – VIP address of the GSLB DNS server from which the response is sent.

• 10.1.1.68 – Client IP address (local DNS).

• www.example.com – The host for which the client is requesting the IP address.

• A – Type of record in the response. In this case, the response includes an IPv4 address record.

• 43617 – DNS transaction ID.

• 0 0 1 – Shows the following information:
  • GSLB error code (Code 0 indicates success.)
  • DNS reply code in header
  • Answer count

• [A,1,10,4,192.1.1.190] – Content of the answer:
  • A – Record type
  • 1 – Class type
  • 10 – TTL
  • 4 – Data length
  • 192.1.1.190 – DNS VIP address of the GSLB DNS server (or proxy, if proxy mode is used)
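
The field layout described above is enough to parse these messages on the remote log server. The following Python sketch is an added example, not A10 code: it parses QUERY and RESP messages, pairs them by client, host name and transaction ID, and reports queries that never received a response and responses with a non-zero GSLB error code or DNS reply code. It assumes that the address after the time is the logging ACOS device, that each answer is logged as one bracketed group, and that a response without answers has no bracketed group; all sample lines after the first two are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# First two lines are the messages shown in this guide; the remaining three
# are constructed: an unanswered MX query and a query answered with rcode 3.
SAMPLE_LOG = """\
May 30 17:22:16 10.1.1.180 QUERY Fwd 10.1.1.190 10.1.1.68 www.example.com A 43617
May 30 17:22:16 10.1.1.180 RESP Server 10.1.1.190 10.1.1.68 www.example.com A 43617 0 0 1 [A,1,10,4,192.1.1.190]
May 30 17:22:17 10.1.1.180 QUERY Fwd 10.1.1.190 10.1.1.68 mail.example.com MX 43618
May 30 17:22:18 10.1.1.180 QUERY Fwd 10.1.1.190 10.1.1.68 nope.example.com A 43619
May 30 17:22:18 10.1.1.180 RESP Server 10.1.1.190 10.1.1.68 nope.example.com A 43619 0 3 0
"""

HEADER = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+(QUERY|RESP)\s+(.+)$")
ANSWER = re.compile(r"\[([^\]]*)\]")


@dataclass
class Answer:
    rtype: str
    rclass: int
    ttl: int
    length: int
    data: str


@dataclass
class DnsEvent:
    timestamp: str
    device: str   # assumption: address of the ACOS device that logged the event
    kind: str     # QUERY or RESP
    mode: str     # "Fwd" on queries; Proxy or Server on responses
    vip: str
    client: str
    qname: str
    rtype: str
    txid: int
    gslb_error: Optional[int] = None
    rcode: Optional[int] = None
    answer_count: Optional[int] = None
    answers: List[Answer] = field(default_factory=list)


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one GSLB DNS log message; return None if it does not fit the layout."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    timestamp, device, kind, rest = m.groups()
    try:
        answers = []
        for body in ANSWER.findall(rest):
            parts = body.split(",", 4)   # type, class, TTL, data length, data
            if len(parts) != 5:
                return None
            answers.append(Answer(parts[0], int(parts[1]), int(parts[2]),
                                  int(parts[3]), parts[4]))
        tokens = ANSWER.sub("", rest).split()
        if len(tokens) != (6 if kind == "QUERY" else 9):
            return None
        mode, vip, client, qname, rtype, txid = tokens[:6]
        event = DnsEvent(timestamp, device, kind, mode, vip, client,
                         qname.lower(), rtype, int(txid), answers=answers)
        if kind == "RESP":
            event.gslb_error, event.rcode, event.answer_count = (
                int(t) for t in tokens[6:9])
        return event
    except ValueError:
        return None


def review(log_text: str) -> dict:
    """Pair queries with responses and collect the events worth a second look."""
    pending = {}
    findings = {"unanswered": [], "failed": [], "unparsed": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            findings["unparsed"].append(line)
            continue
        # The VIP is left out of the key: in proxy mode the query line names
        # the external DNS server, the response line the GSLB DNS VIP.
        key = (event.client, event.qname, event.txid)
        if event.kind == "QUERY":
            pending[key] = event
        else:
            pending.pop(key, None)
            if event.gslb_error or event.rcode:
                findings["failed"].append(event)
    findings["unanswered"] = list(pending.values())
    return findings


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for name, events in result.items():
        print(name, [getattr(e, "qname", e) for e in events])
```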

DNS Proxy
GSLB does not have a separately configurable “proxy” option. The proxy option is automatically
enabled when you configure the DNS proxy as part of GSLB configuration.

DNS Proxy Block


DNS Proxy Block enables an ACOS device to block DNS client queries from being sent to an internal
DNS server. The ACOS device must be in GSLB proxy mode for the feature to work.

The DNS Proxy Block feature can be used to block DNS queries based on DNS query type, DNS query
number, or by specifying a range of numbers.

The feature can be used to block the following well-known DNS types:

• A (type 1)

• AAAA (type 28)

• CNAME (type 5)

• MX (type 15)

• NS (type 2)

• PTR (type 12)

• SOA (type 6)

• SRV (type 33)

• TXT (type 16)

After specifying the type of DNS query to be blocked, select an action to perform on the selected DNS
query type, for example, drop or reject.

When selecting an action to perform on a query type, keep in mind the following caveats:

• Selecting a DNS query type without specifying the action will cause the default action to be
applied to the selected query type. The default action is “drop”.


• Selecting an action without specifying the query type will cause the feature to essentially remain
disabled. If no query type has been identified, then no action is applied, even if an action has been
specified.

Implementing this feature may reduce the amount of traffic sent to back-end DNS servers. This can
increase efficiency by reducing the burden on those servers. This feature may also be desirable in situ-
ations where resource records reside on a DNS server that is accessible to both internal and external
clients. In such situations where the same DNS server is being accessed by both internal and external
clients, the DNS Proxy Block feature helps prevent sensitive resource records on an internal DNS server
from being leaked to external clients.

• The GSLB ACOS device must be operating in proxy mode to support the DNS Proxy Block feature.

• The feature is configured within the GSLB policy and is applied at the zone and service levels.

• Multiple query types can be specified, but only one action can be applied to those query types.
Therefore, the first bullet below would be an acceptable configuration, but the second bullet
would not:
  • Reject both SRV and CNAME query types (OK)
  • Reject SRV but drop CNAME query types (Not OK)

Configuring GSLB DNS Proxy Block (CLI)


• The dns proxy block command (See “dns proxy block <query>” on page 227.) programs the
ACOS device to block DNS queries from being sent to an internal DNS server.
• The dns proxy block command (See “dns proxy block <type>” on page 228.) blocks a specified
type of DNS queries.
• The dns proxy block command (See “dns proxy block action” on page 229.) specifies the ACOS
device method of handling blocked DNS queries.

The following example shows the commands used to create a GSLB policy, enable the DNS Proxy
Block feature for A records, and then apply the policy to the zone called “example.com” for the service
http.

ACOS(config)# gslb policy pol-1
ACOS(config-policy:pol-1)# dns proxy block a
ACOS(config-policy:pol-1)# exit
ACOS(config)# gslb zone example.com
ACOS(config-zone:example.com)# policy pol-1
ACOS(config-zone:example.com)# service 80 www
ACOS(config-zone:example.com-service:www)# exit
ACOS(config-zone:example.com)#


DNS Selected-only
The DNS selected-only option configures the device to return only the selected IP addresses.

The dns selected-only command (See “dns selected-only” on page 230.) enables return of only
selected IP addresses. The command specifies a limit of records that can be returned after a record is
selected. When the number of records exceeds the configured value, GSLB ignores this configuration.

DNS Server
The DNS Server option enables the GSLB ACOS device to act as a DNS server for specific service IPs
in the GSLB zone. When this setting is enabled, the ACOS device responds directly to address queries
for specific service IP addresses in the GSLB zone. The ACOS device still forwards other types of
queries to the DNS server.

In DNS Server mode, the dns cname-detect command is not required. When a client requests a config-
ured alias name, GSLB applies the policy to the CNAME records. The dns server command is not valid
with the dns ip-replace command. They are mutually exclusive.

DNS Server mode requires enabling the static option on the individual service IP. (To configure
the service IP addresses, use the service-ip command at the configuration level for the service.)

The dns server command (See “dns server” on page 231.) configures the DNS server option.

DNS Sticky
The DNS Sticky option sends the same service IP address to a client for all requests from that client
for the service address.

The dns sticky command (See “dns sticky” on page 233. ) programs the device to send the same ser-
vice IP address to a client for all requests from that client for the service address. Sticky DNS ensures
that, during the aging-time, a client is always directed to the same site.

DNS TTL Override


GSLB ensures that DNS replies to clients contain the optimal set of IP addresses based on current net-
work conditions. However, if the DNS TTL value assigned to the Address records is long, the local DNS
servers used by clients might cache the replies for a long time and send those stale replies to clients.
Thus, even though the GSLB ACOS device has current information, clients might receive outdated infor-
mation.

To ensure that the clients’ local DNS servers do not cache the DNS replies for too long, you can config-
ure the GSLB ACOS device to override the TTL values of the Address records in the DNS replies before
sending the replies to clients.


The TTL of the DNS reply can be overridden in two different places in the GSLB configuration:

1. If a GSLB policy is assigned to the individual service, the TTL set in that policy is used.
2. If no policy is assigned to the individual service, but the TTL is set in the zone, then the zone’s TTL
setting is used.

By default, the TTL override is not set in either of these places.

In DNS server mode, the DNS response from the ACOS device includes an IP TTL (maximum number of
Layer 3 hops), with a default value equal to 255. This IP TTL can be configured using the following CLI
command: gslb system ip-ttl.

The dns ttl command (See “dns ttl” on page 235. ) programs the ACOS device to change the TTL of
each DNS record contained in DNS replies received from the DNS for which the ACOS device is a proxy.


Geo Location Mappings

You can configure geo-location mappings manually or by loading the mappings from a file. Configuring
the geo-location mappings manually might not be practical, unless you have only a few sites.

The geo-location configuration options are described in detail below. To skip the descriptions and go
directly to configuration instructions, see one of the following sections. Each section provides the pro-
cedure for one of the approaches to configuring geo-location mappings.

• “Loading or Configuring Geo-Location Mappings” on page 115

• “Manually Configuring Geo-Location Mappings” on page 119

• “Geo-location Overlap” on page 120

• “Geo-location-based Access Control” on page 122

Loading or Configuring Geo-Location Mappings

Geo-Location Database Files


You can load the geo-location database (which contains the geo-location mappings) from one of the
following types of files:

• Internet Assigned Numbers Authority (IANA) database – The IANA database contains geo-
graphic locations of IP address ranges and subnets assigned by the IANA. This database is
loaded by default.
• Custom database in CSV format – You can load a custom geo-location database from a file in
comma-separated-values (CSV) format. However, before loading the file, you must first configure
a CSV template on the ACOS device because the data in the file is formatted by the template.

Geo-Location Mappings
A geo-location mapping consists of a geo-location name and an IP address or IP range.

• If you manually map a geo-location to a GSLB site, GSLB uses the mapping.

• If no geo-location is configured for a GSLB site, GSLB automatically maps the service-ip to a geo-
location in the loaded geo-location database.


• If a service-ip cannot be mapped to a geo-location, GSLB maps the site ACOS device to a geo-
location.

If more than one geo-location matches a client’s IP address, the most specific match is used. For
example, if a client is in the same city as a site ACOS, that site will be preferred. If the client and site are
in the same state but in different cities, the site in that state will be preferred.

Only one database can be active. If you load more than one database, the most-recently loaded one
becomes the active one, and the older database is no longer used. Data from the older database is not
merged into the new database. Using the “load” command to load a new database will synchronize the
start-up configuration among all GSLB group members.

There is full parity in the synchronization, so the process works in reverse also. Unloading a geo-loca-
tion database from a configuration, or deleting a geo-location database, will remove that database from
all GSLB group members.

Example Database File


An example of a database file is shown below. Each record is a single line in the file. (The blank
lines between the records were added here to improve readability; the database file itself should not
contain them.)

"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS", "COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"

"1159364096","1159364351","US","UNITED STATES","NA","NORTH AMERICA","","","","ENVIRONMENTAL COMPLIANCE SERVICE","SILVER","","32.0708","-100.682"

"1159364352","1159364607","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS", "MLS PROPERTY INFORMATION NETWORK","SHREWSBURY","WORCESTER","42.2959","-71.7134"
...

The example above shows how the CSV file appears when displayed in a text editor. If the same data
were displayed in a spreadsheet application, it would appear like Figure 7 below.

FIGURE 7 CSV File in Spreadsheet Application

The database file can contain more types of information (fields, or columns) than are required for the
GSLB database. When you load the CSV file into the geo-location database, the CSV template on the
ACOS device filters the file to extract the required data, while ignoring the rest of the data. In the
example below, only the fields shown in bold type will be extracted and placed into the geo-location
database:

"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"

These fields contain the following information:

From IP address (starting IP address in range), To IP address (ending IP address in range, or subnet mask), Continent, Country

The IP addresses in this example are in bin4 format. Dotted decimal format (for example: 69.26.125.0)
is also supported. If you use bin4 format, the ACOS device automatically converts the addresses into
dotted decimal format when you load the database into GSLB.

Converting IP Addresses into bin4 Format


If you want to use bin4 format in the CSV file, here is how to convert an IP address from dotted-decimal
format to bin4 format:

1. Convert each node into Hex.
2. Convert the resulting Hex number into decimal.
3. Enter the decimal number into the database file.

Here is an example for IP address 192.0.2.18, the first IP address in the example CSV file:

Dotted Decimal    Hex of Each Node    Combined Hex    Decimal
192.0.2.18        C0.00.02.12         C0000212        3221226002
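
The conversion steps above, together with the field positions used by the “test1-template” CSV template in this chapter, can be checked offline before a file is imported. The following Python sketch is an added example, not part of ACOS: it converts between dotted decimal and bin4, pulls out the four templated fields from each record, and rejects records that are too short, carry a bad address, or have a range that starts above its end. It assumes the second templated field holds an ending IP address rather than a subnet mask; the last sample record is constructed.

```python
import csv
import io
import ipaddress

# Field positions (1-based) as configured for "test1-template" in this guide.
TEMPLATE = {"ip-from": 1, "ip-to-mask": 2, "continent": 5, "country": 3}

# The three records from the guide's example file, plus one constructed bad
# record whose range start is above its range end.
SAMPLE_CSV = '''\
"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS", "COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"
"1159364096","1159364351","US","UNITED STATES","NA","NORTH AMERICA","","","","ENVIRONMENTAL COMPLIANCE SERVICE","SILVER","","32.0708","-100.682"
"1159364352","1159364607","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS", "MLS PROPERTY INFORMATION NETWORK","SHREWSBURY","WORCESTER","42.2959","-71.7134"
"3221226002","3221225984","ZZ","CONSTRUCTED","ZZ","CONSTRUCTED"
'''


def dotted_to_bin4(addr):
    """Hex of each node, combined into one hex number, read as decimal."""
    nodes = addr.strip().split(".")
    if len(nodes) != 4 or not all(n.isdigit() and int(n) <= 255 for n in nodes):
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr!r}")
    combined_hex = "".join(f"{int(n):02X}" for n in nodes)
    return int(combined_hex, 16)


def bin4_to_dotted(value):
    """Inverse conversion; raises ValueError outside 0..2**32-1."""
    return str(ipaddress.IPv4Address(int(value)))


def to_bin4(text):
    """Accept either notation and return the bin4 integer."""
    text = text.strip()
    if "." in text:
        return dotted_to_bin4(text)
    return int(ipaddress.IPv4Address(int(text)))


def extract(csv_text, template=TEMPLATE, delimiter=","):
    """Return (records, rejected) for the fields the template selects."""
    records, rejected = [], []
    # skipinitialspace copes with the stray space after a delimiter that
    # appears in the guide's example records.
    reader = csv.reader(io.StringIO(csv_text), delimiter=delimiter,
                        skipinitialspace=True)
    for row in reader:
        if not row:
            continue
        lineno = reader.line_num
        if len(row) < max(template.values()):
            rejected.append((lineno, "too few fields"))
            continue
        picked = {name: row[pos - 1].strip() for name, pos in template.items()}
        try:
            start = to_bin4(picked["ip-from"])
            end = to_bin4(picked["ip-to-mask"])
        except ValueError:
            rejected.append((lineno, "bad address"))
            continue
        if start > end:
            rejected.append((lineno, "range start above range end"))
            continue
        records.append({"from": bin4_to_dotted(start), "to": bin4_to_dotted(end),
                        "continent": picked["continent"],
                        "country": picked["country"]})
    return records, rejected


if __name__ == "__main__":
    good, bad = extract(SAMPLE_CSV)
    for rec in good:
        print(rec)
    print("rejected:", bad)
```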

CSV File Field Delimiters


CSV file fields must be separated by a delimiter. By default, the ACOS device interprets commas as
delimiters. When configuring a CSV template on the ACOS device, the delimiter can be set to any valid
ASCII character.

Creating and Loading a Custom Geo-Location Database


To create and load a custom geo-location database:

1. Prepare the database file. (This step requires an application that can save to text or CSV format,
and it cannot be performed on the ACOS device.)
2. Configure a CSV template on the ACOS device. The CSV template specifies the field positions (or
columns) in the database that should be extracted, such as IP address and location information.
3. Import the CSV file onto the ACOS device.
4. Load the CSV file.
5. Display the geo-location database.

Configuring the CSV Template


On the ACOS device, you must configure a CSV template for the database file. When you load the file
into GSLB, the ACOS device uses the template to extract the data and load it into the GSLB database.

1. Use the gslb template csv command to create the template.
2. Use the field command to identify the field positions for the geo-location data:
3. If the CSV file does not use commas to delimit fields, use the delimiter command to specify the
delimiter.

Importing the CSV File


To import the CSV file onto the ACOS device, use the import geo-location command at the Privileged
EXEC or global configuration level of the CLI:

You can enter the entire URL on the command line or press Enter to display a prompt for each part of
the URL. If you enter the entire URL and a password is required, you will still be prompted for the
password. To enter the entire URL:

• tftp://host/file

• ftp://[user@]host[:port]/file

• scp://[user@]host/file

• disk:path

• sftp://[user@]host/file

(For information about the use-mgmt-port option, see the “Using the Management Interface as the
Source for Management Traffic” chapter in the System Configuration and Administration Guide.)

Loading the CSV File Data into the Geo-Location Database


To load the CSV file, use the gslb geo-location command at the global configuration level of the CLI:

Use the file name you specified when you imported the CSV file, and the name of the CSV template to
be used for extracting data from the file.

To display information about CSV files as they are being loaded, use the show gslb geo-location com-
mand:


Manually Configuring Geo-Location Mappings


To manually configure a geo-location mapping:

1. Configure each geographic location (geo-location) as a named range of client IP addresses. You
can configure geo-locations globally and within individual GSLB policies.
To configure a geo-location, use the gslb geo-location command at the global configuration level
or at the configuration level for the GSLB policy:
2. Associate a site with a geo-location name, using the geo-location command at the configuration
level for the site:

If you configure geo-locations globally and at the configuration level for individual sites, and a client IP
address matches both a globally configured geo-location and a geo-location configured on a site, the
globally configured geo-location is used by default. To configure the GSLB ACOS device to use geo-
locations configured on individual sites instead, use the geo-location match-first policy command at
the configuration level for the policy.

Displaying the Geo-Location Database


To display the geo-location database, use the show gslb geo-location command:

To search for an entry in the geo-location database that is based on client IP address, use the show
gslb geo-location command:

The commands in this example load a custom geo-location database from a CSV file called “test.csv”,
and then display the database. The test.csv file is shown in “Example Database File” on page 116.

First, the following commands configure the CSV template:

ACOS(config)# gslb template csv test1-template
ACOS(config-gslb template csv)# field 1 ip-from
ACOS(config-gslb template csv)# field 2 ip-to-mask
ACOS(config-gslb template csv)# field 5 continent
ACOS(config-gslb template csv)# field 3 country
ACOS(config-gslb template csv)# exit

The following command imports the file onto the ACOS device:

ACOS(config)# import geo-location test1.csv ftp://1.0.0.100/BaseConfig/Test1.csv
User name []?admin2
Password []?*******
Done.

The following commands initiate loading the data from the CSV file into the geo-location database, and
display the status of the load operation:


ACOS(config)# gslb system geo-location load test1.csv test1-template
ACOS(config)# show gslb geo-location file
Per = Percentage of loading, Err/W = Error or Warning
T = T(Template)/B(Built-in)

Filename     T  Template         Per    Lines  Success  Err/W
--------------------------------------------------------------------------------
iana*        B                   100%   77     77       0
test1.csv    T  test1-template   100%   5      5        0

ACOS(config)#

The following command displays the geo-location database extracted from the CSV file.

ACOS(config)# show gslb geo-location db NA
Last = Last Matched Client, Hits = Count of Client matched
Sub = Count of Sub Geo-location
T = Type, P-Name = Policy name
G(global)/P(policy), S(sub)/R(sub range)
M(manually config)/B(built-in)

Geo-location: NA
From To/Mask Last Hits Sub T P-Name
--------------------------------------------------------------------------------
0 1 G

ACOS(config)#

Geo-location Overlap
The geo-location overlap option searches the geo-location database using the “match best” algorithm
instead of the “match first” algorithm. This behavior may be helpful if you suspect that more than one
host has been mapped to a single public IP address.

Geo-location Databases Background


When configuring GSLB on the ACOS device, a geo-location file containing mappings between
geographic regions and IP addresses is imported onto the ACOS device. For example, the IANA database
is pre-installed on the ACOS device prior to shipping, and it contains thousands of entries mapping
geographic regions to IP address ranges.

In addition, third-party companies sell geo-location databases, and some of these databases may
contain millions of mappings between geographic regions and ranges of IP addresses. As with the IANA
database files, these files can also be imported into the ACOS device’s global database.

Geo-location information can also be manually configured on the ACOS device at the GSLB policy level.

A GSLB policy is typically created for each GSLB zone, so you could, for example, have separate zones
for a company that has offices in New York and San Jose. Each of these GSLB zones might have its
own geo-location file, with each file containing highly granular information that maps IP addresses and
local regions.

When configuring geo-location for a GSLB zone, use the match first command to choose whether to
search the Global database (containing the IANA file) or the GSLB Policy database.

The match first command determines which of these two geo-location databases is used to parse
incoming DNS requests from clients.

Once this decision has been made, decide whether to enable the geo-location overlap command.

The geo-location overlap command is disabled by default because it tends to tax the ACOS processors.

The default behavior for the ACOS device is to use the match first algorithm (not to be confused with
the match first option described above), which scans the geo-location database for the first IP address
that matches the client’s source IP.

In contrast, the geo-location overlap option uses the match best algorithm, meaning the entire
geo-location file must be scanned in order to locate the optimal response to send back to the client.
This is very demanding on the ACOS CPU.

When to Use Geo-Location Overlap


The geo-location overlap option is recommended for situations in which the public IP address is not
unique and the same IP address may be associated with different hosts. While it is unlikely that the
IANA geo-location file would contain such errors, the Internet is a dynamic place and information can
become stale and/or inaccurate. In particular, this situation might happen if users are careless about
the way they manually add IP addresses to the GSLB policies. A user might have many GSLB zones and
each zone might have many geo-location files, so it is possible that some IP address ranges may overlap.

For example, if a company has a site in New York and San Jose:

• New York IP range is 1.1.1.1 – 1.1.1.9

• San Jose IP range is 1.1.1.1 – 1.1.1.3

In this situation, the two ranges overlap from 1.1.1.1 to 1.1.1.3.

To resolve this ambiguity, enable the geo-location overlap option, which causes the ACOS device to
search the geo-location database for the best match (the longest matching IP address).

However, if the geo-location overlap option is disabled, then the ACOS device will revert to its default
behavior, which is to use the match first algorithm to check the client’s IP address against the database
and then use the first IP address-region mapping discovered when parsing the database.

If you believe your manually-configured geo-location databases may have two or more domains tied to
the same IP address, you can use the geo-location-match overlap command at the GSLB policy
configuration level of the CLI to enable geo-location overlap.

The following command enables geo-location overlap at the GSLB policy level. The overlap option is
used to enable match best behavior for the geo-location database within the default GSLB policy. By
enabling this behavior, the match first algorithm will not be used, and instead the ACOS device will
attempt to find the best match by searching for the longest string that matches the source IP address
in the client’s request.

ACOS(config)# gslb policy default
ACOS(config-gslb policy)# geo-location-match overlap policy
ACOS(config-gslb policy)# exit
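
The difference between the two lookups can be seen by running both over the New York and San Jose ranges used above. This is an added illustration, not ACOS code: it models match best as the narrowest range containing the client address (an assumption about what the guide calls the longest match), and the names GeoRange, match_first, match_best and find_overlaps are hypothetical.

```python
"""Match-first vs. match-best lookup over overlapping geo-location ranges."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class GeoRange(NamedTuple):
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    location: str

    @property
    def size(self) -> int:
        """Number of addresses covered by the range."""
        return int(self.last) - int(self.first) + 1

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.first <= ip <= self.last


def make_range(first: str, last: str, location: str) -> GeoRange:
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"{location}: range start {lo} is above range end {hi}")
    return GeoRange(lo, hi, location)


# The overlapping ranges from the guide's example, in configuration order.
OVERLAP_DB = [
    make_range("1.1.1.1", "1.1.1.9", "NewYork"),
    make_range("1.1.1.1", "1.1.1.3", "SanJose"),
]


def match_first(db: List[GeoRange], client_ip: str) -> Optional[str]:
    """Stop at the first entry containing the address; the result depends on entry order."""
    ip = ipaddress.IPv4Address(client_ip)
    for entry in db:
        if entry.contains(ip):
            return entry.location
    return None


def match_best(db: List[GeoRange], client_ip: str) -> Optional[str]:
    """Scan every entry and keep the narrowest one containing the address (assumed meaning)."""
    ip = ipaddress.IPv4Address(client_ip)
    best = None
    for entry in db:  # full scan: this is why the option costs CPU
        if entry.contains(ip) and (best is None or entry.size < best.size):
            best = entry
    return best.location if best else None


def find_overlaps(db: List[GeoRange]) -> List[Tuple[str, str, str, str]]:
    """Audit helper: (location_a, location_b, first_shared, last_shared) for each overlap."""
    ordered = sorted(db, key=lambda e: (int(e.first), -int(e.last)))
    overlaps = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.first > a.last:
                break  # sorted by start address, so no later range can overlap a
            if a.location != b.location:
                overlaps.append((a.location, b.location,
                                 str(b.first), str(min(a.last, b.last))))
    return overlaps


if __name__ == "__main__":
    for addr in ("1.1.1.2", "1.1.1.7", "1.1.1.10"):
        print(addr, match_first(OVERLAP_DB, addr), match_best(OVERLAP_DB, addr))
    print(find_overlaps(OVERLAP_DB))
```

Running find_overlaps over a manually maintained database shows whether any overlap exists at all, which is the condition under which the guide recommends the overlap option.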

Geo-location-based Access Control


You can control access to a VIP based on the geo-location of the client. You can configure the ACOS
device to perform one of the following actions for traffic from a client, depending on the location of the
client:

• Drop the traffic

• Reset the connection

• Send the traffic to a specific service group (if configured using a black/white list)

The ACOS device determines a client’s location by looking up the client’s subnet in the geo-location
database used by Global Server Load Balancing (GSLB).

This feature requires you to load a geo-location database, but does not require any other configuration
of GSLB. Instead, SLB features are used along with the IANA database. The ACOS system image
includes the Internet Assigned Numbers Authority (IANA) database. By default, the IANA database is
not loaded but you can easily load it, as described in the configuration procedure later in this section.

Using a Class List


This section shows how to configure geo-location-based VIP access using a class list.

Geo-location-based VIP access works only if the class list is imported as a file. The CLI does not
support configuration of class-list entries for this application.

Class List Example


Use 'class-list geo-class' to define a class list that maps client geo-locations to limit IDs (LIDs),
which specify the maximum number of concurrent connections allowed for clients in the geo-locations.

class-list geo-class

L US 1
L US.CA 2
L US.CA.SJ 3

The following commands import the class list onto the ACOS device, configure a policy template, and
bind the template to a virtual port. The connection limits specified in the policy template apply to clients
who send requests to the virtual port.

This example assumes the following:

• The default geo-location database (iana) is already loaded (“gslb system geo-location load” on
page 183).
• The c-share class list was previously created.

ACOS(config)# slb template policy pclass
ACOS(config-policy)# class-list c-share
ACOS(config-policy-class-list:c-share)# lid 1
ACOS(config-policy-class-list:c-share-li...)# conn-limit 4
ACOS(config-policy-class-list:c-share-li...)# exit
ACOS(config-policy-class-list:c-share)# lid 2
ACOS(config-policy-class-list:c-share-li...)# conn-limit 2
ACOS(config-policy-class-list:c-share-li...)# exit
ACOS(config-policy-class-list:c-share)# lid 3
ACOS(config-policy-class-list:c-share-li...)# conn-limit 1
ACOS(config-policy-class-list:c-share-li...)# exit
ACOS(config-policy-class-list:c-share)# exit
ACOS(config-policy)# geo-location overlap
ACOS(config-policy)# exit
ACOS(config)# slb virtual-server vip1 10.1.1.155
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template policy pclass
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

The show slb geo-location statistics command verifies operation of the policy.

Using a Black/White List


To configure geo-location-based access control for a VIP:

1. Configure a black/white list. You can configure the list using a text editor on a PC or enter it directly
into the GUI. If you configure the list using a text editor, import the list onto the ACOS device.
2. Configure an SLB policy (PBSLB) template. In the template, specify the black/white list name, and
the actions to perform for the group IDs in the list.
3. Load a geo-location database, if one is not already loaded.
4. Apply the policy template to the virtual port for which you want to control access.

Configuring the Black/White List


You can configure black/white lists in either of the following ways:

• Remote option – Use a text editor on a PC, then import the list onto the ACOS device.

• Local option – Enter the black/white list directly into a management GUI window.

With either method, the syntax is the same. The black/white list must be a text file that contains entries
(rows) in the following format:

L "geo-location" group-id #conn-limit

The “L” indicates that the client’s location will be determined using information in the geo-location
database.

The geo-location is the string in the geo-location database that is mapped to the client’s IP address; for
example, “US”, “US.CA”, or “US.CA.SanJose”.

The group-id is a number from 1 to 31 that identifies a group of clients (geo-locations) in the list. The
default group ID is 0, which means no group is assigned. On the ACOS device, the group ID specifies
the action to perform on client traffic.

The #conn-limit specifies the maximum number of concurrent connections allowed from a client. The #
is required only if you do not specify a group ID. The connection limit is optional. For simplicity, the
examples in this section do not specify a connection limit.

Here is a simple example of a black/white list for this feature:

L "US" 1
L "US.CA" 2
L "JP" 3
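
A list can be checked against the format rules above before it is imported. The following linter is an added example, not an A10 tool: how it reads the optional fields (a lone #N is a connection limit with group 0, a second field is a connection limit with or without the #), its rejection of duplicate locations, and the check for groups without a template action are assumptions, and the sample list is constructed.

```python
"""Lint a geo-location black/white list before importing it."""
import re
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    line_no: int
    location: str
    group_id: int               # 0 = no group assigned (the documented default)
    conn_limit: Optional[int]


ENTRY_RE = re.compile(r'^L\s+"([^"]*)"\s*(.*)$')

# Constructed sample: lines 5-7 are deliberately wrong.
SAMPLE_LIST = '''\
L "US" 1
L "US.CA" 2
L "JP" 3
L "DE" #25
L "FR" 32
L US 4
L "US" 5
L "BR" 2 #10
'''


def _number(token: str) -> Optional[int]:
    return int(token) if token.isdigit() else None


def parse_line(line_no: int, line: str) -> Entry:
    match = ENTRY_RE.match(line)
    if not match:
        raise ValueError('expected: L "geo-location" group-id #conn-limit')
    location, fields = match.group(1), match.group(2).split()
    if not location or any(not level for level in location.split(".")):
        raise ValueError(f"empty geo-location or empty level in {location!r}")
    group_id, conn_limit = 0, None
    if len(fields) == 1 and fields[0].startswith("#"):
        conn_limit = _number(fields[0][1:])        # limit only, no group
        if conn_limit is None:
            raise ValueError("connection limit must be a number")
    elif len(fields) in (1, 2):
        group_id = _number(fields[0])
        if group_id is None or not 1 <= group_id <= 31:
            raise ValueError("group-id must be a number from 1 to 31")
        if len(fields) == 2:
            conn_limit = _number(fields[1].lstrip("#"))
            if conn_limit is None:
                raise ValueError("connection limit must be a number")
    else:
        raise ValueError("expected a group-id and/or #conn-limit after the geo-location")
    return Entry(line_no, location, group_id, conn_limit)


def lint_bw_list(text: str) -> Tuple[List[Entry], List[Tuple[int, str]]]:
    """Return (valid entries, [(line number, problem)])."""
    entries, errors, seen = [], [], {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            entry = parse_line(line_no, line)
        except ValueError as exc:
            errors.append((line_no, str(exc)))
            continue
        if entry.location in seen:
            errors.append((line_no, f"duplicate of line {seen[entry.location]}"))
            continue
        seen[entry.location] = line_no
        entries.append(entry)
    return entries, errors


def groups_without_action(entries: List[Entry], template_group_ids: List[int]) -> List[int]:
    """Group IDs used in the list that the policy template assigns no action to."""
    used = {e.group_id for e in entries if e.group_id}
    return sorted(used - set(template_group_ids))


if __name__ == "__main__":
    good, bad = lint_bw_list(SAMPLE_LIST)
    for line_no, problem in bad:
        print(f"line {line_no}: {problem}")
    print("groups with no action in a template that only sets id 1:",
          groups_without_action(good, [1]))
```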

1. Import a black/white list onto the ACOS device with the bw-list command.
2. To configure a PBSLB template, use the slb template policy commands:

The command creates the template and changes the CLI to the configuration for the template,
where the bw-list name and bw-list id PBSLB-related commands are available.
3. Load a geo-location database with the gslb system geo-location load command.
4. To apply a policy template to a virtual port, use the template policy command in configuration
mode.

Displaying and Clearing SLB Geo-Location Information


To display SLB geo-location information, use the show slb geo-location command.

To clear SLB geo-location statistics, use the clear slb geo-location command.

Black/White List Example


The following commands configure a policy template named “geoloc” and add a black/white list to it.
The template is configured to drop traffic from clients in the geo-location mapped to group 1 in the list.

The black/white list can either be imported or entered by selecting ADC >> BW-Lists in the GUI. Refer
to the DDoS Mitigation Guide (DMG) for additional information about black/white lists.

ACOS(config)# slb template policy geoloc
ACOS(config-policy)# bw-list name geolist
ACOS(config-policy)# bw-list id 1 drop
ACOS(config-policy)# exit

The following commands apply the policy template to port 80 on virtual server “vip1”:

ACOS(config)# slb virtual-server vip1
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template policy geoloc
ACOS(config-slb vserver-vport)# show slb geo-location
M = Matched or Level, ID = Group ID
Conn = Connection number, Last = Last Matched IP
v = Exact Match, x = Fail
Virtual Port: vip/80, geolist
--------------------------------------------------------------------------------
Max Depth: 1
Success: 1
Geo-location M ID Permit Deny Conn Last
--------------------------------------------------------------------------------
US x 1 0 0 0
--------------------------------------------------------------------------------
Total: 1
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

Full-Domain Checking
By default, when a client requests a connection, the ACOS device checks the connection count only for
the specific geo-location level of the client. If the connection limit for that specific geo-location level has
not been reached, then the client’s connection is permitted. Likewise, the permit counter is incremented
only for that specific geo-location level.

Table 1 shows an example set of geo-location connection limits and current connections.

TABLE 1 Geo-location connection limit example

Geo-location     Connection Limit   Current Connections
US               100                100
US.CA            50                 37
US.CA.SanJose    20                 19

Using the default behavior, the connection request from the client at US.CA.SanJose is allowed even
though US has reached its connection limit. Likewise, a connection request from a client at US.CA is
allowed. However, a connection request from a client whose location match is simply “US” is denied.

After these three clients are permitted or denied, connection permit and deny counters are updated.

• US – Deny counter is incremented by 1.

• US.CA – Permit counter is incremented by 1.

• US.CA.SanJose – Permit counter is incremented by 1.

Configuring Full-Domain Checking


When full-domain checking is enabled, the ACOS device checks the current connection count not only
for the client’s specific geo-location, but for all geo-locations higher up in the domain tree.

Based on full-domain checking, all three connection requests from the clients in the example above are
denied. This is because the US domain has reached its connection limit. Likewise, the counters for each
domain are updated as follows:

• US – Deny counter is incremented by 1.

• US.CA – Deny counter is incremented by 1.

To enable full-domain checking for geo-location-based connection limiting, use the geo-location
full-domain-tree command at the configuration level for the PBSLB template.

It is recommended to enable or disable this option before enabling GSLB. Changing the state of this
option while GSLB is running can cause the related statistics counters to be incorrect.
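
The two checking modes can be compared by evaluating the Table 1 snapshot under each of them. This sketch is an added example, not ACOS code: the function names are hypothetical, and a limit is treated as reached when the current connection count is equal to or above it.

```python
"""Default vs. full-domain-tree connection-limit checks for geo-locations."""
from typing import Dict, List, Optional, Tuple

# Table 1 from the guide: geo-location -> (connection limit, current connections)
TABLE_1: Dict[str, Tuple[int, int]] = {
    "US": (100, 100),
    "US.CA": (50, 37),
    "US.CA.SanJose": (20, 19),
}


def domain_path(location: str) -> List[str]:
    """'US.CA.SanJose' -> ['US.CA.SanJose', 'US.CA', 'US'] (most specific first)."""
    parts = location.split(".")
    return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]


def levels_checked(table, location: str, full_domain_tree: bool) -> List[str]:
    """Default mode looks only at the client's own level; full-domain adds every ancestor."""
    path = domain_path(location) if full_domain_tree else [location]
    return [level for level in path if level in table]


def decide(table, location: str, full_domain_tree: bool = False) -> Tuple[bool, Optional[str]]:
    """Return (allowed, level whose limit caused the denial or None)."""
    for level in levels_checked(table, location, full_domain_tree):
        limit, current = table[level]
        if current >= limit:
            return False, level
    return True, None


def headroom(table, location: str, full_domain_tree: bool = False) -> Optional[int]:
    """Connections that can still be admitted before some checked limit is reached."""
    checked = levels_checked(table, location, full_domain_tree)
    if not checked:
        return None
    return min(max(table[level][0] - table[level][1], 0) for level in checked)


def newly_denied(table) -> List[Tuple[str, str]]:
    """Locations permitted by default but denied once full-domain checking is enabled."""
    changed = []
    for location in sorted(table):
        if decide(table, location)[0]:
            allowed, blocker = decide(table, location, full_domain_tree=True)
            if not allowed:
                changed.append((location, blocker))
    return changed


if __name__ == "__main__":
    for loc in TABLE_1:
        print(loc, "default:", decide(TABLE_1, loc),
              "full-domain:", decide(TABLE_1, loc, full_domain_tree=True))
    print("changed by enabling full-domain checking:", newly_denied(TABLE_1))
```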

Enabling PBSLB Statistics Counter Sharing


Statistics counters can be shared by all virtual servers and virtual ports using a PBSLB template. This
option causes the following counters to be shared by virtual servers and virtual ports using the
template:

• Permit

• Deny

• Connection number

• Connection limit

To enable the share option, use the geo-location share command at the configuration level for the
PBSLB policy template. It is recommended to enable or disable this option before enabling GSLB.
Changing the state of this option while GSLB is running can cause the related statistics counters to be
incorrect.


Gateway Health Monitoring

To simplify health monitoring of a GSLB site, you can use a gateway health check. A gateway health
check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. If a site’s gateway
router fails a health check, it is likely that none of the services at the site can be reached. GSLB stops
using the site until it begins to pass gateway health checks again.

In most cases, an ICMP health check is sufficient; use the default ICMP health check or configure a
custom one. For more detailed health analysis, use an external health check. For example, use a script
to get SNMP information from the gateway, and base the gateway’s health status on the retrieved
information.

Health-Check Precedence

Health checking for a GSLB service can be performed at the following levels.

1. Gateway health check
2. Port health check
3. IP health check (Layer 3 health check of service IP)

Using the GSLB Health Monitor option does not affect its precedence. The GSLB Health Monitor
configuration includes health monitors in GSLB group synchronizations. For GSLB configuration
synchronization, see “GSLB Synchronization” on page 18.

If the gateway health check is unsuccessful, the service IP is marked Down. If the gateway health
check is successful, then the port health check can be used to check the status of the ports (assuming
ports have been configured on the service IP). Otherwise, if no service ports are configured on the
service IP, then the Layer 3 health check of the service IP is used.

Sections in this chapter include:

• “Configuring Gateway Health Checking for GSLB Sites” on page 130

• “Site with Single Gateway Link” on page 131

• “Site with Multiple Gateway Links” on page 132

• “Multiple-Port Health Monitoring” on page 133


Configuring Gateway Health Checking for GSLB Sites


To configure gateway health checking for a GSLB site:

1. Configure the health monitor, unless you plan to use the default ICMP health monitor.
2. On the SLB device at the site, create an SLB real server configuration with the gateway router’s IP
address. If you configured a custom health check, make sure to apply it to the real server.
3. On the GSLB controller, specify the site’s gateway IP address in the SLB-device configuration for
the site.

Sites with Multiple Gateway Links


For sites with multiple gateways, create a separate real server for each gateway on the site ACOS
device. On the GSLB controller, create a separate SLB-device configuration for each gateway (real
server). In each SLB-device configuration, specify only service IPs that can be reached by the gateway
defined by the SLB device.

For a service IP that can be reached on any of multiple links, create a separate SLB-device
configuration, without using the gateway option. The gateway health status for this SLB-device will be
Down only if all the gateway health checks performed for the other SLB-device configurations for the
site fail.

1. On the site ACOS device – To create the gateway router, use the slb server command at the global
configuration level of the CLI on the site ACOS device:
To use the default Layer 3 health monitor, no further configuration is needed on the site ACOS
device. When using a custom ICMP monitor, configure the monitor, then use the health-check
command at the configuration level for the real server (gateway):
2. On the GSLB controller — To specify the site’s gateway IP address, use the gateway command at
the configuration level for the SLB device, within the site configuration:

Disabling a Gateway Health-Check


On the GSLB controller, you can disable gateway health checking at the SLB-device or service
configuration level. This does not affect health checks configured for individual virtual servers and
service ports at the site.

To disable gateway health checking at the SLB-device configuration level, use the no gateway
health-check command. After entering this command, the SLB device stops accepting gateway status
information.

Displaying the Health Status of a Site Gateway


To display the health status for a site gateway, use the show gslb slb-device command:

Site with Single Gateway Link


On the site ACOS device, this command configures a real server for the gateway. The default ICMP
health method is used.

Site-ACOS(config)# slb server acos-site 1.1.1.1
Site-ACOS(config-real server)# exit

On the GSLB controller, the following commands enable gateway health checking for site device “site-
acos”:

GSLB-ACOS(config)# gslb site remote
GSLB-ACOS(config-gslb site:remote)# slb-dev site-acos 10.1.1.1
GSLB-ACOS(config-gslb site:remote-slb dev:site...)# gateway 1.1.1.1
GSLB-ACOS(config-gslb site:remote-slb dev:site...)# exit
GSLB-ACOS(config-gslb site:remote)# exit

The following command displays the gateway health status for GSLB sites:

GSLB-ACOS(config)# show gslb slb-device
Attrs = Attributes, APF = Administrative Preference
Sesn-Num/Uzn = Number/Utilization of Available Sessions
GW = Gateway Status, IPCnt = Count of Service-IPs
P = GSLB Protocol, L = Local Protocol
Device IP Attrs APF Sesn-Num Uzn GW IPCnt
--------------------------------------------------------------------------------
local:self 127.0.0.1 100 0 0% 0
local:self2 127.0.0.1 100 0 0% 0
local:self3 127.0.0.1 100 0 0% 2
remote:site-acos 10.1.1.1 100 0 0% UP 0

GSLB-ACOS(config)#

In this example, the gateway health status for SLB-device configuration “site-acos” on the “remote” site
is Up.

Site with Multiple Gateway Links


On the site ACOS device, the following commands configure real servers for each of two gateway links.
The default ICMP health method is used for each link.

Site-ACOS(config)# slb server gate-1 2.2.2.1
Site-ACOS(config-real server)# exit
Site-ACOS(config)# slb server gate-2 3.3.3.1
Site-ACOS(config-real server)# exit
Site-ACOS(config)#

On the GSLB controller, these commands enable gateway health checking for each of the site’s links. A
unique SLB-device name is used for each link, even though both links are for the same SLB device
(20.1.1.1).

GSLB-ACOS(config)# gslb site remote-line1
GSLB-ACOS(config-gslb site:remote-line1)# slb-dev site-acos-lnk1 20.1.1.1
GSLB-ACOS(config-gslb site:remote-line1-slb de...)# gateway 2.2.2.1
GSLB-ACOS(config-gslb site:remote-line1-slb de...)# exit
GSLB-ACOS(config-gslb site:remote-line1)# exit
GSLB-ACOS(config)# gslb site remote-line2
GSLB-ACOS(config-gslb site:remote-line2)# slb-dev site-acos-lnk2 20.1.1.1
GSLB-ACOS(config-gslb site:remote-line2-slb de...)# gateway 3.3.3.1
GSLB-ACOS(config-gslb site:remote-line2-slb de...)# exit
GSLB-ACOS(config-gslb site:remote-line2)# exit

If the same services can be reached through either link, an additional SLB-device configuration is
required:

GSLB-ACOS(config)# gslb site remote-link-both
GSLB-ACOS(config-gslb site:remote-link-both)# slb-dev site-acos-lnkboth 20.1.1.1
GSLB-ACOS(config-gslb site:remote-link-both-sl...)# exit
GSLB-ACOS(config-gslb site:remote-link-both)# exit

No gateway is specified in the SLB-device configuration. The gateway health status will be Up unless
the health checks for 2.2.2.1 and 3.3.3.1 both fail.

Multiple-Port Health Monitoring


GSLB supports multiple-port health checks for service IPs. When using a multiple-port health check for
a service IP, the service IP is marked Up if any port passes the health check; not every port is
required to pass.

Default Health Monitors

The default health monitor for a service is the default Layer 3 health monitor (ICMP ping). The default
health monitor for a service port is the default TCP or UDP monitor, depending on the transport
protocol.

By default, if the GSLB protocol is enabled and can reach the service, health checking is performed over
the GSLB protocol. Otherwise, health checking is performed using standard network traffic instead.
Optionally, you can disable use of the GSLB protocol for health checking, on individual service-IPs.

To configure a multiple-port health check, use the health-check-port command at the configuration
level for the service IP. You can specify up to 64 ports.

Applying a health monitor is required only if you do not plan to use the default health monitors. (See
“Default Health Monitors” on page 133.)

The following commands apply a custom HTTP health monitor to service IP “gslb-srvc2”. The
commands utilize a health monitor (http) whose configuration is not included in the example.

ACOS(config)# gslb service-ip gslb-srvc2 192.168.20.99
ACOS(config-service-ip:gslb-srvc2)# port 80 tcp
ACOS(config-service-ip:gslb-srvc2-port:tcp)# health-check http
ACOS(config-service-ip:gslb-srvc2-port:tcp)# exit
ACOS(config-service-ip:gslb-srvc2)# port 8080 tcp
ACOS(config-service-ip:gslb-srvc2-port:tcp)# health-check http
ACOS(config-service-ip:gslb-srvc2-port:tcp)# exit
ACOS(config-service-ip:gslb-srvc2)# port 8081 tcp
ACOS(config-service-ip:gslb-srvc2-port:tcp)# health-check http
ACOS(config-service-ip:gslb-srvc2-port:tcp)# exit
ACOS(config-service-ip:gslb-srvc2)# exit

The following commands enable a multi-port health check for the HTTP service “www” on service IP
“gslb-srvc2” in GSLB zone “abc.com”:

ACOS(config)# gslb zone abc.com
ACOS(config-zone:abc.com)# service 15 www
ACOS(config-zone:abc.com-service:www)# health-check-port 80
ACOS(config-zone:abc.com-service:www)# health-check-port 8080
ACOS(config-zone:abc.com-service:www)# health-check-port 8081
ACOS(config-zone:abc.com-service:www)# exit
ACOS(config-zone:abc.com)# service 15 www
ACOS(config)# exit


Application Groups

Site persistence With Per-VIP Failover Granularity


Service groups can be configured for persistence and dependency when clients request different
services, such as POP, IMAP, and SMTP. With site persistence, requests for different services from the
same client will be directed to the same server site. Configuring dependency creates failover grouping.
When one service is down on a site, the site is flagged as down for all services.

When persistence is enabled, ACOS ensures that requests for different services are sent to the same
site. You configure application groups so that certain services are grouped together. When a client
requests those services, they are always directed to the same site. For example, if a user requests the
WWW service, and then later requests the Secure WWW service, then persistence ensures that both
requests go to the same site.

Configuring dependency ensures that when one service is down on a site, ACOS marks all services as
unusable for that site. Client traffic is then redirected to a site where persistence can be maintained for
all services. For example, a service group may consist of email protocols. If the POP service is down,
then all other services, such as IMAP and SMTP, are also marked as down.

Persistence and dependency can be configured individually or together. In both cases, a service should
be configured in only one service-group.

Configuring Persistence and Dependency


To configure GSLB application groups with persistence and failover dependency, do the following:

1. Configure the virtual servers or services with the appropriate port and protocol.
2. Define the GSLB data centers or sites.
a. Configure the devices in the data centers, as well as the virtual servers or services in the data
centers.
3. Configure the applications and logical components in the system, such as the FQDN.
4. Group the defined applications together and then enable persistence and dependency.

To configure GSLB application groups with persistence and failover dependency, enter the following
commands at the GSLB service-group configuration level:

persistent site
dependency site


The “persistent site” command can specify an IPv4 mask, IPv6 mask length, or aging-time that
determines the period after which persistence is no longer maintained to a server when there is no
traffic from the client (default aging-time is 5 minutes). Aging time is refreshed when the site receives
a request from the client.

This example configures two GSLB sites, one for New York and one for San Francisco. These sites will
support the WWW and Secure WWW applications. Persistence and dependency are configured for
these GSLB sites.

1. These commands configure GSLB data centers in New York and San Francisco. The virtual servers
are grouped into data centers. Each data center has four servers with port 80 configured (vip1
- vip4), and four servers with port 443 configured (vip5 - vip8). The sites reference the servers
through GSLB service-ip assignments that are not included in the example (see “gslb service-ip” on
page 174).

ACOS(config)# gslb site NY
ACOS(config-gslb site:NY)# slb-dev NY-slb-device1 11.11.11.11
ACOS(config-gslb site:NY-slb dev:NY-slb-d...)# vip-server vip1
ACOS(config-gslb site:NY-slb dev:NY-slb-d...)# vip-server vip2
ACOS(config-gslb site:NY-slb dev:NY-slb-d...)# vip-server vip5
ACOS(config-gslb site:NY-slb dev:NY-slb-d...)# vip-server vip6
ACOS(config-gslb site:NY-slb dev:NY-slb-d...)# exit
ACOS(config-gslb site:NY)# exit
ACOS(config)# gslb site SF
ACOS(config-gslb site:SF)# slb-dev SF-slb-device1 12.12.12.12
ACOS(config-gslb site:SF-slb dev:SF-slb-d...)# vip-server vip3
ACOS(config-gslb site:SF-slb dev:SF-slb-d...)# vip-server vip4
ACOS(config-gslb site:SF-slb dev:SF-slb-d...)# vip-server vip7
ACOS(config-gslb site:SF-slb dev:SF-slb-d...)# vip-server vip8
ACOS(config-gslb site:SF-slb dev:SF-slb-d...)# exit
ACOS(config-gslb site:SF)# exit

2. These commands define the www.example.com and secure.example.com FQDNs. They assign
the WWW service to virtual servers 1 through 4, and the Secure WWW service to virtual servers 5
through 8.

ACOS(config)# gslb zone example.com
ACOS(config-zone:example.com)# service 80 www
ACOS(config-zone:example.com-service:www)# dns-a-record vip1 static
ACOS(config-zone:example.com-service:www)# dns-a-record vip2 static
ACOS(config-zone:example.com-service:www)# dns-a-record vip3 static
ACOS(config-zone:example.com-service:www)# dns-a-record vip4 static
ACOS(config-zone:example.com-service:www)# exit
ACOS(config-zone:example.com)# service 443 secure
ACOS(config-zone:example.com-service:sec...)# dns-a-record vip5 static
ACOS(config-zone:example.com-service:sec...)# dns-a-record vip6 static
ACOS(config-zone:example.com-service:sec...)# dns-a-record vip7 static
ACOS(config-zone:example.com-service:sec...)# dns-a-record vip8 static
ACOS(config-zone:example.com-service:sec...)# exit
ACOS(config-zone:example.com)# exit

3. The next commands group the applications (WWW and Secure WWW) together and configure
dependency for failover grouping, as well as persistence with an aging-time of 10 minutes.

ACOS(config)# gslb service-group website
ACOS(config-svc group:website)# member www.example.com
ACOS(config-svc group:website)# member secure.example.com
ACOS(config-svc group:website)# persistent site aging-time 10
ACOS(config-svc group:website)# dependency site
ACOS(config-svc group:website)# exit


Configuring GSLB through the GUI

This chapter provides configuration examples for Global Server Load Balancing (GSLB). These
examples implement a basic GSLB deployment. The examples assume that the default GSLB policy is
used, without any changes to the policy settings.

Steps consist of an action and the resulting GUI response. For example, the following line instructs the
user to select ADC >> SLB from the main menu, which opens the SLB Virtual Server Roster panel in the
GUI:

1. Select ADC >> SLB (primary menu) Open SLB Virtual Server Roster

This chapter contains the following GUI examples:

• “GSLB Proxy Mode (Scenario 1)”

• “GSLB Server Mode Group (Scenario 2)”

• “GSLB Controllers and Devices (Scenario 3)”

• “Configuring GSLB Controller-Based Metrics”

GSLB Proxy Mode (Scenario 1)


See “Scenario 1: GSLB Proxy Mode” for the description and equivalent CLI implementation.

1. “Changing the Hostname”
2. “Creating the VIP”
3. “Configuring GSLB Service IP (LANE)”
4. “Configuring GSLB Service IP (BENTON)”
5. “Configuring GSLB Sites (EUGENE and CORVALLIS)”
6. “Configuring GSLB Policy (HELIUM)”
7. “Creating GSLB FQDN (www.a10-brown.com)”
8. “Creating GSLB FQDN (mail.a10-brown.com)”
9. “Configuring GSLB FQDN DNS Records (www.a10-brown.com)”

Changing the Hostname

1. Select System >> Settings (primary menu) Open Access Control panel


2. Select DNS (secondary menu) Open Configure DNS panel


3. Data Entry: Open Configure DNS panel
Hostname: ACOS-1
Click Update DNS button
4. Click Update DNS button GUI displays success message

Creating the VIP

Creating the SLB Servers.

1. ADC >> SLB (primary menu) Open SLB Virtual Server roster
2. Select Servers (secondary menu) Open SLB Servers Roster
3. Click Create button Open Create Server panel
4. Data Entry: Create Server panel
Name: ACOS-11
Host: 10.10.0.53
Port Section: Click Create button Open Update Port panel
5. Data Entry: Update Port panel
Port Number: 53
Protocol: TCP
Click Create button Return to SLB Servers Roster

Creating the SLB Service Group.

1. Select Service Groups (secondary menu) Open Service Groups roster


2. Click Create button Open Create Service Group panel
3. Data Entry: Create Service Group panel
Name: DNS-GP1
Protocol: TCP
Member section: Click Create button Open Create Member panel
4. Data Entry: Create Member panel
Choose Creation Type: (Existing Server) Existing Server
Server: (drop down) ACOS-11
Port: 53
Click Create button Returns to Update Service Group panel

Creating the SLB Virtual Server.

1. Select Virtual-Servers (secondary menu) Open SLB Virtual Servers roster


2. Click Create button Open SLB Create Virtual Server panel
3. Data Entry: SLB Create Virtual Server panel


Name: DNS1
IP Address: 10.10.0.100
Virtual Port section: Click Create button Opens SLB Create Virtual Port panel
4. Data Entry: SLB Create Virtual Port panel
Protocol: dns-tcp
Port: 53
Service Group: (Drop Down): DNS-GRP1
5. Expand General Fields section
6. Data Entry: General Fields section
GSLB Enable: (checkbox) select
7. Click Create button Return to SLB Update Virtual Server panel
8. Click Update button Return to SLB Virtual Servers roster

Configuring GSLB Service IP (LANE)

1. Select GSLB >> Service IPs Open GSLB Service IP Roster


2. Click Create button Open GSLB Create Service IP panel
3. Data Entry: GSLB Create Service IP panel
Service IP Name: LANE
IP Address: 10.10.1.58
Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
4. Data Entry: GSLB Create Service IPs Ports panel
Port: 80
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
5. Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
6. Data Entry: Create Service IPs panel
Port: 25
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
7. Click Update button Return to GSLB Service IP Roster

Configuring GSLB Service IP (BENTON)

1. Click Create button Open GSLB Create Service IP panel


2. Data Entry: Create Service IP panel
Service IP Name: BENTON
IP Address: 10.10.2.68
Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
3. Data Entry: Create Service IPs Ports panel


Port: 80
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
4. Click Create button Opens GSLB Create Service IPs Ports panel
5. Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
6. Data Entry: Create Service IPs panel
Port: 25
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
7. Click Update button Return to GSLB Service IP Roster

Configuring GSLB Sites (EUGENE and CORVALLIS)

1. Select GSLB >> Sites Open GSLB Sites Roster


2. Click Create button Open GSLB Create Sites panel
3. Data Entry: GSLB Sites panel
Name: EUGENE
IP Server (drop down): LANE – Click Add button
4. Click Create button Returns to GSLB Sites Roster
5. Click Create button Open GSLB Create Sites panel
6. Data Entry: GSLB Sites panel
Name: CORVALLIS
IP Server (drop down): BENTON – Click Add button
7. Click Create button Returns to GSLB Sites Roster

Configuring GSLB Policy (HELIUM)

1. Select GSLB >> Policies Opens GSLB Policies Roster


2. Click Create button Opens GSLB Create Policies panel
3. Data Entry: GSLB Create Policies panel
Name: HELIUM
4. Expand DNS Options section
5. Data Entry: GSLB Create Policies panel
Server Mode: (checkbox) de-select
6. Click Create button Returns to GSLB Policies Roster

Creating GSLB FQDN (www.a10-brown.com)

1. Select GSLB >> FQDN Opens GSLB FQDNs Roster


2. Click Create button Opens GSLB Create FQDNs panel


3. Data Entry: GSLB Create FQDNs panel
GSLB Zone: a10-brown.com
Service: www
Zone Policy: (drop down) HELIUM
Port: 80
4. Click Create button Returns to GSLB FQDNs Roster

Creating GSLB FQDN (mail.a10-brown.com)

1. Click Create button Opens GSLB Create FQDNs panel


2. Data Entry: GSLB Create FQDNs panel
Existing Zone: a10-brown.com
Service: mail
Port: 25
3. Click Create button Returns to GSLB FQDNs Roster

Configuring GSLB FQDN DNS Records (www.a10-brown.com)

1. Expand a10-brown.com (zone column) Reveals FQDNs for a10-brown.com zone


2. Click Edit text on www.a10-brown.com Opens GSLB Update FQDNs panel
3. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
4. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) Service A
Service IP Name: (Drop-Down) LANE
Static: (checkbox) select
5. Click Create button Returns to GSLB Update FQDNs panel
6. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
7. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) Service A
Service IP Name: (Drop-Down) BENTON
Static: (checkbox) select
8. Click Create button Returns to Update GSLB FQDNs Roster
9. Click Update button Returns to GSLB FQDNs Roster

Configuring GSLB FQDN DNS Records (mail.a10-brown.com)

1. Expand a10-brown.com (zone column) Reveals FQDNs for a10-brown.com zone


2. Click Edit text on mail.a10-brown.com Opens GSLB Update FQDNs panel


3. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
4. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) SERVICE A
Service IP Name: (Drop-Down) LANE
Static: (checkbox) select
5. Click Create button Returns to GSLB Update FQDNs panel
6. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
7. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) SERVICE A
Service IP Name: (Drop-Down) BENTON
Static: (checkbox) select
8. Click Create button Returns to GSLB FQDNs Roster
9. Click Update button Returns to GSLB FQDNs Roster
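
A check for the end of Scenario 1, as an added example (not A10 code and not part of the original guide): it queries an FQDN through the DNS1 virtual server over TCP, matching the dns-tcp virtual port, and reports any answer address that is not a configured service IP. The function names, the expectation that only the LANE and BENTON addresses are returned, and the sample response bytes are assumptions constructed for illustration.

```python
import socket
import struct

# Values from Scenario 1 on this page.
GSLB_VIP = ("10.10.0.100", 53)  # virtual server DNS1, virtual port dns-tcp 53
# Assumption: clients should only ever be handed the LANE and BENTON addresses.
EXPECTED = {
    "www.a10-brown.com": {"10.10.1.58", "10.10.2.68"},
    "mail.a10-brown.com": {"10.10.1.58", "10.10.2.68"},
}


def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid):
    """Standard query with RD set and one question: <name> IN A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length
    raise ValueError("truncated name")


def parse_a_records(msg, txid):
    """Validate a response and return its A-record addresses in answer order."""
    if len(msg) < 12:
        raise ValueError("short message")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"rcode {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated rdata")
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + rdlen]))
        off += rdlen
    return addrs


def check_answers(fqdn, addrs):
    """Compare returned addresses with the service IPs configured for the FQDN."""
    expected, got = EXPECTED[fqdn], set(addrs)
    return {"missing": sorted(expected - got), "unexpected": sorted(got - expected)}


def query_vip(fqdn, txid, vip=GSLB_VIP, timeout=3.0):
    """Live check: DNS over TCP carries a 2-byte length prefix on each message."""
    msg = build_query(fqdn, txid)
    with socket.create_connection(vip, timeout=timeout) as sock, sock.makefile("rb") as rd:
        sock.sendall(struct.pack("!H", len(msg)) + msg)
        head = rd.read(2)
        if len(head) < 2:
            raise ConnectionError("no response from VIP")
        body = rd.read(struct.unpack("!H", head)[0])
    return check_answers(fqdn, parse_a_records(body, txid))


def sample_response(fqdn, txid, addrs):
    """Constructed response for offline runs; each answer name points at offset 12."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    msg += encode_name(fqdn) + struct.pack("!HH", 1, 1)
    for addr in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 10, 4) + socket.inet_aton(addr)
    return msg


if __name__ == "__main__":
    # Constructed data: one expected address plus 192.0.2.10 (documentation range).
    resp = sample_response("www.a10-brown.com", 0x1234, ["10.10.1.58", "192.0.2.10"])
    print(check_answers("www.a10-brown.com", parse_a_records(resp, 0x1234)))
```

Against a live deployment, call query_vip() for each FQDN with a fresh random transaction ID; an entry under "unexpected" means clients are being handed an address that is not one of the configured service IPs.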

GSLB Server Mode Group (Scenario 2)


See “Scenario 2: GSLB Server Mode” for the description and equivalent CLI implementation.

1. “Changing the Hostname”
2. “Creating the VIP”
3. “Configuring GSLB Service IP (PIERCE)”
4. “Configuring GSLB Service IP (KING)”
5. “Configuring GSLB Sites (TACOMA and BELLEVUE)”
6. “Configuring GSLB Policy (BORON)”
7. “Creating GSLB FQDN (www.a10-blue.com)”
8. “Creating GSLB FQDN (mail.a10-blue.com)”
9. “Configuring GSLB FQDN DNS Records (www.a10-blue.com)”
10. “Configuring GSLB FQDN DNS Records (mail.a10-blue.com)”

Changing the Hostname

1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu) Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-2
Click Update DNS button


4. Click Update DNS button GUI displays success message

Creating the VIP

SLB Service Group configuration, required in step 4, is not featured in this example. Refer to the ADC
Configuration Guide.

1. Select ADC >> SLB (primary menu) Open SLB Virtual Server Roster
2. Select Virtual-Servers (secondary menu) Open SLB Virtual Servers roster
3. Click Create button Open SLB Create Virtual Server panel
4. Data Entry: SLB Create Virtual Server panel
Name: DNS2
IP Address: 10.20.0.53
Virtual Port section: Click Create button Opens SLB Create Virtual Port panel
5. Data Entry: SLB Create Virtual Port panel
Protocol: dns-tcp
Port: 53
Service Group: (Drop Down): DNS-GROUP
6. Expand General Fields section
7. Data Entry: General Fields section
GSLB Enable: (checkbox) select
8. Click Create button Return to SLB Update Virtual Server panel
9. Click Update button Return to SLB Virtual Servers roster

Configuring GSLB Service IP (PIERCE)

1. Select GSLB >> Service IPs Open GSLB Service IP Roster


2. Click Create button Open GSLB Create Service IP panel
3. Data Entry: GSLB Create Service IPs panel
Service IP Name: PIERCE
IP Address: 10.20.1.58
Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
4. Data Entry: GSLB Create Service IPs Ports panel
Port: 80
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
5. Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
6. Data Entry: Create Service IPs panel
Port: 25
Protocol: TCP


Click Create button Return to GSLB Create Service IPs panel


7. Click Update button Return to GSLB Service IP Roster

Configuring GSLB Service IP (KING)

1. Click Create button Open GSLB Create Service IP panel


2. Data Entry: Create Service IP panel
Service IP Name: KING
IP Address: 10.20.2.68
Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
3. Data Entry: Create Service IPs Ports panel
Port: 80
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
4. Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
5. Data Entry: Create Service IPs panel
Port: 25
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
6. Click Update button Return to GSLB Service IP Roster

Configuring GSLB Sites (TACOMA and BELLEVUE)

1. Select GSLB >> Sites Open GSLB Sites Roster


2. Click Create button Open GSLB Create Sites panel
3. Data Entry: GSLB Sites panel
Name: TACOMA
IP Server (drop down): PIERCE – Click Add button
4. Click Create button Returns to GSLB Sites Roster
5. Click Create button Open GSLB Create Sites panel
6. Data Entry: GSLB Sites panel
Name: BELLEVUE
IP Server (drop down): KING – Click Add button
7. Click Create button Returns to GSLB Sites Roster

Configuring GSLB Policy (BORON)

1. Select GSLB >> Policies Opens GSLB Policies Roster


2. Click Create button Opens GSLB Create Policies panel


3. Data Entry: GSLB Create Policies panel


Name: BORON
4. Expand DNS Options section
5. Data Entry: GSLB Create Policies panel
Server Mode: (checkbox) select
Authoritative Mode: (checkbox) select
6. Click Create button Returns to GSLB Policies Roster

Creating GSLB FQDN (www.a10-blue.com)

1. Select GSLB >> FQDN Opens GSLB FQDNs Roster


2. Click Create button Opens GSLB Create FQDNs panel
3. Data Entry: GSLB Create FQDNs panel
GSLB Zone: a10-blue.com
Service: www
Zone Policy: (drop down) BORON
Port: 80
4. Click Create button Returns to GSLB FQDNs Roster

Creating GSLB FQDN (mail.a10-blue.com)

1. Click Create button Opens GSLB Create FQDNs panel


2. Data Entry: GSLB Create FQDNs panel
Existing Zone: (drop down) a10-blue.com
Service: mail
Port: 25
3. Click Create button Returns to GSLB FQDNs Roster

Configuring GSLB FQDN DNS Records (www.a10-blue.com)

1. Expand a10-blue.com (zone column) Reveals FQDNs for a10-blue.com zone


2. Click Edit text on www.a10-blue.com Opens GSLB Update FQDNs panel
3. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
4. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) Service A
Service IP Name: (Drop-Down) PIERCE
Static: (checkbox) select
5. Click Create button Returns to GSLB Update FQDNs panel
6. DNS Records section: Click Create button Opens GSLB Create DNS Record panel


7. Data Entry: GSLB Create DNS Record panel


Record Type: (Drop-Down) Service A
Service IP Name: (Drop-Down) KING
Static: (checkbox) select
8. Click Create button Returns to Update GSLB FQDNs Roster
9. Click Update button Returns to GSLB FQDNs Roster

Configuring GSLB FQDN DNS Records (mail.a10-blue.com)

1. Expand a10-blue.com (zone column) Reveals FQDNs for a10-blue.com zone


2. Click Edit text on mail.a10-blue.com Opens GSLB Update FQDNs panel
3. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
4. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) SERVICE A
Service IP Name: (Drop-Down) PIERCE
Static: (checkbox) select
5. Click Create button Returns to GSLB Update FQDNs panel
6. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
7. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) SERVICE A
Service IP Name: (Drop-Down) KING
Static: (checkbox) select
8. Click Create button Returns to GSLB FQDNs Roster
9. Click Update button Returns to GSLB FQDNs Roster

GSLB Controllers and Devices (Scenario 3)


See “Scenario 3: GSLB Controllers and Site Devices” for the scenario description and equivalent
CLI implementation.

1. “Changing the Hostname”
2. “Creating the VIP”
3. “Configuring GSLB Service IP (PIMA)”
4. “Configuring GSLB Service IP (COCONINO)”
5. “Configuring GSLB Sites (TUCSON and FLAGSTAFF)”
6. “Configuring GSLB Policy (SODIUM)”
7. “Creating GSLB FQDN (www.a10-black.com)”
8. “Creating GSLB FQDN (mail.a10-black.com)”
9. “Configuring GSLB FQDN DNS Records (www.a10-black.com)”
10. “Configuring GSLB FQDN DNS Records (mail.a10-black.com)”
11. “Enabling the GSLB Protocol”
12. “Device ACOS-31: Changing the Hostname”
13. “Device ACOS-31: Creating the VIP”
14. “Device ACOS-31: Enabling the GSLB Protocol”
15. “Device ACOS-32: Changing the Hostname”
16. “Device ACOS-32: Creating the VIP”
17. “Device ACOS-32: Enabling the GSLB Protocol”

Changing the Hostname

1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu) Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-3
Click Update DNS button
4. Click Update DNS button GUI displays success message

Creating the VIP

SLB Service Group configuration, required in step 4, is not featured in this example. Refer to the ADC
Configuration Guide.

1. Select ADC >> SLB (primary menu) Open SLB Virtual Server Roster
2. Select Virtual-Servers (secondary menu) Open SLB Virtual Servers roster
3. Click Create button Open SLB Create Virtual Server panel
4. Data Entry: SLB Create Virtual Server panel
Name: DNS3
IP Address: 10.30.0.53
Virtual Port section: Click Create button Opens SLB Create Virtual Port panel
5. Data Entry: SLB Create Virtual Port panel
Protocol: dns-tcp
Port: 53
Service Group: (Drop Down): DNS-GROUP
6. Expand General Fields section
7. Data Entry: General Fields section
GSLB Enable: (checkbox) select


8. Click Create button Return to SLB Update Virtual Server panel


9. Click Update button Return to SLB Virtual Servers roster

Configuring GSLB Service IP (PIMA)

1. Select GSLB >> Service IPs Open GSLB Service IP Roster


2. Click Create button Open GSLB Create Service IP panel
3. Data Entry: GSLB Create Service IPs panel
Service IP Name: PIMA
IP Address: 10.20.1.58
Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
4. Data Entry: GSLB Create Service IPs Ports panel
Port: 80
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
5. Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
6. Data Entry: Create Service IPs panel
Port: 25
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
7. Click Update button Return to GSLB Service IP Roster

Configuring GSLB Service IP (COCONINO)

1. Click Create button Open GSLB Create Service IP panel


2. Data Entry: Create Service IP panel
Service IP Name: COCONINO
IP Address: 10.20.2.68
Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
3. Data Entry: Create Service IPs Ports panel
Port: 80
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
4. Click Create button Opens GSLB Create Service IPs Ports panel
5. Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
6. Data Entry: Create Service IPs panel
Port: 25
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
7. Click Update button Return to GSLB Service IP Roster


Configuring GSLB Sites (TUCSON and FLAGSTAFF)

1. Select GSLB >> Sites Open GSLB Sites Roster


2. Click Create button Open GSLB Create Sites panel
3. Data Entry: GSLB Sites panel
Name: TUCSON
4. SLB Devices section: Click Create button Open Create SLB Device panel
5. Data Entry: Create SLB Device panel
Device Name: ACOS-31
IP Address: 10.30.0.131
VIP Server List: (drop down) PIMA – Click Add button
Click Create button Returns to GSLB Sites Roster
6. Click Create button Open GSLB Create Sites panel
7. Data Entry: GSLB Sites panel
Name: FLAGSTAFF
8. SLB Devices section: Click Create button Open Create SLB Device panel
9. Data Entry: Create SLB Device panel
Device Name: ACOS-32
IP Address: 10.30.0.132
VIP Server List: (drop down) COCONINO – Click Add button
Click Create button Returns to GSLB Sites Roster
10. Click Create button Returns to GSLB Sites Roster

Configuring GSLB Policy (SODIUM)

1. Select GSLB >> Policies Opens GSLB Policies Roster


2. Click Create button Opens GSLB Create Policies panel
3. Data Entry: GSLB Create Policies panel
Name: SODIUM
4. Expand DNS Options section
5. Data Entry: GSLB Create Policies panel
Server Mode: (checkbox) select
Authoritative Mode: (checkbox) select
Click Create button Returns to GSLB Policies Roster

Creating GSLB FQDN (www.a10-black.com)

1. Select GSLB >> FQDN Opens GSLB FQDNs Roster


2. Click Create button Opens GSLB Create FQDNs panel


3. Data Entry: GSLB Create FQDNs panel


GSLB Zone: a10-black.com
Service: www
Zone Policy: (drop down) SODIUM
Port: 80
Click Create button Returns to GSLB FQDNs Roster

Creating GSLB FQDN (mail.a10-black.com)

1. Click Create button Opens GSLB Create FQDNs panel


2. Data Entry: GSLB Create FQDNs panel
Existing Zone: (drop down) a10-black.com
Service: mail
Port: 25
3. Click Create button Returns to GSLB FQDNs Roster

Configuring GSLB FQDN DNS Records (www.a10-black.com)

1. Expand a10-black.com (zone column) Reveals FQDNs for a10-black.com zone


2. Click Edit text on www.a10-black.com Opens GSLB Update FQDNs panel
3. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
4. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) Service A
Service IP Name: (Drop-Down) PIMA
Static: (checkbox) select
Click Create button Returns to GSLB Update FQDNs panel
5. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
6. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) Service A
Service IP Name: (Drop-Down) COCONINO
Static: (checkbox) select
Click Create button Returns to Update GSLB FQDNs Roster
7. Click Update button Returns to GSLB FQDNs Roster

Configuring GSLB FQDN DNS Records (mail.a10-black.com)

1. Expand a10-black.com (zone column) Reveals FQDNs for a10-black.com zone


2. Click Edit text on mail.a10-black.com Opens GSLB Update FQDNs panel
3. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
4. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) SERVICE A


Service IP Name: (Drop-Down) PIMA


Static: (checkbox) select
Click Create button Returns to GSLB Update FQDNs panel
5. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
6. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) SERVICE A
Service IP Name: (Drop-Down) COCONINO
Static: (checkbox) select
Click Create button Returns to GSLB FQDNs Roster
7. Click Update button Returns to GSLB FQDNs Roster

Enabling the GSLB Protocol

1. Select GSLB >> Global Opens GSLB Update Global (System) Panel
2. Select Protocol Opens GSLB Update Global (Protocol) panel
3. Data Entry: Update GSLB Global (Protocol) panel
Enable as GSLB controller: (checkbox) select
4. Click Update GSLB Global Protocol button

Device ACOS-31: Changing the Hostname

1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu) Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-31
Click Update DNS button
4. Click Update DNS button GUI displays success message

Device ACOS-31: Creating the VIP

Creating the SLB Server

1. ADC >> SLB (primary menu) Open SLB Virtual Server roster
2. Select Servers (secondary menu) Open SLB Servers Roster
3. Click Create button Open Create Server panel
4. Data Entry: Create Server panel
Name: ACOS-31P
Host: 10.1.1.58
Port Section: Click Create button Open Update Port panel
5. Data Entry: Update Port panel


Port Number: 53
Protocol: TCP
Click Create button

Creating the SLB Service Group

1. Select Service Groups (secondary menu) Open Service Groups roster


2. Click Create button Open Create Service Group panel
3. Data Entry: Create Service Group panel
Name: DNS-31P
Protocol: TCP
Member section: Click Create button Open Create Member panel
4. Data Entry: Create Member panel
Choose Creation Type: (Radio button) Existing Server
Server: (drop down) ACOS-31P
Port: 53
Click Create button Returns to Update Service Group panel

Creating the SLB Virtual Server

1. Select Virtual-Servers (secondary menu) Open SLB Virtual Servers roster


2. Click Create button Open SLB Create Virtual Server panel
3. Data Entry: SLB Create Virtual Server panel
Name: DNS-31
IP Address: 10.40.0.141
Virtual Port section: Click Create button Opens SLB Create Virtual Port panel
4. Data Entry: SLB Create Virtual Port panel
Protocol: dns-tcp
Port: 53
Service Group: (Drop Down): DNS-GROUP
5. Expand General Fields section
6. Data Entry: General Fields section
GSLB Enable: (checkbox) select
7. Click Create button Return to SLB Update Virtual Server panel
8. Click Update button Return to SLB Virtual Servers roster

Device ACOS-31: Enabling the GSLB Protocol

1. Select GSLB >> Global Opens GSLB Update Global (System) Panel
2. Select Protocol Opens GSLB Update Global (Protocol) panel


3. Data Entry: Update GSLB Global (Protocol) panel


Enable as site device: (checkbox) select
4. Click Update GSLB Global Protocol button

Device ACOS-32: Changing the Hostname

1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu) Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-32
Click Update DNS button
4. Click Update DNS button GUI displays success message

Device ACOS-32: Creating the VIP

SLB Service Group configuration, required in step 4, is not featured in this example. Refer to the ADC
Configuration Guide.

Creating the SLB Server

1. ADC >> SLB (primary menu) Open SLB Virtual Server roster
2. Select Servers (secondary menu) Open SLB Servers Roster
3. Click Create button Open Create Server panel
4. Data Entry: Create Server panel
Name: ACOS-32P
Host: 10.1.2.68
Port Section: Click Create button Open Update Port panel
5. Data Entry: Update Port panel
Port Number: 53
Protocol: TCP
Click Create button

Creating the SLB Service Group

1. Select Service Groups (secondary menu) Open Service Groups roster


2. Click Create button Open Create Service Group panel
3. Data Entry: Create Service Group panel
Name: DNS-32P
Protocol: TCP
Member section: Click Create button Open Create Member panel


4. Data Entry: Create Member panel


Choose Creation Type: (Radio button) Existing Server
Server: (drop down) ACOS-32P
Port: 53
Click Create button Returns to Update Service Group panel

Creating the SLB Virtual Server

1. Select Virtual-Servers (secondary menu) Open SLB Virtual Servers roster


2. Click Create button Open SLB Create Virtual Server panel
3. Data Entry: SLB Create Virtual Server panel
Name: DNS-32
IP Address: 10.40.0.142
Virtual Port section: Click Create button Opens SLB Create Virtual Port panel
4. Data Entry: SLB Create Virtual Port panel
Protocol: dns-tcp
Port: 53
Service Group: (Drop Down): DNS-32P
5. Expand General Fields section
6. Data Entry: General Fields section
GSLB Enable: (checkbox) select
7. Click Create button Return to SLB Update Virtual Server panel
8. Click Update button Return to SLB Virtual Servers roster

Device ACOS-32: Enabling the GSLB Protocol

1. Select GSLB >> Global Opens GSLB Update Global (System) Panel
2. Select Protocol Opens GSLB Update Global (Protocol) panel
3. Data Entry: Update GSLB Global (Protocol) panel
Enable as site device: (checkbox) select
4. Click Update GSLB Global Protocol button

Configuring GSLB Controller-Based Metrics


See “Configuring GSLB Controller-Based Metrics (CLI Example)” for the scenario description
and equivalent CLI implementation.

1. “Changing the Hostname”
2. “Configuring GSLB Service IPs (NYE and WASHOE)”
3. “Configuring GSLB Sites (ELY and RENO)”
4. “Configuring GSLB Policy (RHOMBUS)”
5. “Creating GSLB FQDN (www.a10-lime.com)”
6. “Configuring GSLB FQDN (www.a0-black.com)”
7. “Enabling the GSLB Protocol”

Changing the Hostname

1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu) Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-1
IP Address: 10.10.1.58
Click Update DNS button
4. Click Update DNS button GUI displays success message

Configuring GSLB Service IPs (NYE and WASHOE)

1. Select GSLB >> Service IPs Open GSLB Service IP Roster


2. Click Create button Open GSLB Create Service IP panel
3. Data Entry: Create Service IP panel
Service IP Name: NYE
IP Address: 10.1.1.10
Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
4. Data Entry: Create Service IPs Ports panel
Port: 80
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
5. Click Update button Return to GSLB Service IP Roster
6. Click Create button Open GSLB Create Service IP panel
7. Data Entry: Create Service IP panel
Service IP Name: WASHOE
IP Address: 20.1.1.20
Service IP Ports section: Click Create button Opens GSLB Create Service IPs Ports panel
8. Data Entry: Create Service IPs Ports panel
Port: 80
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel


9. Click Update button Return to GSLB Service IP Roster

Configuring GSLB Sites (ELY and RENO)

1. Select GSLB >> Sites Open GSLB Sites Roster


2. Click Create button Open GSLB Create Sites panel
3. Data Entry: GSLB Sites panel
Name: ELY
IP Server (drop down): NYE – Click Add button
4. Click Create button Returns to GSLB Sites Roster
5. Click Create button Open GSLB Create Sites panel
6. Data Entry: GSLB Sites panel
Name: RENO
IP Server (drop down): WASHOE – Click Add button
7. Click Create button Returns to GSLB Sites Roster

Configuring GSLB Policy (RHOMBUS)

1. Select GSLB >> Policies Opens GSLB Policies Roster


2. Click Create button Opens GSLB Create Policies panel
3. Data Entry: GSLB Create Policies panel
Name: default
Round Robin: (checkbox) de-select
Metrics – Active RDT: (checkbox) select
4. Expand Active RDT section
5. Data Entry: Active RDT section
Controller: (checkbox) select
Enable RDT to Controller: (checkbox) select
6. Expand DNS Options section
7. Data Entry: GSLB Create Policies panel
Server Mode: (checkbox) select
Only Keep Active Servers: (checkbox) select
Only Keep Selected Servers: (checkbox) select
Answer Number: 1
8. Click Create button Returns to GSLB Policies Roster

Creating GSLB FQDN (www.a10-lime.com)

1. Select GSLB >> FQDN Opens GSLB FQDNs Roster


2. Click Create button Opens GSLB Create FQDNs panel


3. Data Entry: GSLB Create FQDNs panel
GSLB Zone: a10-lime.com
Service: www
Zone Policy: (drop down) RHOMBUS
Port: 80
4. Click Create button Returns to GSLB FQDNs Roster

Configuring GSLB FQDN (www.a0-black.com)

1. Expand a10-lime.com (zone column) Reveals FQDNs for a10-lime.com zone


2. Click Edit text on www.a10-lime.com Opens GSLB Update FQDNs panel
3. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
4. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) SERVICE A
Service IP Name: (Drop-Down) NYE
Static: (checkbox) select
5. Click Create button Returns to GSLB Update FQDNs panel
6. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
7. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) Service A
Service IP Name: (Drop-Down) WASHOE
Static: (checkbox) select
8. Click Create button Returns to GSLB Update FQDNs panel
9. Click Update button Returns to GSLB FQDNs Roster

Enabling the GSLB Protocol

1. Select GSLB >> Global Opens GSLB Update Global (System) Panel
2. Select Protocol (secondary menu) Opens GSLB Update Global (Protocol) panel
3. Data Entry: Update GSLB Global (Protocol) panel
Enable as GSLB controller: (checkbox) select
4. Click Update GSLB Global Protocol button

GSLB CLI Command Reference

This chapter lists the CLI commands for Global Server Load Balancing (GSLB). The commands are
organized into the following sections:

• “Main Configuration Commands” on page 161

• “Policy Configuration Commands” on page 195

• “Show Commands” on page 249

• “Clear Command” on page 278

Main Configuration Commands


The commands in this section configure GSLB parameters. In some cases, the commands create a
GSLB configuration item and change the CLI to the configuration level for that item.

• delete geo-location

• gslb active-rdt

• gslb dns action

• gslb dns logging

• gslb geo-location

• gslb group

• gslb ip-list

• gslb policy

• gslb protocol

• gslb protocol limit

• gslb service-group

• gslb service-ip

• gslb site

• gslb system age-interval

• gslb system auto-map module

• gslb system auto-map ttl

• gslb system geo-location load

• gslb system ip-ttl

• gslb system wait

• gslb template csv

• gslb template snmp

• gslb zone

• import geo-location

delete geo-location
Description Delete or replace a custom geo-location database from the ACOS device.

Syntax delete geo-location {all | file-name}

Parameter Description
all Deletes all manually configured geo-locations from the configuration.
file-name Deletes the specified geo-location from the configuration.

Default N/A

Usage This command is available only if you have already imported a geo-location
database file.

Mode Global configuration mode

gslb active-rdt
Description Configure global aRDT settings.

Syntax [no] gslb active-rdt


{
domain domain-name |
icmp |
interval seconds |
port portnum |
retry num |
sleep seconds |
timeout ms |

track seconds
}

Parameter Description
domain domain-name Specifies the query domain. To measure the active-Round Delay Time (aRDT) for a
client, the site ACOS device sends queries for the domain name to a client’s local DNS.
An aRDT sample consists of the time between when the site ACOS device sends a
query and when it receives the response.

Only one aRDT domain can be configured. It is recommended to use a domain name
that is likely to be in the cache of each client’s local DNS.

The ACOS device averages multiple aRDT samples together to calculate the aRDT
measurement for a client. (See the description of track below.)

The default domain is google.com.


icmp Programs the device to use ICMP packets, instead of DNS requests, to calculate
response delay time.
interval seconds Specifies the number of seconds between queries. You can specify 1-16383 seconds.

The default interval is 1 second.


port portnum Specifies the port. You can specify ports 0-65535.

The default port is 0.


retry num Specifies the number of times GSLB will resend a query if there is no response. You
can specify 0-16.

The default is 3.
sleep seconds Specifies the number of seconds GSLB stops tracking aRDT data for a client after a
query fails. You can specify 1-300 seconds.

The default is 3 seconds.


timeout ms Specifies the number of milliseconds GSLB will wait for a reply before resending a
query. You can specify 1-16383 ms.

The default is 3000 ms.


track seconds Specifies the number of seconds during which the ACOS device collects samples for a
client. The samples collected during the track time are averaged together, and the
averaged value is used as the aRDT measurement for the client. You can specify
3-16383 seconds.

The default is 60 seconds.

The averaged aRDT measurement is used until it ages out. The aging time for averaged
aRDT measurements is 10 minutes by default and is configurable on individual
sites, using the active-rdt aging-time command in GSLB site configuration mode.

Default See descriptions.

Mode Global configuration mode

gslb dns action


Description Globally drop or reject DNS queries from the local DNS server.

Syntax gslb dns action {drop | ignore | none | reject}


no gslb dns action

Parameter Description
drop Drops DNS queries that do not match any zone service.
ignore Ignores DNS queries that do not match any zone service.
none No action (default)
reject Rejects DNS queries that do not match any zone service, and
returns the “Refused” message in replies.

Default No action (gslb dns action none)

Mode Global configuration mode

gslb dns logging


Description Globally set DNS logging parameters. When this option is enabled, the GSLB
DNS log messages appear in the ACOS log.

For more information, see “DNS Logging” on page 106.


Syntax gslb dns logging {
both [template template-name] |
query [template template-name] |
response [template template-name] |
none
}
no gslb dns logging

Parameter Description
both [template template-name] Log both the DNS query and response.
query [template template-name] Log only the DNS query.
response [template template-name] Log only the DNS response.
none Do not log any DNS messages.

Default Disabled (gslb dns logging none)

Mode Global configuration mode

gslb geo-location
Description Configure a global geographic location by assigning a location name to a client
IP address range. GSLB forwards client requests from addresses within
the specified IP address range to the GSLB site that serves the location.

Syntax [no] gslb geo-location location-name

Parameter Description
location-name Name of location. Use a period between string labels (ranges). Each range can
contain up to 15 alphanumeric characters. The entire name can contain up to 127 characters.

Example: Asia.japan.123456789.xyz

The ACOS device can perform a partial match on geo-locations. Example: if IP 1.1.1.1
belongs to “Asia.japan”, but only “Asia” is configured, the ACOS device still selects
the proper site.

The command changes the CLI to the configuration level for the location,
where the following location-related commands are available:

Command Description
[no] ip start-ip-addr {mask ip-mask | end-ip-addr}
Beginning IPv4 address for the range.
• mask ip-mask - Network mask
• end-ip-addr - Ending IP address of the range
[no] ipv6 start-ipv6-addr {mask ipv6-mask | end-ipv6-addr}
Beginning IPv6 address for the range.
• mask ipv6-mask - Network mask
• end-ipv6-addr - Ending IP address of range

Default N/A

Mode Global configuration mode

Usage Geographic location can be configured in a GSLB policy, which specifies
using either the globally configured geographic location or the policy-configured
location. (See “geo-location” on page 238 and “geo-location-match” on
page 239.)

Use manually configured geo-location mappings or load a mappings
database, as described in “gslb system geo-location load” on page 183.

• If you manually map a geo-location to a GSLB site, GSLB uses the mapping.
• If no geo-location is configured for a GSLB site, GSLB automatically
maps the service-ip to a geo-location in the loaded geo-location database.

• If a service-ip cannot be mapped to a geo-location, GSLB maps the site
ACOS device to a geo-location.

Example This example configures geographic location “US.CA.SanJose” for IP
address range 100.1.1.1 through 100.1.1.125:

ACOS(config)# gslb geo-location US.CA.SanJose
ACOS(config-geo-location:US.CA.SanJose)# ip 100.1.1.1 100.1.1.125
ACOS(config-geo-location:US.CA.SanJose)#
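
The naming limits and partial-match behaviour described for gslb geo-location, as an added Python example (not A10 code and not part of the original guide). It assumes that a partial match means the longest label-wise prefix of the client's location; GeoTable, select_site, the site names and the Asia.japan range are hypothetical.

```python
import ipaddress
import re

LABEL = re.compile(r"[A-Za-z0-9]{1,15}")  # one label: up to 15 alphanumeric characters
MAX_NAME = 127                            # whole name: up to 127 characters


def validate_location_name(name):
    """Split a location name into labels, enforcing the documented length limits."""
    if not 0 < len(name) <= MAX_NAME:
        raise ValueError(f"location name must be 1-{MAX_NAME} characters")
    labels = name.split(".")
    bad = [label for label in labels if not LABEL.fullmatch(label)]
    if bad:
        raise ValueError(f"invalid label(s) {bad} in {name!r}")
    return labels


def ip_range(start, end=None, mask=None):
    """Return (version, first, last) for 'ip start end' or 'ip start mask m'."""
    if (end is None) == (mask is None):
        raise ValueError("give exactly one of end or mask")
    if mask is not None:
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        return net.version, int(net[0]), int(net[-1])
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first.version != last.version or first > last:
        raise ValueError(f"bad range {start} - {end}")
    return first.version, int(first), int(last)


class GeoTable:
    """Hypothetical in-memory stand-in for the configured geo-location ranges."""

    def __init__(self):
        self.ranges = []  # (version, first, last, location-name)

    def add(self, name, start, end=None, mask=None):
        validate_location_name(name)
        self.ranges.append((*ip_range(start, end, mask), name))

    def locate(self, client_ip):
        """Most specific location (most labels) whose range holds client_ip."""
        addr = ipaddress.ip_address(client_ip)
        hits = [name for version, first, last, name in self.ranges
                if version == addr.version and first <= int(addr) <= last]
        return max(hits, key=lambda name: name.count("."), default=None)


def select_site(client_location, site_locations):
    """Pick the site whose location is the longest label-wise prefix of the client's."""
    if client_location is None:
        return None
    client = client_location.split(".")
    best_site, best_len = None, 0
    for site, location in site_locations.items():
        labels = location.split(".")
        # Compare whole labels, so "Asia" never matches "Asiapacific".
        if client[:len(labels)] == labels and len(labels) > best_len:
            best_site, best_len = site, len(labels)
    return best_site


if __name__ == "__main__":
    table = GeoTable()
    table.add("US.CA.SanJose", "100.1.1.1", end="100.1.1.125")  # range from the guide's example
    table.add("Asia.japan", "1.1.1.0", mask="255.255.255.0")    # constructed range
    sites = {"site-tokyo": "Asia", "site-west": "US.CA"}        # hypothetical sites
    for ip in ("1.1.1.1", "100.1.1.7", "100.1.1.126"):
        location = table.locate(ip)
        print(ip, location, select_site(location, sites))
```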

gslb group
Description Configure GSLB group settings. GSLB controllers within a GSLB group automatically
synchronize GSLB configuration information and data.

Syntax [no] gslb group {default | group-name}

The command changes the CLI to the configuration level for the group,
where the following group-related commands are available:

Other available commands are common to all CLI configuration levels. See
the CLI Reference.

Command Description
[no] auto-map [option] Automatically creates IP-to-name mappings for resources within the zone. The
option can be one of the following:

• data-interface
• learn
• mgmt-interface
• primary
• smart
This is disabled by default.

This option is applicable only to GSLB zones that use wildcard service names.
[no] config-anywhere Allows GSLB to be configured on any group member, without restricting the
changes to the master controller.

This is disabled by default.


[no] config-merge If this option is used and the current GSLB controller has the highest priority of
all group members, then this current controller will attempt to retrieve the config
file from the master GSLB controller before assuming control.

This is disabled by default.


[no] config-save Enables automatic configuration save on this GSLB group member when the
configuration is saved on the group master.

This is enabled by default.

[no] dns-discover Discover member via DNS protocol. When this option is used, you do not need to
configure a primary IP address, because GSLB will send a DNS query (based on
the group name) to discover other group members.

For example, if group name is “group.example.com” then GSLB will send the DNS
discover query with domain name “group.example.com”.

This is disabled by default.


[no] enable Activates the ACOS device’s membership in the GSLB controller group.

This is disabled by default.


[no] learn Enables the ACOS device to learn the IP addresses of other group members from
the group’s primary controllers.

This is enabled by default.


[no] primary ipaddr Specifies the IP address of another group member, to be a primary member.
After the GSLB process starts on an ACOS device, the device joins the controller
group by connecting to the primary group members to exchange group management
traffic.

You can specify up to 15 primary members. Enter the command separately for
each member.

This is not set by default.


[no] priority num Specifies the priority of the ACOS device to become the master for the group.
You can specify 1-255.

The default is 100.


[no] standalone Run GSLB Group in standalone mode.

This is disabled by default.


[no] suffix name This option allows you to configure the DNS suffix that will be used for
dns-discovery. You can specify the suffix (or name) that GSLB will append to the domain
name when sending the dns-discover query. For example, if the group name is
“group” and the suffix is “example.com”, then the concatenated strings are sent
in the DNS discovery query as “group.example.com”.

This is not set by default.

Default See descriptions.

Mode Global configuration mode

gslb health monitor


Description Configure a health check that is synchronized across all GSLB group members.
See the “health monitor” command in Command Line Interface Reference.

Syntax [no] gslb health monitor monitor-name


[interval seconds]
[retry number]
[timeout seconds]
[up-retry number]

Mode Except for the gslb keyword in front of the command, the syntax is the same
as the health monitor command at the global configuration level for the CLI.
For information about the options, see the CLI Reference.

gslb ip-list
Description Configure a list of IP addresses and group IDs to use as input to other GSLB
commands.
Syntax [no] gslb ip-list list-name

The command changes the CLI to the configuration level for the list, where
the following IP-list-related commands are available:

(The other commands are common to all CLI configuration levels. See the
CLI Reference.)

Parameter Description
[no] ip ipaddr [subnet-mask | /mask-length] id group-id
Creates an IP entry in the list. Based on the subnet mask or mask
length, the entry can be a host address or a subnet address. The id
option adds the entry to a group. The group-id can be 0-31.
[no] load bwlist-name Loads the entries from a black/white list into the IP list.

Default None

Mode Global configuration mode

Usage You can configure an IP list in either of the following ways:


• Use a text editor on a PC or use the ACOS GUI to configure a black/white
list, then load the entries from the black/white list into an IP list.
• Use this command to configure individual IP list entries.

Example The following commands configure a GSLB IP list and use the list to exclude
IP addresses from aRDT data collection:

ACOS(config)# gslb ip-list iplist1


ACOS(config-gslb ip-list)# ip 192.168.1.0 /24 id 3
ACOS(config-gslb ip-list)# ip 10.10.10.10 /32 id 3

ACOS(config-gslb ip-list)# ip 10.10.10.20 /32 id 3


ACOS(config-gslb ip-list)# ip 10.10.10.30 /32 id 3
ACOS(config-gslb ip-list)# exit
ACOS(config)# gslb policy pol1
ACOS(config-gslb policy)# ip-list iplist1
ACOS(config-gslb policy)# active-rdt ignore-id 3

gslb policy
Description Configure a GSLB policy.

Syntax [no] gslb policy {default | policy-name}

Parameter Description
default The default GSLB policy included in the software.
policy-name Name of the policy, up to 63 alphanumeric characters.

This command changes the CLI to the configuration level for the specified
GSLB policy. For information about the commands available at the GSLB
policy level, see “Policy Configuration Commands” on page 195.

Default N/A

Mode Global configuration mode

Example The following example creates a GSLB policy called “gslb-policy2”:

ACOS(config)# gslb policy gslb-policy2


ACOS(config-policy:gslb-policy2)#

gslb protocol
Description Enable the GSLB protocol or set protocol options.

Syntax [no] gslb protocol


{
auto-detect |
enable {controller | device} |
limit option |
ping [site | ip-addr] |
status-interval seconds |
use-mgmt-port
}

Parameter Description
auto-detect Enables auto-detection.

This is disabled by default.


enable {controller | device} Enables the GSLB protocol:
• controller – Use this option on the ACOS device on which GSLB is configured.

• device – Use this option on the ACOS devices that are SLB devices at the
GSLB sites.
limit option See “gslb protocol limit” on page 171.
ping [site | ip-addr] Test GSLB connectivity from the GSLB ACOS device to a site ACOS device.
• site - GSLB site name of the site ACOS device.

• ip-addr - The IP address of the site ACOS device.


status-interval seconds Changes the number of seconds between GSLB status messages. You can
specify 1-1800 seconds.

The default is 30 seconds.


use-mgmt-port Use the management route table instead of the data route table.

This is disabled by default.

NOTE: For the limit options, see “gslb protocol limit” on page 171.

Default See descriptions.

Mode Global configuration mode

Usage The GSLB protocol uses port 4149 and is registered on this port for both TCP
and UDP.

ACOS devices use the GSLB protocol for GSLB management traffic. The
protocol must be enabled on the GSLB controller, and it is recommended
(but not required) that you enable the protocol on the site ACOS devices.

The following GSLB policy metrics require the protocol to be enabled on both
the site ACOS devices as well as the GSLB controller:

• Session-Capacity
• aRDT
• Connection-Load
• Num-Session

The GSLB protocol is also required for the Health-Check metric, if the default
health checks are used. If you modify the health checks, the GSLB protocol is
not required.

Example The following command enables the GSLB protocol on a GSLB device:

ACOS(config)# gslb protocol enable controller

Example The following command enables the GSLB protocol on a site device:

ACOS(config)# gslb protocol enable device

gslb protocol limit


Description Change aRDT message limits.

Syntax [no] gslb protocol limit


{
ardt-query num-msgs |
ardt-response num-msgs |
ardt-session num-sessions |
conn-response num-msgs |
message num-msgs |
response num-msgs
}

Parameter Description
ardt-query Limits the number of aRDT Query messages (0-1000000).

The default is 200 query messages.


ardt-response Limits the number of aRDT Response Messages (0-1000000).

The default is 1000 response messages.


ardt-session Limits the number of aRDT sessions (0-1000000).

The default is 32768 sessions.


conn-response Limits the number of Connection Load Response Messages
(0-1000000).

By default no limit is set.

message Limits the number of messages (0-1000000).

The default is 10000 (ten thousand) messages.


response Limits the number of Response Messages (0-1000000).

The default is 3600 response messages.

Default See descriptions.

Mode Global configuration mode

gslb service-group
Description Configure an FQDN group.

Syntax [no] gslb service-group group-name

This command creates the group and changes the CLI to the configuration
level for it. At this level, the following commands are available:

Parameter Description
[no] dependency site All services become unavailable on the site when one service
goes down. Facilitates traffic redirection to a site that can
maintain persistence for all services. Default setting is disabled.

Only valid when persistent site is enabled.


[no] disable Disables all FQDN members.
[no] disable-site site-name Disables the given site name in the service-group.
[no] persistent site [AGE][V4][V6] Enables site persistence for the configuration mode service
group. Parameter options include:

• AGE – Specifies enforcement period. Valid options include:

• <no parameter> – default period of five minutes.

• aging-time <1-65535> – specifies period (minutes)

• V4 – Specifies IPv4 mask. Valid formats include:

• <no parameter> – IPv4 mask of /32.

• /nn – specifies IPv4 mask length

• A.B.C.D – must specify valid IPv4 mask

• V6 – Specifies IPv6 mask length. Valid formats include:

• <no parameter> – default IPv6 mask of 128.

• ipv6-mask <1-128> – specifies IPv6 mask length


[no] member service-name.zone-name Adds the specified service, in FQDN format.

Example These commands 1) create an FQDN; 2) create an FQDN group called
“example-group”; and 3) add the FQDN for GSLB services to the group:

ACOS(config)# gslb zone example.com


ACOS(config-zone:example.com)# service 80 www
ACOS(config-zone:example.com-service:www)# exit
ACOS(config-zone:example.com)# exit
ACOS(config)# gslb service-group example-group
ACOS(config-svc group:example-group)# member www.example.com
ACOS(config-svc group:example-group)# member www1.example.com

ACOS(config-svc group:example-group)#

gslb service-ip
Description Configure a service IP, which can be a virtual server’s or real server’s IP
address.

Syntax [no] gslb service-ip service-name [ipaddr]

Parameter Description
service-name Name of the service, up to 63 alphanumeric characters.
ipaddr IP address of the virtual server or real server. You can specify an IPv4 or IPv6
address.

(If you are changing the configuration of a GSLB service that is already configured,
this parameter is not required.)

This command changes the CLI to the configuration level for the specified
service, where the following GSLB-related commands are available:

Command Description
disable Disables GSLB for the service IP address.
enable Enables GSLB for the service IP address.
[no] external-ip ipaddr Assigns an external IP address to the service IP. The external IP
address allows a service IP that has an internal IP address to be
reached from outside the internal network.
[no] health-check monitor-name Configures service IP monitoring. If you enter the command
with no options, the default Layer 3 health monitor (ICMP ping)
is used.

• monitor-name – The service is checked using the specified
Layer 3, 4 or 7 health monitor.
[no] health-check-disable Disables the health-check monitor.
[no] health-check-protocol-disable Disables the GSLB protocol health monitor.
[no] ipv6 ipv6-addr Maps the specified IPv6 address to an IPv4 service IP. This
option also requires IPv6 DNS AAAA support to be enabled in
the GSLB policy. (See the ipv6-mapping option in “DNS IPv6” on
page 106.)

[no] port num {tcp | udp} Adds service port to service IP. Changes CLI to configuration
level for specified service port, where these commands are
available:

• disable – Disables GSLB for service port.

• enable – Enables GSLB for service port.

• [no] health-check [monitor-name] – Enables health
monitoring for the service port. If you do not specify a health
monitor, the default health monitor is used. (See “Usage”
below.)

• [no] health-check-disable – Enables or disables health
monitoring for service port.

• [no] health-check-follow-port – Specify the port to follow
for health status. The port cannot follow itself or use port
0.

• [no] health-check-protocol-disable – Disable the GSLB
protocol health monitor for the port.

Default No services are configured by default. When you configure a service, the
service is enabled by default, and the default port is 80. The default health
monitor for a service is the default Layer 3 health monitor (ICMP ping). The
default health monitor for a service port is the default TCP or UDP monitor,
depending on the transport protocol. (For more on health checking, see
“Usage” below.)

Mode Global configuration mode

Usage If you leave the health monitor for a service at its default setting (the
default ICMP ping health check), health checks are performed within the
GSLB protocol.

If you use a custom health monitor, or explicitly apply the default Layer 3
health monitor to the service, the GSLB protocol is not used for any of the
health checks.

If you use a custom health monitor for a service port, the port number
specified in the service configuration is used instead of the port number
specified in the health monitor configuration.

The following policy metric options are not supported for IPv6 service IPs:

• active-rdt
• ip-list
• dns external-ip
• dns ipv6 mapping
• geo-location

Example The following example creates a GSLB service IP address named “gslb-srvc2”
with IP address 192.168.20.99:

ACOS(config)# gslb service-ip gslb-srvc2 192.168.20.99


ACOS(config-service-ip:gslb-srvc2)#

gslb site
Description Configure a GSLB site.

Syntax [no] gslb site site-name

Replace site-name with the name for the site (1-63 characters).

This command changes the CLI to the configuration level for the specified
site, where the following site-related commands are available:

Command Description
[no] active-rdt option Configures options for the aRDT metric:

• aging-time minutes – Specifies the maximum amount of time a stored
aRDT result can be used. You can specify 1-15360 minutes. The default is 10
minutes. (“No” form of command is not available).

• bind-geoloc – Stores the aRDT measurements on a per geo-location basis.
Without this option, the measurements are stored on a per site-SLB device
basis.

• ignore-count num – Specifies the ignore count if aRDT is out of range. You
can specify 1-15. The default is 5.

• limit num – Specifies the maximum aRDT allowed for the site. If the aRDT
measurement for a site exceeds the configured limit, GSLB does not eliminate
the site. Instead, GSLB moves to the next metric in the policy. You can specify
1-16383 milliseconds (ms). The default is 16383. (“No” form of command is
not available).

• mask {/mask-length | mask-ipaddr} – Specifies the IPv4 client subnet
mask length. The default mask length is 32. (“No” form of command is not
available).

• range-factor num – Specifies the maximum percentage a new aRDT measurement
can differ from the previous measurement. If the new measurement
differs from the previous measurement by more than the allowed percentage,
the new measurement is discarded and the previous measurement is used
again.

For example, if the range-factor is set to 25 (the default), a new measurement
that has a value from 75% to 125% of the previous value can be used. Measurements
that are less than 75% or more than 125% of the previous measurement
cannot be used.
You can specify 0-1000. The default is 25.

• smooth-factor num – Blends the new measurement with the previous one,
to smooth the measurements.

For example, if the smooth-factor is set to 10 (the default), 10% of the new
measurement is used, along with 90% of the previous measurement. Similarly,
if the smooth-factor is set to 50, 50% of the new measurement is used, along
with 50% of the previous measurement.

You can specify 1-100. The default is 10. (“No” form of command is not
available).

(For information about the aRDT metric, see “active-rdt” on page 197.)
[no] auto-map Enables DNS auto-mapping for site resources.

[no] bw-cost options Configures options for the BW-Cost metric:

• limit num – Specifies the maximum amount the SNMP object queried by the
GSLB ACOS device can increase since the previous query, in order for the site
to remain eligible for selection. You can specify 0-2147483647. There is no
default.

If a site becomes ineligible due to being over the limit, the percentage parameter
is used. In order to become eligible for selection again, the site’s limit value
must not exceed

limit*threshold-percentage.

• threshold percentage – For a site to regain eligibility when BW-Cost is
being compared, the SNMP object’s value must be below the threshold-percentage
of the limit value. You can specify 0-100. There is no default.

For example, if the limit value is 80,000 and the threshold is 90 percent, then
the limit value must be 72,000 or less, in order for the site to become eligible
again. Once a site again becomes eligible, the SNMP object’s value is
again allowed to increase up to the bandwidth limit (80,000 in this example).

(For information about the BW-Cost metric, see “bw-cost” on page 203.)
[no] controller domain-name This command binds the specified controller to the configuration mode GSLB
site in support of GSLB controller-based metrics.

• domain-name – ACOS hostname of local controller for the GSLB site.

There is no default.
[no] disable Disables all servers in the GSLB site.
[no] geo-location location-name Associates this site with a specific geographic location. (To configure a location,
use the gslb geo-location command.)
[no] ip-server service-ip Associates a real server with this site.

• service-ip – Specify the real server name.

Generally, virtual servers rather than real servers are associated with a site. To
associate a virtual server with a site, use the vip-server option of the slb-dev
command.

[no] slb-dev device-name [ip-addr] Specifies the device that provides SLB for the site. The IP address must be
reachable by the GSLB controller when GSLB protocol is enabled. This command
changes the CLI to the slb-dev configuration level where the following
commands are available:

• admin-preference num – Assigns a preference value to the SLB device. If the
Admin-Preference metric is enabled in the policy and all metrics before this
one result in a tie, the SLB device with the highest Admin-Preference value is
preferred. You can specify from 0 – 255. The default is 100.

• auto-detect {ip | port | ip-and-port | disabled} – Enables DNS
auto detect at service IP level, port level, or both. You can also disable
auto-detect.

• [no] auto-map – Enables DNS auto-mapping for this site.

• [no] gateway ipaddr – Specifies the gateway the SLB device will use to
reach the GSLB local DNS for collecting aRDT measurements.

• gateway health-check – Enables gateway health checking. A gateway
health check is a Layer 3 health check (ping) sent to the gateway router for an
SLB site. This option is enabled by default.

• gateway health-check-disable – Disables gateway health checking.
Gateway health check is enabled by default.

• max-client num – Specifies the maximum number of clients for which the
GSLB ACOS device (controller) saves data such as aRDT measurements for
each of the clients. You can specify 1-2147483647. The default is 32768.

• [no] proto-aging-fast – This option enables a quick refresh of data sent
from a site ACOS device to the ACOS controller by “aging out” data from a site
ACOS device. This can be used to obtain fresh health status information from
a site ACOS. For example, when a virtual server is deleted from a site-ACOS
device, but this information could not be sent to the ACOS controller, then the
status in the controller will continue to appear as "UP" for a long time until it is
aged out. The "proto-aging-fast" command forces the GSLB controller to start
aging the health status immediately after receiving updated information from
a site ACOS.

• proto-aging-time seconds – If communication between a site ACOS
device and the GSLB controller is interrupted, then the data for that site will
become stale. The GSLB controller can continue to rely upon this old information,
but after some time, the old data for the site must be purged. The lifespan
of this old data is the sum of the time set using the gslb protocol status-interval
command, plus the time you set using this proto-aging-time option. The
default value is 60 seconds. You can specify from 1 to 65535 seconds.

• [no] proto-compatible – Enables GSLB protocol compatibility between a
controller running 2.6.1 or later and a site ACOS device running 2.4.x. This
option is disabled by default.

• [no] vip-server {name | ipaddr} – Maps this SLB site to a globally configured
GSLB service IP address. If you use the name option, the name must
be the name of a configured service IP. (To configure the service IP, use the
gslb service-ip command. See “gslb service-ip” on page 174.)
[no] template template-name Binds a template to the site. To use the BW-Cost metric, use this option to bind a
GSLB SNMP template to the site.

[no] weight num Assigns a weight to the site. If the Weighted-Site metric is enabled in the policy
and all metrics before Weighted-Site result in a tie, the site with the highest
weight is preferred. The weight can be from 1 – 100. The default is 1.

Default See descriptions.

Mode Global configuration mode

Example The following example creates a site named “NY-site” and adds SLB ACOS
device “site-acos-1” with IP address 10.10.10.10 to the site:

ACOS(config)# gslb site NY-site


ACOS(config-gslb site:NY-site)# slb-dev site-acos-1 10.10.10.10
ACOS(config-gslb site:NY-site-slb dev:sit...)#

gslb system age-interval


Description Set the age interval for runtime GSLB statistics.

Syntax gslb system age-interval seconds


no gslb system age-interval

Replace seconds with the desired age interval (0-120 seconds).

Default 10 seconds

Mode Global configuration mode

gslb system auto-map module


Description Enable auto-mapping of IP address to resource name.


Syntax gslb system auto-map module resource-type


no gslb system auto-map module

Parameter Description
resource-type Enables DNS auto-mapping for the specified resource type. When auto-mapping is
enabled, ACOS can respond to DNS queries for resources of the specified type that are
within the GSLB zone. The resource-type option can be one of the following:

• gslb-group – Enables auto-mapping for GSLB groups.

• gslb-service-ip – Enables auto-mapping for service-IPs.

• gslb-site – Enables auto-mapping for GSLB sites.

• hostname – Enables auto-mapping for the ACOS device hostname.

• slb-device – Enables auto-mapping for SLB devices.

• slb-server – Enables auto-mapping for real server names.

• slb-virtual-server – Enables auto-mapping for virtual server names.

Default Disabled

Mode Global configuration mode

Usage See “Configuring Auto-Mapping (CLI)” on page 96.

gslb system auto-map ttl


Description Configure the TTL for DNS A or AAAA records created by the auto-mapping
feature.
Syntax gslb system auto-map ttl seconds
no gslb system auto-map ttl

Replace seconds with the maximum number of seconds for which an A or
AAAA record created by auto-mapping is valid. You can specify 1-65535
seconds.

Default 300 seconds

Mode Global configuration mode


gslb system geo-location load


Description Load a geo-location database into GSLB. Using a geo-location database is
an alternative to manually configuring each geo-location separately.

Syntax [no] gslb system geo-location load


{iana | file-name csv-template-name}

Parameter Description
iana Loads the Internet Assigned Numbers Authority (IANA) database. The
IANA database contains the geographic locations of the IP address
ranges and subnets assigned by the IANA. The IANA database is
included in the ACOS system software. The IANA geo-location database
is loaded by default.
file-name csv-template-name Loads a custom database. You can load a custom geo-location database
from a file in comma-separated-values (CSV) format. This option
requires configuration of a CSV template on the ACOS device. When
you load the CSV file, the data is formatted based on the template. (To
configure a CSV template, see “gslb template csv” on page 184.)

Mode Global configuration mode

Usage You can load more than one database. The geo-location match command
determines the IP address used when databases contain overlapping
addresses.

Example The following command loads the IANA database:

ACOS(config)# gslb system geo-location load iana

Example The following command loads geo-location data from a CSV file:

ACOS(config)# gslb system geo-location load test1.csv test1-template

gslb system ip-ttl


Description Change the IP Time-to-Live (TTL) in DNS replies to clients.

Syntax gslb system ip-ttl num


no gslb system ip-ttl

Replace num with the desired TTL value (0-255).

Default 0

Mode Global configuration mode

Usage This option applies only to DNS server mode. The option does not apply to
DNS proxy mode.

The TTL value is used in all replies, regardless of the client’s original TTL.


gslb system wait


Description Delay startup of GSLB following startup of the ACOS device.

Syntax gslb system wait seconds


no gslb system wait

Replace seconds with the desired startup delay interval (0-16384 seconds).

Default 0 seconds (no delay)

Mode Global configuration mode

gslb template csv


Description Configure a template for extracting geo-location data from an imported CSV
file.

Syntax [no] gslb template csv template-name

Replace template-name with the name of the template (1-63 characters).


This command changes the CLI to the configuration level for the specified
template, where the following commands are available.

(The other commands are common to all CLI configuration levels. See the
CLI Reference.)

Parameter Description
[no] delimiter {character | ASCII-code} Specifies the character used in the file to delimit fields. You can type the
character or enter its decimal ASCII code (0-255).
[no] field num type-of-data The num option specifies the field position within the CSV file. You can
specify from 1-64. The following options specify the type of geo-location
data that is located in the field position:

• ip-from – Specifies beginning IP address in range or subnet.

• ip-to-mask – Specifies ending IP address in range or subnet mask.

• continent – Specifies continent location of IP address range or subnet.

• country – Specifies country location of IP address range or subnet.

• state – Specifies state location of IP address range or subnet.

• city – Specifies city location of IP address range or subnet.


[no] ipv6-enable Support IPv6 IP ranges.

Default There is no default CSV template. When you configure one, the field
locations are not set. The default delimiter character is a comma ( , ).


Mode Global configuration mode

Usage To load a geo-location data file and use the CSV template to extract the data,
see “gslb system geo-location load” on page 183.

Example The following commands configure a CSV template called “test1-tmplte”:

ACOS(config)# gslb template csv test1-tmplte


ACOS(config-csv:test1-tmplte)# field 1 ip-from
ACOS(config-csv:test1-tmplte)# field 2 ip-to-mask
ACOS(config-csv:test1-tmplte)# field 5 continent
ACOS(config-csv:test1-tmplte)# field 3 country
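A custom geo-location file steers which site GSLB returns to a client, so it is worth validating the file against its template before loading it. The following is an added example, not A10 code: it applies the "test1-tmplte" field mapping above to constructed rows, rejects malformed rows and reports overlapping ranges. Treating a contiguous-ones value in the ip-to-mask field as a subnet mask is an assumption of this sketch (the guide does not say how ACOS tells a mask from an ending address), and only IPv4 is handled.

```python
import csv
import io
import ipaddress

# Field position -> data type, as in the guide's "test1-tmplte" example.
TEMPLATE = {1: "ip-from", 2: "ip-to-mask", 5: "continent", 3: "country"}
DELIMITER = ","  # the guide's default delimiter

# Constructed sample rows (documentation address ranges only).
SAMPLE_CSV = """\
192.0.2.0,192.0.2.127,US,x,NA
192.0.2.128,255.255.255.128,CA,x,NA
198.51.100.0,198.51.100.255,DE,x,EU
198.51.100.200,198.51.100.220,FR,x,EU
203.0.113.9,203.0.113.1,JP,x,AS
not-an-ip,203.0.113.255,JP,x,AS
203.0.113.0,203.0.113.255,JP
"""


def _is_netmask(addr):
    """True if the 32-bit value is contiguous ones followed by zeros."""
    inverted = int(addr) ^ 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def parse_row(fields, template=TEMPLATE):
    """Map one CSV row through the template; raise ValueError if it is bad."""
    needed = max(template)
    if len(fields) < needed:
        raise ValueError("row has %d fields, template needs %d"
                         % (len(fields), needed))
    rec = {kind: fields[pos - 1].strip() for pos, kind in template.items()}
    start = ipaddress.IPv4Address(rec["ip-from"])      # ValueError if invalid
    second = ipaddress.IPv4Address(rec["ip-to-mask"])
    if _is_netmask(second):
        # Assumption: a mask-shaped value is a subnet mask, not an end address.
        net = ipaddress.ip_network("%s/%s" % (start, second), strict=False)
        start, end = net[0], net[-1]
    else:
        end = second
    if end < start:
        raise ValueError("range end precedes range start")
    rec["start"], rec["end"] = start, end
    return rec


def validate(text, template=TEMPLATE, delimiter=DELIMITER):
    """Return (records, errors, overlaps) for the CSV text.

    errors   -> [(line_number, message)] for rows that were rejected
    overlaps -> [(line_a, line_b)] where row b starts inside an earlier range
    """
    records, errors = [], []
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    for lineno, fields in enumerate(reader, 1):
        if not fields:
            continue
        try:
            rec = parse_row(fields, template)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        rec["line"] = lineno
        records.append(rec)

    # Sweep the ranges in address order, remembering the one that reaches
    # furthest; any range starting at or before that end overlaps it.
    overlaps, widest = [], None
    for rec in sorted(records, key=lambda r: (r["start"], r["end"])):
        if widest is not None and rec["start"] <= widest["end"]:
            overlaps.append((widest["line"], rec["line"]))
        if widest is None or rec["end"] > widest["end"]:
            widest = rec
    return records, errors, overlaps


if __name__ == "__main__":
    recs, errs, ovl = validate(SAMPLE_CSV)
    print("%d usable rows" % len(recs))
    for lineno, message in errs:
        print("line %d rejected: %s" % (lineno, message))
    for first, second in ovl:
        print("lines %d and %d overlap" % (first, second))
```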

gslb template snmp


Description Configure an SNMP template to query data for use by the BW-Cost metric.

Syntax [no] gslb template snmp template-name

Replace template-name with the name of the template (1-63 characters).

This command changes the CLI to the configuration level for the specified
template, where the following commands are available.

(The other commands are common to all CLI configuration levels. See the CLI Reference.)

Parameter Description
[no] auth-key string Specifies the authentication key. The key string can be 1-127 characters
long. This command is applicable if the security level is auth-no-priv
or auth-priv.
[no] auth-proto {sha | md5} Specifies the authentication protocol. This command is applicable if the
security level is auth-no-priv or auth-priv.
[no] community community-string For SNMPv1 or v2c, specifies the community string required for
authentication.
[no] context-engine-id id Specifies the ID of the SNMPv3 protocol engine running on the site
ACOS device.
[no] context-name id Specifies an SNMPv3 collection of management information objects
accessible by an SNMP entity.
[no] host {name | ipaddr} Specifies the IP address of the site ACOS device.
[no] interface id Specifies the SNMP interface ID (0-2147483647).
[no] interval seconds Specifies the amount of time between each SNMP GET to the site ACOS
devices. You can specify 1-999 seconds. The default is 3.
[no] oid oid-value Specifies the interface MIB object to query on the site ACOS device.

If the object is part of a table, make sure to append the table index to the
end of the OID. Otherwise, the ACOS device will return an error.


Parameter Description
[no] port portnum Specifies the protocol port on which the site ACOS devices listen for the
SNMP requests from the GSLB ACOS device. You can specify 1-65535.
The default is 161.
[no] priv-key string Specifies the encryption key. The key string can be 1-127 characters
long. This command is applicable only if the security level is auth-priv.
[no] priv-proto {aes | des} Specifies the privacy protocol used for encryption. This command is
applicable only if the security level is auth-priv.
[no] security-engine-id id Specifies the ID of the SNMPv3 security engine running on the site
ACOS device. For each command, the ID is a string 1-127 characters
long.
[no] security-level {no-auth | auth-no-priv | auth-priv} Specifies the SNMPv3 security level:

• no-auth – Authentication is not used and encryption (privacy) is not
used. This is the default.

• auth-no-priv – Authentication is used but encryption is not used.

• auth-priv – Both authentication and encryption are used.

[no] username name Specifies the SNMPv3 username required for access to the SNMP
agent on the site ACOS device.
[no] version {v1 | v2c | v3} Specifies the SNMP version running on the site ACOS device.

Default See above.

Mode Global configuration mode

Usage The community command applies only to SNMPv1 or v2c. Most of the other
commands, with the exception of the version, interval, port, and interface
commands, apply to SNMPv3.

You cannot delete an SNMP template if the template is in use by a site. To
delete a template, first remove it from all site configurations that are using it.

Example The following commands configure a GSLB SNMP template for SNMPv2c:

ACOS(config)# gslb template snmp snmp-1


ACOS(config-snmp:snmp-1)# version v2c
ACOS(config-snmp:snmp-1)# host 192.168.214.124
ACOS(config-snmp:snmp-1)# oid .1.3.6.1.2.1.2.2.1.16.12
ACOS(config-snmp:snmp-1)# community public
ACOS(config-snmp:snmp-1)# exit

Example The following commands configure a GSLB SNMP template for SNMPv3. In
this example, authentication and encryption are both used.

ACOS(config)# gslb template snmp snmp-2
ACOS(config-snmp:snmp-2)# security-level auth-priv
ACOS(config-snmp:snmp-2)# host 192.168.214.124
ACOS(config-snmp:snmp-2)# username read
ACOS(config-snmp:snmp-2)# oid .1.3.6.1.2.1.2.2.1.16.12
ACOS(config-snmp:snmp-2)# priv-proto des
ACOS(config-snmp:snmp-2)# auth-key 12345678
ACOS(config-snmp:snmp-2)# priv-key 12345678
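SNMPv1 and v2c send the community string in cleartext, and the parameter table above lists stronger choices (sha, aes, auth-priv) than the two sample templates use. The following audit is an added example, not A10 tooling: it parses gslb template snmp command lines in the form shown in this guide and flags the weaker settings. The finding codes, the 12-character key minimum, the handling of an unset version, and the snmp-3 template with its key values are assumptions made for this illustration.

```python
import re

PROMPT = re.compile(r"^\S+\([^)]*\)#\s*")   # e.g. "ACOS(config-snmp:snmp-1)# "
TEMPLATE_START = re.compile(r"^gslb template snmp (\S+)$")
MIN_KEY_LEN = 12   # assumption: local policy value, not an ACOS limit

FINDINGS = {
    "community-based": "SNMPv1/v2c: community string sent in cleartext, no encryption",
    "default-community": "well-known community string",
    "no-auth-priv": "security-level is not auth-priv (the guide's default is no-auth)",
    "auth-md5": "auth-proto md5 configured; sha is available",
    "priv-des": "priv-proto des configured; aes is available",
    "short-auth-key": "auth-key shorter than the local minimum",
    "short-priv-key": "priv-key shorter than the local minimum",
    "shared-key": "auth-key and priv-key are identical",
}

# snmp-1 and snmp-2 repeat this guide's two examples; snmp-3 and its key
# values are constructed for this illustration.
SAMPLE = """\
ACOS(config)# gslb template snmp snmp-1
ACOS(config-snmp:snmp-1)# version v2c
ACOS(config-snmp:snmp-1)# host 192.168.214.124
ACOS(config-snmp:snmp-1)# oid .1.3.6.1.2.1.2.2.1.16.12
ACOS(config-snmp:snmp-1)# community public
ACOS(config-snmp:snmp-1)# exit
ACOS(config)# gslb template snmp snmp-2
ACOS(config-snmp:snmp-2)# security-level auth-priv
ACOS(config-snmp:snmp-2)# host 192.168.214.124
ACOS(config-snmp:snmp-2)# username read
ACOS(config-snmp:snmp-2)# oid .1.3.6.1.2.1.2.2.1.16.12
ACOS(config-snmp:snmp-2)# priv-proto des
ACOS(config-snmp:snmp-2)# auth-key 12345678
ACOS(config-snmp:snmp-2)# priv-key 12345678
ACOS(config-snmp:snmp-2)# exit
ACOS(config)# gslb template snmp snmp-3
ACOS(config-snmp:snmp-3)# version v3
ACOS(config-snmp:snmp-3)# security-level auth-priv
ACOS(config-snmp:snmp-3)# username gslb-poller
ACOS(config-snmp:snmp-3)# auth-proto sha
ACOS(config-snmp:snmp-3)# priv-proto aes
ACOS(config-snmp:snmp-3)# auth-key EXAMPLE-auth-key-0001
ACOS(config-snmp:snmp-3)# priv-key EXAMPLE-priv-key-0002
ACOS(config-snmp:snmp-3)# exit
"""


def parse_templates(text):
    """Return {template_name: {command: argument}} for each SNMP template."""
    templates, current = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        start = TEMPLATE_START.match(line)
        if start:
            current = templates.setdefault(start.group(1), {})
        elif line == "exit" or line.startswith("gslb "):
            current = None                      # left the template level
        elif current is not None:
            key, _, value = line.partition(" ")
            if key == "no":                     # "no <command>" clears a setting
                current.pop(value.split(" ")[0], None)
            else:
                current[key] = value.strip()
    return templates


def audit_template(cfg):
    """Return the list of finding codes for one parsed template."""
    version, community = cfg.get("version"), cfg.get("community")
    # Assumption: an unset version with a community configured is v1/v2c use.
    if version in ("v1", "v2c") or (version is None and community is not None):
        codes = ["community-based"]
        if community in ("public", "private"):
            codes.append("default-community")
        return codes
    codes = []
    if cfg.get("security-level", "no-auth") != "auth-priv":
        codes.append("no-auth-priv")
    if cfg.get("auth-proto") == "md5":
        codes.append("auth-md5")
    if cfg.get("priv-proto") == "des":
        codes.append("priv-des")
    auth_key, priv_key = cfg.get("auth-key"), cfg.get("priv-key")
    if auth_key is not None and len(auth_key) < MIN_KEY_LEN:
        codes.append("short-auth-key")
    if priv_key is not None and len(priv_key) < MIN_KEY_LEN:
        codes.append("short-priv-key")
    if auth_key is not None and auth_key == priv_key:
        codes.append("shared-key")
    return codes


def audit(text):
    """Audit every SNMP template found in the text; key values are never echoed."""
    return {name: audit_template(cfg) for name, cfg in parse_templates(text).items()}


if __name__ == "__main__":
    for name, codes in audit(SAMPLE).items():
        print(name, "OK" if not codes else "")
        for code in codes:
            print("  [%s] %s" % (code, FINDINGS[code]))
```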

gslb zone
Description Configure a GSLB zone, which identifies the top-level name for the services
load balanced by GSLB.

Syntax [no] gslb zone zone-name

Replace zone-name with the name of the zone, up to 127 alphanumeric
characters, or * (wildcard character matching on all zone names).

You can use lower case characters and upper case characters. However,
since Internet domain names are case-insensitive, the ACOS device
internally converts all upper case characters in GSLB zone names to lower
case.

NOTE: DNSSEC is not supported for GSLB wildcard zones.

This command changes the CLI to the configuration level for the specified
zone, where the following zone-related commands are available:

Command Description
[no] disable Disables all services in the GSLB zone.
[no] dns-mx-record name priority [ttl num] Configures a DNS Mail Exchange (MX) record for the zone. The name is the
fully-qualified domain name of the mail server for the zone.

If more than one MX record is configured for the same zone, the priority specifies
the order in which the mail server should attempt to deliver mail to the MX
hosts. The MX with the lowest priority value has the highest priority and is
tried first. The priority can be 0-65535. There is no default.

MX records configured on a zone are used only for services on which MX
records are not configured.

NOTES:
If you want the GSLB ACOS device to return the IP address of the mail service
in response to MX requests, you must configure Address records for the mail
service.

Optionally, you can configure the Time-to-Live in seconds. The range is from
0-2147483647 seconds.
[no] dns-ns-record domain-name [ttl num] Configures a DNS name server record for the specified domain.

Optionally, you can configure the Time-to-Live in seconds. The range is from
0-2147483647 seconds.


Command Description
[no] dns-soa-record [external] dns-server-name mailbox-name [expire seconds] [refresh seconds] [retry seconds] [serial num] [ttl seconds]
Configures a DNS start of authority (SOA) record for the GSLB zone.

• external - causes the ACOS device to replace the internal SOA record with
an external SOA record when a request is received from an external client.
This prevents external clients from gaining access to internal information.
The feature must also be enabled in the GSLB policy.

• refresh - specifies the number of seconds other DNS servers wait before
requesting updated information for the GSLB zone. The retry option specifies
how many seconds other DNS servers wait before resending a refresh
request, if GSLB does not respond to the previous request. The expire
option specifies how many seconds GSLB can remain unresponsive to a
refresh request before the other DNS server stops responding to queries for
the zone.

• serial - specifies the initial serial number of the SOA record. This number
is automatically incremented each time a change occurs to any records in
the zone file. You can specify a serial number from 0-2147483647. The
default is based on the current system time on the GSLB ACOS device when
you create the SOA record.

• ttl - specifies the number of seconds GSLB will cache and reuse negative
replies (NXDOMAIN messages). A negative reply is an error message
indicating that a requested domain does not exist.

NOTES:
The ttl option is equivalent to the “minimum” option in BIND 9.
[no] policy policy-name Applies the specified GSLB policy to the zone. You can specify “default” for the
GSLB policy name, if you have not configured another policy and applied it to
the zone. The GSLB policy applied to the zone is also applied to the services in
that zone.


Command Description
[no] service port [service-name] Adds a service to the zone. The port option specifies the service port and can
be a port number from 0 to 65534. The service-name can be 1-63 alphanumeric
characters or * (wildcard character matching on all service names).

For the same reason described for zone names, the ACOS device converts all
upper case characters in GSLB service names to lower case.

This command changes the CLI to the configuration level for the service,
where the following GSLB-related commands are available:

• action action-type – Specifies the action to perform for DNS traffic:

• drop – Drops DNS queries from the local DNS server.

• forward {both | query | response} – Forwards requests or queries,
as follows:

•forward both – Forwards queries to the Authoritative DNS server, and
forwards responses to the local DNS server.

•forward query – Forwards queries to the Authoritative DNS server, but
does not forward responses to the local DNS server.

•forward response – Forwards responses to the local DNS server, but
does not forward queries to the Authoritative DNS server.

• ignore – Ignores the request.

• reject – Rejects DNS queries from the local DNS server and returns the
“Refused” message in replies.

NOTE: Use of the actions configured for services also must be enabled in the
GSLB policy, using the dns action command at the configuration level for
the policy. See “DNS Action” on page 95.


Command Description
[no] service port [service-name] (cont.) GSLB-related commands are available:

• disable – Disables all services in the GSLB zone.

• dns-a-record {service-name | ip service-ipaddr}
{as-backup | as-replace | no-resp | static | ttl num |
weight num} – Configures a DNS Address (A) record for the service, for
use with the DNS replace-ip option in the GSLB policy. (See “DNS IP-Replace”
on page 106.)

•as-backup – This option is used to specify the backup servers in the
dns-a-record within the GSLB zone. These are the servers that will be
returned to the client if the primary servers fail and backup server mode
is enabled.

•as-replace – This option is used with the ip-replace option in the policy.
When both options are set (as-replace here and ip-replace in
the policy), the client receives only the IP address set here by service-ip.

•disable – Disables DNS records for this service in the zone.

•no-resp – Prevents the IP address for this site from being included in
DNS replies to clients.

•static – This option is used with the dns server option in the policy.
When both options are set (static here and dns server in the policy),
the GSLB ACOS device acts as the DNS server for the IP address set
here by service-ip.

•ttl num – Assigns a TTL to the service, 0-2147483647. By default, the
TTL of the zone is used. This option can be used with the dns server
option in the policy, or with DNS proxy mode enabled in the policy. The
default TTL is 0 seconds.

•weight num – Assigns a weight to the service. If the Weighted-IP metric
is enabled in the policy and all metrics before Weighted-IP result in a tie,
the service on the site with the highest weight is selected. The weight
can be 1-100. By default, the weight is not set.

NOTE: The no-resp option is not valid with the static or as-replace
option. If you use no-resp, you cannot use static or as-replace.


Command Description
[no] service port [service-name] (cont.)

• dns-cname-record alias [alias ...] [as-backup]
[admin-preference num] [weight num] – Configures DNS Canonical
Name (CNAME) records for the service.

•as-backup – Specifies that the record is a backup record.

•admin-preference num – Specify the administrative preference. If
using the Alias Admin Preference metric, then the DNS CNAME record
with the highest administratively set preference is selected. Default is
100.

•weight num – Specify the weight. If using the Weighted Alias metric,
then the DNS CNAME record with the highest weight is selected.
Default is 1.

• dns-mx-record name priority [ttl num] – Configures a DNS Mail
Exchange (MX) record for the service. The name is the fully-qualified
domain name of the mail server for the service. If more than one MX record is
configured for the same service, the priority specifies the order in
which the mail server should attempt to deliver mail to the MX hosts. The
MX record with the lowest priority number has the highest priority and is
tried first. The priority can be 0-65535. There is no default. The default
TTL is 0 seconds.

NOTE: If you want the GSLB ACOS device to return the IP address of the mail
service in response to MX requests, you must configure A records for the mail
service.

• dns-ns-record domain-name [ttl num] – Configures a DNS name
server record. To use the as-backup option, you also must use the dns
backup-alias command in the policy. (See “DNS Backup Alias” on
page 97.) The default TTL is 0 seconds.

• dns-ptr-record domain-name [ttl num] – Configures a DNS pointer
record. The default TTL is 0 seconds.

• dns-srv-record domain-name port portnum priority
[weight num] [ttl num] – Configures a DNS service record.

The port portnum specifies the protocol port to return to the client, and
can be 0-65534. There is no default. You must specify a port.

The priority can be 0-65535. There is no default.

The weight num specifies the weight and can be 0-65535. The default is
10.

The ttl specifies the time-to-live for the DNS record in seconds. Typically
DNS records take 24-48 hours to propagate. The default TTL is 0 seconds.


Command Description
[no] service port [service-name] (cont.)

• dns-txt-record obj-name txt-data [ttl num] – Enables use of
DNS TXT resource records to carry multiple pieces of DNS TXT data
within one TXT record.

The obj-name specifies the text data’s object name, in order to avoid long
URLs of aXAPI.

The txt-data is the DNS TXT data that you want to enter in the TXT
record.

The ttl specifies the time-to-live for the DNS record in seconds. Typically
DNS records take 24-48 hours to propagate. The default TTL is 0 seconds.

NOTE: The ACOS device has a special handler that enables you to enter
non-printable characters that the CLI does not support.

NOTE: This option also requires the dns server txt command at the
configuration level for the GSLB policy.

• geo-location location-name - Configures geo-location settings. The location
must already be configured. (See “gslb geo-location” on page 165.)
Entering this command takes you to the GSLB Zone Service Geo-location
configuration level, where the following commands are available:

•action action – Specifies the action to perform for DNS traffic. The
action options are the same as those for the action command
described above. Another action possible is allow, which allows queries
from this geo-location.

•alias url – Maps an alias configured with the alias option (see
above) to the specified location for this service.

•policy policy-name – Applies the specified GSLB policy to clients from the
geo-location.

• health-check-gateway enable – Enable service’s health-check gateway.

• health-check-gateway disable – Disable service’s health-check
gateway.

• health-check-port portnum – Specify the port for the health check for
the service. Use multiple statements to configure more than one port.

• policy policy-name – Applies the specified GSLB policy to the service.
If the service policy is the default policy, then the service will automatically
inherit the policy configured for the overall GSLB Zone. Any non-default
policy configured for the service specifically will be honored over
the GSLB Zone policy.
[no] template dnssec template-name Binds a DNSSEC template to the zone.


Command Description
[no] ttl seconds Changes the TTL of each DNS record contained in DNS replies received from
the DNS for which the ACOS Series is a proxy, for this zone. You can specify
from 0 to 1000000000 (one billion) seconds. This TTL setting overrides the
TTL setting in the GSLB policy. The default is 10.

The TTL of the DNS reply can be overridden in two different places in the
GSLB configuration: (1) If a GSLB policy is assigned to the individual service,
then the TTL from that policy is used. (2) If no policy is assigned to the individual
service, but the TTL is set in the zone, then the zone’s TTL setting is used.
(This is the level set by the ttl command shown earlier in this section.)
[no] use-server-ttl Use the configured service Time-to-Live.

Default Default settings are described above, where applicable.

Mode Global configuration mode

Example The following example creates a zone named “acos-gslb-zone”:

ACOS(config)# gslb zone acos-gslb-zone


ACOS(config-zone:acos-gslb-zone)#

Example The following example uses the wildcard character at the end of the gslb
zone command. This has the result of identifying all GSLB zones so that the
next line of the configuration creates a positive match on all DNS domains
that have the prefix of “www”.

ACOS(config)# gslb zone *


ACOS(config-zone *)# service 80 www

Example The following commands create a default GSLB policy and then specify that
a backup server at IP 10.10.2.1 will be returned to the client if the primary
servers fail.

ACOS(config)# gslb policy default


ACOS(config-policy:default)# dns backup-server
ACOS(config-policy:default)# exit
ACOS(config)# gslb zone z1
ACOS(config-zone:z1)# service 80 http
ACOS(config-zone:z1-service:http)# dns-a-record 10.10.2.1 as-backup
ACOS(config-zone:z1-service:http)# exit
ACOS(config-zone:z1)# exit
ACOS(config)#


import geo-location
Description Imports new geo-location database CSV files into an ACOS device.

Syntax import geo-location file-name [overwrite] [use-mgmt-port] url

The overwrite option overwrites the existing geo-location file under that
name with the new geo-location file that is being imported.

Default If no database is loaded, the default is a pre-loaded IANA database.

Mode Global configuration mode.

Usage This command imports a geo-location database, saved as a CSV file, into an
ACOS device and allows for periodic synchronization of the database across
all GSLB group members. This command only imports a database; it does
not load the database into the ACOS starting configuration. To load the database
file, see “gslb system geo-location load” on page 183.

Example The following command imports a geo-location database CSV file and configures
ACOS to periodically check for updates once a day:

ACOS(config)# import geo-location test1.csv ftp://192.168.1.100


User name []?admin2
Password []?*********
File name [/]?test1.csv


Policy Configuration Commands


The commands in this section configure GSLB policies. The CLI changes to this level when you enter
the gslb policy policy-name command from the global Config level:

ACOS(config)# gslb policy pol1


ACOS(config-policy:pol1)#

The following commands are available:

• active-rdt

• active-servers

• active-servers-enable

• admin-ip

• admin-ip-enable

• admin-preference

• alias-admin-preference

• auto-map

• bw-cost

• bw-cost-enable

• capacity

• connection-load

• dns action

• dns active-only

• dns addition-mx

• dns auto-map

• dns backup-alias

• dns backup-server

• dns cache

• dns cname-detect

• dns delegation

• dns external-ip

• dns external-soa


• dns geoloc-action

• dns geoloc-alias

• dns geoloc-policy

• dns hint

• dns ip-replace

• dns ipv6 mapping

• dns ipv6 mix

• dns ipv6 smart

• dns logging

• dns proxy block <query>

• dns proxy block <type>

• dns proxy block action

• dns selected-only

• dns server

• dns sticky

• dns ttl

• edns client-subnet geographic

• geo-location

• geo-location-match

• geographic

• health-check

• ip-list

• least-response

• metric-fail-break

• metric-force-check

• metric-order

• num-session

• num-session-enable

• round-robin


• weighted-alias

• weighted-ip

• weighted-ip-enable

• weighted-site

• weighted-site-enable

active-rdt
Description Configure the active-Round Delay Time (aRDT) metric.

aRDT measures the round-delay-time for a DNS query and reply between a
site ACOS device and the GSLB local DNS.
Syntax [no] active-rdt
{
controller |
difference num |
enable |
fail-break |
ignore-id group-id |
keep-tracking |
limit ms |
proto-rdt-enable |
samples num-samples |
single-shot |
skip count |
timeout seconds |
tolerance num-percentage
}

Parameter Description
controller This command enables GSLB Controller-based metrics on the device.
GSLB Controller based metrics are not supported in IPv6 or L3V partition
configurations.

This is disabled by default.


difference num Number from 0 to 16383 specifying the round-delay-time difference.

The default is 0.
enable Enable active-Round Delay Time for the given policy.

This is disabled by default.


Parameter Description
fail-break Enables GSLB to stop if the configured aRDT limit in a policy is reached. The fail-break
action depends on whether the GSLB controller is running in server mode
or proxy mode:

• Server mode: If a backup-alias is configured, the GSLB controller returns the
backup-alias to the client; otherwise, the controller returns a blank response
error to the client.

• Proxy mode: If a backup-alias is configured, the GSLB controller returns the
backup-alias to the client; otherwise, the controller returns the response from
the back-end DNS server.

Notes:

• To configure the aRDT limit, use the limit option (described below).

• To configure GSLB to return a CNAME record as a backup, enable the backup-alias
option using the dns backup-alias command at the configuration level
for the policy. To configure the backup alias for a service within a zone, use
the following command at the configuration level for the service:
dns-cname-record alias-name as-backup

This is disabled by default.
ignore-id group-id Excludes the IP addresses in the specified IP list from aRDT data collection.
Specify an ID from 0-31. (To configure an IP list, see “gslb ip-list” on page 168.)

This is not set by default.


keep-tracking Continues tracking of aRDT for clients after the track time expires. By default,
GSLB stops collecting aRDT samples for a client (stops tracking the client) after
the time has exceeded the number of seconds specified by the global aRDT
track setting.

This is disabled by default.


limit ms Specifies the aRDT limit for the policy. This option is useful for applying site
selection based on aRDT limits and geo-location. This option is required if you
plan to use the DNS geoloc-policy option. You can specify 1-16383 ms.

To configure aRDT limit by geo-location:

• 1. Enable the active-rdt bind-geoloc option on each GSLB site.

• 2. Enable the dns geoloc-policy option in the default GSLB policy, and enable
the active-rdt option in the policies for geo-locations. If applicable, configure
the aRDT limit.

• 3. On the service within the zone, enable the geo-location option and specify
the GSLB policy to use for that location.

The default limit is 16383 ms.


proto-rdt-enable This command configures GSLB controller-based metrics to include both
response times between 1) the controller and the originating LDNS server; and 2)
the controller and the site device. When this option is disabled, the metric
includes only the response time between the controller and the originating LDNS
server.

This is disabled by default.


Parameter Description
samples num-samples Number from 1 to 8 specifying the number of samples to collect.

The default is 5.
single-shot Collects a single sample only.
skip count When single-shot is configured, this option determines the number of site ACOS
devices that can exceed their single-shot timeouts, without the aRDT metric
itself being skipped by the GSLB ACOS device during site selection. You can skip
from 1-31 sites.

This is disabled by default; multiple samples are taken at regular intervals. When
enabled, the default skip is 3.
timeout seconds When single-shot is configured, this option determines the number of seconds
each site ACOS device should wait for the DNS reply. If the reply does not arrive
within the specified timeout, the site becomes ineligible for selection, in cases
where selection is based on the aRDT metric. You can specify 1-255 seconds.

The default timeout is 3 seconds.


tolerance percentage Specifies how much the aRDT values must differ in order for GSLB to prefer one
geo-location or site over another based on aRDT.

The default is 10 percent.

Default Disabled. When you enable the aRDT metric, it has the default settings
described in the table above.

Mode GSLB Policy

Usage This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site ACOS devices.

active-servers
Description Configure the Active-Servers metric, which prefers the VIP with the highest
number of active servers.

Active-servers is a measure of the number of active real servers bound to a
virtual port residing on a GSLB site.


Syntax [no] active-servers fail-break

Parameter Description
fail-break Enables GSLB to stop if the number of active servers for all
services is 0. The fail-break action depends on whether the GSLB
controller is running in proxy mode or server mode:

• Server mode: If a backup-alias is configured, the GSLB controller
returns the backup-alias to the client; otherwise, the
controller returns a SERVFAIL error to the client.

• Proxy mode: If a backup-alias is configured, the GSLB controller
returns the backup-alias to the client; otherwise, the
controller returns the response from the back-end DNS
server.

NOTE: Use the active-servers-enable command to enable or disable selecting
the service-IP with the highest number of active servers.

Default Disabled

Mode GSLB Policy

Usage Use this command to eliminate inactive real servers from being eligible for
selection.

Example The following example enables the Active-Servers metric:

ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# active-servers-enable
ACOS(config-policy:pol1)# active-servers fail-break
ACOS(config-policy:pol1)#

active-servers-enable
Description Enable or disable selecting the service-IP with the highest number of active
servers.

Syntax [no] active-servers-enable

Default Disabled by default

Mode GSLB Policy

Example The following example enables the Active-Servers metric:

ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# active-servers-enable
ACOS(config-policy:pol1)# active-servers fail-break
ACOS(config-policy:pol1)#


admin-ip
Description Allows you to assign administrative weights to IP addresses.

Syntax [no] admin-ip top-only

The top-only parameter selects only the top prioritized record.

NOTE: To configure GSLB to return only the top prioritized IP address in
query responses, also enable the dns selected-only option.

Use the admin-ip-enable command to enable or disable admin IP
prioritization.

Default Disabled

Mode GSLB Policy

Usage The prioritized list is sent to the next metric for further evaluation. If admin-ip
is the last metric, the prioritized list is sent to the client. To configure the list
of admin-preferred addresses for a service, use the admin-ip command at
the service configuration level for the GSLB zone. See “gslb zone” on
page 187.

admin-ip-enable
Description Enable or disable admin IP prioritization.
Syntax [no] admin-ip-enable

Default Disabled.

Mode GSLB Policy

admin-preference
Description Enable or disable the Admin-Preference metric, which prefers the site whose
SLB device has the highest administratively set weight.

Syntax [no] admin-preference

Default Disabled

Mode GSLB Policy


Usage To set the GSLB Admin-Preference value for a site, use the admin-preference
command at the configuration level for the SLB device within the site. (See
“gslb site” on page 177.)

Example The following command enables the Admin-Preference metric:

ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# admin-preference
ACOS(config-policy:pol1)#

alias-admin-preference
Description Enable or disable the Alias Admin Preference metric, which selects the DNS
CNAME record with the highest administratively set preference. This metric
is similar to the Admin Preference metric, but applies only to DNS CNAME
records.

Syntax [no] alias-admin-preference

Default Disabled

Mode GSLB Policy

Usage Metric order does not apply to this metric. When enabled, this metric always
has high priority.

To configure the Alias Admin Preference metric:

1. At the configuration level for the GSLB service, use the
admin-preference preference command to assign an administrative
preference to the DNS CNAME record for the service. (See “gslb service-ip”
on page 174.)
2. At the configuration level for the GSLB policy:
• Use the alias-admin-preference command to enable the Alias
Admin Preference metric.
• Enable one or both of the following DNS options, as applicable to
your deployment (See “Alias-Admin-Preference” on page 87):
• DNS backup-alias
• DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup
option on the service. (See “gslb service-ip” on page 174.)


auto-map
Description Enable auto-mapping of the specified resource type within the policy.

Syntax [no] auto-map [module-disable resource-type | ttl num]

Parameter Description
module-disable resource-type Specify what resource-types you want to disable
auto-mapping for. For more information, see “gslb system auto-map
module” on page 181.

By default, all modules have Auto Map M.


ttl num Specify a Time-to-Live for auto-mapping. The default is 300
seconds. You can specify from 1-65535 seconds. For more
information, see “gslb system auto-map ttl” on page 182.

The default TTL is 300 seconds.

Default See descriptions.

Mode GSLB Policy

bw-cost
Description Configure the BW-Cost metric. This mechanism queries the bandwidth
utilization of each site, and selects the site(s) whose bandwidth utilization has
not exceeded a configured threshold during the most recent query interval.

Syntax [no] bw-cost fail-break

The bandwidth cost fail-break enables GSLB to stop if the current BW-Cost
value is over the limit. The fail-break action depends on whether the GSLB
controller is running in proxy mode or server mode:

• Server mode: If a backup-alias is configured, the GSLB controller returns
the backup-alias to the client; otherwise, the controller returns a
SERVFAIL error to the client.
• Proxy mode: If a backup-alias is configured, the GSLB controller returns
the backup-alias to the client; otherwise, the controller returns the
response from the back-end DNS server.

NOTE: Use the bw-cost-enable command to enable selection of the site with
the smallest bandwidth cost.

Default Disabled

Mode GSLB Policy

Example The following command enables the BW-Cost metric:


ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# bw-cost-enable
ACOS(config-policy:pol1)# bw-cost fail-break
ACOS(config-policy:pol1)#

bw-cost-enable
Description Enable selection of the site with the smallest bandwidth cost.

Syntax [no] bw-cost-enable

Default Disabled.

Mode GSLB Policy

Example The following command enables the BW-Cost metric:

ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# bw-cost-enable
ACOS(config-policy:pol1)# bw-cost fail-break
ACOS(config-policy:pol1)#

capacity
Description Configure the TCP/UDP Session-Capacity metric. This mechanism provides
a way to shift load away from a site before the site becomes congested.

Example:

Site A’s maximum session capacity is 800,000 and Site B’s maximum
session capacity is 500,000. If the Session-Capacity threshold is set to 90,
then for Site A the capacity threshold is 90% of 800,000, which is 720,000.
Likewise, the capacity threshold for Site B is 90% of 500,000, which is
450,000.


Syntax [no] capacity {enable | fail-break | threshold percentage}

Parameter Description
enable Enables selection of the service-IP with the highest
available connection capacity.
fail-break Enables GSLB to stop if the session utilization on all
site SLB devices is over the threshold. The fail-break
action depends on whether the GSLB controller is running
in proxy mode or server mode:

• Server mode: If a backup-alias is configured, the
GSLB controller returns the backup-alias to the
client; otherwise, the controller returns a SERVFAIL
error to the client.

• Proxy mode: If a backup-alias is configured, the
GSLB controller returns the backup-alias to the
client; otherwise, the controller returns the
response from the back-end DNS server.
threshold percentage Number from 0 to 100 specifying the maximum
percentage of a site ACOS device session table that
can be used. If the session table utilization is
greater than the specified percentage, the GSLB
controller prefers other sites over this site.

The default threshold is 90 percent.

Default Disabled. See descriptions for default values when the capacity metric is
enabled.

Mode GSLB Policy

Usage This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site ACOS devices.

Example The following command enables the capacity metric at the default value of
90% utilization of TCP/UDP session capacity:

ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# capacity enable
ACOS(config-policy:pol1)#


connection-load
Description Configure the Connection-Load metric, which prefers sites that have not
exceeded their thresholds for new connections.

Syntax [no] connection-load
{
enable |
fail-break |
limit number-of-connections |
samples number-of-samples interval seconds
}

Parameter Description
enable Enables the Connection-Load metric.
fail-break Enables GSLB to stop if the connection load for all sites is over the limit.
Fail-break action depends on whether the GSLB controller runs in proxy mode or
server mode:

• Server mode: If a backup-alias is configured, the GSLB controller returns the
backup-alias to the client; otherwise, the controller returns a SERVFAIL error.

• Proxy mode: If a backup-alias is configured, the GSLB controller returns the
backup-alias to the client; otherwise, the controller returns the response from
the back-end DNS server.
limit number-of-connections Number that specifies the maximum average number of
new connections per second the site ACOS device can have. You can specify from
1 to 999999999 (999,999,999).

The default limit is not set (unlimited).

samples number-of-samples interval seconds Number of samples for the SLB device
(the site ACOS device) to collect, and the number of seconds between each
sample. You can specify 1-8 samples and an interval of 1-60 seconds.

The default number of samples is 5, and the default interval is 5 seconds.

Default Disabled. See descriptions for default values when the Connection-Load
metric is enabled.

Mode GSLB Policy

Usage This command applies only to GSLB selection of a site. The command does
not affect the number of connections the site ACOS device itself allows.

This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site ACOS devices.

Example The following command sets the connection load limit to 1000 new
connections:

ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# connection-load limit 1000
ACOS(config-policy:pol1)#


dns action
Description The dns action command enables GSLB to perform the DNS actions
specified in the service configurations.

To configure the DNS action for a service, use the action action-type
command at the configuration level for the service. See “gslb zone” on
page 187.

The no dns action command restores the default value.

Syntax dns action
no dns action

Default Disabled

Mode GSLB Policy Configuration Mode (gslb policy)

Example This command enables GSLB to perform the DNS actions specified in
service configurations.

ACOS(config)# gslb policy oxygen
ACOS(config-policy:oxygen)# dns action
ACOS(config-policy:oxygen)# show run | sec gslb
gslb policy oxygen
dns action
ACOS(config-policy:oxygen)#

dns active-only
Description The dns active-only command removes IP addresses from DNS replies
when those addresses fail health checks. If none of the IP addresses in the
DNS reply pass the health check, the ACOS device does not use this metric,
because it results in an empty address list.

The fail-safe option returns a list of server IP addresses for failed servers
to the client. Without this option, IP addresses of failed servers are omitted
from the reply.
The no dns active-only command restores the default mode of disabling
the removal of IP addresses that fail health checks from DNS replies.


Syntax dns active-only [MODE]
no dns active-only [MODE]

Parameter Description
MODE Specifies the information returned to the client. Valid options
include:

• <no parameter> omits IP addresses of failed servers from the reply.
• fail-safe includes IP addresses of failed servers in the client
reply.

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example This command programs the ACOS device to remove from DNS replies the
IP addresses of devices that fail health checks. The addresses of failed
devices are not returned to the client.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns active-only
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns active-only
ACOS(config-policy:OXYGEN)#

Example This command programs the ACOS device to remove from DNS replies the
IP addresses of devices that fail health checks, and to return the address
list of failed devices to the client.

ACOS(config-policy:OXYGEN)# dns active-only fail-safe
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns active-only fail-safe
ACOS(config-policy:OXYGEN)#

Example This command sets the ACOS device to ignore health check failures in its
DNS replies.

ACOS(config-policy:OXYGEN)# no dns active-only fail-safe
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#


dns addition-mx
Description The dns addition-mx command programs the ACOS device to append MX
records in the additional section of replies for A records when the device is
configured for DNS proxy or cache mode.

The no dns addition-mx command restores the default behavior of not
appending the MX records.

Syntax dns addition-mx
no dns addition-mx

Default Disabled

Mode GSLB Policy Configuration Mode (gslb policy)

Example This command programs the ACOS device to append MX records to the
additional section of replies for A records.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns addition-mx
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns addition-mx
ACOS(config-policy:OXYGEN)#

Example This command restores the ACOS device default of not appending MX records.

ACOS(config-policy:OXYGEN)# no dns addition-mx
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

dns auto-map
Description The dns auto-map command enables the automatic creation of A and
AAAA records for IP resources configured on the ACOS device.

The no dns auto-map command disables automatic creation of A and
AAAA records.

Syntax dns auto-map
no dns auto-map

Default Disabled

Mode GSLB Policy Configuration Mode (gslb policy)

Example The following command enables the automatic creation of A and AAAA
records for IP resources configured on the ACOS device.


ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns auto-map
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns auto-map
ACOS(config-policy:OXYGEN)#

Example This command disables the automatic creation of A and AAAA records.

ACOS(config-policy:OXYGEN)# no dns auto-map
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

dns backup-alias
Description The dns backup-alias command returns the alias CNAME record config-
ured for the service, if GSLB does not receive an answer to a query for the
service and no active DNS server exists. This option is valid in server mode
or proxy mode.

To configure the backup alias for a service within a zone, use the
dns-cname-record command at the configuration level for the service.

The no dns backup-alias command restores the default of not returning
the alias CNAME record.

Syntax dns backup-alias
no dns backup-alias

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example This command configures the ACOS device to return the alias CNAME
record configured for the service when GSLB does not receive an answer to
a query for the service when no active DNS server exists.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns backup-alias
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns backup-alias
ACOS(config-policy:OXYGEN)#

Example This command configures the ACOS device to not return the alias CNAME
record configured for the service when GSLB does not receive an answer to
a query for the service when no active DNS server exists.


ACOS(config-policy:OXYGEN)# no dns backup-alias
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#


dns backup-server
Description The dns backup-server command designates one or more backup servers
that can be returned to the client if the primaries should fail.

The no dns backup-server command removes the designation.

Syntax dns backup-server
no dns backup-server

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example This command designates the ACOS device as a backup server that can be
returned to the client if the primaries should fail:

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns backup-server
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns backup-server
ACOS(config-policy:OXYGEN)#

Example This command removes the backup server designation.

ACOS(config-policy:OXYGEN)# no dns backup-server
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#


dns cache
Description The dns cache command enables the GSLB ACOS device to cache DNS
replies. The ACOS device uses information in the cached DNS entries to reply
to subsequent client requests, as opposed to sending a new DNS request for
every client query.

When this option is enabled, the ACOS device caches a DNS reply for the
duration of the TTL in the reply when the aging time parameter is set to zero.
To override the entry TTL, set the cache aging time to a value greater than
zero.
The no dns cache command disables the GSLB ACOS device from caching
DNS replies.

Syntax dns cache [DURATION]
no dns cache

Parameter Description
DURATION Specifies site location mode. Valid options include:

• <no parameter> cache period is specified in DNS reply
• aging-time 0 cache period is specified in DNS reply
• aging-time period cache period (seconds). Value ranges from 1 to
1000000000 (one billion)

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example The following command enables the caching of DNS replies and sets the TTL
to the period specified in the reply.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns cache
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns cache
ACOS(config-policy:OXYGEN)#

Example This command sets the TTL to 30 minutes.

ACOS(config-policy:OXYGEN)# dns cache aging-time 1800
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns cache aging-time 1800
ACOS(config-policy:OXYGEN)#


Example This command resets the TTL to the period specified in the reply.

ACOS(config-policy:OXYGEN)# dns cache aging-time 0
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns cache
ACOS(config-policy:OXYGEN)#

Example This command disables the GSLB ACOS device from caching DNS replies.

ACOS(config-policy:OXYGEN)# no dns cache
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

dns cname-detect
Description The dns cname-detect command enables CNAME response mode. When
the ACOS device is in CNAME response mode, it applies the zone and service
policy to the CNAME record instead of applying it to the address record.
When CNAME response mode is disabled, the zone and service policy is
applied to the address record. Executing this command restores the CNAME
response mode setting of enabled.

The no dns cname-detect command disables CNAME response mode on
the ACOS device.

Syntax dns cname-detect
no dns cname-detect

Default Enabled

Mode GSLB Policy Configuration Mode (gslb policy)

Example This command disables CNAME response mode.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# no dns cname-detect
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
no dns cname-detect
ACOS(config-policy:OXYGEN)#

Example This command enables CNAME response mode.

ACOS(config-policy:OXYGEN)# dns cname-detect
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN


ACOS(config-policy:OXYGEN)#

dns delegation
Description The dns delegation command enables sub-zone delegation mode. When in
sub-zone delegation mode, the device delegates authority or responsibility
for a portion of the DNS name space from the parent domain to a separate
sub-domain which may reside on one or more remote servers and may be
managed by someone other than the network administrator who is
responsible for the parent zone. (See “DNS Sub-zone Delegation” on page 99.)

The no dns delegation command disables sub-zone delegation mode.

Syntax dns delegation
no dns delegation

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands enable sub-zone delegation mode.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns delegation
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns delegation
ACOS(config-policy:OXYGEN)#

Example This command disables sub-zone delegation mode.

ACOS(config-policy:OXYGEN)# no dns delegation
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#


dns external-ip
Description The dns external-ip command returns the external IP address configured
for a service IP. If this option is disabled, the internal address is returned
instead.

The external IP address must be configured on the service IP. Use the
external-ip command at the configuration level for the service IP.

The no dns external-ip command disables the option of returning the
external IP address configured for a service IP.

Syntax dns external-ip
no dns external-ip

Default Enabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands disable the option of returning the external IP address
configured for a service IP address.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# no dns external-ip
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
no dns external-ip
ACOS(config-policy:OXYGEN)#

Example These commands enable the option of returning the external IP address
configured for a service IP address.

ACOS(config-policy:OXYGEN)# dns external-ip
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#


dns external-soa
Description The dns external-soa command programs the ACOS device to replace the
internal SOA record with an external SOA record, preventing external clients
from gaining access to internal information.

The external SOA record must be configured in the GSLB zone. (Use the
external-soa record command at the GSLB zone configuration level.)

The no dns external-soa command disables this option. When this option
is disabled, the internal address is returned.

Syntax dns external-soa
no dns external-soa

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands program the ACOS device to replace the internal SOA
record with an external SOA record.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns external-soa
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns external-soa
ACOS(config-policy:OXYGEN)#

Example This command programs the ACOS device to return the internal address.

ACOS(config-policy:OXYGEN)# no dns external-soa
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#
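
The dns external-ip and dns external-soa descriptions above lend themselves to a configuration check. The following is an added example, not A10 code: it reads text shaped like the show run | sec gslb output in this guide and reports policies that return internal service-IP addresses or the internal SOA record. The EDGE policy, the zone name and the function names are constructed for illustration, and whether a finding matters depends on whether the policy answers external clients.

```python
"""Audit GSLB policy blocks for options that return internal data in DNS replies.

Added example, not A10 code. Input is text shaped like the
`show run | sec gslb` output shown in this guide.
"""

# Defaults as documented in this guide:
#   dns external-ip  -> enabled by default; the disabled state appears in the
#                       running config as "no dns external-ip"
#   dns external-soa -> disabled by default; the enabled state appears as
#                       "dns external-soa"
DEFAULTS = {"dns external-ip": True, "dns external-soa": False}

# Constructed sample. The OXYGEN block matches the guide's own output for
# "no dns external-ip"; the EDGE policy and the zone name are made up.
SAMPLE = """\
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
no dns external-ip
gslb policy EDGE
  dns external-soa
  dns cache aging-time 1800
gslb zone example.com
ACOS(config-policy:OXYGEN)#
"""


def parse_policies(config_text):
    """Return {policy_name: {option: enabled}} for the two audited options."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        # Skip blank lines, "!" separators and echoed CLI prompts.
        if not line or line.startswith("!") or line.startswith("ACOS("):
            continue
        if line.startswith("gslb policy "):
            name = line.split(None, 2)[2]
            current = policies.setdefault(name, dict(DEFAULTS))
            continue
        if line.startswith("gslb "):
            # Another gslb section (zone, site, ...) ends the policy block.
            current = None
            continue
        if current is None:
            continue
        negated = line.startswith("no ")
        option = line[3:] if negated else line
        if option in DEFAULTS:
            current[option] = not negated
    return policies


def audit(config_text):
    """Return (policy, setting, effect) tuples for each exposure found."""
    findings = []
    for name, options in sorted(parse_policies(config_text).items()):
        if not options["dns external-ip"]:
            findings.append((
                name,
                "no dns external-ip",
                "internal service-IP addresses are returned in DNS replies",
            ))
        if not options["dns external-soa"]:
            findings.append((
                name,
                "dns external-soa not set",
                "the internal SOA record is returned instead of the external one",
            ))
    return findings


if __name__ == "__main__":
    for policy, setting, effect in audit(SAMPLE):
        print(f"{policy}: {setting}: {effect}")
```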


dns geoloc-action
Description The dns geoloc-action command programs the ACOS device to perform
the DNS traffic handling action specified for the client’s geo-location. The
action is specified as part of service configuration in a zone.

To configure the DNS action for a service, use the geo-location
location-name action-type command at the configuration level for the service.
See “gslb zone” on page 187.

The no dns geoloc-action command restores the default value, where the
ACOS device does not perform the DNS traffic handling action.

Syntax dns geoloc-action
no dns geoloc-action

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands program the ACOS device to perform the DNS traffic
handling action specified for the client’s geo-location.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns geoloc-action
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns geoloc-action
ACOS(config-policy:OXYGEN)#

Example This command programs the ACOS device to not perform the DNS traffic
handling action specified for the client’s geo-location.

ACOS(config-policy:OXYGEN)# no dns geoloc-action
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#


dns geoloc-alias
Description The dns geoloc-alias command configures the ACOS device to return the
alias name configured for the client’s geo-location.

The no dns geoloc-alias command configures the ACOS device to not
return the alias name configured for the client’s geo-location.

Syntax dns geoloc-alias
no dns geoloc-alias

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands configure the ACOS device to return the alias name
configured for the client’s geo-location.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns geoloc-alias
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns geoloc-alias
ACOS(config-policy:OXYGEN)#

Example This command programs the ACOS device to not return the alias name
configured for the client’s geo-location.

ACOS(config-policy:OXYGEN)# no dns geoloc-alias
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#


dns geoloc-policy
Description The dns geoloc-policy command configures the ACOS device to use the
GSLB policy assigned to the client’s geo-location.

The no dns geoloc-policy command configures the ACOS device to not
use the GSLB policy assigned to the client’s geo-location.

Syntax dns geoloc-policy
no dns geoloc-policy

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands configure the ACOS device to use the GSLB policy
assigned to the client’s geo-location.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns geoloc-policy
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns geoloc-policy
ACOS(config-policy:OXYGEN)#

Example This command configures the ACOS device to not use the GSLB policy
assigned to the client’s geo-location.

ACOS(config-policy:OXYGEN)# no dns geoloc-policy
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#


dns hint
Description The dns hint command manages the appearance of hints that appear in the
Additional Section of DNS responses. Hints are A or AAAA records that are
sent in the response to a client’s DNS request. These records provide a
mapping between the host names and IP addresses.

The hint option applies to the following record types: NS, MX, and SRV.

The no dns hint command restores the default value of appending hints
in the Additional section, which is equivalent to the addition option.

Syntax dns hint LOCATION
no dns hint

Parameter Description
LOCATION Specifies the section where hints are appended. Options include:

• addition Appends hints in the Additional Section (default).
• answer Appends hints in the Answer Section.
• none Does not append hints in the DNS response.

Default Hints are enabled and appended in the Additional section.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands configure the ACOS device to append hints in the Answer
section of the DNS response.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns hint answer
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns hint answer
ACOS(config-policy:OXYGEN)#

Example This command configures the ACOS device to not append hints to the DNS
response.

ACOS(config-policy:OXYGEN)# dns hint none
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns hint none
ACOS(config-policy:OXYGEN)#

Example This command configures the ACOS device to append hints in the Additional
section of the DNS response.

ACOS(config-policy:OXYGEN)# dns hint addition


ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

dns ip-replace
Description The dns ip-replace command configures the ACOS device to replace the IP
addresses in DNS replies with the service IP addresses configured for the
service.

To configure the service IP addresses, use the service-ip command at the
configuration level for the service. See “gslb zone” on page 187.

The no dns ip-replace command restores the ACOS default behavior of
not replacing the IP addresses in DNS replies with the service IP addresses
configured for the service.

Syntax dns ip-replace
no dns ip-replace

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands configure the ACOS device to replace the IP addresses in
DNS replies with the service IP addresses configured for the service.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns ip-replace
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns ip-replace
ACOS(config-policy:OXYGEN)#

Example This command restores the ACOS default behavior of not replacing the IP
addresses in DNS replies with the service IP addresses configured for the
service.

ACOS(config-policy:OXYGEN)# no dns ip-replace
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

dns ipv6 mapping


Description The dns ipv6 mapping command specifies the ACOS device response to
an IPv6 DNS query. You can enable one of these options.
• addition – Append AAAA records in the DNS Addition section of replies.
• answer – Append AAAA records in the DNS Answer section of replies.
• exclusive – Replace A records (IPv4 address records) with AAAA
records.
• replace – Reply with AAAA records only.

The no dns ipv6 mapping command restores the default behavior of not
using AAAA records to respond to IPv6 DNS queries.

Parameter Description
ACTION Specifies response actions to IPv6 DNS queries. Valid options
include:

• addition – Append AAAA records in the DNS Addition section of
replies.
• answer – Append AAAA records in the DNS Answer section of
replies.
• exclusive – Replace A records (IPv4 address) with AAAA
records.
• replace – Reply with AAAA records only.

Syntax dns ipv6 mapping ACTION
no dns ipv6 mapping

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands program the ACOS device to append AAAA records in the
DNS Addition section of replies to IPv6 DNS queries.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns ipv6 mapping addition
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns ipv6 mapping addition
ACOS(config-policy:OXYGEN)#

Example This command programs the ACOS device to append AAAA records in the
DNS Answer section of replies to IPv6 DNS queries.

ACOS(config-policy:OXYGEN)# dns ipv6 mapping answer
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns ipv6 mapping answer
ACOS(config-policy:OXYGEN)#

Example This command programs the ACOS device to replace A records with AAAA
records in response to IPv6 DNS queries.

ACOS(config-policy:OXYGEN)# dns ipv6 mapping exclusive
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns ipv6 mapping exclusive
ACOS(config-policy:OXYGEN)#

Example This command programs the ACOS device to use AAAA records only in
response to IPv6 DNS queries.

ACOS(config-policy:OXYGEN)# dns ipv6 mapping replace
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns ipv6 mapping replace
ACOS(config-policy:OXYGEN)#

Example This command programs the ACOS device to not use AAAA records to respond
to IPv6 DNS queries.

ACOS(config-policy:OXYGEN)# no dns ipv6 mapping
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

dns ipv6 mix


Description The dns ipv6 mix command configures the ACOS device to return AAAA
and A records in the same response.

The no dns ipv6 mix command disables the ability to return AAAA and A
records in the same response.

Syntax dns ipv6 mix
no dns ipv6 mix

Default Disabled

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands configure the ACOS device to return AAAA and A records
in the same response.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns ipv6 mix
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns ipv6 mix
ACOS(config-policy:OXYGEN)#

Example This command disables the ability to return AAAA and A records in the same
response.

ACOS(config-policy:OXYGEN)# no dns ipv6 mix
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

dns ipv6 smart


Description The dns ipv6 smart command enables IPv6 return by query type.
• IPv4 to IPv6 mapping: an A query (IPv4) returns an A record.
• IPv6 to IPv4 mapping: an AAAA query (IPv6) returns an AAAA record.

The no dns ipv6 smart command disables smart mode.

Syntax dns ipv6 smart
no dns ipv6 smart

Default Default.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands enable IPv6 return by query type.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns ipv6 smart
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns ipv6 smart
ACOS(config-policy:OXYGEN)#

Example This command disables DNS IPv6 smart mode.

ACOS(config-policy:OXYGEN)# no dns ipv6 smart
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

dns logging
Description The dns logging command enables DNS logging and specifies the
messages that are logged.

The no dns logging command disables DNS logging.

Syntax dns logging MESSAGE
no dns logging

Parameter Description
MESSAGE Specifies the information returned to the client. Valid options
include:

• query Query messages are logged.
• response Response messages are logged.
• both Query and response messages are logged.
• none Neither query nor response messages are logged.

Default See descriptions.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands configure DNS logging to log neither query nor response
messages.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns logging none
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns logging none
ACOS(config-policy:OXYGEN)#

Example This command enables DNS logging of query messages.

ACOS(config-policy:OXYGEN)# dns logging query
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns logging query
ACOS(config-policy:OXYGEN)#

Example This command enables DNS logging of response messages.

ACOS(config-policy:OXYGEN)# dns logging response
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns logging response
ACOS(config-policy:OXYGEN)#

Example This command enables DNS logging of response and query messages.

ACOS(config-policy:OXYGEN)# dns logging both
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns logging both
ACOS(config-policy:OXYGEN)#

Example This command disables DNS logging.

ACOS(config-policy:OXYGEN)# no dns logging
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

dns proxy block <query>


Description The dns proxy block <query> command programs the ACOS device to
block DNS queries from being sent to an internal DNS server. The ACOS
device must be in GSLB proxy mode for the feature to work. The command
lists the records that are blocked.

The no dns proxy block <query> command removes the ACOS device’s
DNS query block. The command requires a record list identical to the list of
records currently blocked.

Syntax dns proxy block ATTRIBUTE_1 [ATTRIBUTE_2 ... ATTRIBUTE_n]
no dns proxy block ATTRIBUTES

Parameter Description
ATTRIBUTE_X Specifies information returned to the client. The command must
list at least one attribute and may include more than one.
Options include:

• a
• aaaa
• mx
• ns
• srv
• cname
• ptr
• soa
• txt

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands program the ACOS device to block DNS queries with A
and AAAA records.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns proxy block a aaaa
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns proxy block a aaaa
ACOS(config-policy:OXYGEN)#

Example This command attempts to remove A records from the list of DNS queries
the ACOS device is programmed to block.

ACOS(config-policy:OXYGEN)# no dns proxy block a
Field value does not match (field: a).
ACOS(config-policy:OXYGEN)#

Example This command removes the DNS query block from the ACOS device.

ACOS(config-policy:OXYGEN)# no dns proxy block a aaaa
ACOS(config-policy:OXYGEN)#

dns proxy block <type>


Description The dns proxy block <type> command programs the ACOS device to block
a specified type of DNS queries. The command specifies the type, by number,
of query being blocked. The device can use multiple commands. Each
command lists either a single type or a number range corresponding to
multiple types.

The no dns proxy block <type> command restores the delivery of the
specified DNS queries.

Syntax dns proxy block TYPE-LIST
no dns proxy block TYPE-LIST

Parameter Description
TYPE-LIST Specifies the information returned to the client. Valid options
include:

• <1-255> Specifies a single type
• range <1-255> Specifies a single element range of types
• range <1-255> to <1-255> Specifies a range of types

Default See descriptions.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands block DNS queries of type 56, 58, and 60-69.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns proxy block 56
ACOS(config-policy:OXYGEN)# dns proxy block 58
ACOS(config-policy:OXYGEN)# dns proxy block range 60 to 69
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns proxy block range 60 to 69
dns proxy block 56
dns proxy block 58
ACOS(config-policy:OXYGEN)#

Example This command removes the types 63 to 67 from the DNS query block.

ACOS(config-policy:OXYGEN)# no dns proxy block range 63 to 67
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns proxy block range 60 to 62
dns proxy block range 68 to 69
dns proxy block 56
dns proxy block 58
ACOS(config-policy:OXYGEN)#
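
The following added example (not part of the A10 guide and not ACOS code) audits the dns proxy block lines of a captured "show run | sec gslb" output for both the keyword form and the numeric form, and checks the result against a baseline. It assumes that keyword and numeric forms block the same types under their IANA type numbers; the BASELINE values are constructed.

```python
"""Audit the DNS query types blocked by 'dns proxy block' lines (added example)."""

# Keywords the page lists for 'dns proxy block <query>', mapped to their IANA
# DNS TYPE numbers. Treating keyword and numeric forms as equivalent is an
# assumption of this example.
NAMED_TYPES = {"a": 1, "ns": 2, "cname": 5, "soa": 6, "ptr": 12,
               "mx": 15, "txt": 16, "aaaa": 28, "srv": 33}
PREFIX = "dns proxy block "


def _type_number(token):
    """Convert a keyword or number to a type number in the documented 1-255 range."""
    if token.isdigit():
        number = int(token)
    elif token.lower() in NAMED_TYPES:
        number = NAMED_TYPES[token.lower()]
    else:
        raise ValueError(f"unknown record type: {token!r}")
    if not 1 <= number <= 255:
        raise ValueError(f"type {number} is outside 1-255")
    return number


def blocked_types(config_text):
    """Return the set of type numbers blocked by the policy lines in config_text."""
    blocked = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        args = line[len(PREFIX):].split()
        if not args or args[0] == "action":
            continue  # disposition line ('dns proxy block action ...'), not a type list
        if args[0] == "range":
            # 'range N' (single element) or 'range N to M'
            if len(args) == 2:
                low = high = _type_number(args[1])
            elif len(args) == 4 and args[2] == "to":
                low, high = _type_number(args[1]), _type_number(args[3])
            else:
                raise ValueError(f"malformed range: {line!r}")
            if high < low:
                raise ValueError(f"descending range: {line!r}")
            blocked.update(range(low, high + 1))
        else:
            blocked.update(_type_number(token) for token in args)
    return blocked


def as_ranges(types):
    """Collapse a set of type numbers into sorted, inclusive (low, high) runs."""
    runs = []
    for number in sorted(types):
        if runs and number == runs[-1][1] + 1:
            runs[-1][1] = number
        else:
            runs.append([number, number])
    return [tuple(run) for run in runs]


def missing_from_baseline(config_text, baseline):
    """Return baseline types that the captured policy does not block."""
    return sorted(set(baseline) - blocked_types(config_text))


# The two 'show run | sec gslb' outputs from the page's examples.
BEFORE = """gslb policy OXYGEN
dns proxy block range 60 to 69
dns proxy block 56
dns proxy block 58
"""
AFTER = """gslb policy OXYGEN
dns proxy block range 60 to 62
dns proxy block range 68 to 69
dns proxy block 56
dns proxy block 58
"""
# Constructed baseline of types a site wants blocked (values are illustrative).
BASELINE = {56, 58, 61, 65}

if __name__ == "__main__":
    print("blocked before:", as_ranges(blocked_types(BEFORE)))
    print("blocked after: ", as_ranges(blocked_types(AFTER)))
    print("baseline gaps after the removal:", missing_from_baseline(AFTER, BASELINE))
```

Running the check after every change to a policy shows when a range removal such as "no dns proxy block range 63 to 67" has reopened a type the baseline expects to stay blocked.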

dns proxy block action


Description The dns proxy block action command specifies the ACOS device method
of handling blocked DNS queries.

The no dns proxy block action command restores the default value.

Syntax dns proxy block action DISPOSITION
no dns proxy block action

Parameter Description
DISPOSITION Specifies the information returned to the client. Valid options
include:

• drop
• reject
• ignore

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands


ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns proxy block action drop
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns proxy block action drop
ACOS(config-policy:OXYGEN)#

Example This command


ACOS(config-policy:OXYGEN)# dns proxy block action reject
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns proxy block action reject
ACOS(config-policy:OXYGEN)#

Example This command


ACOS(config-policy:OXYGEN)# dns proxy block action ignore
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns proxy block action ignore
ACOS(config-policy:OXYGEN)#

Example This command


ACOS(config-policy:OXYGEN)# no dns proxy block action
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

dns selected-only
Description The dns selected-only command enables return of only selected IP
addresses. The command specifies a limit of records that can be returned
after a record is selected. When the number of records exceeds the configured
value, GSLB ignores this configuration.

The no dns selected-only command disables the return of selected IP
addresses.

Syntax dns selected-only [num-record]
no dns selected-only [num-record]

Parameter Description
num-record Specifies the limit of records that are returned. Valid options
include:

• <no parameter> – enables return of all selected records
• <1-128> – specifies number of records

Default Disabled.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands enable the return of 32 records after receiving a query
from a selected IP address.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns selected-only 32
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns selected-only 32
ACOS(config-policy:OXYGEN)#

Example This command disables the return of records.

ACOS(config-policy:OXYGEN)# no dns selected-only 32
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

dns server
Description The dns server command enables a GSLB ACOS device to act as a DNS
server for specific service IPs in the GSLB zone. When this setting is enabled,
the device responds directly to address queries for specific service IP
addresses in the GSLB zone. The ACOS device still forwards other types of
queries to the DNS server.

When using this command, the dns cname-detect command is not required.
When a client requests a configured alias name, GSLB applies the policy to
the CNAME records. The server option is not valid with the ip-replace
option. They are mutually exclusive.

When using this command, you also must enable the static option on the
individual service IP. (To configure the service IP addresses, use the
service-ip command at the configuration level for the service. See “gslb
zone” on page 187.)

The no dns server command disables the GSLB ACOS device from acting
as a DNS server for specific service IPs in the GSLB zone.

Syntax dns server RECORD_1 [RECORD_2 ... RECORD_N]
no dns server

Parameter Description
RECORD_X Specifies the limit of records that are returned. Valid options include:

• addition-mx – Enables ACOS device to provide the A record containing
the mail server’s IP address in the Additional section, when the device is
configured for DNS server mode.
• any – Enables ACOS device to provide all resource records that are available,
when the ACOS device is configured for DNS server mode. When a
client issues a type “ANY” request (which is actually a pseudo resource
record that is expressed by the wildcard code “*”), then the ACOS device
includes all RR information it has available.
• authoritative – Makes the ACOS device the authoritative DNS server
for the GSLB zone, for service IPs in which static is enabled. If omitted, the
ACOS device is a non-authoritative DNS server for the zone domain.
• cname – Allows ACOS device to respond to inbound GSLB DNS requests
that have load-balanced CNAME records.
• ns [auto-ns] – Provides name server record. The auto-ns option
causes the policy to provide A records for NS records automatically.
• ptr [auto-ptr] – Provides the pointer record. The auto-ptr option
causes the policy to provide pointer records automatically.
• full-list – Appends all A records in the Authoritative section.
• mx – Provides MX record in Answer section, and A record for mail server
in Additional section, when device is configured for DNS server mode.
• ns-list – This option appends all Name Server (NS) Resource Records
(RR) in the Authority section of DNS replies.
• sec – Provides DNSSEC support.
• srv – Provides the service record.
• txt – Provides the service record. TXT resource records can be used to
carry multiple pieces of DNS TXT data within a single record.

Default Disabled

Mode GSLB Policy Configuration Mode (gslb policy)

Example The following command modifies the policy to program the ACOS device to
act as a DNS server for mail server and name server records.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns server ns addition-mx auto-ns
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns server addition-mx ns auto-ns
ACOS(config-policy:OXYGEN)#

Example This command disables the DNS server function on devices upon which
the policy is applied.

ACOS(config-policy:OXYGEN)# no dns server
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

dns sticky
Description The dns sticky command programs the device to send the same service IP
address to a client for all requests from that client for the service address.
Sticky DNS ensures that, during the aging-time, a client is always directed to
the same site.

The prefix length option adjusts the granularity of the feature. The default
prefix length (32 for IPv4, 128 for IPv6) causes the ACOS device to maintain
separate stickiness information for each local DNS server. For example, if
two clients use DNS 10.10.10.25 as their local DNS server, and two other
clients use DNS 10.20.20.99 as their local DNS server, the ACOS device maintains
separate stickiness information for each set of clients, by maintaining
separate stickiness information for each of the local DNS servers.

When the sticky option is enabled, the sticky time must be at least as long
as the zone TTL as defined by the ttl command at the zone configuration
level. (“gslb zone” on page 187.)

The no dns sticky command restores the default value.

Syntax dns sticky [MASK-V4] [MASK-V6] [DURATION]
no dns sticky [MASK-V4] [MASK-V6] [DURATION]

Parameter Description
MASK-V4 Specifies the IPv4 mask size. Valid options include:

• <no parameter> IPv4 mask size of 32
• /<1-32> Specifies IPv4 mask size
• dotted decimal notation Must be valid mask value.

MASK-V6 Specifies the IPv6 mask size. Valid options include:

• <no parameter> equivalent to ipv6-mask 128
• ipv6-mask <1-128>
DURATION Specifies duration limit for returning record. Valid options
include:

• <no parameter> equivalent to aging-time 5
• aging-time <1-65535>

Default Disabled.
When the option is enabled, the default prefix is /32, the default aging time is
5 minutes, and the default IPv6 mask length is 128.

Mode GSLB Policy Configuration Mode (gslb policy)

Usage If more than one of the following options are enabled, GSLB uses them in the
order listed:
1. sticky
2. server
3. cache
4. proxy (The command does not have a separately configurable “proxy”
option. The proxy option is automatically enabled when you configure
the DNS proxy.)
The site address selected by the first option that is applicable to the client
and requested service is used.

Example These commands enable DNS sticky and establish default values for
aging time and the masks.

ACOS(config)# gslb policy NEON
ACOS(config-policy:NEON)# dns sticky
ACOS(config-policy:NEON)# show run | sec gslb
gslb policy NEON
dns sticky
ACOS(config-policy:NEON)#

Example This command configures non-default values for the aging time and masks.

ACOS(config-policy:NEON)# dns sticky /30 aging-time 15 ipv6-mask 124
ACOS(config-policy:NEON)# show run | sec gslb
gslb policy NEON
dns sticky /30 ipv6-mask 124 aging-time 15
ACOS(config-policy:NEON)#

Example This command modifies IPv4 mask size without changing the other
parameters.

ACOS(config-policy:NEON)# dns sticky /24 aging-time 15 ipv6-mask 124
ACOS(config-policy:NEON)# show run | sec gslb
gslb policy NEON
dns sticky /24 ipv6-mask 124 aging-time 15
ACOS(config-policy:NEON)#

Example This command explicitly changes the parameter values to their defaults.

ACOS(config-policy:NEON)# dns sticky /32 ipv6-mask 128 aging-time 5
ACOS(config-policy:NEON)# show run | sec gslb
gslb policy NEON
dns sticky
ACOS(config-policy:NEON)#

Example This command disables DNS sticky.

ACOS(config-policy:NEON)# no dns sticky
ACOS(config-policy:NEON)# show run | sec gslb
gslb policy NEON
ACOS(config-policy:NEON)#
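
The following added example (a model written for this section, not ACOS code) shows how the sticky mask groups local DNS servers into one stickiness entry and how the aging time expires an entry, using the addresses and the /30 mask from the text above. Assumptions: an entry is not refreshed when it is hit, the choose callback stands in for the normal GSLB selection, and the service IP addresses in the demo are constructed.

```python
"""Model of dns sticky keying and aging (added example, not ACOS code)."""
import ipaddress


class StickyTable:
    """Remembers the service IP handed to each masked local DNS server address."""

    def __init__(self, v4_prefix=32, v6_prefix=128, aging_minutes=5):
        # Defaults follow the page: /32, ipv6-mask 128, aging-time 5 minutes.
        self.prefix = {4: v4_prefix, 6: v6_prefix}
        self.aging_seconds = aging_minutes * 60
        self.entries = {}  # masked network -> (service_ip, expires_at)

    def key(self, ldns):
        """Mask the local DNS server address to the configured prefix length."""
        addr = ipaddress.ip_address(ldns)
        return ipaddress.ip_network(f"{addr}/{self.prefix[addr.version]}", strict=False)

    def answer(self, ldns, now, choose):
        """Return the remembered service IP, or call choose() and remember its result."""
        key = self.key(ldns)
        entry = self.entries.get(key)
        if entry is not None and now < entry[1]:
            return entry[0]
        service_ip = choose()
        self.entries[key] = (service_ip, now + self.aging_seconds)
        return service_ip


def aging_covers_ttl(aging_minutes, zone_ttl_seconds):
    """Check the page's rule: sticky time must be at least as long as the zone TTL."""
    return aging_minutes * 60 >= zone_ttl_seconds


if __name__ == "__main__":
    # Constructed service IPs handed out in rotation by a stand-in selector.
    pool = iter(["192.0.2.10", "198.51.100.10", "203.0.113.10"])
    table = StickyTable(v4_prefix=30, aging_minutes=15)
    for resolver in ("10.10.10.25", "10.10.10.26", "10.20.20.99"):
        print(resolver, table.key(resolver), table.answer(resolver, 0, lambda: next(pool)))
```

With the /30 mask, 10.10.10.25 and 10.10.10.26 share the entry for 10.10.10.24/30 and receive the same answer, while 10.20.20.99 gets its own entry.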

dns ttl
Description The dns ttl command programs the ACOS device to change the TTL of each
DNS record in DNS replies received from the DNS for which the device is a
proxy.

The dns use-server-ttl command programs the device to use the time-to-live
value in the DNS server response instead of replacing it with a specified
value.

The no dns ttl and no dns use-server-ttl commands restore the default
value of 10 seconds. The latter command is available only when dns
use-server-ttl is configured.

Syntax dns ttl DURATION
dns use-server-ttl
no dns ttl
no dns use-server-ttl

Parameter Description
DURATION Specifies the new TTL value (seconds). Value ranges from 0 to 1000000000 (one
billion).

Default 10 seconds.

Mode GSLB Policy Configuration Mode (gslb policy)

Example These commands program the device to change TTL for DNS replies to 30
secs.

ACOS(config)# gslb policy OXYGEN
ACOS(config-policy:OXYGEN)# dns ttl 30
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns ttl 30
ACOS(config-policy:OXYGEN)#

Example This command programs the device to use TTL from DNS records in DNS
replies.

ACOS(config-policy:OXYGEN)# dns use-server-ttl
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
dns use-server-ttl
ACOS(config-policy:OXYGEN)#

Example This command programs the device to change TTL for DNS replies to 10
seconds.

ACOS(config-policy:OXYGEN)# no dns ttl
ACOS(config-policy:OXYGEN)# show run | sec gslb
gslb policy OXYGEN
ACOS(config-policy:OXYGEN)#

edns client-subnet geographic


Description Use the EDNS-Client-Subnet field for GSLB geo-location metric.

For DNS queries, not all clients use a third-party resolver that is in close
topographical proximity to themselves. Some recursive resolvers use an
extra EDNS field in DNS messages to forward details about where a network
query is coming from. ACOS can read the extra EDNS-Client-Subnet field and
provide more specific topological geo-location features for DNS queries in
GSLB.

When enabled, the information in the EDNS-Client-Subnet field is checked
against the configured geo-location database first. If the extra field
contains no information, ACOS checks the source IP of the recursive
DNS server against the configured geo-location database in order to apply the
GSLB geo-location metric. Because back-end servers can also generate an OPT
resource record, ACOS can read EDNS-Client-Subnet fields from responses
as well.

ACOS uses EDNS-Client-Subnet in GSLB server mode. Proxy mode is not
supported.

Syntax [no] edns client-subnet geographic

Default Disabled.

Mode GSLB Policy

Usage This command allows ACOS to read the extra field in DNS messages, and to
provide more specific topological geo-location features for DNS queries,
based on the client’s subnet. The information in the EDNS field is checked
against configured geo-location databases first.

Example This example configures a device to read the EDNS-Client-Subnet field in DNS
queries. In the example, if client traffic comes in with a source IP
11.11.11.11, but the EDNS-Client-Subnet is 10.10.10.10, the DNS A record
vs1 is selected because the client’s EDNS-Client-Subnet corresponds to the
geo-location of site1. The EDNS-Client-Subnet 10.10.10.10 will be used for
all geo-location metric features.

These commands configure two user-defined geo-locations.

ACOS(config)# gslb geo-location site1
ACOS(config-geo-location:site1)# ip 10.10.10.10 mask /24
ACOS(config-geo-location:site1)# exit
ACOS(config)# gslb geo-location site2
ACOS(config-geo-location:site2)# ip 11.11.11.11 mask /32
ACOS(config-geo-location:site2)# exit

The following commands configure example GSLB sites and their respective
geo-locations and SLB servers with virtual servers.
ACOS(config)# gslb site usa
ACOS(config-gslb site:usa)# geo-location site1
ACOS(config-gslb site:usa)# slb-dev acos1 10.10.10.10
ACOS(config-gslb site:usa-slb dev:acos1)# vip-server vs1
ACOS(config-gslb site:usa-slb dev:acos1)# exit
ACOS(config-gslb site:usa)# exit
ACOS(config)# gslb site china
ACOS(config-gslb site:china)# geo-location site2
ACOS(config-gslb site:china)# slb-dev acos2 200.20.20.20
ACOS(config-gslb site:china-slb dev:acos2)# vip-server vs2
ACOS(config-gslb site:china-slb dev:acos2)# exit
ACOS(config-gslb site:china)# exit

These commands configure an example GSLB policy related to DNS traffic.

ACOS(config)# gslb policy dns
ACOS(config-policy:dns)# dns selected-only
ACOS(config-policy:dns)# dns server authoritative
ACOS(config-policy:dns)# edns client-subnet geographic
ACOS(config-policy:dns)# exit

The following commands configure an example GSLB zone for
example.com.
ACOS(config)# gslb zone example.com
ACOS(config-zone:example.com)# policy dns
ACOS(config-zone:example.com)# service 80 http
ACOS(config-zone:example.com-service:http)# exit
ACOS(config-zone:example.com)# service 80 www
ACOS(config-zone:example.com-service:www)# dns-a-record vs1 static
ACOS(config-zone:example.com-service:www)# dns-a-record vs2 static
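
The following added example (written for this section, not ACOS code) parses the EDNS-Client-Subnet option (option code 8, RFC 7871) out of a DNS query and applies the lookup order described above: the subnet in the option first, the resolver's source IP when the option is absent or empty. The query bytes are constructed, the /24 source prefix is an assumption, and the geo-locations are the page's site1 and site2.

```python
"""EDNS-Client-Subnet parsing with source-IP fallback (added example)."""
import ipaddress
import struct

OPT_TYPE = 41    # OPT pseudo-RR type (RFC 6891)
ECS_OPTION = 8   # EDNS Client Subnet option code (RFC 7871)
FAMILIES = {1: (ipaddress.IPv4Network, 4), 2: (ipaddress.IPv6Network, 16)}

# Geo-locations from the page's example: site1 = 10.10.10.10 mask /24,
# site2 = 11.11.11.11 mask /32.
GEO_DB = [("site1", ipaddress.ip_network("10.10.10.10/24", strict=False)),
          ("site2", ipaddress.ip_network("11.11.11.11/32"))]


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + length


def _parse_ecs(body):
    """Decode one ECS option body; None means it carries no usable subnet."""
    if len(body) < 4:
        return None
    family, source_len, _scope = struct.unpack_from("!HBB", body)
    if family not in FAMILIES:
        return None
    network_cls, size = FAMILIES[family]
    if source_len == 0 or source_len > size * 8:
        return None
    packed = body[4:4 + size].ljust(size, b"\x00")   # address is sent truncated
    return network_cls((packed, source_len), strict=False)


def client_subnet(msg):
    """Return the ECS network carried in a DNS message, or None."""
    try:
        qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            rdata = msg[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            pos = 0
            while rtype == OPT_TYPE and pos + 4 <= len(rdata):
                code, olen = struct.unpack_from("!HH", rdata, pos)
                if code == ECS_OPTION:
                    return _parse_ecs(rdata[pos + 4:pos + 4 + olen])
                pos += 4 + olen
    except (IndexError, struct.error):
        return None                                   # truncated or malformed
    return None


def geo_for_query(msg, source_ip):
    """Return (geo-location, basis): ECS subnet first, resolver source IP otherwise."""
    subnet = client_subnet(msg)
    basis = "ecs" if subnet is not None else "source-ip"
    key = subnet.network_address if subnet is not None else ipaddress.ip_address(source_ip)
    for name, net in GEO_DB:
        if key.version == net.version and key in net:
            return name, basis
    return None, basis


def build_query(qname, ecs=None):
    """Build a constructed A query with an OPT record; ecs is 'address/prefix' or None."""
    question = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)              # QTYPE A, QCLASS IN
    options = b""
    if ecs is not None:
        net = ipaddress.ip_network(ecs, strict=False)
        nbytes = (net.prefixlen + 7) // 8
        options = struct.pack("!HHHBB", ECS_OPTION, 4 + nbytes,
                              1 if net.version == 4 else 2, net.prefixlen, 0)
        options += net.network_address.packed[:nbytes]
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(options)) + options
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1) + question + opt_rr


if __name__ == "__main__":
    # The page's scenario: resolver source 11.11.11.11, client subnet 10.10.10.10.
    print(geo_for_query(build_query("www.example.com", "10.10.10.10/24"), "11.11.11.11"))
    print(geo_for_query(build_query("www.example.com"), "11.11.11.11"))
```

The first call selects site1 on the basis of the option and the second falls back to the source IP and selects site2, which matches the behavior the example above describes.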

geo-location
Description Configure a geographic location. GSLB forwards client requests from IP
addresses within the location’s range to the GSLB site that serves the
location.

Syntax [no] geo-location location-name

This command takes you to the geo-location configuration level within a
GSLB policy, where the following options are available:

Command Description
ip start-ipv4-addr {mask ipv4-mask | end-ipv4-addr} Specify the beginning IP address and subnet mask or ending IP
address for an IPv4 address range.
ipv6 start-ipv6-addr {mask ipv6-mask | end-ipv6-addr} Specify the beginning IP address and subnet mask or ending IP
address for an IPv6 address range.

Default None.

Mode GSLB Policy

Usage To prefer the location configured with this command over a globally configured
location, use the gslb policy geo-location match-first policy command.
(See “geo-location-match” on page 239.)

Example The following example configures geographic location “CN.Beijing” for IP
address range 200.1.1.1 through 200.1.1.253:

ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# geo-location CN.Beijing
ACOS(config-policy:pol1-geo-location:CN.B...)# ip 200.1.1.1 200.1.1.253

geo-location-match
Description Configure the policy to prefer either the globally configured geo-location or
the one configured in this policy. If a client IP address matches the IP ranges
in a globally configured location and in a location configured in this policy,
the geo-location match-first command specifies which matching geo-
location to use.

Syntax [no] geo-location-match {match-first {global | policy} | overlap [global | policy]}

Parameter Description
match-first {global | policy} Configure policy to prefer either the globally configured geo-location
or the one configured in the policy. If a client IP address matches IP
ranges in a globally configured location and in a location configured
in the policy, the command specifies the geo-location that is used.

• global - GSLB prefers globally configured locations.

• policy - GSLB prefers locations configured in this policy.

The default is global.


overlap [global | policy] Enables overlap matching mode. If there are overlapping addresses
in the geo-location database, use this option to enable the ACOS
device to find the most precise match.

• global - GSLB prefers globally configured locations.

• policy - GSLB prefers locations configured in this policy.

The default is global.

Default See descriptions.

Mode GSLB Policy

Usage If you suspect a public IP address in your domain is not unique and the same
IP address may be associated with different hosts, you can enable the
geo-location overlap option. This causes the ACOS device to search the
geo-location database for the best match (or longest matching IP address).
Otherwise, the ACOS device will use its default behavior, which is to scan the
specified geo-location database using the “match first” algorithm, which
uses the first IP address-region mapping discovered. (See “Geo-location
Overlap” on page 120.)

Example The following command configures the GSLB controller to prefer locations
configured in this policy:

ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# geo-location-match match-first policy
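
The following added example (a model written for this section, not ACOS code) contrasts the match-first and overlap lookups and lists entries that match-first can never return. Assumptions: the preferred database (global or policy) is consulted first and the other only when it has no match, match-first scans entries in configuration order, and overlap picks the smallest matching range; the REGION-A entries are constructed, CN.Beijing uses the range from the geo-location example, and only IPv4 is handled.

```python
"""match-first versus overlap geo-location lookup (added example, IPv4 only)."""
import ipaddress


def span(spec):
    """Parse 'a.b.c.d/len' or 'start-end' into an inclusive (first, last) integer pair."""
    if "-" in spec:
        first, last = (int(ipaddress.IPv4Address(part.strip())) for part in spec.split("-"))
    else:
        net = ipaddress.IPv4Network(spec, strict=False)
        first, last = int(net.network_address), int(net.broadcast_address)
    if last < first:
        raise ValueError(f"descending range: {spec!r}")
    return first, last


def lookup(client, global_db, policy_db, mode="match-first", prefer="global"):
    """Return the geo-location name selected for client, or None."""
    address = int(ipaddress.IPv4Address(client))
    ordered = [global_db, policy_db] if prefer == "global" else [policy_db, global_db]
    for database in ordered:
        hits = []
        for name, spec in database:
            first, last = span(spec)
            if first <= address <= last:
                hits.append((last - first, name))
        if not hits:
            continue
        if mode == "overlap":
            return min(hits, key=lambda hit: hit[0])[1]   # most precise range
        return hits[0][1]                                 # first mapping found
    return None


def shadowed(database):
    """Names that match-first can never return: fully covered by an earlier entry."""
    earlier, hidden = [], []
    for name, spec in database:
        first, last = span(spec)
        if any(lo <= first and last <= hi for lo, hi in earlier):
            hidden.append(name)
        earlier.append((first, last))
    return hidden


# Constructed global database with an overlapping, more specific second entry.
GLOBAL_DB = [("REGION-A", "200.1.0.0/16"), ("REGION-A.city", "200.1.1.0/24")]
# Policy-level location from the page's geo-location example.
POLICY_DB = [("CN.Beijing", "200.1.1.1-200.1.1.253")]

if __name__ == "__main__":
    for mode in ("match-first", "overlap"):
        for prefer in ("global", "policy"):
            print(mode, prefer, lookup("200.1.1.50", GLOBAL_DB, POLICY_DB, mode, prefer))
    print("never returned by match-first:", shadowed(GLOBAL_DB))
```

The shadowed() check is a quick review aid for overlapping databases: any name it reports is reachable only when overlap mode is enabled.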

geographic
Description Enable or disable the Geographic metric. The Geographic metric prefers
sites that are within the geographic location of the client.

Syntax [no] geographic

Default Enabled

Mode GSLB Policy

Usage You must configure the geographic location, by configuring a geo-location
name, then assigning the geo-location to a GSLB site. To configure a
geo-location, assign a client IP address range to a location name. (See “gslb
geo-location” on page 165 and “geo-location” on page 238.) To assign the
geo-location to a site, use the geo-location command at the site configuration
level. (See “gslb site” on page 177.)

Example The following command disables the Geographic metric:

ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# no geographic

health-check
Description Enable or disable the Health-Check metric. The Health-Check metric prefers
sites that pass their health checks.

Syntax [no] health-check

Default Enabled

Mode GSLB Policy

Usage This metric requires the GSLB protocol to be enabled both on the GSLB controller
and site ACOS devices, if the default health checks are used on the service
IPs.

If you use a custom health monitor, or you explicitly apply the default Layer 3
health monitor to the service, the GSLB protocol is not used for any of the
health checks. In this case, the GSLB protocol is not required to be enabled
on the site ACOS devices, although use of the protocol is still recommended.

Example The following command disables the Health-Check metric:

ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# no health-check

ip-list
Description Use an IP list to exclude a set of IP addresses from aRDT polling.

Syntax [no] ip-list list-name

Default None

Usage To configure an IP list, see “gslb ip-list” on page 168.

Example The following commands configure a GSLB IP list and use the list to exclude
IP addresses from an RDT data collection:

ACOS(config)# gslb ip-list iplist1
ACOS(config-ip list:iplist1)# ip 192.168.1.0 /24 id 3
ACOS(config-ip list:iplist1)# ip 10.10.10.10 /32 id 3
ACOS(config-ip list:iplist1)# ip 10.10.10.20 /32 id 3
ACOS(config-ip list:iplist1)# ip 10.10.10.30 /32 id 3
ACOS(config-ip list:iplist1)# exit
ACOS(config)# gslb policy pol1
ACOS(config-policy:pol1)# ip-list iplist1
ACOS(config-policy:pol1)# active-rdt ignore-id 3

least-response
Description Enable or disable the Least-Response metric, which prefers VIPs that have
the fewest hits.

Syntax [no] least-response

Default Disabled

Mode GSLB Policy

Example The following command enables the Least-Response metric:

ACOS(config)# gslb policy pol1


ACOS(config-policy:pol1)# least-response


metric-fail-break
Description Enable GSLB to stop if there are no valid service IPs.

Syntax [no] metric-fail-break

Default Disabled

Mode GSLB Policy

metric-force-check
Description Force the GSLB controller to always check all metrics in the policy.

Syntax [no] metric-force-check

Default By default, the GSLB controller stops evaluating metrics for a site once a
metric comparison definitively selects or rejects a site.

Mode GSLB Policy

metric-order
Description Configure the order in which the GSLB metrics in this policy are used.

Syntax [no] metric-order metric [metric ...]

Parameter Description
metric [metric ...] One or more of the following metrics:
active-rdt
active-servers
admin-ip
admin-preference
bw-cost
capacity
connection-load
geographic
health-check
least-response
num-session
weighted-ip
weighted-site

Default By default, metrics are used in the following order:

1. Health-Check
2. Weighted-IP
3. Weighted-Site
4. Session-Capacity
5. Active-Servers
6. aRDT
7. Geographic
8. Connection-Load
9. Num-Session
10. Admin-Preference
11. BW-Cost
12. Least-Response
13. Admin-IP

The Health-Check, Geographic, and Round-Robin metrics are enabled by
default. The Round-Robin metric does not appear in the list above because
this is the metric of last resort.

Mode GSLB Policy

Usage The first metric you specify with this command becomes the primary metric.
If you specify additional parameters, they are used in the priority you specify.
All remaining metrics are prioritized to follow the metrics you specify.

The GSLB Controller uses each metric, in the order specified, to compare the
IP addresses returned in DNS replies to clients. If a metric is disabled, the
metric order does not change. The GSLB Controller skips the metric and
continues to the next enabled metric.

The Round-Robin metric cannot be re-ordered.

To display the metric order used in a policy, see “show gslb policy” on
page 260.

num-session
Description Configure the Num-Session metric, which evaluates a site based on availa-
ble session capacity and tolerance threshold compared to another site. Sites
that are at or below their thresholds of current available sessions are pre-
ferred over sites that are above their thresholds.

When dealing with smaller base numbers, a small fluctuation in the number
of available sessions can cause flapping from one site to another. Thus,
when configuring sites with smaller capacities, it is recommended to use a
larger tolerance number to prevent frequent flapping between preferred
sites.

Example Site A has 800,000 sessions available and Site B has 600,000 sessions avail-
able. If Num-Session is enabled, then Site A is preferred because it has a
larger number of available sessions than site B.


If the tolerance option is enabled (with a default value of 10 percent), and if
Site A has 800,000 sessions available and Site B has 600,000 sessions
available, then Site A will continue to be preferred until Site B’s available
sessions exceed Site A’s available sessions by more than 10 percent. In this
case, Site A will remain the preferred site until Site B’s available sessions
exceed 800,000 by more than ten percent (or 80,000 sessions). If Site A’s
available sessions remain constant, and Site B’s available sessions increase
to the point that they exceed 880,000 sessions, then Site B would become the
preferred site.

Syntax num-session tolerance num

The tolerance number is a number from 0 to 100 specifying the percentage
by which the number of available sessions on site SLB devices can differ
without causing the Num-Session metric to select one site device over
another.

The num-session tolerance command has no negative form. To reset the
Num-Session tolerance back to default, enter the following command, which
changes the Num-Session tolerance back to the default percentage:
num-session tolerance 10

NOTE: Use the num-session-enable command to enable or disable the
Num-Session metric.

Default Disabled.

The default tolerance is 10 percent.

Mode GSLB Policy

Usage The GSLB ACOS device considers site SLB devices to be equal if the differ-
ence in the number of available sessions on each device does not exceed the
tolerance percentage. The tolerance percentage ensures that minor differ-
ences in available sessions do not cause frequent, unnecessary, changes in
site preference.

This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site ACOS devices.

Example The following commands enable the Num-Session metric and change the
available-session tolerance threshold to 70 percent:

ACOS(config)# gslb policy pol1


ACOS(config-policy:pol1)# num-session-enable
ACOS(config-policy:pol1)# num-session tolerance 70
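
The tolerance comparison described for the Num-Session metric, modelled as an added Python example (not A10 code; the function names and the small-capacity sample values are constructed). It assumes the preferred site changes only when another site's available sessions exceed it by more than the tolerance percentage, as in the Site A / Site B walk-through.

```python
"""Illustrative model of the Num-Session tolerance comparison (not ACOS code)."""


def exceeds_tolerance(candidate: int, preferred: int, tolerance_pct: int) -> bool:
    """True if candidate's available sessions exceed preferred's by MORE than tolerance_pct."""
    if not 0 <= tolerance_pct <= 100:
        raise ValueError("tolerance must be a percentage from 0 to 100")
    # Integer form of: candidate > preferred * (1 + tolerance/100).
    # Avoids float rounding exactly at the boundary (880,000 vs 800,000 at 10%).
    return candidate * 100 > preferred * (100 + tolerance_pct)


def select_site(preferred: str, available: dict, tolerance_pct: int = 10) -> str:
    """Return the preferred site after one comparison of available sessions."""
    best = preferred
    for site, sessions in available.items():
        if site != best and exceeds_tolerance(sessions, available[best], tolerance_pct):
            best = site
    return best


def count_flaps(samples: list, tolerance_pct: int, start: str) -> int:
    """Count how often the preferred site changes over a series of samples."""
    preferred, flaps = start, 0
    for available in samples:
        chosen = select_site(preferred, available, tolerance_pct)
        if chosen != preferred:
            flaps += 1
            preferred = chosen
    return flaps


# Constructed samples for two low-capacity sites whose counts fluctuate slightly.
SMALL_SITES = [
    {"A": 100, "B": 105},
    {"A": 108, "B": 100},
    {"A": 101, "B": 107},
    {"A": 109, "B": 102},
]

if __name__ == "__main__":
    # Values from the walk-through in the text.
    print(select_site("A", {"A": 800_000, "B": 600_000}))   # A
    print(select_site("A", {"A": 800_000, "B": 880_000}))   # A (not MORE than 10%)
    print(select_site("A", {"A": 800_000, "B": 880_001}))   # B
    # Small base numbers: a tolerance of 0 flaps on every sample, 10 never does.
    for tol in (0, 10):
        print(tol, count_flaps(SMALL_SITES, tol, "A"))
```
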


num-session-enable
Description Enable or disable the Num-Session metric.

Syntax [no] num-session-enable

Default Disabled

Mode GSLB Policy

Example The following commands enable the Num-Session metric and change the
available-session tolerance threshold to 70 percent:

ACOS(config)# gslb policy pol1


ACOS(config-policy:pol1)# num-session-enable
ACOS(config-policy:pol1)# num-session tolerance 70

round-robin
Description Configure the Round-Robin metric, which selects sites in sequential order.
Syntax [no] round-robin

Default Enabled

Mode GSLB Policy

Usage The ACOS device uses Round-Robin to select a site at the end of the policy
parameters evaluation. This is true even if the Round-Robin metric is disa-
bled in the GSLB policy.

Example The following command disables the Round-Robin metric:

ACOS(config)# gslb policy pol1


ACOS(config-policy:pol1)# no round-robin

weighted-alias
Description Enable the Weighted Alias metric, which prefers CNAME records with higher
weight values over CNAME records with lower weight values. This metric is
similar to Weighted-IP, but applies only to DNS CNAME records.

Syntax [no] weighted-alias

Default Disabled

Mode GSLB Policy


Usage Metric order does not apply to this metric.

To configure the Weighted Alias metric:


1. At the configuration level for the GSLB service, use the weight command
to assign a weight to the DNS CNAME record for the service. (See “gslb
service-ip” on page 174.)
2. At the configuration level for the GSLB policy: (See “Weighted-Alias” on
page 88.)
• Enable the Weighted Alias metric.
• Enable one or both of the following DNS options, as applicable to
your deployment:
•DNS backup-alias
•DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup
option on the service. (See “gslb service-ip” on page 174.)

weighted-ip
Description Configure the Weighted-IP metric, which uses service IP addresses with
higher weight values more often than addresses with lower weight values.

Syntax [no] weighted-ip total-hits

The total-hits option will send requests to the service IP addresses that
have fewer hits first. After all service IP addresses have the same number of
hits, GSLB sends requests based on weight. This option is disabled by
default.
Use the weighted-ip-enable command to enable selection of the Service-Ip
by weighted preference.

Default Disabled

Mode GSLB Policy

Usage As a simple example, assume that the Weighted-IP metric is the only ena-
bled metric, or at least always ends up being used as the tie breaker. The
total-hits option is disabled. IP address 10.10.10.1 has weight 4 and IP
address 10.10.10.2 has weight 2. During a given session aging period, the
first 4 requests go to 10.10.10.1, the next 2 requests go to 10.10.10.2, and so
on, (4 to 10.10.10.1, then 2 to 10.10.10.2).

Here is an example using the same two servers and weights, with the total-
hits option enabled. IP address 10.10.10.1 has weight 4 and total hits 8, and
IP address 10.10.10.2 has weight 2 and total hits 0. In this case, the first 4
requests go to 10.10.10.2, then the requests are distributed according to
weight. Four requests go to 10.10.10.1, then two requests go to 10.10.10.2,
and so on. To display the total hits for a service IP address, use the show
gslb service-ip command. (See “gslb service-ip” on page 174.)

To assign a weight to a service IP address, use the following command at
the configuration level for the zone service:
dns-a-record name weight num

Example The following command disables the Weighted-IP metric:

ACOS(config)# gslb policy pol1


ACOS(config-policy:pol1)# no weighted-ip-enable

weighted-ip-enable
Description Enable selection of the Service-Ip by weighted preference.

Syntax [no] weighted-ip-enable

Default Disabled

Mode GSLB Policy

Example The following command disables the Weighted-IP metric:

ACOS(config)# gslb policy pol1


ACOS(config-policy:pol1)# no weighted-ip-enable

weighted-site
Description Configure the Weighted-Site metric, which uses sites with higher weight val-
ues more often than sites with lower weight values.

Syntax [no] weighted-site total-hits

The total-hits option will send requests to the service IP addresses that
have fewer hits first. After all service IP addresses have the same number of
hits, GSLB sends requests based on weight. This option is disabled by
default.

Use the weighted-site-enable command to enable selection of the Service-IP by
weighted preference.

Default Disabled. When the Weighted-Site metric is enabled, the default weight of
each site is 1.

Mode GSLB Policy

Usage As a simple example, assume that the Weighted-Site metric is the only ena-
bled metric, or at least always ends up being the tie breaker. Site A has
weight 4 and site B has weight 2. During a given session aging period, the
first 4 requests go to site A, the next 2 requests go to site B, and so on, (4 to
A, then 2 to B).

This example uses the same two sites and weights, with the total-hits
option enabled: Site A has weight 4 with total hits 8; site B has weight 2 with
total hits 0. In this case, the first 4 requests go to site B, then requests are
sent as described above. Four requests go to site A, then 2 requests go to
site B, and so on.

To assign weight to a site, use the weight command.

Example The following command disables the Weighted-Site metric:

ACOS(config)# gslb policy pol1


ACOS(config-policy:pol1)# no weighted-site-enable

weighted-site-enable
Description Enable selection of the Service-IP by weighted preference.
Syntax [no] weighted-site-enable

Default Disabled

Mode GSLB Policy

Example The following command disables the Weighted-Site metric:

ACOS(config)# gslb policy pol1


ACOS(config-policy:pol1)# no weighted-site-enable


Show Commands
This section describes the GSLB show commands.

• show gslb cache

• show gslb config

• show gslb fqdn

• show gslb geo-location

• show gslb group

• show gslb ip-list

• show gslb memory

• show gslb policy

• show gslb protocol

• show gslb rdt

• show gslb samples conn

• show gslb samples conn-load

• show gslb samples rdt

• show gslb service

• show gslb service-group

• show gslb service-ip

• show gslb service-port

• show gslb session

• show gslb site

• show gslb slb-device

• show gslb state

• show gslb statistics

• show gslb zone


show gslb cache


Description Show the DNS messages cached on the GSLB ACOS device. The GSLB
ACOS device caches DNS replies if either of the following GSLB policy
options are enabled:
• DNS caching
• aRDT metric (if the single-shot option is used)

Syntax show gslb cache


[match domain-name]
[service-name ...]
[zone zone-name]

Parameter Description
match domain-name Displays cached DNS messages for the matched
domain.
service-name Displays cached DNS messages for the specified
service.
zone zone-name Displays cached DNS messages for the specified
zone.

Mode All

Example The following command displays cached DNS messages for service
“www.testme.com:http”:

ACOS# show gslb cache www.testme.com:http


QD = Question Records, AN = Answer Records
NS = Authority Records, AR = Additional Records
Flag = DNS Flag, Len = Cache Length
A = Authoritative Answer, D = Recursion Desired
R = Recursion Available
Zone: testme.com
Service Alias Len TTL Flag QD AN NS AR
---------------------------------------------------------------------------
www.testme.com:http 96 3055 DR 1 4 0 0

The following table describes the fields in the command output.

Field Description
Zone GSLB zone name.
Service GSLB service.
Alias Alias, if configured, that maps to the DNS Canonical Name
(CNAME) for the service.
Len Length of the DNS message, in bytes.
TTL Number of seconds for which the cached message is still valid.

show gslb config


Description Show the GSLB configuration commands that are in the running-config.

Syntax show gslb config


[
active-rdt |
dns |
geo-location |
group |
ip-list |
policy |
protocol |
service-group |
service-ip |
site |
system
template |
view |
zone
]

Mode All

Usage The show gslb config command can be used in shared partitions, L3V parti-
tions, and GSLB view.

When used in shared partitions

When used within a shared partition, the show gslb config command can
include the following:

• active-rdt: Show GSLB aRDT configuration


• dns: Show GSLB global DNS configuration
• geo-location: Show GSLB global geo-location configuration
• group: Show GSLB group configuration
• ip-list: Show GSLB IP list configuration
• policy: Show GSLB policy configuration
• protocol: Show GSLB protocol configuration
• service-group: Show GSLB service-group configuration
• service-ip: Show GSLB service-ip configuration
• site: Show GSLB site configuration
• system: Show GSLB system options
• template: Show GSLB template configuration
• view: Show GSLB view
• zone: Show GSLB zone configuration


When used in L3V partitions

When used within a L3V partition, the show gslb config command can
include the following:

• group: Show GSLB Group configuration


• ip-list: Show GSLB IP list configuration
• policy: Show GSLB policy configuration
• service-ip: Show GSLB service-IP configuration
• site: Show GSLB site configuration
• template: Show GSLB template configuration
• zone: Show GSLB zone configuration

NOTE: When the show gslb config command is used within a L3V partition,
the following command completions are not supported: active-rdt,
dns, geo-location, protocol, system, and view.

When used in gslb-view

When used in gslb-view, the show gslb config command can include the
following:
• group: Show GSLB Group configuration
• ip-list: Show GSLB IP list configuration
• policy: Show GSLB policy configuration
• site: Show GSLB site configuration
• template: Show GSLB template configuration
• zone: Show GSLB zone configuration

NOTE: When the show gslb config command is used in gslb-view, the fol-
lowing command completions are not supported: active-rdt, dns,
geo-location, protocol, service-ip, system, and view.

Details about L3V Deployments

When using the new show gslb config command filters in L3V partitions,
only the following command completions are supported: group, ip-list, policy,
service-ip, site, template, and zone.

The following show gslb config command options are not supported in L3V
deployments, and by extension, not supported by the new gslb show
command enhancements: active-rdt, dns, geo-location, protocol, system and
view.

CLI Example

• Show gslb config zone


• Show gslb config site zone


• Show gslb config service-ip zone | include aaa

Show gslb config for gslb-view

The command syntax when used within gslb-view is as follows:


show gslb config
[
group |
ip-list |
policy |
service-ip |
site |
template |
zone |
common filters(| include xxx)
]

show gslb fqdn


Description Show GSLB statistics using a Fully Qualified Domain Name (FQDN).

Syntax show gslb fqdn domain-name [domain-name ... ]


[
cache |
dns-a-record |
dns-cname-record |
dns-mx-record |
dns-ns-record |
dns-ptr-record |
dns-srv-record |
dns-txt-record |
session
]

Mode All


show gslb geo-location


Description Show the status of GSLB geo-location mappings.

Syntax show gslb geo-location


{
[db [geo-location-name]
[[statistics] ip-range range-start range-end]
[[statistics] depth num]
[[statistics] directory num]
[[statistics] top num [percent [global]]]
[statistics]]

[file [file-name]]

[ip ipaddr [statistics] [policy policy-name]]

[ipv6 ipv6addr [statistics] [policy policy-name]]


[rdt
[active [geo-location-name ...]
[site site-name] [depth num]]

Parameter Description
db [options] Displays the geo-location database. If you specify a geo-location name, only the
entries for that geo-location are shown. Otherwise, entries for all geo-locations
are shown.

• ip-range – Displays entries for the specified IP address range.

• depth num – Specifies how many nodes within the geo-location data tree to
display. For example, to display only continent and country entries and hide
individual state and city entries, specify depth 2. By default, the full tree (all
nodes) is displayed.

• directory num – Displays entries for the specific geo-location database
directory.

• top num [percent [global]] – Display the top statistics for the selected
geo-location database.

• statistics – Displays client statistics for the specified geo-location.


file Displays the geo-location database files on the ACOS device, and their load sta-
[file-name] tus. (Data from a geo-location database file does not enter the geo-location data-
base until you load the file. See “gslb system geo-location load” on page 183.)
ip ipaddr Displays geo-location database entries for the specified IP address.

• statistics – Displays client statistics for the specified geo-location.

• policy policy-name – Filter output by policy.


ipv6 ipv6addr Displays geo-location database entries for the specified IPv6 address.

• statistics – Displays client statistics for the specified geo-location.

• policy policy-name – Filter output by policy.

rdt [options] Displays aRDT data for geo-locations. You can use the following options:

• active – Displays data for aRDT.

• geo-location-name – Displays aRDT data only for the specified GSLB geo-
location.

• site site-name – Displays aRDT data only for the specified GSLB site.

• depth num – Specifies how many nodes within the geo-location data tree to
display. For example, to display only continent and country entries and hide
individual state and city entries, specify depth 2.

By default, the full tree (all nodes) is displayed.

Mode All

Usage The matched client IP address and the hits counter indicate the working sta-
tus of the geo-location configuration.

Example The following command shows the status of a geo-location db named “pc”:

ACOS# show gslb geo-location db arin


Last = Last Matched Client, Hits = Count of Client matched
Sub = Count of Sub Geo-location
T = Type, P-Name = Policy name
G(global)/P(policy), S(sub)/R(sub range)
M(manually config)/B(built-in)

Geo-location: arin
From To/Mask Last Hits Sub T P-Name
--------------------------------------------------------------------------------
0 21 G

ACOS#

The following table describes the fields in the command output.

Field Description
Geo-location Name of the geo-location.
From Beginning address in the address range assigned to the geo-
location.
To Ending address in the address range assigned to the geo-loca-
tion.
Last Client IP address that most recently matched the geo-location. If
the value is “empty”, no client addresses have matched.
Hits Total number of client IP addresses that have matched the geo-
location.

Sub Number of sublocations within the geo-location. For example, if
you configure the following geo-locations, geo-location “pc” has
two sublocations, “pc.office” and “pc.lab”.

geo-location pc 10.1.0.0 mask /16

geo-location pc.office 10.1.1.0 mask /24

geo-location pc.lab 10.1.2.0 mask /24


T Type of geo-location:

• G – The geo-location is configured at the global level in the
ACOS device configuration.

• P – The geo-location is configured within a GSLB policy.


P-Name Name of the GSLB policy where the geo-location is configured.

Example The following command shows the load status information for a geo-loca-
tion database file:

ACOS(config)# show gslb geo-location file test1


T = T(Template)/B(Built-in), Per = Percentage of loading
Filename T Template Per Lines Success Error
------------------------------------------------------------------------------
test1 T t1 98% 11 10 0

Example The following command displays entries in the geo-location database:

ACOS(config)# show gslb geo-location db

Last = Last Matched Client, Hits = Count of Client matched


T = Type, Sub = Count of Sub Geo-location
G(global)/P(policy), S(sub)/R(sub range)
M(manually config)

Global
Name From To/Mask Last Hits Sub T
------------------------------------------------------------------------------
NA (empty) (empty) (empty) 0 1 G

Geo-location: NA, Global


Name From To/Mask Last Hits Sub T
------------------------------------------------------------------------------
US (empty) (empty) (empty) 0 10 GS


Geo-location: NA.US, Global


Name From To/Mask Last Hits Sub T
------------------------------------------------------------------------------
69.26.125.0 69.26.125.255 (empty) 0 0 GR
69.26.126.0 69.26.126.255 (empty) 0 0 GR
69.26.127.0 69.26.127.255 (empty) 0 0 GR
...

show gslb group


Description Show information for GSLB controller groups.

Syntax show gslb group


[brief | group-name [...] [statistics] | statistics]

Mode All

Example The following commands add a GSLB controller to the default GSLB group,
enable the device’s membership in the group, and display group information:

ACOS(config)# gslb group default


ACOS(config-gslb group)# enable
ACOS(config-gslb group)# show gslb group brief
Pri = Priority, Attrs = Attributes
D = Disabled, L = Learn
P = Passive, * = Master
Name Pri Attrs Master Member
------------------------------------------------------------------------------
default 255 L* local 2

The following table describes the fields in the command output.

Field Description
Name Name of the GSLB controller group.
Pri Priority of the master controller.

Attrs GSLB group attributes of this member:

• D – Member is disabled.

• L – Group learning is enabled on this member.

• P – Member’s connection with this member (the member on
which you enter the show gslb group command) is passive.

The group connection between any two controller group
members is a client-server connection. The group member
that initiates the connection is the client, and has the passive
side of the connection. The other member is the server.

• * – Member is the current master for the group.

NOTE: Attributes are displayed only when at least two group
members are connected.
Master IP address of the current master for the group.
Member Number of GSLB controllers in the group. This number
includes all configured group members and all learned group
members.

ACOS(config-gslb group)# show gslb group


Pri = Priority, Attrs = Attributes
D = Disabled, L = Learn
P = Passive, * = Master
Group: default, Master: 192.168.101.72
Member Sys-ID Pri Attrs Status Address
--------------------------------------------------------------------------------
local 825b1429 100 L OK
192.168.1.131 941a1229 100 Synced
192.168.1.132 ab301229 100 P Synced

The following table describes the fields in the command output.

Field Description
Member GSLB controllers currently in the group.

The “local” member is the GSLB controller on which you entered this show command.
ID Group member ID assigned by the controller group feature.
Pri Priority of the GSLB controller.

Attrs GSLB group attributes of the member:

• D – Member is disabled.

• L – Group learning is enabled on this member.

• P – Member’s connection with this member (the member on which you enter the show gslb
group command) is passive.

The group connection between any two controller group members is a client-server connec-
tion. The group member that initiates the connection is the client, and has the passive side of
the connection. The other member is the server.

• * – Member is the current master for the group.

Note: Attributes are displayed only when at least two group members are connected.
Status When the GSLB group is starting up, this column shows the protocol status. After the group is
established, this column shows the group status.

Protocol status:

• Idle

• Active

• OpenSent

• OpenConfirm

• Established

Group status of the member:

• Ready

• FullSync/MasterSync

• Synced

Note: If the group status of the member is OK, this ACOS device (the one on which you entered
the command) knows of the member, but no connection between this ACOS device and the
member is required.


show gslb ip-list


Description Display information for GSLB IP lists.

Syntax show gslb ip-list


[brief | list-name | id num | ip ipaddr | statistics]

Mode All

show gslb memory


Description Display memory allocation information for GSLB.

Syntax show gslb memory [mem-loc-id [...]] [interval seconds]

Mode All

show gslb policy


Description Show GSLB metric settings for GSLB policies.

Syntax show gslb policy [policy-name]

Mode All

The following table describes the fields in the command output.

Field Description
Policy name Name of the GSLB policy.
Type Name of the GSLB metric.
MO For GSLB metrics, indicates the order in which the metrics are
used.
Option Metric or option name.
En-Value For metric, indicates whether they are enabled (yes or no). For
options, indicates the value.
Description Description of the metric or option.


show gslb protocol


Description Show the status of the GSLB protocol on the GSLB ACOS device and the SLB
devices (site ACOS device).

Syntax show gslb protocol [[geo-location-name] port portnum]

Mode All

Example The following command shows GSLB protocol status information on an
ACOS device acting as a GSLB controller:

ACOS# show gslb protocol

GSLB site: aapg


slb-dev: acos (127.0.0.1) Established
Session ID: 26702
Connection succeeded: 1 |Connection failed: 0
Open packet sent: 1 |Open packet received: 1
Open session succeeded: 1 |Open session failed: 0
Sessions Dropped: 0 |Update packet received: 34411
Keepalive packet sent: 1408 |Keepalive packet received: 1407
Notify packet sent: 0 |Notify packet received: 0
Message Header Error: 0

GSLB site: abc


slb-dev: acos1 (127.0.0.2) Established
Session ID: 65410
Connection succeeded: 1 |Connection failed: 0
Open packet sent: 1 |Open packet received: 1
Open session succeeded: 1 |Open session failed: 0
Sessions Dropped: 0 |Update packet received: 34411
Keepalive packet sent: 1408 |Keepalive packet received: 1407
...
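
The Health-Check and Num-Session metrics depend on the GSLB protocol, so this output is worth checking for sessions that are not Established or that show failure counters. The following Python parser is an added example, not part of the A10 guide; the second site in the sample, the appearance of an Idle state in that position, and the keepalive-gap threshold are constructed assumptions.

```python
"""Parse saved `show gslb protocol` output and flag unhealthy site sessions."""
import re

SITE_RE = re.compile(r"^GSLB site:\s*(\S+)")
DEV_RE = re.compile(r"^slb-dev:\s*(\S+)\s*\(([^)]+)\)\s*(\S+)")
COUNTER_RE = re.compile(r"(.+?):\s*(\d+)")

# Counters whose non-zero value indicates a problem (names as shown in the output).
FAIL_COUNTERS = ("Connection failed", "Open session failed",
                 "Sessions Dropped", "Message Header Error")

# First site: values from the example output. Second site: constructed.
SAMPLE = """\
GSLB site: aapg
slb-dev: acos (127.0.0.1) Established
Session ID: 26702
Connection succeeded: 1 |Connection failed: 0
Open packet sent: 1 |Open packet received: 1
Open session succeeded: 1 |Open session failed: 0
Sessions Dropped: 0 |Update packet received: 34411
Keepalive packet sent: 1408 |Keepalive packet received: 1407
Notify packet sent: 0 |Notify packet received: 0
Message Header Error: 0

GSLB site: lab
slb-dev: acos9 (192.0.2.10) Idle
Session ID: 0
Connection succeeded: 0 |Connection failed: 7
Open packet sent: 7 |Open packet received: 0
Open session succeeded: 0 |Open session failed: 0
Sessions Dropped: 0 |Update packet received: 0
Keepalive packet sent: 0 |Keepalive packet received: 0
Notify packet sent: 0 |Notify packet received: 0
Message Header Error: 2
"""


def parse_protocol_status(text):
    """Return one dict per slb-dev block: site, device, address, state, counters."""
    devices, site, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        m = SITE_RE.match(line)
        if m:
            site, current = m.group(1), None
            continue
        m = DEV_RE.match(line)
        if m:
            current = {"site": site, "device": m.group(1), "address": m.group(2),
                       "state": m.group(3), "counters": {}}
            devices.append(current)
            continue
        if current is None:
            continue  # counter line outside any device block: ignore
        # Counter lines hold one or two "name: value" pairs separated by "|".
        for part in line.split("|"):
            m = COUNTER_RE.fullmatch(part.strip())
            if m:
                current["counters"][m.group(1).strip()] = int(m.group(2))
    return devices


def audit(devices, max_keepalive_gap=3):
    """Return (site, device, message) findings. max_keepalive_gap is an assumed threshold."""
    findings = []
    for dev in devices:
        who = (dev["site"], dev["device"])
        counters = dev["counters"]
        if dev["state"] != "Established":
            findings.append((*who, f"protocol state is {dev['state']}"))
        for name in FAIL_COUNTERS:
            if counters.get(name, 0) > 0:
                findings.append((*who, f"{name} = {counters[name]}"))
        gap = (counters.get("Keepalive packet sent", 0)
               - counters.get("Keepalive packet received", 0))
        if gap > max_keepalive_gap:
            findings.append((*who, f"keepalive sent/received gap = {gap}"))
    return findings


if __name__ == "__main__":
    for site, device, message in audit(parse_protocol_status(SAMPLE)):
        print(f"{site}/{device}: {message}")
```
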


show gslb rdt


Description Show aRDT data.

Syntax show gslb rdt

[geo-location
[active [geo-location-name ...]
[site site-name] [depth num]]

[slb-device
[active [geo-location-name ...]
[ip ipaddr [...]]] |

Parameter Description
geo-location Displays aRDT data based on geo-location. Optional parameter includes:

• active – Displays data for aRDT. Optional parameter modifiers include:

• geo-location-name – Displays aRDT data only for the specified GSLB geo-loca-
tion.

• site site-name – Displays aRDT data only for the specified GSLB site.

• depth num – Specifies how many nodes within the geo-location data tree to dis-
play. For example, to display only continent and country entries and hide individual
state and city entries, specify depth 2.

By default, the full tree (all nodes) is displayed.


slb-device Displays aRDT data based on SLB device. Optional parameter includes:

• active – Displays data for aRDT. Optional parameter modifiers include:

• device-name – Displays aRDT data only for the specified device.

• ip ipaddr [...] – Displays aRDT data only for the specified clients.

By default, the full tree (all nodes) is displayed.

Mode All

Usage All of the options except local-info are applicable when you enter the com-
mand on a GSLB ACOS device. To display local aRDT data on a site ACOS
device, enter the command on the site ACOS device and use the local-info
option.

Example Here is an example of the output for this command when entered on the
GSLB ACOS device:

ACOS# show gslb rdt


TTL = Time to live(Unit: min), T = Type, A(active)
Device: site1/remote


IP TTL T| 1 2 3 4 5 6 7 8
------------------------------------------------------------------------------
10.10.10.2 10 A| 0 0 0 0 0 0 0 0
20.20.20.21 10 A| 41 40 29 46 38 42 34 30
192.168.217.1 10 A| 38 54 46 50 43 38
192.168.217.11 10 A| 41 40 29 46 38 42 34 30

Device: site2/local
IP TTL T| 1 2 3 4 5 6 7 8
------------------------------------------------------------------------------
10.10.10.2 10 A| 35 52 35 40 54 56 44 48
20.20.20.21 10 A| 20 20 16 16 20 16 20 18
192.168.217.1 10 A| 16 44 20 16 20 18
192.168.217.11 10 A| 20 20 16 16 20 16 20 18

T = Type: A(active), TS = Time Stamp(unit: min)

Geo-location Site T RDT TS


------------------------------------------------------------------------------
cn.sh site1 A 38 10
site2 A 18 10
cn.bj site1 A 30 10
site2 A 18 10
jp site1 A 30 10
site2 A 18 10
us site1 A 0 10
site2 A 48 10

This example shows the default display (with no additional options). The TTL
results are organized by site ACOS device, then by geo-location.

The following table describes the fields in the command output.

Field Description
Device Site ACOS device.
IP IP address at the other end of the aRDT exchange.
TTL Time-to-live for the Active-TT entry.
T RDT type, which can be A (aRDT).
1-8 Individual aRDT measurements (in units of seconds).
Geo-location Geo-location name for which aRDT measurements have been
taken.
Site GSLB site name within the geo-location.
T RDT type. (See descriptions above.)

RDT Individual aRDT measurements (in units of seconds).
TS System time stamp of the aRDT measurement.

show gslb samples conn


Description Show the number of connections that are currently on a virtual port.

Syntax show gslb samples conn
[service-name | vipaddr]
[port port-num]
[range range-start range-end]

Parameter Description
service-name | vipaddr Specifies the service name or service IP.
port-num Specifies the virtual port.
range-start Specifies the range start.
range range-start range-end Collects samples only for the specified range of service port numbers.

Mode All

Usage The number of connections on the site is sampled based on the GSLB status
interval. (This is configurable using the gslb protocol command. See “gslb
protocol” on page 170.) Samples are listed row by row. The first 7 samples
appear on row 1, the second 7 samples appear on row 2, and so on.

If you disable the GSLB protocol, the data is cleared.

Example The following example shows connection activity for virtual port 80 on
virtual server “china”.

ACOS# show gslb samples conn china 80


0 | 1 2 3 4 5 6 7
----------------------------------------------------------------------------
1 | 15000 25000 35000 45000 55000 65000 75000
2 | 85000 95000 105000

show gslb samples conn-load


Description Show the number of connections on each virtual server.

Syntax show gslb samples conn-load num-samples interval
[service-name | vipaddr]
[port-num]

Parameter Description
num-samples Number of connection-load samples to collect and display.
interval Number of seconds to wait between collection of each sample.
service-name | vipaddr Collects samples only for the specified service IP.
port-num Collects samples only for the specified service port number.

Mode All

Example The following command shows 5 connection-load samples, collected at
5-second intervals:

ACOS# show gslb samples conn-load 5 5


ip1:80, average is: 36
| 1 2 3 4 5 6 7
----------------------------------------------------------------------------
1 | 0 0 11 1 168

ip2:80, average is: 38


| 1 2 3 4 5 6 7
----------------------------------------------------------------------------
1 | 0 0 22 2 168

ip3:80, average is: 60


| 1 2 3 4 5 6 7
----------------------------------------------------------------------------
1 | 120 0 0 0 180

ip4:80, average is: 86


| 1 2 3 4 5 6 7
----------------------------------------------------------------------------
1 | 240 0 0 0 192

In this example, five samples, taken at 5-second intervals, are shown for
each of four services (ip1:80 to ip4:80). Services are listed by service IP and
service port.

In each section, the numbers across the top are column numbers. The
numbers along the leftmost column are row numbers. The other numbers
are the actual connection load data. For example, for ip1:80 (service port 80
on service IP “ip1”), there were no connections during the first or second data
samples, and 11 connections during the third sample.
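
The row and column layout described above can be read back into a flat sample series for monitoring or baselining. The following Python code is an added example, not part of the original guide and not A10 code: it parses conn-load output such as the sample above, restores collection order, and checks each reported average. The function names are this example's own, and it assumes the reported average is the mean of the displayed samples truncated to an integer, which is what the four sections in the sample show.

```python
import re

# Constructed sample: the conn-load output from the example above.
SAMPLE_OUTPUT = """\
ip1:80, average is: 36
   |     1     2     3     4     5     6     7
----------------------------------------------------------------------------
 1 |     0     0    11     1   168

ip2:80, average is: 38
   |     1     2     3     4     5     6     7
----------------------------------------------------------------------------
 1 |     0     0    22     2   168

ip3:80, average is: 60
   |     1     2     3     4     5     6     7
----------------------------------------------------------------------------
 1 |   120     0     0     0   180

ip4:80, average is: 86
   |     1     2     3     4     5     6     7
----------------------------------------------------------------------------
 1 |   240     0     0     0   192
"""

COLUMNS_PER_ROW = 7  # the column header of each section runs from 1 to 7
SECTION_RE = re.compile(r"^(?P<service>\S+:\d+), average is: (?P<avg>\d+)$")
ROW_RE = re.compile(r"^\s*\d+\s*\|(?P<cells>[\d\s]*)$")


def parse_conn_load(text):
    """Return {service: (reported_average, [samples in collection order])}."""
    services = {}
    samples = None
    for line in text.splitlines():
        section = SECTION_RE.match(line.strip())
        if section:
            samples = []
            services[section["service"]] = (int(section["avg"]), samples)
            continue
        row = ROW_RE.match(line)
        if row and samples is not None:
            # Data rows carry a row number before "|"; the column header does not.
            samples.extend(int(cell) for cell in row["cells"].split())
    return services


def average_mismatches(services):
    """List services whose reported average differs from the truncated mean.
    Assumption: the device reports the mean of the displayed samples
    truncated to an integer, which is what the four sections above show.
    """
    bad = {}
    for name, (reported, samples) in services.items():
        if samples and sum(samples) // len(samples) != reported:
            bad[name] = (reported, sum(samples) // len(samples))
    return bad


def peak_position(samples):
    """Return (row, column, value) of the largest sample, 1-based."""
    index = max(range(len(samples)), key=samples.__getitem__)
    return (index // COLUMNS_PER_ROW + 1, index % COLUMNS_PER_ROW + 1, samples[index])


if __name__ == "__main__":
    parsed = parse_conn_load(SAMPLE_OUTPUT)
    print(parsed, average_mismatches(parsed))
```
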

show gslb samples rdt


Description Show the aRDT between the GSLB ACOS device and a client.

Syntax show gslb samples rdt

[geo-location
[active [geo-location-name ...]
[site site-name] [depth num]]

[slb-device
[active [geo-location-name ...]
[device-name] [ip A.B.C.D ...]]
[controller
[active [geo-location-name ...]
[device-name] [ip A.B.C.D ...]]

Parameter Description
geo-location Displays aRDT data based on geo-location. Optional parameter includes:

• active – Displays data for aRDT. Optional parameter modifiers include:

• geo-location-name – Displays aRDT data only for the specified GSLB geo-location.

• site site-name – Displays aRDT data only for the specified GSLB site.

• depth num – Specifies how many nodes within the geo-location data tree to display.
For example, to display only continent and country entries and hide individual
state and city entries, specify depth 2.

By default, the full tree (all nodes) is displayed.


slb-device Displays aRDT data based on SLB device. Optional parameter includes:

• active – Displays data for aRDT. Optional parameter modifiers include:

• device-name – Displays aRDT data only for the specified device.

• ip ipaddr [...] – Displays aRDT data only for the specified clients.

By default, the full tree (all nodes) is displayed.

Mode All

Usage Eight aRDT samples are displayed for each device. Times are shown in
10-millisecond (ms) increments. In the example below, the first aRDT time for
Device1 is 50 ms.

If you disable the GSLB protocol, the data is cleared.

show gslb service


Description Show the configuration information for services.

Syntax show gslb service
{cache | dns-a-record | dns-cname-record |
dns-mx-record | dns-ns-record | dns-ptr-record | dns-srv-record |
dns-txt-record | session}
[service-name ...] [zone zone-name]
[ip ipaddr {subnet-mask | /mask-length}]

Parameter Description
cache Displays service information in the GSLB DNS
cache.
dns-a-record Displays Address records for GSLB services.
dns-cname-record Displays CNAME records for GSLB services.
dns-mx-record Displays MX records for GSLB services.
dns-ns-record Displays name server records for GSLB services.
dns-ptr-record Displays pointer records for GSLB services.
dns-srv-record Displays service records for GSLB services.
dns-txt-record Displays TXT records for GSLB services.
session Displays current GSLB sessions for services.
service-name Specifies a service name.
zone zone-name Specifies a zone name.
ip ipaddr {subnet-mask | /mask-length} Specifies a client host or subnet address. (This
option applies only to the session option.)

Mode All

Example The following example shows CNAME information for zone “example.com”:

ACOS# show gslb service dns-cname-record example.com


Zone: example.com
Alias = Alias Name, Geoloc = Geo-location
G-Geoloc = Matched Global Geo-location
P-Geoloc = Matched Policy Geo-location
Service Alias Geoloc G-Geoloc P-Geoloc
------------------------------------------------------------------------------
http:www http.example.com pc1 (empty) (empty)
ftp:ftp ftpp.example.com pc1 (empty) pc1

show gslb service-group


Description Show FQDN group information.

Syntax show gslb service-group group-name
[
cache |
dns-a-record |
dns-cname-record |
dns-mx-record |
dns-ns-record |
dns-ptr-record |
dns-srv-record |
dns-txt-record |
session [ip ipaddr | ipv6 ipv6addr] |
site-stat
]

Mode All

show gslb service-ip


Description Shows information for a GSLB service.

Syntax show gslb service-ip
{service-name | vipaddr | local-info | statistics}

Parameter Description
service-name | vipaddr Specifies the service name or VIP address.
local-info Shows local SLB virtual-server information.
statistics Shows GSLB statistics for the service-IP.

Example The following command shows information for the “beijing” service:

ACOS# show gslb service-ip beijing


V = Is Virtual server, E = Enabled
P-Cnt = Count of Service Ports
Service-IP IP V E State P-Cnt Hits
-------------------------------------------------------------------
:Device1:beijing 2.1.1.10 Y Y UP 3 0

The following table describes the fields in the command output.

Field Description
Service-IP Device name and service IP name.
IP IP address of the service.
V Indicates whether the service IP is a virtual server IP address
(Y) or a real server IP address (N).
E Indicates whether the service IP is enabled.
State Indicates the service IP state: UP or DOWN.
P-Cnt Number of service ports on the service IP.
Hits Number of times the service IP has been selected.

show gslb service-port


Description Show information about the GSLB service ports configured on the sites.

Syntax show gslb service-port [local-info]

The local-info parameter displays local SLB virtual-port information.

Mode All

Example The following command shows information about all the configured GSLB
service ports.

ACOS# show gslb service-port


Attrs = Attributes, A-Svr = Active Real Servers
Cur-Conn = Current Connections
D = Disabled, P = GSLB Protocol, L = Local Protocol
T = TCP, M = Manually Health check, * = Dynamic
Service-Port Attrs State Act-Svrs Curr-Conn
-------------------------------------------------------------------
10.77.27.222:80 L DOWN 0 0
10.10.10.1:80 DOWN 0 0
67.67.6.84:80 UP 1 0
67.67.6.82:21 UP 1 0
192.168.100.6:80 DOWN 0 0

The following table describes the fields in the command output.

Field Description
Service-Port Service IP address and service port number.
Attrs Indicates whether the service port is reached using the GSLB
protocol or the local (SLB) protocol.
State Indicates the service state: UP or DOWN.
Act-Svrs Number of active real servers for the service.
Curr-Conn Current number of connections to the service.

show gslb session


Description Show cached GSLB policy selections.

Selections are cached on a zone:service basis. While a cached GSLB policy
selection is valid (that is, before it ages out), the cached selection is used for
subsequent requests from the same client for the same zone and service.

Syntax show gslb session
[service-name ...] [zone zone-name]
[ip ipaddr {subnet-mask | /mask-length}]
[ipv6 ipv6addr {subnet-mask | /mask-length}]
[match domain-name]

Parameter Description
service-name Specifies a service name.
ip ipaddr {subnet-mask | /mask-length} Specifies a client host or subnet address.
match Specifies a domain name to match to when displaying session information.
zone zone-name Specifies a zone name.

Mode All

show gslb site


Description Show GSLB site information.

Syntax show gslb site [site-name ...] [bw-cost] [statistics]

Parameter Description
site-name Displays information only for the specified site.
bw-cost Displays BW-Cost information.
statistics Displays statistics.

Mode All

Example The following command shows information for GSLB site “Site1”:

ACOS# show gslb site Site1


Site Device/server VIP Vport State Hits
-------------------------------------------------------------------
Site1 Device1 (device) 2.1.1.10 Up 0
1.2.2.2 21 Up
23 Up
80 Up
2.1.1.11 Up 0
21 Up
80 Up
2.1.1.12 Up 0
21 Up
23 Up
80 Up
serverB (server) Up 0
3.1.1.10 80 Up

The following table describes the fields in the command output.

Field Description
Site GSLB site name.
Device/server Device name and device IP address or real server name and real
server IP address.
VIP Virtual IP address for the service.
Vport Virtual port number.
State Virtual port state.
Hits Number of times the service IP was selected.

The following table describes the fields in the command output when the
bw-cost option is used.

Field Description
Site GSLB site name.
Template SNMP template name.
Current Current value of the SNMP object used for measurement.
Highest Highest value of the SNMP object used for measurement.
Limit Limit configured for the BW-Cost metric.
U Indicates whether the site is usable, based on the BW-Cost measurement.
Type Data type of the SNMP object.
Len Data length of the SNMP object.
Value Value of the SNMP object.
TI Time interval between measurements.

Example The following command shows GSLB site statistics:

ACOS# show gslb site statistics


Site Hits Last
-------------------------------------------------------------------
site1 14 2.1.1.10
site2 0 (empty)
site3 0 (empty)
site4 0 (empty)

The following table describes the fields in the command output when the
statistics option is used.

Field Description
Site GSLB site name.
Hits Number of times the site was selected.
Last Site that was most recently selected.

show gslb slb-device


Description Show information about an SLB device used by GSLB.
Syntax show gslb slb-device
[
device-name |
local-info |
rdt active [device-name ... | ip ipaddr ...]
]

Parameter Description
device-name Displays information only for the specified SLB device.
local-info Displays local SLB device information on a site SLB device.
rdt options Displays aRDT data based on SLB device. Optional parameter includes:

• active – Displays data for aRDT. Optional parameter modifiers include:

• device-name – Displays aRDT data only for the specified device.

• ip ipaddr [...] – Displays aRDT data only for the specified clients.

By default, the full tree (all nodes) is displayed.

Mode All

Example The following command shows information about SLB device “Device1”:

ACOS# show gslb slb-device Device1

APF = Administrative Preference, Sub-Cnt = Count of Service-IPs
Sesn-Uzn = Session Utilization
Sesn-Num = Number of Available Sessions
Device IP APF Sesn-Uzn Sesn-Num Sub-Cnt
------------------------------------------------------------------------------
site1:Device1 1.2.2.2 200 0% 0 3

The following table describes the fields in the command output.

Field Description
Device Site name and device name.
IP SLB device’s IP address.
APF Administrative preference for the device.
Sesn-Uzn Current session utilization on the device.
Sesn-Num Number of sessions available on the device.
Sub-Cnt Number of service IPs on the device.

show gslb state


Description Show GSLB state information collected by GSLB debugging.
Syntax show gslb state

Mode All

Usage To collect state information, enable GSLB debugging and use the state
option. (See the example below.)

Example The following commands enable GSLB debugging with retention of state
information, and initiate display of the state information:

site-acos-1(config)# debug gslb state


site-acos-1(config)# show gslb state

show gslb statistics


Description Show statistics for the GSLB protocol, for sites, or for zones.

Syntax show gslb statistics {message | site | zone}

Mode All

Usage The show gslb statistics message command shows the same output as
the show gslb protocol command. Similarly, the show gslb statistics
site command shows the same output as the show gslb site statistics
command, and the show gslb statistics zone command shows the same
output as the show gslb zone statistics command.

Example The following command shows statistics for the GSLB protocol:

ACOS# show gslb statistics message


GSLB site: site1
slb-dev: remote (20.20.20.2) Established
Session ID: 40576
Connection success: 4 |Connection failure: 0
Open packet sent: 4 |Open packet received: 1
Open session success: 1 |Open session failure: 3
Dropped sessions: 0 |Update packet received: 5101
Keepalive packet sent: 1219 |Keepalive packet received: 1218
Notify packet sent: 0 |Notify packet received: 0
Message Header Error: 0 | 0

GSLB site: site2


slb-dev: local (192.168.217.2) Established
Session ID: 104
Connection success: 1 |Connection failure: 1
Open packet sent: 1 |Open packet received: 1
Open session success: 1 |Open session failure: 0
Dropped sessions: 0 |Update packet received: 22
Keepalive packet sent: 2 |Keepalive packet received: 1
Notify packet sent: 0 |Notify packet received: 0
Message Header Error: 0 | 0

GSLB controller: 192.168.217.2 Established


Session ID: 104
Connection success: 0 |Connection failure: 0
Open packet sent: 1 |Open packet received: 1
Open Sent 1 |Open session failure: 0
Dropped sessions: 0 |Update packet sent: 22
Keepalive packet sent: 2 |Keepalive packet received: 1
Notify packet sent: 0 |Notify packet received: 0
Message Header Error: 0 | 0

show gslb zone


Description Show GSLB zone information.

Syntax show gslb zone [zone-name]
[dns-info] [dns-mx-record] [dns-ns-record] [dns-soa-record]
[site]
[statistics]

Parameter Description
zone-name Displays information only for the specified zone.
dns-info Displays the DNS information for the zone.
dns-mx-record Displays the MX records for the zone(s).
dns-ns-record Displays the name server records for the zone(s).
dns-soa-record Displays the start-of-authority records for the
zone(s).
site Displays statistics for the zone(s) by related site.
statistics Displays statistics for the zone(s).

Mode All

Example The following example shows information for zone “example.com”:

ACOS# show gslb zone example.com


Zone Service Policy TTL
------------------------------------------------------------------------------
example.com www 20
http:www www 20
ftp:ftp ftp 30

The following table describes the fields in the command output.

Field Description
Zone Zone name.
Service Service type and service name.
Policy GSLB policy name.
TTL DNS TTL value set by GSLB in DNS replies to queries for the zone
address.

Example The following command shows MX records for zones:

ACOS# show gslb zone dns-mx-record


Pri = Priority, Last = Last Server
Owner MX-Record Pri Hits Last
------------------------------------------------------------------------------
mail.abc.com:smtp mail1.abc.com 0 0
mail2.xyz.com 10

The following table describes the fields in the command output.

Field Description
Owner Zone and service name to which the MX record belongs.
MX-Record Name of the MX record.
Pri Priority (preference) set for the MX record.
Hits Number of times the record has been used.
Last Most recent time the record was used.

Example The following command shows GSLB zone statistics:

ACOS(config-gslb zone-gslb service)# show gslb zone example.com statistics


GSLB Zone example.com:
Total Number of Services configured: 1
Rcv-query = Received Query, Sent-resp = Sent Response
M-Proxy = Proxy Mode, M-Cache = Cache Mode
M-Svr = Server Mode, M-Sticky = Sticky Mode
M-Backup = Backup Mode
Service Rcv-query Sent-resp M-Proxy M-Cache M-Svr M-Sticky M-Backup
--------------------------------------------------------------------------------
http:www 0 0 0 0 0 12 0
Total 0 0 0 0 0 12 0

The following table describes the fields in the command output.

Field Description
GSLB Zone Zone name.
Total Number of Services configured Number of GSLB services configured for the zone.
Service Service type and service name.
Rcv-query Number of DNS queries received for the service.
Sent-resp Number of DNS replies sent to clients for the service.
M-Proxy Number of DNS replies sent to clients by the ACOS device as a DNS
proxy for the service.
M-Cache Number of cached DNS replies sent to clients by the ACOS device for
the service. (This statistic applies only if the DNS cache option is enabled in the
policy.)
M-Svr Number of DNS replies sent to clients by the ACOS device as a DNS
server for the service. (This statistic applies only if the DNS server
option is enabled in the policy.)
M-Sticky Number of DNS replies sent to clients by the ACOS device to keep the
clients on the same site. (This statistic applies only if the DNS sticky
option is enabled in the policy.)
M-Backup Number of DNS replies sent to clients by the ACOS device using a
backup record.

Clear Command
The following GSLB clear command is available:

• clear gslb

clear gslb
Description Clear statistics or reset functions. Sub-command parameters are required
for specific sub-commands.

Syntax clear gslb {options}

Options Description
all Clears all GSLB statistics.
cache Clears the GSLB DNS cache.
debug Clears debug statistics.
fqdn Clears FQDN statistics.
geo-location Clears geo-location statistics.
group Clears GSLB group statistics.
ip-list Clears IP-list statistics.
memory Clears memory statistics.
protocol Clears GSLB protocol statistics.
rdt Clears RDT samples.
samples Clears aRDT samples.
server Clears server statistics.
service Clears service statistics.
service-group Clears service group statistics.
service-group-session Clears service-group-session statistics.
session Clears GSLB sessions.
site Clears site statistics.
slb-device Clears SLB device samples.
statistics options Clears message, site, or zone statistics.
zone Clears zone statistics.

ACOS 4.1.1-P11 GLOBAL SERVER LOAD BALANCING GUIDE 29 MAY 2019
