Professional Documents
Culture Documents
A10 4.1.1-P11 GSLB
A10 4.1.1-P11 GSLB
1-P11
Global Server Load Balancing Guide
for A10 Thunder® Series and AX™ Series
29 May 2019
© 2019 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
Information in this document is subject to change without notice.
PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual pat-
ent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Net-
works' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:
https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking
TRADEMARKS
A10 Networks trademarks are listed at:
https://www.a10networks.com/company/legal-notices/a10-trademarks
CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may
not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Net-
works, Inc.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in
this document or available separately. Customer shall not:
1. Reverse engineer, reverse compile, reverse de-assemble, or otherwise translate the Software by any
means.
2. Sub-license, rent, or lease the Software.
DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not
limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information
contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product
specifications and features described in this publication are based on the latest information available; however, specifications are sub-
ject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current
information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and
conditions.
ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please con-
tact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic com-
ponents in your area.
FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks loca-
tion, which can be found by visiting www.a10networks.com.
Table of Contents
page 3
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Contents
page 4
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Contents
page 5
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Contents
page 6
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Contents
page 7
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Contents
page 8
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Contents
metric-fail-break .........................................................................................................................242
metric-force-check .....................................................................................................................242
metric-order .................................................................................................................................242
num-session ................................................................................................................................243
num-session-enable ..................................................................................................................245
round-robin ..................................................................................................................................245
weighted-alias ............................................................................................................................. 245
weighted-ip ..................................................................................................................................246
weighted-ip-enable ..................................................................................................................... 247
weighted-site ............................................................................................................................... 247
weighted-site-enable .................................................................................................................248
Show Commands .............................................................................................................. 249
show gslb cache .........................................................................................................................250
show gslb config ........................................................................................................................251
show gslb fqdn ...........................................................................................................................253
show gslb geo-location .............................................................................................................254
show gslb group .........................................................................................................................257
show gslb ip-list ..........................................................................................................................260
show gslb memory ....................................................................................................................260
show gslb policy .........................................................................................................................260
show gslb protocol ....................................................................................................................261
show gslb rdt .............................................................................................................................. 262
show gslb samples conn ..........................................................................................................264
show gslb samples conn-load .................................................................................................264
show gslb samples rdt .............................................................................................................. 266
show gslb service .......................................................................................................................267
show gslb service-group ...........................................................................................................268
show gslb service-ip ..................................................................................................................268
show gslb service-port ..............................................................................................................269
show gslb session .....................................................................................................................270
show gslb site .............................................................................................................................270
show gslb slb-device .................................................................................................................272
show gslb state .......................................................................................................................... 273
show gslb statistics ................................................................................................................... 273
show gslb zone ........................................................................................................................... 275
Clear Command ................................................................................................................. 278
clear gslb ......................................................................................................................................278
page 9
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Contents
page 10
Feedback ACOS 4.1.1-P11 Global Server Load Balancing Guide
GSLB Introduction
Global Server Load Balancing (GLSB) refers to load balancing applications that direct users to multiple
data center sites. Each site consists of server farms that provide users with fast response time and
sufficient redundancy to protect against the failure of a complete data center. Each GSLB implementa-
tion falls under one of these categories:
• DNS-Based GSLB: Domain Name System technology is utilized to extend load balance globally
• IP-Based GSLB: Route health injection advertises VIP availability throughout the network.
The A10 implementation of GSLB extends load balancing to a global geographic scale by offering a
choice of DNS Proxy or DNS Server methods. A10 GSLB adds a layer of availability and performance to
applications with minimal impact to existing DNS architectures while allowing the selection of the most
appropriate method for a network environment:
• Proxy Mode: The ACOS device acts as proxy for an external DNS server. The device can update
A and AAAA records in response to client requests and forwards requests for all other record
types to the external DNS server.
• Server Mode: The ACOS device directly responds to queries for specific service IP addresses in
the GSLB zone while forwarding other query types to the DNS server). In server mode, the device
can reply with A, AAAA, MX, NS, PTR, SRV, and SOA records. For all other records, the ACOS
device attempts proxy mode.
The device can be configured to use only DNS server mode for all replies. If the configuration does
not contain the applicable DNS record, the controller responds with a server failure message if is
not managing the FQDN.
The final chapter includes a description of commands available in the ACOS command line interface.
Feedback page 11
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
About this Manual FFee
e
including routing and load balancing, is assumed. While some examples include Server Load Balancing
(SLB) instructions, the reader is assumed to have a basic understanding of A10 system administration
and Server Load Balancing (SLB) concepts and procedures. A10 manuals that provide information con-
cerning these topics include the “System Configuration and Administration Guide”, the “Application
Delivery and Server Load Balancing Guide”, and the “Command Line Interface Reference for ADC”.
Manual Structure
The GSLB Guide includes the following chapters:
• GSLB Deployment Options – Describes controllers and devices; proxy and server modes; config-
uration synchronization; and usage within A10 partitions and aVCS environments.
• GSLB Implementation Examples – Provides several GSLB configuration examples.
• DNS Options – Describes DNS options supported by the device that complement the GSLB
implementation.
• Geo Location Mappings – Describes loading geo-locations: manually or by loading from a file.
• Configuring GSLB through the GUI – Provides GUI steps for many of the processes presented in
the guide.
• GSLB CLI Command Reference – Describes CLI commands that configure GSLB.
page 12
Feedback ACOS 4.1.1-P11 Global Server Load Balancing Guide
This chapter describe the following GSLB Deployment Concepts and Options:
• “aVCS” on page 22
GSLB Overview
DNS-based GSLB uses Domain Name Service (DNS) technology to extend load balancing to a global
scale. Global Server Load Balancing (GSLB) adds intelligence to authoritative DNS servers. The GSLB
controller evaluates DNS replies and directs traffic to the 'best' site by replacing the IP address in the
DNS reply.
• Provide data center failover to minimize downtime and ensure application availability
Feedback page 13
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
DNS-Based GSLB Protocol FFee
e
• Provide faster performance and improved user experience by directing users to the nearest site
• Increase data center efficiency by using flexible policies to distribute traffic to multiple sites
A GSLB controller manages protocol functionalities. The protocol must be enabled on the ACOS
instance or device designated to perform controller functions.
The GSLB controller collects the following information from the accessible site load balancers:
• Connection load
A GSLB Controller Group consists of multiple controllers, within a GSLB zone, whose service IP status
and GSLB configurations are synchronized. GSLB Controller Groups provide redundancy that protects
against the failure of an individual device. The ACOS device can automatically synchronize GSLB
configurations and VIP-server status among multiple GSLB controllers for a GSLB zone. See “Controller
Groups and GSLB Synchronization” on page 17 for more information.
Enabling the protocol on site devices within a GSLB configuration is operational for base configuration.
Specific policy options and the default health checks require the protocol to be enabled.
When running GSLB in server mode, a VIP for the DNS is required; the configuration of a real server or
service group is not required. When running GSLB in proxy mode, the real server and service group are
required along with the VIP.
For additional information on DNS configuration for Server mode and Proxy mode see “DNS Options”
on page 91.
page 14
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
GSLB Deployment Modes
1. Configure health monitors for the DNS server to proxy and the GSLB services to be load balanced.
2. Configure a GSLB policy as described in “Configuring Policies” on page 66).This can be skipped
when using a default profile.
3. Configure services.
4. Configure sites.
5. Configure a zone.
6. Enable the GSLB protocol for the GSLB controller function (gslb protocol enable controller
command).
See “gslb protocol” on page 170 for a description of gslb protocol commands.
Server Mode
An ACOS device in server mode responds directly to queries for specific service IP addresses in the
GSLB zone; the device still forwards other types of queries to the DNS server. In server mode, the ACOS
device can reply with A, AAAA, MX, NS, PTR, SRV, and SOA records. For all other records, the ACOS
device attempts proxy mode.
You can configure GSLB to use only the GSLB DNS server for all replies. When the configuration does
not
contain the applicable DNS record, the controller responds with a server failure message when it does
page 15
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
GSLB Deployment Modes FFee
e
not
manage the FQDN.
An ACOS device becomes a GSLB ACOS device when you configure GSLB on the device and enable the
GSLB protocol, for the controller function. The GSLB protocol uses port 4149. The protocol is registered
on this port for both TCP and UDP.
The dns server command is a GSLB Policy mode command that enables an ACOS device to act as a
DNS server for specific service IPs in the GSLB zone to which the policy is applied. To configure DNS
server mode on a device, apply a policy with a DNS server command to a zone or service on the device.
Example
This command configures a policy to setup a device as a DNS server to use DNS TXT resource records
to carry multiple pieces of DNS TXT data within one TXT record, then applies the policy to a service.
Proxy Mode
An ACOS device in proxy mode acts as a proxy for an external DNS server. In proxy mode, the ACOS
device updates A and AAAA records in response to client requests and forwards requests for other
record types to the external DNS server. DNS proxy is a DNS virtual service; its configuration is similar
to that of an SLB service.
page 16
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Controller Groups and GSLB Synchronization
By default, a GSLB policy configures the device to act in DNS proxy mode. The no dns server com-
mand disables DNS server mode within a policy where DNS server mode was previously enabled.
These steps describe the DNS proxy configuration process. For a description of SLB commands and
processes, see the “ADC Command Line Interface Reference Guide” and the “Application Delivery and
Server Load Balancing Guide”.
1. Configure a real server for the DNS server to be proxied (slb server command)
“Scenario 1: GSLB Proxy Mode” on page 27 contains a DNS proxy configuration example.
Each group consists of member ACOS devices. Among the members, the group a Master which man-
ages group synchronization. The Master device synchronizes GSLB configurations and VIP-server
status among the GSLB controllers within the group. A group can contain up to 15 members.
On each GSLB controller, the configuration for a GSLB group includes a list of primary group members.
By default, no primary members are defined. Group member addresses, are pushed to the other
devices in the group after they are configured on the Master device. After the GSLB process starts on
page 17
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Controller Groups and GSLB Synchronization FFee
e
an ACOS device, the device joins the controller group by connecting to the primary group members to
exchange group management traffic.
Controller groups provide a learning option that enables an ACOS device to learn IP addresses of
member when they are added to the group. Learning is enabled by default.
This feature is different from the ACOS Series Virtual Chassis System (aVCS) feature. aVCS is used for
multiple ACOS devices that serve as mutual backups within the same LAN.
The master controller and the other controllers periodically send keepalive messages. If the other con-
trollers stop receiving keep-alive messages from the master controller, a new master is elected.
To designate a master controller for the GSLB group, set the priority of the desired ACOS device to a
higher value than the other members. It is recommended that you make GSLB configuration changes
for the group-wide parameters on the master. The group synchronization feature will push your config-
uration to the other group members.
GSLB Synchronization
The master controller synchronizes GSLB configurations and VIP server status among multiple control-
lers in a GSLB group. The master synchronizes the following GSLB configuration items when updating
the configurations on other controllers:
• Service IPs
• Sticky Persistence
page 18
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Controller Groups and GSLB Synchronization
• Geo-location files
The master controller sends the following status information to the other controllers:
• aRDT data
• Device status
Until the configuration synchronization status reaches “FullSync”, GSLB configuration information can
be edited directly on group members that are not the master. When multiple devices are configured
differently, changes on the master overwrite changes on other group members when “FullSync” is
reached.
After the configuration status reaches “FullSync”, by default directly changing the
configuration on a member device is not supported and generates the error message “Operation denied
by Group Master”.
• When a L3V network contains two or more controllers that use the same public NAT address, a
GSLB group accepts only one controller as a group member. The ACOS GSLB controller rejects
subsequent connection requests from the same external IP.
• In VRRP-A deployments for clusters, the GSLB configuration synchronizes with the active
VRRP-A device, which then pushes the GSLB configuration changes to the VRRP-A standby
device.
• Management port and VRRP must be enabled in every device, pointing to its management
device.
• The CLI prompt displays the ACOS device role within the GSLB group. Status indicator can be
either “Master” or “Member”, as shown in these examples:
ACOS-Master(config)#
ACOS-Member(config)#
The group role indicator is disabled with the no terminal gslb-prompt command.
page 19
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Controller Groups and GSLB Synchronization FFee
e
• DNS auto-mapping: Maps group IP resources to IP addresses on the ACOS device. (auto-map)
• DNS suffix: DNS suffix used for DNS discovery. You can specify the suffix (name) that GSLB
appends to the domain name when sending a dns-discover query. For example, for group name
“group” and suffix “example.com”, strings are sent in the DNS discovery query as “group.exam-
ple.com”. (suffix)
• Priority: Value used during master election for the group. Higher priority values are preferred
over lower priority values. For example, priority value 200 is preferred over priority value 100.
(priority)
• Primary controller: IP addresses of the other GSLB controllers to connect to within the group.
You can specify up to 15 IP addresses. (primary)
• Learning: Allows the device to learn the IP addresses of additional group members from primary
controllers (learn).
• Automatic configuration save: Automatically saves the configuration on a group member
when the configuration is saved on the group’s master controller. (config-save)
• Automatic configuration merge following master takeover: Automatically merges the
previous master’s configuration to the new master following takeover of the master role. (con-
fig-merge)
page 20
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Controller Groups and GSLB Synchronization
page 21
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Partition-specific Group Management FFee
e
The following GSLB parameters cannot be configured for individual partitions; they are only configured
globally and are effective within all ACOS device partitions:
• GSLB system-wide settings: gslb system, gslb dns, gslb protocol, and gslb active-rdt
GSLB parameter labels do not span partitions; zones in two partitions cannot use the same zone name.
For each partition, you can create one group, the “partition group”. Only one GSLB Group is supported to
implement mapping. The following synchronization scenario is supported: from shared partition group
to shared partition group. View and inheritance features are not supported in this release.
For additional information about L3V Partitions, see the System Configuration and Administration Guide.
aVCS
Typical aVCS deployments support a virtual chassis with multiple devices. Real-time configuration
synchronization results in virtual chassis devices with identical GSLB configurations. This can result in
multiple GSLB controllers tying for highest priority. In this case, the controller with the highest last 4
bytes in its management interface MAC address is elected group master.
GSLB groups synchronize configuration between ACOS devices. When a group is enabled and the
GSLB configuration can be managed by the GSLB group, aVCSdoes not synchronize the GSLB
configuration to the vBlade. When the vMaster is not the same device as the GSLB group master,
configuring GSLB in a member controller requires enabling the config-anywhere option in the GSLB
group.
page 22
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Cloud-based Computing Solution
used to configure the SLB server (with hostname) as an ip-server or vip-server of a GSLB site. The IP
address that appears in the A record or CNAME record becomes the SLB service-ip.
The feature supports IPv4 resource records and does not support IPv6 records.
The GSLB Cloud Computing Solution may be appropriate when using multiple web-based service pro-
viders to provide server load balancing services. It can allow you to shift from one web-based service
provider to another to use services that cost less or that have better health metrics. When using a
cloud-based SLB service provider for web-based services, the provider sends a CNAME record to
access the cloud servers. The cloud servers can be dynamically imported into the ACOS device via the
CNAME record in order to do GSLB.
The example below shows the generation of dynamic service-ip addresses by hostname via DNS. This
can be accomplished using the following CLI configurations on an ACOS device:
page 23
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Cloud-based Computing Solution FFee
e
page 24
Feedback ACOS 4.1.1-P11 Global Server Load Balancing Guide
Overview
This chapter lists the GSLB configuration steps (“Basic GSLB Configuration” on page 25) and contains
CLI commands that implement several GSLB scenarios.
These scenarios demonstrate this configuration process. Supplemental steps are added to the basic
process for more complex configurations.
1. Create an FQDN string by configuring a zone and the service that corresponds to that string.
2. If a custom policy is required, create a GSLB policy to specify a set of metrics and DNS options.
3. To implement the custom policy, apply it to the zone or individual services.
4. (Optional) Configure an action to perform on DNS queries for the FQDN:
• Forward Response – Forwards responses to local DNS server; does not forward queries to
Authoritative DNS server.
• Forward Both – Forwards queries to Authoritative DNS server; forwards responses to local DNS
server.
• Forward Query – Forwards queries to Authoritative DNS server; does not forward responses to
local DNS server.
Feedback page 25
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Basic GSLB Configuration FFee
e
9. Select a service-IP type. See “Step 1: Select a service-IP type” on page 65.
10.Configure DNS Records. See “Step 2: Configure DNS Records” on page 65.
11.Manually configure Geo-Location entries. See “Step 3: Manually Configure Geo-location Entries (If
Required)” on page 66.
page 26
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 1: GSLB Proxy Mode
These commands create and enable the VIP for GSLB client DNS queries.
Service IP Assignment
These commands associate two servers with GSLB labels that can be referenced by GSLB sites.
page 27
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 1: GSLB Proxy Mode FFee
e
GSLB Site
These commands create a GSLB site and binds the virtual servers to the site. (See “Configuring Sites”
on page 63.)
GSLB Policy
These commands create a GSLB policy that, when applied, places the device in proxy mode for the
specified zone. (See “Configuring Policies” on page 66.). By default, policies place a zone in proxy mode.
GSLB Zone
These commands create a GSLB zone and implement two services within the zone. DNS address
records are included for each zone. (See “Creating an FQDN String (Zones and Services)” on page 63.)
page 28
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 1: GSLB Proxy Mode
ACOS-1(config)#
page 29
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 2: GSLB Server Mode FFee
e
These commands create and enable the VIP for GSLB client DNS queries.
These commands associate two servers with GSLB labels that can be referenced by GSLB sites.
page 30
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 2: GSLB Server Mode
These commands create two GSLB sites and bind the virtual servers to the sites. (See “Configuring
Sites” on page 63.)
These command create a GSLB policy that, when applied, places the device in server mode for the
specified zone (See “Configuring Policies” on page 66.).
These commands create a GSLB zone and implement two services within the zone. DNS address
records are included for each zone (See “Creating an FQDN String (Zones and Services)” on page 63.).
page 31
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 2: GSLB Server Mode FFee
e
page 32
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 3: GSLB Controllers and Site Devices
See “GSLB Controllers and Devices (Scenario 3)” on page 148. for the GUI implementation.
These commands create and enable the VIP for GSLB client DNS queries.
page 33
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 3: GSLB Controllers and Site Devices FFee
e
ACOS-3(config-service-ip:PIMA-port:tcp)# exit
ACOS-3(config-service-ip:PIMA)# port 25 tcp
ACOS-3(config-service-ip:PIMA-port:tcp)# exit
ACOS-3(config-service-ip:PIMA)# exit
ACOS-3(config)# gslb service-ip COCONINO 10.30.0.132
ACOS-3(config-service-ip:COCONINO)# port 80 tcp
ACOS-3(config-service-ip:COCONINO-port:tcp)# exit
ACOS-3(config-service-ip:COCONINO)# port 25 tcp
ACOS-3(config-service-ip:COCONINO-port:tcp)# exit
ACOS-3(config-service-ip:COCONINO)# exit
For each site SLB device, enter the IP address of the ACOS device that provides SLB at the site. For the
VIP server names, enter the service IP name as previously configured.
These command create a GSLB policy that, when applied, places the device in server mode for the
specified zone.
These commands create a GSLB zone and implement two services within the zone. DNS address
records are included for each zone (See “Creating an FQDN String (Zones and Services)” on page 63.).
page 34
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 3: GSLB Controllers and Site Devices
These commands create and enable the VIP for GSLB client DNS queries on ACOS-31.
These commands create and enable the VIP for GSLB client DNS queries on ACOS-32.
page 35
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 4: Main Campus Basic Configuration FFee
e
• Management IP
• aVCS
• GSLB protocol
The perimeter network or screened subnetwork called DMZ setup, can include the following
configurations:
• VLAN configuration
page 36
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 4: Main Campus Basic Configuration
• Proxy Service-group
• GSLB VIP
• GSLB group
• GSLB sites
• GSLB policy
• GSLB zone
• VLAN configuration
• Proxy service-group
• GSLB VIP
• GSLB group
• GSLB sites
• GSLB policy
• GSLB zone
page 37
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 4: Main Campus Basic Configuration FFee
e
The South Campus can be configured with a similar setup except for the VRRP-A and aVCS
configuration. Other configuration options are user accounts, authentication options, logging, alerts,
and more.
Each ACOS device can be configured with a shared or default screened subnetwork, and an Internal
partition. This will ensure proper segmentation of DMZ and Internal traffic. The Internal partitions can
use the same physical links to the existing switch or firewall infrastructure. The physical interfaces can
be enabled in the shared partition, and then VLANs must be configured in each partition and tagged to
the physical links that have been enabled in the shared partition. Optionally, The DMZ and Internal
partitions can "own" their physical interfaces. For example, this means that if the DMZ partition has
tagged VLANs on Ethernet 1, the Internal partition cannot also tag on Ethernet 1. If this physical port
ownership is desired, the interfaces must be enabled from within the desired partition instead of from
the shared partition.
Example of enabling interfaces in the shared partitions and tagging VLANs in sub-network and Internal
partitions:
ACOS-Active-vMaster# config
ACOS-Active-vMaster(config:1)#int eth 6
ACOS-Active-vMaster(config:1-if:ethernet:6)#enable
This operation applied to device 1
ACOS-Active-vMaster(config:1-if:ethernet:6)#exit
ACOS-Active-vMaster(config:1)#act adfs-internal
Current active partition: adfs-internal
ACOS-Active-vMaster[adfs-internal-gslb:Master](config:1)#vlan 590
ACOS-Active-vMaster[adfs-internal-gslb:Master](config:1-vlan:590)#tagged ethernet 6
This operation applied to device 1
ACOS-Active-vMaster[adfs-internal-gslb:Master](config:1-vlan:590)#exit
ACOS-Active-vMaster[adfs-internal-gslb:Master](config:1)#act adfs-dmz
Current active partition: adfs-dmz
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1)#vlan 490
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1-vlan:490)#tagged ethernet 6
This operation applied to device 1
page 38
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 5: GSLB Server Active/Standby Mode
Example of DMZ partition owning Ethernet 6. Internal partition cannot use it now:
ACOS-Active-vMaster# config
-vMaster(config:1)#act adfs-dmz
Current active partition: adfs-dmz
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1)#int eth 6
This operation applied to device 1
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1-if:ethernet:6)#enable
This operation applied to device 1
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1-if:ethernet:6)#vlan 490
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1-vlan:490)#tagged ethernet 6
This operation applied to device 1
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1-vlan:490)#exit
ACOS-Active-vMaster[adfs-dmz-gslb:Master](config:1)#act adfs-internal
Current active partition: adfs-internal
ACOS-Active-vMaster[adfs-internal-gslb:Master](config:1)#vlan 590
ACOS-Active-vMaster[adfs-internal-gslb:Master](config:1-vlan:590)#tagged ethernet 6
Interface is owned by another partition.
Use the command 'admin-preference' to always prefer one site over another or by 'admin-ip' to ensure
that any record associated with a service at the preferred site is always selected.
This scenario presents a GSLB Server Active/Standby Mode configuration that includes one A10 device
configured as a GSLB controller and A10 devices configured as GSLB site devices, as depicted in
Figure 3. The configuration requires these steps:
• SLB Setup
• GSLB Setup
• Functionality of Setup
SLB Setup
The SLB configuration setup is as follows:
page 39
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 5: GSLB Server Active/Standby Mode FFee
e
page 40
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 5: GSLB Server Active/Standby Mode
no terminal auto-size
terminal length 0
!
5. Setup DNS for Virtual IP address. Configure the Internal OpenDNS (10.125.15.121 or
10.125.15.122 or 10.100.2.121 or 10.100.2.122) for adfs.FPA.org. Client queries will be sent to
these addresses.
ip dns primary 10.125.15.121
!
ip dns secondary 10.100.2.122
!
ip dns suffix FPA.org
!
vlan 1/580
tagged ethernet 1
router-interface ve 580
!
vlan 2/580
tagged ethernet 1
router-interface ve 580
!
6. Setup DMZ partition for internal sub-network and implement LLDP on ACOS device.
partition dmz id 10 application-type adc
!
partition inside id 20 application-type adc
!
lldp system-name CCC-MDF-3030S-01
lldp system-description CCC-MDF-3030S-01
lldp enable rx tx
lldp notification interval 30
!
device-context 1
hostname CCC-MDF-3030S-01
!
device-context 2
hostname IST-MDF-3030S-01
!
page 41
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 5: GSLB Server Active/Standby Mode FFee
e
!
device-context 2
interface management
access-list 5 in
ip address 10.202.1.102 255.255.255.0
ip control-apps-use-mgmt-port
ip default-gateway 10.202.1.1
!
interface ethernet 1/1
enable
!
interface ethernet 1/2
!
interface ethernet 1/3
!
interface ethernet 1/4
!
interface ethernet 1/5
!
interface ethernet 1/6
!
interface ethernet 1/7
!
interface ethernet 1/8
!
interface ethernet 1/9
enable
lldp enable rx tx
lldp notification enable
!
interface ethernet 1/10
!
interface ethernet 1/11
enable
lldp enable rx tx
lldp notification enable
!
interface ethernet 1/12
!
interface ethernet 2/1
enable
!
interface ethernet 2/2
!
interface ethernet 2/3
!
interface ethernet 2/4
page 42
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 5: GSLB Server Active/Standby Mode
!
interface ethernet 2/5
!
interface ethernet 2/6
!
interface ethernet 2/7
!
interface ethernet 2/8
!
interface ethernet 2/9
!
interface ethernet 2/10
!
interface ethernet 2/11
!
interface ethernet 2/12
!
interface ve 1/580
ip address 10.0.0.1 255.255.255.252
!
interface ve 2/580
ip address 10.0.0.2 255.255.255.252
!
vrrp-a vrid 0
device-context 1
blade-parameters
priority 200
device-context 2
blade-parameters
priority 180
!
ip nat alg pptp enable
!
vrrp-a interface ethernet 1/1
vlan 580
!
vrrp-a interface ethernet 2/1
vlan 580
!
logging monitor information
!
logging console information
!
!
page 43
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 5: GSLB Server Active/Standby Mode FFee
e
2. View the current configuration commit to partition 0 in classical-mode configuration, using the
show running configuration command:
Commit the current configuration commit to partition 0 in classical-mode configuration
!Current configuration: 1650 bytes
!Configuration last updated at 13:58:18 EDT Wed Apr 18 2018
!Configuration last saved at 10:25:02 EDT Wed Apr 18 2018
!
active-partition dmz
!
!
access-list 99 permit any log
!
vlan 1/91
tagged ethernet 9
router-interface ve 91
name dmz
!
vlan 2/91
tagged ethernet 9
router-interface ve 91
name dmz
!
interface ethernet 1/9
enable
!
interface ethernet 2/9
page 44
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 5: GSLB Server Active/Standby Mode
name dmz
enable
!
interface ve 1/91
access-list 99 in
ip address 10.200.240.198 255.255.255.0
!
interface ve 2/91
access-list 99 in
ip address 10.200.240.199 255.255.255.0
!
vrrp-a vrid 0
floating-ip 10.200.240.200
device-context 1
blade-parameters
priority 200
tracking-options
interface ethernet 9 priority-cost 40
gateway 10.200.240.254 priority-cost 40
device-context 2
blade-parameters
priority 180
tracking-options
interface ethernet 9 priority-cost 40
gateway 10.200.240.254 priority-cost 40
!
5. Setup health monitoring and SLB server, service group, and client configurations.
health monitor TCP-80
method tcp port 80
!
health monitor TCP-443
method tcp port 443
!
health monitor gatewayhm1
page 45
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 5: GSLB Server Active/Standby Mode FFee
e
up-retry 3
interval 2 timeout 1
!
slb template cipher TEMPLATE-CIPHER
SSL3_RSA_DES_192_CBC3_SHA
TLS1_RSA_AES_128_SHA priority 50
TLS1_ECDHE_RSA_AES_128_SHA priority 80
TLS1_ECDHE_RSA_AES_256_SHA priority 80
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_DHE_RSA_AES_128_SHA256 priority 70
TLS1_DHE_RSA_AES_256_SHA256 priority 70
!
slb template server-ssl SERVER-SSL-ADFS.FPA.ORG-2020
close-notify
version 33 33
use-client-sni
template cipher TEMPLATE-CIPHER
!
slb server CCC-TESTA10-01 10.200.240.31
port 80 tcp
!
slb server CCC-TESTA10-02 10.200.240.32
port 80 tcp
!
slb server FPC-ADFSPROXY01 10.200.240.10
port 443 tcp
!
slb server gateway1 10.200.240.254
health-check gatewayhm1
!
slb service-group CCC-ADFSPROXY tcp
member FPC-ADFSPROXY01 443
!
slb service-group dmz_test tcp
member CCC-TESTA10-01 80
member CCC-TESTA10-02 80
!
slb template client-ssl CLIENT-SSL-ADFS.FPA.ORG-2020
chain-cert incommon-intermediate-2024
cert adfs.FPA.org-2020
key adfs.FPA.org-2020
template cipher TEMPLATE-CIPHER
disable-sslv3
version 33 33
!
slb template persist cookie TEMPLATE-PERSIST-COOKIE
page 46
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 5: GSLB Server Active/Standby Mode
expire 86400
!
slb template http TEMPLATE-HTTP-X-FORWARDED-FOR
insert-client-ip X-Forwarded-For replace
!
slb template http TEMPLATE-HTTP-X-MS-FORWARDED-CLIENT-IP
insert-client-ip X-MS-Forwarded-Client-IP
!
slb virtual-server VS-10.200.240.150-53 10.200.240.150
description name "External GSLB"
port 53 udp
gslb-enable
!
8. Associate the main zones or DMZs, DEF and ABC to the GSLB group.
gslb site DEF
page 47
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 5: GSLB Server Active/Standby Mode FFee
e
page 48
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 5: GSLB Server Active/Standby Mode
page 49
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 5: GSLB Server Active/Standby Mode FFee
e
priority 200
tracking-options
interface ethernet 11 priority-cost 40
gateway 10.125.14.254 priority-cost 40
device-context 2
blade-parameters
priority 180
tracking-options
interface ethernet 11 priority-cost 40
gateway 10.125.14.254 priority-cost 40
!
ip nat pool SNAT-POOL-INSIDE 10.125.14.50 10.125.14.55 netmask /24 gateway 10.125.14.254
ip-rr
!
device-context 1
ip route 0.0.0.0 /0 10.125.14.254 1 description "default route"
!
device-context 2
ip route 0.0.0.0 /0 10.125.14.254 1 description "default route"
!
health monitor TCP-443
method tcp port 443
!
health monitor gatewayhm1
up-retry 3
interval 2 timeout 1
!
slb template cipher TEMPLATE-CIPHER
SSL3_RSA_DES_192_CBC3_SHA
TLS1_RSA_AES_128_SHA priority 50
TLS1_ECDHE_RSA_AES_128_SHA priority 80
TLS1_ECDHE_RSA_AES_256_SHA priority 80
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_DHE_RSA_AES_128_SHA256 priority 70
TLS1_DHE_RSA_AES_256_SHA256 priority 70
!
slb template server-ssl SERVER-SSL-ADFS.FPA.ORG-2020
close-notify
version 33 33
use-client-sni
template cipher TEMPLATE-CIPHER
!
slb server CCC-ADFS01 10.125.15.9
port 443 tcp
!
slb server gateway1 10.125.14.254
health-check gatewayhm1
page 50
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 5: GSLB Server Active/Standby Mode
!
slb service-group CCC-ADFS tcp
member CCC-ADFS01 443
!
slb template client-ssl CLIENT-SSL-ADFS.FPA.ORG-2020
chain-cert incommon-intermediate-2024
cert adfs.FPA.org-2020
key adfs.FPA.org-2020
template cipher TEMPLATE-CIPHER
disable-sslv3
version 33 33
!
slb template persist cookie TEMPLATE-PERSIST-COOKIE
expire 86400
!
slb template http TEMPLATE-HTTP-X-FORWARDED-FOR
insert-client-ip X-Forwarded-For replace
!
slb template http TEMPLATE-HTTP-X-MS-FORWARDED-CLIENT-IP
insert-client-ip X-MS-Forwarded-Client-IP
!
slb virtual-server VS-10.125.14.175-53 10.125.14.175
description "Internal GSLB"
port 53 udp
gslb-enable
!
slb virtual-server VS-10.125.14.224 10.125.14.224
description "ADFS Layer 4 helper"
port 80 http
source-nat pool SNAT-POOL-INSIDE
service-group CCC-ADFS
redirect-to-https
port 443 tcp
source-nat pool SNAT-POOL-INSIDE
service-group CCC-ADFS
!
slb virtual-server VS-10.125.14.225 10.125.14.225
description "ADFS"
port 80 http
source-nat pool SNAT-POOL-INSIDE
service-group CCC-ADFS
redirect-to-https
port 443 https
aflex aFlex-logging_clients
source-nat pool SNAT-POOL-INSIDE
service-group CCC-ADFS
template persist cookie TEMPLATE-PERSIST-COOKIE
page 51
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 5: GSLB Server Active/Standby Mode FFee
e
GSLB Setup
The GSLB configuration setup is as follows for ADFS with Active site called ABC and Standby site
called DEF.
2. Configure the virtual service IP addresses for GSLB server IP address 71.40.176.225:
!
gslb service-ip VS-10.100.99.201-443 10.100.99.201
external-ip 71.40.181.225
port 443 tcp
3. Configure the default IP addresses for GSLB group with primary service address 10.200.240.200:
!
gslb group default
enable
primary 10.200.240.200
priority 200
4. Setup GSLB for the DEF site. Set active/standby mode on DEF by setting admin-preference
priority:
!
gslb site DEF
admin-preference 180
slb-dev DEF-10.100.99.198-DMZ 10.100.99.198
vip-server VS-10.100.99.201-443
5. Setup GSLB for the ABC site. ABC now has higher admin-preference priority:
!
gslb site ABC
admin-preference 200
slb-dev ABC-10.200.240.200-DMZ 10.200.240.200
vip-server VS-10.200.240.201-443
page 52
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 5: GSLB Server Active/Standby Mode
Functionality of Setup
1. Client is configured to use an OpenDNS Virtual Appliance as primary and secondary DNS server.
a. If ABC is client, then primary is at ABC and secondary is at DEF
b. If DEF is client, then primary is at DEF and secondary is at ABC
2. Configure the Internal OpenDNS (10.125.15.121 or 10.125.15.122 or 10.100.2.121 or
10.100.2.122) for adfs.FPA.org. Client queries will be sent to these addresses.
3. This matches to the OpenDNS internal DNS forward policy. Set the Internal ADC DNS to
(10.120.1.203 or 10.100.2.100).
4. The ADC DNS points to adfs.gslb.FPA.org
a. In the FPA.org forward zone, there are A records for GSLBNS1 and GSLBNS2.
b. GSLB NS1 and GSLB NS2 are the GSLB-enabled VIPs at each site: ABC: GSLB NS1
(10.125.15.150) and DEF: GSLB NS2 (10.100.2.150).
c. Internal AD DNS assigns gslb.FPA.org to NS records GSLB NS1 and GSLB NS2.
page 53
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 5: GSLB Server Active/Standby Mode FFee
e
5. AD DNS follows the Client queries will be sent to these addresses GSLBNS1 or GSLBNS2
d. Geo-locations for ABC and DEF are defined in GSLB policy
• The virtual IP address is returned from the corresponding zone.
e. The DNS query chain uses pseudo round-robin NS server selection.
• The original forwarded query from Open DNS Virtual Active devices is sent to the Internal
ADC DNS Server at ABC or DEF.
• The recursive query from the Internal AD DNS Server at either campus could be sent to
GSLBNS1 or GSLBNS2.
• Thus, the recursive query arriving at either GSLBNS1 or GSLBNS2 could be from either ABC
or DEF; as a result, the AD FS VIP returned to the client could be for ABC or DEF.
6. AD DNS forwards the response to the Open DNS Virtual Active.
7. The Open DNS VA forwards the response to the client. Depending on the response from AD DNS
server, the client establishes an HTTPS connection to the ABC or DEF Internal AD FS VIP.
8. The AD FS VIP source NAT establishes a separate HTTPS connection to the back end AD FS
server. The original client source IP in included in the HTTP header.
9. The AD FS server replies through the VIP source NAT, and the VIP forwards the reply to the client.
The internal client receives the response.
page 54
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 6: GSLB Disaster Recovery Solution
c. GSLB policy always returns the ACOS firewall service proxy VIP, external IP for ABC unless it is
down:
• The ABC ACOS firewall service proxy VIP is 10.200.240.201 with external IP 71.40.176.174
• The DEF AD FS Proxy VIP is 10.100.99.201 with external IP 71.40.181.225
5. GoDaddy forwards the response to the client
6. The client establishes an HTTPS connection to the ABC AD FS Proxy VIP
a. ABC firewall NAT 192.168.1.15:443::10.200.99.150:443
b. DEF firewall NAT 192.167.1.15:443::10.100.99.150:443
7. The ABC AD FS Proxy VIP source NAT establishes a separate HTTPS connection to the AD FS
Proxy. The original client source IP is included in HTTP header
8. The AD FS Proxy connects with the internal AD FS server through a Layer-4 VIP.
a. At ABC, this L4 VIP is 10.125.15.224
b. At DEF, this L4 VIP is 10.100.2.224
c. The AD FS Proxy at each site is configured with a host adfs.FPA.org to the local VIP
d. The VIP does not interact with HTTP or SSL/TLS
e. This is required since the AD FS server uses TLS client authentication to authenticate the AD FS
proxy, and the certificates keys are used frequently.
10.The VIP source NAT connects to the AD FS server. The AD FS server responds to the AD FS proxy
through the VIP source NAT. The AD FS proxy responds to the external client through the ABC AD FS
Proxy VIP source NAT. The external client receives the response.
The fail-over is a transparent process to users connecting to a FQDN serviced by the A10 GSLB
controllers. The GSLB site fail-over process can also be accomplished manually in case of scheduled
site maintenance. The operator can force traffic to an alternate site by a simple procedure.
Concept Topics
The following topic explains the design and prerequisites for a sample ACOS GSLB setup:
page 55
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 6: GSLB Disaster Recovery Solution FFee
e
Task Topics
The task topics provide example site setup configurations for disaster recovery:
• Configuring CLI
• Queries are sent to the local DNS server and the recursive lookup process continues to the root
DNS servers.
• The A10 GSLB controllers communicate using the GLSB protocol for health check monitors to
verify site availability.
• CNAME is used for delegation of the FQDN to the A10 GSLB controllers.
page 56
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 6: GSLB Disaster Recovery Solution
• The Primary or the DR GSLB controller responds to the users with the Primary site HTTP VIP
address if the Primary site is up.
• If the A10 GSLB controllers determine the Primary site is down:
• The A10 GSLB controller responds with the HTTP VIP address of the DR site.
• User traffic is directed to the DR site.
• When the GSLB Protocol determines the Primary site is up:
• Enable the GSLB controller process for the GSLB protocol to exchange site health information.
ACOS(config)# gslb protocol enable controller
• Enable the DNS VIP for a standalone DNS server, configure the port, and enable GSLB.
ACOS(config)# slb virtual-server <name> <IP address>
ACOS(config-slb vserver)# <port <number> < udp>
ACOS (config-slb vserver-vport)# <gslb-enable>
• Configure the Service IP address for each site. This is the SLB VIP address or remote host IP
address the DNS VIP will respond with, to direct traffic to the site. Define the port and protocol.
ACOS(config)# <gslb service-ip <name> <IP address>>
ACOS(config-service-ip:PRI-GSLB-HTTP)# <port <number> <udp or tcp>>
• Configure the GSLB controller for each site. Configure the site parameters and set the adminis-
trative preference to prefer Primary site for all traffic. The default administrative preference value
is 100. Set the active site to a higher administrative value than the default value to prefer traffic
over the DR site. Add the GSLB service VIP address to each site configuration.
ACOS(config)# <gslb site <name>>
ACOS(config-gslb site:name)# <slb-dev <name> <IP address>>
ACOS(config-gslb site:name-slb dev:name)# <admin-preference <0-255>>
ACOS(config-gslb site:name-slb dev:name)# <vip-server <GSLB VIP name>>.
• Configure the GSLB policy to determine how GSLB traffic will be distributed to each site. Enable
the DNS attributes to respond with a single IP and be authoritative for the zone. Enable adminis-
trative-preference and disable round robin based on the active-standby design. Order the metrics
for the desired GSLB behavior.
ACOS(config)# <gslb policy <name>>
ACOS(config-policy:name)# <dns selected-only 1>
ACOS(config-policy:name)# <dns server authoritative>
ACOS(config-policy:name)# <admin-preference>
page 57
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 6: GSLB Disaster Recovery Solution FFee
e
• Enable the zone information for DNS query response for the FQDN zone. Bind the GSLB policy to
the zone configuration. Enter the CNAME if it was used for zone delegation on the A10 GSLB
controllers or enter the zone. Define the service prefix for the FQDN and associated service port.
Configure the DNS A Record for each GSLB VIP address of each site which will return the HTTP
VIP address with the DNS response.
ACOS(config)# <gslb zone <zone name>
ACOS(config-zone:zone-name)# <policy <name>>
ACOS(config-zone:zone-name)# <service <port number> <service prefix for zone>>
ACOS(config-zone:zone-name.-service...)# <dns-a-record <GSLB VIP name> <static>>
Configuring CLI
Configure GSLB with the following steps using the CLI for the illustrated GSLB Disaster Recovery
design. The CNAME, gslb.a10example.com, is used for the zone, www.a10example.com.
page 58
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Scenario 6: GSLB Disaster Recovery Solution
page 59
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Scenario 6: GSLB Disaster Recovery Solution FFee
e
FIGURE 5 GSLB design template configuration for Primary and Disaster Recovery Site
page 60
Feedback ACOS 4.1.1-P11 Global Server Load Balancing Guide
GSLB Elements
This chapter describes the primary structural components of a GSLB Configuration. Sections include:
• Zones – A GSLB zone is a DNS domain for GSLB. An ACOS device can be configured with one or
more GSLB zones.
Example: mydomain.com is a zone.
• Services – A service is an application, such as HTTP or FTP. Each service is given an FQDN with
a zone managed by the GSLB. A zone may include the FQDN of multiple services,
Example: www.mydomain.com is an FQDN where www is the HTTP service.
• Sites – A site is a server farm that is locally managed by an ACOS device that performs load
balancing for the site. Each zone can contain one or more GSLB sites.
• Service-IP – A service-ip identifies a virtual server by its IP address and specifies the port that
hosts the service provided by the server. The service-ip definition can also include health checks
and an external IP address that facilitates access from outside of the internal network.
Feedback page 61
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Configuring GSLB Elements FFee
e
• Policies – A policy is a data structure that defines a set of metric settings and DNS options. After
a policy is configured, it is applied to a zone or a service level within a zone. Zones and services
use policies to manage client requests by selecting the best site and specifying DNS options for
the request.
GSLB zones can be configured with the same domain on multiple partitions, facilitating independent
policies for internal and external services for a domain. This also allows the same domain to be
configured on different partitions, regardless of the mode each partition is running.
Policies, service groups, and service-IP names can be duplicated in different partitions, but they must
be configured separately in each partition. The default GSLB policy is used globally and can only be
configured in the shared partition. GSLB site configurations are unique and cannot be duplicated in
different partitions.
Example: The zone name “example.com” and service name combine to form the
“www.example.com” FQDN.
You can configure all of a service’s parameters, including its site, service-IP, and zone membership. You
can configure a service and all its required parameters.
An FQDN group combines multiple FQDNs (services) to provide a single point of contact for enabling or
disabling services at multiple levels of granularity.
“Configuring FQDN Service Groups” on page 69 describes the process of configuring FQDN Service
Groups.
page 62
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Configuring GSLB Elements
Configuring a Zone
The gslb zone command places the device in zone configuration mode, which includes a command
that associates a service to the zone. The command creates a zone when it references a zone not yet
configured. See “gslb zone” on page 187..
Example: This command creates a zone named a10-venus.com and places the device in zone
configuration mode.
ACOS(config)# gslb zone a10-venus.com
ACOS(config-zone:a10-venus.com)#
Command are available in service configuration mode to configure a DNS records for the service,
specify DNS traffic actions, enable health check parameters, and configure geo-location settings.
Example: These commands create the www service for the previously created a1-venus.com zone and
configure two DNS Address records for the service. The device remains in a10-venus.com-www service
configuration after the commands.
Configuring Sites
The gslb site command places the device in site configuration mode, which includes commands that
associate real servers and a service to the zone. The command creates a new zone when it references
a zone that is not yet configured. See “gslb site” on page 177.
The ip-server command, available from site configuration mode, associates the real server at the
specified IP address to the configuration mode site. See “[no] ip-server service-ip” on
page 179.
The slb-dev command specifies an access IP address for the site and places the device in slb-dev
configuration mode. Within this mode, commands are available that map virtual servers to the site and
page 63
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Configuring GSLB Elements FFee
e
specifies access attributes to the device. See “[no] slb-dev device-name [ip-addr]” on
page 180.
The vip-server command adds the GSLB VIP server to the SLB device.
Example 1: This example creates the “oxygen” site and associates the real server at 10.10.1.1 with the
site.
The ip-server command references the name of a previously configured service-ip which, in addi-
tion to the IP address of the real server, defines server implementation parameters within the site.
Example 2: This example creates the “nitrogen” site and associates a virtual server at 10.10.1.5 with the
site. This command includes a command that references an SLB that serves as the virtual server. SLB
configuration is beyond the scope of this manual and covered in the ADC Configuration Guide.
The gslb service-ip command places the device in service-ip configuration mode. The command cre-
ates a service IP when it references one that is not yet configured. See “gslb service-ip” on page 174..
The service-ip label is referenced by sites to associate servers to the site.
• To assign an external IP address to the service, use the external-ip command. An external IP
address is needed if the service IP address is an internal IP address that cannot be reached from
outside the internal network.
• To configure a service port on the service, use the port command.
page 64
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Configuring GSLB Elements
Configure DNS records for the service. GSLB returns these records, when applicable, in response to
DNS requests. You can configure the following types of records:
page 65
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Configuring GSLB Elements FFee
e
A geo-location maps a range of client IP addresses to a description of the clients’ geographic location.
GSLB includes an IANA geo-location database, which is loaded by default.
Configuring Policies
A policy is a data structure that defines a set of DNS Options and metric settings that zones and ser-
vices use to evaluate each site. For the evaluation of sites, A10 uses a fixed list of site addresses. This
list is constructed based on the original list when a site becomes active. This fixed metric evaluation
function does not do ordering or re-ordering of the original list.
After a policy is configured, it is applied to a zone or a service level within a zone. Zones and services
use policies to manage client requests by selecting the best site and specifying DNS options for the
request.
For a description of GSLB Policies and specific implementation details, See “GSLB Metrics” on page 71.
page 66
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Configuring GSLB Elements
For a description of DNS options and specific implementation details, See “DNS Options” on page 91.
The gslb policy command places the device in policy configuration mode, which includes commands
that associate real servers and a service to the zone. The command creates a zone when it references
a zone that is not yet configured. See “gslb policy” on page 169.
Example: This command creates the kaibab policy and places the device in kaibab policy configuration
mode.
The zone (See “[no] policy policy-name” on page 188.) and zone-service (See “[no] service
port [service-name]” on page 189.) configuration modes include a policy command that applies a
specified policy to the zone or service.
Example: This command applies the kaibab policy on the example.com zone. The policy is referenced
by all services configured on the zone.
Example: This command applies the kaibab policy on the www.example.com service.
Default Policy
In the “default” GSLB policy, the following metrics are enabled by default:
• Health-Check
• Geographic
• Round-Robin
Although the Geographic metric is enabled by default, there are no default geo-location mappings. To
use the Geographic metric, you must load or manually configure geolocation mappings. (See “Loading
or Configuring Geo-Location Mappings”.
GSLB defines a default policy that is used by zones and policy for which a custom policy is not explicitly
assigned. The default policy has default settings and can be modified from policy configuration mode.
The default policy cannot be deleted.
page 67
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Configuring GSLB Elements FFee
e
Example: This command places the device in default policy configuration mode, where subsequent
commands modify the default policy.
page 68
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Configuring FQDN Service Groups
• Entire FQDN group (all zones in the group, and all their services)
The gslb service-group command places the device in service-group configuration mode. See “gslb
service-group” on page 173.
Example: These commands create an FQDN group called “example-group” and add an FQDN for GSLB
services to it.
page 69
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Configuring FQDN Service Groups FFee
e
page 70
Feedback ACOS 4.1.1-P11 Global Server Load Balancing Guide
GSLB Metrics
GSLB Metrics that are assigned through policies assigned to GSLB sites. This chapter presents these
topics
• “Metrics That Require the GSLB Protocol on Site ACOS Devices” on page 72
To enable a metric, enter the metric name at the configuration level for the policy. For example, to
enable the Admin-Preference metric, enter the following commands:
To disable a GSLB metric, use the “no” form of the metric at the configuration level for the policy. For
example, to disable the Health-Check metric, enter these commands:
Feedback page 71
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Managing GSLB Metrics FFee
e
GSLB does not need to be enabled on the site ACOS devices, but enabling it is recommended to collect
site information that GSLB requires to generate the following metrics:
• Session-capacity
• aRDT
• Connection-Load
• Num-Session
Enabling the GSLB protocol is required when using default health-check methods. However, when you
modify default health checks, the GSLB protocol does not need to be enabled. (See “Health-Check” on
page 74.)
Metric order does not apply to the Alias-Admin-Preference and Weighted-Alias metrics. When enabled,
Alias-Admin-Preference always has high priority.
The metric-order command configures the precedence order of metrics in a GSLB policy (See “metric-
order” on page 242.). The following is the default metric order:
1. Health-Check
2. Weighted-IP
3. Weighted-Site
4. Session-Capacity
5. Active-Servers
6. aRDT
7. Geographic
8. Connection-Load
9. Num-Session
10.Admin-Preference
page 72
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Managing GSLB Metrics
11.BW-Cost
12.Least-Response
13.Admin-IP
page 73
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Metric Descriptions FFee
e
Metric Descriptions
A GSLB policy consists of one or more metrics. These sections describe GSLB Metrics that are imple-
mented through policies that are applied to zones and services.
• “Health-Check” on page 74
• “Weighted-IP” on page 75
• “Weighted-Site” on page 75
• “Session Capacity” on page 76
• “Active Servers” on page 76
• “Active-Round Delay Time (aRDT)” on page 76
• “Geographic” on page 82
• “Connection Load” on page 83
• “Num Session” on page 83
• “Admin Preference” on page 83
• “BW Cost” on page 83
• “Least-Response” on page 87
• “Admin-IP” on page 87
• “Round-Robin” on page 87
• “Alias-Admin-Preference” on page 87
• “Weighted-Alias” on page 88
Health-Check
The Health-Check metric checks the availability (health) of the real servers and service ports. Sites
whose real servers and service ports respond to the health checks are preferred over sites in which
servers or service ports are unresponsive to the health checks.
ICMP (Layer 3 health check), TCP, UDP, HTTP, HTTPS, FTP, SMTP, POP3, SNMP, DNS, RADIUS, LDAP,
RTSP, SIP
You can use the default health methods or configure new methods for any of these services.
By default, the GSLB protocol generates its own packets when sending a health check to a service. If
the GSLB protocol cannot reach the service, then another health check is performed using standard
network traffic.
page 74
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Metric Descriptions
Health-Check Precedence
Health monitoring for a GSLB service can be performed at the following levels and in the following
order:
Using the GSLB Health Monitor option does not affect its precedence. The GSLB Health Monitor config-
uration includes health monitors in GSLB group synchronizations. For GSLB configuration synchroniza-
tion, see “Controller Groups and GSLB Synchronization” on page 17.
For the GSLB service, use health monitors for the application types of the services. For example, for an
HTTP service, use an HTTP health monitor. If the Health-Check metric is enabled in the GSLB policy, the
metric will use the results of service health checks to select sites.
To monitor the health of the real servers providing the services, configure health monitors on the site
SLB devices. Configure the health monitors for the proxied DNS server and the GSLB services on the
GSLB ACOS device. Configure the health monitors for real servers and their services on the site ACOS
devices.
Weighted-IP
Weighted-IP – Service IP addresses with higher administratively assigned weights are used more often
than service IP addresses with lower weights.
The Weighted-IP metric skews selection toward specific IP addresses. GSLB selects higher-weighted IP
addresses more often than lower-weighted IP addresses.
If DNS caching is used, the cycle starts over if the cache aging timer expires.
Weighted-Site
Weighted-Site – Sites with higher administratively assigned weights are used more often than sites
with lower weights. The Weighted-Site metric skews selection toward specific sites. GSLB selects
higher-weighted sites more often than lower-weighted sites.
page 75
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Metric Descriptions FFee
e
Example: if there are two sites (A and B), and A has weight 2 whereas B has weight 4, GSLB will select
site B twice as often as site A. Specifically, GSLB will select site B the first 4 times, and will then select
site A the next 2 times. This cycle then repeats: B is chosen 4 times, then A is chosen the next 2 times,
then B is chosen the next 4 times, and so on.
If DNS caching is used, the cycle starts over if the cache aging timer expires.
Session Capacity
Session Capacity – Sites with more available sessions based on respective maximum Session-Capac-
ity are preferred.
Active Servers
Active Servers – Sites with the most currently active servers are preferred.
aRDT measures the round-delay-time for a DNS query and reply between a site ACOS device and the
GSLB local DNS. You can configure aRDT to take a single sample or periodic samples.
The aRDT metric uses the following options, which are configurable on a global basis:
• Domain – Specifies the query domain. To measure the active round-delay-time (aRDT) for a cli-
ent, the site ACOS device sends queries for the domain name to a client’s local DNS. An aRDT
sample consists of the time between when the site ACOS device sends a query and when it
receives the response.
Only one aRDT domain can be configured. It is recommended to use a domain name that is likely
to be in the cache of each client’s local DNS. The default domain name is “google.com”.
The ACOS device averages multiple aRDT samples together to calculate the aRDT measurement
for a client. (See the description of Track below.)
• Interval – Specifies the number of seconds between queries. You can specify 1-16383 seconds.
The default is 1.
• Retry – Specifies the number of times GSLB will resend a query if there is no response. You can
specify 0-16. The default is 3.
• Sleep – Specifies the number of seconds GSLB stops tracking aRDT data for a client after a
query fails. You can specify 1-300 seconds. The default is 3.
page 76
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Metric Descriptions
• Timeout – Specifies the number of milliseconds GSLB will wait for a reply before resending a
query. You can specify 1-16383 milliseconds (ms). The default is 3000 ms.
• Track – Specifies the number of seconds during which the ACOS device collects samples for a
client. The samples collected during the track time are averaged together, and the averaged value
is used as the aRDT measurement for the client. You can specify 3-16383 seconds. The default is
60 seconds.
The averaged aRDT measurement is used until it ages out. The aging time for averaged aRDT
measurements is 10 minutes by default and is configurable on individual sites, using the aRDT
aging-time command.
To configure global aRDT options, use the gslb active-rdt command (See “gslb active-rdt” on
page 162.)
Default Settings
When you enable aRDT, a site ACOS device sends some DNS requests to the GSLB domain’s local DNS.
The GSLB ACOS device then averages the aRDT times of 5 samples.
The single-shot option is useful if you do not want to frequently update the aRDT measurements. For
example, if the GSLB domain's clients tend to remain logged on for long periods of time, using the sin-
gle-shot option ensures that clients are not frequently sent to differing sites based on aRDT measure-
ments.
• timeout – Specifies the number of seconds each site ACOS device should wait for the DNS reply.
If the reply does not arrive within the specified timeout, the site becomes ineligible for selection,
in cases where selection is based on the aRDT metric. You can specify 1-255 seconds. The
default is 3 seconds.
• skip – Specifies the number of site ACOS devices that can exceed their single-shot timeouts,
without the aRDT metric itself being skipped by the GSLB ACOS device during site selection. You
can skip from 1-31 sites. The default is 3.
Multiple Samples
To periodically retake aRDT samples, do not use the single-shot option. In this case, the ACOS device
uses the averaged aRDT value based on the number of samples measured for the intervals.
page 77
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Metric Descriptions FFee
e
For example, if you set aRDT to use 3 samples with an interval of 5 seconds, the aRDT is the average
over the last 3 samples, collected in 5-second intervals. If you configure single-shot instead, a single
sample is taken.
Store-By
By default, the GSLB ACOS device stores one aRDT measurement per site SLB device. Optionally, you
can configure the GSLB ACOS device to store one measurement per geo-location instead. This option
is configurable on individual GSLB sites. (See “Changing aRDT Settings for a Site” on page 79.)
Tolerance
Default measurement tolerance is 10 percent. If the aRDT measurements for more than one site are
within 10 percent, GSLB ACOS device considers the sites to be equal in terms of aRDT. You can adjust
the tolerance to any value from 0-100 percent.
Enabling aRDT
Enter the active-rdt command (See “active-rdt” on page 197.) at the configuration level for the GSLB
policy:
If you omit all the options, the site ACOS device send DNS requests to the GSLB domain’s local DNS.
The GSLB ACOS device averages the aRDT times of the samples. The aRDT measurements are regu-
larly updated. You can use the samples option to change the number of samples to 1-8.
To enable single-shot aRDT instead, use the single-shot option. You also can use the skip and time-
out options.
These commands access the configuration level for GSLB policy “gslbp2” and enable the aRDT metric,
using default settings:
These commands access the configuration level for GSLB policy “gslbp3” and enable the aRDT metric,
using single-shot.
page 78
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Metric Descriptions
ACOS(config-policy:gslbp3)#
In this example, each site ACOS device will send a single DNS query to the GSLB domain’s local DNS,
and wait 3 seconds (the default) for a reply. The site ACOS devices will then send their aRDT measure-
ments to the GSLB ACOS device. However, if more than 3 site ACOS devices fail to send their aRDT
measurements to the GSLB ACOS device, the ACOS device will not use the aRDT metric.
• aging-time – Specifies the maximum amount of time a stored aRDT result can be used. You can
specify 1-60 minutes. The default is 10 minutes.
• bind-geoloc – Stores the aRDT measurements on a per geo-location basis. Without this option,
the measurements are stored on a per site-SLB device basis.
• ignore-count – Specifies the ignore count if aRDT is out of range. You can specify 1-15. The
default is 5.
• ipv6-mask – Specifies the client IPv6 mask length, 1-128. The default is 128.
• limit – Specifies the limit. You can specify 1-16383. The default is 16383 milliseconds.
• mask – Based on the subnet mask or mask length, the entry can be a host address or a subnet
address. The default is 32.
• range-factor – Specifies the maximum percentage a new aRDT measurement can differ from the
previous measurement. If the new measurement differs from the previous measurement by
more than the allowed percentage, the new measurement is discarded and the previous mea-
surement is used again.
For example, if the range-factor is set to 25 (the default), a new measurement that has a value
from 75% to 125% of the previous value can be used. A measurement that is less than 75% or
more than 125% of the previous measurement can not be used.
You can specify 1-1000. The default is 25.
• smooth-factor – Blends the new measurement with the previous one, to smoothen the measure-
ments.
For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used,
along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of
the new measurement is used, along with 50% of the previous measurement.
You can specify 1-100. The default is 10.
Use the active-rdt command sat the configuration level for the site:
page 79
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Metric Descriptions FFee
e
Use an IP list to exclude a set of IP addresses from aRDT polling. You can configure an IP list in either
of the following ways:
• Use a text editor on a PC or use the ACOS GUI to configure a black/white list, then load the entries
from the black/white list into an IP list.
• Use this command to configure individual IP list entries.
To configure an IP list using the CLI, use the gslb ip-list command at the global configuration level of
the CLI:
The command changes the CLI to the configuration level for the list, where the ip command is avail-
able. This command creates an IP entry in the list. Based on the subnet mask or mask length, the entry
can be a host address or a subnet address.
This load command loads the entries from a black/white list into the IP list.
To use the IP list to specify the IP addresses to exclude from aRDT data collection, use the active-rdt
ignore-id command at the configuration level for the GSLB policy:
Network topologies often include site devices that either require NAT to access local DNS servers or
are isolated from the servers by firewalls. GSLB controllers cannot obtain valid site-based metrics from
site devices in these topologies.
The GSLB controllers must be members of a GSLB Controller group, which is a data structure that syn-
chronizes communications and designates a Master Controller among the members. The A10 GLOBAL
SERVER LOAD BALANCING GUIDE describes the function and implementation of GSLB Controller
groups.
GSLB Controller based metrics are not supported in IPv6 or L3V partition configurations.
Each location includes a GSLB controller that can access the client LDNS and its local site devices.
Each GSLB Controller only queries its local site device and the originating LDNS server to derive the
RDT metrics. The controllers send the metrics to the GSLB Master Controller. By default, the metric is
based on the response time between the controller and the LDNS server. An option is available that
adds the response time between the controller and site device to the controller-LDNS response time.
page 80
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Metric Descriptions
These commands implement GSLB Controller-Based metrics. See “Configuring GSLB Controller-Based
Metrics” on page 156. for the GUI implementation.
These commands bind controllers to the GSLB sites (ACOS-1 to ELY and ACOS-2 to RENO).
These commands implement controller-based metrics on the GLSB policy named RHOMBUS
page 81
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Metric Descriptions FFee
e
These commands enable the GSLB controller and configures the GSLB group.
Geographic
Geographic – Services located within the client’s geographic region are preferred.
Geo-Location
You can configure GSLB to prefer site VIPs for DNS replies that are geographically closer to the clients.
For example, if a domain is served by sites in both the USA and Asia, you can configure GSLB to favor
the USA site for USA clients while preferring the Asian site for Asian clients.
To configure geo-location:
• Load geo-location data. You can load geo-location data from a file or manually configure individ-
ual geo-location mappings.
Loading geo-location data from a file is simpler than manually configuring geo-location mappings,
especially if you have more than a few GSLB sites.
The ACOS software includes an Internet Assigned Numbers Authority (IANA) database. The IANA data-
base contains the geographic locations of the IP address ranges and subnets assigned by the IANA.
The IANA database is loaded on the ACOS device, and it is enabled by default.
CNAME Support
As an extension to geo-location support, you can configure GSLB to send a Canonical Name (CNAME)
record instead of an Address record in DNS replies to clients. A CNAME record maps a domain name to
an alias for that domain. For example, you can associate the following aliases with the domain “exam-
ple.com”:
page 82
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Metric Descriptions
• www.example.co.cn
• mail.example.com
• ftp.example.com
Each of the aliases in the list above can be associated with a different geo-location:
If a client’s IP address is within the geo-location that is associated with www.1.example.com, then GSLB
places a CNAME record for www.1.example.com in the DNS reply to that client.
Connection Load
Connection-Load – Sites that are not exceeding their thresholds for new connections are preferred.
Num Session
Num-Session – Sites that are not exceeding available Session-Capacity threshold compared to other
sites are treated as having the same preference.
Admin Preference
Admin-Preference – The site with the highest administratively set preference is selected.
BW Cost
The BW-Cost metric selects sites based on bandwidth utilization on the site ACOS links.
page 83
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Metric Descriptions FFee
e
To compare sites based on bandwidth utilization, the GSLB ACOS device sends SNMP GET requests
for a specified MIB interface object, such as ifInOctets, to each site.
• If the SNMP object value is less than or equal to the site’s configured bandwidth limit, the site is
eligible for selection.
• If the SNMP object value is greater than the bandwidth limit configured for the site, then the site
is ineligible.
The GSLB ACOS device sends the SNMP requests at regular intervals. Once a site is ineligible, the site
can become eligible again at the next interval if the utilization is below the configured limit minus the
threshold percentage.
To use the BW-Cost metric, an SNMP template must be configured and bound to each site. The GSLB
SNMP template specifies the SNMP version and other information necessary to access the SNMP
agent on the site ACOS device, and the Object Identifier (OID) of the MIB object to request.
• Bandwidth limit – The bandwidth limit specifies the maximum value of the requested MIB object
for the site to be eligible for selection.
• Bandwidth threshold – For a site to regain eligibility when BW-Cost is being compared, the SNMP
object’s value must be below the threshold-percentage of the limit value.
For example, if the limit value is 80,000 and the threshold is 90 (percent), then the limit value must
be 72,000 or less, for the site to become eligible again based on bandwidth cost. Once a site again
becomes eligible, the SNMP object’s value is again allowed to increase up to the bandwidth limit
value (80,000 in this example).
Enable the BW-Cost metric in the GSLB policy. By default, the BW-Cost metric is disabled.
page 84
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Metric Descriptions
The gslb template snmp command configures a GSLB SNMP template. This command adds the tem-
plate and changes the CLI to the configuration level for the template, where the following template-
related commands are available:
The version command specifies the SNMP version running on the site ACOS device.
The host command specifies the IP address of the site ACOS device.
The oid command specifies the interface MIB object to query on the site ACOS device. If the object is
part of a table, append the table index to the end of the OID. Otherwise, the ACOS device will return an
error.
The community command (SNMPv1 / SNMPv2c) specifies the community string required for authenti-
cation.
The username command (SNMPv3) specifies the SNMPv3 username required for access to the SNMP
agent on the site ACOS device.
• no-auth – Authentication is not used and encryption (privacy) is not used. This is the default.
The auth-proto and auth-key commands are applicable in auth-no-priv or auth-priv. security
levels. Auth-proto specifies the authentication protocol. Auth-key command specifies the authen-
tication key.
The priv-proto and priv-key commands are applicable for auth-priv. security level. The priv-
proto command specifies the privacy protocol used for encryption. The priv-key command speci-
fies the encryption key.
The context-engine-id command specifies the SNMPv3 protocol engine ID running on the site ACOS
device. The context-name command specifies an SNMPv3 collection of management information
objects accessible by an SNMP entity. The security-engine-id command specifies the ID of the
SNMPv3 security engine running on the site ACOS device.
The interval command specifies the amount of time between each SNMP GET to the site ACOS
devices.
The port command specifies the port where site ACOS devices listen for SNMP requests from the
GSLB ACOS device.
page 85
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Metric Descriptions FFee
e
To apply a GSLB SNMP template to a GSLB site, use the template command at the configuration level
for the site:
To configure the bandwidth limit and threshold on a site, use the bw-cost limit command at the site’s
configuration level
To enable the bandwidth cost metric in a GSLB policy, use the bw-cost command at the configuration
level for the policy:
Use the show gslb site command to display BW-Cost data for a site.
The following commands apply the SNMP template to a site and set the bandwidth limit and threshold:
The following commands enable the BW-Cost metric in the GSLB policy:
page 86
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Metric Descriptions
The following commands configure a GSLB SNMP template for SNMPv3. In this example, authentica-
tion and encryption are both used.
Least-Response
Least-Response – Service IP addresses with the fewest hits are preferred.
Admin-IP
Admin-IP – Sites are preferred based on administratively assigned weight.
Round-Robin
Round-Robin – Sites are selected in sequential order.
The ACOS device uses Round-Robin as a tie-breaker to select a site. This is true even if the Round-
Robin metric is disabled in the GSLB policy.
Alias-Admin-Preference
The Alias-Admin-Preference metric selects the DNS CNAME record with the highest administratively
set preference. This metric is similar to the Admin-Preference metric, but applies only to DNS CNAME
records.
The Alias Admin Preference metric, which selects the DNS CNAME record with the highest administra-
tively set preference, can be used in DNS Proxy or DNS Server mode. Similarly, the Weighted Alias met-
ric, which expresses a preference for higher-weighted CNAME records, can be used in DNS Proxy or
DNS Server mode.
page 87
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Metric Descriptions FFee
e
• DNS proxy – Enable the geoloc-alias option. After GSLB retrieves the DNS response from the
DNS answer, GSLB selects a DNS A record using IP metrics, and then tries to insert the DNS
CNAME record into the answer based on geo-location settings. While inserting the CNAME
record, if the Alias metrics are enabled, GSLB may remove some CNAME records and related ser-
vice IPs.
• DNS server – If applicable, enable the backup-alias option. If there is no DNS A record to return,
GSLB tries to insert all backup DNS CNAME records. During insertion, if Alias metrics are enabled,
GSLB may remove some CNAME records. No DNS A records are returned.
This option also requires the dns-cname-record as-backup option on the service.
1. At the configuration level for the GSLB service, assign an administrative preference to the DNS
CNAME record for the service.
2. At the configuration level for the GSLB policy:
• Enable the Alias Admin Preference metric.
• Enable one or both of the following DNS options, as applicable to your deployment:
• DNS backup-alias
• DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup option on the service.
2. To enable the Alias Admin Preference metric, use the alias-admin-preference command (See
“alias-admin-preference” on page 202.) at the policy configuration level
Weighted-Alias
The Weighted-Alias metric evaluates CNAME records. CNAME records with higher weight values have
preference over CNAME records with lower weight values. This metric is similar to Weighted-IP, but
applies only to DNS CNAME records.
page 88
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Metric Descriptions
1. At the configuration level for the GSLB service, assign a weight to the DNS CNAME record for the
service.
2. At the configuration level for the GSLB policy:
• Enable the Weighted Alias metric.
• Enable one or both of the following DNS options, as applicable to your deployment:
• DNS backup-alias
• DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup option on the service.
page 89
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Metric Descriptions FFee
e
page 90
Feedback ACOS 4.1.1-P11 Global Server Load Balancing Guide
DNS Options
This chapter describes available DNS options. These section describe DNS options and their imple-
mentation.
GSLB does not have a separately configurable “proxy” option. The proxy option is automatically
enabled when you configure the DNS proxy as part of GSLB configuration.
The site address selected by the first option that is applicable to the client and requested service is
used.
Feedback page 91
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Support for DNS TXT Records FFee
e
To append all Name Server (NS) Resource Records (RR) in the Authority Section of a DNS reply from a
GSLB ACOS device in server mode, use the fdns server authoritative ns-list command at the gslb
policy configuration level.
GSLB supports the ability to use DNS TXT resource records for the following purposes:
• Carry multiple pieces of DNS TXT data within one TXT record
Then use the dns-txt-record command at the service config level within a GSLB zone:
The ACOS device has a special handler that enables you to enter non-printable characters that the CLI
does not support.
To display the DNS TXT switch, use the show gslb policy command:
page 92
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Support for DNS CNAME Records
The feature is defined on a GSLB policy basis. When the policy is assigned to a GSLB zone, the feature
is implemented for DNS server CNAME records that are managed within the zone
1. This code associates a pre-configured Health Monitors (HMONITOR-1) to DNS servers accessed
from the GSLB zone. This code does not include the configuration of the HMONITOR-1 Health
Monitor.
ACOS(config)# slb server s1 www1.example.com
ACOS(config-real server)# health-check HMONITOR-1
ACOS(config-real server)# exit
ACOS(config)# slb server s2 www2.example.com
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# health-check HMONITOR-1
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
2. This code configures the policy for replying to CNAME records. The other policy commands filter
CNAME records that are DOWN and enable the return of a single CNAME record.
3. This code implements the CNAME reply policy to the zone that accesses the DNS servers.
page 93
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
DNS Option Descriptions FFee
e
The cname-detect and external-ip options are enabled by default. All the other DNS options are dis-
abled by default.
page 94
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
DNS Option Descriptions
DNS Action
The DNS action option enables GSLB to perform DNS actions specified in the service configurations.
The dns action command enables the active-only fail-safe option and returns a list of server IP
addresses for failed servers (See “dns action” on page 207.).
DNS Active-only
By default, if all of the servers failed to pass the health check, then the GSLB controller would return an
empty list to the client, rather than sending the list of IP addresses for the servers that had failed the
health check.
You can configure the ACOS device to send the list of IP addresses (associated with servers that failed
their health checks) back to the client. The feature can be enabled using the new dns active-only metric
option.
In association with this feature, you can also designate one or more backup servers, and the IP
addresses for these servers will be sent to the client in the event that all of the primary servers have
failed. This behavior requires that you enable the dns backup-server feature within the GSLB policy, and
that you specify the backup servers within the DNS A-record for the GSLB zone service.
• active-only fail-safe – A list of IP addresses for the servers that failed the health check are sent
back to the client.
• backup-server – Designate one or more backup servers that can be returned to the client if the
primaries should fail.
These commands enable the DNS active-only fail-safe option within a GSLB policy, so a list of IP
addresses are sent to the client for the servers that fail the health check.
page 95
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
DNS Option Descriptions FFee
e
DNS Addition-MX
The DNS Addition-MX option appends MX records in the Additional section in replies for A records,
when the device is configured for DNS proxy or cache mode. (See “dns addition-mx” on page 209.).
DNS Auto-Mapping
An ACOS device acting as a GSLB controller can retrieve the data needed to build the DNS system by
automatically returning DNS records by name. This GSLB Auto-Mapping feature reduces the required
amount of DNS management work when deploying GSLB.
• Names exceeding 20 characters must be changed to DNS domain, with labels separated by the '.'
character.
With, GSLB Auto-mapping, the ACOS device automatically creates the service by taking the name of a
system resource, or "module", and appending it to the front of a zone to create the service name (DNS
name).
Once the servers and other network devices have been configured with basic information, auto-
mapping enables the GSLB protocol to support DNS queries for the following modules (or system
resources):
• SLB server
• SLB device
• GSLB site
• GSLB service-IP
• GSLB Group
• Hostname
page 96
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
DNS Option Descriptions
By default, system auto-mapping is disabled until you configure the modules. However, after system
auto-mapping has been configured, the query name is the object’s name.
The gslb system auto-map module command (global configuration level) configures auto-mapping.
The dns auto-map command (See “dns auto-map” on page 209. ) configures auto-mapping for a zone
level. This command enables creation of A and AAAA records for IP resources configured on the ACOS
device. This option is useful for auto-mapping VIP addresses to service-IP addresses.
Example: ,For a real server of us-svr1, and wildcard zone of example.com, the query name should be us-
svr1.example.com
Next, the commands below configure a GSLB policy “auto-map”, for the zone “example.com”. A wild-
card service IP is used. If a client sends a query for a host within the “example.com” zone (for example,
an ACOS with the name "sj-acos"), then the full service name is “sj-acos.example.com”., and the GSLB
protocol will respond to the client’s query by providing the management IP address and the IP address
for the inbound data interface.
page 97
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
DNS Option Descriptions FFee
e
The dns backup-alias command (See “dns backup-alias” on page 210. ) configures the DNS backup-
alias option.
1. Use the dns backup-server command (See “dns backup-server” on page 212. )to enable the
backup server mode within the GSLB policy:
2. Specify the backup servers in the dns-a-record within the GSLB zone service with the dns-a-record
(See “gslb zone” on page 187. ) command.
DNS Cache
The DNS Cache option enables the GSLB ACOS device to cache DNS replies. The ACOS device uses
information in the cached DNS entries to reply to subsequent client requests, as opposed to sending a
new DNS request for every client query.
When this option is enabled, the ACOS device caches a DNS reply for the duration of the TTL in the
reply when the aging time parameter is set to zero. To override the entry TTL, set the cache aging time
to a value greater than zero.
The dns cache command (See “dns cache” on page 213. ) configures the DNS cache option.
page 98
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
DNS Option Descriptions
The dns cache command (See “dns cname-detect” on page 214. ) configures the DNS cname-detect
option.
By delegating responsibility for a sub-zone (or “sub-domain”), you are effectively dividing up the name
space. This division allows for partitioning the responsibility for the DNS name space management.
For example, assume a San Jose-based company is expanding rapidly and decides to open an office in
New York for its finance division. With the additional traffic generated by client DNS resolvers on the
East Coast, the parent domain, (“example.com”) may no longer suffice. In this case, it might be helpful
to add a separate sub-zone (“finance.example.com”) for the New York office. Such a scenario is shown
in Figure 6 on page 100.
page 99
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
DNS Option Descriptions FFee
e
Figure 6 shows the root zone at the top of the DNS hierarchy. The figure also illustrates the following
important points:
• The next level down are the Top Level Domains (TLDs), or the DNS servers responsible for man-
aging the resource records for the “.com”, “.org” and other domains.
• The parent zone is located beneath the TLDs. It is at this level within the DNS structure that the
organization’s main domain (“example.com”) is located.
• A separate sub-zone (“finance.example.com”), representing the New York office, has been dele-
gated from the parent zone.
As this hypothetical sub-zone is branched off of the parent domain, it might be helpful to delegate
responsibility for managing this new sub-zone to an IT administrator who is also located in New York.
Keep in mind that during the process of delegating authority for any sub-zone, an NS record must be
added to the zone file within the authoritative name server for the parent zone. This must be done so
that other DNS servers and clients will recognize the new server as being authoritative for the particular
delegated sub-zone.
Details:
• Sub-zone delegation is enabled within a GSLB policy and applied at the zone level.
• When delegating a sub-zone, the GSLB ACOS device must be in server mode. The feature will not
work with the GSLB ACOS device in proxy mode.
• Once a sub-zone has been delegated from the parent zone, client resolvers will send a query for
the NS record, and the response from the GSLB ACOS device will have the NS record in the
Authority section and the IP address in the Additional section of the full DNS response.
page 100
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
DNS Option Descriptions
The ACOS device supports configuration of glue records. A glue record can be configured to prevent
circular dependencies, which can occur if the name server is located in a sub-zone of the parent
domain. Such a scenario can make it impossible for the client resolver to locate the IP for the name
server, because it is located within a sub-zone of the parent domain. Configuring a glue record elimi-
nates this problem by providing an address record that appears in the Additional section of the full DNS
response, and this enables the client to find the name server.
The dns delegation command (See “dns delegation” on page 215. ) enables DNS subzone delegation.
The following command creates the sub-zone to be delegated. Note that this also requires the configu-
ration of a wildcard service.
Alternatively, use these commands (instead of the previous gslb zone command block) to have the fea-
ture support DNSSEC by removing the “sub.” from the zone config. See the DDoS Mitigation Guide (for
ADC) for information about DNS Security Extensions (DNSSEC).
This command applies the delegation policy (delegate-1) at the zone level for the service group level:
page 101
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
DNS Option Descriptions FFee
e
ACOS(config-service-ip:ns-ip-1)# health-check-protocol-disable
ACOS(config-service-ip:ns-ip-1)# health-check-disable
ACOS(config-service-ip:ns-ip-1)# port 53 udp
ACOS(config-service-ip:ns-ip-1-port:udp)# health-check-protocol-disable
ACOS(config-service-ip:ns-ip-1-port:udp)# health-check-disable
ACOS(config-service-ip:ns-ip-1-port:udp)# exit
ACOS(config-service-ip:ns-ip-1)# exit
The following command configures the GSLB service IP “dc1-vip” at IP 10.10.10.10 and disables the
health check at the service IP level and at port 80 for TCP.
The following command configures the GSLB service IP “ns-ip-1” at IP 172.16.10.203 and disables the
health check at the service IP level and at port 80 for TCP.
The following commands configure a GSLB site called “dc1”. The site has an ACOS device, “dc1-acos”
at IP 10.10.10.50.
The following commands configure a GSLB site called “dc2”. The site has an ACOS device, “dc2-acos”
at IP 172.16.10.50.
page 102
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
DNS Option Descriptions
The following commands configure a GSLB site called “dc5”. The site has an ACOS device, “dc5-ax” at
IP 172.16.11.50.
The following commands configure three GSLB policies: (1) the default GSLB policy, (2) GSLB policy “5”
(for delegation), and (3) GSLB policy “dns-server”. The ACOS delegates authority for the sub-domain
“sub.sub.example.com.jp” to nameserver "ns01.sub.sub.example.com.jp".
The following commands create the GSLB zone “sub.sub.example.com.jp” and creates a wildcard ser-
vice within the zone. The GSLB policy “5”, created above, is assigned to the wildcard service, and an NS
record is created for the name server, “ns01.sub.sub.example.com.jp”.
The following commands are used within the same GSLB zone “sub.sub.example.com.jp” to creates a
service for port 53 called “ns01”. The GSLB policy “dns-server”, created above, is assigned to the ser-
vice, and an A record is created for “ns-ip-1” to return the associated Service-IP if the DNS is in server
mode.
page 103
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
DNS Option Descriptions FFee
e
The following commands creates the GSLB zone “sub.example.com.jp” and enables the http service.
Then, the policy “dns-server” is bound and A records are create for “dc1-vip” and “dc2-vip”.
The following command enables the GSLB and makes this ACOS device the GSLB controller.
DNS External-IP
The DNS external-ip option configures the device to return the external IP address configured for a ser-
vice IP. If this option is disabled, the internal address is returned instead.
The dns external-ip command (See “dns external-ip” on page 216.) configures the DNS external-ip
option.
DNS External-SOA
The DNS external-soa option replaces the internal SOA record with an external SOA record to prevent
external clients from gaining information that should only be available to internal clients. If this option
is disabled, the internal address is returned.
The dns external-soa command (See “dns external-soa” on page 217.) configures the DNS external-
soa option.
DNS Geoloc-Action
The DNS geoloc-action option performs the DNS traffic handling action specified for the client’s geo-
location. The action is specified as part of service configuration in a zone.
The dns geoloc-action command (See “dns geoloc-action” on page 218.) configures the DNS geoloc-
action option.
page 104
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
DNS Option Descriptions
DNS Geoloc-Alias
The DNS geoloc-alias option replaces the IP address with its alias configured on the GSLB ACOS
device.
The dns geoloc-alias command (See “dns geoloc-alias” on page 219.) configures the DNS geoloc-
alias option.
DNS Geoloc-Policy
The DNS geoloc-policy option returns the alias name configured for the client’s geo-location.
The dns geoloc-policy command (See “dns geoloc-policy” on page 220.) configures the DNS geoloc-
policy option.
You can disable the appearance of hints in a DNS response. In addition, you also can determine where
in the DNS response the hints will appear.
• NS
• MX
• SRV
page 105
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
DNS Option Descriptions FFee
e
These commands configure the ACOS device to include the Hint Record in the Answer Section of the
DNS response. One possible use is when the local DNS server has trouble parsing the Additional Sec-
tion that appears in a full DNS reply.
DNS IP-Replace
The DNS ip-replace option replaces the IP addresses with the set of addresses administratively
assigned to the service in the zone configuration.
The dns ip-replace command (See “dns ip-replace” on page 222.) configures the DNS external-soa
option.
DNS IPv6
DNS ipv6 options enables support for IPv6 AAAA records.
• The dns ipv6 mapping command (See “dns ipv6 mapping” on page 223.) specifies the ACOS
device response to IPv6 DNS query.
• The dns ipv6 max command (See “dns ipv6 mix” on page 224.) configures the ACOS device to
return AAAA and A records in the same response.
• The dns ipv6 smart command (See “dns ipv6 smart” on page 225.) enables IPv6 return by query
type.
DNS Logging
The following output options for GSLB logging are supported:
Logging only to remote log servers is useful for deployments that experience high volumes of GSLB
DNS traffic. Sending the logs for this activity to a group of remote servers prevents these messages
from flooding the ACOS device’s log.
• Logging only to remote log servers applies specifically to GSLB DNS logging, configurable glob-
ally and in individual GSLB policies.
• Logging templates are included in HA or VRRP-A configuration synchronization. They are not
included in GSLB synchronization among GSLB groups.
page 106
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
DNS Option Descriptions
1. Configure a logging group and logging template, if not already configured. Logging groups also are
supported in previous releases. Beginning in ACOS 2.7.2-P2, you also can use logging groups for
GSLB. You can configure the logging group to receive log traffic over TCP or UDP, depending on
which Layer 4 protocol the servers use to receive log traffic.
2. In the GSLB policy, enable DNS logging and specify the SLB logging group to use. By specifying a
logging group, you enable remote logging and disable local logging, for GSLB DNS events.
The policy in this example is set to run GSLB in DNS server mode. Logging of GSLB DNS events to
remote logging servers also is supported for proxy mode. The syntax for the logging portion of the con-
figuration is the same.
These commands configure the logging group, which consist of the logging server, service group, and
logging template.
These commands configure the DNS VIP that will intercept UDP DNS requests from clients:
page 107
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
DNS Option Descriptions FFee
e
These commands configure the service-IP and the site. This is the site that GSLB helps clients reach.
The site SLB device that is load-balancing the server (192.1.1.190) is a Thunder device (192.1.1.100).
The site SLB device’s configuration is not shown.
The following commands configure the GSLB policy. The dns logging both template log command
enables logging of DNS events to remote logging servers and disables logging of the events to the local
buffer.
These commands configure the zone, “example.com” and service, “www”. For this service, a static DNS
Address (A) record is configured. Based on this configuration, GSLB responds to client queries for
www.example.com with the IP address of service-IP “gs3”.
page 108
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
DNS Option Descriptions
Query Log
The first message logs the DNS query message intercepted by ACOS and forwarded to the GSLB DNS
server. The message provides the following details:
• May 30 17:22:16 10.1.1.180 – Timestamp indicating the system time on the ACOS device when
GSLB generated the message.
• QUERY – Type of DNS message.
• Fwd 10.1.1.190 – VIP address of the GSLB DNS server to which ACOS forwarded the request.
• If GSLB is running in DNS server mode, this is the GSBL DNS VIP configured on the same
device.
• If GSLB is running in DNS proxy mode, this is the IP address of the external DNS server bound to
by the DNS VIP.
• 10.1.1.68 – Client IP address (local DNS).
• www.example.com – The host for which the client is requesting the IP address.
• A – The type of query. In this example, this is a query for an IPv6 address (A).
Response Log
The second message logs the response to the client’s DNS query.
• 10.1.1.190 – VIP address of the GSLB DNS server from which the response is sent.
• www.example.com – The host for which the client is requesting the IP address.
• A – Type of record in the response. In this case, the response includes an IPv4 address record.
• A – Record type
page 109
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
DNS Option Descriptions FFee
e
• 1 – Class type
• 10 – TTL
• 4 – Data length
• 192.1.1.190 – DNS VIP address of the GSLB DNS server (or proxy, if proxy mode is used)
DNS Proxy
GSLB does not have a separately configurable “proxy” option. The proxy option is automatically
enabled when you configure the DNS proxy as part of GSLB configuration.
The DNS Proxy Block feature can be used to block DNS queries based on DNS query type, DNS query
number, or by specifying a range of numbers.
The feature can be used to block the following well-known DNS types:
• A (type 1)
• CNAME (type 5)
• MX (type 15)
• NS (type 2)
• SOA (type 6)
After specifying the type of DNS query to be blocked, select an action to perform on the selected DNS
query type, for example, drop or reject.
When selecting an action to perform on a query type, keep in mind the following caveats:
• Selecting a DNS query type without specifying the action will cause the default action to be
applied to the selected query type. The default action is “drop”.
page 110
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
DNS Option Descriptions
• Selecting an action without specifying the query type will cause the feature to essentially remain
disabled. If no query type has been identified, then no action is applied, even if an action has been
specified.
Implementing this feature may reduce the amount of traffic sent to back-end DNS servers. This can
increase efficiency by reducing the burden on those servers. This feature may also be desirable in situ-
ations where resource records reside on a DNS server that is accessible to both internal and external
clients. In such situations where the same DNS server is being accessed by both internal and external
clients, the DNS Proxy Block feature helps prevent sensitive resource records on an internal DNS server
from being leaked to external clients.
• The GSLB ACOS device must be operating in proxy mode to support the DNS Proxy Block feature.
• The feature is configured within the GSLB policy and is applied at the zone and service levels.
• Multiple query types can be specified, but only one action can be applied to those query types.
Therefore, the first bullet below would be an acceptable configuration, but the second bullet
would not:
• Reject both SRV and CNAME query types (OK)
• Reject SRV but drop CNAME query types (Not OK)
The following example shows the commands used to create a GSLB policy, enable the DNS Proxy
Block feature for A records, and then applies the policy to the zone called “example.com” for the service
http.
page 111
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
DNS Option Descriptions FFee
e
DNS Selected-only
The DNS selected-only option configures the device to return only the selected IP addresses.
The dns selected-only command (See “dns selected-only” on page 230. ) enables return of only
selected IP addresses. The command specifies a limit of records that can be returned after a record is
selected. When the number of records exceed the configured value, GSLB ignores this configuration.
DNS Server
The DNS Server options enables the GSLB ACOS device to act as a DNS server for specific service IPs
in the GSLB zone. When this setting is enabled, the ACOS device responds directly to address queries
for specific service IP addresses in the GSLB zone. The ACOS device still forwards other types of que-
ries to the DNS server.
In DNS Server mode, the dns cname-detect command is not required. When a client requests a config-
ured alias name, GSLB applies the policy to the CNAME records. The dns server command is not valid
with the dns ip-replace command. They are mutually exclusive.
DNS Server mode requires the enalbing of the static option on the individual service IP. (To configure
the service IP addresses, use the service-ip command at the configuration level for the service.
The dns server command (See “dns server” on page 231. ) configures the DNS external-ip option.
DNS Sticky
The DNS Sticky options sends the same service IP address to a client for all requests from that client
for the service address.
The dns sticky command (See “dns sticky” on page 233. ) programs the device to send the same ser-
vice IP address to a client for all requests from that client for the service address. Sticky DNS ensures
that, during the aging-time, a client is always directed to the same site.
To ensure that the clients’ local DNS servers do not cache the DNS replies for too long, you can config-
ure the GSLB ACOS device to override the TTL values of the Address records in the DNS replies before
sending the replies to clients.
page 112
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
DNS Option Descriptions
The TTL of the DNS reply can be overridden in two different places in the GSLB configuration:
1. If a GSLB policy is assigned to the individual service, the TTL set in that policy is used.
2. If no policy is assigned to the individual service, but the TTL is set in the zone, then the zone’s TTL
setting is used.
In DNS server mode, the DNS response from the ACOS device includes an IP TTL (maximum number of
Layer 3 hops), with a default value equal to 255. This IP TTL can be configured using the following CLI
command: gslb system ip-ttl.
The dns ttl command (See “dns ttl” on page 235. ) programs the ACOS device to change the TTL of
each DNS record contained in DNS replies received from the DNS for which the ACOS device is a proxy.
page 113
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
DNS Option Descriptions FFee
e
page 114
Feedback ACOS 4.1.1-P11 Global Server Load Balancing Guide
You can configure geo-location mappings manually or by loading the mappings from a file. Configuring
the geo-location mappings manually might not be practical, unless you have only a few sites.
The geo-location configuration options are described in detail below. To skip the descriptions and go
directly to configuration instructions, see one of the following sections. Each section provides the pro-
cedure for one of the approaches to configuring geo-location mappings.
• Internet Assigned Numbers Authority (IANA) database – The IANA database contains geo-
graphic locations of IP address ranges and subnets assigned by the IANA. This database is
loaded by default.
• Custom database in CSV format – You can load a custom geo-location database from a file in
comma-separated-values (CSV) format. However, before loading the file, you must first configure
a CSV template on the ACOS device because the data in the file is formatted by the template.
Geo-Location Mappings
A geo-location mapping consists of a geo-location name and an IP address or IP range.
• If you manually map a geo-location to an GSLB site, GSLB uses the mapping.
• If no geo-location is configured for a GSLB site, GSLB automatically maps the service-ip to a geo-
location in the loaded geo-location database.
• If a service-ip cannot be mapped to a geo-location, GSLB maps the site ACOS device to a geo-
location.
If more than one geo-location matches a client’s IP address, the most specific match is used. For
example, if a client is in the same city as a site ACOS, that site will be preferred. If the client and site are
in the same state but in different cities, the site in that state will be preferred.
Only one database can be active. If you load more than one database, the most-recently loaded one
becomes the active one, and the older database is no longer used. Data from the older database is not
merged into the new database. Using the “load” command to load a new database will synchronize the
start-up configuration among all GSLB group members.
There is full parity in the synchronization, so the process works in reverse also. Unloading a geo-loca-
tion database from a configuration, or deleting a geo-location database, will remove that database from
all GSLB group members.
The example above shows how the CSV file appears when displayed in a text editor. If the same data
were displayed in a spreadsheet application, it would appear like Figure 7 below.
The database file can contain more types of information (fields, or columns) than are required for the
GSLB database. When you load the CSV file into the geo-location database, the CSV template on the
ACOS device filters the file to extract the required data, while ignoring the rest of the data. In the exam-
page 116
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Loading or Configuring Geo-Location Mappings
ple below, only the fields shown in bold type will be extracted and placed into the geo-location data-
base:
The IP addresses in this example are in bin4 format. Dotted decimal format (for example: 69.26.125.0)
is also supported. If you use bin4 format, the ACOS device automatically converts the addresses into
dotted decimal format when you load the database into GSLB.
Here is an example for IP address 192.0.2.18, the first IP address in the example CSV file:
1. Prepare the database file. (This step requires an application that can save to text for CSV format,
and it cannot be performed on the ACOS device.)
2. Configure a CSV template on the ACOS device. The CSV template specifies the field positions (or
columns) in the database that should be extracted, such as IP address and location information.
3. Import the CSV file onto the ACOS device.
page 117
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Loading or Configuring Geo-Location Mappings FFee
e
You can enter the entire URL on the command line or press Enter to display a prompt for each part of
the URL.If you enter the entire URL and a password is required, you will still be prompted for the pass-
word. To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• disk:path
• sftp://[user@]host/file
(For information about the use-mgmt-port option, see the “Using the Management Interface as the
Source for Management Traffic” chapter in the System Configuration and Administration Guide.)
Use the file name you specified when you imported the CSV file, and the name of the CSV template to
be used for extracting data from the file.
To display information about CSV files as they are being loaded, use the show gslb geo-location com-
mand:
page 118
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Manually Configuring Geo-Location Mappings
1. Configure each geographic location (geo-location) as a named range of client IP addresses. You
can configure geo-locations globally and within individual GSLB policies.
To configure a geo-location, use the gslb geo-location command at the global configuration level
or at the configuration level for the GSLB policy:
2. Associate a site with a geo-location name, using the geo-location command at the configuration
level for the site:
If you configure geo-locations globally and at the configuration level for individual sites, and a client IP
address matches both a globally configured geo-location and a geo-location configured on a site, the
globally configured geo-location is used by default. To configure the GSLB ACOS device to use geo-
locations configured on individual sites instead, use the geo-location match-first policy command at
the configuration level for the policy.
To search for an entry in the geo-location database that is based on client IP address, use the show
gslb geo-location command:
The commands in this example load a custom geo-location database from a CSV file called “test.csv”,
and then display the database. The test.csv file is shown in “Example Database File” on page 116.
The following command imports the file onto the ACOS device:
The following commands initiate loading the data from the CSV file into the geo-location database, and
display the status of the load operation:
page 119
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Geo-location Overlap FFee
e
ACOS(config)#
The following command displays the geo-location database extracted from the CSV file.
Geo-location: NA
From To/Mask Last Hits Sub T P-Name
--------------------------------------------------------------------------------
0 1 G
ACOS(config)#
Geo-location Overlap
The geo-location overlap option searches the geo-location database for the “match best” instead of
searching the database using the “match first” algorithm. This behavior may be helpful if you suspect
that more than one host has been mapped to a single public IP address.
page 120
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Geo-location Overlap
In addition, third-party companies sell geo-location databases, and some of these databases may con-
tain millions of mappings between geographic regions and ranges of IP addresses. As with the IANA
database files, these files can also be imported into the ACOS device’s global database.
Geo-location information can also be manually configured on the ACOS device at the GSLB policy level.
A GSLB policy is typically created for each GSLB zone, so you could, for example, have separate zones
for a company that has offices in New York and San Jose. Each of these GSLB zones might have its
own geo-location file, with each file containing highly granular information that maps IP addresses and
local regions.
When configuring geo-location for a GSLB zone, you will need to use the match first command to
decide whether to search the Global database (containing the IANA file) or if you would prefer to search
the GSLB Policy database.
The match first command determines which of the two geo-location databases will be used to parse
incoming DNS requests from clients. That is, it allows you to decide whether the Global database or
GSLB Policy database will be searched.
Once this configuration decision has been made, then the next thing that you need to do is decide if you
want to enable the geo-location overlap command.
The geo-location overlap command is disabled by default because it tends to tax the ACOS processors.
The default behavior for the ACOS device is to use the match first algorithm (not to be confused with
the match first option described above), is to scan the geo-location database for the first IP address
that matches the client’s Source IP.
In contrast, the geo-location overlap option uses match best algorithm, meaning the entire geo-location
file must be scanned in order to locate the optimal response to send back to the client. This is very
demanding on the ACOS CPU.
For example, if a company has a site in New York and San Jose:
In this situation, there exists an overlap in the IP address from 1.1.1.1 to 1.1.1.3.
page 121
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Geo-location-based Access Control FFee
e
To remedy this confusing situation, one can enable the geo-location overlap option to cause the ACOS
device to search the geo-location database for the match best (or longest matching IP address).
However, if the geo-location overlap option is disabled, then the ACOS device will revert to its default
behavior, which is to use the match first algorithm to check the client’s IP address against the database
and then use the first IP address-region mapping discovered when parsing the database.
If you believe your manually-configured geo-location databases may have two or more domains tied to
the same IP address, you can use the geo-location-match overlap command at the GSLB policy con-
figuration level of the CLI to enable geo-location overlap.
The following command enables geo-location overlap at the GSLB policy level. The overlap option is
used to enable match best behavior for the geo-location database within the default GSLB policy. By
enabling this behavior, the match first algorithm will not be used, and instead the ACOS device will
attempt to find the best match by searching for the longest string that matches the source IP address
in the client’s request.
• Send the traffic to a specific service group (if configured using a black/white list)
The ACOS device determines a client’s location by looking up the client’s subnet in the geo-location
database used by Global Server Load Balancing (GSLB).
This feature requires you to load a geo-location database, but does not require any other configuration
of GSLB. Instead, SLB features are used along with the IANA database. The ACOS system image
includes the Internet Assigned Numbers Authority (IANA) database. By default, the IANA database is
not loaded but you can easily load it, as described in the configuration procedure later in this section.
page 122
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Geo-location-based Access Control
Geo-location-based VIP access works only if the class list is imported as a file. The CLI does not sup-
port configuration of class-list entries for this application.
class-list geo-class
L US 1
L US.CA 2
L US.CA.SJ 3
The following commands import the class list onto the ACOS device, configure a policy template, and
bind the template to a virtual port. The connection limits specified in the policy template apply to clients
who send requests to the virtual port.
• default geo-location database (iana) is already loaded (“gslb system geo-location load” on
page 183).
• the c-share class list was previously created
The show slb geo-location statistics command verifies operation of the policy.
page 123
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Geo-location-based Access Control FFee
e
1. Configure a black/white list. You can configure the list using a text editor on a PC or enter it directly
into the GUI. If you configure the list using a text editor, import the list onto the ACOS device.
2. Configure an SLB policy (PBSLB) template. In the template, specify the black/white list name, and
the actions to perform for the group IDs in the list.
3. Load a geo-location database, if one is not already loaded.
4. Apply the policy template to the virtual port for which you want to control access.
• Remote option – Use a text editor on a PC, then import the list onto the ACOS device.
• Local option – Enter the black/white list directly into a management GUI window.
With either method, the syntax is the same. The black/white list must be a text file that contains entries
(rows) in the following format:
The “L” indicates that the client’s location will be determined using information in the geo-location data-
base.
The geo-location is the string in the geo-location database that is mapped to the client’s IP address; for
example, “US”, “US.CA”, or “US.CA.SanJose”.
The group-id is a number from 1 to 31 that identifies a group of clients (geo-locations) in the list. The
default group ID is 0, which means no group is assigned. On the ACOS device, the group ID specifies
the action to perform on client traffic.
The #conn-limit specifies the maximum number of concurrent connections allowed from a client. The #
is required only if you do not specify a group ID. The connection limit is optional. For simplicity, the
examples in this section do not specify a connection limit.
L "US" 1
L "US.CA" 2
L "JP" 3
1. Import a black/white list onto the ACOS device with the bw-list command.
2. To configure a PBSLB template, use the slb template policy commands:
page 124
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Geo-location-based Access Control
The command creates the template and changes the CLI to the configuration for the template,
where the bw-list name and bw-list id PBSLB-related commands are available.
3. Load a geo-location database with the gslb system geo-location load command.
4. To apply a policy template to a virtual port, use the template policy command in configuration
mode
To clear SLB geo-location statistics, use the clear slb geo-location command.
The black/white list can either be imported or by selecting ADC >> BW-Lists in the GUI. Refer to the
DDos Mitigation Guide (DMG) for additional information about black/white lists.
The following commands apply the policy template to port 80 on virtual server “vip1”:
page 125
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Geo-location-based Access Control FFee
e
Full-Domain Checking
By default, when a client requests a connection, the ACOS device checks the connection count only for
the specific geo-location level of the client. If the connection limit for that specific geo-location level has
not been reached, then the client’s connection is permitted. Likewise, the permit counter is incremented
only for that specific geo-location level.
Table 1 shows an example set of geo-location connection limits and current connections.
Using the default behavior, the connection request from the client at US.CA.SanJose is allowed even
though CA has reached its connection limit. Likewise, a connection request from a client at US.CA is
allowed. However, a connection request from a client whose location match is simply “US” is denied.
After these three clients are permitted or denied, connection permit and deny counters are updated.
Based on full-domain checking, all three connection requests from the clients in the example above are
denied. This is because the US domain has reached its connection limit. Likewise, the counters for each
domain are updated as follows:
To enable full-domain checking for geo-location-based connection limiting, use the geo-location
full-domain-tree command at the configuration level for the PBSLB template.
It is recommended to enable or disable this option before enabling GSLB. Changing the state of this
option while GSLB is running can cause the related statistics counters to be incorrect.
page 126
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Geo-location-based Access Control
• Permit
• Deny
• Connection number
• Connection limit
To enable the share option, use the geo-location share command at the configuration level for the
PBSLB policy template. It is recommended to enable or disable this option before enabling GSLB.
Changing the state of this option while GSLB is running can cause the related statistics counters to be
incorrect.
page 127
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Geo-location-based Access Control FFee
e
page 128
Feedback ACOS 4.1.1-P11 Global Server Load Balancing Guide
To simplify health monitoring of a GSLB site, you can use a gateway health check. A gateway health
check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. If a site’s gateway
router fails a health check, it is likely that none of the services at the site can be reached. GSLB stops
using the site until it begins to pass gateway health checks again.
In most cases, an ICMP health check is sufficient; use the default ICMP health check or configure a
custom one. For more detailed health analysis, use an external health check. For example, use a script
to get SNMP information from the gateway, and base the gateway’s health status on the retrieved
information.
Health-Check Precedence
Health checking for a GSLB service can be performed at the following levels.
Using the GSLB Health Monitor option does not affect its precedence. The GSLB Health Monitor config-
uration includes health monitors in GSLB group synchronizations. For GSLB configuration synchroniza-
tion, “GSLB Synchronization” on page 18.
If the gateway health check is unsuccessful, the service IP is marked Down. If the gateway health
check is successful, then the port health check can be used to check the status of the ports (assuming
ports have been configured on the service IP). Otherwise, if no service ports are configured on the ser-
vice IP, then the Layer 3 health check of the service IP is used.
1. Configure the health monitor, unless you plan to use the default ICMP health monitor.
2. On the SLB device at the site, create an SLB real server configuration with the gateway router’s IP
address. If you configured a custom health check, make sure to apply it to the real server.
3. On the GSLB controller, specify the site’s gateway IP address in the SLB-device configuration for
the site.
For a service IP that can be reached on any of multiple links, create a separate SLB-device configura-
tion, without using the gateway option. The gateway health status for this SLB-device will be Down only
if all the gateway health checks performed for the other SLB-device configurations for the site fail.
1. On the site ACOS device – To create the gateway router, use the slb server command at the global
configuration level of the CLI on the site ACOS device:
To use the default Layer 3 health monitor, no further configuration is needed on the site ACOS
device. When using a custom ICMP monitor, configure the monitor, then use the health-check
command at the configuration level for the real server (gateway):
2. On the GSLB controller — To specify the site’s gateway IP address, use the gateway command at
the configuration level for the SLB device, within the site configuration:
To disable gateway health checking at the SLB-device configuration level, use the no gateway health-
check command. After entering this command, the SLB device stops accepting gateway status infor-
mation.
page 130
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Site with Single Gateway Link
On the GSLB controller, the following commands enable gateway health checking for site device “site-
acos”:
The following command displays the gateway health status for GSLB sites:
GSLB-ACOS(config)#
In this example, the gateway health status for SLB-device configuration “site-acos” on the “remote” site
is Up.
page 131
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Site with Multiple Gateway Links FFee
e
On the GSLB controller, these commands enable gateway health checking for each of the site’s links. A
unique SLB-device name is used for each link, even though both links are for the same SLB device
(20.1.1.1).
If the same services can be reached through either link, an additional SLB-device configuration is
required:
No gateway is specified in the SLB-device configuration. The gateway health status will be Up unless
the health checks for 2.2.2.1 and 3.3.3.1 both fail.
page 132
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Multiple-Port Health Monitoring
The default health monitor for a service is the default Layer 3 health monitor (ICMP ping). The default
health monitor for a service port is the default TCP or UDP monitor, depending on the transport proto-
col.
By default, if the GSLB protocol is enabled and can reach the service, health checking is performed over
the GSLB protocol. Otherwise, health checking is performed using standard network traffic instead.
Optionally, you can disable use of the GSLB protocol for health checking, on individual service-IPs.
To configure a multiple-port health check, use the health-check-port command at the configuration
level for the service IP. You can specify up to 64 ports.
Applying a health monitor is required only if you do not plan to use the default health monitors. (See
“Default Health Monitors” on page 133.)
The following commands apply a custom HTTP health monitor to service IP “gslb-srvc2”. The com-
mands utilize a health monitor (http) whose configuration is not included in the example.
The following commands enable a multi-port health check for the HTTP service “www” on service IP
“gslb-srvc2” in GSLB zone “abc.com”:
page 133
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Multiple-Port Health Monitoring FFee
e
page 134
Feedback ACOS 4.1.1-P11 Global Server Load Balancing Guide
Application Groups
When persistence is enabled, ACOS ensures that requests for different services are sent to the same
site.You configure application groups so that certain services are grouped together. When a client
requests those services, they are always directed to the same site. For example, if a user requests the
WWW service, and then later requests the Secure WWW service, then persistence ensures that both
requests go to the same site.
Configuring dependency ensures that when one service is down on a site, ACOS marks all services as
unusable for that site. Client traffic is then redirected to a site where persistence can be maintained for
all services. For example, a service group may consistent of email protocols. If POP service is down,
then all other services, such as IMAP and SMTP, are also marked as down.
Persistence and dependency can be configured individually or together. In both cases, a service should
be configured in only one service-group.
1. Configure the virtual servers or services with the appropriate port and protocol.
2. Define the GSLB data centers or sites.
a. Configure the devices in the data centers, as well as the virtual servers or services in the data
centers.
3. Configure the applications and logical components in the system, such as the FQDN.
4. Group the defined applications together and then enable persistence and dependency.
To configure GSLB application groups with persistence and failover dependency, enter the following
commands at the GSLB service-group configuration level:
persistent site
dependency site
The “persistent site” command can specify an IPv4 mask, IPv6 mask length, or aging-time that deter-
mines the period after which persistence is no longer maintained to a server when there is no traffic
from the client (default aging-time is 5 minutes). Aging time is refreshed when the site receives a
request from the client.
This example configures two GSLB sites, one for New York and one for San Francisco. These sites will
support the WWW and Secure WWW applications. Persistence and dependency are configured for
these GSLB sites.
1. These commands configure GSLB data centers in New York and San Francisco. The virtual serv-
ers are grouped into data centers. Each data center has four servers with port 80 configured (vip1
- vip4), and four servers with port 443 configured (vip5 - vip8). The sites reference the servers
through GSLB service-ip assignments that are not included in the example (See “gslb service-ip” on
page 174.).
2. These commands define the www.example.com and secure.example.com FQDNs. They assign
the WWW service to virtual servers 1 through 4, and the Secure WWW service to virtual servers 5
through 8.
page 136
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Site persistence With Per-VIP Failover Granularity
3. The next commands group the applications (WWW and Secure WWW) together and configure
dependency for failover grouping, as well as persistence with an aging-time of 10 minutes.
page 137
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Site persistence With Per-VIP Failover Granularity FFee
e
page 138
Feedback ACOS 4.1.1-P11 Global Server Load Balancing Guide
This chapter provides configuration examples for Global Server Load Balancing (GSLB). These exam-
ples implement a basic GSLB deployment. The examples assume that the default GSLB policy is used,
without any changes to the policy settings.
Steps consist of an action and the resulting GUI response. For example, the following line instructs the
user to select ADC >> SLB from the main menu, which opens the SLB Virtual Server Roster panel in the
GUI:
1. Select ADC >> SLB (primary menu) Open SLB Virtual Server Roster
1. Select System >> Settings (primary menu) Open Access Control panel
1. ADC >> SLB (primary menu) Open SLB Virtual Server roster
2. Select Servers (secondary menu) Open SLB Servers Roster
3. Click Create button Open Create Server panel
4. Data Entry: Create Server panel
Name: ACOS-11
Host: 10.10.0.53
Port Section: Click Create button Open Update Port panel
5. Data Entry: Update Port panel
Port Number: 53
Protocol: TCP
Click Create button Return to S:B Servers Roster
page 140
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
GSLB Proxy Mode (Scenario 1)
Name: DNS1
IP Address: 10.10.0.100
Virtual Port section: Click Create button Opens SLB Create Virtual Port panel
4. Data Entry: SLB Create Virtual Port panel
Protocol: dns-tcp
Port: 53
Service Group: (Drop Down): DNS-GRP1
5. Expand General Fields section
6. Data Entry: General Fields section
GSLB Enable: (checkbox) select
7. Click Create button Return to SLB Update Virtual Server panel
8. Click Update button Return to SLB Virtual Servers roster
page 141
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
GSLB Proxy Mode (Scenario 1) FFee
e
Port: 80
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
4. Click Create button Opens GSLB Create Service IPs Ports panel
5. Service IP Ports section: Click Create buttonOpens GSLB Create Service IPs Ports panel
6. Data Entry: Create Service IPs panel
Port: 25
Protocol: TCP
Click Create button Return to GSLB Create Service IPs panel
7. Click Update button Return to GSLB Service IP Roster
page 142
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
GSLB Proxy Mode (Scenario 1)
page 143
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
GSLB Server Mode Group (Scenario 2) FFee
e
3. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
4. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) SERVICE A
Service IP Name: (Drop-Down) LANE
Static: (checkbox) select
5. Click Create button Returns to GSLB Update FQDNs panel
6. DNS Records section: Click Create button Opens GSLB Create DNS Record panel
7. Data Entry: GSLB Create DNS Record panel
Record Type: (Drop-Down) SERVICE A
Service IP Name: (Drop-Down) BENTON
Static: (checkbox) select
8. Click Create button Returns to GSLB FQDNs Roster
9. Click Update button Returns to GSLB FQDNs Roster
1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-2
Click Update DNS button
page 144
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
GSLB Server Mode Group (Scenario 2)
SLB Service Group configuration, required in step 4, is not featured in this example. Refer to the ADC
Configuration Guide.
1. Select ADC >> SLB (primary menu) Open SLB Virtual Server Roster
2. Select Virtual-Servers (secondary menu) Open SLB Virtual Servers roster
3. Click Create button Open SLB Create Virtual Server panel
4. Data Entry: SLB Create Virtual Server panel
Name: DNS2
IP Address: 10.20.0.53
Virtual Port section: Click Create button Opens SLB Create Virtual Port panel
5. Data Entry: SLB Create Virtual Port panel
Protocol: dns-tcp
Port: 53
Service Group: (Drop Down): DNS-GROUP
6. Expand General Fields section
7. Data Entry: General Fields section
GSLB Enable: (checkbox) select
8. Click Create button Return to SLB Update Virtual Server panel
9. Click Update button Return to SLB Virtual Servers roster
page 145
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
GSLB Server Mode Group (Scenario 2) FFee
e
page 146
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
GSLB Server Mode Group (Scenario 2)
page 147
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
GSLB Controllers and Devices (Scenario 3) FFee
e
page 148
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
GSLB Controllers and Devices (Scenario 3)
1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-3
Click Update DNS button
4. Click Update DNS button GUI displays success message
SLB Service Group configuration, required in step 4, is not featured in this example. Refer to the ADC
Configuration Guide.
1. Select ADC >> SLB (primary menu) Open SLB Virtual Server Roster
2. Select Virtual-Servers (secondary menu) Open SLB Virtual Servers roster
3. Click Create button Open SLB Create Virtual Server panel
4. Data Entry: SLB Create Virtual Server panel
Name: DNS3
IP Address: 10.30.0.53
Virtual Port section: Click Create button Opens SLB Create Virtual Port panel
5. Data Entry: SLB Create Virtual Port panel
Protocol: dns-tcp
Port: 53
Service Group: (Drop Down): DNS-GROUP
6. Expand General Fields section
7. Data Entry: General Fields section
GSLB Enable: (checkbox) select
page 149
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
GSLB Controllers and Devices (Scenario 3) FFee
e
page 150
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
GSLB Controllers and Devices (Scenario 3)
page 151
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
GSLB Controllers and Devices (Scenario 3) FFee
e
page 152
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
GSLB Controllers and Devices (Scenario 3)
1. Select GSLB >> Global Opens GSLB Update Global (System) Panel
2. Select Protocol Opens GSLB Update Global (Protocol) panel
3. Data Entry: Update GSLB Global (Protocol) panel
Enable as GSLB controller: (checkbox) select
4. Click Update GSLB Global Protocol button
1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-31
Click Update DNS button
4. Click Update DNS button GUI displays success message
1. ADC >> SLB (primary menu) Open SLB Virtual Server roster
2. Select Servers (secondary menu) Open SLB Servers Roster
3. Click Create button Open Create Server panel
4. Data Entry: Create Server panel
Name: ACOS-31P
Host: 10.1.1.58
Port Section: Click Create button Open Update Port panel
5. Data Entry: Update Port panel
page 153
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
GSLB Controllers and Devices (Scenario 3) FFee
e
Port Number: 53
Protocol: TCP
Click Create button
1. Select GSLB >> Global Opens GSLB Update Global (System) Panel
2. Select Protocol Opens GSLB Update Global (Protocol) panel
page 154
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
GSLB Controllers and Devices (Scenario 3)
1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-32
Click Update DNS button
4. Click Update DNS button GUI displays success message
SLB Service Group configuration, required in step 4, is not featured in this example. Refer to the ADC
Configuration Guide.
1. ADC >> SLB (primary menu) Open SLB Virtual Server roster
2. Select Servers (secondary menu) Open SLB Servers Roster
3. Click Create button Open Create Server panel
4. Data Entry: Create Server panel
Name: ACOS-32P
Host: 10.1.2.68
Port Section: Click Create button Open Update Port panel
5. Data Entry: Update Port panel
Port Number: 53
Protocol: TCP
Click Create button
page 155
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Configuring GSLB Controller-Based Metrics FFee
e
1. Select GSLB >> Global Opens GSLB Update Global (System) Panel
2. Select Protocol Opens GSLB Update Global (Protocol) panel
3. Data Entry: Update GSLB Global (Protocol) panel
Enable as site device: (checkbox) select
4. Click Update GSLB Global Protocol button
page 156
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Configuring GSLB Controller-Based Metrics
1. Select System >> Settings (prmary menu) Open Access Control panel
2. Select DNS (secondary menu Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-1
IP Address: 10.10.1.58
Click Update DNS button
4. Click Update DNS button GUI displays success message
page 157
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Configuring GSLB Controller-Based Metrics FFee
e
page 158
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Configuring GSLB Controller-Based Metrics
1. Select GSLB >> Global Opens GSLB Update Global (System) Panel
2. Select Protocol (secondary menu) Opens GSLB Update Global (Protocol) panel
3. Data Entry: Update GSLB Global (Protocol) panel
Enable as GSLB controller: (checkbox) select
4. Click Update GSLB Global Protocol button
page 159
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Configuring GSLB Controller-Based Metrics FFee
e
page 160
Feedback ACOS 4.1.1-P11 Global Server Load Balancing Guide
This chapter lists the CLI commands for Global Server Load Balancing (GSLB). The commands are
organized into the following sections:
• delete geo-location
• gslb active-rdt
• gslb geo-location
• gslb group
• gslb ip-list
• gslb policy
• gslb protocol
• gslb service-group
• gslb service-ip
• gslb site
• gslb zone
• import geo-location
delete geo-location
Description Delete or replace a custom geo-location database from the ACOS device.
Parameter Description
all Deletes all manually configured geo-locations from the configu-
ration.
file-name Delete the specified geo-location from the configuration.
Default N/A
Usage This command is available only if you have already imported a geo-location
database file.
gslb active-rdt
Description Configure global aRDT settings.
page 162
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
track seconds
}
Parameter Description
domain Specifies the query domain. To measure the active-Round Delay Time (aRDT) for a cli-
domain-name ent, the site ACOS device sends queries for the domain name to a client’s local DNS.
An aRDT sample consists of the time between when the site ACOS device sends a
query and when it receives the response.
Only one aRDT domain can be configured. It is recommended to use a domain name
that is likely to be in the cache of each client’s local DNS.
The ACOS device averages multiple aRDT samples together to calculate the aRDT
measurement for a client. (See the description of track below.)
The default is 3.
sleep seconds Specifies the number of seconds GSLB stops tracking aRDT data for a client after a
query fails. You can specify 1-300 seconds.
The averaged aRDT measurement is used until it ages out. The aging time for aver-
aged aRDT measurements is 10 minutes by default and is configurable on individual
sites, using the active-rdt aging-time command in GSLB site configuration mode.
page 163
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
Parameter Description
drop Drops DNS queries that do not match any zone service.
ignore Ignores DNS queries that do not match any zone service.
none No action (default)
reject Rejects DNS queries that do not match any zone service, and
returns the “Refused” message in replies.
Parameter Description
both [template template-name] Log both the DNS query and response.
query [template template-name] Log only the DNS query.
response [template template-name] Log only the DNS response.
none Do not log any DNS messages.
page 164
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
gslb geo-location
Description Configure a global geographic location by assigning a location name to a cli-
ent IP address range. GSLB forwards client requests from addresses within
the specified IP address range to the GSLB site that serves the location.
Parameter Description
location-name Name of location. Use a period between string labels (ranges). Each range can con-
tain up to 15 alphanumeric characters. Entire name can contain up to 127 charac-
ters.
Example: Asia.japan.123456789.xyz
The command changes the CLI to the configuration level for the location,
where the following location-related commands are available:
Command Description
[no] ip start-ip-addr Beginning IPv4 address for the range.
{mask ip-mask | end-ip-addr}
• mask ip-mask - Network mask
• end-ip-addr - Ending IP address of the range
[no] ipv6 start-ipv6-addr Beginning IPv6 address for the range.
{mask ipv6-mask | end-ipv6-addr}
• mask ipv6-mask - Network mask
• end-ipv6-addr - Ending IP address of range
Default N/A
• If you manually map a geo-location to an GSLB site, GSLB uses the map-
ping.
• If no geo-location is configured for a GSLB site, GSLB automatically
maps the service-ip to a geo-location in the loaded geo-location data-
base.
page 165
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
gslb group
Description Configure GSLB group settings. GSLB controllers within a GSLB group auto-
matically synchronize GSLB configuration information and data.
The command changes the CLI to the configuration level for the group,
where the following group-related commands are available:
Other available commands are common to all CLI configuration levels. See
the CLI Reference.
Command Description
[no] auto-map [option] Automatically creates IP-to-name mappings for resources within the zone. The
option can be one of the following:
• data-interface
• learn
• mgmt-interface
• primary
• smart
This is disabled by default.
This option is applicable only to GSLB zones that use wildcard service names
[no] config-anywhere Allows GSLB to be configured on any group member, without restricting the
changes to the master controller.
page 166
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
Command Description
[no] dns-discover Discover member via DNS protocol. When this option is used, you do not need to
configure a primary IP address, because GSLB will send a DNS query (based on
the group name) to discover other group members.
For example, if group name is “group.example.com” then GSLB will send the DNS
discover query with domain name “group.example.com”.
You can specify up to 15 primary members. Enter the command separately for
each member.
page 167
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
Mode Except for the gslb keyword in front of the command, the syntax is the same
as the health monitor command at the global configuration level for the CLI.
For information about the options, see the CLI Reference.
gslb ip-list
Description Configure a list of IP addresses and group IDs to use as input to other GSLB
commands.
Syntax [no] gslb ip-list list-name
The command changes the CLI to the configuration level for the list, where
the following IP-list-related commands are available:
(The other commands are common to all CLI configuration levels. See the
CLI Reference.)
Parameter Description
[no] ip ipaddr Creates an IP entry in the list. Based on the subnet mask or mask
[subnet-mask | /mask-length] length, the entry can be a host address or a subnet address. The id
id group-id option adds the entry to a group. The group-id can be 0-31.
[no] load bwlist-name Loads the entries from a black/white list into the IP list.
Default None
Example The following commands configure a GSLB IP list and use the list to exclude
IP addresses from aRDT data collection:
page 168
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
gslb policy
Description Configure a GSLB policy.
Parameter Description
default The default GSLB policy included in the software.
policy-name Name of the policy, up to 63 alphanumeric characters.
This command changes the CLI to the configuration level for the specified
GSLB policy. For information about the commands available at the GSLB
policy level, see “Policy Configuration Commands” on page 195.
Default N/A
page 169
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
gslb protocol
Description Enable the GSLB protocol or set protocol options.
Parameter Description
auto-detect Enables auto-detection.
• device – Use this option on the ACOS devices that are SLB devices at the
GSLB sites.
limit option See “gslb protocol limit” on page 171.
ping Test GSLB connectivity from the GSLB ACOS device to a site ACOS device.
[site | ip-addr]
• site - GSLB site name of the site ACOS device.
NOTE: For the limit options, see “gslb protocol limit” on page 171.
Usage The GSLB protocol uses port 4149 and is registered on this port for both TCP
and UDP.
ACOS devices use the GSLB protocol for GSLB management traffic. The
protocol must be enabled on the GSLB controller, and it is recommended
(but not required) that you enable the protocol on the site ACOS devices.
page 170
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
The following GSLB policy metrics require the protocol to be enabled on both
the site ACOS devices as well as the GSLB controller:
• Session-Capacity
• aRDT
• Connection-Load
• Num-Session
The GSLB protocol is also required for the Health-Check metric, if the default
health checks are used. If you modify the health checks, the GSLB protocol is
not required.
Example The following command enables the GSLB protocol on a GSLB device:
Example The following command enables the GSLB protocol on a site device:
Parameter Description
ardt-query Limits the number of aRDT Query messages (0-1000000).
page 171
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
Parameter Description
message Limits the number of messages (0-1000000).
page 172
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
gslb service-group
Description Configure an FQDN group.
This command creates the group and changes the CLI to the configuration
level for it. At this level, the following commands are available:.
Parameter Description
[no] dependency site All services become unavailable on the site when one service
goes down. Facilitates traffic redirection to a site that can
maintain persistence for all services. Default setting is dis-
abled.
page 173
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
ACOS(config-svc group:example-group)#
gslb service-ip
Description Configure a service IP, which can be a virtual server’s or real server’s IP
address.
Parameter Description
service-name Name of the service, up to 63 alphanumeric characters.
ipaddr IP address of the virtual server or real server. You can specify an IPv4 or IPv6
address.
(If you are changing the configuration of a GSLB service that is already config-
ured, this parameter is not required.)
This command changes the CLI to the configuration level for the specified
service, where the following GSLB-related commands are available:
Command Description
disable Disables GSLB for the service IP address.
enable Enables GSLB for the service IP address.
[no] external-ip ipaddr Assigns an external IP address to the service IP. The external IP
address allows a service IP that has an internal IP address to be
reached from outside the internal network.
[no] health-check monitor-name Configures service IP monitoring. If you enter the command
with no options, the default Layer 3 health monitor (ICMP ping)
is used.
page 174
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
Command Description
[no] port num {tcp | udp} Adds service port to service IP. Changes CLI to configuration
level for specified service port, where these commands are
available:
Default No services are configured by default. When you configure a service, the ser-
vice is enabled by default, and the default port is 80. The default health mon-
itor for a service is the default Layer 3 health monitor (ICMP ping). The
default health monitor for a service port is the default TCP or UDP monitor,
depending on the transport protocol. (For more on health checking, see
“Usage” below.)
Usage If you leave the health monitor for a service left at its default setting (the
default ICMP ping health check), health checks are performed within the
GSLB protocol.
If you use a custom health monitor, or explicitly apply the default Layer 3
health monitor to the service, the GSLB protocol is not used for any of the
health checks.
If you use a custom health monitor for a service port, the port number
specified in the service configuration is used instead of the port number
specified in the health monitor configuration.
The following policy metric options are not supported for IPv6 service IPs:
• active-rdt
• ip-list
• dns external-ip
• dns ipv6 mapping
• geo-location
page 175
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
Example The following example creates a GSLB service IP address named “gslb-
srvc2” with IP address 192.160.20.99:
page 176
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
gslb site
Description Configure a GSLB site.
Replace site-name with the name for the site (1-63 characters).
page 177
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
This command changes the CLI to the configuration level for the specified
site, where the following site-related commands are available:
Command Description
[no] active-rdt option Configures options for the aRDT metric:
• ignore-count num – Specifies the ignore count if aRDT is out of range. You
can specify 1-15. The default is 5.
• limit num – Specifies the maximum aRDT allowed for the site. If the aRDT
measurement for a site exceeds the configured limit, GSLB does not eliminate
the site. Instead, GSLB moves to the next metric in the policy. You can specify
1-16383 milliseconds (ms). The default is 16383. (“No” form of command is
not available).
• smooth-factor num – Blends the new measurement with the previous one,
to smoothen the measurements.
For example, if the smooth-factor is set to 10 (the default), 10% of the new
measurement is used, along with 90% of the previous measurement. Similarly,
if the smooth-factor is set to 50, 50% of the new measurement is used, along
with 50% of the previous measurement.
You can specify 1-100. The default is 10. (“No” form of command is not avail-
able).
(For information about the aRDT metric, see “active-rdt” on page 197.)
[no] auto-map Enables DNS auto-mapping for site resources.
page 178
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
Command Description
[no] bw-cost options Configures options for the BW-Cost metric:
• limit num– Specifies the maximum amount the SNMP object queried by the
GSLB ACOS device can increase since the previous query, in order for the site
to remain eligible for selection. You can specify 0-2147483647. There is no
default.
If a site becomes ineligible due to being over the limit, the percentage parame-
ter is used. In order to become eligible for selection again, the site’s limit value
must not exceed
limit*threshold-percentage.
For example, if the limit value is 80,000 and the threshold is 90 percent, then
the limit value must be 72,000 or less, in order for the site to become eligible
again based. Once a site again becomes eligible, the SNMP object’s value is
again allowed to increase up to the bandwidth limit (80,000 in this example).
(For information about the BW-Cost metric, see “bw-cost” on page 203.)
[no] controller This command binds the specified controller to the configuration mode GSLB
domain-name site in support of GSLB controller-based metrics.
There is no default.
[no] disable Disables all servers in the GSLB site.
[no] geo-location Associates this site with a specific geographic location. (To configure a location,
location-name use the gslb geo-location command.)
[no] ip-server Associates a real server with this site.
service-ip
• service-ip –Specify the real server name.
Generally, virtual servers rather than real servers are associated with a site. To
associate a virtual server with a site, use vip-server option of the slb-dev
command.
page 179
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
Command Description
[no] slb-dev Specifies the device that provides SLB for the site. The IP address must be
device-name reachable by the GSLB controller when GSLB protocol is enabled. This com-
[ip-addr] mand changes the CLI to the slb-dev configuration level where the following
commands are available:
• [no] gateway ipaddr – Specifies the gateway the SLB device will use to
reach the GSLB local DNS for collecting aRDT measurements.
• max-client num – Specifies the maximum number of clients for which the
GSLB ACOS device (controller) saves data such as aRDT measurements for
each of the clients. You can specify 1-2147483647. The default is 32768.
• [no] vip-server {name | ipaddr} – Maps this SLB site to a globally con-
figured GSLB service IP address. If you use the name option, the name must
be the name of a configured service IP. (To configure the service IP, use the
gslb service-ip command. See “gslb service-ip” on page 174.)
[no] template Binds a template to the site. To use the BW-Cost metric, use this option to bind a
template-name GSLB SNMP template to the site.
page 180
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
Command Description
[no] weight num Assigns a weight to the site. If the Weighted-Site metric is enabled in the policy
and all metrics before Weighted-Site result in a tie, the site with the highest
weight is preferred. The weight can be from 1 – 100. The default is 1.
Example The following example creates a site named “NY-site” and adds SLB ACOS
device “site-acos-1” with IP address 10.10.10.10 to the site:
Default 10 seconds
page 181
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
Parameter Description
resource-type Enables DNS auto-mapping for the specified resource type. When auto-mapping is
enabled, ACOS can respond to DNS queries for resources of the specified type that are
within the GSLB zone. The resource-type option can be one of the following:
Default Disabled
page 182
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
Parameter Description
iana Loads the Internet Assigned Numbers Authority (IANA) database. The
IANA database contains the geographic locations of the IP address
ranges and subnets assigned by the IANA. The IANA database is
included in the ACOS system software. The IANA geo-location data-
base is loaded by default.
file-name csv-template-name Loads a custom database. You can load a custom geo-location data-
base from a file in comma-separated-values (CSV) format. This option
requires configuration of a CSV template on the ACOS device. When
you load the CSV file, the data is formatted based on the template. (To
configure a CSV template, see “gslb template csv” on page 184.).
Usage You can load more than one database. The geo-location match command
determines the IP address used when databases contain overlapping
addresses.
Example The following command loads geo-location data from a CSV file:
Default 0
Usage This option applies only to DNS server mode. The option does not apply to
DNS proxy mode.
The TTL value is used in all replies, regardless of the client’s original TTL.
page 183
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
Replace seconds with the desired startup delay interval (0-16384 seconds).
(The other commands are common to all CLI configuration levels. See the
CLI Reference.)
Parameter Description
[no] delimiter Specifies the character used in the file to delimit fields. You can type the
{character | ASCII-code} character or enter its decimal ASCII code (0-255).
[no] field num type-of-data The num option specifies the field position within the CSV file. You can
specify from 1-64. The following options specify the type of geo-location
that is located in the field position:
Default There is no default CSV template. When you configure one, the field loca-
tions are not set. The default delimiter character is a comma ( , ).
page 184
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
Usage To load a geo-location data file and use the CSV template to extract the data,
see “gslb system geo-location load” on page 183.
This command changes the CLI to the configuration level for the specified
template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See the CLI Reference.)
Parameter Description
[no] auth-key string Specifies the authentication key. The key string can be 1-127 characters
long. This command is applicable if the security level is auth-no-priv
or auth-priv.
[no] auth-proto {sha | md5} Specifies the authentication protocol. This command is applicable if the
security level is auth-no-priv or auth-priv.
[no] community community- For SNMPv1 or v2c, specifies the community string required for authen-
string tication.
[no] context-engine-id id Specifies the ID of the SNMPv3 protocol engine running on the site
ACOS device.
[no] context-name id Specifies an SNMPv3 collection of management information objects
accessible by an SNMP entity.
[no] host {name | ipaddr} Specifies the IP address of the site ACOS device.
[no] interface id Specifies the SNMP interface ID. 0-2147483647
[no] interval seconds Specifies the amount of time between each SNMP GET to the site ACOS
devices. You can specify 1-999 seconds. The default is 3.
[no] oid oid-value Specifies the interface MIB object to query on the site ACOS device.
If the object is part of a table, make sure to append the table index to the
end of the OID. Otherwise, the ACOS device will return an error.
page 185
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
Parameter Description
[no] port portnum Specifies the protocol port on which the site ACOS devices listen for the
SNMP requests from the GSLB ACOS device. You can specify 1-65535.
The default is 161.
[no] priv-key string Specifies the encryption key. The key string can be 1-127 characters
long. This command is applicable only if the security level is auth-priv.
[no] priv-proto {aes | des} Specifies the privacy protocol used for encryption. This command is
applicable only if the security level is auth-priv.
[no] security-engine-id id Specifies the ID of the SNMPv3 security engine running on the site
ACOS device. For each command, the ID is a string 1-127 characters
long.
[no] security-level Specifies the SNMPv3 security level:
{no-auth |
auth-no-priv | • no-auth – Authentication is not used and encryption (privacy) is not
auth-priv} used. This is the default.
Usage The community command applies only to SNMPv1 or v2c. Most of the other
commands, with the exception of the version, interval, port, and interface
commands, apply to SNMPv3.
You can not delete an SNMP template if the template is in use by a site. To
delete a template, first remove it from all site configurations that are using it.
Example The following commands configure a GSLB SNMP template for SNMPv2c:
Example The following commands configure a GSLB SNMP template for SNMPv3. In
this example, authentication and encryption are both used.
page 186
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
gslb zone
Description Configure a GSLB zone, which identifies the top-level name for the services
load balanced by GSLB.
You can use lower case characters and upper case characters. However,
since Internet domain names are case-insensitive, the ACOS device
internally converts all upper case characters in GSLB zone names to lower
case.
This command changes the CLI to the configuration level for the specified
zone, where the following zone-related commands are available:
Command Description
[no] disable Disables all services in the GSLB zone.
[no] dns-mx-record name Configures a DNS Mail Exchange (MX) record for the zone. The name is the
priority [ttl num] fully-qualified domain name of the mail server for the zone.
If more than one MX record is configured for the same zone, the priority speci-
fies the order in which the mail server should attempt to deliver mail to the MX
hosts. The MX with the lowest priority value has the highest priority and is
tried first. The priority can be 0-65535. There is no default.
NOTES:
If you want the GSLB ACOS device to return the IP address of the mail service
in response to MX requests, you must configure Address records for the mail
service.
Optionally, you can configure the Time-to-Live in seconds. The range is from
0-2147483647 seconds.
[no] dns-ns-record Configures a DNS name server record for the specified domain.
domain-name [ttl num]
Optionally, you can configure the Time-to-Live in seconds. The range is from
0-2147483647 seconds.
page 187
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
Command Description
[no] dns-soa-record Configures a DNS start of authority (SOA) record for the GSLB zone.
[external]
dns-server-name • external - causes the ACOS device to replace the internal SOA record with
mailbox-name an external SOA record when a request is received from an external client.
[expire seconds] This prevents external clients from gaining access to internal information.
[refresh seconds] The feature must also be enabled in the GSLB policy.
[retry seconds]
[serial num] • refresh - specifies the number of seconds other DNS servers wait before
[ttl seconds] requesting updated information for the GSLB zone. The retry option speci-
fies how many seconds other DNS servers wait before resending a refresh
request, if GSLB does not respond to the previous request. The expire
option specifies how many seconds GSLB can remain unresponsive to a
refresh request before the other DNS server drops responding to queries for
the zone.
• serial - specifies the initial serial number of the SOA record. This number
is automatically incremented each time a change occurs to any records in
the zone file. You can specify a serial number from 0-2147483647. The
default is based on the current system time on the GSLB ACOS device when
you create the SOA record.
• ttl - specifies the number of seconds GSLB will cache and reuse negative
replies (NXDOMAIN messages). A negative reply is an error message indi-
cating that a requested domain does not exist.
NOTES:
The ttl option is equivalent to the “minimum” option in BIND 9.
[no] policy policy-name Applies the specified GSLB policy to the zone. You can specify “default” for the
GSLB policy name, if you have not configured another policy and applied it to
the zone. The GSLB policy applied to the zone is also applied to the services in
that zone.
page 188
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
Command Description
[no] service port Adds a service to the zone. The port option specifies the service port and can
[service-name] be a port number from 0 to 65534. The service-name can be 1-63 alphanu-
meric characters or * (wildcard character matching on all service names).
For the same reason described for zone names, the ACOS device converts all
upper case characters in GSLB service names to lower case.
This command changes the CLI to the configuration level for the service,
where the following GSLB-related commands are available:
• reject – Rejects DNS queries from the local DNS server and returns the
“Refused” message in replies.
NOTE: Use of the actions configured for services also must be enabled in the
GSLB policy, using the dns action command at the configuration level for
the policy. See “DNS Action” on page 95.
page 189
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
Command Description
[no] service port GSLB-related commands are available:
[service-name]
(cont.)
• disable – Disables all services in the GSLB zone.
•as-replace – This option is used with the ip-replace option in the pol-
icy. When both options are set (as-replace here and ip-replace in
the policy), the client receives only the IP address set here by service-
ip.
•no-resp – Prevents the IP address for this site from being included in
DNS replies to clients.
•static – This option is used with the dns server option in the policy.
When both options are set (static here and dns server in the policy),
the GSLB ACOS device acts as the DNS server for the IP address set
here by service-ip.
NOTE: The no-resp option is not valid with the static or as-replace
option. If you use no-resp, you cannot use static or as-replace.
page 190
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
Command Description
[no] service port • dns-cname-record alias [alias ...] [as-backup]
[service-name] [admin-preference num] [weight num] – Configures DNS Canonical
Name (CNAME) records for the service.
(cont.)
•as-backup – Specifies that the record is a backup record.
•weight num – Specify the weight. If using the Weighted Alias metric,
then the DNS CNAME record with the highest weight is selected.
Default is 1.
NOTE: If you want the GSLB ACOS device to return the IP address of the mail
service in response to MX requests, you must configure A records for the mail
service.
The port portnum specifies the protocol port to return to the client, and
can be 0-65534. There is no default. You must specify a port.
The weight num specifies the weight and can be 0-65535. The default is
10.
The ttl specifies the time-to-live for the DNS record in second. Typically
DNS records take 24-48 hours to propagate. The default TTL is 0 sec-
onds.
page 191
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
Command Description
[no] service port • dns-txt-record obj-name txt-data [ttl num] – Enables use of
[service-name] DNS TXT resource records to carry multiple pieces of DNS TXT data
within one TXT record.
(cont).
The obj-name specifies the text data’s object name, in order to avoid long
URLs of aXPAPI.
The txt-data is the DNS TXXT data that you want inputted in the TXT
record.
The ttl specifies the time-to-live for the DNS record in second. Typically
DNS records take 24-48 hours to propagate. The default TTL is 0 sec-
onds.
NOTE: The ACOS device has a special handler that enables you to enter
non-printable characters that the CLI does not support.
NOTE: This option also requires the dns server txt command at the
configuration level for the GSLB policy.
•action action – Specifies the action to perform for DNS traffic. The
action options are the same as those for the action command
described above. Another action possible is allow, which allows que-
ries from this geo-location.
•alias url – Maps an alias configured with the alias option (see
above) to the specified location for this service.
• health-check-port portnum – Specify the port for the health check for
the service. Use multiple statements to configure more than one port.
page 192
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Main Configuration Commands
Command Description
[no] ttl seconds Changes the TTL of each DNS record contained in DNS replies received from
the DNS for which the ACOS Series is a proxy, for this zone. You can specify
from 0 to 1000000000 (one billion) seconds. This TTL setting overrides the
TTL setting in the GSLB policy. The default is 10.
The TTL of the DNS reply can be overridden in two different places in the
GSLB configuration: (1) If a GSLB policy is assigned to the individual service,
then the TTL from that policy is used. (2) If no policy is assigned to the individ-
ual service, but the TTL is set in the zone, then the zone’s TTL setting is used.
(This is the level set by the ttl command shown earlier this section.)
[no] use-server-ttl Use the configured service Time-to-Live.
Example The following example uses the wildcard character at the end of the gslb
zone command. This has the result of identifying all GSLB zones so that the
next line of the configuration creates a positive match on all DNS domains
that have the prefix of “www”.
Example The following commands create a default GSLB policy and then specify that
a backup server at IP 10.10.2.1 will be returned to the client if the primary
servers fail.
page 193
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Main Configuration Commands FFee
e
import geo-location
Description Imports new geo-location database CSV files into an ACOS device.
The overwrite option overwrite the existing geo-location file under that
name with the new geo-location file that is being imported.
Usage This command imports a geo-location database, saved as a CSV file, into an
ACOS device and allows for periodic synchronization of the database across
all GSLB group members. This command only imports a database; it does
not load the database into the ACOS starting configuration. To load the data-
base file, see “gslb system geo-location load” on page 183.
Example The following command imports a geo-location database CSV file and con-
figures ACOS to periodically check for updates once a day:
page 194
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
• active-rdt
• active-servers
• active-servers-enable
• admin-ip
• admin-ip-enable
• admin-preference
• alias-admin-preference
• auto-map
• bw-cost
• bw-cost-enable
• capacity
• connection-load
• dns action
• dns active-only
• dns addition-mx
• dns auto-map
• dns backup-alias
• dns backup-server
• dns cache
• dns cname-detect
• dns delegation
• dns external-ip
• dns external-soa
page 195
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
• dns geoloc-action
• dns geoloc-alias
• dns geoloc-policy
• dns hint
• dns ip-replace
• dns logging
• dns selected-only
• dns server
• dns sticky
• dns ttl
• geo-location
• geo-location-match
• geographic
• health-check
• ip-list
• least-response
• metric-fail-break
• metric-force-check
• metric-order
• num-session
• num-session-enable
• round-robin
page 196
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
• weighted-alias
• weighted-ip
• weighted-ip-enable
• weighted-site
• weighted-site-enable
active-rdt
Description Configure the active-Round Delay Time (aRDT) metric.
aRDT measures the round-delay-time for a DNS query and reply between a
site ACOS device and the GSLB local DNS.
Syntax [no] active-rdt
{
controller |
difference num |
enable |
fail-break |
ignore-id group-id |
keep-tracking |
limit ms |
proto-rdt-enable |
samples num-samples |
single-shot |
skip count |
timeout seconds |
tolerance num-percentage
}
Parameter Description
controller This command enables GSLB Controller-based metrics on the device.
GSLB Controller based metrics are not supported in IPv6 or L3V partition config-
urations.
The default is 0.
enable Enable active-Round Delay Time for the given policy.
page 197
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
Parameter Description
fail-break Enables GSLB to stop if the configured aRDT limit in a policy is reached. The fail-
break action depends on whether the GSLB controller is running in server mode
or proxy mode:
Notes:
• To configure the aRDT limit, use the limit option (describe below).
• 2. Enable the dns geoloc-policy option in the default GSLB policy, and enable
the active-rdt option in the policies for geo-locations. If applicable, config-
ure the aRDT limit.
• 3. On the service within the zone, enable the geo-location option and specify
the GSLB policy to use for that location.
page 198
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
Parameter Description
samples num-samples Number from 1 to 8 specifying the number of samples to collect.
The default is 5.
single-shot Collects a single sample only.
skip count When single-shot is configured, this option determines the number of site ACOS
devices that can exceed their single-shot timeouts, without the aRDT metric
itself being skipped by the GSLB ACOS device during site selection. You can skip
from 1-31 sites.
This is disabled by default; multiple samples are taken at regular intervals. When
enabled, the default skip is 3.
timeout seconds When single-shot is configured, this option determines the number of seconds
each site ACOS device should wait for the DNS reply. If the reply does not arrive
within the specified timeout, the site becomes ineligible for selection, in cases
where selection is based on the aRDT metric. You can specify 1-255 seconds.
Default Disabled. When you enable the aRDT metric, it has the default settings
described in the table above.
Usage This metric requires the GSLB protocol to be enabled both on the GSLB con-
troller and on the site ACOS devices.
active-servers
Description Configure the Active-Servers metric, which prefers the VIP with the highest
number of active servers.
page 199
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
Parameter Description
fail-break Enables GSLB to stop if the number of active servers for all ser-
vices is 0. The fail-break action depends on whether the GSLB
controller is running in proxy mode or server mode:
Default Disabled
Usage Use this command to eliminate inactive real servers from being eligible for
selection.
active-servers-enable
Description Enable or disable selecting the service-IP with the highest number of active
servers:
page 200
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
admin-ip
Description Allows you to assign administrative weights to IP addresses.
Default Disabled
Usage The prioritized list is sent to the next metric for further evaluation. If admin-ip
is the last metric, the prioritized list is sent to the client. To configure the list
of admin-preferred addresses for a service, use the admin-ip command at
the service configuration level for the GSLB zone. See “gslb zone” on
page 187.
admin-ip-enable
Description Enable or disable admin IP prioritization.
Syntax [no] admin-ip-enable
Default Disabled.
admin-preference
Description Enable or disable the Admin-Preference metric, which prefers the site whose
SLB device has the highest administratively set weight.
Default Disabled
page 201
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
Usage To set the GSLB Admin-Preference value for a site, use the admin-preference
command at the configuration level for the SLB device within the site. (See
“gslb site” on page 177.)
alias-admin-preference
Description Enable or disable the Alias Admin Preference metric, which selects the DNS
CNAME record with the highest administratively set preference. This metric
is similar to the Admin Preference metric, but applies only to DNS CNAME
records.
Default Disabled
Usage Metric order does not apply to this metric. When enabled, this metric always
has high priority.
1. At the configuration level for the GSLB service, use the admin-prefer-
ence preference command to assign an administrative preference to
the DNS CNAME record for the service. (See “gslb service-ip” on
page 174.)
2. At the configuration level for the GSLB policy:
• Use the alias-admin-preference command to enable the Alias
Admin Preference metric.
• Enable one or both of the following DNS options, as applicable to
your deployment (See “Alias-Admin-Preference” on page 87):
•DNS backup-alias
•DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup
option on the service. (See “gslb service-ip” on page 174.)
page 202
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
auto-map
Description Enable auto-mapping of the specified resource type within the policy.
Parameter Description
module-disable Specify what resource-types you want to disable auto-map-
resource-type ping for. For more information, see “gslb system auto-map
module” on page 181.
bw-cost
Description Configure the BW-Cost metric. This mechanism queries the bandwidth utili-
zation of each site, and selects the site(s) whose bandwidth utilization has
not exceeded a configured threshold during the most recent query interval.
[no] bw-cost fail-break
The bandwidth cost fail-break enables GSLB to stop if the current BW-Cost
value is over the limit. The fail-break action depends on whether the GSLB
controller is running in proxy mode or server mode:
NOTE: Use the bw-cost-enable command to enable selection of the site with
the smallest bandwidth cost.
Default Disabled
page 203
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
bw-cost-enable
Description Enable selection of the site with the smallest bandwidth cost.
Default Disabled.
capacity
Description Configure the TCP/UDP Session-Capacity metric. This mechanism provides
a way to shift load away from a site before the site becomes congested.
Example:
Site A’s maximum session capacity is 800,000 and Site B’s maximum
session capacity is 500,000. If the Session-Capacity threshold is set to 90,
then for Site A the capacity threshold is 90% of 800,000, which is 720,000.
Likewise, the capacity threshold for Site B is 90% of 500,000, which is
450,000.
page 204
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
Parameter Description
enable Enables selection of the service-IP with the highest
available connection capacity.
fail-break Enables GSLB to stop if the session utilization on all
site SLB devices is over the threshold. The fail-
break action depends on whether the GSLB control-
ler is running in proxy mode or server mode:
Default Disabled. See descriptions for default values when the capacity metric is
enabled.
Usage This metric requires the GSLB protocol to be enabled both on the GSLB con-
troller and on the site ACOS devices.
Example The following command enables the capacity metric at the default value of
90% utilization of TCP/UDP session capacity:
page 205
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
connection-load
Description Configure the Connection-Load metric, which prefers sites that have not
exceeded their thresholds for new connections.
Parameter Description
enable Enables the Connection-Load metric.
fail-break Enables GSLB to stop if the connection load for all sites is over the limit. Fail-
break action depends on whether the GSLB controller runs in proxy mode or
server mode:
Default Disabled. See descriptions for default values when the Connection-Load
metric is enabled.
Usage This command applies only to GSLB selection of a site. The command does
not affect the number of connections the site ACOS device itself allows.
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site ACOS devices.
Example The following command sets the connection load limit to 1000 new connec-
tions:
page 206
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
dns action
Description The dns action command enables GSLB to perform the DNS actions speci-
fied in the service configurations.
To configure the DNS action for a service, use the action action-type
command at the configuration level for the service. See “gslb zone” on
page 187.
Default Disabled
Example This command enables GSLB to perform the DNS actions specified in ser-
vice configurations.
dns active-only
Description The dns active-only command removes IP addresses from DNS replies
when those addresses fail health checks. If none of the IP addresses in the
DNS reply pass the health check, the ACOS device does not use this metric,
because it results in an empty address list.
The fail-safe option returns a list of server IP addresses for failed servers
to the client. Without this option, IP addresses of failed servers are omitted
from the reply.
The no dns active-only command restores the default mode of disabling
the removal of IP addresses that fail health checks from DNS replies.
page 207
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
Parameter Description
MODE Specifies the information returned to the client. Valid options
include:
Default Disabled.
Example This command programs the ACOS device to remove IP address from DNS
of device that fail health check. The address of failed devices are not
returned to the client.
Example This command programs the ACOS device to remove IP address from DNS
of device that fail health check and returns the address list of failed devices
to the client.
Example This command sets the ACOS device to ignore health check failure in its
DNS replies.
page 208
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
dns addition-mx
Description The dns addition-mx command programs the ACOS device to append MX
records in the additional section of replies for A records when the device is
configured for DNS proxy or cache mode.
Default Disabled
Example This command programs the ACOS device to append MX records to the
additional section of replies for A records.
Example The command resets the ACOS device default of not appending MX records.
dns auto-map
Description The dns auto-map command enables the automatic creation of A and
AAAA records for IP resources configured on the ACOS device.
Default Disabled
Example The following command enables the automatic creation of A and AAAA
records for IP resources configured on the ACOS device.
page 209
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
Example The command disables the automatic creation of A and AAAA records.
dns backup-alias
Description The dns backup-alias command returns the alias CNAME record config-
ured for the service, if GSLB does not receive an answer to a query for the
service and no active DNS server exists. This option is valid in server mode
or proxy mode.
To configure the backup alias for a service within a zone, use the dns-cname-
record command at the configuration level for the service.
Default Disabled.
Example This command configures the ACOS device to return the alias CNAME
record configured for the service when GSLB does not receive an answer to
a query for the service when no active DNS server exists.
Example This command configures the ACOS device to not return the alias CNAME
record configured for the service when GSLB does not receive an answer to
a query for the service when no active DNS server exists.
page 210
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
page 211
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
dns backup-server
Description The dns backup-server command designates one or more backup servers
that can be returned to the client if the primaries should fail.
Default Disabled.
Example This command designates the ACOS device as a backup server that can be
returned to the client if the primaries should fail.:
page 212
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
dns cache
Description The dns cache command enables the GSLB ACOS device to cache DNS
replies. The ACOS device uses information in the cached DNS entries to reply
to subsequent client requests, as opposed to sending a new DNS request for
every client query.
When this option is enabled, the ACOS device caches a DNS reply for the
duration of the TTL in the reply when the aging time parameter is set to zero.
To override the entry TTL, set the cache aging time to a value greater than
zero.
The no dns cache command disables the GSLB ACOS device from caching
DNS replies.
Parameter Description
DURATION Specifies site location mode. Valid options include
Default Disabled.
Example The following command enables the caching of DNS replies and set the TTL
to the period specified in the reply.
page 213
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
Example This command resets the TTL to the period set to the period specified in the
reply.
Example The command disables the GSLB ACOS device from caching DNS replies.
dns cname-detect
Description The dns cname-detect command enables CNAME response mode. When
the ACOS device is in CNAME response mode, it applies the zone and service
policy to the CNAME record instead of applying it to the address record.
When CNAME response mode is disabled, the zone and service policy is
applied to the address record. Executing this command restores the CNAME
response mode setting of enabled.
Default Enabled
page 214
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
ACOS(config-policy:OXYGEN)#
dns delegation
Description The dns delegation command enables sub-zone delegation mode. When in
sub-zone delegation mode, the device delegates authority or responsibility
for a portion of the DNS name space from the parent domain to a separate
sub-domain which may reside on one or more remote servers and may be
managed by someone other than the network administrator who is responsi-
ble for the parent zone. (see “DNS Sub-zone Delegation” on page 99.)
Default Disabled.
page 215
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
dns external-ip
Description The dns external-ip command returns the external IP address configured
for a service IP. If this option is disabled, the internal address is returned
instead..
The external IP address must be configured on the service IP. Use the
external-ip command at the configuration level for the service IP.
Default Enabled.
Example These commands disable the option of returning the external IP address
configured for a service IP address.
Example These commands enable the option of returning the external IP address con-
figured for a service IP address.
page 216
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
dns external-soa
Description The dns external-soa command programs the ACOS device to replace the
internal SOA record with an external SOA record, preventing external clients
from gaining accessing internal information.
The external SOA record must be configured in the GSLB zone. (Use the
external-soa record command at the GSLB zone configuration level.)
The no dns external-soa command disables this option. When this option
is disabled, the internal address is returned.
Syntax dns external-soa
no dns external-soa
Default Disabled.
Example These commands programs the ACOS device to replace the internal SOA
record with an external SOA record.
Example This command programs the ACOS device to return the internal address..
page 217
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
dns geoloc-action
Description The dns geoloc-action command programs the ACOS device to perform
the DNS traffic handling action specified for the client’s geo-location. The
action is specified as part of service configuration in a zone.
To configure the DNS action for a service, use the geo-location location-
name action-type command at the configuration level for the service. See
“gslb zone” on page 187.
The no dns geoloc-action command restores the default value, where the
ACOS device does not performing the DNS traffic handling action.
Syntax dns geoloc-action
no dns geoloc-action
Default Default.
Example These commands programs the ACOS device to perform the DNS traffic
handling action specified for the client’s geo-location.
Example This command programs the ACOS device to not perform the DNS traffic
handling action specified for the client’s geo-location.
page 218
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
dns geoloc-alias
Description The dns geoloc-alias command configures the ACOS device to return the
alias name configured for the client’s geo-location.
Default Disabled.
Example These commands configure the ACOS device to return the alias name con-
figured for the client’s geo-location.
Example This command programs the ACOS device to not return alias name config-
ured for the client’s geo-location.
page 219
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
dns geoloc-policy
Description The dns geoloc-policy command configures the ACOS device to use the
GSLB policy assigned to the client’s geo-location.
Default Disabled.
Description These commands configure the ACOS device to use the GSLB policy
assigned to the client’s geo-location.
Example The no dns geoloc-policy command configures the ACOS device to not
use the GSLB policy assigned to the client’s geo-location.
Example This command configures the ACOS device to not use the GSLB policy
assigned to the client’s geo-location.
page 220
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
dns hint
Description The dns hint command manages the appearance of hints that appear in the
Additional Section of DNS responses. Hints are A or AAAA records that are
sent in the response to a client’s DNS request. These records provide a map-
ping between the host names and IP addresses.
The hint option applies to the following record types: NS, MX, and SRV.
The no dns action command restores the default value of appending hints
in the Additional section, which is equivalent to the addition option.
Parameter Description
LOCATION Specifies the section where hints are appended. Options include:
Example These commands configure the ACOS device to append hints in the Answer
section of the DNS response.
Example This command configure the ACOS device to not append hints to the DNS
response.
Example This command configures the ACOS device to append hints in the Answer
section of the DNS response.
page 221
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
dns ip-replace
Description The dns ip-replace command configures the ACOS device to replace the IP
addresses in DNS replies with the service IP addresses configured for the
service.
Default Disabled.
Example These commands configure the ACOS device to replace the IP addresses in
DNS replies with the service IP addresses configured for the service.
Example This command restores the ACOS default behavior of not replacing the IP
addresses in DNS replies with the service IP addresses configured for the
service.
page 222
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
The dns ipv6 mapping command restores the default behavior of not
using AAAA records to respond to IPv6DNS queries.
Parameter Description
ACTION Specifies response actions to IPv6 DNS queries. Valid options
include:
Default Disabled.
Example These commands program the ACOS device to append AAAA records in the
DNS Addition section of replies to IPv6 DNS queries.
Example This command programs the ACOS device to append AAAA records in the
DNS Answer section of replies to IPv6 DNS queries.
page 223
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
ACOS(config-policy:OXYGEN)#
Example This command programs the ACOS device to replace A record with AAAA
records in response to IPv6 DNS queries.
Example This command programs the ACOS device to use AAAA records only in
response to IPv6 DNS queries.
Example This command programs the ACOS device to not use AAAA records respond
to IPv6 DNS queries.
The no dns ipv6 mix command disables the ability to return AAAA and A
records in the same response.
Default Disabled
Example These commands configure the ACOS device to return AAAA and A records
in the same response.
page 224
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
Example This command disables the ability to return AAAA and A records in the same
response.
Default Default.
page 225
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
dns logging
Description The dns logging command enables DNS logging and specifies the mes-
sages that are logged.
Parameter Description
MESSAGE Specifies the information returned to the client. Valid options
include:
Example These commands enable DNS logging of neither query nor response mes-
sages.
page 226
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
Example This command enables DNS logging of response and query messages.
The no dns proxy block <query> command removes the ACOS device’s
DNS query block. The command requires a record list identical to the list of
records currently blocked.
Parameter Description
ATTRIBUTE_X Specifies information returned to the client. The command must
list at least one attribute and may include more than one.
Options include:
• a
• aaaa
• mx
• ns
• srv
• cname
• ptr
• soa
• txt
Default Disabled.
page 227
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
Example These commands program the ACOS device to block DNS queries with A
and AAAA records.
Example This command attempts to remove A records from the list of DNS queries
the ACOS device is programmed to block.
Example This command removes the DNS query capacity of the ACOS device.
page 228
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
The no dns proxy block <type> command restores the delivery of the
specified DNS queries.
Parameter Description
TYPE-LIST Specifies the information returned to the client. Valid options
include:
Example These commands block DNS queries of type 56, 58, and 60-69.
Example This command removes the types 63 to 67 from the DNS query block.
page 229
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
The no dns proxy block action command restores the default value.
Parameter Description
DISPOSITION Specifies the information returned to the client. Valid options
include:
• drop
• reject
• ignore
dns selected-only
Description The dns selected-only command enables return of only selected IP
addresses. The command specifies a limit of records that can be returned
page 230
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
after a record is selected. When the number of records exceed the config-
ured value, GSLB ignores this configuration.
Parameter Description
num-record Specifies the limit of records that are returned. Valid options
include:
Default Disabled.
Example These commands enable the return of 32 records after receiving a query
from a selected IP address.
dns server
Description The dns server command enables a GSLB ACOS device to act as a DNS
server for specific service IPs in the GSLB zone. When this setting is enabled,
the device responds directly to address queries for specific service IP
addresses in the GSLB zone. The ACOS device still forwards other types of
queries to the DNS server.
When using this command, the dns cname-detect command is not required.
When a client requests a configured alias name, GSLB applies the policy to
the CNAME records. The server option is not valid with the ip-replace
option. They are mutually exclusive.
page 231
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
When using this command, you also must enable the static option on the
individual service IP. (To configure the service IP addresses, use the
service-ip command at the configuration level for the service. See “gslb
zone” on page 187.)
The no dns server command disables the GSLB ACOS device from acting
as a DNS server for specific service IPs in the GSLB zone.
Parameter Description
RECORD_X Specifies the limit of records that are returned. Valid options include:
Default Disabled
Example The following command modifies the policy to program the ACOS device to
act as a DNS server for mail server and name server records.
page 232
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
Example These commands disables the DNS server function on devices upon which
the policy is applied.
dns sticky
Description The dns sticky command programs device to send the same service IP
address to a client for all requests from that client for the service address.
Sticky DNS ensures that, during the aging-time, a client is always directed to
the same site.
The prefix length options adjusts the granularity of the feature. The default
prefix length (32 for IPv4, 128 for IPv6) causes the ACOS device to maintain
separate stickiness information for each local DNS server. For example, if
two clients use DNS 10.10.10.25 as their local DNS server, and two other
clients use DNS 10.20.20.99 as their local DNS server, the ACOS maintains
separate stickiness information for each set of clients, by maintaining
separate stickiness information for each of the local DNS servers.
When the sticky option is enabled, the sticky time must be at least as long
as the zone TTL as defined by the ttl command at the zone configuration
level. (“gslb zone” on page 187.)
Parameter Description
MASK-V4 Specifies the IPv4 mask size. Valid options include:
page 233
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
Parameter Description
MASK-V6 Specifies the IPv6 mask size. Valid options include:
Default Disabled.
When the option is enabled, the default prefix is /32, the default aging time is
5 minutes, and the default IPv6 mask length is 128.
Usage If more than one of the following options are enabled, GSLB uses them in the
order listed:
1. sticky
2. server
3. cache
4. proxy (The command does not have a separately configurable “proxy”
option. The proxy option is automatically enabled when you configure
the DNS proxy.)
The site address selected by the first option that is applicable to the client
and requested service is used.
Example These commands enables DNS sticky and establishes default values for
aging time and the masks.
Example This command configures non-default values for the aging time and masks.
Example This command modifies IPv4 mask size without changing the other parame-
ters.
page 234
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
Example This command explicitly changes the parameter values to their defaults.
dns ttl
Description The dns ttl command programs the ACOS device to change the TTL of each
DNS record in DNS replies received from the DNS for which the device is a
proxy.
The dns use-server-ttl command programs the device to use the time-to-
live value in the DNS server response instead of replacing it with a specified
value.
The no dns ttl and no dns use-server-ttl command restores the default
value of 10 seconds. The latter command is available only when dns use-
server-ttl is configured.
page 235
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
no dns ttl
dns use-server-ttl
Parameter Description
DURATION Specifies the new TTL value (seconds). Value ranges from 0 to 1000000000 (one
billion).
Default 10 seconds.
Example These commands program the device to change TTL for DNS replies to 30
secs.
Example This command programs the device to use TTL from DNS records in DNS
replies.
Example This command programs the device to change TTL for DNS replies to 10
seconds.
For DNS queries, not all requests use a third-party resolver that is in close
topographical proximity to themselves. Some recursive resolvers use an
extra EDNS field in DNS messages to forward details about where a network
query is coming from. ACOS can read the extra EDNS-Client-Subnet field and
provide more specific topological geo-location features for DNS queries in
GSLB.
page 236
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
Default Disabled.
Usage This command allows ACOS to read the extra field in DNS messages, and to
provide more specific topological geo-location features for DNS queries,
based on the client’s subnet. The information in the EDNS field is checked
against configured geo-location databases first.
The following commands configure example GSLB sites and their respective
geo-locations and SLB servers with virtual servers.
ACOS(config)# gslb site usa
ACOS(config-gslb site:usa)# geo-location site1
ACOS(config-gslb site:usa)# slb-dev acos1 10.10.10.10
ACOS(config-gslb site:usa-slb dev:acos1)# vip-server vs1
ACOS(config-gslb site:usa-slb dev:acos1)# exit
ACOS(config-gslb site:usa)# exit
ACOS(config)# gslb site china
ACOS(config-gslb site:china)# geo-location site2
ACOS(config-gslb site:china)# slb-dev acos2 200.20.20.20
page 237
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
geo-location
Description Configure a geographic location. GSLB forwards client requests from IP
addresses within the location’s range to the GSLB site that serves the loca-
tion.
Syntax [no] geo-location location-name
Command Description
ip start-ipv4-addr Specify the beginning IP address and subnet mask or ending IP
{mask ipv4-mask | end-ipv4-addr} address for an IPv4 address range.
ipv6 start-ipv6-addr Specify the beginning IP address and subnet mask or ending IP
{mask ipv6-mask | end-ipv6-addr} address for an IPv6 address range.
Default None.
Usage To prefer the location configured with this command over a globally config-
ured location, use the gslb policy geo-location match-first policy com-
mand. (See “geo-location-match” on page 239.)
page 238
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
geo-location-match
Description Configure the policy to prefer either the globally configured geo-location or
the one configured in this policy. If a client IP address matches the IP ranges
in a globally configured location and in a location configured in this policy,
the geo-location match-first command specifies which matching geo-
location to use.
Parameter Description
match-first {global | policy} Configure policy to prefer either the globally configured geo-location
or the one configured in the policy. If a client IP address matches IP
ranges in a globally configured location and in a location configured
in the policy, the command specifies the geo-location that is used.
Usage If you suspect a public IP address in your domain is not unique and the same
IP address may be associated with different hosts, you can enable the geo-
location overlap option. This causes the ACOS device to search the geo-loca-
tion database for the match best (or longest matching IP address). Other-
wise, the ACOS device will use its default behavior, which is to scan the
specified geo-location database using the “match first” algorithm, which
page 239
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
Example The following command configures the GSLB controller to prefer locations
configured in this policy:
geographic
Description Enable or disable the Geographic metric. The Geographic metric prefers
sites that are within the geographic location of the client.
Default Enabled
health-check
Description Enable or disable the Health-Check metric. The Health-Check metric prefers
sites that pass their health checks.
Default Enabled
Usage This metric requires the GSLB protocol to be enabled both on the GSLB con-
troller and site ACOS devices, if the default health checks are used on the ser-
vice IPs.
If you use a custom health monitor, or you explicitly apply the default Layer 3
health monitor to the service, the GSLB protocol is not used for any of the
page 240
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
health checks. In this case, the GSLB protocol is not required to be enabled
on the site ACOS devices, although use of the protocol is still recommended.
ip-list
Description Use an IP list to exclude a set of IP addresses from aRDT polling.
Default None
Example The following commands configure a GSLB IP list and use the list to exclude
IP addresses from an RDT data collection:
least-response
Description Enable or disable the Least-Response metric, which prefers VIPs that have
the fewest hits.
Default Disabled
page 241
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
metric-fail-break
Description Enable GSLB to stop if there are no valid service IPs.
Default Disabled
metric-force-check
Description Force the GSLB controller to always check all metrics in the policy.
Default By default, the GSLB controller stops evaluating metrics for a site once a
metric comparison definitively selects or rejects a site.
metric-order
Description Configure the order in which the GSLB metrics in this policy are used.
Parameter Description
metric [metric ...] One or more of the following metrics:
active-rdt
active-servers
admin-ip
admin-preference
bw-cost
capacity
connection-load
geographic
health-check
least-response
num-session
weighted-ip
weighted-site
page 242
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
4. Session-Capacity
5. Active-Servers
6. aRDT
7. Geographic
8. Connection-Load
9. Num-Session
10.Admin-Preference
11.BW-Cost
12.Least-Response
13.Admin-IP
Usage The first metric you specify with this command becomes the primary metric.
If you specify additional parameters, they are used in the priority you specify.
All remaining metrics are prioritized to follow the metrics you specify.
The GSLB Controller uses each metric, in the order specified, to compare the
IP addresses returned in DNS replies to clients. If a metric is disabled, the
metric order does not change. The GSLB Controller skips the metric and
continues to the next enabled metric.
To display the metric order used in a policy, see “show gslb policy” on
page 260.
num-session
Description Configure the Num-Session metric, which evaluates a site based on availa-
ble session capacity and tolerance threshold compared to another site. Sites
that are at or below their thresholds of current available sessions are pre-
ferred over sites that are above their thresholds.
When dealing with smaller base numbers, a small fluctuation in the number
of available sessions can cause flapping from one site to another. Thus,
when configuring sites with smaller capacities, it is recommended to use a
larger tolerance number to prevent frequent flapping between preferred
sites.
Example Site A has 800,000 sessions available and Site B has 600,000 sessions avail-
able. If Num-Session is enabled, then Site A is preferred because it has a
larger number of available sessions than site B.
page 243
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
Default Disabled.
Usage The GSLB ACOS device considers site SLB devices to be equal if the differ-
ence in the number of available sessions on each device does not exceed the
tolerance percentage. The tolerance percentage ensures that minor differ-
ences in available sessions do not cause frequent, unnecessary, changes in
site preference.
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site ACOS devices.
page 244
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
num-session-enable
Description Enable or disable the Num-Session metric.
Default Disabled
round-robin
Description Configure the Round-Robin metric, which selects sites in sequential order.
Syntax [no] round-robin
Default Enabled
Usage The ACOS device uses Round-Robin to select a site at the end of the policy
parameters evaluation. This is true even if the Round-Robin metric is disa-
bled in the GSLB policy.
weighted-alias
Description Enable the Weighted Alias metric, which prefers CNAME records with higher
weight values over CNAME records with lower weight values. This metric is
similar to Weighted-IP, but applies only to DNS CNAME records.
Default Disabled
page 245
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
weighted-ip
Description Configure the Weighted-IP metric, which uses service IP addresses with
higher weight values more often than addresses with lower weight values.
The total-hits option will send requests to the service IP addresses that
have fewer hits first. After all service IP addresses have the same number of
hits, GSLB sends requests based on weight. This option is disabled by
default.
Use the weighted-ip-enable command to enable selection of the Service-Ip
by weighted preference.
Default Disabled
Usage As a simple example, assume that the Weighted-IP metric is the only ena-
bled metric, or at least always ends up being used as the tie breaker. The
total-hits option is disabled. IP address 10.10.10.1 has weight 4 and IP
address 10.10.10.2 has weight 2. During a given session aging period, the
first 4 requests go to 10.10.10.1, the next 2 requests go to 10.10.10.2, and so
on, (4 to 10.10.10.1, then 2 to 10.10.10.2).
Here is an example using the same two servers and weights, with the total-
hits option enabled. IP address 10.10.10.1 has weight 4 and total hits 8, and
IP address 10.10.10.2 has weight 2 and total hits 0. In this case, the first 4
requests go to 10.10.10.2, then the requests are distributed according to
weight. Four requests go to 10.10.10.1, then two requests go to 10.10.10.2,
page 246
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Policy Configuration Commands
and so on. To display the total hits for a service IP address, use the show
gslb service-ip command. (See “gslb service-ip” on page 174.)
weighted-ip-enable
Description Enable selection of the Service-Ip by weighted preference.
Default Disabled
weighted-site
Description Configure the Weighted-Site metric, which uses sites with higher weight val-
ues more often than sites with lower weight values.
The total-hits option will send requests to the service IP addresses that
have fewer hits first. After all service IP addresses have the same number of
hits, GSLB sends requests based on weight. This option is disabled by
default.
Default Disabled. When Weighted-Site metric is enabled, default weight of each site
is 1.
Usage As a simple example, assume that the Weighted-Site metric is the only ena-
bled metric, or at least always ends up being the tie breaker. Site A has
weight 4 and site B has weight 2. During a given session aging period, the
page 247
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Policy Configuration Commands FFee
e
This example uses the same two sites and weights, with the total-hits
option enabled: Site A has weight 4 with total hits 8; site B has weight 2 with
total hits 0. In this case, the first 4 requests go to site B, then requests are
sent as described above. Four requests go to site A, then 2 requests go to
site B, and so on.
weighted-site-enable
Description Enable selection of the Service-IP by weighted preference.
Syntax [no] weighted-site-enable
Default Disabled
page 248
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Show Commands
This section describes the GSLB show commands.
page 249
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
Parameter Description
match domain-name Displays cached DNS messages for the matched
domain.
service-name Displays cached DNS messages for the specified
service.
zone zone-name Displays cached DNS messages for the specified
zone.
Mode All
Example The following command displays cached DNS messages for service
“www.testme.com:http”:
Field Description
Zone GSLB zone name.
Service GSLB service.
Alias Alias, if configured, that maps to the DNS Canonical Name
(CNAME) for the service.
page 250
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Field Description
Len Length of the DNS message, in bytes.
TTL Number of seconds for which the cached message is still valid.
Mode All
Usage The show gslb config command can be used in shared partitions, L3V parti-
tions, and GSLB view.
When used within a shared partition, the show gslb config command can
include the following:
page 251
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
When used within a L3V partition, the show gslb config command can
include the following:
NOTE: When the show gslb config command is used within a L3V partition,
the following command completions are not supported: active-rdt,
dns, geo-location, protocol, system, and view.
When used in gslb-view, the show gslb config command can include the
following:
• group: Show GSLB Group configuration
• ip-list: Show GSLB IP list configuration
• policy: Show GSLB policy configuration
• site: Show GSLB site configuration
• template: Show GSLB template configuration
• zone: Show GSLB zone configuration
NOTE: When the show gslb config command is used in gslb-view, the fol-
lowing command completions are not supported: active-rdt, dns,
geo-location, protocol, service-ip, system, and view.
When using the new show gslb config command filters in L3V partitions,
only the following command completions are supported: group, ip-list, policy,
service-ip, site, template, and zone.
The following show gslb config command options are not supported in L3V
deployments, and by extension, not supported by the new gslb show
command enhancements: active-rdt, dns, geo-location, protocol, system and
view.
CLI Example
page 252
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Mode All
page 253
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
[file [file-name]]
Parameter Description
db [options] Displays the geo-location database. If you specify a geo-location name, only the
entries for that geo-location are shown. Otherwise, entries for all geo-locations
are shown.
• depth num – Specifies how many nodes within the geo-location data tree to
display. For example, to display only continent and country entries and hide
individual state and city entries, specify depth 2. By default, the full tree (all
nodes) is displayed.
• top num [percent [global]] – Display the top statistics for the selected
geo-location database.
page 254
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Parameter Description
rdt [options] Displays aRDT data for geo-locations. You can use the following options:
• geo-location-name – Displays aRDT data only for the specified GSLB geo-
location.
• site site-name – Displays aRDT data only for the specified GSLB site.
• depth num – Specifies how many nodes within the geo-location data tree to
display. For example, to display only continent and country entries and hide
individual state and city entries, specify depth 2.
Mode All
Usage The matched client IP address and the hits counter indicate the working sta-
tus of the geo-location configuration.
Example The following command shows the status of a geo-location db named “pc”:
Geo-location: arin
From To/Mask Last Hits Sub T P-Name
--------------------------------------------------------------------------------
0 21 G
ACOS#
Field Description
Geo-location Name of the geo-location.
From Beginning address in the address range assigned to the geo-
location.
To Ending address in the address range assigned to the geo-loca-
tion.
Last Client IP address that most recently matched the geo-location. If
the value is “empty”, no client addresses have matched.
Hits Total number of client IP addresses that have matched the geo-
location.
page 255
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
Field Description
Sub Number of sublocations within the geo-location. For example, if
you configure the following geo-locations, geo-location “pc” has
two sublocations, “pc.office” and “pc.lab”.
Example The following command shows the load status information for a geo-loca-
tion database file:
Global
Name From To/Mask Last Hits Sub T
------------------------------------------------------------------------------
NA (empty) (empty) (empty) 0 1 G
page 256
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Mode All
Example The following commands add a GSLB controller to the default GSLB group,
enable the device’s membership in the group, and display group information:
Field Description
Name Name of the GSLB controller group.
Pri Priority of the master controller.
page 257
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
Field Description
Attrs GSLB group attributes of this member:
• D – Member is disabled.
Field Description
Member GSLB controllers currently in the group.
The “local” member is the GSLB controller on which you entered this show command.
ID Group member ID assigned by the controller group feature.
Pri Priority of the GSLB controller.
page 258
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Field Description
Attrs GSLB group attributes of the member:
• D – Member is disabled.
• P – Member’s connection with this member (the member on which you enter the show gslb
group command) is passive.
The group connection between any two controller group members is a client-server connec-
tion. The group member that initiates the connection is the client, and has the passive side of
the connection. The other member is the server.
Note: Attributes are displayed only when at least two group members are connected.
Status When the GSLB group is starting up, this column shows the protocol status. After the group is
established, this column shows the group status.
Protocol status:
• Idle
• Active
• OpenSent
• OpenConfirm
• Established
• Ready
• FullSync/MasterSync
• Synced
Note: If the group status of the member is OK, this ACOS device (the one on which you entered
the command) knows of the member, but no connection between this ACOS device and the
member is required.
page 259
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
Mode All
Mode All
Mode All
Field Description
Policy name Name of the GSLB policy.
Type Name of the GSLB metric.
MO For GSLB metrics, indicates the order in which the metrics are
used.
Option Metric or option name.
En-Value For metric, indicates whether they are enabled (yes or no). For
options, indicates the value.
Description Description of the metric or option.
page 260
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Mode All
page 261
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
[geo-location
[active [geo-location-name ...]
[site site-name] [depth num]]
[slb-device
[active [geo-location-name ...]
[ip ipaddr [...]]] |
Parameter Description
geo-location Displays aRDT data based on geo-location. Optional parameter includes:
• geo-location-name – Displays aRDT data only for the specified GSLB geo-loca-
tion.
• site site-name – Displays aRDT data only for the specified GSLB site.
• depth num – Specifies how many nodes within the geo-location data tree to dis-
play. For example, to display only continent and country entries and hide individual
state and city entries, specify depth 2.
• ip ipaddr [...] – Displays aRDT data only for the specified clients.
Mode All
Usage All of the options except local-info are applicable when you enter the com-
mand on a GSLB ACOS device. To display local aRDT data on a site ACOS
device, enter the command on the site ACOS device and use the local-info
option.
Example Here is an example of the output for this command when entered on the
GSLB ACOS device:
page 262
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
IP TTL T| 1 2 3 4 5 6 7 8
------------------------------------------------------------------------------
10.10.10.2 10 A| 0 0 0 0 0 0 0 0
20.20.20.21 10 A| 41 40 29 46 38 42 34 30
192.168.217.1 10 A| 38 54 46 50 43 38
192.168.217.11 10 A| 41 40 29 46 38 42 34 30
Device: site2/local
IP TTL T| 1 2 3 4 5 6 7 8
------------------------------------------------------------------------------
10.10.10.2 10 A| 35 52 35 40 54 56 44 48
20.20.20.21 10 A| 20 20 16 16 20 16 20 18
192.168.217.1 10 A| 16 44 20 16 20 18
192.168.217.11 10 A| 20 20 16 16 20 16 20 18
This example shows the default display (with no additional options). The TTL
results are organized by site ACOS device, then by geo-location.
Field Description
Device Site ACOS device.
IP IP address at the other end of the aRDT exchange.
TTL Time-to-live for the Active-TT entry.
T RDT type, which can be A (aRDT).
1-8 Individual aRDT measurements (in units of seconds).
Geo-location Geo-location name for which aRDT measurements have been
taken.
Site GSLB site name within the geo-location.
T RDT type. (See descriptions above.)
page 263
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
Field Description
RDT Individual aRDT measurements (in units of seconds).
TS System time stamp of the aRDT measurement.
Parameter Description
service-name | vipaddr Specifies the service name or service IP.
port-num Specifies the virtual port.
range-start Specifies the range start.
range Collects samples only for the specified range of ser-
range-start range-end vice port numbers.
Mode All
Usage The number of connections on the site is sampled based on the GSLB status
interval. (This is configurable using the gslb protocol command. See “gslb
protocol” on page 170.) Samples are listed row by row. The first 7 samples
appear on row 1, the second 7 samples appear on row 2, and so on.
Example The following example shows connection activity for virtual port 80 on vir-
tual server “china”.
page 264
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Parameter Description
num-samples Number of connection-load samples to collect and display.
num-samples Number of seconds to wait between collection of each
sample.
service-name | Collects samples only for the specified service IP.
vipaddr
port-num Collects samples only for the specified service port num-
ber.
Mode All
In this example, five samples, taken at 5-second intervals, are shown for
each of four services (ip1:80 to ip4:80). Services are listed by service IP and
service port.
In each section, the numbers across the top are column numbers. The
numbers along the leftmost column are row numbers. The other numbers
are the actual connection load data. For example, for ip1:80 (service port 80
page 265
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
on service IP “ip1”), there were no connections during the first or second data
samples, and 11 connections during the third sample.
[geo-location
[active [geo-location-name ...]
[site site-name] [depth num]]
[slb-device
[active [geo-location-name ...]
[device-name] [ip A.B.C.D ...]]
[controller
[active [geo-location-name ...]
[device-name] [ip A.B.C.D ...]]
Parameter Description
geo-location Displays aRDT data based on geo-location. Optional parameter includes:
• geo-location-name – Displays aRDT data only for the specified GSLB geo-loca-
tion.
• site site-name – Displays aRDT data only for the specified GSLB site.
• depth num – Specifies how many nodes within the geo-location data tree to dis-
play. For example, to display only continent and country entries and hide individual
state and city entries, specify depth 2.
• ip ipaddr [...] – Displays aRDT data only for the specified clients.
Mode All
Usage Eight aRDT samples are displayed for each device. Times are shown in 10-
millisecond (ms) increments. In the example below, the first aRDT time for
Device1 is 50 ms.
page 266
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Parameter Description
cache Displays service information in the GSLB DNS
cache.
dns-a-record Displays Address records for GSLB services.
dns-cname-record Displays CNAME records for GSLB services.
dns-mx-record Displays MX records for GSLB services.
dns-ns-record Displays name server records for GSLB services.
dns-ptr-record Displays pointer records for GSLB services.
dns-srv-record Displays service records for GSLB services.
dns-txt-record Displays service records for GSLB services.
session Displays current GSLB sessions for services.
service-name Specifies a service name.
zone zone-name Specifies a zone name.
ip ipaddr Specifies a client host or subnet address. (This
{subnet-mask | option applies only to the session option.)
/mask-length}
Mode All
Example The following example shows CNAME information for zone “example.com”:
page 267
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
Mode All
Parameter Description
service-name | vipaddr Specifies the service name or VIP address.
local-info Shows local SLB virtual-server information.
statistics Shows GSLB statistics for the service-IP.
Example The following command shows information for the “beijing” service:
Field Description
Service-IP Device name and service IP name.
IP IP address of the service.
V Indicates whether the service IP is a virtual server IP address
(Y) or a real server IP address (N).
page 268
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Field Description
E Indicates whether the service IP is enabled.
State Indicates the service IP state: UP or DOWN.
P-Cnt Number of service ports on the service IP.
Hits Number of times the service IP has been selected.
Mode All
Example The following command shows information about all the configured GSLB
service ports.
Field Description
Service-Port Service IP address and service port number.
Attrs Indicates whether the service port is reached using the GSLB
protocol or the local (SLB) protocol.
State Indicates the service state: IP or DOWN.
Act-Svrs Number of active real servers for the service.
Curr-Conn Current number of connections to the service.
page 269
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
Parameter Description
service-name Specifies a service name.
ip ipaddr {subnet-mask Specifies a client host or subnet address.
| /mask-length}
match Specifies a domain name to match to when display-
ing session information.
zone zone-name Specifies a zone name.
Mode All
Parameter Description
site-name Displays information only for the specified site.
bw-cost Displays BW-Cost information.
statistics Displays statistics.
Mode All
Example The following command shows information for GSLB site “Site1”:
page 270
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
80 Up
2.1.1.11 Up 0
21 Up
80 Up
2.1.1.12 Up 0
21 Up
23 Up
80 Up
serverB (server) Up 0
3.1.1.10 80 Up
Field Description
Site GSLB site name.
Device/ Device name and device IP address or real server name and real
server server IP address.
VIP Virtual IP address for the service.
Vport Virtual port number.
State Virtual port state.
Hits Number of times the service IP was selected.
The following table describes the fields in the command output when the bw-
cost option is used.
Field Description
Site GSLB site name.
Template SNMP template name.
Current Current value of the SNMP object used for measurement.
Highest Highest value of the SNMP object used for measurement.
Limit Limit configured for the BW-Cost metric.
U Indicates whether the site is usable, based on the BW-Cost mea-
surement.
Type Data type of the SNMP object.
Len Data length of the SNMP object.
Value Value of the SNMP object.
TI Time interval between measurements.
page 271
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
The following table describes the fields in the command output when the
statistics option is used.
Field Description
Site GSLB site name.
Hits Number of times the site was selected.
Last Site that was most recently selected.
Parameter Description
device-name Displays information only for the specified SLB device.
local-info Displays local SLB device information on a site SLB device.
rdt options Displays aRDT data based on SLB device. Optional parameter includes:
• ip ipaddr [...] – Displays aRDT data only for the specified clients.
Mode All
Example The following command shows information about SLB device “Device1”:
page 272
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Field Description
Device Site name and device name.
IP SLB device’s IP address.
APF Administrative preference for the device.
Sesn-Uzn Current session utilization on the device.
Sesn-Num Number of sessions available on the device.
Sub-Cnt Number of service IPs on the device.
Mode All
Usage To collect state information, enable GSLB debugging and use the state
option. (See the example below.)
Example The following commands enable GSBL debugging with retention of state
information, and initiate display of the state information:
Mode All
page 273
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
Usage The show gslb statistics message command shows the same output as
the show gslb protocol command. Similarly, the show gslb statistics
site command shows the same output as the show gslb site statistics
command, and the show gslb statistics zone command shows the same
output as the show gslb zone statistics command.
Example The following command shows statistics for the GSLB protocol:
page 274
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Parameter Description
zone-name Displays information only for the specified zone.
dns-info Displays the DNS information for the zone.
dns-mx-record Displays the MX records for the zone(s).
dns-ns-record Displays the name server records for the zone(s).
dns-soa-record Displays the start-of-authority records for the
zone(s).
site Displays statistics for the zone(s) by related site.
statistics Displays statistics for the zone(s).
Mode All
page 275
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Show Commands FFee
e
Field Description
Zone Zone name.
Service Service type and service name.
Policy GSLB policy name.
TTL DNS TTL value set by GSLB in DNS replies to queries for the zone
address.
Field Description
Owner Zone and service name to which the MX record belongs.
MX-Record Name of the MX record.
Pri Priority (preference) set for the MX record.
Hits Number of times the record has been used.
Last Most recent time the record was used.
page 276
ACOS 4.1.1-P11 Global Server Load Balancing Guide
Feedback
Show Commands
Field Description
GSLB Zone Zone name.
Total Number of Services configured Number of GSLB services configured for the zone.
Service Service type and service name.
Rcv-query Number of DNS queries received for the service.
Sent-resp Number of DNS replies sent to clients for the service.
M-Proxy Number of DNS replies sent to clients by the ACOS device as a DNS
proxy for the service.
M-Cache Number of cached DNS replies sent to clients by the ACOS device for
the service. (applies only if the DNS cache option is enabled in the pol-
icy.)
M-Svr Number of DNS replies sent to clients by the ACOS device as a DNS
server for the service. (This statistic applies only if the DNS server
option is enabled in the policy.)
M-Sticky Number of DNS replies sent to clients by the ACOS device to keep the
clients on the same site. (This statistic applies only if the DNS sticky
option is enabled in the policy.)
M-Backup Number of DNS replies sent to clients by the ACOS device using a
backup record.
page 277
ACOS 4.1.1-P11 Global Server Load Balancing Guide
FeedbackFF
Clear Command FFee
e
Clear Command
The following GSLB clear command is available:
• clear gslb
clear gslb
Description Clear statistics or reset functions. Sub-command parameters are required
for specific sub-commands.
Options Description
all Clears all GSLB statistics.
cache Clears the GSLB DNS cache.
debug Clears debug statistics.
fqdn Clears FQDN statistics.
geo-location Clears geo-location statistics.
group Clears GSLB group statistics.
ip-list Clears IP-list statistics.
memory Clears memory statistics.
protocol Clears GSLB protocol statistics.
rdt Clears RDT samples.
samples Clears aRDT samples.
server Clears server statistics.
service Clears service statistics.
service-group Clears service group statistics
service-group-session Clears service-group-session statistics
session Clears GSLB sessions.
site Clears site statistics.
slb-device Clears SLB device samples.
statistics options Clears message, site, or zone statistics.
zone Clears zone statistics.
page 278
ACOS 4.1.1-P11 Global Server Load Balancing Guide
page 279
CONTACT US
2 a10networks.com/contact