AX GSLB Guide v2 7 0-20121010 PDF


Global Server Load Balancing Guide

AX Series Advanced Traffic Manager


Document No.: D-030-01-00-0029
Ver. 2.7.0 10/10/2012

A10 Networks, Inc. 10/10/2012 - All Rights Reserved

Information in this document is subject to change without notice.


Trademarks
A10 Networks, the A10 logo, aACI, aCloud, ACOS, aDCS, aDNS, aELB, aFleX, aFlow, aGalaxy, aPlatform, aUSG, aVCS,
aWAF, aXAPI, IDAccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX, Unified Service Gateway, Virtual Chassis, VirtualADC, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of
their respective owners.

Patents Protection
A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents pending: 8291487, 8266235, 8151322, 8079077, 7979585, 7716378, 7675854, 7647635, 7552126, 20120216266,
20120204236, 20120179770, 20120144015, 20120084419, 20110239289, 20110093522, 20100235880, 20100217819,
20090049537, 20080229418, 20080148357, 20080109887, 20080040789, 20070283429, 20070282855, 20070271598,
20070195792, 20070180101

Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas
herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written
consent of A10 Networks, Inc. This information may contain forward looking statements and therefore is subject to change.

A10 Networks Inc. Software License and End User Agreement


Software for all AX Series products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to
treat Software as confidential information.
Anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not:
1) reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means
2) sublicense, rent or lease the Software.

Disclaimer
The information presented in this document describes the specific products noted and does not imply nor grant a guarantee
of any technical performance nor does it provide cause for any eventual claims resulting from the use or misuse of the products described herein or errors and/or omissions. A10 Networks, Inc. reserves the right to make technical and other changes
to their products and documents at any time and without prior notification.
No warranty is expressed or implied; including and not limited to warranties of non-infringement, regarding programs, circuitry, descriptions and illustrations herein.

Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types,
please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10
Networks location, which can be found by visiting www.a10networks.com.

AX Series - GSLB Configuration Guide


End User License Agreement


IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. DOWNLOADING, INSTALLING OR USING A10 NETWORKS OR A10
NETWORKS PRODUCTS, OR SUPPLIED SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT.
A10 NETWORKS IS WILLING TO LICENSE THE PRODUCT (AX Series) TO YOU
ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE EQUIPMENT THAT CONTAINS THIS SOFTWARE, YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU
REPRESENT (COLLECTIVELY, "CUSTOMER") TO THIS AGREEMENT. IF YOU
DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, THEN A10
NETWORKS IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND DO
NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.
The following terms of this End User License Agreement ("Agreement") govern Customer's access and use of the Software, except to the extent there is a separate
signed agreement between Customer and A10 Networks governing Customer's use
of the Software.
License. Conditioned upon compliance with the terms and conditions of this Agreement, A10 Networks Inc. or its subsidiary licensing the Software instead of A10 Networks Inc. ("A10 Networks"), grants to Customer a nonexclusive and
nontransferable license to use for Customer's business purposes the Software and
the Documentation for which Customer has paid all required fees. "Documentation"
means written information (whether contained in user or technical manuals, training
materials, specifications or otherwise) specifically pertaining to the product or products and made available by A10 Networks in any manner (including on CD-Rom, or
on-line).
Unless otherwise expressly provided in the Documentation, Customer shall use the
Software solely as embedded in or for execution on A10 Networks equipment owned
or leased by Customer and used for Customer's business purposes.
General Limitations. This is a license, not a transfer of title, to the Software and
Documentation, and A10 Networks retains ownership of all copies of the Software
and Documentation. Customer acknowledges that the Software and Documentation
contain trade secrets of A10 Networks, its suppliers or licensors, including but not
limited to the specific internal design and structure of individual programs and associated interface information. Accordingly, except as otherwise expressly provided
under this Agreement, Customer shall have no right, and Customer specifically
agrees not to:
a. transfer, assign or sublicense its license rights to any other person or entity,
or use the Software on unauthorized or secondhand A10 Networks equipment
b. make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do
the same

Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

3 of 260

c. reverse engineer or decompile, decrypt, disassemble or otherwise reduce
the Software to human readable form, except to the extent otherwise
expressly permitted under applicable law notwithstanding this restriction
d. disclose, provide, or otherwise make available trade secrets contained
within the Software and Documentation in any form to any third party without the prior written consent of A10 Networks. Customer shall implement
reasonable security measures to protect such trade secrets.

Software, Upgrades and Additional Products or Copies. For purposes of this
Agreement, "Software" and Products shall include (and the terms and conditions of
this Agreement shall apply to) computer programs, including firmware and hardware, as provided to Customer by A10 Networks or an authorized A10 Networks
reseller, and any upgrades, updates, bug fixes or modified versions thereto (collectively, "Upgrades") or backup copies of the Software licensed or provided to Customer by A10 Networks or an authorized A10 Networks reseller.
OTHER PROVISIONS OF THIS AGREEMENT:
a. CUSTOMER HAS NO LICENSE OR RIGHT TO USE ANY ADDITIONAL
COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF
ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID
LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID THE APPLICABLE FEE FOR THE UPGRADE OR ADDITIONAL COPIES
b. USE OF UPGRADES IS LIMITED TO A10 NETWORKS EQUIPMENT FOR
WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR
LEASEE OR WHO OTHERWISE HOLDS A VALID LICENSE TO USE THE
SOFTWARE WHICH IS BEING UPGRADED
c. THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY.

Term and Termination. This Agreement and the license granted herein shall remain
effective until terminated. All confidentiality obligations of Customer and all limitations of liability and disclaimers and restrictions of warranty shall survive termination
of this Agreement.
Export. Software and Documentation, including technical data, may be subject to
U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges
that it has the responsibility to obtain licenses to export, re-export, or import Software and Documentation.

Limited Warranty
Disclaimer of Liabilities. REGARDLESS OF ANY REMEDY SET FORTH FAILS
OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL A10 NETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT,
OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL,
OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE
DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE
PRODUCT OR OTHERWISE AND EVEN IF A10 NETWORKS OR ITS SUPPLIERS
OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
In no event shall A10 Networks or its suppliers' or licensors' liability to Customer,
whether in contract, (including negligence), breach of warranty, or otherwise, exceed
the price paid by Customer for the Software that gave rise to the claim or if the Software is part of another Product, the price paid for such other Product.
Customer agrees that the limitations of liability and disclaimers set forth herein will
apply regardless of whether Customer has accepted the Software or any other product or service delivered by A10 Networks. Customer acknowledges and agrees that
A10 Networks has set its prices and entered into this Agreement in reliance upon the
disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the parties (including the risk that a contract
remedy may fail of its essential purpose and cause consequential loss), and that the
same form an essential basis of the bargain between the parties.
The Warranty and the End User License shall be governed by and construed in
accordance with the laws of the State of California, without reference to or application of choice of law rules or principles. If any portion hereof is found to be void or
unenforceable, the remaining provisions of the Agreement shall remain in full force
and effect. This Agreement constitutes the entire and sole agreement between the
parties with respect to the license of the use of A10 Networks Products unless otherwise superseded by a written signed agreement.

Obtaining Technical Assistance


For all customers, partners, resellers, and distributors who hold valid A10
Networks Regular and Technical Support service contracts, the A10 Networks Technical Assistance Center provides support services online and
over the phone.

Corporate Headquarters
A10 Networks, Inc.
3 West Plumeria Dr
San Jose, CA 95134 USA
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support toll-free in USA)
Tel: +1-408-325-8676 (support direct dial)
Fax: +1-408-325-8666
www.a10networks.com

Collecting System Information


The AX device provides a simple method to collect configuration and status
information for Technical Support to use when diagnosing system issues.
To collect system information, use either of the following methods.

USING THE GUI (RECOMMENDED)


1. Log into the GUI.
2. On the main page (Monitor Mode > Overview > Summary), click the icon that downloads the system information. This option downloads a text log file.

3. Email the file as an attachment to support@A10Networks.com.

USING THE CLI


1. Log into the CLI.
2. Enable logging in your terminal emulation application, to capture output generated by the CLI.
3. Enter the enable command to access the Privileged EXEC mode of the
CLI. Enter your enable password at the Password prompt.
4. Enter the show techsupport command.
5. After the command output finishes, save the output in a text file.
6. Email the file as an attachment to support@A10Networks.com.
Note:
As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using
the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the AX Series CLI Reference.)
Because the collected output includes the device configuration, review it for sensitive values before sending it to support.

About This Document


This document describes features of the A10 Networks AX Series Application Delivery Controller.

Figure 1: AX 5630 (front panel view)

Information is available for AX Series products in the following documents.
These documents are included on the documentation CD shipped with your
AX Series product, and also are available on the A10 Networks support site:
AX Series Installation Guides
AX Series LOM Reference
AX Series System Configuration and Administration Guide
AX Series Application Delivery and Server Load Balancing Guide
AX Series Global Server Load Balancing Guide
AX Series GUI Reference
AX Series CLI Reference
AX Series aRule Reference
AX Series MIB Reference
AX Series aXAPI Reference

Make sure to use the basic deployment instructions in the AX Series Installation Guide for your AX model, and in the AX Series System Configuration
and Administration Guide. Also make sure to set up your device's Lights
Out Management (LOM) interface, if applicable.

Note:
Some guides include GUI configuration examples. In these examples,
some GUI pages may have new options that are not shown in the example
screen images. In these cases, the new options are not applicable to the
examples. For information about any option in the GUI, see the AX Series
GUI Reference or the GUI online help.

Audience
This document is intended for use by network architects for determining
applicability and planning implementation, and by system administrators
for provisioning and maintenance of A10 Networks AX Series products.

Documentation Updates
Updates to these documents are published periodically to the A10 Networks
support site, on an updated documentation CD (posted as a zip archive). To
access the latest version, please log onto your A10 support account and navigate to the following page: Support > AX Series > Technical Library.
http://www.a10networks.com

A10 Virtual Application Delivery Community


You can use your A10 support login to access the A10 Virtual Application
Delivery Community (VirtualADC). The VirtualADC is an interactive
forum where you can find detailed information from product specialists.
You also can ask questions and leave comments. To access the VirtualADC,
navigate here:
http://www.a10networks.com/adc/

Contents

End User License Agreement

Obtaining Technical Assistance
    Collecting System Information ..... 7

About This Document
    Audience ..... 10
    Documentation Updates ..... 10
    A10 Virtual Application Delivery Community ..... 10

GSLB Overview ..... 17
    GSLB Deployment Modes ..... 18
    Zones, Services, and Sites ..... 18
    GSLB Policy ..... 18
        Policy Metrics ..... 19
            Health Checks ..... 21
            Geo-Location ..... 22
            DNS Options ..... 23
            Metrics That Require the GSLB Protocol on Site AX Devices ..... 26

GSLB Configuration ..... 27
    Overview ..... 27
    Configure Health Monitors ..... 28
    Configure the DNS Proxy ..... 29
    Configure a GSLB Policy ..... 31
        Enabling / Disabling Metrics ..... 32
        Changing the Metric Order ..... 34
        Configuring Active-Round Delay Time ..... 35
        Configuring BW-Cost Settings ..... 42
            How Bandwidth Cost Is Measured ..... 42
            Configuration Requirements ..... 42
            Configuring Bandwidth Cost ..... 43
        Configuring Alias Admin Preference ..... 47
        Configuring Weighted Alias ..... 48
        Loading or Configuring Geo-Location Mappings ..... 49
            Geo-location Overlap ..... 57
    Configure Services ..... 61
        Gateway Health Monitoring ..... 62
            CLI Example: Site with Single Gateway Link ..... 65
            CLI Example: Site with Multiple Gateway Links ..... 65
        Multiple-Port Health Monitoring ..... 66
    Configure Sites ..... 67
    Configure a Zone ..... 69
    Enable the GSLB Protocol ..... 70
    Resetting or Clearing GSLB ..... 70

Auto-mapping ..... 73
    Configuration ..... 74

Advanced DNS Options ..... 77
    DNS Active-only ..... 78
    Support for DNS TXT Records ..... 80
    Append All NS Records in DNS Authority Section ..... 82
    Hints in DNS Responses ..... 83
    DNS Sub-zone Delegation ..... 85
    DNS Proxy Block ..... 91

Partition-specific Group Management ..... 97
    Implementation Details ..... 97

GSLB Configuration Examples ..... 99
    CLI Example ..... 99
        Configuration on the GSLB AX Device (GSLB Controller) ..... 99
        Configuration on Site AX Device AX-A ..... 101
        Configuration on Site AX Device AX-B ..... 101
    GUI Example ..... 102
        Configuration on the GSLB AX Device (GSLB Controller) ..... 102
        Configuration on Site AX Devices ..... 112

GSLB Configuration Synchronization ..... 113
    Overview ..... 113
    GSLB Group Parameters ..... 116
    Configuration ..... 117

Geo-location-based Access Control ..... 121
    Using a Class List ..... 121
    Using a Black/White List ..... 123
        Configuring the Black/White List ..... 123
    Full-Domain Checking ..... 128
        Full-Domain Checking ..... 129
        Enabling PBSLB Statistics Counter Sharing ..... 129

Cloud-based Computing Solution ..... 131

DNSSEC Support ..... 133
    Overview ..... 133
        DNS without Security ..... 134
        DNSSEC (DNS with Security) ..... 137
        Building the Chain of Trust ..... 140
        Performing Key Rollovers ..... 142
            ZSK Key Rollovers ..... 143
            KSK Key Rollovers ..... 144
        Importing and Exporting the Delegation Signature Keyset ..... 145
            DNSSEC Templates ..... 146
    Configuration ..... 148
    Configuration Examples ..... 151
        CLI Example #1 ..... 151
        CLI Example #2 ..... 151
        CLI Example #3 ..... 152
        CLI Example #4 ..... 152

CLI Command Reference ..... 153
    Main Configuration Commands ..... 153
        gslb active-rdt ..... 153
        gslb dns action ..... 155
        gslb dns logging ..... 155
        gslb geo-location ..... 156
        gslb geo-location delete ..... 157
        gslb geo-location load ..... 158
        gslb group ..... 159
        gslb ip-list ..... 161
        gslb ping ..... 162
        gslb policy ..... 163
        gslb protocol ..... 163
        gslb protocol limit ..... 165
        gslb service-ip ..... 166
        gslb site ..... 168
        gslb system auto-map module ..... 173
        gslb system auto-map ttl ..... 173
        gslb system ip-ttl ..... 174
        gslb system prompt ..... 174
        gslb system reset ..... 175
        gslb system wait ..... 175
        gslb template csv ..... 175
        gslb template snmp ..... 177
        gslb zone ..... 180
        no gslb all ..... 187
    Policy Configuration Commands ..... 188
        active-rdt ..... 188
        active-servers ..... 191
        admin-ip ..... 192
        admin-preference ..... 192
        alias-admin-preference ..... 193
        bw-cost ..... 193
        capacity ..... 194
        connection-load ..... 195
        dns ..... 197
        dnssec key-generate ..... 207
        export dnssec-dnskey ..... 208
        geo-location ..... 209
        geo-location match-first ..... 209
        geo-location overlap ..... 210
        geographic ..... 211
health-check ........................................................................................................................................ 211
import dnssec-dnskey .......................................................................................................................... 212
import dnssec-ds ................................................................................................................................. 213
ip-list .................................................................................................................................................... 214
least-response ..................................................................................................................................... 214
metric-fail-break ................................................................................................................................... 215
metric-force-check ............................................................................................................................... 215
metric-order ......................................................................................................................................... 215
num-session ........................................................................................................................................ 217
round-robin .......................................................................................................................................... 218
weighted-alias ...................................................................................................................................... 218
weighted-ip .......................................................................................................................................... 219
weighted-site ....................................................................................................................................... 220


Show Commands................................................................................................................................ 222


show gslb cache .................................................................................................................................. 222
show gslb config .................................................................................................................................. 223
show gslb fqdn ..................................................................................................................................... 227
show gslb geo-location ........................................................................................................................ 228
show gslb group ................................................................................................................................... 231
show gslb ip-list .................................................................................................................................... 234
show gslb memory ............................................................................................................................... 234
show gslb policy ................................................................................................................................... 234
show gslb protocol ............................................................................................................................... 236
show gslb rdt ........................................................................................................................................ 237
show gslb samples conn ...................................................................................................................... 239
show gslb samples conn-load .............................................................................................................. 240
show gslb samples rdt ......................................................................................................................... 242
show gslb service ................................................................................................................................. 243
show gslb service-ip ............................................................................................................................. 244
show gslb service-port ......................................................................................................................... 245
show gslb session ................................................................................................................................ 245
show gslb site ...................................................................................................................................... 246
show gslb slb-device ............................................................................................................................ 248
show gslb state .................................................................................................................................... 249
show gslb statistics .............................................................................................................................. 249
show gslb zone .................................................................................................................................... 250

Clear Command .................................................................................................................................. 254


clear ..................................................................................................................................................... 254

DNSSEC Commands .......................................................................................................................... 255


dnssec key-generate ............................................................................................................................ 255
dnssec template ................................................................................................................................... 256
dnssec sign-zone-now ......................................................................................................................... 257
show dnssec template ......................................................................................................................... 258

GSLB Overview
This chapter provides an overview of Global Server Load Balancing
(GSLB).
Global Server Load Balancing (GSLB) uses Domain Name Service (DNS)
technology and extends load balancing to global geographic scale.
AX Series GSLB provides the following key advantages:
- Protects businesses from down time due to site failures
- Ensures business continuity and application availability
- Provides faster performance and an improved user experience by directing
  users to the nearest site
- Increases data center efficiency and provides a better return on investment
  by distributing load to multiple sites
- Provides flexible policies for selecting fairness and distribution to
  multiple sites

In AX Release 2.7.0, no AX model or software version contains any code for
passive round-trip time (RTT), the time difference between receiving a TCP SYN
and a TCP ACK for a TCP connection, for GSLB. The code was completely removed
starting from 2.7.0 because no customer was using this round-trip-time
capability for GSLB.

In AX Release 2.7.0, the AX implementation of GSLB uses an array of fixed
active IP addresses and the A10 site selection algorithm illustrated in the
figure below, using an innovative method of iterative in-place marking.
No AX model or software version orders the multiple network addresses based
on a first set of performance metrics from the stored performance metrics,
nor performs any form of ordering or re-ordering of the network addresses for
GSLB. (See GSLB Policy on page 18.)


GSLB Deployment Modes

You can deploy GSLB in proxy mode or server mode.
- Proxy mode: The AX device acts as a proxy for an external DNS server. In
  proxy mode, the AX device can update the A and AAAA records in its response
  to client requests, but it forwards requests for all other record types to
  the external DNS server.
- Server mode: The AX device directly responds to queries for specific
  service IP addresses in the GSLB zone. (The AX device still forwards other
  types of queries to the DNS server.) In server mode, the AX device can reply
  with A, AAAA, MX, NS, PTR, SRV and SOA records. For all other records, the
  AX device will attempt proxy mode.

Note: An AX device becomes a GSLB AX device when you configure GSLB on the
device and enable the GSLB protocol, for the controller function. The A10
Networks GSLB protocol uses port 4149. The protocol is registered on this
port for both TCP and UDP.

Zones, Services, and Sites

GSLB operates on zones, services, and sites.
- Zones: A zone is a DNS domain for GSLB and is called a GSLB zone. An AX
  device can be configured with one or more GSLB zones. Each zone can contain
  one or more GSLB sites. For example, mydomain.com is a domain.
- Services: A service is an application; for example, HTTP or FTP. Each zone
  can be configured with one or more services. For example:
  www.mydomain.com is a service, where www is the HTTP service or
  application.
- Sites: A site is a server farm that is locally managed by an AX device
  that performs Server Load Balancing (SLB) for the site.

GSLB Policy
GSLB is not enabled by default. Use of the feature requires proper
configuration. GSLB deals with multiple sites, and each site has a unique IP
address or IP addresses.
GSLB uses an array of fixed site IP addresses, and the new site selection
algorithm is illustrated below using an innovative method of iterative
in-place marking for selecting sites. GSLB does not order the multiple IP
network addresses based on any set of performance metrics, and does not
perform any form of ordering/reordering of the IP network addresses.
The following figure illustrates the AX implementation. Each IP address is
associated with a set of parameters. A site selection policy is based on the
evaluation of the policy parameters.
TABLE 1  GSLB site marking sample

Site IP    Metric: Health-check  Geo-location  Admin-preference  Response back in round robin
Site1-IP
Site2-IP
Site3-IP   M                     M
Site4-IP   M                     M             M                 selected
Site5-IP
Site6-IP   M                     M             M                 selected

As Site4-IP and Site6-IP are marked at the end of evaluation, these two
addresses will be selected in round-robin manner, which means there is no
determination of any single best network address.

Each site IP is tagged with Marked (M) or Un-marked for each evaluated
parameter. The subsequent evaluation of the parameters is performed only
on the previously marked sites and continues until the end of all the parameters in the metric policy regardless of how many sites are remaining as
Marked. In other words, the AX device does not stop the evaluation even if
there is one single site left, and continues with the evaluation until the end
of the user configured metric parameters.
At the end of the evaluation, the responses corresponding to the marked
sites are sent back in a round-robin manner and there is no determination of
any single best network address.
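The marking walk-through of Table 1 in working form, as an added example that is not A10's code: the sites, the three-metric order and the client region are constructed to reproduce the table, and the handling of a metric that would unmark every remaining site is an assumption the guide does not state.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Site:
    ip: str
    healthy: bool     # result of the site's health check
    region: str       # geo-location the site serves
    admin_pref: int   # administratively set preference (higher wins)


# Each metric returns the subset of the still-marked sites it keeps marked.
def health_check(sites, client_region):
    return [s for s in sites if s.healthy]


def geo_location(sites, client_region):
    return [s for s in sites if s.region == client_region]


def admin_preference(sites, client_region):
    best = max(s.admin_pref for s in sites)
    return [s for s in sites if s.admin_pref == best]


# Metric order is configurable in a GSLB policy; this order matches Table 1.
METRIC_ORDER = [
    ("health-check", health_check),
    ("geo-location", geo_location),
    ("admin-preference", admin_preference),
]


def evaluate(sites, client_region, metric_order=METRIC_ORDER):
    """Iterative in-place marking.

    Returns (marks, survivors): marks maps each site IP to the list of metric
    names that kept it marked; survivors are the IPs still marked at the end.
    Every metric is run, even if only one site is left after an earlier one.
    """
    marks = {s.ip: [] for s in sites}
    marked = list(sites)
    for name, metric in metric_order:
        kept = metric(marked, client_region)
        # Assumption (not stated in the guide): a metric that would unmark
        # every remaining site is treated as a tie and changes nothing.
        if not kept:
            continue
        for s in kept:
            marks[s.ip].append(name)
        marked = kept
    return marks, [s.ip for s in marked]


def respond(survivors, queries):
    """Tie-breaker: hand the marked addresses back in round-robin order."""
    rr = cycle(survivors)
    return [next(rr) for _ in range(queries)]


# Constructed sample reproducing the marks in Table 1 for a client in "us".
SAMPLE_SITES = [
    Site("Site1-IP", healthy=False, region="us", admin_pref=10),
    Site("Site2-IP", healthy=False, region="us", admin_pref=10),
    Site("Site3-IP", healthy=True, region="us", admin_pref=5),
    Site("Site4-IP", healthy=True, region="us", admin_pref=10),
    Site("Site5-IP", healthy=False, region="us", admin_pref=10),
    Site("Site6-IP", healthy=True, region="us", admin_pref=10),
]

if __name__ == "__main__":
    marks, survivors = evaluate(SAMPLE_SITES, client_region="us")
    for ip, hits in marks.items():
        print(f"{ip:9s} {' '.join(hits) or '-'}")
    print("answers:", respond(survivors, 4))
```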

Policy Metrics
A GSLB policy consists of one or more of the following metrics:
1. Health-Check Services that pass health checks are preferred.
2. Weighted-IP Service IP addresses with higher administratively
assigned weights are used more often than service IP addresses with
lower weights. (See Weighted-IP and Weighted-Site on page 21.)
3. Weighted-Site Sites with higher administratively assigned weights are
used more often than sites with lower weights. (See Weighted-IP and
Weighted-Site on page 21.)
4. Session-Capacity Sites with more available sessions based on respective maximum Session-Capacity are preferred.
5. Active-Servers Sites with the most currently active servers are preferred.
6. Active-Round Delay Time (aRDT) Sites with faster round-delay-times
for DNS queries and replies between a site AX device and the GSLB
local DNS are preferred.
7. Geographic Services located within the client's geographic region are
preferred.
8. Connection-Load Sites that are not exceeding their thresholds for new
connections are preferred.
9. Num-Session Sites that are not exceeding available Session-Capacity
threshold compared to other sites are treated as having the same preference.
10. Admin-Preference The site with the highest administratively set preference is selected.
11. BW-Cost Selects sites based on bandwidth utilization on the site AX
links.
12. Least-Response Service IP addresses with the fewest hits are preferred.
13. Admin-IP Sites are preferred based on administratively assigned
weight.
14. Round-Robin Sites are selected in sequential order. (See Tie-Breaker on page 21.)
15. Alias-Admin-Preference Selects the DNS CNAME record with the
highest administratively set preference. This metric is similar to the
Admin-Preference metric, but applies only to DNS CNAME records.
16. Weighted-Alias Prefers CNAME records with higher weight values
over CNAME records with lower weight values. This metric is similar
to Weighted-IP, but applies only to DNS CNAME records.
The Health-Check, Geographic, and Round-Robin metrics are enabled by
default. All other metrics are disabled by default.
The metric order and the configuration of each metric are specified in a
GSLB policy. Policies can be applied to GSLB zones and to individual services. The GSLB AX device has a default GSLB policy, named default,
which is automatically applied to a zone or service.


Note: Metric order does not apply to the Alias-Admin-Preference and
Weighted-Alias metrics. When enabled, Alias-Admin-Preference always has high
priority.

Note: In AX Release 2.6.0, the ability to configure the passive round-trip
time metric (Passive-RTT) was removed. If a configuration were to contain any
commands related to this deprecated metric, they would never take effect
since there is no way to enable it. In the current release, all references to
the deprecated Passive-RTT metric have been removed from the software.
Weighted-IP and Weighted-Site
The Weighted-IP and Weighted-Site metrics allow you to bias selection
toward specific sites or IP addresses. GSLB selects higher-weighted IP
addresses or sites more often than lower-weighted IP addresses or sites.
For example, if there are two sites (A and B), and A has weight 2 whereas B
has weight 4, GSLB will select site B twice as often as site A. Specifically,
GSLB will select site B the first 4 times, and will then select site A the next
2 times. This cycle then repeats: B is chosen 4 times, then A is chosen the
next 2 times, then B is chosen the next 4 times, and so on.
Note: If DNS caching is used, the cycle starts over if the cache aging timer
expires.
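The Weighted-IP cycle above (B four times, then A twice), as an added example that is not A10's code; the weights are the guide's, and the query index at which the cache aging timer expires is a constructed assumption used to show the note's effect.

```python
from itertools import chain, cycle, repeat


def weighted_cycle(weights):
    """Yield site names forever in Weighted-IP order: the highest weight
    first, each site repeated weight times, then the whole cycle repeats."""
    ordered = sorted(weights.items(), key=lambda kv: kv[1], reverse=True)
    return cycle(chain.from_iterable(repeat(name, w) for name, w in ordered))


def answers(weights, queries, cache_expiry_at=None):
    """Return the site chosen for each of `queries` successive DNS queries.

    cache_expiry_at models the note above: when the local DNS cache aging
    timer expires at that query index, the cycle starts over from the top.
    (Constructed assumption: the timer expires once, at that index.)
    """
    src = weighted_cycle(weights)
    chosen = []
    for i in range(queries):
        if i == cache_expiry_at:
            src = weighted_cycle(weights)
        chosen.append(next(src))
    return chosen


# Weights from the guide's example: site A weight 2, site B weight 4.
SITE_WEIGHTS = {"A": 2, "B": 4}

if __name__ == "__main__":
    print("steady state:", answers(SITE_WEIGHTS, 12))
    # A cache timer shorter than B's run restarts the cycle before A's turn.
    print("cache expires at query 3:", answers(SITE_WEIGHTS, 6, cache_expiry_at=3))
```

In the second run the lower-weighted site is never returned, which is the practical consequence of the note: a short cache aging timer can keep a weighted cycle from ever reaching the later entries.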
Tie-Breaker
The AX device uses Round-Robin as a tie-breaker to select a site. This is
true even if the Round-Robin metric is disabled in the GSLB policy. (See
Configure a GSLB Policy on page 31.)

Health Checks
The Health-Check metric checks the availability (health) of the real servers
and service ports. Sites whose real servers and service ports respond to the
health checks are preferred over sites in which servers or service ports are
unresponsive to the health checks.
GSLB supports health check methods for the following services:
ICMP (Layer 3 health check), TCP, UDP, HTTP, HTTPS, FTP, SMTP,
POP3, SNMP, DNS, RADIUS, LDAP, RTSP, SIP
You can use the default health methods or configure new methods for any of
these services.
Note: By default, the GSLB protocol generates its own packets when sending a
health check to a service. If the GSLB protocol cannot reach the service,
then another health check is performed using standard network traffic.
Health-Check Precedence
Health monitoring for a GSLB service can be performed at the following
levels and in the following order:
1. Gateway health check

2. Port health check
3. IP health check (Layer 3 health check of service IP)

Geo-Location
You can configure GSLB to prefer site VIPs for DNS replies that are geographically closer to the clients. For example, if a domain is served by sites
in both the USA and Asia, you can configure GSLB to favor the USA site
for USA clients while preferring the Asian site for Asian clients.
To configure geo-location:
- Leave the Geographic GSLB metric enabled; it is enabled by default.
- Load geo-location data. You can load geo-location data from a file or
  manually configure individual geo-location mappings.

Loading geo-location data from a file is simpler than manually configuring
geo-location mappings, especially if you have more than a few GSLB sites.
For more information, see Loading or Configuring Geo-Location Mappings on page 49.
The AX software includes an Internet Assigned Numbers Authority (IANA)
database. The IANA database contains the geographic locations of the IP
address ranges and subnets assigned by the IANA. The IANA database is
loaded on the AX device, and it is enabled by default.
CNAME Support
As an extension to geo-location support, you can configure GSLB to send a
Canonical Name (CNAME) record instead of an Address record in DNS
replies to clients. A CNAME record maps a domain name to an alias for that
domain. For example, you can associate the following aliases with the
domain a10.com:
www.a10.co.cn
www.1.a10.com
ftp.a10.com

Each of the aliases in the list above can be associated with a different
geo-location. If a client's IP address is within the geo-location that is
associated with www.1.a10.com, then GSLB places a CNAME record for
www.1.a10.com in the DNS reply to that client.

To configure CNAME support:
- Configure geo-location as described above.
- In the GSLB policy, enable the following DNS options:
  dns cname-detect (enabled by default)
  dns geoloc-alias
- For individual services in the zone, configure the aliases and associate
  them with geo-locations.

Alias-Admin-preference and Weighted-alias
The Alias Admin Preference metric, which selects the DNS CNAME record
with the highest administratively set preference, can be used in DNS Proxy
or DNS Server mode. Similarly, the Weighted Alias metric, which expresses
a preference for higher-weighted CNAME records, can be used in DNS
Proxy or DNS Server mode.
Some additional policy options are required in either mode.
- DNS proxy: Enable the geoloc-alias option. After GSLB retrieves the DNS
  response from the DNS answer, GSLB selects a DNS A record using IP metrics,
  and then tries to insert the DNS CNAME record into the answer based on
  geo-location settings. While inserting the CNAME record, if the Alias
  metrics are enabled, GSLB may remove some CNAME records and related service
  IPs.
- DNS server: If applicable, enable the backup-alias option. If there is no
  DNS A record to return, GSLB tries to insert all backup DNS CNAME records.
  During insertion, if Alias metrics are enabled, GSLB may remove some CNAME
  records. No DNS A records are returned. This option also requires the
  dns-cname-record as-backup option on the service.

DNS Options
DNS options provide additional control over the IP addresses that are listed
in DNS replies to clients.
The following DNS options can be set in GSLB policies:
- dns action: Enables GSLB to perform the DNS actions specified in the
  service configurations.
- dns active-only: Removes IP addresses for services that did not pass their
  health checks.
- dns addition-mx: Appends MX records in the Additional section in replies
  for A records, when the device is configured for DNS proxy or cache mode.
- dns auto-map: Enables creation of A and AAAA records for IP resources
  configured on the AX device. For example, this option is useful for
  auto-mapping VIP addresses to service-IP addresses.
- dns backup-alias: Returns the alias CNAME record configured for the
  service, if GSLB does not receive an answer to a query for the service and
  no active DNS server exists. This option is valid in server mode or proxy
  mode.
- dns backup-server: Designates one or more backup servers that can be
  returned to the client if the primaries should fail.
- dns cache: Caches DNS replies and uses them when replying to clients,
  instead of sending a new DNS request for every client query.
- dns cname-detect: Disabling this option skips the CNAME response. If
  enabled, the GSLB AX device applies the zone and service policy to the
  CNAME record instead of applying it to the address record.
- dns delegation: Enables sub-zone delegation. The feature allows you to
  delegate authority or responsibility for a portion of the DNS namespace
  from the parent domain to a separate sub-domain, which may reside on one
  or more remote servers and may be managed by someone other than the
  network administrator who is responsible for the parent zone.
- dns external-ip: Returns the external IP address configured for a service
  IP. If this option is disabled, the internal address is returned instead.
- dns external-soa: Replaces the internal SOA record with an external SOA
  record to prevent external clients from gaining information that should
  only be available to internal clients. If this option is disabled, the
  internal address is returned instead.
- dns geoloc-action: Performs the DNS traffic handling action specified for
  the client's geo-location. The action is specified as part of the service
  configuration in a zone.
- dns geoloc-alias: Replaces the IP address with its alias configured on the
  GSLB AX Series.
- dns geoloc-policy: Returns the alias name configured for the client's
  geo-location.
- dns hint: Enables hints, which appear in the Additional section of the DNS
  response. Hints are A or AAAA records that are sent in the response to a
  client's DNS request. These records provide a mapping between the host
  names and IP addresses.
- dns ip-replace: Replaces the IP addresses with the set of addresses
  administratively assigned to the service in the zone configuration.
- dns ipv6: Enables support for IPv6 AAAA records.
- dns logging: Configures DNS logging.
- dns proxy block: Blocks DNS queries from being sent to an internal DNS
  server. The AX device must be in GSLB proxy mode for the feature to work.
- dns selected-only: Returns only the selected IP addresses.
- dns server: Enables the GSLB AX device to act as a DNS server, for specific
  service IPs in the GSLB zone.
- dns sticky: Sends the same service IP address to a client for all requests
  from that client for the service address.
- dns ttl: Overrides the TTL set in the DNS reply. (For more information
  about this option, see TTL Override on page 25.)

The cname-detect and external-ip options are enabled by default. All the
other DNS options are disabled by default.
Order in Which Sticky, Server, Cache, and Proxy Options Are Used
If more than one of the following options are enabled, GSLB uses them in
the order listed, beginning with sticky:
1. sticky
2. server
3. cache
4. proxy

Note: GSLB does not have a separately configurable proxy option. The proxy
option is automatically enabled when you configure the DNS proxy as part of
GSLB configuration.

The site address selected by the first option that is applicable to the
client and requested service is used.
TTL Override
GSLB ensures that DNS replies to clients contain the optimal set of IP
addresses based on current network conditions. However, if the DNS TTL
value assigned to the Address records is long, the local DNS servers used by
clients might cache the replies for a long time and send those stale replies to
clients. Thus, even though the GSLB AX device has current information,
clients might receive outdated information.
To ensure that the clients' local DNS servers do not cache the DNS replies
for too long, you can configure the GSLB AX device to override the TTL
values of the Address records in the DNS replies before sending the replies
to clients.
The TTL of the DNS reply can be overridden in two different places in the
GSLB configuration:
1. If a GSLB policy is assigned to the individual service, the TTL set in
that policy is used.
2. If no policy is assigned to the individual service, but the TTL is set in
the zone, then the zone's TTL setting is used.
By default, the TTL override is not set in either of these places.

Note: In DNS server mode, the DNS response from the AX device includes an
IP TTL (maximum number of Layer 3 hops), with a default value equal to 255.
This IP TTL can be configured using the following CLI command:
gslb system ip-ttl.
More Information
See Advanced DNS Options on page 77.

Metrics That Require the GSLB Protocol on Site AX Devices

AX devices use the GSLB protocol for GSLB management traffic. The protocol
must be enabled on the GSLB controller.
GSLB does not need to be enabled on the site AX devices, but enabling it is
recommended in order to collect site information that is needed for the
following metrics:
- Session-Capacity
- aRDT
- Connection-Load
- Num-Session

Note: Enabling the GSLB protocol is also required if you are using the
default health-check methods. However, if you modify the default health
checks, then the GSLB protocol does not need to be enabled. (See Health
Checks on page 21.)


GSLB Configuration
This chapter describes the configuration of Global Server Load Balancing
(GSLB).

Overview
Configuration is required on the GSLB AX device (GSLB controller) and
the site AX devices.
Note: The AX device provides an optional mechanism to automatically
synchronize GSLB configurations and service IP status among multiple GSLB
controllers for a GSLB zone. If you plan to use automatic GSLB configuration
synchronization among controllers, first see GSLB Configuration
Synchronization on page 113.

Note: This chapter shows the GUI pages for detailed configuration. The GUI
also provides pages for simple GSLB configuration. Navigate to Config
Mode > Getting Started > GSLB Easy Config. See the online help or
AX Series GUI Reference for information.
Configuration on GSLB Controller
To configure GSLB on the GSLB AX device:
1. Configure health monitors for the DNS server to be proxied and for the
GSLB services to be load balanced.
2. Configure a DNS proxy.
3. Configure a GSLB policy (unless you plan to use the default policy settings, described in GSLB Policy on page 18).
4. Configure services.
5. Configure sites.
6. Configure a zone.
7. Enable the GSLB protocol for the GSLB controller function.

Note: If you plan to run GSLB in server mode, the proxy DNS server does not
require configuration of a real server or service group. Only the VIP is
required. However, if you plan to run GSLB in proxy mode, the real server
and service group are required along with the VIP. (Server and proxy mode
are configured as DNS options. See DNS Options on page 23.)
Configuration on Site AX Device
To configure GSLB on the site AX devices:
1. Configure SLB, if not already configured.
2. Enable the GSLB protocol for the GSLB site device function.
Configuration takes place at the following levels:
Global (system-wide on the GSLB AX device)
Zone
Service IP
Site
SLB device

The following sections describe the GSLB configuration steps in the GUI
and in the CLI. Required commands and commonly used options are listed.
For advanced commands and options, see CLI Command Reference on
page 153.
Note: Each of the following sections shows the CLI and GUI configuration.
For complete configuration examples, see GSLB Configuration Examples on
page 99.

Configure Health Monitors


A10 Networks recommends that you configure health monitors for the local
DNS server to be proxied and also for the GSLB services to be load balanced.
Use a DNS health monitor for the local DNS server. You also can use a
Layer 3 health monitor to check the IP reachability of the server.
For the GSLB service, use health monitors for the application types of the
services. For example, for an HTTP service, use an HTTP health monitor. If

the Health-Check metric is enabled in the GSLB policy, the metric uses the results of the service health checks to select sites.
To monitor the health of the real servers providing the services, configure
health monitors on the site SLB devices.
Configure the health monitors for the proxied DNS server and the GSLB
services on the GSLB AX device. Configure the health monitors for real
servers and their services on the site AX devices.
Configuration of health monitors is the same as for standard SLB. There are
no special health monitoring options or requirements for GSLB.

Configure the DNS Proxy


The DNS proxy is a DNS virtual service, and its configuration is therefore
similar to the configuration of an SLB service.
To configure the GSLB DNS proxy, use one of the following procedures.

USING THE GUI


1. Select Config Mode > Service > GSLB.
2. Click DNS Proxy, then click Add.
3. Enter a name for the DNS proxy.
4. Enter the IP address that will be advertised as the authoritative DNS
server for the GSLB zone.
Note: The GUI will not accept the configuration if the IP address you enter here is the same as the real DNS server IP address you enter when configuring the service group for this proxy (below).
5. (Optional) To add this proxy configuration of the DNS server to a High
Availability (HA) group, select the group.
6. In the GSLB Port section, click Add.
7. In the Port field, enter the DNS port number, if not already filled in.
8. In the Service Group field, select create. The Service Group and
Server sections appear.
9. In the Name field, enter a name for the service group.

10. In the Type drop-down list, select UDP.
11. In the Server section, in the Server drop-down list, enter the IP address
of the DNS server. Enter the real IP address of the DNS server, not the
IP address you are assigning to the DNS proxy.
12. Enter the DNS port number in the Port field and click Add. The server
information appears.
13. Click OK. The GSLB Port section re-appears.
14. Click OK. The Proxy section re-appears.
15. Click OK. The DNS proxy appears in the DNS proxy table.

USING THE CLI


1. To configure a real server for the DNS server to be proxied, use the following commands:
slb server server-name ipaddr
Use this command at the global configuration level of the CLI. The command creates the real server (the DNS server that the proxy forwards queries to) and changes the CLI to the configuration level for it.
To configure the DNS port on the server, use the following command to
change the CLI to the configuration level for the port:
port port-num udp
To enable health monitoring of the DNS service, use the following command:
health-check monitor-name
(Layer 3 health monitoring using the default Layer 3 health monitor is
already enabled by default.)
2. To configure a service group and add the real server (the proxied DNS server) to it, use the following commands:
slb service-group group-name udp
Use this command at the global configuration level of the CLI. The
command creates the service group and changes the CLI to the configuration level for it. To add the DNS server to the service group, use the
following command:
member server-name:port-num
3. To configure a virtual server for the DNS proxy and bind it to the real
server and service group, use the following commands:
slb virtual-server name ipaddr

Use this command at the global configuration level of the CLI. The command creates the virtual server and changes the CLI to the configuration level for it. To add the DNS port, use the following command:
port port-number udp
This command changes the CLI to the configuration level for the DNS
port. To bind the DNS port to the DNS proxy service group and enable
GSLB on the port, use the following commands:
service-group group-name
gslb-enable
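Once the DNS port is bound to the service group and gslb-enable is set, the practical check is that the VIP answers an A query for a name in the GSLB zone and does so authoritatively (AA flag set), because the VIP is the address advertised as the zone's authoritative server. The following script is an added example, not code from this guide or from A10: it builds a raw DNS query, parses the reply header and answer section (including RFC 1035 name compression) and lists anything wrong with the reply. The VIP 10.0.0.53, the name www.example.com, the address 203.0.113.10 and the embedded reply bytes are constructed for the example; only send_query talks to a real VIP, and it is left commented out.

```python
"""Added example (not from the A10 guide or A10 code): check that a GSLB DNS
proxy VIP answers an A query for the zone and answers authoritatively.
The VIP, name, address and the embedded reply bytes are constructed."""
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100


def encode_name(qname: str) -> bytes:
    """Wire-format labels for a dotted name, terminated by the root label."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split(".")) + b"\x00"


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """A/IN query with RD set: header, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def read_name(msg: bytes, off: int):
    """Decode the name at `off`, following compression pointers (0xC0xx).
    Returns (name, offset of the first byte after the name in place)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                           # name ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Header fields plus the A records found in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the question(s)
        _, off = read_name(msg, off)
        off += 4                                        # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "authoritative": bool(flags & FLAG_AA), "rcode": flags & 0xF,
            "answers": answers}


def check_proxy_answer(resp: bytes, expected_id: int) -> list:
    """List of problems with the reply; empty means the VIP answered the
    A query as the zone's authoritative server."""
    r = parse_response(resp)
    problems = []
    if r["id"] != expected_id:
        problems.append("transaction id mismatch")
    if not r["is_response"]:
        problems.append("not a response")
    if r["rcode"] != 0:
        problems.append(f"rcode {r['rcode']}")
    if not r["authoritative"]:
        problems.append("answer not authoritative (AA=0)")
    if not r["answers"]:
        problems.append("no A records in answer")
    return problems


def sample_response(flags: int = FLAG_QR | FLAG_AA | FLAG_RD) -> bytes:
    """Constructed reply to build_query('www.example.com'): one A record whose
    owner name is a pointer (0xC00C) back to the question name."""
    return (struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
            + encode_name("www.example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
            + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 10, 4)
            + socket.inet_aton("203.0.113.10"))


def send_query(vip: str, qname: str, port: int = 53, timeout: float = 3.0) -> list:
    """Send one UDP query to the VIP and check the reply (needs network access)."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (vip, port))
        data, _ = s.recvfrom(4096)
    return check_proxy_answer(data, txid)


if __name__ == "__main__":
    print("authoritative sample:", check_proxy_answer(sample_response(), 0x1234) or "ok")
    print("non-authoritative sample:",
          check_proxy_answer(sample_response(FLAG_QR | FLAG_RD), 0x1234))
    # print(send_query("10.0.0.53", "www.example.com"))  # against a real VIP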

Configure a GSLB Policy


The GSLB policy contains the metrics used to evaluate each site.
For the evaluation of sites, the AX device uses a fixed list of site addresses, built from the original list when a site becomes active. The metric evaluation does not order or re-order this original list.
In the default GSLB policy, the following metrics are enabled by default:
Health-Check
Geographic
Round-Robin

All other metrics are disabled. (For detailed information about policy
parameters and their defaults, see Policy Configuration Commands on
page 188 or the AX Series GUI Reference or online help.)
Note: Although the Geographic metric is enabled by default, there are no default geo-location mappings. To use the Geographic metric, you must load or manually configure geo-location mappings. (See Loading or Configuring Geo-Location Mappings on page 49 later in this section.)
Note: Also see GSLB Policy on page 18.


Enabling / Disabling Metrics


To enable or disable a metric, use one of the following procedures.

USING THE GUI


1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Policy.
3. Click on the policy name or click Add to create a new policy.
4. If you are configuring a new policy, enter a name in the Name field in
the General section.
5. In the Metrics section, drag-and-drop the metric from one column to the
other. For example, to disable the Health-Check metric, drag-and-drop it
from the In Use column to the Not In Use column.
If you are enabling a metric, drag it to the position you want it to be used in the processing order. For example, if you are enabling the Admin Preference metric and you want this metric to be used first, drag-and-drop the metric to the top of the In Use column.
6. In the DNS Options section, configure the DNS options, if applicable to
your deployment. (For descriptions, see DNS Options on page 23.)
7. Click OK.

USING THE CLI


To enable a metric, enter the metric name at the configuration level for the
policy. For example, to enable the Admin-Preference metric, enter the following command:
AX(config gslb-policy)#admin-preference

To disable a GSLB metric, use the no form of the command for the metric, at the configuration level for the policy. For example, to disable the
Health-Check metric, enter the following command at the configuration
level for the policy:
AX(config gslb-policy)#no health-check

To set DNS options, use the following command at the configuration level
for the policy. (For descriptions, see DNS Options on page 23.)
[no] dns
{
action |
active-only [fail-safe] |
addition-mx |
auto-map |
backup-alias |
backup-server |
cache [aging-time {seconds | ttl}] |
cname-detect |
delegation |
external-ip |
external-soa |
geoloc-action |
geoloc-alias |
geoloc-policy |
hint |
ip-replace |
ipv6 options |
logging {both | query | response | none} |
proxy block option |
selected-only [num] |
server
[addition-mx]
[any]
[authoritative options]
[mx]
[ns [auto-ns]]
[ptr [auto-ptr]]
[srv]
[txt] |
sticky [network-mask | /prefix-length]
[aging-time minutes] [ipv6-mask mask-length] |
ttl num
}


Changing the Metric Order


To change the metric order, use one of the following procedures.

USING THE GUI


1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Policy.
3. Click on the policy name or click Add to create a new policy.
4. If you are configuring a new policy, enter a name in the Name field in
the General section.
5. In the Parameters section, drag-and-drop the metric to the position in
which you want it to be used in the processing order. For example, if
you want the Admin-Preference metric to be used first, drop the metric
to the top of the In Use column.
6. Click OK.

USING THE CLI


To change the positions of metrics in a GSLB policy, use the following
command at the configuration level for the policy:
[no] metric-order metric [metric ...]
The metric option specifies a metric and can be one of the following:
active-rdt
active-servers
admin-ip
admin-preference
bw-cost
capacity
connection-load
geographic
health-check
least-response

num-session
weighted-ip
weighted-site

Note: Metric order does not apply to the Alias-Admin-Preference or Weighted-Alias metrics.

Configuring Active Round-Delay Time (aRDT)

If you are planning to use the Active Round-Delay Time (aRDT) metric, read this section. Otherwise, you can skip the section. This metric is disabled by default.
aRDT
aRDT measures the round-delay time for a DNS query and reply between a site AX device and the client's local DNS.
You can configure aRDT to take a single sample or periodic samples.
Global aRDT Parameters
The aRDT metric uses the following options, which are configurable on a global basis:
Domain: Specifies the query domain. To measure the active round-delay time (aRDT) for a client, the site AX device sends queries for the domain name to the client's local DNS. An aRDT sample consists of the time between when the site AX device sends a query and when it receives the response.
Only one aRDT domain can be configured. It is recommended to use a domain name that is likely to be in the cache of each client's local DNS. The default domain name is google.com.
The AX device averages multiple aRDT samples together to calculate the aRDT measurement for a client. (See the description of Track below.)
Interval: Specifies the number of seconds between queries. You can specify 1-16383 seconds. The default is 1.
Retry: Specifies the number of times GSLB will resend a query if there is no response. You can specify 0-16. The default is 3.
Sleep: Specifies the number of seconds GSLB stops tracking aRDT data for a client after a query fails. You can specify 1-300 seconds. The default is 3.
Timeout: Specifies the number of milliseconds GSLB will wait for a reply before resending a query. You can specify 1-16383 milliseconds (ms). The default is 3000 ms.
Track: Specifies the number of seconds during which the AX device collects samples for a client. The samples collected during the track time are averaged together, and the averaged value is used as the aRDT measurement for the client. You can specify 3-16383 seconds. The default is 60 seconds.
The averaged aRDT measurement is used until it ages out. The aging time for averaged aRDT measurements is 10 minutes by default and is configurable on individual sites, using the aRDT aging-time command.
To configure global aRDT options, use the following command at the global
configuration level of the CLI:
[no] gslb active-rdt
{
domain domain-name |
interval seconds |
retry num |
sleep seconds |
timeout ms |
track seconds
}
Default Settings
When you enable aRDT with no options, each site AX device sends DNS requests to the client's local DNS, and the GSLB AX device averages the aRDT times of 5 samples.
Single Sample (Single Shot)
To take a single sample and use that sample indefinitely, use the single-shot option. This option instructs each site AX device to send a single DNS query to the client's local DNS.
The single-shot option is useful if you do not want to update the aRDT measurements frequently. For example, if the GSLB domain's clients tend to remain logged on for long periods of time, the single-shot option ensures that clients are not frequently sent to different sites because of changing aRDT measurements.

The single-shot option has the following additional options:
timeout: Specifies the number of seconds each site AX device waits for the DNS reply. If the reply does not arrive within the specified timeout, the site becomes ineligible for selection in cases where selection is based on the aRDT metric. You can specify 1-255 seconds. The default is 3 seconds.
skip: Specifies the number of site AX devices that can exceed their single-shot timeouts without the aRDT metric itself being skipped by the GSLB AX device during site selection. You can specify 1-31 sites. The default is 3.
Multiple Samples
To retake aRDT samples periodically, do not use the single-shot option. In this case, the AX device uses the average of the most recent samples, taken at the configured interval.
For example, if you set aRDT to use 3 samples with an interval of 5 seconds, the aRDT is the average of the last 3 samples, collected at 5-second intervals. If you configure single-shot instead, a single sample is taken.
The number of samples can be 1-8. The default is 5 samples.
Store-By
By default, the GSLB AX device stores one aRDT measurement per site
SLB device. Optionally, you can configure the GSLB AX device to store
one measurement per geo-location instead. This option is configurable on
individual GSLB sites. (See Changing aRDT Settings for a Site on
page 39.)
Tolerance
The default measurement tolerance is 10 percent. If the aRDT measurements for more than one site are within 10 percent, the GSLB AX device
considers the sites to be equal in terms of aRDT. You can adjust the tolerance to any value from 0-100 percent.

Enabling aRDT
To enable aRDT, use one of the following procedures.

USING THE GUI


1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Policy.
3. Click on the policy name or click Add to create a new one.
4. Drag-and-drop aRDT from the Not In Use column to the In Use column.
5. Click the plus sign to display the aRDT configuration fields.
6. To use single-shot aRDT, select the Single-shot checkbox. To collect
multiple samples, do not select the Single-shot checkbox.
7. To change settings for single-shot, edit the values in the Timeout and
Skip fields.
8. To change settings for multiple samples, edit the values in the Samples
and Tolerance fields.
9. Click OK.

USING THE CLI


Enter the following command at the configuration level for the GSLB policy:
[no] active-rdt
[difference num]
[fail-break]
[ignore-id group-id]
[keep-tracking]
[limit ms]
[samples num-samples]
[single-shot] [skip count] [timeout seconds]
[tolerance num-percentage]
If you omit all the options, the site AX devices send DNS requests to the client's local DNS. The GSLB AX device averages the aRDT times of the samples, and the aRDT measurements are regularly updated. You can use the samples option to change the number of samples to 1-8.
To enable single-shot aRDT instead, use the single-shot option. For single-shot, you also can use the skip and timeout options. (See the descriptions above, in Single Sample (Single Shot) on page 36.)

CLI Examples
The following commands access the configuration level for GSLB policy
gslbp2 and enable the aRDT metric, using all the default settings:
AX(config)#gslb policy gslbp2
AX(config gslb-policy)#active-rdt

The following commands access the configuration level for GSLB policy
gslbp3 and enable the aRDT metric, using single-shot settings:
AX(config)#gslb policy gslbp3
AX(config gslb-policy)#active-rdt single-shot
AX(config gslb-policy)#active-rdt skip 3

In this example, each site AX device sends a single DNS query to the client's local DNS and waits 3 seconds (the default) for a reply. The site AX devices then send their aRDT measurements to the GSLB AX device. However, if more than 3 site AX devices fail to send their aRDT measurements to the GSLB AX device, the GSLB AX device does not use the aRDT metric.
Changing aRDT Settings for a Site
You can adjust the following aRDT settings on individual sites:
aging-time: Specifies the maximum amount of time a stored aRDT result can be used. You can specify 1-60 minutes. The default is 10 minutes.
bind-geoloc: Stores the aRDT measurements on a per geo-location basis. Without this option, the measurements are stored on a per site-SLB-device basis.
ignore-count: Specifies the ignore count for out-of-range aRDT measurements. You can specify 1-15. The default is 5.
ipv6-mask: Specifies the client IPv6 mask length, 1-128. The default is 128.
limit: Specifies the limit for aRDT measurements, in milliseconds. You can specify 1-16383. The default is 16383 milliseconds.
mask: Specifies the client subnet mask or mask length. Based on the mask, an entry can be a host address or a subnet address. The default is 32 (a host address).
range-factor: Specifies the maximum percentage a new aRDT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again.
For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement cannot be used.
You can specify 1-1000. The default is 25.
smooth-factor: Blends the new measurement with the previous one, to smooth the measurements.
For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new measurement is used, along with 50% of the previous measurement.
You can specify 1-100. The default is 10.

USING THE GUI


Use the Options section of the GUI page for the site.

USING THE CLI


Use the following command at the configuration level for the site:
[no] active-rdt
aging-time minutes |
bind-geoloc |
limit num |
mask {/mask-length | mask-ipaddr} |
range-factor num |
smooth-factor num
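The single-shot skip and timeout rule, the per-site range-factor and smooth-factor processing, and the policy tolerance described in this section interact, and it is easy to misjudge what a given setting does to the stored measurement. The following is an added example, not code from this guide or from A10, that models those rules in plain Python so the numbers can be checked by hand with the guide's defaults (range-factor 25, smooth-factor 10, tolerance 10, single-shot timeout 3 and skip 3). Two points are assumptions rather than statements from the guide: the tolerance comparison is taken relative to the larger of the two measurements, and the first sample for a site is stored unchanged. The reply times and sample values are constructed.

```python
"""Added example (not from the A10 guide): how the aRDT single-shot rule,
range-factor, smooth-factor and policy tolerance combine. Assumptions:
tolerance is relative to the larger measurement; a site's first sample is
stored as-is. Reply times and sample values below are constructed."""
from typing import Dict, List, Optional, Tuple


def single_shot(replies: Dict[str, Optional[float]], timeout: float = 3.0,
                skip: int = 3) -> Tuple[List[str], bool]:
    """Single-shot rule: a site whose reply is missing (None) or slower than
    `timeout` seconds is ineligible; if more than `skip` sites fail, the
    aRDT metric itself is skipped for this selection (second value False)."""
    eligible = [site for site, t in replies.items() if t is not None and t <= timeout]
    failed = len(replies) - len(eligible)
    return eligible, failed <= skip


def within_range(prev: float, new: float, range_factor: int = 25) -> bool:
    """range-factor: accept `new` only if it lies within +/- range_factor
    percent of the previous measurement (25 -> 75% .. 125%)."""
    low = prev * (100 - range_factor) / 100
    high = prev * (100 + range_factor) / 100
    return low <= new <= high


def smooth(prev: float, new: float, smooth_factor: int = 10) -> float:
    """smooth-factor: blend smooth_factor percent of the new sample with the
    remainder of the previous value (10 -> 0.1 * new + 0.9 * prev)."""
    return (new * smooth_factor + prev * (100 - smooth_factor)) / 100


def update_measurement(prev: Optional[float], new: float,
                       range_factor: int = 25, smooth_factor: int = 10) -> float:
    """Stored per-site aRDT after one new sample. The first sample is kept
    as-is (assumption); later samples are range-checked, then smoothed.
    A rejected sample leaves the previous value in place."""
    if prev is None:
        return float(new)
    if not within_range(prev, new, range_factor):
        return prev
    return smooth(prev, new, smooth_factor)


def equal_within_tolerance(a: float, b: float, tolerance: int = 10) -> bool:
    """Policy tolerance: two sites count as equal if their measurements are
    within `tolerance` percent (assumed relative to the larger value)."""
    return abs(a - b) <= max(a, b) * tolerance / 100


def rank_sites(measurements: Dict[str, float], tolerance: int = 10) -> List[List[str]]:
    """Order sites by aRDT (lowest first), grouping sites that are within
    tolerance of the best member of their group; a group is a tie."""
    groups: List[List[str]] = []
    anchor: Optional[float] = None
    for site, value in sorted(measurements.items(), key=lambda kv: kv[1]):
        if anchor is not None and equal_within_tolerance(anchor, value, tolerance):
            groups[-1].append(site)
        else:
            groups.append([site])
            anchor = value
    return groups


# Constructed reply times (seconds) for one single-shot round; None = no reply.
SAMPLE_REPLIES = {"usa": 1.2, "europe": None, "asia": 4.0, "brazil": 2.5}


if __name__ == "__main__":
    eligible, usable = single_shot(SAMPLE_REPLIES, timeout=3.0, skip=3)
    print("single-shot eligible:", eligible, "metric usable:", usable)
    stored = None
    for sample in (100, 120, 130, 110):          # constructed samples in ms
        stored = update_measurement(stored, sample)
        print(f"sample {sample} ms -> stored {stored:.1f} ms")
    print("ranking:", rank_sites({"usa": 102.0, "europe": 108.0, "asia": 250.0}))
```

The sample sequence shows why range-factor and smooth-factor matter together: after 100 and 120 the stored value is 102, the jump to 130 is discarded because it exceeds 125% of 102, and the stored value only creeps toward a genuinely changed delay at 10% per accepted sample.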
Excluding a Set of IP Addresses from aRDT Polling
You can use an IP list to exclude a set of IP addresses from aRDT polling.
You can configure an IP list in either of the following ways:
Use a text editor on a PC or use the AX GUI to configure a black/white list, then load the entries from the black/white list into an IP list.
Use the gslb ip-list command in the CLI (below) to configure individual IP list entries.


USING THE CLI


To configure an IP list using the CLI, use the following command at the
global configuration level of the CLI:
[no] gslb ip-list list-name
The command changes the CLI to the configuration level for the list, where
the following IP-list-related commands are available:
[no] ip ipaddr {subnet-mask | /mask-length} id group-id
This command creates an IP entry in the list. Based on the subnet mask or mask length, the entry can be a host address or a subnet address. The id option adds the entry to a group. The group-id can be 0-31.
[no] load bwlist-name
This command loads the entries from a black/white list into the IP list. For
information on configuring a black/white list, see the Policy-Based SLB
(PBSLB) chapter in the AX Series System Configuration and Administration Guide.
To use the IP list to specify the IP addresses to exclude from aRDT data collection, use the following command at the configuration level for the GSLB
policy:
[no] active-rdt ignore-id group-id

USING THE GUI


Note: In the current release, IP lists cannot be configured using the GUI.


Configuring BW-Cost Settings


If you are planning to use the BW-Cost metric, read this section. Otherwise,
you can skip the section. The BW-Cost metric is disabled by default.
The BW-Cost metric selects sites based on bandwidth utilization on the site
AX links.

How Bandwidth Cost Is Measured


To compare sites based on bandwidth utilization, the GSLB AX device sends SNMP GET requests for a specified MIB interface object, such as ifInOctets, to each site.
If the SNMP object value is less than or equal to the bandwidth limit configured for the site, the site is eligible to be selected.
If the SNMP object value is greater than the bandwidth limit configured for the site, the site is ineligible.
The GSLB AX device sends the SNMP requests at regular intervals. Once a site is ineligible, the site can become eligible again at the next interval if the utilization is at or below the threshold percentage of the configured limit. (See below.)

Configuration Requirements
To use the BW-Cost metric, an SNMP template must be configured and
bound to each site. The GSLB SNMP template specifies the SNMP version
and other information necessary to access the SNMP agent on the site AX
device, and the Object Identifier (OID) of the MIB object to request.
In addition, the following BW-Cost parameters must be configured on each site:
Bandwidth limit: The bandwidth limit specifies the maximum value of the requested MIB object for the site to be eligible for selection.
Bandwidth threshold: For a site to regain eligibility when BW-Cost is being compared, the SNMP object's value must be at or below the threshold percentage of the limit value.
For example, if the limit value is 80,000 and the threshold is 90 (percent), then the object's value must be 72,000 or less for the site to become eligible again based on bandwidth cost. Once a site becomes eligible again, the SNMP object's value is again allowed to increase up to the bandwidth limit value (80,000 in this example).


Configuring Bandwidth Cost


To use the BW-Cost metric:
1. On the site AX devices, configure and enable SNMP.
2. On the GSLB AX device:
a. Configure a GSLB SNMP template.
b. Add the template to the GSLB site configuration.
c. Optionally, set the bandwidth limit and threshold on the site. By
default, the bandwidth limit is not set (unlimited).
d. Enable the BW-Cost metric in the GSLB policy. By default, the
BW-Cost metric is disabled.

USING THE GUI


Note: SNMP template configuration is not supported in the GUI. Use the CLI to configure the template, then use the following GUI procedures.

USING THE CLI


To Configure a GSLB SNMP Template
Use the following commands:
[no] gslb template snmp template-name
This command adds the template and changes the CLI to the configuration
level for the template, where the following template-related commands are
available:
[no] version {v1 | v2c | v3}
The version command specifies the SNMP version running on the site AX
device.
[no] host ipaddr
[no] oid oid-value
The host command specifies the IP address of the site AX device.
The oid command specifies the interface MIB object to query on the site
AX device.
Note: If the object is part of a table, make sure to append the table index to the end of the OID. Otherwise, the AX device returns an error. For example, ifOutOctets is the ifTable column .1.3.6.1.2.1.2.2.1.16; the OID to query for the interface with ifIndex 12 is .1.3.6.1.2.1.2.2.1.16.12, as in the examples below.

SNMPv1 / v2c Commands:
[no] community community-string
The community command specifies the community string required for
authentication.
SNMPv3 Commands:
[no] username name
This command specifies the SNMPv3 username required for access to the
SNMP agent on the site AX device.
[no] security-level {no-auth | auth-no-priv | auth-priv}
This command specifies the SNMPv3 security level:
no-auth: Authentication is not used and encryption (privacy) is not used. This is the default.
auth-no-priv: Authentication is used but encryption is not used.
auth-priv: Both authentication and encryption are used.
Because the default is no-auth, set the security level explicitly. With no-auth, the responses from the site AX device are neither authenticated nor integrity-protected, and the link utilization figures that drive site selection could be altered in transit; use auth-priv wherever the site devices support it.
[no] auth-proto {sha | md5}
[no] auth-key string
These commands are applicable if the security level is auth-no-priv or
auth-priv. The auth-proto command specifies the authentication protocol.
The auth-key command specifies the authentication key. The key string can
be 1-127 characters long.
[no] priv-proto {aes | des}
[no] priv-key string
These commands are applicable only if the security level is auth-priv. The
priv-proto command specifies the privacy protocol used for encryption.
The priv-key command specifies the encryption key. The key string can be
1-127 characters long.
[no] context-engine-id id
[no] context-name id
[no] security-engine-id id
The context-engine-id command specifies the ID of the SNMPv3 protocol
engine running on the site AX device. The context-name command specifies an SNMPv3 collection of management information objects accessible
by an SNMP entity. The security-engine-id command specifies the ID of

the SNMPv3 security engine running on the site AX device. For each command, the ID is a string 1-127 characters long.
[no] interface id
The interface command specifies the SNMP interface ID.
Additional Commands:
[no] interval seconds
[no] port port-num
The interval command specifies the amount of time between each SNMP
GET to the site AX devices. You can specify 1-999 seconds. The default
is 3.
The port command specifies the protocol port on which the site AX devices listen for the SNMP requests from the GSLB AX device. You can specify 1-65535. The default is 161.
To Apply a GSLB SNMP Template to a GSLB Site
Use the following command at the configuration level for the site:
[no] template template-name
To Configure the Bandwidth Limit and Threshold on a Site
Use the following command at the configuration level for the site:
[no] bw-cost limit limit threshold percentage
The limit specifies the maximum value of the SNMP object (as queried by the GSLB AX device) for the site to remain eligible for selection. You can specify 0-2147483647. There is no default.
If a site becomes ineligible because it is over the limit, the percentage parameter is used. To become eligible for selection again, the SNMP object's value for the site must not be more than limit * (threshold-percentage / 100).
You can specify 0-100 percent. There is no default.
To Enable the Bandwidth Cost Metric in a GSLB Policy
Use the following command at the configuration level for the policy:
[no] bw-cost
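The limit and threshold form a hysteresis: a site drops out when the polled value exceeds the limit and is only re-admitted once the value falls to threshold percent of the limit or lower, which stops a site flapping in and out at every poll. The following is an added example, not code from this guide or from A10, that models that rule between polls and also applies the OID caveat from the SNMP template section (an ifTable object must carry its index). One assumption is made: the guide says "the SNMP object value" is compared with the limit, but ifInOctets and ifOutOctets are ever-increasing counters, so this model compares the change in the counter since the previous poll, which is what the Current column of show gslb site bw-cost appears to report; the wrap-around arithmetic handles Counter32 and Counter64. The site name, the limit of 80,000 with a 90 percent threshold (the guide's worked numbers) and the counter readings are constructed.

```python
"""Added example (not from the A10 guide): BW-Cost eligibility with the
limit/threshold hysteresis, plus the ifTable OID index check.
Assumption: the per-poll change of the counter is what is compared with
the limit (the guide says "the SNMP object value"). Readings are constructed."""
from typing import List, Optional

IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)   # ifTable.ifEntry (RFC 1213 / IF-MIB)
IF_IN_OCTETS, IF_OUT_OCTETS = 10, 16      # ifEntry column numbers


def oid_has_if_index(oid: str) -> bool:
    """True when `oid` is an ifEntry column with an ifIndex appended, e.g.
    .1.3.6.1.2.1.2.2.1.16.12 (ifOutOctets for ifIndex 12). The bare column
    .1.3.6.1.2.1.2.2.1.16 is rejected, as the guide says the AX device would."""
    parts = tuple(int(p) for p in oid.strip(".").split("."))
    return parts[:len(IF_ENTRY)] == IF_ENTRY and len(parts) == len(IF_ENTRY) + 2


class BwCostSite:
    """Bandwidth-cost state of one GSLB site between SNMP polls."""

    def __init__(self, name: str, limit: int, threshold: int, counter_bits: int = 32):
        if not 0 <= threshold <= 100:
            raise ValueError("threshold is a percentage 0-100")
        self.name, self.limit, self.threshold = name, limit, threshold
        self.modulus = 1 << counter_bits            # Counter32 or Counter64 wrap
        self.last_counter: Optional[int] = None
        self.current = 0                            # octets seen in the last interval
        self.highest = 0                            # largest interval value so far
        self.eligible = True

    def poll(self, counter: int) -> bool:
        """Feed one SNMP GET result (raw counter) and return eligibility."""
        if self.last_counter is None:               # first poll: nothing to diff yet
            self.last_counter = counter
            return self.eligible
        # Wrap-safe delta: modular subtraction survives a counter roll-over.
        self.current = (counter - self.last_counter) % self.modulus
        self.last_counter = counter
        self.highest = max(self.highest, self.current)
        if self.eligible:
            # Eligible sites drop out as soon as the interval value exceeds the limit.
            self.eligible = self.current <= self.limit
        else:
            # Ineligible sites are re-admitted only at or below limit * threshold / 100.
            self.eligible = self.current <= self.limit * self.threshold / 100
        return self.eligible


def eligible_sites(sites: List[BwCostSite]) -> List[str]:
    """Names of the sites the BW-Cost metric would leave in the candidate list."""
    return [s.name for s in sites if s.eligible]


if __name__ == "__main__":
    print("OID ok:", oid_has_if_index(".1.3.6.1.2.1.2.2.1.16.12"))
    usa = BwCostSite("usa", limit=80000, threshold=90)
    # Constructed ifOutOctets readings, one per polling interval.
    for reading in (1_000_000, 1_050_000, 1_140_000, 1_215_000, 1_285_000):
        print(f"counter {reading}: interval {usa.current} eligible {usa.poll(reading)}")
    print("eligible:", eligible_sites([usa]))
```

With the guide's numbers the site is dropped at an interval value of 90,000, stays out at 75,000 (above the 72,000 re-admission point) and returns at 70,000, which is the behaviour the limit and threshold text above describes.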

To display BW-Cost data for a site
Use the following command:
show gslb site [site-name] bw-cost
CLI Example SNMPv2c
The following commands configure a GSLB SNMP template for SNMPv2c:
AX(config)#gslb template snmp snmp-1
AX(config-gslb template snmp)#version v2c
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#community public
AX(config-gslb template snmp)#exit

The community string in SNMPv1 and SNMPv2c is carried in cleartext in every request, so do not use the default string public on a production site device. Configure a read-only, non-default community on the site AX device, and prefer the SNMPv3 template with security-level auth-priv (CLI Example SNMPv3 below) wherever the site devices support it.

The following commands apply the SNMP template to a site and set the
bandwidth limit and threshold:
AX(config)#gslb site usa
AX(config gslb-site)#template snmp-1
AX(config gslb-site)#bw-cost limit 100000 threshold 90
AX(config gslb-site)#exit

The following commands enable the BW-Cost metric in the GSLB policy:
AX(config)#gslb policy pol1
AX(config-gslb policy)#bw-cost
AX(config-gslb policy)#exit

The following command displays BW-Cost data for the site:
AX-1(config)#show gslb site usa bw-cost
U = Usable, TI = Time Interval
USGN = Unsigned, SN64 = Unsigned 64
CNTR = Counter, CT64 = Counter 64
Site  Template  Current  Highest  Limit   U  Type  Len  Value       TI
----------------------------------------------------------------------
usa   snmp-1    31091    142596   100000  Y  CNTR  4    3355957308  3

CLI Example SNMPv3
The following commands configure a GSLB SNMP template for SNMPv3. In this example, authentication and encryption are both used.
AX(config)#gslb template snmp snmp-2
AX(config-gslb template snmp)#security-level auth-priv
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#username read
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#priv-proto des
AX(config-gslb template snmp)#auth-key 12345678
AX(config-gslb template snmp)#priv-key 12345678

The example does not show the version and auth-proto commands; set both explicitly (version v3, and sha rather than md5) so the template does not depend on defaults. The 8-character keys and DES privacy are for illustration only: for a production template use priv-proto aes and longer, unrelated authentication and privacy keys (the commands accept up to 127 characters).
The other commands are the same as those shown in CLI Example SNMPv2c on page 46.

Configuring Alias Admin Preference


To configure the Alias Admin Preference metric:
1. At the configuration level for the GSLB service, assign an administrative preference to the DNS CNAME record for the service.
2. At the configuration level for the GSLB policy:
Enable the Alias Admin Preference metric.
Enable one or both of the following DNS options, as applicable to your deployment: DNS backup-alias, DNS geoloc-alias.
3. If using the backup-alias option, use the dns-cname-record as-backup
option on the service.

USING THE GUI


The current release does not support this feature in the GUI.

USING THE CLI


1. To assign an administrative preference to the DNS CNAME record for a
service, use the following command at the configuration level for the
service:
[no] admin-preference preference

The preference can be 0-255. A higher value is preferred over a lower
value. The default is 0 (not set).
2. To enable the Alias Admin Preference metric, use the following command at the configuration level for the policy:
[no] alias-admin-preference

Configuring Weighted Alias


To configure the Weighted Alias metric:
1. At the configuration level for the GSLB service, assign a weight to the
DNS CNAME record for the service.
2. At the configuration level for the GSLB policy:
Enable the Weighted Alias metric.
Enable one or both of the following DNS options, as applicable to your deployment: DNS backup-alias, DNS geoloc-alias.
3. If using the backup-alias option, use the dns-cname-record as-backup
option on the service.

USING THE GUI


The current release does not support this feature in the GUI.

USING THE CLI


1. To assign a weight to the DNS CNAME record for a service, use the following command at the configuration level for the service:
[no] weight num
The num can be 1-255. A higher value is preferred over a lower value.
The default is 1.
2. To enable the Weighted Alias metric, use the following command at the
configuration level for the policy:
[no] weighted-alias


Loading or Configuring Geo-Location Mappings


You can configure geo-location mappings manually or by loading the mappings from a file. Configuring the geo-location mappings manually might
not be practical, unless you have only a few sites.
The geo-location configuration options are described in detail below. To skip the descriptions and go directly to configuration instructions, see one of the following sections. Each section provides the procedure for one of the approaches to configuring geo-location mappings.
• Loading or Configuring Geo-Location Mappings on page 49
• Manually Configuring Geo-Location Mappings on page 54

Geo-Location Database Files


You can load the geo-location database (which contains the geo-location mappings) from one of the following types of files:
• Internet Assigned Numbers Authority (IANA) database: The IANA database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. Note that this database is loaded by default.
• Custom database in CSV format: You can load a custom geo-location database from a file in comma-separated-values (CSV) format. However, before loading the file, you must first configure a CSV template on the AX device, because the template tells the AX device which fields in the file to extract.
Note: You can load more than one geo-location database. When you load a new database, if the same IP address or IP address range already exists in a previously loaded database, the address or range is overwritten by the new database.
Geo-Location Mappings
A geo-location mapping consists of a geo-location name and an IP address or IP range.
• If you manually map a geo-location to a GSLB site, GSLB uses the mapping.
• If no geo-location is configured for a GSLB site, GSLB automatically maps the service-ip to a geo-location in the loaded geo-location database.
• If a service-ip cannot be mapped to a geo-location, GSLB maps the site AX device to a geo-location.
If more than one geo-location matches a client's IP address, the most specific match is used. For example, if a client is in the same city as a site AX, that site will be preferred. If the client and site are in the same state but in different cities, the site in that state will be preferred.
Only one database can be active. If you load more than one database, the
most-recently loaded one becomes the active one, and the older database is
no longer used. Data from the older database is not merged into the new
database.
Example Database File
An example of a database file is shown below. Each paragraph is actually a
single line in the file, but they are displayed here in multiple lines due to the
limited width of the page. (Note that lines in the database file should not
have spaces between the paragraphs. This was done to improve readability.)
"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS", "COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"
"1159364096","1159364351","US","UNITED STATES","NA","NORTH AMERICA","","","","ENVIRONMENTAL COMPLIANCE SERVICE","SILVER","","32.0708","-100.682"
"1159364352","1159364607","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS", "MLS PROPERTY INFORMATION NETWORK","SHREWSBURY","WORCESTER","42.2959","71.7134"

...

The example above shows how the CSV file appears when displayed in a text editor. If the same data were displayed in a spreadsheet application, it would appear like Figure 1 below.
FIGURE 1: CSV File in Spreadsheet Application

The database file can contain more types of information (fields, or columns) than are required for the GSLB database. When you load the CSV file into the geo-location database, the CSV template on the AX device filters the file to extract the required data, while ignoring the rest of the data. In the example below, only the first, second, third, and fifth fields (the From IP address, To IP address, Country, and Continent) will be extracted and placed into the geo-location database:
"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"

These fields contain the following information:
• From IP address (starting IP address in range)
• To IP address (ending IP address in range, or subnet mask)
• Continent
• Country

The IP addresses in this example are in bin4 format. Dotted decimal format
(for example: 69.26.125.0) is also supported. If you use bin4 format, the AX
device automatically converts the addresses into dotted decimal format
when you load the database into GSLB.
Converting IP Addresses into bin4 Format
If you want to use bin4 format in the CSV file, here is how to convert an IP address from dotted-decimal format to bin4 format:
1. Convert each node (octet) into hex.
2. Concatenate the four hex values and convert the resulting hex number into decimal.
3. Enter the decimal number into the database file.
Here is an example for IP address 69.26.125.0, the first IP address in the
example CSV file:
Dotted Decimal   Hex of Each Node   Combined Hex Number   Decimal
69.26.125.0      45.1a.7d.00        451a7d00              1159363840

CSV File Field Delimiters


The fields in the CSV file must be separated by a delimiter. By default, the
AX device interprets commas as delimiters. When you configure the CSV
template on the AX device, you can set the delimiter to any valid ASCII
character.
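The following Python is an added example, not A10 code: it models how a CSV template (field positions plus an optional delimiter) pulls the geo-location fields out of a database file, and how a bin4 address is converted to dotted decimal. The helper names (bin4_to_dotted, range_end, load_with_template) and the two sample rows are constructed for this example.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

FIELD_KINDS = {"ip-from", "ip-to-mask", "continent", "country", "state", "city"}

# Constructed sample input: the first two rows of the guide's example database file.
SAMPLE_CSV = (
    '"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA",'
    '"MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"\n'
    '"1159364096","1159364351","US","UNITED STATES","NA","NORTH AMERICA","","","",'
    '"ENVIRONMENTAL COMPLIANCE SERVICE","SILVER","","32.0708","-100.682"\n'
)

# Same field positions as the guide's CLI example template:
# field 1 ip-from, field 2 ip-to-mask, field 5 continent, field 3 country.
SAMPLE_TEMPLATE = {1: "ip-from", 2: "ip-to-mask", 5: "continent", 3: "country"}


@dataclass
class GeoEntry:
    ip_from: str
    ip_to: str
    continent: Optional[str] = None
    country: Optional[str] = None
    state: Optional[str] = None
    city: Optional[str] = None


def bin4_to_dotted(value: str) -> str:
    """Accept a bin4 address (the 32-bit value written as a decimal string)
    or a dotted-decimal address and return dotted decimal. Malformed or
    out-of-range values raise ValueError instead of being silently wrapped."""
    text = value.strip()
    if text.isdigit():
        number = int(text)
        if number > 0xFFFFFFFF:
            raise ValueError(f"bin4 value exceeds 32 bits: {text}")
        return str(ipaddress.IPv4Address(number))
    return str(ipaddress.IPv4Address(text))  # validates the dotted form


def dotted_to_bin4(addr: str) -> int:
    """The guide's conversion: 69.26.125.0 -> 45.1a.7d.00 -> 0x451a7d00 -> 1159363840."""
    return int(ipaddress.IPv4Address(addr))


def range_end(ip_from: str, ip_to_or_mask: str) -> str:
    """Resolve the ip-to-mask field: a valid subnet mask gives the last address
    of that subnet; anything else is taken as the ending address of the range.
    Assumption: a range never ends exactly on a netmask-shaped address."""
    try:
        net = ipaddress.IPv4Network((ip_from, ip_to_or_mask), strict=False)
    except ValueError:
        return ip_to_or_mask
    return str(net.broadcast_address)


def load_with_template(data: str, template: Dict[int, str],
                       delimiter: Union[str, int] = ",") -> List[GeoEntry]:
    """Apply a CSV template (1-based column -> field kind) to the file text and
    keep only the mapped columns, as the AX device does when it loads the file.
    The delimiter may be given as a character or as its decimal ASCII code."""
    for col, kind in template.items():
        if not 1 <= col <= 64 or kind not in FIELD_KINDS:
            raise ValueError(f"bad template entry: field {col} {kind}")
    if {"ip-from", "ip-to-mask"} - set(template.values()):
        raise ValueError("template must map both ip-from and ip-to-mask")
    if isinstance(delimiter, int):
        delimiter = chr(delimiter)
    entries: List[GeoEntry] = []
    reader = csv.reader(io.StringIO(data), delimiter=delimiter)
    for lineno, row in enumerate(reader, start=1):
        if not row:
            continue  # blank line between records
        picked: Dict[str, str] = {}
        for col, kind in template.items():
            if col > len(row):
                raise ValueError(f"line {lineno}: field {col} is missing")
            picked[kind] = row[col - 1].strip()
        ip_from = bin4_to_dotted(picked["ip-from"])
        ip_to = range_end(ip_from, bin4_to_dotted(picked["ip-to-mask"]))
        entries.append(GeoEntry(
            ip_from=ip_from, ip_to=ip_to,
            continent=picked.get("continent") or None,
            country=picked.get("country") or None,
            state=picked.get("state") or None,
            city=picked.get("city") or None))
    return entries


if __name__ == "__main__":
    for entry in load_with_template(SAMPLE_CSV, SAMPLE_TEMPLATE):
        print(entry)
```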
Creating and Loading a Custom Geo-Location Database
To create and load a custom geo-location database:
1. Prepare the database file. (This step requires an application that can
save to text for CSV format, and it cannot be performed on the AX
device.)
2. Configure a CSV template on the AX device. The CSV template specifies the field positions (or columns) in the database that should be
extracted, such as IP address and location information.
3. Import the CSV file onto the AX device.
4. Load the CSV file.
5. Display the geo-location database.

USING THE GUI


Configuring the CSV Template
1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Geo-location > Import.
3. In the Template section, enter a name for the template.
4. If the CSV file uses a character other than a comma to delimit fields,
enter the delimiter character in the Delimiter field. You want the CSV
template to use the same delimiter that has been used in the database file
you will be loading.
5. In each data field, indicate the field's position (or column) in the CSV file. For example, if the destination IP address or subnet is listed in the fourth column of the CSV file, enter 4 in the IP-To field.
6. Click Add.
Importing the CSV File
1. Select Config Mode > Service > GSLB, if not already selected.
2. On the menu bar, select Geo-location > Import, if not already selected.
3. In the File section, select the file transfer protocol.
4. Enter the filename and the access parameters required to copy the file
from the remote server.
5. Click Add.
Loading the CSV File Data into the Geo-Location Database
1. Select Config Mode > Service > GSLB, if not already selected.
2. On the menu bar, select Geo-location > Import, if not already selected.
3. In the Load/Unload section, enter the name of the geo-location database
in the file field.
4. In the Template field, enter the name of the template to use for formatting the data.


USING THE CLI


Configuring the CSV Template
On the AX device, you must configure a CSV template for the database file.
When you load the file into GSLB, the AX device uses the template to
extract the data and load it into the GSLB database.
1. Use the following command at the global configuration level:
[no] gslb template csv template-name
This command creates the template and changes the CLI to the configuration level for it.
2. Use the following command to identify the field positions for the geo-location data:
[no] field num {ip-from | ip-to-mask | continent | country | state | city}
The num option specifies the field position (or column) within the CSV
file. You can specify 1-64. The following options specify the type of
geo-location data that is located in the field position:
• ip-from: Specifies the beginning IP address in the range or subnet.
• ip-to-mask: Specifies the ending IP address in the range, or the subnet mask.
• continent: Specifies the continent where the IP address range or subnet is located.
• country: Specifies the country where the IP address range or subnet is located.
• state: Specifies the state where the IP address range or subnet is located.
• city: Specifies the city where the IP address range or subnet is located.
3. If the CSV file uses a character other than a comma to delimit fields, use
the following command to specify the character used in the file:
[no] delimiter {character | ASCII-code}
You can type the character or enter its decimal ASCII code (0-255).
Importing the CSV File
To import the CSV file onto the AX device, use the following command at
the Privileged EXEC or global configuration level of the CLI:
import geo-location file-name [use-mgmt-port] url

You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL, use one of the following formats:
tftp://host/file
ftp://[user@]host[:port]/file
scp://[user@]host/file
rcp://[user@]host/file
http://[user@]host/file
https://[user@]host/file
sftp://[user@]host/file

(For information about the use-mgmt-port option, see the Using the Management Interface as the Source for Management Traffic chapter in the
AX Series System Configuration and Administration Guide.)
Loading the CSV File Data into the Geo-Location Database
To load the CSV file, use the following command at the global configuration level of the CLI:
[no] gslb geo-location load file-name csv-template-name
Use the file name you specified when you imported the CSV file, and the
name of the CSV template to be used for extracting data from the file.
Note: The file-name option is available only if you have already imported a geo-location database file.
To display information about CSV files as they are being loaded, use the
following command:
show gslb geo-location file [file-name]
Manually Configuring Geo-Location Mappings

USING THE GUI


In the GUI, this is part of site configuration. See Configure Sites on
page 67.


USING THE CLI


To manually configure a geo-location mapping:
1. Configure each geographic location (geo-location) as a named range of
client IP addresses. You can configure geo-locations globally and
within individual GSLB policies.
To configure a geo-location, use the following command at the global
configuration level or at the configuration level for the GSLB policy:
[no] gslb geo-location location-name start-ip-addr [mask ip-mask] [end-ip-addr]
2. Associate a site with a geo-location name, using the following command
at the configuration level for the site:
[no] geo-location location-name
Note: If you configure geo-locations globally and at the configuration level for individual sites, and a client IP address matches both a globally configured geo-location and a geo-location configured on a site, the globally configured geo-location is used by default. To configure the GSLB AX device to use geo-locations configured on individual sites instead, use the geo-location match-first policy command at the configuration level for the policy.
Displaying the Geo-Location Database

USING THE GUI


1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Geo-location > Find.
The geo-location database appears. You can use the find options to display
database entries or statistics for specific geo-locations or IP addresses.

USING THE CLI


To display the geo-location database, use the following command:
show gslb geo-location db [geo-location-name] [[statistics] ip-range range-start range-end] [[statistics] depth num] [statistics]
The geo-location-name option displays the database entry for the specified
location.

The ip-range option displays entries for the specified IP address range.
The depth num option filters the display to show only the location entries at
the specified depth or higher. For example, to display continent and country
entries while hiding individual state and city entries, specify depth 2.
To search for an entry in the geo-location database that is based on client IP
address, use the following command:
show gslb geo-location ip ipaddr
CLI Example
The commands in this example load a custom geo-location database from a
CSV file called test.csv, and then display the database. The test.csv file is
shown in Example Database File on page 50.
First, the following commands configure the CSV template:
AX(config)#gslb template csv test1-tmplte
AX(config-gslb template csv)#field 1 ip-from
AX(config-gslb template csv)#field 2 ip-to-mask
AX(config-gslb template csv)#field 5 continent
AX(config-gslb template csv)#field 3 country
AX(config-gslb template csv)#exit

The following command imports the file onto the AX device:


AX(config)#import geo-location test1.csv ftp:
Address or name of remote host []?192.168.1.100
User name []?admin2
Password []?*********
File name [/]?test1.csv

The following commands initiate loading the data from the CSV file into
the geo-location database, and display the status of the load operation:
AX(config)#gslb geo-location load test1.csv test1-tmplte
AX(config)#show gslb geo-location file
T = T(Template)/B(Built-in), Per = Percentage of loading
Filename   T  Template   Per   Lines  Success  Error
---------------------------------------------------------
test1      T  t1         98%   11     10       0

The following command displays the geo-location database. The data that was extracted from the CSV file appears as the IP range entries listed under Geo-location: NA.US.
AX(config)#show gslb geo-location db
Last = Last Matched Client, Hits = Count of Client matched
T = Type, Sub = Count of Sub Geo-location
G(global)/P(policy), S(sub)/R(sub range)
M(manually config)
Global
Name   From           To             Last     Hits  Sub  T
-----------------------------------------------------------------
NA     (empty)        (empty)        (empty)  0     1    G
Geo-location: NA, Global
Name   From           To             Last     Hits  Sub  T
-----------------------------------------------------------------
US     (empty)        (empty)        (empty)  0     10   GS
Geo-location: NA.US, Global
Name   From           To             Last     Hits  Sub  T
-----------------------------------------------------------------
       69.26.125.0    69.26.125.255  (empty)  0     0    GR
       69.26.126.0    69.26.126.255  (empty)  0     0    GR
       69.26.127.0    69.26.127.255  (empty)  0     0    GR
       69.26.128.0    69.26.136.135  (empty)  0     0    GR
       69.26.136.136  69.26.136.143  (empty)  0     0    GR
       69.26.136.144  69.26.140.255  (empty)  0     0    GR
       69.26.141.0    69.26.141.255  (empty)  0     0    GR
       69.26.142.0    69.26.159.255  (empty)  0     0    GR
       69.26.160.0    69.26.160.255  (empty)  0     0    GR
       69.26.161.0    69.26.161.7    (empty)  0     0    GR

Geo-location Overlap
The geo-location overlap option searches the geo-location database for the best match instead of searching the database using the match first algorithm. This behavior may be helpful if you suspect that more than one host has been mapped to a single public IP address.
Geo-location Databases Background
When configuring GSLB on the AX device, a geo-location file containing
mappings between geographic regions and IP addresses is imported onto the
AX device. For example, the IANA database is pre-installed on the AX
device prior to shipping, and it contains thousands of entries mapping geographic regions to IP address ranges.

In addition, third-party companies sell geo-location databases, and some of these databases may contain millions of mappings between geographic regions and ranges of IP addresses. As with the IANA database files, these files can also be imported into the AX device's global database.
However, geo-location information can also be manually configured on the
AX device at the GSLB policy level.
A GSLB policy is typically created for each GSLB zone, so you could, for
example, have separate zones for a company that has offices in New York
and San Jose. Each of these GSLB zones might have its own geo-location
file, with each file containing highly granular information that maps IP
addresses and local regions.
When configuring geo-location for a GSLB zone, you will need to use the match first command to decide whether to search the Global database (containing the IANA file) or the GSLB Policy database.
The match first command determines which of the two geo-location databases is used to resolve incoming DNS requests from clients. That is, it lets you decide whether the Global database or the GSLB Policy database is searched.
Once this configuration decision has been made, the next thing to decide is whether to enable the geo-location overlap command.
Note: The geo-location overlap command is disabled by default because it tends to be taxing on the AX processors.
The default behavior of the AX device is the match first algorithm (not to be confused with the match first option described above): it scans the geo-location database and stops at the first IP address range that matches the client's source IP.
In contrast, the geo-location overlap option uses the match best algorithm, meaning the entire geo-location file must be scanned in order to locate the optimal response to send back to the client. This is very demanding on the AX CPU.
When to Use Geo-Location Overlap
The geo-location overlap option is recommended for situations in which the
public IP address is not unique and the same IP address may be associated
with different hosts. While it is unlikely that the IANA geo-location file
would contain such errors, the internet is a dynamic place and information
can become stale and/or inaccurate. In particular, this situation might happen if users are careless about the way they manually add IP addresses to
the GSLB policies. A user might have many GSLB zones and each zone
might have many geo-location files, so it is possible that some IP address
ranges may overlap.
For example, if a company has a site in New York and San Jose:
• New York IP range is 1.1.1.1 to 1.1.1.9
• San Jose IP range is 1.1.1.1 to 1.1.1.3
In this situation, there is an overlap in the IP address range from 1.1.1.1 to 1.1.1.3.
To remedy this confusing situation, one can enable the geo-location overlap
option to cause the AX device to search the geo-location database for the
match best (or longest matching IP address).
However, if the geo-location overlap option is disabled, the AX device reverts to its default behavior, which is to use the match first algorithm: it checks the client's IP address against the database and uses the first IP address-to-region mapping found while parsing the database.
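The following Python is an added example, not A10's implementation: it contrasts the match first and match best lookups on the overlapping New York and San Jose ranges above, and models the match-first and overlap policy options. The geo-location names, the global database entry and the function names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class GeoLocation:
    """One geo-location entry: a name and an inclusive client IP range."""
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end

    @property
    def size(self) -> int:
        return int(self.end) - int(self.start) + 1


def geo(name: str, start: str, end: str) -> GeoLocation:
    return GeoLocation(name, ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))


# Constructed policy database, in configuration order: the guide's overlapping
# New York (1.1.1.1-1.1.1.9) and San Jose (1.1.1.1-1.1.1.3) ranges.
POLICY_DB = [geo("new-york", "1.1.1.1", "1.1.1.9"),
             geo("san-jose", "1.1.1.1", "1.1.1.3")]
# Constructed global database standing in for the coarse IANA data.
GLOBAL_DB = [geo("NA.US", "1.0.0.0", "1.255.255.255")]


def match_first(db: List[GeoLocation], client: str) -> Optional[str]:
    """Default algorithm: stop at the first entry that contains the client IP."""
    ip = ipaddress.IPv4Address(client)
    for loc in db:
        if loc.contains(ip):
            return loc.name
    return None


def match_best(db: List[GeoLocation], client: str) -> Optional[str]:
    """geo-location overlap: scan the whole database and keep the narrowest
    (most specific) matching range. The full scan is the CPU cost the guide
    warns about, which is why the option is off by default."""
    ip = ipaddress.IPv4Address(client)
    best = None
    for loc in db:
        if loc.contains(ip) and (best is None or loc.size < best.size):
            best = loc
    return best.name if best else None


def lookup(client: str, policy_first: bool = False, overlap_global: bool = False,
           overlap_policy: bool = False, global_db=GLOBAL_DB,
           policy_db=POLICY_DB) -> Optional[Tuple[str, str]]:
    """Combine the two policy options: 'geo-location match-first policy' searches
    the policy database before the global one (global is the default), and
    'geo-location overlap {global|policy}' switches that database to match best.
    Assumption: when the first database has no match, the other one is searched."""
    order = [("global", global_db, overlap_global), ("policy", policy_db, overlap_policy)]
    if policy_first:
        order.reverse()
    for source, db, use_best in order:
        name = match_best(db, client) if use_best else match_first(db, client)
        if name is not None:
            return source, name
    return None


def find_overlaps(db: List[GeoLocation]) -> List[Tuple[str, str]]:
    """Audit helper: report pairs of entries whose ranges intersect, so the
    configuration can be corrected rather than relying on the overlap option."""
    pairs = []
    for i, a in enumerate(db):
        for b in db[i + 1:]:
            if a.start <= b.end and b.start <= a.end:
                pairs.append((a.name, b.name))
    return pairs


if __name__ == "__main__":
    print("match first:", match_first(POLICY_DB, "1.1.1.2"))
    print("match best: ", match_best(POLICY_DB, "1.1.1.2"))
    print("overlaps:   ", find_overlaps(POLICY_DB))
```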

USING THE GUI


If you suspect a public IP address in your domain is not unique and the same IP address may be associated with different hosts, you can enable the geo-location overlap option. To do so, follow the procedure below:
1. Select Config Mode > Service > GSLB.
2. Click the Policy tab, and then click the Add button.
3. Enter a name for the GSLB policy in the Name field.
4. Click the Geo-location arrow to expand the menu.
The Geo-location menu appears, as shown below:
5. In the Match Best Entry section, select the desired checkboxes. By
default, the Global and Policy checkboxes are clear, meaning the
overlap feature is disabled (and the match first approach is used).

6. To enable the overlap behavior, select one or both checkboxes in the
Match Best Entry area. Your options are:
• Global: Enabling this option will search the global database (such as IANA) for the longest matching and most-specific address.
• Policy: Enabling this option will search the GSLB policy database for the longest matching and most-specific address.
7. When finished, click OK to save your changes.

USING THE CLI


If you believe your manually-configured geo-location databases may have two or more domains tied to the same IP address, you can use the following command at the GSLB policy configuration level of the CLI to enable geo-location overlap:
[no] geo-location overlap [global | policy]
CLI Example
The following command enables geo-location overlap at the GSLB policy level. The overlap option is used to enable match best behavior for the geo-location database within the default GSLB policy. With this behavior enabled, the match first algorithm is not used; instead the AX device attempts to find the best match by searching for the longest range that matches the source IP address in the client's request.
AX(config)#gslb policy default
AX(config-gslb policy)#geo-location overlap policy
AX(config-gslb policy)#exit

Configure Services
A service is an application such as HTTP or FTP. For example: www.mydomain.com is a service where www is the http service or an application. Each
zone can be configured with one or more services.
To configure services in a GSLB zone, use one of the following procedures.

USING THE GUI


1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Service IP.
3. Click Add.
4. Enter the service name and IP address.
5. If needed, assign an external IP address to the service IP. The external IP
address allows a service IP that has an internal IP address to be reached
from outside the internal network.
6. Add the service port(s):
a. Enter the port number and select the protocol (TCP or UDP).
b. Optionally, select a health monitor.
c. Click Add. The service port appears in the service port list.
7. Click OK.
8. Repeat for each service IP.

USING THE CLI


To configure service VIPs, use the following command at the global configuration level of the CLI:
gslb vip-name ipaddr
This command changes the CLI to the configuration level for the service.
To assign an external IP address to the service, use the following command.
An external IP address is needed if the service IP address is an internal IP
address that can not be reached from outside the internal network.
external-ip ipaddr

To configure a service port on the service, use the following command to
change the CLI to the configuration level for the port:
port port-num {tcp | udp}
To enable health monitoring of the service, use the following command:
health-check monitor-name

Gateway Health Monitoring


To simplify health monitoring of a GSLB site, you can use a gateway health check. A gateway health check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. If a site's gateway router fails a health check, it is likely that none of the services at the site can be reached. GSLB stops using the site until it begins to pass gateway health checks again.
In most cases, an ICMP health check is sufficient. You can use the default ICMP health check or configure a custom one. For more detailed health analysis, you can use an external health check. For example, you can use a script to get SNMP information from the gateway, and base the gateway's health status on the retrieved information.
Health-Check Precedence
Health checking for a GSLB service can be performed at the following levels.
1. Gateway health check
2. Port health check
3. IP health check (Layer 3 health check of service IP)
If the gateway health check is unsuccessful, the service IP is marked Down.
If the gateway health check is successful, then the port health check can be
used to check the status of the ports (assuming ports have been configured
on the service IP). Otherwise, if no service ports are configured on the service IP, then the Layer 3 health check of the service IP is used.

Configuring Gateway Health Checking for GSLB Sites
To configure gateway health checking for a GSLB site:
1. Configure the health monitor, unless you plan to use the default ICMP
health monitor.
2. On the SLB device at the site, create an SLB real server configuration with the gateway router's IP address. If you configured a custom health check, make sure to apply it to the real server.
3. On the GSLB controller, specify the site's gateway IP address in the SLB-device configuration for the site.
Sites with Multiple Gateway Links
If a site has multiple gateways, create a separate real server for each gateway on the site AX device. On the GSLB controller, create a separate SLB-device configuration for each gateway (real server). In each SLB-device
configuration, specify only the service IPs that can be reached by the gateway specified in that SLB-device configuration.
For a service IP that can be reached on any of multiple links, create a separate SLB-device configuration, without using the gateway option. The gateway health status for this SLB-device will be Down only if all the gateway
health checks performed for the other SLB-device configurations for the
site fail.

USING THE GUI


1. On the site AX device: To create the gateway router, navigate to the real server configuration page. Enter a name and the gateway IP address. Do not add any ports.
If you plan to use the default Layer 3 health monitor, no further configuration is needed on the site AX device. If you plan to use a custom ICMP monitor, configure the monitor by selecting create from the Health Monitor drop-down list.
2. On the GSLB controller: To specify the site's gateway IP address, navigate to the site configuration page. From this page, navigate to the SLB-Device configuration page and enter the gateway IP address in the Gateway field.


USING THE CLI


1. On the site AX device: To create the gateway router, use the following command at the global configuration level of the CLI on the site AX device:
[no] slb server gateway-name gateway-ipaddr
If you plan to use the default Layer 3 health monitor, no further configuration is needed on the site AX device. If you plan to use a custom ICMP monitor, configure the monitor, then use the following command at the configuration level for the real server (gateway):
[no] health-check icmp-monitor-name
2. On the GSLB controller: To specify the site's gateway IP address, use the following command at the configuration level for the SLB device, within the site configuration:
[no] gateway gateway-ipaddr
Disabling a Gateway Health-Check
On the GSLB controller, you can disable gateway health checking at the
SLB-device configuration level or the service configuration level; doing so
will not affect any health checks configured for the individual virtual servers and service ports at the site.
To disable gateway health checking at the SLB-device configuration level,
use the following command:
no gateway health-check
After you enter this command, the SLB device will stop accepting gateway
status information.
To disable gateway health checking at the service configuration level, use
the following command:
no health-check gateway
After you enter this command, the service will stop using gateway health
checks.
Displaying the Health Status of a Site Gateway
To display the health status for a site gateway, use the following command:
show gslb slb-device


CLI Example: Site with Single Gateway Link


On the site AX device, the following command configures a real server for
the gateway. The default ICMP health method is used.
Site-AX(config)#slb server 1.1.1.1

On the GSLB controller, the following commands enable gateway health checking for site device site-ax:
GSLB-AX(config)#gslb site remote
GSLB-AX(config-gslb site)#slb-dev site-ax 10.1.1.1
GSLB-AX(config-slb dev)#gateway 1.1.1.1

The following command displays the gateway health status for GSLB sites:
GSLB-AX(config)#show gslb slb-device
Attrs = Attributes, APF = Administrative Preference
Sesn-Num/Uzn = Number/Utilization of Available Sessions
GW = Gateway Status, IPCnt = Count of Service-IPs
P = GSLB Protocol, L = Local Protocol
Device           IP         Attrs  APF  Sesn-Num  Uzn  GW  IPCnt
------------------------------------------------------------------
local:self       127.0.0.1         100  0         0%       0
local:self2      127.0.0.1         100  0         0%       0
local:self3      127.0.0.1         100  0         0%       2
remote:site-ax   10.1.1.1          100  0         0%   UP  0

In this example, the gateway health status for SLB-device configuration site-ax on the remote site is Up.

CLI Example: Site with Multiple Gateway Links


On the site AX device, the following commands configure real servers for
each of two gateway links. The default ICMP health method is used for each
link.
Site-AX(config)#slb server 2.2.2.1
Site-AX(config-real server)#exit
Site-AX(config)#slb server 3.3.3.1

On the GSLB controller, the following commands enable gateway health checking for each of the site's links. A unique SLB-device name is used for each link, even though both links are for the same SLB device (20.1.1.1).
GSLB-AX(config)#gslb site remote-link1
GSLB-AX(config-gslb site)#slb-dev site-ax-lnk1 20.1.1.1
GSLB-AX(config-slb dev)#gateway 2.2.2.1

GSLB-AX(config-slb dev)#exit
GSLB-AX(config-gslb site)#exit
GSLB-AX(config)#gslb site remote-link2
GSLB-AX(config-gslb site)#slb-dev site-ax-lnk2 20.1.1.1
GSLB-AX(config-slb dev)#gateway 3.3.3.1

If the same services can be reached through either link, an additional
SLB-device configuration is required:
GSLB-AX(config)#gslb site remote-link-both
GSLB-AX(config-gslb site)#slb-dev site-ax-lnkboth 20.1.1.1

No gateway is specified in the SLB-device configuration. The gateway
health status will be Up unless the health checks for 2.2.2.1 and 3.3.3.1 both
fail.

Multiple-Port Health Monitoring


GSLB supports multiple-port health checking for service IPs. When you use
a multiple-port health check for a service IP, the service IP is marked Up if
any of the ports passes the health check. It is not required for all ports to
pass the health check.
Default Health Monitors
The default health monitor for a service is the default Layer 3 health monitor (ICMP ping). The default health monitor for a service port is the default
TCP or UDP monitor, depending on the transport protocol.
By default, if the GSLB protocol is enabled and can reach the service,
health checking is performed over the GSLB protocol. Otherwise, health
checking is performed using standard network traffic instead. Optionally,
you can disable use of the GSLB protocol for health checking, on individual
service-IPs.

USING THE GUI


The current release does not support this feature in the GUI.


USING THE CLI


To configure a multiple-port health check, use the following command at
the configuration level for the service IP:
[no] health-check port port-num port-num [...]
You can specify up to 64 ports.
CLI Example
The following commands apply a custom HTTP health monitor to service
IP gslb-srvc2:
AX(config)#gslb service-ip gslb-srvc2 192.168.20.99
AX(config-gslb service-ip)#port 80
AX(config-gslb service-port)#health-check http
AX(config-gslb service-ip)#port 8080
AX(config-gslb service-port)#health-check http
AX(config-gslb service-ip)#port 8081
AX(config-gslb service-port)#health-check http

Note:

Applying a health monitor is required only if you do not plan to use the
default health monitors. (See Default Health Monitors on page 66.)
The following commands enable a multi-port health check for the HTTP
service www on service IP gslb-srvc2 in GSLB zone abc.com:

AX(config)#gslb zone abc.com
AX(config-gslb zone)#service http www
AX(config-gslb service)#health-check port 80 8080 8081

Configure Sites
To configure GSLB sites, use one of the following procedures.

USING THE GUI


1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Site.
3. Click Add.
4. Enter the site name.

5. In the SLB-Device section, enter information about the AX devices that
provide SLB for the site:
a. Click Add.
b. Enter a name for the device.
c. Enter the IP address at which the GSLB AX device will be able to
reach the site AX device.
d. To add a service to this SLB device, select it from the drop-down list
in the VIP server section and click Add. Repeat for each service.
6. In the IP-Server section, add services to the site. Select a service from
the drop-down list and click Add. Repeat for each service.
7. To manually map a geo-location name to the site, enter the geo-location
name in the Geo-location section and click Add.
8. Click OK. The site appears in the Site table.

USING THE CLI


To configure the GSLB sites, use the following commands:
gslb site site-name
This command changes the CLI to the configuration level for the site. To
associate an IP service with this site, use the following command:
ip-server {name | service-ip}
The name or service-ip is the name or IP address of a real server load balanced by the site.
To specify the AX device that provides SLB at the site, use the following
command:
slb-dev device-name ipaddr
To add the GSLB VIP server to the SLB device, use the following command:
vip-server {name | ip ipaddr}
The service-name is the GSLB service specified by the gslb vip-name
ipaddr command in Configure Services on page 61.


Configure a Zone
To configure a GSLB zone, use one of the following procedures.

USING THE GUI


1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Zone.
3. Click Add.
4. Enter the zone name in the Name field.
5. In the Service section, click Add. (See Figure 16 on page 110.)
The service configuration sections appear.
6. In the Service field, enter the service name.
7. Select the service type from the Port drop-down list.
8. Add the services:
a. In the Service section, click Add.
b. Enter a name for the service (for example, www).
c. Select the service type from the Port drop-down list.
d. Configure additional options, if applicable to your deployment.
e. Click OK.
f. Repeat for each service.

9. Click OK. The zone appears in the GSLB zone list.

USING THE CLI


To configure the GSLB zone, use the following commands:
gslb zone zone-url
The zone-url is the URL that clients will send in DNS queries. This command changes the CLI to the configuration level for the zone. To add a service to the zone, use the following command:
service port service-name

The port is the application port for the server and must be the same port
name or number specified on the service VIP.

Enable the GSLB Protocol


To enable the GSLB protocol, use one of the following procedures.

USING THE GUI


1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Global.
The Global section appears.
3. Select Enabled next to one of the following options, depending on the
AX device's function in the GSLB configuration:
• Run GSLB as Controller
• Run GSLB as Site SLB Device

4. Click OK.

USING THE CLI


To enable the GSLB protocol on the GSLB AX device, use the following
command at the global configuration level of the CLI:
gslb protocol enable controller
To enable the GSLB protocol on a site AX device, use the following command at the global configuration level of the CLI:
gslb protocol enable device

Resetting or Clearing GSLB


If you need to reset or clear the GSLB configuration, you can use the following commands:
• gslb system reset - Unloads all geo-location files and reloads the
default iana file.
• no gslb all - Unloads all geo-location files, including iana, and clears
all GSLB configuration information and statistical data.

These commands are available at the global configuration level of the CLI.
Confirmation Prompt
By default, the CLI displays a prompt asking you to confirm whether to perform the reset or deletion. You can reply yes or no.
If you do not want the prompt to appear, you can disable it by entering the
following command at the global configuration level of the CLI:
no gslb system prompt
Simplified CLI Syntax for Removing All Configuration Items
The all option removes all configuration items of the specified type. In previous releases, the CLI supported removal of GSLB configuration items
only one item at a time.
Here are the no gslb commands that support the all option:
• no gslb geo-location all - Removes all manually configured
geo-locations from the AX device's configuration.
• no gslb geo-location load all - Unloads all geo-location
database files on the AX device. The default database (IANA) is also
unloaded.
• no gslb ip-list all - Removes all IP lists from the AX device's
configuration.
• no ip all - At the configuration level for an IP-list, removes all
IP addresses from the list.
• no gslb policy all - Removes all GSLB policies from the AX
device's configuration.
• no gslb service-ip all - Removes all service IPs from the AX
device's configuration.
• no gslb site all - Removes all GSLB sites from the AX
device's configuration.
• no ip-server all - At the site configuration level, removes
all IP servers (real servers) from the site.
• no slb-device all - At the site configuration level, removes
all SLB devices.
• no vip-server all - At the configuration level for an SLB
device, removes all virtual servers from the device.
• no gslb template csv all - Removes all CSV templates from
the AX device's configuration.

• no gslb template snmp all - Removes all SNMP templates
from the AX device's configuration.
• no gslb template all - Removes all CSV templates and SNMP
templates from the AX device's configuration.
• no gslb zone all - Removes all GSLB zones from the AX
device's configuration.
To remove all GSLB configuration items at the same time, you can use the
following command instead:
no gslb all


Auto-mapping
An AX device acting as a GSLB controller can retrieve the data needed to
build the DNS system by automatically returning DNS records by name.
This GSLB Auto-Mapping feature reduces the required amount of DNS
management work when deploying GSLB.
In releases prior to 2.7.0, manual configuration is required for each of the
services for which an AX device is to respond. This manual configuration
typically involves creating a service IP, applying it to a site, adding the zone,
and then mapping the service to the service IP.
With GSLB Auto-mapping, however, the AX device allows you to automatically create the service by taking the name of a system resource, or
"module", and prepending it to a zone to create the service name
(DNS name).
Once the servers and other network devices have been configured with
basic information, auto-mapping enables the GSLB protocol to support
DNS queries for the following modules (or system resources):
• SLB server
• SLB virtual server
• SLB device
• GSLB site
• GSLB service-IP
• GSLB Group
• Hostname

Details:
• This feature only works with GSLB wildcard service.
• There is no L3V support for SLB server or SLB virtual server.
• Names exceeding 20 characters must be changed to DNS domain, with
labels separated by the '.' character.


Configuration
Configuring DNS Auto-mapping requires the following steps:
1. Configure DNS Auto-mapping at the zone level or system level.
2. Enable DNS Auto-mapping at the zone and/or system level.

USING THE GUI


To configure GSLB Auto-mapping, navigate as follows:
1. Select Config Mode > Service > GSLB.
2. Click the Site tab, and then click the Add button.
3. Scroll down and click the arrow button to expand the Options section.
A window similar to the one shown below appears:
FIGURE 2: Config Mode > Service > GSLB > Site > Add

4. Select the Auto Map checkbox, if it is not already selected.


5. Click the Policy tab, and then click the Add button.
6. Scroll down and click the arrow button to expand the Auto Map section.
A window similar to the one shown below appears:
FIGURE 3: Config Mode > Service > GSLB > Policy > Add

7. By default, all modules (resources) are selected. You can select or clear
the checkboxes to choose the modules (system resources) for which the
GSLB protocol will support DNS queries.

8. Either accept the default TTL value of 300 seconds, or enter a new
time-to-live for the modules.
9. Click OK to store your changes.

USING THE CLI


Configure DNS Auto-mapping at the system level
By default, system auto-mapping is disabled until you configure the modules. However, after system auto-mapping has been configured, the query
name is the object's name.
Use the following CLI commands to configure auto-mapping.
gslb system auto-map module {all | slb-server |
slb-virtual-server | slb-device | gslb-service-ip |
gslb-site | gslb-group | hostname}
gslb system auto-map ttl seconds
Note:

By default, all modules are enabled in the policy.


Configure DNS Auto-mapping at the zone level
Use the following CLI command at the GSLB policy level to configure
auto-mapping at the zone level:
dns auto-map
Details:
To get the DNS response, the query name is in the following format:
<obj-name>.<zone-name>
For example, if a real server's name is us-svr1, and the wildcard zone is
example.com, then the query name should be us-svr1.example.com

CLI Example
The following example configures a VIP called WWW at IP
192.168.1.100.
AX(config)#slb virtual-server WWW 192.168.1.100
AX(config-slb vserver)#ha-group 1
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#source-nat pool Internal-Pool-1
AX(config-slb vserver-vport)#service-group Internal-Service-Group-1
Next, the commands below configure a GSLB policy auto-map for the
zone a10.com. A wildcard service IP is used. If a client sends a query for
a host within the a10.com zone (for example, an AX with the name "sj-ax"), then the full service name is sj-ax.a10.com., and the GSLB protocol
will respond to the client's query by providing the management IP address
and the IP address for the inbound data interface.
AX(config)#gslb policy auto-map
AX(config)#dns auto-map
AX(config)#gslb zone a10.com
AX(config-gslb zone)#service *
AX(config-gslb service)#gslb policy auto-map


Advanced DNS Options


This chapter describes some of the DNS options you can configure in
Global Server Load Balancing (GSLB) policies.
Note:

This chapter is not intended to be an exhaustive presentation of all DNS
options in GSLB policies. For complete syntax information, see dns on
page 197.
• DNS Active-only on page 78
• Support for DNS TXT Records on page 80
• Append All NS Records in DNS Authority Section on page 82
• Hints in DNS Responses on page 83
• DNS Sub-zone Delegation on page 85
• DNS Proxy Block on page 91


DNS Active-only
By default, if all of the servers failed to pass the health check, then the
GSLB controller would return an empty list to the client, rather than sending
the list of IP addresses for the servers that had failed the health check.
You can configure the AX device to send the list of IP addresses (associated
with servers that failed their health checks) back to the client. The feature
can be enabled using the new dns active-only metric option.
In association with this feature, you can also designate one or more backup
servers, and the IP addresses for these servers will be sent to the client in the
event that all of the primary servers have failed. This behavior requires that
you enable the dns backup-server feature within the GSLB policy, and that
you specify the backup servers within the DNS A-record for the GSLB zone
service.
To summarize, there are now three options:
• active-only (Old) - Nothing is returned to the client if all servers fail the
health check.
• active-only fail-safe (New) - A list of IP addresses for the servers that
failed the health check is sent back to the client.
• backup-server - Designate one or more backup servers that can be
returned to the client if the primaries should fail.

USING THE GUI


To configure the Active Only Fail Safe feature on a GSLB AX device,
follow the procedure below:
1. Select Config Mode > Service > GSLB.
2. Click the Policy tab, and then click the Add button.
3. Enter a name for the GSLB policy in the Name field.
4. Click the DNS Options arrow to expand the menu.

5. From the DNS Options menu that appears, select one of the following:
• Active Only checkbox - Select this to enable the Active Only feature.
If all servers fail the health check, then nothing is returned to
the client. (Selecting this checkbox activates the Fail Safe checkbox.)
• Fail Safe checkbox - Select this sub-option to have the list of IP
addresses associated with failed servers returned to the client.
6. (Optional) Select the Backup Server checkbox if you would like one or
more backup servers to be returned to the client in the event that all of
the primary servers fail.
7. When finished, click OK to save your changes.

USING THE CLI


Enabling fail-safe option
To enable the active-only fail-safe option and return a list of server IP
addresses for failed servers, use the following command within a GSLB
policy:
dns active-only fail-safe
The no form of the command can be used with the active-only feature to
disable the fail-safe option.
CLI Example
The commands below enable the DNS active-only fail-safe option within a
GSLB policy, so a list of IP addresses will be sent to the client for the servers that failed the health check.
AX(config)#gslb policy default
AX(config-gslb policy)#dns active-only fail-safe
AX(config-gslb policy)#exit

Enabling backup server mode


To designate one or more backup servers to be returned to the client if the
primary servers fail, do the following:
1. Use the following command to enable the backup server mode within
the GSLB policy:
dns backup-server

2. Specify the backup servers in the dns-a-record within the GSLB zone
service using the following command:
dns-a-record ip-addr as-backup
CLI Example
The commands below are used within a GSLB policy to specify that a
backup server at IP 192.168.123.1 will be returned to the client, should the
primary servers fail.
AX(config)#gslb policy default
AX(config-gslb policy)#dns backup-server
AX(config-gslb policy)#exit
AX(config)#gslb zone z1
AX(config-gslb zone)#service 80 http
AX(config-gslb zone-gslb service)#dns-a-record 192.168.123.1 as-backup
AX(config-gslb zone-gslb service)#exit
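As an added illustration (not A10's code), the following Python models two behaviours this guide describes: the multiple-port health check from Multiple-Port Health Monitoring (a service IP is Up if any checked port passes) and the active-only, fail-safe and backup-server options of this section. The service-IP names, addresses and health states are constructed, and giving backup servers precedence over the fail-safe list is an assumption the guide does not state.

```python
# Added example (not A10's code): models the multiple-port health check
# (service IP is Up if ANY checked port passes) and the DNS active-only /
# fail-safe / backup-server policy options described in the guide.
# All names, addresses and health states below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ServiceIP:
    """A GSLB service IP with the latest health result of each port."""
    name: str
    addr: str
    port_health: Dict[int, bool] = field(default_factory=dict)
    as_backup: bool = False  # configured with 'dns-a-record <ip> as-backup'

    def is_up(self, checked_ports: List[int]) -> bool:
        # Multiple-port rule: Up if any checked port passes; a port that was
        # never checked counts as failed.
        return any(self.port_health.get(p, False) for p in checked_ports)


@dataclass
class Policy:
    """Subset of a GSLB policy's DNS options."""
    active_only: bool = False    # dns active-only
    fail_safe: bool = False      # dns active-only fail-safe
    backup_server: bool = False  # dns backup-server


def dns_answers(service_ips: List[ServiceIP], checked_ports: List[int],
                policy: Policy) -> List[str]:
    """Addresses the controller would place in the A-record answer."""
    primaries = [s for s in service_ips if not s.as_backup]
    backups = [s for s in service_ips if s.as_backup]
    up = [s.addr for s in primaries if s.is_up(checked_ports)]
    if up:
        return up
    # Every primary failed its health check.
    if policy.backup_server and backups:
        # Assumption: backups win over the fail-safe list when both are
        # configured; the guide does not state their precedence.
        return [s.addr for s in backups]
    if policy.active_only and policy.fail_safe:
        # active-only fail-safe: hand back the failed primaries anyway.
        return [s.addr for s in primaries]
    # Default (and plain active-only): empty answer.
    return []


# Constructed sample: service www health-checks ports 80, 8080 and 8081.
CHECKED_PORTS = [80, 8080, 8081]
SAMPLE = [
    ServiceIP("gslb-srvc1", "192.168.20.98", {80: False, 8080: True, 8081: False}),
    ServiceIP("gslb-srvc2", "192.168.20.99", {80: False, 8080: False, 8081: False}),
    ServiceIP("backup-1", "192.168.123.1", {80: True}, as_backup=True),
]
ALL_DOWN = [
    ServiceIP("gslb-srvc1", "192.168.20.98", {80: False, 8080: False}),
    ServiceIP("gslb-srvc2", "192.168.20.99", {80: False}),
    ServiceIP("backup-1", "192.168.123.1", {80: True}, as_backup=True),
]


def demo() -> Dict[str, List[str]]:
    """Run each policy option against the sample data."""
    return {
        "one_port_passes": dns_answers(SAMPLE, CHECKED_PORTS, Policy()),
        "active_only": dns_answers(ALL_DOWN, CHECKED_PORTS,
                                   Policy(active_only=True)),
        "fail_safe": dns_answers(ALL_DOWN, CHECKED_PORTS,
                                 Policy(active_only=True, fail_safe=True)),
        "backup_server": dns_answers(ALL_DOWN, CHECKED_PORTS,
                                     Policy(backup_server=True)),
    }


if __name__ == "__main__":
    for case, answer in demo().items():
        print(f"{case:16s} -> {answer or '(empty)'}")
```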

Support for DNS TXT Records


The TXT record is a type of DNS resource record, similar to an A record or
a CNAME record, but it has typically been used to carry machine-readable
data, opportunistic encryption, Sender Policy Framework (SPF), Domain
Keys, and DNS-SD. (Please refer to RFC 1464 for further details on uses
for TXT resource records.)
GSLB supports the ability to use DNS TXT resource records for the
following purposes:
• Perform Add/Delete/Find operations, based on a DNS TXT record
• Support multiple DNS TXT records for each service
• Carry multiple pieces of DNS TXT data within one TXT record
• Support DNS TXT/ANY query in server mode
• Support GSLB debug functions

Note:

The maximum length of a DNS TXT record data is 2048 characters.

USING THE GUI


To configure a DNS TXT record for a GSLB zone using the AX GUI,
navigate as follows:
1. Select Config Mode > Service > GSLB.
2. Click the Zone tab, and then click the Add button.
3. Scroll down and click the arrow button to expand the Service section.
4. Click the Add button, and enter the details for this new service.
5. Scroll down and click the arrow button to expand the DNS TXT Record
section. A window similar to the one shown below appears:
FIGURE 4: DNS TXT Record

6. Enter the desired text string in the blank DNS TXT Record field. Then,
click the Add button, as shown in Figure 4.
Note:

Use quotation marks when entering text strings that contain spaces. If a
text string is entered without using quotation marks, this will cause the
content to be split into different sections of the record.
7. When finished, scroll to the bottom of the page and click OK to save
your changes.

USING THE CLI


To use DNS TXT resource records to carry multiple pieces of DNS TXT
data within one TXT record, use the following command at the GSLB
policy configuration level:
[no] dns server txt
And then use the following command at the service config level within a
GSLB zone:
[no] dns-txt-record aaaa bbbb cccc
Note:

The AX device has a special handler that enables you to enter non-printable characters that the CLI does not support. For details, please contact
A10 Support.
Displaying Records
To display the DNS TXT Records, use the following command:
show gslb service dns-txt-record
To display the DNS TXT switch, use the following command:
show gslb policy [name]

Append All NS Records in DNS Authority Section


GSLB supports name server (NS) records in the Authority Section of the
DNS response. When this feature is enabled, the GSLB AX device (running
in server mode) will include all NS records in the Authority Section of the
DNS response that is sent to the client. By providing additional NS information, this feature can be helpful if one or more of the name servers becomes
unavailable.

USING THE GUI


To enable the GSLB AX device to append NS records in the Authority
section of a DNS response, follow the procedure below:
1. Select Config Mode > Service > GSLB.
2. Click the Policy tab, and then click the Add button.
3. Enter a name for the GSLB policy in the Name field.
4. Click the DNS Options arrow to expand the menu.
The DNS Options menu appears, as shown below:

FIGURE 5: NS Records under DNS Options

5. Select the Server Mode checkbox to place the AX device in Server
Mode (and to activate the NS List checkbox). Then, select the NS List
checkbox, as shown above.
6. When finished, click OK to save your changes.

USING THE CLI


To append all Name Server (NS) Resource Records (RR) in the Authority
Section of a DNS reply from a GSLB AX device in server mode, use the
following command at the gslb policy configuration level of the CLI:
[no] dns server authoritative ns-list
You can disable the inclusion of the NS record in the Authority section of
DNS responses by using the no form of the command.

Hints in DNS Responses


By default, the AX device places hints in the Additional Section of the DNS
response. Hints are A or AAAA records that are sent in the response to a client's DNS request. These records provide a mapping between the host
names and IP addresses.
You can disable the appearance of hints in a DNS response. In addition, you
also can determine where in the DNS response the hints will appear.
Hints can appear in the following sections of a DNS response:

• None - Does not append hints in the DNS response
• Additional - Appends hints in the Additional Section (default)
• Answer - Appends hints in the Answer Section

This new option applies to the following record types:
• NS
• MX
• SRV

USING THE GUI


To configure hints in the DNS response, follow the procedure below:
1. Select Config Mode > Service > GSLB.
2. Click the Policy tab, and then click the Add button.
3. Enter a name for the GSLB policy in the Name field.
4. Click the DNS Options arrow to expand the menu.
5. In the Hint area, select the desired radio button:
• No - Disables hints in the DNS response
• Additional - Enables hints in the Additional Section (default)
• Answer - Enables hints in the Answer Section

6. When finished, click OK to save your changes.

USING THE CLI


Use the following command at the GSLB policy configuration level of the
CLI to configure the Hint Record (or Glue Record) that appears in DNS
replies sent from the GSLB AX device in response to a client's DNS request.
[no] dns hint {addition | answer | none}

CLI Example
The following command configures the AX device to include the Hint
Record in the Answer Section of the DNS response. This might be helpful
if, for example, the local DNS server has trouble parsing the Additional
Section that appears in a full DNS reply.
AX(config)#gslb policy default
AX(config-gslb policy)#dns hint answer
AX(config-gslb policy)#exit

DNS Sub-zone Delegation


GSLB sub-zone delegation allows you to delegate authority or responsibility for a portion of the DNS namespace from the parent domain to a separate
sub-domain which may reside on one or more remote servers and may be
managed by someone other than the network administrator who is responsible for the parent zone.
By delegating responsibility for a sub-zone (or sub-domain), you are
effectively dividing up the namespace, or the mappings between the hostnames and their associated IP addresses. This division helps to distribute the
DNS database more effectively.
Sub-zone delegation may be desirable if your organization is growing
quickly and you are adding remote branches or offices. If the branches are
distributed across a broad geographic area, sub-zone delegation can be done
to reduce the response times to the resolvers, thus providing faster performance by placing the requested DNS records closer to the clients. Sub-zone
delegation may also be done to distribute the DNS traffic load across a
larger number of servers in order to improve fault tolerance. Additionally,
you may wish to delegate the responsibility for a sub-zone to an administrator who is more familiar with a particular group of servers, whether due to
geographical proximity or due to an administrator's familiarity with the
content and services offered by those servers.
For example, assume a San Jose-based company is expanding rapidly and
decides to open an office in New York for its finance division. With the
additional traffic generated by client DNS resolvers on the East Coast, the
parent domain, (example.com) may no longer suffice. In this case, it
might be helpful to add a separate sub-zone (finance.example.com) for
the New York office. Such a scenario is shown in Figure 6 on page 86.

FIGURE 6: Namespace for finance division is delegated as new sub-zone

Figure 6 shows the root zone at the top of the DNS hierarchy. The figure
also illustrates the following important points:
• The next level down are the Top Level Domains (TLDs), or the DNS
servers responsible for managing the resource records for the .com,
.org and other domains.
• The parent zone is located beneath the TLDs. It is at this level within the
DNS structure that the organization's main domain (example.com) is
located.
• A separate sub-zone (finance.example.com), representing the New
York office, has been delegated from the parent zone.


As this hypothetical sub-zone is branched off of the parent domain, it might
be helpful to delegate responsibility for managing this new sub-zone to an
IT administrator who is also located in New York.
Keep in mind that during the process of delegating authority for any sub-zone, an NS record must be added to the zone file within the authoritative
name server for the parent zone. This must be done so that other DNS servers and clients will recognize the new server as being authoritative for the
particular delegated sub-zone.

Details:
• Sub-zone delegation is enabled within a GSLB policy and applied at the
zone level.
• When delegating a sub-zone, the GSLB AX device must be in server
mode. The feature will not work with the GSLB AX device in proxy
mode.
• Once a sub-zone has been delegated from the parent zone, client resolvers will send a query for the NS record, and the response from the GSLB
AX device will have the NS record in the Authority section and the IP
address in the Additional section of the full DNS response.
Note:

The AX device supports configuration of glue records. A glue record can
be configured to prevent circular dependencies, which can occur if the
name server is located in a sub-zone of the parent domain. Such a scenario
can make it impossible for the client resolver to locate the IP for the name
server, because it is located within a sub-zone of the parent domain. Configuring a glue record eliminates this problem by providing an address
record that appears in the Additional section of the full DNS response,
and this enables the client to find the name server.

USING THE GUI


This feature is not supported in the GUI for this release.

USING THE CLI


To enable sub-zone delegation, use the following command at the GSLB
configuration level:
[no] dns delegation
CLI Example #1
The following command configures the GSLB policy, and places the GSLB
AX device in server mode. The delegation command, which is also applied
at the DNS level, enables the sub-zone delegation.
AX(config)#gslb policy delegat-1
AX(config-gslb policy)#dns server
AX(config-gslb policy)#dns delegation
AX(config-gslb policy)#exit

The following command creates the sub-zone to be delegated. Note that this
also requires the configuration of a wildcard service.
AX(config)#gslb zone sub.example.com
AX(config-gslb zone)#service *
Alternatively, you could use the following commands to have the feature
support DNSSEC by removing the sub. from the zone config.
AX(config)#gslb zone example.com
AX(config-gslb zone)#service *.sub

The following command creates the NS record in the GSLB policy:
AX(config-gslb service)#dns-ns-record ns.finance.example.com

The following command applies the delegation policy at the zone level for
the service group level:
AX(config-gslb zone)#policy delegation

The following optional command can be used at the GSLB zone level to
configure a DNS glue record. This configuration helps prevent circular
dependencies:
AX(config-gslb zone)#service 53 ns.finance
AX(config-gslb zone-gslb service)#dns-a-record <service-ip name>
AX(config-gslb zone-gslb service)#exit
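As an added illustration (not A10's code), the Python below models how a GSLB AX in server mode with dns delegation answers a query that falls inside a delegated sub-zone, placing the NS record in the Authority section and the glue A record in the Additional section, and it applies the circular-dependency check from the Note in the Details above. The zone names, the NS name, the query names and the addresses are constructed sample data.

```python
# Added example (not A10's code): models a referral for a delegated sub-zone
# (NS in Authority, glue A in Additional) and the glue-record check for the
# circular-dependency case the guide describes. Zone names, NS name,
# query names and addresses are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


@dataclass
class Delegation:
    subzone: str                     # e.g. finance.example.com
    ns_name: str                     # dns-ns-record ns.finance.example.com
    glue_addr: Optional[str] = None  # dns-a-record under 'service 53 ns.finance'


@dataclass
class ZoneConfig:
    zone: str
    server_mode: bool = True  # 'dns server' in the GSLB policy
    delegation: bool = True   # 'dns delegation' in the GSLB policy
    delegations: List[Delegation] = field(default_factory=list)
    a_records: Dict[str, str] = field(default_factory=dict)


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def glue_required(d: Delegation) -> bool:
    """Glue is needed when the name server's own name lies inside the
    sub-zone it serves: a resolver would have to ask that server for its
    own address (the circular dependency described in the guide)."""
    return in_zone(d.ns_name, d.subzone)


def respond(cfg: ZoneConfig, qname: str) -> Dict[str, List[Record]]:
    """Build the answer/authority/additional sections for qname."""
    resp: Dict[str, List[Record]] = {"answer": [], "authority": [], "additional": []}
    if not in_zone(qname, cfg.zone):
        raise ValueError("not authoritative for " + qname)
    for d in cfg.delegations:
        if not in_zone(qname, d.subzone):
            continue
        if not (cfg.server_mode and cfg.delegation):
            raise RuntimeError("sub-zone delegation needs server mode and dns delegation")
        # Referral: the NS record goes in the Authority section.
        resp["authority"].append((d.subzone, "NS", d.ns_name))
        if d.glue_addr is not None:
            # The glue A record goes in the Additional section.
            resp["additional"].append((d.ns_name, "A", d.glue_addr))
        elif glue_required(d):
            raise RuntimeError(f"{d.ns_name} is inside {d.subzone} but no glue is configured")
        return resp
    addr = cfg.a_records.get(_norm(qname))
    if addr is not None:
        resp["answer"].append((_norm(qname), "A", addr))
    return resp


# Constructed sample: example.com delegates finance.example.com to a name
# server inside that sub-zone, so glue (172.16.11.211) is required.
SAMPLE_CFG = ZoneConfig(
    zone="example.com",
    delegations=[Delegation("finance.example.com", "ns.finance.example.com",
                            glue_addr="172.16.11.211")],
    a_records={"www.example.com": "10.10.10.10"},
)


if __name__ == "__main__":
    for q in ("www.example.com", "payroll.finance.example.com"):
        print(q, respond(SAMPLE_CFG, q))
```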

CLI Example #2
The following commands configure the GSLB service IP ns-ip-1 at IP
172.16.11.211 and disable the health check at the service IP level and at
UDP port 53.
AX(config)#gslb service-ip ns-ip-1 172.16.11.211
AX(config-gslb service ip)#no health-check
AX(config-gslb service ip)#port 53 udp
AX(config-gslb service ip-port)#no health-check

The following commands configure the GSLB service IP dc1-vip at IP
10.10.10.10 and disable the health check at the service IP level and at
TCP port 80.
AX(config)#gslb service-ip dc1-vip 10.10.10.10
AX(config-gslb service ip)#no health-check
AX(config-gslb service ip)#port 80 tcp
AX(config-gslb service ip-port)#no health-check

The following commands configure the GSLB service IP dc2-vip at IP
172.16.10.203 and disable the health check at the service IP level and at
TCP port 80.
AX(config)#gslb service-ip dc2-vip 172.16.10.203
AX(config-gslb service ip)#no health-check
AX(config-gslb service ip)#port 80 tcp
AX(config-gslb service ip-port)#no health-check

The following commands configure a GSLB site called dc1. The site has
an AX device, dc1-ax at IP 10.10.10.50.
AX(config)#gslb site dc1
AX(config-gslb site)#slb-dev dc1-ax 10.10.10.50
AX(config-gslb site-slb dev)#vip-server dc1-vip
AX(config-gslb site-slb dev)#exit

The following commands configure a GSLB site called dc2. The site has
an AX device, dc2-ax at IP 172.16.10.50.
AX(config)#gslb site dc2
AX(config-gslb site)#slb-dev dc2-ax 172.16.10.50
AX(config-gslb site-slb dev)#vip-server dc2-vip
AX(config-gslb site-slb dev)#exit

The following commands configure a GSLB site called dc5. The site has
an AX device, dc5-ax at IP 172.16.11.50.
AX(config)#gslb site dc5
AX(config-gslb site)#slb-dev dc5-ax 172.16.11.50
AX(config-gslb site-slb dev)#vip-server ns-ip-1
AX(config-gslb site-slb dev)#exit

The following commands configure three GSLB policies: (1) the default
GSLB policy, (2) GSLB policy 5 (for delegation), and (3) GSLB policy
dns-server. The AX delegates authority for the sub-domain
sub.sub.a10networks.jp to nameserver "ns01.sub.sub.a10networks.jp".
AX(config)#gslb policy default
AX(config-gslb policy)#exit

AX(config)#gslb policy 5
AX(config-gslb policy)#dns delegation
AX(config-gslb policy)#dns server
AX(config-gslb policy)#exit

AX(config)#gslb policy dns-server
AX(config-gslb policy)#dns server
AX(config-gslb policy)#exit

The following commands create the GSLB zone sub.sub.a10networks.jp and a
wildcard service within the zone. GSLB policy 5, created above, is assigned
to the wildcard service, and an NS record is created for the name server
ns01.sub.sub.a10networks.jp.
AX(config)#gslb zone sub.sub.a10networks.jp
AX(config-gslb zone)#service *
AX(config-gslb zone-gslb service)#policy 5
AX(config-gslb zone-gslb service)#dns-ns-record ns01.sub.sub.a10networks.jp
AX(config-gslb zone-gslb service)#exit

The following commands, within the same GSLB zone sub.sub.a10networks.jp,
create a service for port 53 called ns01. The GSLB policy dns-server,
created above, is assigned to the service, and a static A record is created
for ns-ip-1 so that the associated service IP is returned when the AX
device is in DNS server mode.
AX(config-gslb zone)#service 53 ns01
AX(config-gslb zone-gslb service)#policy dns-server
AX(config-gslb zone-gslb service)#dns-a-record ns-ip-1 static

The following commands create the GSLB zone sub.a10networks.jp and add the
http service www. The policy dns-server is bound to the service, and static
A records are created for dc1-vip and dc2-vip.
AX(config)#gslb zone sub.a10networks.jp
AX(config-gslb zone)#service http www
AX(config-gslb zone-gslb service)#policy dns-server
AX(config-gslb zone-gslb service)#dns-a-record dc1-vip static
AX(config-gslb zone-gslb service)#dns-a-record dc2-vip static

The following command enables the GSLB and makes this AX device the
GSLB controller.
AX(config)#gslb protocol enable controller

DNS Proxy Block


AX Release 2.7.0 introduces DNS Proxy Block, which enables an AX
device to block DNS client queries from being sent to an internal DNS
server. The AX device must be in GSLB proxy mode for the feature to
work.
DNS Proxy Block can match queries by well-known query type name, by
numeric query type, or by a range of numeric query types. The following
well-known DNS types can be selected by name:
A (type 1)
AAAA (type 28)
CNAME (type 5)
MX (type 15)
NS (type 2)

Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

91 of 260

AX Series - GSLB Configuration Guide


Advanced DNS Options - DNS Proxy Block
PTR (type 12)
SOA (type 6)
SRV (type 33)
TXT (type 16)

After specifying the type of DNS query to be blocked, select an action to
perform on the selected query type: drop or reject. When selecting an
action, keep in mind the following caveats:
- Selecting a DNS query type without specifying an action applies the
default action, drop, to the selected query type.
- Selecting an action without specifying a query type leaves the feature
effectively disabled. If no query type has been identified, no action is
applied, even if an action has been specified.
Benefits
Implementing this feature may reduce the amount of traffic sent to back-end
DNS servers, which increases efficiency by reducing the burden on those
servers. The feature is also useful where a DNS server holding resource
records is reachable by both internal and external clients. In that case,
DNS Proxy Block helps prevent sensitive resource records on the internal
DNS server from being leaked to external clients.
Note:

Prior releases supported a similar DNS Blocking option, which removed the
dns-a-record information from DNS responses: with the no-resp option at the
GSLB service level for a zone, dns-a-record information was stripped from
the DNS server's response. The DNS Proxy Block command, however, blocks the
client's DNS request before it ever reaches the back-end DNS server.
Details:
- The GSLB AX device must be operating in proxy mode to support the DNS
Proxy Block feature.
- The feature is configured within the GSLB policy and is applied at the
zone and service levels.

- Multiple query types can be specified, but only one action can be
applied to those query types. Therefore, the first configuration below is
acceptable, but the second is not:
  Reject both SRV and CNAME query types (OK)
  Reject SRV but drop CNAME query types (Not OK)

USING THE GUI


To enable the DNS Proxy Block feature for a GSLB zone using the AX
GUI, navigate as follows:
1. Select Config Mode > Service > GSLB.
2. Click the Policy tab, and then click the Add button.
3. Click the DNS Proxy Block arrow to expand the menu.
A window similar to the one shown below appears:
FIGURE 7 DNS Proxy Block

4. Select the Drop or Reject Action radio button. If desired, you can select
the No radio button to disable the DNS Proxy Block feature.
5. Click the Type List drop-down menu and select the desired well-known
DNS query type that you would like to block. Then, click the Add
button. If you want to remove a query type from the list, select the
checkbox next to a query type and then click the Delete button.
Alternatively, to enter a range of DNS query type numbers to be
blocked, in the Range List section, enter the beginning number in the
From field and the ending number in the To field.
6. When finished, click OK to save your changes.
7. Next, apply the policy to a zone by selecting Config Mode > Service >
GSLB, and then click the Zone tab.
8. Apply the GSLB policy you just created to an existing zone by clicking
the hyperlinked name of the zone and then selecting the GSLB policy
from the drop-down menu.
9. Click OK to save your changes.

USING THE CLI


Enabling GSLB DNS Proxy Block
To enable the GSLB DNS Proxy Block feature, use the following command
at the GSLB policy configuration level:
dns proxy block [a | aaaa | ns | mx | srv | cname | ptr | soa | txt | num query-type | range start-query-type end-query-type] action {drop | reject}

The query-type is the numeric value that corresponds to a well-known DNS
query type. Specify any number from 1 to 255.
The range option allows you to target less well-known DNS query types. The
start-query-type and end-query-type are the numeric values that define the
beginning and end of the range of DNS query types to block. The range can go
from 1 to 65535. If desired, enter the same number for the beginning and
end values to target a specific query type.
The available actions are drop and reject. With drop, the AX device silently
discards queries of the specified type and sends nothing back to the client.
With reject, it discards the query and returns a DNS response with the
REFUSED response code to the client.
Note:

To enter the action and query type on a single line, you must enter the
query type prior to entering the action. If the action is entered first, then
the query type must be entered on a separate line.
CLI Example
The following example creates a GSLB policy, enables the DNS Proxy Block
feature for A queries (no action is given, so the default action, drop,
applies), and applies the policy to the zone example.com for the service
http:

AX(config)#gslb policy pol-1
AX(config-gslb policy)#dns proxy block a
AX(config-gslb policy)#exit
AX(config)#gslb zone example.com
AX(config-gslb zone)#policy pol-1
AX(config-gslb zone)#service http www
AX(config-gslb zone-gslb service)#exit
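The decision logic described in this section can be reproduced in a few lines to see exactly what a client receives under each action. The following Python example is added here and is not A10 code: it models a policy with the same semantics as the text (a set of blocked query types given by well-known name, by number or by inclusive numeric range; one action for all of them; drop as the default when no action is given; no effect at all when no type is given), reads the QTYPE from a constructed client query, and for reject builds the REFUSED response (RCODE 5) that the client would see. The class and function names and the sample query names are my own.

```python
import struct

RCODE_REFUSED = 5   # RFC 1035 response code "Refused"

# Well-known query types from the list above, keyed by the CLI keyword.
WELL_KNOWN = {"a": 1, "ns": 2, "cname": 5, "soa": 6, "ptr": 12,
              "mx": 15, "txt": 16, "aaaa": 28, "srv": 33}

def build_query(qname, qtype, qid=0x2A2A):
    """Constructed sample client query: standard header (RD=1), one question, class IN."""
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)

def question_end(query):
    """Offset just past the first question (QNAME in a client query is not compressed)."""
    off = 12
    while query[off] != 0:
        off += query[off] + 1
    return off + 5          # terminating zero byte + QTYPE (2) + QCLASS (2)

def query_type(query):
    """QTYPE of the first question."""
    end = question_end(query)
    return struct.unpack("!H", query[end - 4:end - 2])[0]

def refused_response(query):
    """What 'reject' sends back: same ID and question, QR=1, RCODE=REFUSED, no records."""
    qid, flags = struct.unpack("!HH", query[:4])
    flags = ((flags | 0x8000) & 0xFFF0) | RCODE_REFUSED   # set QR, clear RCODE bits, set REFUSED
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:question_end(query)]

class DnsProxyBlock:
    """Hypothetical model of the policy semantics described in the text (my naming, not A10's):
    a set of blocked query types and one action that applies to all of them."""

    def __init__(self, action=None, types=(), ranges=()):
        self.action = action or "drop"          # a type list without an action gets the default, drop
        self.blocked = set()
        for t in types:                         # keyword ("srv") or numeric type (65)
            self.blocked.add(WELL_KNOWN[t] if isinstance(t, str) else int(t))
        for start, end in ranges:               # inclusive numeric range, e.g. (64, 66)
            self.blocked.update(range(start, end + 1))

    def decide(self, query):
        """Return ("forward", None), ("drop", None) or ("reject", response_bytes)."""
        if not self.blocked:                    # an action with no type leaves the feature inert
            return "forward", None
        if query_type(query) not in self.blocked:
            return "forward", None
        if self.action == "reject":
            return "reject", refused_response(query)
        return "drop", None                     # nothing goes back to the client

if __name__ == "__main__":
    policy = DnsProxyBlock(action="reject", types=["srv", "cname"], ranges=[(64, 66)])
    for qname, qtype in (("www.example.com", 1), ("_ldap._tcp.example.com", 33), ("x.example.com", 65)):
        action, resp = policy.decide(build_query(qname, qtype))
        print(f"{qname:24} type {qtype:3} -> {action}", resp.hex() if resp else "")
```

Forwarding is the only outcome for types outside the blocked set, so an operator who wants to hide SRV and TXT records from external clients (the leakage case in Benefits) must list those types explicitly; naming only an action does nothing.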


Partition-specific Group Management


Beginning with release 2.6.1-GR1, the AX device allows Global Server
Load Balancing (GSLB) to be configured within individual partitions. The
shared partition and the private partitions in which Layer 2/3 virtualization
is enabled can each have their own GSLB configuration parameters, separate
from those of the other partitions.
To configure GSLB parameters for an individual partition, assign them all
to the same GSLB configuration group, and then map the group to the partition.

Implementation Details
- Partition-specific GSLB configuration is supported only for partitions in
which Layer 2/3 virtualization is enabled.
- The following GSLB configuration items cannot be configured for individual
partitions. They can be configured only globally, for all partitions on the
AX device:
  GSLB system-wide settings: gslb system, gslb dns, gslb protocol and
  gslb active-rdt
  GSLB geo-locations (gslb geo-location)
- Duplicate names are not supported for GSLB items. For example, the same
zone name cannot be configured in more than one partition.
- For each partition, only one GSLB group is supported to implement the
mapping: you can create one group per partition, the partition group.
- In the current release, the following synchronization scenario is
supported: from shared partition group to shared partition group.
- The view and inheritance features are not supported in this release.

aVCS Notes
- In an aVCS deployment there is more than one device in the virtual
chassis. Due to real-time configuration synchronization, all devices in
the virtual chassis have the same configuration, so more than one GSLB
controller can have the highest priority. The controller with the highest
last 4 bytes in its management interface MAC address is elected as the
group master.
- The GSLB group synchronizes configuration between AX devices. If the
group is enabled and the GSLB configuration can be handled by the GSLB
group, aVCS does not synchronize the GSLB configuration to the vBlade.
- If the vMaster is not the same device as the GSLB group master,
configuration of GSLB on a member controller requires the config-anywhere
option to be enabled in the GSLB group.
Note:

For additional information about Role Based Partitions, see the
Role-Based Administration chapter in the AX Series System Configuration
and Administration Guide.


GSLB Configuration Examples


This chapter provides configuration examples for Global Server Load Balancing (GSLB).
These examples implement a basic GSLB deployment. The examples
assume that the default GSLB policy is used, without any changes to the
policy settings.

CLI Example
Configuration on the GSLB AX Device (GSLB Controller)
The following commands configure a health monitor for the local DNS
server to be proxied:
AX-Controller(config)#health monitor dns-53
AX-Controller(config-health:monitor)#method dns domain example.com
AX-Controller(config-health:monitor)#exit

The following commands configure the DNS proxy:
AX-Controller(config)#slb server dns-1 10.10.10.53
AX-Controller(config-real server)#port 53 udp
AX-Controller(config-real server-node port)#health-check dns-53
AX-Controller(config-real server-node port)#exit
AX-Controller(config-real server)#exit
AX-Controller(config)#slb service-group sg-1 udp
AX-Controller(config-slb service group)#member dns-1:53
AX-Controller(config-slb service group)#exit
AX-Controller(config)#slb virtual-server DNS_SrvA 10.10.10.100
AX-Controller(config-slb virtual-server)#port 53 udp
AX-Controller(config-slb virtual server-slb virtua...)#gslb-enable
AX-Controller(config-slb virtual server-slb virtua...)#service-group sg-1
AX-Controller(config-slb virtual server-slb virtua...)#exit
AX-Controller(config-slb virtual server)#exit

The following commands configure the service IP addresses. The VIP
address and virtual port number of the virtual server in each site AX
device's SLB configuration are used as the service IP address and port
number on the GSLB AX device.

AX-Controller(config)#gslb service-ip servicevip1 2.1.1.10
AX-Controller(config-gslb service ip)#port 80 tcp
AX-Controller(config-gslb service ip)#exit
AX-Controller(config)#gslb service-ip servicevip2 3.1.1.10
AX-Controller(config-gslb service ip)#port 80 tcp
AX-Controller(config-gslb service ip)#exit

The following command loads the IANA file into the geo-location database:
AX-Controller(config)#gslb geo-location load iana

The following commands configure the sites. For each site SLB device,
enter the IP address of the AX Series device that provides SLB at the site.
For the VIP server names, enter the service IP name specified above.
AX-Controller(config)#gslb site usa
AX-Controller(config-gslb site)#slb-dev ax-a 2.1.1.1
AX-Controller(config-gslb site-slb dev)#vip-server servicevip1
AX-Controller(config-gslb site-slb dev)#exit
AX-Controller(config-gslb site)#exit
AX-Controller(config)#gslb site asia
AX-Controller(config-gslb site)#slb-dev ax-b 3.1.1.1
AX-Controller(config-gslb site-slb dev)#vip-server servicevip2
AX-Controller(config-gslb site-slb dev)#exit
AX-Controller(config-gslb site)#exit

The following commands configure the GSLB zone:
AX-Controller(config)#gslb zone a10.com
AX-Controller(config-gslb zone)#service http www
AX-Controller(config-gslb zone-gslb service)#dns-cname-record www.a10.co.cn
AX-Controller(config-gslb zone-gslb service)#geo-location China www.a10.co.cn
AX-Controller(config-gslb zone-gslb service)#exit
AX-Controller(config-gslb zone)#exit

At the configuration level for the service (www), the CNAME
www.a10.co.cn is configured and associated with the geo-location China.
If a client's IP address falls within the China geo-location, GSLB returns
the CNAME www.a10.co.cn in the DNS reply.
The following command enables the GSLB protocol:
AX-Controller(config)#gslb protocol enable controller


Configuration on Site AX Device AX-A


The following commands configure SLB on site AX device AX-A:
Site-AX-A(config)#slb server www 2.1.1.2
Site-AX-A(config-real server)#port 80 tcp
Site-AX-A(config-real server-node port)#exit
Site-AX-A(config-real server)#exit
Site-AX-A(config)#slb server www2 2.1.1.3
Site-AX-A(config-real server)#port 80 tcp
Site-AX-A(config-real server-node port)#exit
Site-AX-A(config-real server)#exit
Site-AX-A(config)#slb service-group www tcp
Site-AX-A(config-slb service group)#member www:80
Site-AX-A(config-slb service group)#member www2:80
Site-AX-A(config-slb service group)#exit
Site-AX-A(config)#slb virtual-server www 2.1.1.10
Site-AX-A(config-slb virtual server)#port 80 http
Site-AX-A(config-slb virtual server-slb virtua...)#service-group www
Site-AX-A(config-slb virtual server-slb virtua...)#exit
Site-AX-A(config-slb virtual server)#exit

Note:

The virtual server IP address must be the same as the GSLB service IP
address configured on the GSLB AX device.
The following command enables the GSLB protocol:

Site-AX-A(config)#gslb protocol enable device

Configuration on Site AX Device AX-B


The following commands configure SLB and enable the GSLB protocol on
site AX device AX-B:
Site-AX-B(config)#slb server www 3.1.1.2
Site-AX-B(config-real server)#port 80 tcp
Site-AX-B(config-real server-node port)#exit
Site-AX-B(config-real server)#exit
Site-AX-B(config)#slb server www2 3.1.1.3
Site-AX-B(config-real server)#port 80 tcp
Site-AX-B(config-real server-node port)#exit
Site-AX-B(config-real server)#exit
Site-AX-B(config)#slb service-group www tcp
Site-AX-B(config-slb service group)#member www:80
Site-AX-B(config-slb service group)#member www2:80
Site-AX-B(config-slb service group)#exit
Site-AX-B(config)#slb virtual-server www 3.1.1.10
Site-AX-B(config-slb virtual server)#port 80 http
Site-AX-B(config-slb virtual server-slb virtua...)#service-group www
Site-AX-B(config-slb virtual server-slb virtua...)#exit

Site-AX-B(config-slb virtual server)#exit
Site-AX-B(config)#gslb protocol enable device

GUI Example
Configuration on the GSLB AX Device (GSLB Controller)
Configure a Health Monitor for the DNS Proxy
1. Select Config Mode > Service > Health Monitor.
2. On the menu bar, select Health Monitor.
3. Click Add.
4. Enter a name for the monitor in the Name field.
5. In the Method section, select DNS from the Type drop-down list.
6. In the Domain field, enter the domain name. (Generally, this is the same
as the GSLB zone name you will configure.)
Configure the DNS Proxy
1. Begin configuring the proxy:
a. Select Config Mode > Service > GSLB.
b. On the menu bar, select DNS Proxy.
c. Click Add.
d. Enter a name for the proxy in the Name field.
e. In the IP Address field, enter the IP address that will be advertised
as the authoritative DNS server for GSLB zone.
Note:

The GUI will not accept the configuration if the IP address you enter here
is the same as the real DNS server IP address you enter when configuring
the service group for this proxy (below).
f. In the GSLB Port section, click Add. The GSLB Port section
appears.

2. Configure the service group:
a. In the Service Group drop-down list, select create to create a service group. (See Figure 8 on page 103.)
The Service Group section appears.
b. Enter the service group information. For this example, enter the following:
   Name: gslb-proxy-sg-1
   Port type: UDP
   Load-balancing metric (algorithm): Round-Robin
   Health Monitor: default
c. In the Server section, enter the DNS servers real IP address in the
Server field, and enter the DNS port number in the port field.
d. Click Add. The DNS port appears in the list. (See Figure 9 on
page 104.)
e. Click OK. The GSLB Port section reappears. In the service dropdown list, the service group you just configured is selected. (See
Figure 10 on page 104.)
3. Finish configuration of the proxy:
a. Click OK. The Proxy section reappears. (See Figure 11 on
page 105.)
b. Click OK. The DNS proxy appears in the DNS Proxy table. (See
Figure 12 on page 105.)
FIGURE 8 Configure > Service > GSLB > DNS Proxy

FIGURE 9 Configure > Service > GSLB > DNS Proxy - service group configuration

FIGURE 10 Configure > Service > GSLB > DNS Proxy - service group selected

FIGURE 11 Configure > Service > GSLB > DNS Proxy - GSLB port configured

FIGURE 12 Configure > Service > GSLB > DNS Proxy - DNS proxy configured
Load the IANA Geo-location Database


1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Geo-location > Import.
3. In the Load/Unload section, enter iana in the File field. Leave the
Template field blank.
4. Click Add.
Configure Services
1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Service IP.
3. Click Add.
4. Enter the service name and IP address. For this example, enter the following:
   Name: servicevip1
   IP Address: 2.1.1.10 (This is the VIP address of a site. Configure a
   separate GSLB service IP for each SLB VIP.)


5. If needed, assign an external IP address to the service IP. The external IP
address allows a service IP that has an internal IP address to be reached
from outside the internal network.
6. Add the service port(s):
a. Enter the port number and select the protocol (TCP or UDP).
b. Optionally, select a health monitor.
c. Click Add. The service port appears in the service port list.
For this example, add TCP port 80 and leave the health monitor
unselected.
(See Figure 13 on page 106.)
7. Click OK.
8. Repeat for each service IP.
FIGURE 13 Config Mode > Service > GSLB > Service IP
Configure Sites
1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Site.
3. Click Add.
4. Enter the site name.
5. In the SLB-Device section, enter information about the AX devices that
provide SLB for the site:
a. Click Add.
b. Enter a name for the device.
c. Enter the IP address at which the GSLB AX device will be able to
reach the site AX device.
d. To add a service to this SLB device, select it from the drop-down list
in the VIP server section and click Add. Repeat for each service.
For this example, enter the following:
   Name: AX-A
   IP Address: 2.1.1.1 (This is the IP address of the site AX device that
   provides SLB for the site.)
   GSLB Service: Add a service IP by selecting it from the drop-down list
   and clicking Add. For this example, add servicevip1 to site usa.
6. In the IP-Server section, add services to the site. Select a service from
the drop-down list and click Add. Repeat for each service.
7. To manually map a geo-location name to the site, enter the geo-location
name in the Geo-location section and click Add.
8. Click OK. The site appears in the Site table.

FIGURE 14 Configure > Service > GSLB > Site - SLB Device

FIGURE 15 Configure > Service > GSLB > Site - site parameters selected

Configure a Zone
1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Zone.
3. Click Add.
4. Enter the zone name in the Name field.
5. In the Service section, click Add. (See Figure 16 on page 110.)
The service configuration sections appear.
6. In the Service field, enter the service name.
7. Select the service type from the Port drop-down list.
8. Add the services:
a. In the Service section, click Add.
b. Enter a name for the service (for example, www).
c. Select the service type from the Port drop-down list.
d. Configure additional options, if applicable to your deployment.
e. Click OK.
f. Repeat for each service.

9. Click OK. The zone appears in the GSLB zone list.


FIGURE 16 Configure > Service > GSLB > Zone

FIGURE 17 Configure > Service > GSLB > Zone

Enable the GSLB Protocol


1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Global.
3. Select Enabled next to Run GSLB as Controller.
4. Click OK.


Configuration on Site AX Devices


SLB configuration is the same with or without GSLB, and is not described
here.
To enable the AX device to run GSLB as a site AX device, perform the following steps on each site AX device:
1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Global.
3. Select Enabled next to Run GSLB as Site SLB Device.
4. Click OK.


GSLB Configuration Synchronization


This chapter describes GSLB configuration synchronization.

Overview
The AX device provides a mechanism to automatically synchronize GSLB
configurations and service IP status among multiple GSLB controllers for a
GSLB zone. (A GSLB controller is an AX device on which GSLB is configured and on which the GSLB controller option is enabled.)
To use this feature, add the GSLB controllers to a GSLB controller group.
The group members (controllers) elect a master controller for the group.
The master controller updates the GSLB configurations on each of the other
group members. The master controller also checks the service IPs for their
status and sends the status information to the other group members.
Note:

This feature is different from the AX Series Virtual Chassis System
(aVCS) feature. aVCS is used for multiple AX devices that serve as
mutual backups within the same LAN. GSLB configuration synchronization is
used by GSLB controllers, which typically are connected across WAN links.
How AX Devices Join a Controller Group
On each GSLB controller, the configuration for a GSLB group includes a
list of primary group members. After the GSLB process starts on an AX
device, the device joins the controller group by connecting to the primary
group members to exchange group management traffic. You can specify up
to 15 primary group members. By default, no primary group members are
defined.
You do not need to configure the list of primary group members on each
controller. If you configure the list on the AX device you plan to use as the
master controller for the group, that device will send the list to the other
controllers in the group.
The learning option enables an AX device to learn the IP addresses of additional group members from the primary group members. Learning is
enabled by default.

Election of the Master Controller
Each GSLB controller in a controller group has a configurable priority
value, 1-255. During master election, the GSLB controller with the highest
priority is elected master for the group.
If more than one controller has the highest priority value, the controller with
the highest last 4 bytes in its management interface MAC address is elected.
The master controller and the other controllers periodically send keepalive
messages. If the other controllers stop receiving keepalive messages from
the master controller, a new master is elected.
Note:

To designate a master controller for the GSLB group, set the priority of
the desired AX device to a higher value than the other members. It is
recommended that you make GSLB configuration changes for the group-wide
parameters (listed below) on the master. The group synchronization feature
pushes your configuration to the other group members.
GSLB Synchronization
The master in a GSLB controller group synchronizes the following GSLB
configuration items by updating the configurations on the other controllers:
Service IPs
Sites, including SLB-device parameters
Zones, including services
GSLB policies (only those that are used by services)
SLB information for DNS proxy
GSLB protocol settings

The following items are not synchronized:


Geo-location files
Black/white list files
Health monitors

The master controller sends the following status information to the other
controllers:
aRDT data
Connection load data
Virtual port status

Virtual server status
Device status

Until the configuration synchronization status reaches FullSync, you can
change GSLB configuration information directly on group members even if
they are not the master. However, if the same configuration items are
changed on the master, the changes on the master overwrite the changes on
the other group members.
After the configuration synchronization status reaches FullSync, directly
changing the configuration on a member device is not supported. In this
case, the following error message is displayed: Operation denied by Group
Master.
Notes
In the current release, if there are two or more controllers in a private
network and they are using the same public NAT address, only one of
the controllers will be accepted as a member of the GSLB group. The
AX GSLB controller will reject the other connection request if it comes
from the same external IP.
In HA or VRRP-A deployments, the GSLB configuration synchronization
feature synchronizes with the active device, which then pushes the
GSLB configuration changes to the standby.
Starting in Release 2.6.1-P3, the AX device's CLI prompt displays the
AX device's role within the GSLB group, which can be either Master
or Member, as shown in the examples below:
AX2500-Master(config)#
AX2500-Member(config)#
Display of the group role can be disabled by using the no terminal gslbprompt
command at the global config level.

GSLB Group Parameters


Table 2 lists the GSLB group parameters you can configure.

TABLE 2  GSLB Group Parameters

Parameter: Group name
  Description and Syntax: Name of the GSLB controller group.
    [no] gslb group default
    Note: The current release does not support this feature in the GUI.
  Supported Values: default
    Default: not set

Parameter: Group state
  Description and Syntax: State of the group on the AX device.
    [no] enable
    Note: The current release does not support this feature in the GUI.
  Supported Values: Enabled or disabled
    Default: disabled

Parameter: Priority
  Description and Syntax: Value used during master election for the group.
    Higher priority values are preferred over lower priority values. For
    example, priority value 200 is preferred over priority value 100.
    [no] priority num
    Note: The current release does not support this feature in the GUI.
  Supported Values: 0-255
    Default: 100

Parameter: Primary controller
  Description and Syntax: IP addresses of the other GSLB controllers to
    connect to within the group. You can specify up to 15 IP addresses.
    [no] primary ipaddr
    Note: The current release does not support this feature in the GUI.
  Supported Values: Valid IP address
    Default: not set

Parameter: Learning
  Description and Syntax: Allows the device to learn the IP addresses of
    additional group members from the primary controller(s).
    [no] learn
    Note: The current release does not support this feature in the GUI.
  Supported Values: Enabled or disabled
    Default: enabled

Parameter: Automatic configuration save
  Description and Syntax: Automatically saves the configuration on a group
    member when the configuration is saved on the group's master controller.
    [no] config-save
    Note: The current release does not support this feature in the GUI.
  Supported Values: Enabled or disabled
    Default: enabled

Configuration
At a minimum, to add an AX device to a GSLB controller group:
1. On the controller you plan to use as the master:
a. Configure the GSLB parameters that will be synchronized with the
other controllers.
b. Configure local GSLB parameters as applicable to your deployment.
c. Add the device to the GSLB controller group and change the group
priority value to 255.
d. Enable the device's membership in the group.
2. On each of the other controllers:
a. Add the device to the GSLB controller group. Set the priority to a
value that is less than the master's.
b. Enable the AX device's membership in the group.
c. Configure local GSLB parameters as applicable to your deployment.

USING THE GUI


The current release does not support configuration of this feature using the
GUI.

USING THE CLI


To configure a GSLB group, use the following commands.
[no] gslb group default
This command changes the CLI to the configuration level for the group,
where the following commands are available.
[no] enable
This command activates the GSLB controller's membership in the group.
[no] priority num
This command specifies the priority of the controller to become the master
for the group. (See Election of the Master Controller on page 114.)

[no] primary ipaddr
This command specifies the IP address of another GSLB controller in the
group. You can specify up to 15 primary controllers. Enter the command
separately for each controller.
[no] learn
This command enables the AX device to learn the IP addresses of other
group members from the primary controllers.
[no] config-save
This command enables automatic configuration save on a group member
when the configuration is saved on the group's master controller.
To display GSLB group information, use the following command:
show gslb group [group-name] [brief] [statistics]
CLI Example
The following commands add a GSLB controller to the default GSLB
group, enable the device's membership in the group, and display group
information:
AX(config)#gslb group default
AX(config-gslb group)#enable
AX(config-gslb group)#show gslb group brief
Pri = Priority, Attrs = Attributes
D = Disabled, L = Learn
P = Passive, * = Master
Name        Pri  Attrs  Master            Member
-----------------------------------------------------------------------------
default     100  L      192.168.101.72

Table 3 describes the fields in the command output.

TABLE 3  show gslb group brief fields

Field: Name
  Description: Name of the GSLB controller group.
Field: Pri
  Description: Priority of the master controller.
Field: Attrs
  Description: GSLB group attributes of this member:
    D - Member is disabled.
    L - Group learning is enabled on this member.
    P - Member's connection with this member (the member on which you
        enter the show gslb group command) is passive.
        The group connection between any two controller group members is
        a client-server connection. The group member that initiates the
        connection is the client, and has the passive side of the
        connection. The other member is the server.
    * - Member is the current master for the group.
  Note: Attributes are displayed only when at least two group members
  are connected.
Field: Master
  Description: IP address of the current master for the group.
Field: Member
  Description: Number of GSLB controllers in the group. This number
  includes all configured group members and all learned group members.

AX(config-gslb group)#show gslb group
Pri = Priority, Attrs = Attributes
D = Disabled, L = Learn
P = Passive, * = Master
Group: default, Master: 192.168.101.72
Member           ID        Pri  Attrs  Status
-----------------------------------------------------------------------------
local            22e40d29  255  L*     OK
192.168.1.131    941a1229  100         Synced
192.168.1.132    ab301229  100  P      Synced

Table 4 describes the fields in the command output.

TABLE 4  show gslb group fields

Field: Member
  Description: GSLB controllers currently in the group. The local member is
  the GSLB controller on which you entered this show command.
Field: ID
  Description: Group member ID assigned by the controller group feature.
Field: Pri
  Description: Priority of the GSLB controller.
Field: Attrs
  Description: GSLB group attributes of the member:
    D - Member is disabled.
    L - Group learning is enabled on this member.
    P - Member's connection with this member (the member on which you
        enter the show gslb group command) is passive.
        The group connection between any two controller group members is
        a client-server connection. The group member that initiates the
        connection is the client, and has the passive side of the
        connection. The other member is the server.
    * - Member is the current master for the group.
  Note: Attributes are displayed only when at least two group members
  are connected.
Field: Status
  Description: When the GSLB group is starting up, this column shows the
  protocol status. After the group is established, this column shows the
  group status.
    Protocol status: Idle, Active, OpenSent, OpenConfirm, Established
    Group status of the member: Ready, FullSync / MasterSync, Synced
  Note: If the group status of the member is OK, this AX device (the one on
  which you entered the command) knows of the member, but no connection
  between this AX device and the member is required.


Geo-location-based Access Control


You can control access to a VIP based on the geo-location of the client. You
can configure the AX device to perform one of the following actions for
traffic from a client, depending on the location of the client:
Drop the traffic
Reset the connection
Send the traffic to a specific service group (if configured using a
black/white list)
The AX device determines a client's location by looking up the client's
subnet in the geo-location database used by Global Server Load Balancing
(GSLB).
Note: This feature requires you to load a geo-location database, but does not
require any other configuration of GSLB. The AX system image includes
the Internet Assigned Numbers Authority (IANA) database. By default,
the IANA database is not loaded but you can easily load it, as described in
the configuration procedure later in this section.


Using a Class List


This section shows how to configure geo-location-based VIP access using a
class list.
Note: In the current release, geo-location-based VIP access works only if the
class list is imported as a file. The CLI does not support configuration of
class-list entries for this application.
Example
The following class list maps client geo-locations to limit IDs (LIDs), which
specify the maximum number of concurrent connections allowed for clients
in the geo-locations.

L US 1
L US.CA 2
L US.CA.SJ 3

The following commands import the class list onto the AX device, configure
a policy template, and bind the template to a virtual port. The connection
limits specified in the policy template apply to clients who send
requests to the virtual port.
This example assumes the default geo-location database (iana) is already
loaded.
AX(config)#import class-list c-share tftp:
Address or name of remote host []?192.168.32.162
File name [/]?c-share
Importing ... Done.
AX(config)#slb template policy pclass
AX(config-policy)#class-list name c-share
AX(config-policy)#class-list lid 1
AX(config-policy-policy lid)#conn-limit 4
AX(config-policy-policy lid)#exit
AX(config-policy)#class-list lid 2
AX(config-policy-policy lid)#conn-limit 2
AX(config-policy-policy lid)#exit
AX(config-policy)#class-list lid 3
AX(config-policy-policy lid)#conn-limit 1
AX(config-policy-policy lid)#exit
AX(config-policy)#geo-location overlap
AX(config-policy)#exit
AX(config)#slb virtual-server vip1 10.1.1.155
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#template policy pclass
AX(config-slb vserver-vport)#exit


The following command verifies operation of the policy:
AX(config-policy)#show slb geo-location statistics
M = Matched or Level, ID = Group ID
Conn = Connection number, Last = Last Matched IP
v = Exact Match, x = Fail
Virtual Server: vip1/80, c-share
--------------------------------------------------------------------------------
Max Depth: 3
Success: 3
Geo-location        M  ID  Permit  Deny  Conn  Last
--------------------------------------------------------------------------------
US.CA.SJ            v  3   1       1     1     77.1.1.107
--------------------------------------------------------------------------------
Total: 1

Using a Black/White List


To configure geo-location-based access control for a VIP:
1. Configure a black/white list. You can configure the list using a text editor on a PC or enter it directly into the GUI. If you configure the list
using a text editor, import the list onto the AX device.
2. Configure an SLB policy (PBSLB) template. In the template, specify the
black/white list name, and the actions to perform for the group IDs in
the list.
3. Load a geo-location database, if one is not already loaded.
4. Apply the policy template to the virtual port for which you want to control access.

Configuring the Black/White List


You can configure black/white lists in either of the following ways:
Remote option - Use a text editor on a PC, then import the list onto the
AX device.
Local option - Enter the black/white list directly into a management
GUI window.
With either method, the syntax is the same. The black/white list must be a
text file that contains entries (rows) in the following format:
L "geo-location" group-id #conn-limit
The L indicates that the client's location will be determined using
information in the geo-location database.
The geo-location is the string in the geo-location database that is mapped to
the client's IP address; for example, US, US.CA, or US.CA.SanJose.
The group-id is a number from 1 to 31 that identifies a group of clients
(geo-locations) in the list. The default group ID is 0, which means no group is
assigned. On the AX device, the group ID specifies the action to perform on
client traffic.
The #conn-limit specifies the maximum number of concurrent connections
allowed from a client. The # is required only if you do not specify a group
ID. The connection limit is optional. For simplicity, the examples in this
section do not specify a connection limit.

Here is a simple example of a black/white list for this feature:
L "US"
L "US.CA"
L "JP"
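A parser for the black/white list row format described above, as an added example (not A10 code). It enforces the rules the text states: the L keyword, a quoted geo-location string, an optional group ID from 1 to 31 (default 0), and an optional connection limit whose # prefix is mandatory only when no group ID is given. Accepting an unquoted location token (as in the class-list example earlier) and the longest-prefix match in most_specific_entry are assumptions, not documented behaviour; the sample list is constructed.

```python
"""Parser for AX black/white list rows of the form
    L "geo-location" group-id #conn-limit
Added example, not A10 code."""
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_GROUP_ID = 31          # group IDs are 1-31; 0 means "no group assigned"

# "L", a quoted location (or, as an assumption, a bare token), then an
# optional group ID, then an optional connection limit with or without '#'.
_ROW = re.compile(
    r'^L\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s"]+))'
    r'(?:\s+(?P<gid>\d+))?'
    r'(?:\s+#?(?P<limit>\d+))?\s*$'
)


class BwListError(ValueError):
    """Raised for a row that violates the documented format."""


@dataclass(frozen=True)
class BwEntry:
    location: str                  # e.g. "US", "US.CA", "US.CA.SanJose"
    group_id: int = 0              # 0 = no group assigned
    conn_limit: Optional[int] = None


def parse_bw_row(row: str, lineno: int = 0) -> BwEntry:
    m = _ROW.match(row.strip())
    if not m:
        raise BwListError(f"line {lineno}: cannot parse {row!r}")
    location = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    if not location:
        raise BwListError(f"line {lineno}: empty geo-location")
    group_id = int(m.group("gid")) if m.group("gid") else 0
    if group_id > MAX_GROUP_ID:
        # A bare number after the location is a group ID; a connection limit
        # given without a group ID must carry the '#' prefix.
        raise BwListError(f"line {lineno}: group ID {group_id} out of range 0-{MAX_GROUP_ID}")
    limit = int(m.group("limit")) if m.group("limit") else None
    return BwEntry(location, group_id, limit)


def parse_bw_list(text: str) -> List[BwEntry]:
    """Parse a whole list file; blank lines are ignored."""
    return [parse_bw_row(line, n)
            for n, line in enumerate(text.splitlines(), 1) if line.strip()]


def most_specific_entry(entries: List[BwEntry], client_location: str) -> Optional[BwEntry]:
    """Assumption: a client at US.CA.SanJose is covered by the US.CA row when
    no US.CA.SanJose row exists (longest matching prefix on dot boundaries)."""
    best = None
    for e in entries:
        if client_location == e.location or client_location.startswith(e.location + "."):
            if best is None or len(e.location) > len(best.location):
                best = e
    return best


# Constructed sample list covering every documented row shape.
SAMPLE_LIST = (
    'L "US"\n'
    'L "US.CA" 1\n'
    'L "JP" 2 #10\n'
    'L "US.CA.SanJose" #5\n'
    '\n'
    'L US.WA 3 7\n'
)

if __name__ == "__main__":
    for entry in parse_bw_list(SAMPLE_LIST):
        print(entry)
```

Validating the list before importing it is worthwhile because a row such as L "US" 100, meant as a connection limit of 100 but missing the #, is syntactically a group ID and would silently fall outside the 1-31 range.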

USING THE GUI


To configure or import a black/white list using the GUI:
1. Select Config Mode > Service > PBSLB.
2. Click New.
To import the list:
Leave Remote selected.
Enter a name for the list in the Name field.
Enter the hostname or IP address in the Host field.
Enter the file path and name in the Location field.
To enter the file directly into the GUI:
Select Local.
Type the list into the Definition field.

3. Click OK.
To configure an SLB policy (PBSLB) template:
1. Select Config Mode > Service > Template.
2. On the menu bar, select Application > PBSLB Policy.
3. Click Add.
4. In the Name field, enter a name for the template.
5. From the drop-down list below the Name field, select the black/white
list.
6. Select a group ID from the Group ID drop-down list.
7. Select one of the following from the Action drop-down list.
Drop - Drops new connections until the number of concurrent
connections on the virtual port falls below the port's connection limit.
(The connection limit is set in the black/white list.)
Reset - Resets new connections until the number of concurrent
connections on the virtual port falls below the connection limit.
service-group-name - Each of the service groups configured on the
AX device is listed.
create - This option displays the configuration sections for creating
a new service group.
8. Optionally, enable logging. (The AX device uses the same log rate
limiting and load balancing features for PBSLB logging as those used for
ACL logging. See the "Log Rate Limiting" section in the "Basic
Setup" chapter of the AX Series System Configuration and Administration Guide.)
9. Click Add.
10. Repeat step 6 through step 9 for each group ID.
11. Click OK.
To load the IANA geo-location database:
1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Geo-location > Import.
3. In the Load/Unload section, enter iana in the File field. Leave the
Template field blank.
4. Click Add.
Note: If preferred, you can import a custom geo-location database instead. For
information, see Loading or Configuring Geo-Location Mappings on
page 49.
To apply the policy template to a virtual port:
1. Select Config Mode > Service > SLB.
2. On the menu bar, select Virtual Server.
3. Select the virtual server or click Add to configure a new one.
4. If you are configuring a new VIP, enter the name and IP address for the
server.
5. In the Port section, select the port and click Edit, or click Add to add a
new port. The Virtual Server Port page appears.
6. Select the policy template from the PBSLB Policy Template drop-down
list.

7. Click OK.
8. Click OK again to finish the changes and redisplay the virtual server list.

USING THE CLI


1. To import a black/white list onto the AX device, use the following command at the global configuration level of the CLI:
bw-list name url [period seconds] [load]
The name can be up to 31 alphanumeric characters long. The url specifies the file transfer protocol, directory path, and filename. The following URL format is supported: tftp://host/file
2. To configure a PBSLB template, use the following commands:
[no] slb template policy template-name
Enter this command at the global configuration level of the CLI. The
command creates the template and changes the CLI to the configuration
for the template, where the following PBSLB-related commands are
available.
[no] bw-list name file-name
This command binds a black/white list to the virtual ports that use this
template.
[no] bw-list id id
service {service-group-name | drop | reset}
[logging [minutes] [fail]]
This command specifies the action to take for clients in the black/white
list:
id - Group ID in the black/white list.
service-group-name - Sends clients to the SLB service group associated
with this group ID on the AX device.
drop - Drops connections for IP addresses that are in the specified
group.
reset - Resets connections for IP addresses that are in the specified
group.
3. To load a geo-location database, use the following command at the
global configuration level of the CLI:
[no] gslb geo-location load
{iana | file-name csv-template-name}

4. To apply the policy template to a virtual port, use the following command at the configuration level for the virtual port:
[no] template policy template-name
Displaying SLB Geo-Location Information
To display SLB geo-location information, use the following command:
show slb geo-location
[
virtual-server-name |
virtual-port-num |
bad-only |
[depth num]
[id num]
[location string]
[statistics]
]
The bad-only option displays only invalid or mismatched geo-location content.
The depth option specifies how many nodes within the geo-location data
tree to display. For example, to display only continent and country entries
and hide individual state and city entries, specify depth 2. By default, the
full tree (all nodes) is displayed.
The id option displays only the geo-locations mapped to the specified black/
white list group ID.
The location option displays information only for the specified geo-location; for example US.CA.
Clearing SLB Geo-Location Statistics
To clear SLB geo-location statistics, use the following command at the Privileged EXEC level of the CLI:
clear slb geo-location
[
virtual-server name [...]
virtual-port-num |
location {all | string}
]

CLI Example
The following command imports black/white list geolist onto the AX
device.
AX(config)#import bw-list geolist scp://192.168.1.2/root/geolist

The following commands configure a policy template named geoloc and
add the black/white list to it. The template is configured to drop traffic from
clients in the geo-location mapped to group 1 in the list.
AX(config)#slb template policy geoloc
AX(config-policy)#bw-list name geolist
AX(config-policy)#bw-list id 1 drop
AX(config-policy)#exit

The following commands apply the policy template to port 80 on virtual
server vip1:
AX(config)#slb virtual-server vip1
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#template policy geoloc
AX(config-slb vserver-vport)#show slb geo-location


Full-Domain Checking
By default, when a client requests a connection, the AX device checks the
connection count only for the specific geo-location level of the client. If the
connection limit for that specific geo-location level has not been reached,
then the client's connection is permitted. Likewise, the permit counter is
incremented only for that specific geo-location level.
Table 5 shows an example set of geo-location connection limits and current
connections.

TABLE 5  Geo-location connection limit example

Geo-location      Connection Limit   Current Connections
US                100                100
US.CA             50                 37
US.CA.SanJose     20                 19

Using the default behavior, the connection request from the client at
US.CA.SanJose is allowed even though US has reached its connection
limit. Likewise, a connection request from a client at US.CA is allowed.
However, a connection request from a client whose location match is simply
US is denied.


After these three clients are permitted or denied, the connection permit and
deny counters are incremented as follows:
US - Deny counter is incremented by 1.
US.CA - Permit counter is incremented by 1.
US.CA.SanJose - Permit counter is incremented by 1.

Full-Domain Checking
When full-domain checking is enabled, the AX device checks the current
connection count not only for the client's specific geo-location, but for all
geo-locations higher up in the domain tree.
Based on full-domain checking, all three connection requests from the
clients in the example above are denied. This is because the US domain has
reached its connection limit. Likewise, the counters for each domain are
updated as follows:
US - Deny counter is incremented by 1.
US.CA - Deny counter is incremented by 1.
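The two evaluation modes applied to Table 5, as an added example (not A10 code) that replays the three client requests and reproduces the permit/deny outcomes and counter changes stated above. Assumptions beyond the text: an admitted connection is counted only at the client's own geo-location level, a denied request increments the deny counter only at that level, and levels with no configured limit are skipped when walking up the tree.

```python
"""Geo-location connection limiting: default (own level only) versus
full-domain checking (geo-location full-domain-tree). Added example,
not A10 code; Table 5 values are taken from the guide."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class GeoCounters:
    limit: int        # connection limit configured for this geo-location
    current: int      # current connections
    permit: int = 0   # permit counter
    deny: int = 0     # deny counter


def domain_chain(location: str) -> List[str]:
    """'US.CA.SanJose' -> ['US', 'US.CA', 'US.CA.SanJose']; root first."""
    parts = location.split(".")
    return [".".join(parts[:i]) for i in range(1, len(parts) + 1)]


class GeoConnLimiter:
    def __init__(self, table: Dict[str, Tuple[int, int]], full_domain_tree: bool = False):
        # table: location -> (connection limit, current connections)
        self.nodes = {loc: GeoCounters(lim, cur) for loc, (lim, cur) in table.items()}
        self.full_domain_tree = full_domain_tree

    def request(self, client_location: str) -> bool:
        """Evaluate one new connection; returns True if it is permitted."""
        if client_location not in self.nodes:
            raise KeyError(f"no limit configured for {client_location}")
        own = self.nodes[client_location]
        if self.full_domain_tree:
            # Check every level from the top of the tree down to the client.
            # Assumption: levels without a configured limit are skipped.
            levels = [lvl for lvl in domain_chain(client_location) if lvl in self.nodes]
        else:
            levels = [client_location]      # default: the client's own level only
        if any(self.nodes[lvl].current >= self.nodes[lvl].limit for lvl in levels):
            own.deny += 1                   # assumption: counted at the client's own level
            return False
        own.permit += 1
        own.current += 1                    # assumption: admitted connection counted at own level
        return True

    def counters(self) -> Dict[str, Tuple[int, int]]:
        """location -> (permit counter, deny counter)."""
        return {loc: (n.permit, n.deny) for loc, n in self.nodes.items()}


# Table 5 from the guide: location -> (limit, current connections)
TABLE_5 = {"US": (100, 100), "US.CA": (50, 37), "US.CA.SanJose": (20, 19)}
CLIENTS = ["US.CA.SanJose", "US.CA", "US"]   # the three clients in the text


def run_table5_example(full_domain_tree: bool):
    """Replay the three client requests against Table 5.
    Returns (decision per client, counters per location)."""
    limiter = GeoConnLimiter(TABLE_5, full_domain_tree)
    decisions = {c: limiter.request(c) for c in CLIENTS}
    return decisions, limiter.counters()


if __name__ == "__main__":
    for mode in (False, True):
        decisions, counters = run_table5_example(mode)
        print("full-domain-tree" if mode else "default", decisions, counters)
```

The difference between the modes is entirely in which levels are checked: with the default a saturated parent such as US is invisible to a request from US.CA.SanJose, while full-domain checking makes the parent limit an upper bound for the whole subtree.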

USING THE GUI


The current release does not support this feature in the GUI.

USING THE CLI


To enable full-domain checking for geo-location-based connection limiting,
use the following command at the configuration level for the PBSLB template:
geo-location full-domain-tree
Note: It is recommended to enable or disable this option before enabling GSLB.
Changing the state of this option while GSLB is running can cause the
related statistics counters to be incorrect.

Enabling PBSLB Statistics Counter Sharing


You can enable sharing of statistics counters for all virtual servers and virtual ports that use a PBSLB template. This option causes the following
counters to be shared by the virtual servers and virtual ports that use the
template:

Permit
Deny
Connection number
Connection limit

USING THE GUI


The current release does not support this feature in the GUI.

USING THE CLI


To enable the share option, use the following command at the configuration
level for the PBSLB policy template:
geo-location share
Note: It is recommended to enable or disable this option before enabling GSLB.
Changing the state of this option while GSLB is running can cause the
related statistics counters to be incorrect.

Cloud-based Computing Solution


GSLB supports the ability to dynamically generate a service-ip, based on
the hostname assigned to an AX device. If you have an FQDN for the SLB
but you are lacking the associated IP address, then the GSLB protocol can
query the DNS server for an A record or CNAME record in order to learn
the IP address for that device. The GSLB AX device, or GSLB controller,
can acquire the IP address of the device and apply it to the service-ip.
This information can then be used to configure the SLB server (with
hostname) as an ip-server or vip-server of a GSLB site. The IP address that
appears in the A record or CNAME record will become the dynamically
assigned service-ip for that SLB.
Benefits
The GSLB Cloud Computing Solution may work well if you are using multiple web-based service providers to provide server load balancing services.
It can allow you to shift from one web-based service provider to another in
order to use the services that cost less or that have better health metrics.
If you are using a cloud-based SLB service provider for web-based services,
then the provider will send a CNAME record to access the cloud servers,
and the cloud servers can be dynamically imported into the AX device via
the CNAME record in order to do GSLB.
Note:

For this release, the feature supports IPv4 resource records and does not
support IPv6 records.

USING THE GUI


This feature is not supported in the GUI for this release.

USING THE CLI


No new CLI commands are required to use this feature. The ability to shift
from one cloud-based SLB provider to another can be enabled by using
existing CLI commands, as shown in the CLI example below.
CLI Example
The example below shows the generation of dynamic service-ip addresses
by hostname via DNS. This can be accomplished using the following CLI
configurations on an AX device:
To configure the cloud-based service provider number 1:
AX(config)#slb server www www.example2.com
To configure the cloud-based service provider number 2:
AX(config)#slb server mail mail.example2.com
To configure the cloud-based service provider number 3:
AX(config)#slb server www1 www1.example2.com


The following commands configure three sites for each web-based service
provider:
AX(config)#gslb site sanjose
AX(config-gslb site)#slb-dev AX5200 192.168.1.2
AX(config-gslb site-slb dev)#ip-server ip-server1
AX(config-gslb site-slb dev)#ip-server ip-server2
AX(config-gslb site-slb dev)#ip-server www
AX(config-gslb site-slb dev)#ip-server mail

DNSSEC Support
This chapter describes the AX device's DNSSEC support.

Overview
An AX device configured as a Global Server Load Balancer (GSLB) controller can act as an authoritative DNS server for a domain zone. As the
authoritative DNS server for the zone, the AX device sends records in
response to requests from DNS clients. The AX device supports the ability
to respond to client requests for the following types of well-known resource
records:
A
AAAA
CNAME
NS
MX
PTR
SRV
TXT

Placing the AX device within the DNS infrastructure exposes it to potential
online attacks. When DNS was originally designed, there were no
mechanisms to ensure the DNS infrastructure would remain secure.
In an unsecured DNS environment, the client's DNS resolver has no way to
assess the validity of the address it receives for a particular domain name, so
the client's DNS resolver cannot tell whether an address received for a
particular domain is from the legitimate owner of that domain.
This potential security hole opens the door for possible forgeries, thus
making DNS vulnerable to so-called man-in-the-middle attacks, DNS cache
poisoning attacks, and other types of online attacks that could be used to
forge DNS data, hijack traffic, and to potentially steal sensitive information
from the user.


To close this security hole, the IETF introduced a set of standards in the
mid-1990s called Domain Name System Security Extensions (DNSSEC).
These additional standards add authentication to DNS and help ensure the
integrity of the data transferred between the client resolvers and DNS servers.
DNSSEC offers authentication through the use of cryptographic keys and
digital signatures, which ensure that entries within DNS tables are correct
and that connections are made to legitimate servers. The AX device's
implementation of DNSSEC is based on RFCs 4033, 4034, and 4035.
Note:

DNSSEC for GSLB is not supported in proxy mode for this release.

DNS without Security


Figure 18 on page 135 provides a visual introduction to basic DNS without
DNSSEC. The figure shows the recursive lookup process that occurs when
a client resolver requests the IP address for a particular URL. Note that this

illustration shows how a client request works in a simple DNS environment
that does not have DNSSEC.
FIGURE 18  DNS Packet Flow without DNSSEC

A client (shown at upper left) requires access to a server in the domain
zone1.example.org (at lower left). The AX device, which is acting as the
GSLB controller, is the authoritative DNS server for the zone. In order to
access this server, the client requires the IP address for this zone, or domain.
The user enters the domain name in the web browser's URL, and from
there, the process of obtaining the IP address associated with this domain
unfolds as follows:
1. The DNS resolver embedded in the client's web browser sends an
address request (A ?) to the Caching DNS server to see if the Caching
DNS server already has the required IP address cached in its memory
for the requested example.org domain.
2. The Caching DNS server has a list of IP address-to-domain mappings,
but the list is not comprehensive, and unfortunately, the Caching DNS
server does not have the required IP address. It acts as a proxy for the
client and makes a recursive query to the Root DNS Server, which is
located at the top of the DNS hierarchy.
3. The Root DNS Server does not have the requested IP address, but in an
attempt to point the Caching DNS server in the right direction, it
responds to the request with a Name Server (NS) record, which contains
the IP of the Top Level Domain (TLD) server for the .org domain.
4. The Caching DNS server now has the IP address for the name server
that manages the .org domain, so it sends an address request (on behalf
of the client) to the TLD DNS server for the .org domain.
5. It turns out that the TLD Server does not have the requested IP address,
but once again, it points the Caching DNS server in the right direction
by providing an NS record containing the IP address for the next name
server within the DNS hierarchy, which is the authoritative DNS server
for the example.org subdomain.
6. Now that it has the IP address needed to reach the authoritative DNS
server for the example.org domain, the Caching DNS server sends a
request for zone1.example.org to this authoritative DNS server.
7. The authoritative DNS server does not have the requested information,
but it can get the Caching DNS server one step closer to its destination
by providing the NS record for the authoritative DNS server for the
zone1.example.org domain.
8. The Caching DNS Server sends a request to the authoritative DNS
server for the zone1.example.org domain.
9. The AX device, which is the authoritative DNS server for zone1.example.org, has the IP address that the client needs. It sends the requested IP
address to the Caching DNS server.
10. The Caching DNS server sends the IP address, provided by the AX
device, to the DNS resolver in the client's browser. The client now has
the IP address needed to reach the server in the zone1 subdomain.


DNSSEC (DNS with Security)


Figure 19 on page 138 illustrates how the DNS query process works when
the security extensions are used with DNS to provide security (DNSSEC).
The process is similar to that depicted in Figure 18 on page 135, but with
the notable exception that DNSSEC uses the following additional resource
record types to provide security:
• DNS Key (DNSKEY): Public key used by an Authoritative DNS server to sign resource records for its zone.
• Delegation Signer (DS): Hash (message digest) of a public key. A DNS server uses the DS for a zone directly beneath it in the DNS hierarchy to verify that signed resource records from the Authoritative DNS server for that zone are legitimate.
• Resource Record Signature (RRSIG): Digitally signs another resource record, such as an A record. The digital signature is created by applying a hash function to the DNS record to reduce its size; an encryption algorithm is then applied to the hash value (using the private key), and this encrypted hash value appears as the digital signature at the bottom of the resource record. The RRSIG record, which contains the private key used to encrypt the hash value, appears at the bottom of the record being signed.

While Figure 18 on page 135 shows how basic DNS works without DNSSEC, Figure 19 on page 138 provides an updated version of this illustration
showing how the DNS lookup process works with DNSSEC.
The recursive lookup process remains largely unchanged, with the higher
level DNS servers pointing to lower level servers within the DNS hierarchy
in order to move the request closer to the authoritative server for the desired
domain.
However, when DNSSEC is added to this scenario, the additional records
(such as DS, RRSIG, and DNSKEY) are used to sign and authenticate the
communications from the DNS servers, thus proving to the client that each
of the name servers in the chain of trust are authoritative for their respective domains. For more details, see Building the Chain of Trust on
page 140.

FIGURE 19 DNS Packet Flow with DNSSEC

Figure 19 shows the resolution process for an address query from the DNS
resolver on a client for the IP address of zone1.example.org.
1. The DNS resolver on the client sends an address query for the IP
address of a host under zone1.example.org.
2. The Caching DNS server, which does not have the address, forwards the
request to the root server.
3. The root server redirects the Caching DNS server to the TLD DNS
server for the .org domain. This is accomplished by sending an NS
record with the IP address of that TLD server. The root server uses an
RRSIG record (used to store the private key) to sign the NS record, and
the root server sends a copy of the DS record to the Caching DNS
server, which points to the TLD server.
4. The Caching DNS server sends the address query to the TLD server for
the .org domain.
5. The TLD server does not have the requested address, so it points the
Caching DNS server to the Authoritative DNS server for example.org. It
sends an NS record with the IP address of the authoritative server for
example.org, and the TLD server signs the NS record with the private
key in the RRSIG record.
6. The Caching DNS server sends the address query to the Authoritative
DNS server for example.org.
7. The Authoritative DNS server for example.org does not have the
requested address, so it responds to the caching server's request by sending the NS record (signed with the RRSIG record). This NS record contains the IP address of the Authoritative DNS server for
zone1.example.org. The server sends the DS record for the zone1.example.org server to the Caching DNS server.
8. The Caching DNS server sends the address query to the Authoritative
DNS server for zone1.example.org, which happens to be the AX device.
9. Finally, the Caching DNS server has reached the Authoritative DNS
server for zone1.example.org. The Authoritative DNS server (which is
the AX device) replies with an SOA record, the requested A record, and
RRSIG records containing the private key, which is used to sign the
SOA and A records.
10. The Caching DNS server asks the AX device for its DNSKEY record,
which is where the public key for the zone is advertised. (This public
key is needed to unlock the resource records and check the hash values
back up the chain.)
11. The AX device sends its DNSKEY record, along with an RRSIG record
that was used to sign the DNSKEY record. (The RRSIG record contains
the private key.)
12. To continue assembling the chain of trust, the Caching DNS server asks
the Authoritative DNS server for example.org for its DNSKEY record.
13. The Authoritative DNS server for example.org sends its DNSKEY
record, along with an RRSIG record (with the private key) that was used
to sign the DNSKEY record.

14. The Caching DNS server then asks the TLD server for .org for its DNSKEY record.
15. The TLD server sends its DNSKEY record, along with an RRSIG
record that was used to sign the DNSKEY record. The Caching DNS
server now has all the private/public key pairs and has therefore validated all of the links in the chain of trust. It can now send the trusted
response to the DNS resolver on the client.

Building the Chain of Trust


Figure 20 illustrates how the Chain of Trust is built within the DNSSEC
infrastructure. A Chain of Trust is built like a series of links, with each node
authenticating the one below.
The presence of a Chain of Trust allows the client's DNS resolver to know
that all DNS servers within the chain have vouched for one another, starting
from the Root DNS Server and continuing down to the lowest-level DNS
server.

FIGURE 20 DNSSEC Chain of Trust

Figure 20 above shows the Authoritative DNS Server for the zone1.example.org domain at the bottom left, and the Root DNS Server is located at the
upper right.
Starting from the lower left, the Authoritative DNS Server for the
zone1.example.org domain has a DNS key record (DNSKEY). This DNSKEY record contains the public Zone Signing Key (ZSK) for zone1. The
ZSK is used to sign other record types, such as A records, for the zone. The
DNSKEY record is signed by another key, the Key Signing Key (KSK),
which also belongs to this zone.

The Start of Authority (SOA) record indicates that this server is the Authoritative DNS Server for zone1. The A record provides the IP address for
zone1.example.org.
The next level up within the DNS hierarchy corresponds to the next "label"
in the example.org domain, and it has a record called the Delegation Signer
(DS). The DS record contains a hash, or message digest, of the public Key
Signing Key (KSK), which belongs to the Authoritative DNS Server for the
node below, zone1.example.org.
The DNS resolver (or the Caching DNS Server) can compare the hash value
for any of the nodes within the Chain of Trust, and the values should match.
If the hash values in a DS record cannot be recreated from the DNSKEY
record, then this indicates the packet containing the key record may have
been tampered with, cannot be trusted, and should be discarded.
However, if the hash value is correct, this indicates that the Chain of Trust is
unbroken and that the DNSKEY record (for the Authoritative DNS Server
associated with the zone1.example.org domain) is properly linked to the DS
record above.
In turn, the DNSKEY record (for the Authoritative DNS Server associated
with the example.org domain) is properly linked to the DS record above.
This process of DNSKEY records being linked with the DS record of the
node above continues all the way to the Root DNS Server.
The client's DNS resolver knows that the Root DNS Server is legitimate
due to the presence of a trust anchor. This trust anchor, which consists of
information for the Root DNS Server, is included in the resolver software
that is installed on the client. This minimizes the chance that a client could
access a corrupt root DNS server.
Due to this anchor, the client knows the Root DNS Server can be trusted, and
it can infer that the other nodes within the Chain of Trust can also be trusted.
Because the hash values match all the way down the line, this is an indication that the Chain of Trust is intact, and that the client's DNS resolver can
trust the Authoritative DNS Server for zone1.example.org, located at the
bottom of the Chain of Trust within the DNS hierarchy.

Performing Key Rollovers


New DNSSEC keys should be generated periodically to replace the old keyset. While it may not be necessary to perform the key rollover process every
time you sign your zone, it is a good idea to change keys on a regular schedule if you suspect your keys may have been compromised.

As a rule of thumb, longer keys are more secure and do not need to be
replaced as often as shorter keys. However, if your zone contains highly
valuable information that could attract unwanted attention from potential
miscreants, then it is recommended that you perform the key rollover process at more frequent intervals.
Key rollovers must be performed manually. The key rollover process differs
slightly for the ZSK and KSK keys. Instructions for performing both types
of key rollovers are provided below.

ZSK Key Rollovers


ZSK rollovers use a pre-publishing scheme. This approach can be helpful
because if the old key expires or is compromised in some way, the new key
has already been distributed throughout the DNS. This makes performing
the rollover relatively easy since you can easily switch to the new key that
has already been distributed while removing the old key from the zone. This
way, the name servers will still be able to find the zone-signing DNSKEY
record by using the new pre-published but inactive ZSK key, thus preventing them from becoming isolated with the old information.[1]
To help illustrate the ZSK rollover process, consider the following example
in which there is a DNSSEC-enabled zone, example.com, which uses the
DNSSEC template temp-test. In this example, the old key, called ZSK-OLD, is replaced with a new key, ZSK-NEW.
The key rollover process unfolds as follows:
1. The new key ZSK-NEW is added to the DNSSEC template temp-test. When the new key is added to the template, the status of the new
key is set with the publish command in order to distribute the new key
across the network of DNS servers.
2. The DNSSEC template has a dnskey-ttl option. Wait for the amount of
time configured for this parameter; the default is 4 hours. Once the time
has elapsed, the old ZSK key expires and is removed from the cache.
3. The status of the old key ZSK-OLD is changed within the DNSSEC
template using the deprecate command. At the same time, the status of
the new key ZSK-NEW is elevated using the active command.
4. It is recommended to wait for the duration specified for the Maximum
Zone TTL for any data in the zone to expire from the caches. This is just
a precaution to ensure that any old data in the zone expires and is
removed.
5. Remove the old key ZSK-OLD from the DNSSEC template using the
no zsk keyname command.

[1] For additional details on pre-publishing, refer to RFC 4641.

KSK Key Rollovers


A double-signature scheme is used for KSK key rollovers. This scheme is
simpler than the ZSK pre-publishing scheme and does not use the publish,
active, and deprecate command options.
The drawback to using the double-signature approach for KSK rollovers is
that the number of signatures is multiplied by a factor of two. This increases
the size of your zone during the key rollover process, which can present
problems for larger zones. However, the benefit of the double-signature
scheme, when compared with the pre-publishing scheme used for ZSK rollovers, is that the double-signature scheme requires only three steps: Initial,
new DNSKEY, and DNSKEY removal.[1]
To help illustrate the KSK rollover process, consider the following example
in which there is a DNSSEC-enabled zone, example.edu, which uses the
DNSSEC template temp-2, and has the KSK key called KSK-OLD. In
this example, the old key is replaced with a new key, KSK-NEW.
The KSK key rollover process unfolds as follows:
1. The new key KSK-NEW is added to the DNSSEC template temp-2
to sign the zone.
2. The DNSSEC template has a dnskey-ttl option. Wait for the amount of
time configured for this parameter; the default is 4 hours. After this time
period has passed, the old KSK key will expire from the cache.
3. Transfer the new KSK key to the parent zone. In this example, the parent zone is .edu. For details on transferring the key to the parent zone,
see Importing and Exporting the Delegation Signature Keyset on
page 145.
4. The parent zone has a TTL value configured for the DS record. Wait for
this amount of time to pass. This will cause the old DS record (which
points to the authoritative DNSKEY record for the example.edu child
zone) to expire from the cache of the parent zone.
5. Remove the old key KSK-OLD from the DNSSEC template temp-2
using the no ksk keyname command. Once the old key is removed, the
new KSK will be used to sign the zone.

[1] For additional details, refer to RFC 4641.

Importing and Exporting the Delegation Signature Keyset


The Delegation Signer (DS) resource record (RR) and the corresponding
DNSKEY RR are stored in different locations. The AX device offers
import and export CLI commands to move these records to the appropriate
nodes within the DNS hierarchy.
Figure 20 on page 141 shows that the DS RR always appears one level
higher within the DNS hierarchy than its DNSKEY record. The DS record
is on the parent side and the DNSKEY record is on the child side. To help
understand this principle, consider the example earlier in this section. The
DS record for the zone example.org is stored in the .org zone. This zone is
the parent zone relative to the example.org zone, which is the child zone.
While the DS record is stored in the parent zone, the DNSKEY record is
stored in the child zone.
To ensure that these records are in the appropriate relative locations, the AX
supports two kinds of keyset formats that can be used to import the DS
record from the child zone to the parent zone:
• DS RR: This is a hashed version of the DNSKEY.
• DNSKEY RR: The AX converts this record using a hash function, in order to create the resulting DS record.


The import dnssec-ds/dnssec-dnskey child-zone-name command imports
the DS keyset of the child zone. Note that the parent zone must be set up
before the record is imported.
The export dnssec-ds/dnssec-dnskey authoritative-zone-name command exports the DS keyset from the child zone to the parent zone.
Note: Communication between the parent and child zones is performed out-of-band.
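The DS-to-DNSKEY link described in Building the Chain of Trust, and the hashing of a DNSKEY into a DS record that the dnssec-dnskey import form performs, are shown by the following Python. It is an added example, not A10 code. Key tags and DS digests follow RFC 4034 (digest type 2, SHA-256 over the owner name in wire form followed by the DNSKEY RDATA); the four zones of Figures 19 and 20, their KSK public-key bytes and the root trust anchor are constructed in memory, and the walk checks only the DS-to-DNSKEY links because RRSIG verification needs real signing keys. One caveat for readers of the overview above: in RFC 4034 the RRSIG record carries the signature value produced with the private key, and the private key itself never leaves the signing server.

```python
import hashlib
import os


def wire_name(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol 3, algorithm number, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B.1 (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata):
    """DS RDATA a parent publishes for a child's KSK: (key tag, algorithm, digest type 2, digest).
    The digest covers owner name (wire form) || DNSKEY RDATA, per RFC 4034 section 5.1.4."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)


def ds_presentation(owner, rdata):
    """DS record in the textual form used in zone files and dsset files."""
    tag, alg, dtype, digest = ds_record(owner, rdata)
    return f"{owner} IN DS {tag} {alg} {dtype} {digest.upper()}"


def ancestors(name):
    """Zones on the path from the root down to `name`: '.', 'org.', 'example.org.', ..."""
    labels = name.lower().rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def build_hierarchy():
    """Constructed zones for the walk in Figures 19 and 20.  Each zone holds its KSK DNSKEY and
    the DS records for its children; the public-key bytes are random placeholders, not RSA keys."""
    names = [".", "org.", "example.org.", "zone1.example.org."]
    zones = {n: {"ksk": dnskey_rdata(257, 8, os.urandom(64)), "ds": {}} for n in names}
    for parent, child in zip(names, names[1:]):
        zones[parent]["ds"][child] = ds_record(child, zones[child]["ksk"])  # the import dnssec-ds step
    trust_anchor = ds_record(".", zones["."]["ksk"])  # what a resolver ships with for the root
    return zones, trust_anchor


def validate_chain(zones, trust_anchor, target):
    """Walk root -> target.  At every zone, the KSK DNSKEY that zone serves must hash to the DS
    the resolver already trusts (the trust anchor for the root, the parent's DS below it).
    Returns (chain_intact, zones_verified_so_far)."""
    path = ancestors(target)
    trusted = trust_anchor
    verified = []
    for parent, child in zip(path, path[1:] + [None]):
        if ds_record(parent, zones[parent]["ksk"]) != trusted:
            return False, verified      # digest mismatch: key record tampered with or replaced
        verified.append(parent)
        if child is not None:
            trusted = zones[parent]["ds"].get(child)
            if trusted is None:
                return False, verified  # no DS for the child: delegation is unsigned
    return True, verified


if __name__ == "__main__":
    zones, anchor = build_hierarchy()
    print(ds_presentation("zone1.example.org.", zones["zone1.example.org."]["ksk"]))
    print(validate_chain(zones, anchor, "zone1.example.org."))
    # Swap zone1's KSK without re-importing its DS into the parent: the chain breaks at zone1.
    zones["zone1.example.org."]["ksk"] = dnskey_rdata(257, 8, os.urandom(64))
    print(validate_chain(zones, anchor, "zone1.example.org."))
```

The second run shows the operational point behind the import/export commands: a child that rolls its KSK without getting the new DS into the parent breaks validation for the whole child zone, while the zones above it still verify.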


DNSSEC Templates
To configure DNSSEC on the AX device, templates are used to define
information required by the security standard. The following information is
required when configuring DNSSEC templates:
• Combinations limit (on signatures)[1]: This parameter specifies the maximum number of combinations per Resource Record Set (RRset), where an RRset is defined as all the records of a particular type for a particular domain, such as all the quad-A (IPv6) records for www.example.com.
A static signature is included in the response to DNS queries. This static
signature is generated in advance of future requests. For example, suppose there are five A type DNS resource records that correspond to a
hypothetical domain name, www.example.net:
1.1.1.1
1.1.1.2
1.1.1.3
1.1.1.4
1.1.1.5
A static signature is generated for all of the possible combinations, such
as [1.1.1.1], [1.1.1.1 1.1.1.2], [1.1.1.1 1.1.1.2 1.1.1.3]... [1.1.1.5]. Setting the combinations-limit parameter places a limit on the number of combinations of resource records that could be returned, preventing an excessive burden on the system memory.
Values for this combination limit range from 1-65535, with a default
value of 31 possible combinations per resource record set.
• DNSKEY Time to Live: The dnskey-ttl parameter is used to set the lifetime for DNSSEC key resource records. The TTL can range from 1-864,000 seconds, with a default of 14,400 seconds (or 4 hours).
• Key Signing Key: The key signing key (KSK) is needed to establish the chain of trust and is the private counterpart to the public zone signing key used to sign authentication keys for the zone. At least one KSK is needed to sign successfully, but no more than two KSKs can be configured. There is no default.
• Return NSEC/NSEC3: This parameter is used to enable or disable the
return of an NSEC or NSEC3 record in response to a client request for
an invalid domain. As originally designed, DNSSEC would expose the
list of device names within a zone, allowing an attacker to gain a list of
network devices that could be used to create a map of the network.
However, when NSEC/NSEC3 is used, the DNS server responds to
invalid client requests by providing an NSEC/NSEC3 record, which
contains an authenticated denial of existence for the invalid domain.
NSEC records include the invalid name in the response to the client. It
was found that this information could be used for zone walking or
zone enumeration using dictionary attacks. To address this vulnerability, NSEC3 was introduced to thwart zone walking by including a
hashed value of the invalid requested name in the response record.

[1] For more details, please refer to RFC 4033, 4034, 4035 and 4641.
By default, the AX device returns an NSEC/NSEC3 record to client
queries for invalid domain names. To disable the return of an NSEC/
NSEC3 record, use the no return-nsec-on-failure command.
• Signature validity period: The signature-validity-period parameter is used to set the period for which a signature will remain valid. The time can range from 5-30 days, and the parameter has a default of 10 days.
• Zone Signing Key: The zone signing key (ZSK) is used to sign the domain name's zone. At least one ZSK is needed to sign successfully, but no more than two ZSKs can be configured. There is no default.
The ZSK allows you to specify one of the following sub-options, which are used during the key rollover process:
  Active: Selecting this option sets the status of the ZSK to active, and only the active ZSK can be used to sign the zone. The active option is enabled by default. Only one active ZSK is allowed per zone.
  Published: This option is used to publish a newer ZSK just before deprecating the older key and activating the newer ZSK. This offers a way to push the newer key into the DNS infrastructure, but without activating it. The published ZSK can become active at the expiration of the DNSKEY TTL period.
  Deprecated: This option is used to deprecate an older ZSK prior to activating a new ZSK. This must be done before the new key can become active.
FIGURE 21 Life cycle of a ZSK
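To make the Return NSEC/NSEC3 option concrete, the following Python is an added example (not A10 code) that builds both denial-of-existence chains for a small constructed zone and shows what a negative answer discloses in each case. The NSEC chain links the real owner names in RFC 4034 canonical order, so the record returned for a non-existent name names the two existing names around it; the NSEC3 chain links hashed owner names computed as RFC 5155 specifies (SHA-1 over the wire-form name and salt, iterated, base32hex), so the same answer exposes only hashes. The zone names, salt and iteration count are constructed.

```python
import base64
import hashlib

# base32 with the "extended hex" alphabet (RFC 4648 section 7), which NSEC3 uses because
# its alphabet sorts in the same order as the underlying hash bytes
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Constructed zone contents (owner names only; record data is irrelevant to the chains).
ZONE = ["example.org", "www.example.org", "mail.example.org", "vpn.example.org", "db.example.org"]


def canonical_key(name):
    """Sort key for RFC 4034 canonical ordering: labels compared right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def wire_name(name):
    """Lower-case wire form of an owner name (length-prefixed labels, root label last)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5 hashed owner name: SHA-1 over name||salt, re-hashed `iterations` times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def build_chain(names, hashed=False, salt=b"", iterations=0):
    """Denial-of-existence chain as (owner, next) pairs.  NSEC links the real owner names in
    canonical order; NSEC3 links their hashes, which sort as plain strings."""
    if hashed:
        owners = sorted(nsec3_hash(n, salt, iterations) for n in names)
    else:
        owners = sorted(names, key=canonical_key)
    return [(owners[i], owners[(i + 1) % len(owners)]) for i in range(len(owners))]


def covering_record(chain, qname, hashed=False, salt=b"", iterations=0):
    """Record whose (owner, next) interval covers `qname`: that is the authenticated denial a
    resolver receives for a name that does not exist.  Returns None if `qname` is an owner."""
    target = nsec3_hash(qname, salt, iterations) if hashed else qname
    key = (lambda s: s) if hashed else canonical_key
    for owner, nxt in chain:
        if key(owner) < key(target) < key(nxt):
            return (owner, nxt)
        if key(owner) > key(nxt) and (key(target) > key(owner) or key(target) < key(nxt)):
            return (owner, nxt)   # last record of the chain wraps around to the apex
    return None


def disclosed_names(chain):
    """What a client learns from the owner/next fields alone."""
    return sorted({n for pair in chain for n in pair})


if __name__ == "__main__":
    salt, iters = bytes.fromhex("aabbccdd"), 10        # constructed NSEC3PARAM values
    nsec, nsec3 = build_chain(ZONE), build_chain(ZONE, True, salt, iters)
    print("NSEC denial for ftp.example.org :", covering_record(nsec, "ftp.example.org"))
    print("NSEC3 denial for ftp.example.org:", covering_record(nsec3, "ftp.example.org", True, salt, iters))
    print("names readable from the NSEC chain :", disclosed_names(nsec))
    print("names readable from the NSEC3 chain:", disclosed_names(nsec3))
```

Running it shows the NSEC chain yielding every owner name in the zone from its next-name pointers, while the NSEC3 chain yields only 32-character hashes; this is the difference the NSEC3RSASHA1 algorithm choice described under Generate the DNSSEC Key makes for a zone whose names should not be enumerable.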


Configuration
To configure DNSSEC for GSLB:
1. Generate the DNS keys (or import them) to the AX device.
2. Configure the DNSSEC template.
3. Verify the DNSSEC template.
4. Apply the DNSSEC template to GSLB policy.

USING THE GUI


The current release does not support configuration of this feature using the
GUI.

USING THE CLI


Configure the DNSSEC template
Note: You must generate the keys before using them in a DNSSEC template.
To configure the DNSSEC template, use the following command at the
GSLB config level:
dnssec template name
Please refer to DNSSEC Templates on page 146 for details on configuring DNSSEC template sub-options.
Verify DNSSEC template using show command
After configuring a DNSSEC template, use the following command at the
GSLB config level to display information for the configured template:
show dnssec template name
Apply the DNSSEC template to GSLB policy
To apply the DNSSEC template and provide DNSSEC support for GSLB,
and to enable DNSSEC within the zone policy, use the following command
at the GSLB policy level:
dns server authoritative sec

Specify the DNSSEC template
To specify the DNSSEC template, use the following command at the GSLB
zone config level. If no template is specified, then the default template will
be used.
template dnssec template-name
Import the DS Keyset from a Child Zone
To import the DS keyset from the child zone to the parent zone, use the following command at the config level:
import dnssec-ds child-zone-name
Export the DS Keyset from a Child Zone
To export the DNSKEY keyset from the child zone to the parent zone, use
the following command at the config level:
export dnssec-dnskey authoritative-zone-name
Note: When using the CLI commands to import/export a DS/DNSKEY record to/from a parent/child zone, it is not necessary to list the AX device's internal file name for the resource record. Instead, you can simply include the name of the DNS zone from which you will be importing or exporting the file.
Generate the DNSSEC Key
To generate the DNSSEC keyset, use the following command at the config
level:
dnssec key-generate name algorithm [RSASHA1 | RSASHA256 | RSASHA512 | NSEC3RSASHA1] keysize num
Algorithm: Specify which RSA SHA algorithm is used to generate the DNSSEC key pair (ZSK and KSK). You can specify any of the following algorithms:
• RSASHA1 (default)
• RSASHA256
• RSASHA512
• NSEC3RSASHA1
Selecting one of the first three algorithms (RSASHA1, RSASHA256, or
RSASHA512) will cause the standard NSEC resource record to be generated for the zone. However, selecting the fourth algorithm option
(NSEC3RSASHA1) causes the NSEC3/NSEC3PARAM record to be
generated for the zone, which is helpful in mitigating the threat posed by
zone walking.

Note: Different zones can use different DNSSEC templates and thus have different algorithms.
Keysize: Specify the number of bits in the DNSSEC key, which can range from 512-4096 bits. Values must be specified in multiples of 64 bits, and the default value is 1024 bits.
Deleting the DNSSEC Key
To remove a DNSSEC key from the AX device, use the following CLI command at the config level:
no dnssec key-generate name
Exporting the DNSSEC Key
To export the DNSSEC key from the AX device, use the following CLI
command at the config level:
export dnssec-key filename
Importing the DNSSEC Key
To import the DNSSEC key to the AX device, use the following CLI command at the config level:
import dnssec-key filename
Note: The imported dnssec-key file is a compressed file with the .tar suffix. This tar file includes both the private and public keys, with the respective suffixes of .private and .key. When an example tar file with the name key01 is uncompressed, it includes the public key ("key01.key") and the private key ("key01.private").
Zone Signing Commands
After the zone or DNSSEC template configuration is changed, the zone
signing will automatically begin 30 seconds later. However, you can use the
following command at the global config level to immediately trigger zone signing:
dnssec sign-zone-now name
Specify the name for the DNS zone. Note that if a name is not specified,
then all zones will be checked for configuration changes and signed (if any
changes are found).
Details:
• DNSSEC Signature timeout: All zones will be checked every two days to guarantee that the dnssec-enabled zones have valid signatures. If the signature has timed out, then this will cause the zone to be re-signed.

• Import the DNSSEC DS RR for the child zone: Every time the DS record of the child zone is imported, the parent of that child zone will be re-signed.

Configuration Examples
The following sections show DNSSEC configuration examples.

CLI Example #1
The following commands enable the DNSSEC option for GSLB, so that the
AX device can handle DNSSEC queries while in DNS server mode.
AX(config)#gslb policy default
AX(config-gslb policy)#dns server authoritative sec
AX(config-gslb policy)#exit

Note: DNSSEC for GSLB is not supported in proxy mode for this release.

Note: The AX device supports the following standard DNS records: SOA, A, AAAA, ANY, CNAME, MX, NS, PTR and SRV. The AX device supports the following DNSSEC records: DNSKEY, NSEC, NSEC3, DS and RRSIG.

CLI Example #2
When configuring GSLB on the AX device, the default DNSSEC template
is used for each zone unless you specify another template. The commands
below generate an encryption key called keygen1, using the
NSEC3RSASHA1 encryption algorithm. Then, commands are used to create the DNSSEC template called dnssec1, which has a combinations-limit
of 10 and uses the key just created. The template is applied to a zone called
example.com:
AX(config)#dnssec key-generate keygen1 algorithm NSEC3RSASHA1 keysize 1024
AX(config)#dnssec template dnssec1
AX(config-dnssec)#combinations-limit 10
AX(config-dnssec)#ksk keygen1
AX(config-dnssec)#exit
AX(config)#gslb zone example.com
AX(config-gslb zone)#template dnssec dnssec1
AX(config-gslb zone)#exit


CLI Example #3
The following command is used to display information for the DNSSEC
template created above:
AX(config)#show dnssec template dnssec1
dnssec template dnssec1
ksk keygen1
combinations-limit 10

CLI Example #4
The following command imports the DS record from the delegated child
zone (zone1.example.org) to the parent zone (example.org), for which
the AX device is the authoritative DNS server:
AX(config)#import dnssec-ds zone1.example.org scp://root@10.10.10.13/root/dsset-zone1.example.org
Password []?******
Importing ...
...0 minutes 3 seconds
Done.


CLI Command Reference


This chapter lists the CLI commands for Global Server Load Balancing
(GSLB). The commands are organized into the following sections:
Main Configuration Commands on page 153
Policy Configuration Commands on page 188
Show Commands on page 222
Clear Command on page 254

Main Configuration Commands


The commands in this section configure GSLB parameters. In some cases,
the commands create a GSLB configuration item and change the CLI to the
configuration level for that item.

gslb active-rdt
Description: Configure global aRDT settings.
Syntax:
[no] gslb active-rdt
{
domain domain-name |
interval seconds |
port portnum |
retry num |
sleep seconds |
timeout ms |
track seconds
}
Parameters:
domain domain-name: Specifies the query domain. To measure the active Round Delay Time (aRDT) for a client, the site AX device sends queries for the domain name to a client's local DNS. An aRDT sample consists of the time between when the site AX device sends a query and when it receives the response. Only one aRDT domain can be configured. It is recommended to use a domain name that is likely to be in the cache of each client's local DNS. The AX device averages multiple aRDT samples together to calculate the aRDT measurement for a client. (See the description of track below.)
interval seconds: Specifies the number of seconds between queries. You can specify 1-16383 seconds.
port portnum: Specifies the port. You can specify ports 1-65535. (For more information, please contact A10 Networks.)
retry num: Specifies the number of times GSLB will resend a query if there is no response. You can specify 0-16.
sleep seconds: Specifies the number of seconds GSLB stops tracking aRDT data for a client after a query fails. You can specify 1-300 seconds.
timeout ms: Specifies the number of milliseconds GSLB will wait for a reply before resending a query. You can specify 1-16383 ms.
track seconds: Specifies the number of seconds during which the AX device collects samples for a client. The samples collected during the track time are averaged together, and the averaged value is used as the aRDT measurement for the client. You can specify 3-16383 seconds. The averaged aRDT measurement is used until it ages out. The aging time for averaged aRDT measurements is 10 minutes by default and is configurable on individual sites, using the active-rdt aging-time command.

Default: This command has the following default settings:
domain google.com
interval 1 second
port Please contact A10 Networks for information.
retry 3
sleep 3 seconds
timeout 3000 ms
track 60 seconds

Mode: Global configuration mode

gslb dns action
Description: Globally drop or reject DNS queries from the local DNS server.
Syntax: [no] gslb dns action {drop | reject}
Parameters:
drop: Drops DNS queries that do not match any zone service.
reject: Rejects DNS queries that do not match any zone service, and returns the Refused message in replies.
Default: Not set
Mode: Global configuration mode

gslb dns logging

Description

Globally set DNS logging parameters. When this option is enabled, the GSLB DNS log messages appear in the AX log.

Syntax

[no] gslb dns logging {both | query | response | none}

Parameter

both
    Specifies that both query and response messages are logged.

query
    Specifies that query messages are logged.

response
    Specifies that response messages are logged.

none
    Logs nothing.

Default

Disabled

Mode

Global configuration mode

gslb geo-location

Description

Configure a global geographic location by assigning a location name to a client IP address range. GSLB forwards client requests from addresses within the specified IP address range to the GSLB site that serves the location.

Syntax

[no] gslb geo-location location-name [start-ip-addr {mask ip-mask | end-ip-addr}]
no gslb geo-location all

Parameter

location-name
    Name of the location. Use a period between each string label (range). Each range can contain up to 15 alphanumeric characters. The entire name can contain up to 127 alphanumeric characters. Example: Asia.japan.123456789.xyz
    The AX device can perform a partial match for a geo-location. For example, if IP 1.1.1.1 belongs to Asia.japan, but only Asia is configured, the AX device still knows which site to select.

start-ip-addr
    Beginning IP address for the range.

mask ip-mask
    Network mask.

end-ip-addr
    Ending IP address for the range.

all
    Removes all manually configured geo-locations from the configuration. The all option is valid only with the no form of the command shown above.

If you enter the gslb geo-location location-name command without any additional options, the CLI changes to the configuration level for the geo-location, where you can assign multiple IP address ranges to it. Use the following command for each range:
[no] ip start-ip-addr {mask ip-mask | end-ip-addr}

Default

N/A

Mode

Global configuration mode

Usage

Geographic location also can be configured in a GSLB policy. In this case, the policy specifies whether to use the globally configured geographic location or the location configured in the policy. (See geo-location on page 209 and geo-location match-first on page 209.)
You can use manually configured geo-location mappings or load a database of mappings. To load a geo-location database, see gslb geo-location load on page 158.
If you manually map a geo-location to a GSLB site, GSLB uses the mapping.
If no geo-location is configured for a GSLB site, GSLB automatically maps the service-ip to a geo-location in the loaded geo-location database.
If a service-ip cannot be mapped to a geo-location, GSLB maps the site AX device to a geo-location.

Example

The following example configures geographic location US.CA.SanJose for IP address range 100.1.1.1 through 100.1.1.125:

AX(config)#gslb geo-location US.CA.SanJose 100.1.1.1 100.1.1.125

gslb geo-location delete

Description

Delete or replace a custom geo-location database from the AX device.

Syntax

gslb geo-location delete {all | file-name}

Parameter

all
    Deletes all manually configured geo-locations from the configuration.

Default

N/A

Usage

This command is available only if you have already imported a geo-location database file. This command can replace a loaded geo-location database file but does not unload one without replacing it. To unload a geo-location database file without replacing it, see gslb geo-location load on page 158.

Mode

Global configuration mode

gslb geo-location load

Description

Load a geo-location database into GSLB. Loading a pre-configured geo-location database provides a convenient alternative to manually configuring each geo-location separately.

Syntax

[no] gslb geo-location load {iana | file-name csv-template-name}
no gslb geo-location load all

Parameter

iana
    Loads the Internet Assigned Numbers Authority (IANA) database. The IANA database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. The IANA database is included in the AX system software. However, it is unloaded (not used) by default.

file-name csv-template-name
    Loads a custom database. You can load a custom geo-location database from a file in comma-separated-values (CSV) format. This option requires configuration of a CSV template on the AX device. When you load the CSV file, the data is formatted based on the template. (To configure a CSV template, see gslb template csv on page 175.)
    Note: The file-name option is available only if you have already imported a geo-location database file. To display a list of filenames, enter the following:
    gslb geo-location load ?

all
    Unloads all geo-location database files, including the default database (IANA). The all option is valid only with the no form of the command shown above.

Default

The IANA geo-location database is loaded by default.

Mode

Global configuration mode

Usage

You can load more than one geo-location database. When you load a new database, if the same IP address or IP address range already exists in a previously loaded database, the address or range is overwritten by the new database.

Example

The following command loads the IANA database:

AX(config)#gslb geo-location load iana

Example

The following command loads geo-location data from a CSV file:

AX(config)#gslb geo-location load test1.csv test1-tmplte

gslb group

Description

Configure GSLB group settings. GSLB controllers within a GSLB group automatically synchronize GSLB configuration information and data.

Syntax

[no] gslb group default

The command changes the CLI to the configuration level for the group, where the following group-related commands are available:
(The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.)

Command

[no] config-anywhere
    Allows GSLB to be configured on any group member, without restricting the changes to the master controller.

[no] config-merge
    If this option is used and the current GSLB controller has the highest priority of all group members, then this current controller will attempt to retrieve the config file from the master GSLB controller before assuming control.

[no] config-save
    Enables automatic configuration save on this GSLB group member when the configuration is saved on the group master.

[no] dns-discover
    Discovers members via the DNS protocol. When this option is used, you do not need to configure a primary IP address, because GSLB will send a DNS query (based on the group name) to discover other group members.
    For example, if the group name is group.a10.com, then GSLB will send the DNS discover query with domain name group.a10.com.

[no] enable
    Activates the AX device's membership in the GSLB controller group.

[no] inherit
    Inherit main GSLB configuration.

[no] learn
    Enables the AX device to learn the IP addresses of other group members from the group's primary controllers.

[no] primary ipaddr
    Specifies the IP address of another group member, to be a primary member. After the GSLB process starts on an AX device, the device joins the controller group by connecting to the primary group members to exchange group management traffic.
    You can specify up to 15 primary members. Enter the command separately for each member.

[no] priority num
    Specifies the priority of the AX device to become the master for the group. You can specify 1-255.

[no] standalone
    Run GSLB Group in standalone mode.

[no] suffix name
    This option allows you to configure the DNS suffix that will be used for dns-discovery. You can specify the suffix (or name) that GSLB will append to the domain name when sending the dns-discover query. For example, if the group name is group and the suffix is a10.com, then the concatenated strings are sent in the DNS discovery query as group.a10.com.

Default

The group parameters have the following default values:

config-anywhere disabled
config-merge disabled
config-save disabled
dns-discover disabled
enable disabled
inherit disabled
learn enabled
primary not set
priority 100
standalone disabled
suffix not set

Mode

Global configuration mode

gslb ip-list

Description

Configure a list of IP addresses and group IDs to use as input to other GSLB commands.

Syntax

[no] gslb ip-list list-name
no gslb ip-list all

The command changes the CLI to the configuration level for the list, where the following IP-list-related commands are available:
(The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.)

Command

[no] ip ipaddr [subnet-mask | /mask-length] id group-id
    Creates an IP entry in the list. Based on the subnet mask or mask length, the entry can be a host address or a subnet address. The id option adds the entry to a group. The group-id can be 0-31.

no ip all
    Removes all manually configured IP addresses from the IP list.

[no] load bwlist-name
    Loads the entries from a black/white list into the IP list. For information on configuring a black/white list, see the Policy-Based SLB (PBSLB) section in the Traffic Security Features chapter of the AX Series System Configuration and Administration Guide.

all
    Removes all GSLB IP lists from the configuration. The all option is valid only with the no form of the command shown above.

Default

None

Mode

Global configuration mode

Usage

You can configure an IP list in either of the following ways:
Use a text editor on a PC or use the AX GUI to configure a black/white list, then load the entries from the black/white list into an IP list.
Use this command to configure individual IP list entries.

Example

The following commands configure a GSLB IP list and use the list to exclude IP addresses from aRDT data collection:

AX(config)#gslb ip-list iplist1
AX(config-gslb ip-list)#ip 192.168.1.0 /24 id 3
AX(config-gslb ip-list)#ip 10.10.10.10 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.20 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.30 /32 id 3
AX(config-gslb ip-list)#exit
AX(config)#gslb policy pol1
AX(config-gslb policy)#ip-list iplist1
AX(config-gslb policy)#active-rdt ignore-id 3

gslb ping

Description

Test GSLB connectivity from the GSLB AX device to a site AX device.

Syntax

ping {site-name | ipaddr}

Parameter

site-name
    GSLB site name of the site AX device.

ipaddr
    The IP address of the site AX device.

Mode

Global configuration mode

gslb policy
Description

Configure a GSLB policy.

Syntax

[no] gslb policy {default | policy-name}
no gslb policy all

Parameter

default
    The default GSLB policy included in the software.

policy-name
    Name of the policy, up to 63 alphanumeric characters.

all
    Removes all GSLB policies from the configuration. The all option is valid only with the no form of the command shown above.

This command changes the CLI to the configuration level for the specified GSLB policy. For information about the commands available at the GSLB policy level, see Policy Configuration Commands on page 188.

Default

N/A

Mode

Global configuration mode

Example

The following example creates a GSLB policy called gslb-policy2:

AX(config)#gslb policy gslb-policy2
AX(config gslb-policy)#

gslb protocol

Description

Enable the GSLB protocol or set protocol options.

Syntax

[no] gslb protocol
{
enable {controller | device} |
status-interval seconds |
use-mgmt-port
}

Note: For the limit options, see gslb protocol limit on page 165.

Parameter

enable {controller | device}
    Enables the GSLB protocol:
    controller - Use this option on the AX device on which GSLB is configured.
    device - Use this option on the AX devices that are SLB devices at the GSLB sites.

status-interval seconds
    Changes the number of seconds between GSLB status messages. You can specify 1-300 seconds.

use-mgmt-port
    Use the management route table instead of the data route table.

Default

The GSLB protocol options have the following defaults:

enable Disabled.
status-interval 30 seconds
use-mgmt-port disabled

Mode

Global configuration mode

Usage

The A10 Networks GSLB protocol uses port 4149. The protocol is registered on this port for both TCP and UDP.
AX devices use the GSLB protocol for GSLB management traffic. The protocol must be enabled on the GSLB controller, and it is recommended (but not required) that you enable the protocol on the site AX devices.
The following GSLB policy metrics require the protocol to be enabled on both the site AX devices as well as the GSLB controller:
Session-Capacity
aRDT
Connection-Load
Num-Session

The GSLB protocol is also required for the Health-Check metric, if the default health checks are used. If you modify the health checks, the GSLB protocol is not required.

Example

The following command enables the GSLB protocol on a GSLB AX Series device:

AX(config)#gslb protocol enable controller

Example

The following command enables the GSLB protocol on a site AX Series device:

AX(config)#gslb protocol enable device

gslb protocol limit

Description

Change aRDT message limits.

Syntax

[no] gslb protocol limit
{
ardt-query num-msgs |
ardt-response num-msgs |
ardt-session num-sessions |
conn-response num-msgs |
response num-msgs |
message num-msgs
}

Parameter

ardt-query
    Limits the number of aRDT Query messages.

ardt-response
    Limits the number of aRDT Response messages.

ardt-session
    Limits the number of aRDT sessions.

conn-response
    Limits the number of Connection Load Response messages.

response
    Limits the number of Response messages.

message
    Limits the number of messages.

Default

The GSLB protocol limit options have the following defaults:

ardt-query 200 messages
ardt-response 1000 response messages
ardt-session 32768 sessions
conn-response no limit
response 3600 messages
message 10000 messages

Mode

Global configuration mode

gslb service-ip

Description

Configure a service IP, which can be a virtual server's or real server's IP address.

Syntax

[no] gslb service-ip service-name [ipaddr]
no gslb service-ip all

Parameter

service-name
    Name of the service, up to 63 alphanumeric characters.

ipaddr
    IP address of the virtual server or real server. You can specify an IPv4 or IPv6 address.
    (If you are changing the configuration of a GSLB service that is already configured, this parameter is not required.)

all
    Removes all GSLB service IPs from the configuration. The all option is valid only with the no form of the command shown above.

This command changes the CLI to the configuration level for the specified service, where the following GSLB-related commands are available:

Command

disable
    Disables GSLB for the service IP address.

enable
    Enables GSLB for the service IP address.

[no] external-ip ipaddr
    Assigns an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network.

[no] health-check [option]
    Configures monitoring of the service IP address. If you enter the command without any options, the default Layer 3 health monitor (ICMP ping) is used.
    monitor-name - The service is checked using the specified Layer 3, 4 or 7 health monitor.
    follow-port portnum - The health of the service port is based on the health of another port. Specify the other port number.
    protocol - Enables or disables use of the GSLB protocol for health checking of the service. By default, the protocol option is enabled. If the GSLB protocol is enabled and can reach the service, health checking is performed over the GSLB protocol. Otherwise, health checking is performed using standard network traffic instead.

[no] ipv6 ipv6-addr
    Maps the specified IPv6 address to an IPv4 service IP. This option also requires IPv6 DNS AAAA support to be enabled in the GSLB policy. (See the ipv6-mapping option in dns on page 197.)

[no] port num {tcp | udp}
    Adds a service port to the service IP address. The command also changes the CLI to the configuration level for the specified service port, where the following service port-related commands are available:
    disable - Disables GSLB for the service port on this service IP address.
    enable - Enables GSLB for the service port on this service IP address.
    [no] health-check [monitor-name] - Enables or disables health monitoring for the service port. If you do not specify a health monitor, the default health monitor is used. (See Usage below.)

Default

No services are configured by default. When you configure a service, the service is enabled by default, and the default port is 80. The default health monitor for a service is the default Layer 3 health monitor (ICMP ping). The default health monitor for a service port is the default TCP or UDP monitor, depending on the transport protocol. (For more on health checking, see Usage below.)

Mode

Global configuration mode

Usage

If you leave the health monitor for a service at its default setting (the default ICMP ping health check), the health checks are performed within the GSLB protocol.
If you use a custom health monitor, or you explicitly apply the default Layer 3 health monitor to the service, the GSLB protocol is not used for any of the health checks.
If you use a custom health monitor for a service port, the port number specified in the service configuration is used instead of the port number specified in the health monitor configuration.
The following policy metric options are not supported for IPv6 service IPs:
active-rdt
ip-list
dns external-ip
dns ipv6 mapping
geo-location

Example

The following example creates a GSLB service IP address named gslb-srvc2 with IP address 192.160.20.99:

AX(config)#gslb service-ip gslb-srvc2 192.168.20.99
AX(config-gslb service-ip)#

gslb site

Description

Configure a GSLB site.

Syntax

[no] gslb site site-name
no gslb site all

Parameter

site-name
    Name for the site, up to 63 alphanumeric characters.

all
    Removes all GSLB sites from the configuration. The all option is valid only with the no form of the command shown above.

This command changes the CLI to the configuration level for the specified site, where the following site-related commands are available:

Command

[no] active-rdt option
    Configures options for the aRDT metric:
    aging-time minutes - Specifies the maximum amount of time a stored aRDT result can be used. You can specify 1-15360 minutes. The default is 10 minutes.
    bind-geoloc - Stores the aRDT measurements on a per geo-location basis. Without this option, the measurements are stored on a per site SLB device basis.
    ignore-count num - Specifies the ignore count if aRDT is out of range. You can specify 1-15. The default is 5.
    limit num - Specifies the maximum aRDT allowed for the site. If the aRDT measurement for a site exceeds the configured limit, GSLB does not eliminate the site. Instead, GSLB moves to the next metric in the policy. You can specify 0-16383 milliseconds (ms). The default is 16383.
    mask {/mask-length | mask-ipaddr} - Specifies the IPv4 client subnet mask length. The default mask length is 32.
    range-factor num - Specifies the maximum percentage a new aRDT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again.
    For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement cannot be used.
    You can specify 1-1000. The default is 25.
    smooth-factor num - Blends the new measurement with the previous one, to smooth the measurements.
    For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new measurement is used, along with 50% of the previous measurement.
    You can specify 1-100. The default is 10.
    (For information about the aRDT metric, see active-rdt on page 188.)

[no] auto-map
    Enables the auto-mapping feature at the site level.

[no] bw-cost options
    Configures options for the BW-Cost metric:
    limit num - Specifies the maximum amount the SNMP object queried by the GSLB AX device can increase since the previous query, in order for the site to remain eligible for selection. You can specify 0-2147483647. There is no default.
    If a site becomes ineligible due to being over the limit, the percentage parameter is used. In order to become eligible for selection again, the site's limit value must not exceed limit*threshold-percentage.
    threshold percentage - For a site to regain eligibility when BW-Cost is being compared, the SNMP object's value must be below the threshold-percentage of the limit value. You can specify 0-100. There is no default.
    For example, if the limit value is 80,000 and the threshold is 90 percent, then the limit value must be 72,000 or less, in order for the site to become eligible again. Once a site again becomes eligible, the SNMP object's value is again allowed to increase up to the bandwidth limit (80,000 in this example).
    (For information about the BW-Cost metric, see bw-cost on page 193.)

[no] disable
    Disables all servers in the GSLB site.

[no] geo-location location-name
    Associates this site with a specific geographic location. (To configure a location, use the gslb geo-location command.)

[no] ip-server service-ip
    Associates a real server with this site.
    Note: Generally, virtual servers rather than real servers are associated with a site. To associate a virtual server with a site, use the vip-server option of the slb-dev command.

no ip-server all
    Removes all real servers from the site.

[no] slb-dev device-name ip-addr
    Specifies the device that provides SLB for the site. The IP address must be reachable by the GSLB AX Series when the GSLB protocol is enabled.
    This command changes the CLI to the configuration level for the SLB device. At this CLI level, the following optional GSLB-related commands are available:
    [no] admin-preference num - Assigns a preference value to the SLB device. If the Admin-Preference metric is enabled in the policy and all metrics before this one result in a tie, the SLB device with the highest Admin-Preference value is preferred. You can specify from 0-255. The default is 100.
    [no] auto-detect [ip | port] - Enables DNS auto mapping at the service IP level or the port level.
    [no] auto-map - Enables auto mapping for this site.
    [no] gateway ipaddr - Specifies the gateway the SLB device will use to reach the GSLB local DNS for collecting aRDT measurements.
    [no] gateway health-check - Enables gateway health checking. A gateway health check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. This option is enabled by default.
    [no] max-client num - Specifies the maximum number of clients for which the GSLB AX device (controller) saves data such as aRDT measurements for each of the clients. You can specify 1-2147483647. The default is 32768.
    [no] proto-aging-fast - This option enables a quick refresh of data sent from a site AX device to the AX controller by aging out data from a site AX device. This can be useful to obtain fresh health status information from a site AX. For example, if a virtual server has been deleted from a site AX device, but this information could not be sent to the AX controller, then the status in the controller will continue to appear as "UP" for a long time until it is aged out. The "proto-aging-fast" command forces the GSLB controller to start aging the health status immediately after receiving updated information from a site AX.
    [no] proto-aging-time seconds - If communication between a site AX device and the GSLB controller is interrupted, then the data for that site will become stale. The GSLB controller can continue to rely upon this old information, but after some time, the old data for the site must be purged. The lifespan of this old data is the sum of the time set using the gslb protocol status-interval command, plus the time you set using this proto-aging-time option. The default value is 60 seconds.
    [no] proto-compatible - Enables GSLB protocol compatibility between a controller running 2.6.1 or later and a site AX device running 2.4.x. This option is disabled by default.
    [no] vip-server {name | ip ipaddr} - Maps this SLB site to a globally configured GSLB service IP address. If you use the name option, the name must be the name of a configured service IP. (To configure the service IP, use the gslb service-ip command. See gslb service-ip on page 166.)
    no vip-server all - Removes all VIP mappings (configured by the vip-server command) from the SLB device.

no slb-dev all
    Removes all SLB devices from the site.

[no] template template-name
    Binds a template to the site. To use the BW-Cost metric, use this option to bind a GSLB SNMP template to the site.

[no] weight num
    Assigns a weight to the site. If the Weighted-Site metric is enabled in the policy and all metrics before Weighted-Site result in a tie, the site with the highest weight is preferred. The weight can be from 1-100. The default is 1.

Default

See above.

Mode

Global configuration mode

Example

The following example creates a site named NY-site and adds SLB AX Series site-ax-1 with IP address 10.10.10.10 to the site:

AX(config)#gslb site NY-site
AX(config gslb-site)#slb-dev site-ax-1 10.10.10.10
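As an added example (not A10 code), the following Python models the per-client aRDT handling described for the active-rdt site options above (aging-time, ignore-count, range-factor, smooth-factor, limit) and the BW-Cost limit/threshold hysteresis. The rule that a sample is accepted after ignore-count consecutive out-of-range samples, and treating a site with no measurement as inconclusive, are this example's assumptions, not documented AX behaviour.

```python
from dataclasses import dataclass

# Defaults taken from the page's active-rdt options: aging-time (minutes),
# ignore-count, limit (ms), range-factor (%), smooth-factor (%).
DEFAULTS = {"aging_time_min": 10, "ignore_count": 5, "limit_ms": 16383,
            "range_factor": 25, "smooth_factor": 10}


@dataclass
class ClientRdt:
    value: float           # smoothed aRDT for this client, in ms
    updated_at: float      # time of last accepted sample (constructed clock, seconds)
    out_of_range: int = 0  # consecutive samples rejected by range-factor


class ArdtTracker:
    """Per-site aRDT bookkeeping for one SLB device (the page's default
    storage basis when bind-geoloc is not set)."""

    def __init__(self, **opts):
        self.opts = {**DEFAULTS, **opts}
        self.clients = {}

    def _aged_out(self, cur, now):
        return now - cur.updated_at > self.opts["aging_time_min"] * 60

    def update(self, client, sample_ms, now):
        """Feed one sample; return the measurement GSLB would use afterwards."""
        o = self.opts
        cur = self.clients.get(client)
        # First sample for a client, or the stored result has aged out:
        # nothing to compare against, so the sample is used as-is.
        if cur is None or self._aged_out(cur, now):
            self.clients[client] = ClientRdt(float(sample_ms), now)
            return self.clients[client].value
        # range-factor: accept only samples within (100 +/- range_factor)% of
        # the previous measurement; otherwise the previous value is used again.
        lo = cur.value * (100 - o["range_factor"]) / 100
        hi = cur.value * (100 + o["range_factor"]) / 100
        if not lo <= sample_ms <= hi:
            cur.out_of_range += 1
            if cur.out_of_range < o["ignore_count"]:
                return cur.value
            # Assumption of this example: once ignore-count consecutive samples
            # were out of range, the path really changed, so the sample is taken.
            cur.value, cur.updated_at, cur.out_of_range = float(sample_ms), now, 0
            return cur.value
        # smooth-factor: blend smooth_factor% of the new sample with the rest
        # of the previous measurement (10% new / 90% old by default).
        sf = o["smooth_factor"]
        cur.value = (sf * sample_ms + (100 - sf) * cur.value) / 100
        cur.updated_at, cur.out_of_range = now, 0
        return cur.value

    def measurement(self, client, now):
        """Stored measurement, or None once it is older than aging-time."""
        cur = self.clients.get(client)
        if cur is None or self._aged_out(cur, now):
            return None
        return cur.value


def ardt_select(site_rdt, limit_ms=DEFAULTS["limit_ms"]):
    """Pick the site with the lowest aRDT. A site over the limit is not
    eliminated; the metric is inconclusive (None) and the policy moves on.
    Treating a site with no measurement the same way is this example's choice."""
    if any(v is None or v > limit_ms for v in site_rdt.values()):
        return None
    return min(site_rdt, key=site_rdt.get)


def bw_cost_eligible(was_eligible, increase, limit, threshold_pct):
    """BW-Cost hysteresis. increase is how much the SNMP object grew since the
    previous query. An eligible site stays eligible while increase <= limit;
    an ineligible one regains eligibility only at or below
    limit * threshold_pct / 100 (80,000 at 90% -> 72,000, the page's example)."""
    if was_eligible:
        return increase <= limit
    return increase <= limit * threshold_pct / 100
```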

gslb system auto-map module

Description

Enable auto-mapping of IP address to resource name.

Syntax

[no] gslb system auto-map module
{all | slb-server | slb-virtual-server |
slb-device | gslb-service-ip | gslb-site |
gslb-group | hostname}

Default

Disabled

Mode

Global configuration mode

Usage

See Auto-mapping on page 73.

gslb system auto-map ttl

Description

Configure the TTL for DNS A or AAAA records created by the auto-mapping feature.

Syntax

[no] gslb system auto-map ttl seconds

Parameter

seconds
    Maximum number of seconds for which an A or AAAA record created by auto-mapping is valid. You can specify 1-65535 seconds.

Default

300

gslb system ip-ttl

Description

Change the IP Time-to-Live (TTL) in DNS replies to clients.

Syntax

[no] gslb system ip-ttl num

Parameter

num
    TTL, 1-255.

Default

255

Mode

Global configuration mode

Usage

This option applies only to DNS server mode. The option does not apply to DNS proxy mode.
The TTL value is used in all replies, regardless of the client's original TTL.

gslb system prompt

Description

Disable or re-enable display of the confirmation prompt for gslb system reset and no gslb [option] all commands.

Syntax

[no] gslb system prompt

Default

The prompt is enabled.

Mode

Global configuration mode

gslb system reset


Description

Reset the entire GSLB configuration.

Syntax

gslb system reset

Default

N/A

Mode

Global configuration mode

Usage

This command unloads all geo-location files, and reloads the default iana
file.
This command does not remove the GSLB configuration. If you want to
entirely remove the GSLB configuration, see no gslb all on page 187.

gslb system wait

Description

Delay startup of GSLB following startup of the AX device.

Syntax

[no] gslb system wait seconds

Parameter

seconds
    Length of the delay, 0-16384 seconds.

Default

0 seconds (no delay)

Mode

Global configuration mode

gslb template csv

Description
  Configure a template for extracting geo-location data from an imported CSV file.

Syntax
  [no] gslb template csv template-name
  no gslb template csv all

Parameter
template-name
    Name of the template, 1-63 characters.
all
    Removes all CSV templates from the configuration. The all option is valid only with the no form of the command shown above.

Note: To remove all CSV templates and SNMP templates, use the following command: no gslb template all

This command changes the CLI to the configuration level for the specified template, where the following commands are available. (The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.)

Command
[no] delimiter {character | ASCII-code}
    Specifies the character used in the file to delimit fields. You can type the character or enter its decimal ASCII code (0-255).
[no] field num type-of-data
    The num option specifies the field position within the CSV file. You can specify from 1-64.
    The following options specify the type of geo-location data that is located in the field position:
      ip-from     Specifies the beginning IP address in the range or subnet.
      ip-to-mask  Specifies the ending IP address in the range, or the subnet mask.
      continent   Specifies the continent where the IP address range or subnet is located.
      country     Specifies the country where the IP address range or subnet is located.
      state       Specifies the state where the IP address range or subnet is located.
      city        Specifies the city where the IP address range or subnet is located.

Default
  There is no default CSV template. When you configure one, the field locations are not set. The default delimiter character is a comma ( , ).

Mode
  Global configuration mode

Usage
  To load a geo-location data file and use the CSV template to extract the data, see gslb geo-location load on page 158.

Example
  The following commands configure a CSV template called test1-tmplte:

  AX(config)#gslb template csv test1-tmplte
  AX(config-gslb template csv)#field 1 ip-from
  AX(config-gslb template csv)#field 2 ip-to-mask
  AX(config-gslb template csv)#field 5 continent
  AX(config-gslb template csv)#field 3 country
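As an added illustration (not A10 code and not part of the original guide), the following Python script mirrors the delimiter and field-position semantics described above: the delimiter may be given as a literal character or as its decimal ASCII code, field positions are 1-based and limited to 1-64, and ip-to-mask may carry either the last address of a range or a subnet mask. It loads a constructed sample feed laid out the way test1-tmplte expects and answers lookups against the result. The class and function names, the sample data, and the rule used to tell a mask from a range-end address are assumptions of this example; the guide does not say how the AX device disambiguates ip-to-mask.

```python
import csv
import ipaddress
from bisect import bisect_right
from dataclasses import dataclass, field
from io import StringIO
from typing import Dict, List, Optional, Tuple

# Types of geo-location data a "field num type-of-data" command may name.
VALID_TYPES = {"ip-from", "ip-to-mask", "continent", "country", "state", "city"}


@dataclass
class CsvTemplate:
    """Mirror of a gslb template csv: a delimiter plus 1-based field positions."""
    delimiter: str = ","                                   # CLI default is a comma
    fields: Dict[int, str] = field(default_factory=dict)   # position -> type-of-data

    def set_delimiter(self, value) -> None:
        """delimiter {character | ASCII-code}: a literal character or a decimal code 0-255."""
        if isinstance(value, int):
            if not 0 <= value <= 255:
                raise ValueError("ASCII code must be 0-255")
            value = chr(value)
        if len(value) != 1:
            raise ValueError("delimiter must be a single character")
        self.delimiter = value

    def set_field(self, num: int, type_of_data: str) -> None:
        """field num type-of-data: position 1-64, one of the six data types."""
        if not 1 <= num <= 64:
            raise ValueError("field position must be 1-64")
        if type_of_data not in VALID_TYPES:
            raise ValueError(f"unknown type-of-data {type_of_data!r}")
        self.fields[num] = type_of_data


def _range_end(start: ipaddress.IPv4Address, ip_to_mask: str) -> ipaddress.IPv4Address:
    """ip-to-mask holds either the last address of the range or a subnet mask.
    Assumption of this example (the guide does not say how the AX device decides):
    a value that parses as a valid dotted netmask is treated as a mask."""
    try:
        return ipaddress.IPv4Network((start, ip_to_mask), strict=False).broadcast_address
    except ValueError:
        return ipaddress.IPv4Address(ip_to_mask)


def load_geo_csv(text: str, tmpl: CsvTemplate) -> List[Tuple[int, int, Dict[str, str]]]:
    """Extract sorted (first, last, location) ranges from CSV text via the template.
    Comment lines, short rows and rows with unparsable addresses are skipped."""
    if not {"ip-from", "ip-to-mask"} <= set(tmpl.fields.values()):
        raise ValueError("template must set both ip-from and ip-to-mask")
    ranges = []
    for row in csv.reader(StringIO(text), delimiter=tmpl.delimiter):
        if not row or row[0].startswith("#"):
            continue
        try:
            by_type = {t: row[pos - 1].strip() for pos, t in tmpl.fields.items()}
            start = ipaddress.IPv4Address(by_type.pop("ip-from"))
            end = _range_end(start, by_type.pop("ip-to-mask"))
        except (IndexError, ValueError):
            continue
        if end >= start:
            ranges.append((int(start), int(end), by_type))
    ranges.sort(key=lambda r: r[0])
    return ranges


def lookup(ranges, ip: str) -> Optional[Dict[str, str]]:
    """Binary-search the sorted ranges for the location that covers ip."""
    n = int(ipaddress.IPv4Address(ip))
    i = bisect_right([r[0] for r in ranges], n) - 1
    if i >= 0 and ranges[i][0] <= n <= ranges[i][1]:
        return ranges[i][2]
    return None


# Constructed sample feed (not an A10 file). Column order matches test1-tmplte:
# 1 = ip-from, 2 = ip-to-mask, 3 = country, 4 = region (unused), 5 = continent.
SAMPLE_CSV = """# start,end-or-mask,country,region,continent
10.1.0.0,10.1.255.255,US,CA,NA
10.2.0.0,255.255.0.0,DE,BE,EU
192.0.2.0,192.0.2.127,JP,13,AS
not-an-address,,XX,,ZZ
"""


def demo():
    """Configure the template the way the CLI example does, then load the sample feed."""
    tmpl = CsvTemplate()
    tmpl.set_delimiter(44)            # decimal ASCII code for ','
    tmpl.set_field(1, "ip-from")
    tmpl.set_field(2, "ip-to-mask")
    tmpl.set_field(5, "continent")
    tmpl.set_field(3, "country")
    return load_geo_csv(SAMPLE_CSV, tmpl)
```

The second sample row uses the mask form (10.2.0.0 with 255.255.0.0) and resolves to the same kind of range as the first row, so lookups need not care which form the feed used; the malformed last row is dropped rather than aborting the load.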

gslb template snmp

Description
  Configure an SNMP template to query data for use by the BW-Cost metric.

Syntax
  [no] gslb template snmp template-name
  no gslb template snmp all

Parameter
template-name
    Name of the template, 1-63 characters.
all
    Removes all SNMP templates from the configuration. The all option is valid only with the no form of the command shown above.

Note: To remove all CSV templates and SNMP templates, use the following command: no gslb template all

This command changes the CLI to the configuration level for the specified template, where the following commands are available. (The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.)

Command
[no] auth-key string
    Specifies the authentication key. The key string can be 1-127 characters long. This command is applicable if the security level is auth-no-priv or auth-priv.
[no] auth-proto {sha | md5}
    Specifies the authentication protocol. This command is applicable if the security level is auth-no-priv or auth-priv.
[no] community community-string
    For SNMPv1 or v2c, specifies the community string required for authentication.
[no] context-engine-id id
    Specifies the ID of the SNMPv3 protocol engine running on the site AX device.
[no] context-name id
    Specifies an SNMPv3 collection of management information objects accessible by an SNMP entity.
[no] host ipaddr
    Specifies the IP address of the site AX device.
[no] interface id
    Specifies the SNMP interface ID.
[no] interval seconds
    Specifies the amount of time between each SNMP GET to the site AX devices. You can specify 1-999 seconds. The default is 3.
[no] oid oid-value
    Specifies the interface MIB object to query on the site AX device.
    Note: If the object is part of a table, make sure to append the table index to the end of the OID. Otherwise, the AX device will return an error.
[no] port portnum
    Specifies the protocol port on which the site AX devices listen for the SNMP requests from the GSLB AX device. You can specify 1-65535. The default is 161.
[no] priv-key string
    Specifies the encryption key. The key string can be 1-127 characters long. This command is applicable only if the security level is auth-priv.
[no] priv-proto {aes | des}
    Specifies the privacy protocol used for encryption. This command is applicable only if the security level is auth-priv.
[no] security-engine-id id
    Specifies the ID of the SNMPv3 security engine running on the site AX device. For each of the ID commands, the ID is a string 1-127 characters long.
[no] security-level {no-auth | auth-no-priv | auth-priv}
    Specifies the SNMPv3 security level:
      no-auth       Authentication is not used and encryption (privacy) is not used. This is the default.
      auth-no-priv  Authentication is used but encryption is not used.
      auth-priv     Both authentication and encryption are used.
[no] username name
    Specifies the SNMPv3 username required for access to the SNMP agent on the site AX device.
[no] version {v1 | v2c | v3}
    Specifies the SNMP version running on the site AX device.

Default
  See above.

Mode
  Global configuration mode

Usage
  The community command applies only to SNMPv1 or v2c. Most of the other commands, with the exception of the version, interval, port, and interface commands, apply to SNMPv3.
  You cannot delete an SNMP template if the template is in use by a site. To delete a template, first remove it from all site configurations that are using it.

Example
  The following commands configure a GSLB SNMP template for SNMPv2c:

  AX(config)#gslb template snmp snmp-1
  AX(config-gslb template snmp)#version v2c
  AX(config-gslb template snmp)#host 192.168.214.124
  AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
  AX(config-gslb template snmp)#community public
  AX(config-gslb template snmp)#exit

Example
  The following commands configure a GSLB SNMP template for SNMPv3. In this example, authentication and encryption are both used.

  AX(config)#gslb template snmp snmp-2
  AX(config-gslb template snmp)#security-level auth-priv
  AX(config-gslb template snmp)#host 192.168.214.124
  AX(config-gslb template snmp)#username read
  AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
  AX(config-gslb template snmp)#priv-proto des
  AX(config-gslb template snmp)#auth-key 12345678
  AX(config-gslb template snmp)#priv-key 12345678
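The applicability rules for the template commands above (community for v1/v2c only, auth-key and auth-proto for auth-no-priv and auth-priv, priv-key and priv-proto for auth-priv only, the value ranges, and the requirement that a table-column OID carry its index) can be checked before a template is typed into the CLI. The following Python validator is an added example, not A10 code: it encodes those rules and runs them over constructed copies of the two templates shown in the examples plus a third, constructed template whose OID lacks the ifIndex. The only table it recognises is the standard IF-MIB ifEntry, from which the example OID .1.3.6.1.2.1.2.2.1.16.12 (ifOutOctets.12) comes; the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

# IF-MIB ifEntry: every column under it is indexed by ifIndex, so a usable OID
# must end in "<column>.<ifIndex>", e.g. .1.3.6.1.2.1.2.2.1.16.12 = ifOutOctets.12.
IF_ENTRY = "1.3.6.1.2.1.2.2.1"


@dataclass
class SnmpTemplate:
    """Constructed mirror of the fields a gslb template snmp carries (not A10 code)."""
    name: str
    version: str = "v2c"                # v1 | v2c | v3
    host: Optional[str] = None
    oid: Optional[str] = None
    interval: int = 3                   # 1-999 seconds, default 3
    port: int = 161                     # 1-65535, default 161
    community: Optional[str] = None     # v1/v2c only
    username: Optional[str] = None      # v3 only
    security_level: str = "no-auth"     # no-auth (default) | auth-no-priv | auth-priv
    auth_proto: Optional[str] = None    # sha | md5
    auth_key: Optional[str] = None      # 1-127 chars, auth-no-priv / auth-priv
    priv_proto: Optional[str] = None    # aes | des
    priv_key: Optional[str] = None      # 1-127 chars, auth-priv only


def _key_len(out: List[str], label: str, value: Optional[str]) -> None:
    if value is not None and not 1 <= len(value) <= 127:
        out.append(f"error: {label} must be 1-127 characters")


def validate(t: SnmpTemplate) -> List[str]:
    """Return 'error:' / 'warning:' findings; no 'error:' entries means the template is coherent."""
    out: List[str] = []
    if not 1 <= len(t.name) <= 63:
        out.append("error: template-name must be 1-63 characters")
    if t.version not in ("v1", "v2c", "v3"):
        out.append(f"error: unknown version {t.version!r}")
    if not t.host:
        out.append("error: host is required")
    if not 1 <= t.interval <= 999:
        out.append("error: interval must be 1-999 seconds")
    if not 1 <= t.port <= 65535:
        out.append("error: port must be 1-65535")
    if not t.oid:
        out.append("error: oid is required")
    else:
        parts = t.oid.lstrip(".").split(".")
        if not all(p.isdigit() for p in parts):
            out.append(f"error: oid {t.oid!r} is not dotted-numeric")
        elif ".".join(parts).startswith(IF_ENTRY + ".") and len(parts) != IF_ENTRY.count(".") + 3:
            out.append("error: ifTable column OID must end with column.ifIndex (table index missing)")
    if t.version in ("v1", "v2c"):
        if not t.community:
            out.append("error: community string is required for v1/v2c")
        out.append("warning: v1/v2c sends the community string in cleartext with no integrity protection")
        for label in ("username", "auth_key", "priv_key"):
            if getattr(t, label) is not None:
                out.append(f"warning: {label} is ignored unless version is v3")
    elif t.version == "v3":
        if not t.username:
            out.append("error: username is required for v3")
        if t.security_level not in ("no-auth", "auth-no-priv", "auth-priv"):
            out.append(f"error: unknown security-level {t.security_level!r}")
        needs_auth = t.security_level in ("auth-no-priv", "auth-priv")
        needs_priv = t.security_level == "auth-priv"
        if needs_auth and not t.auth_key:
            out.append("error: auth-key is required for auth-no-priv and auth-priv")
        if not needs_auth and (t.auth_key or t.auth_proto):
            out.append("warning: auth-key/auth-proto are ignored at security-level no-auth")
        if needs_priv and not t.priv_key:
            out.append("error: priv-key is required for auth-priv")
        if not needs_priv and (t.priv_key or t.priv_proto):
            out.append("warning: priv-key/priv-proto are ignored unless security-level is auth-priv")
        if needs_priv and t.auth_key and t.auth_key == t.priv_key:
            out.append("warning: auth-key and priv-key are the same string")
        if t.auth_proto not in (None, "sha", "md5"):
            out.append("error: auth-proto must be sha or md5")
        if t.priv_proto not in (None, "aes", "des"):
            out.append("error: priv-proto must be aes or des")
        _key_len(out, "auth-key", t.auth_key)
        _key_len(out, "priv-key", t.priv_key)
    return out


def page_examples():
    """The two templates from the CLI examples above, plus a constructed one with no table index."""
    snmp_1 = SnmpTemplate("snmp-1", version="v2c", host="192.168.214.124",
                          oid=".1.3.6.1.2.1.2.2.1.16.12", community="public")
    snmp_2 = SnmpTemplate("snmp-2", version="v3", host="192.168.214.124", username="read",
                          oid=".1.3.6.1.2.1.2.2.1.16.12", security_level="auth-priv",
                          priv_proto="des", auth_key="12345678", priv_key="12345678")
    no_index = SnmpTemplate("snmp-3", version="v2c", host="192.0.2.10",      # constructed
                            oid=".1.3.6.1.2.1.2.2.1.16", community="public")
    return validate(snmp_1), validate(snmp_2), validate(no_index)
```

Both templates from the examples pass without errors; the v2c one draws only the cleartext-community warning, the v3 one only the shared-key warning, and the third is rejected for the missing ifIndex that the note under oid describes.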

gslb zone

Description
  Configure a GSLB zone, which identifies the top-level name for the services load balanced by GSLB.

Syntax
  [no] gslb zone zone-name
  no gslb zone all

Note: DNSSEC is not supported for GSLB wildcard zones.

Parameter
zone-name
    Name of the zone, up to 127 alphanumeric characters, or * (wildcard character matching on all zone names).
    You can use lower case characters and upper case characters. However, since Internet domain names are case-insensitive, the AX device internally converts all upper case characters in GSLB zone names to lower case.
all
    Removes all GSLB zones from the configuration. The all option is valid only with the no form of the command shown above.

This command changes the CLI to the configuration level for the specified zone, where the following zone-related commands are available:

Command
[no] disable
    Disables all services in the GSLB zone.
[no] dns-mx-record name priority
    Configures a DNS Mail Exchange (MX) record for the zone. The name is the fully-qualified domain name of the mail server for the zone.
    If more than one MX record is configured for the same zone, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX with the lowest priority value has the highest priority and is tried first. The priority can be 0-65535. There is no default.
    MX records configured on a zone are used only for services on which MX records are not configured.
    Note: If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure Address records for the mail service.
[no] dns-ns-record domain-name
    Configures a DNS name server record for the specified domain.
[no] dns-soa-record [external] dns-server-name mailbox-name [expire seconds] [refresh seconds] [retry seconds] [serial num] [ttl seconds]
    Configures a DNS start of authority (SOA) record for the GSLB zone.
    The external option causes the AX device to replace the internal SOA record with an external SOA record when a request is received from an external client. This prevents external clients from gaining access to internal information. The feature must also be enabled in the GSLB policy.
    The refresh option specifies the number of seconds other DNS servers wait before requesting updated information for the GSLB zone. The retry option specifies how many seconds other DNS servers wait before resending a refresh request, if GSLB does not respond to the previous request. The expire option specifies how many seconds GSLB can remain unresponsive to a refresh request before the other DNS server stops responding to queries for the zone.
    The serial option specifies the initial serial number of the SOA record. This number is automatically incremented each time a change occurs to any records in the zone file. You can specify a serial number from 0-2147483647. The default is based on the current system time on the GSLB AX device when you create the SOA record.
    The ttl option specifies the number of seconds GSLB will cache and reuse negative replies (NXDOMAIN messages). A negative reply is an error message indicating that a requested domain does not exist.
    Note: The ttl option is equivalent to the minimum option in BIND 9.
[no] policy policy-name
    Applies the specified GSLB policy to the zone. You can specify default for the GSLB policy name, if you have not configured another policy and applied it to the zone. The GSLB policy applied to the zone is also applied to the services in that zone.
[no] service port [service-name]
    Adds a service to the zone. The port option specifies the service port and can be a well-known name recognized by the CLI or a port number from 1 to 65535. The service-name can be 1-31 alphanumeric characters or * (wildcard character matching on all service names).
    For the same reason described for zone names, the AX device converts all upper case characters in GSLB service names to lower case.
    This command changes the CLI to the configuration level for the service, where the following GSLB-related commands are available:

    action action-type
        Specifies the action to perform for DNS traffic:
          drop    Drops DNS queries from the local DNS server.
          reject  Rejects DNS queries from the local DNS server and returns the Refused message in replies.
          forward {both | query | response}  Forwards requests or queries, as follows:
            forward both      Forwards queries to the Authoritative DNS server, and forwards responses to the local DNS server.
            forward query     Forwards queries to the Authoritative DNS server, but does not forward responses to the local DNS server.
            forward response  Forwards responses to the local DNS server, but does not forward queries to the Authoritative DNS server.
        Note: Use of the actions configured for services also must be enabled in the GSLB policy, using the dns action command at the configuration level for the policy. See dns on page 197.
    disable
        Disables all services in the GSLB zone.
    dns-a-record {service-name | ip service-ipaddr} {as-backup | as-replace | no-resp | static | ttl num | weight num}
        Configures a DNS Address (A) record for the service, for use with the DNS replace-ip option in the GSLB policy. (See dns on page 197.)
          as-backup   This option is used to specify the backup servers in the dns-a-record within the GSLB zone. These are the servers that will be returned to the client if the primary servers fail and backup server mode is enabled.
          as-replace  This option is used with the ip-replace option in the policy. When both options are set (as-replace here and ip-replace in the policy), the client receives only the IP address set here by service-ip.
          no-resp     Prevents the IP address for this site from being included in DNS replies to clients.
          static      This option is used with the dns server option in the policy. When both options are set (static here and dns server in the policy), the GSLB AX device acts as the DNS server for the IP address set here by service-ip.
          ttl num     Assigns a TTL to the service, 0-2147483647. By default, the TTL of the zone is used. This option can be used with the dns server option in the policy, or with DNS proxy mode enabled in the policy.
          weight num  Assigns a weight to the service. If the Weighted-IP metric is enabled in the policy and all metrics before Weighted-IP result in a tie, the service on the site with the highest weight is selected. The weight can be 1-100. By default, the weight is not set.
        Note: The no-resp option is not valid with the static or as-replace option. If you use no-resp, you cannot use static or as-replace.
    dns-cname-record alias [alias ...] [as-backup] [admin-preference num] [weight num]
        Configures DNS Canonical Name (CNAME) records for the service.
          as-backup             Specifies that the record is a backup record.
          admin-preference num  Default is 100. Please contact A10 Networks for information.
          weight num            Please contact A10 Networks for information.
    dns-mx-record name priority
        Configures a DNS Mail Exchange (MX) record for the service. The name is the fully-qualified domain name of the mail server for the service.
        If more than one MX record is configured for the same service, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX record with the lowest priority number has the highest priority and is tried first. The priority can be 0-65535. There is no default.
        Note: If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure A records for the mail service.
    dns-ns-record domain-name [as-backup]
        Configures a DNS name server record. The as-backup option specifies that the record is a backup record. To use the as-backup option, you also must use the dns backup-alias command in the policy. (See dns on page 197.)
    dns-ptr-record domain-name
        Configures a DNS pointer record.
    dns-srv-record domain-name priority [port portnum] [weight num]
        Configures a DNS service record.
        The priority can be 0-65535. There is no default.
        The port portnum specifies the protocol port to return to the client, and can be 0-65534. There is no default. If you do not specify the port, GSLB finds the port for the SRV record and sends it to the client. If you do specify the port, GSLB sends the specified port to the client.
        The weight num specifies the weight and can be 0-65535. The default is 10.
    dns-txt-record aaaa bbbb cccc
        Enables use of DNS TXT resource records to carry multiple pieces of DNS TXT data within one TXT record.
        Note: The AX device has a special handler that enables you to enter non-printable characters that the CLI does not support. For details, please contact A10 Support.
        Note: This option also requires the dns server txt command at the configuration level for the GSLB policy.
    geo-location location-name [...] {action action | alias url | policy policy-name}
        Configures geo-location settings. The location must already be configured. (See gslb geo-location on page 156.)
          action action       Specifies the action to perform for DNS traffic. The action options are the same as those for the action command described above.
          alias url           Maps an alias configured with the alias option (see above) to the specified location for this service.
          policy policy-name  Applies the specified GSLB policy to clients from the geo-location.
    health-check {gateway | port portnum [...]}
        Please contact A10 Networks for information.
    admin-ip {service-name | service-ipaddr} [...]
        Specifies the list of service IP addresses in the DNS reply.
    policy policy-name
        Applies the specified GSLB policy to the service.

no gslb service all
    Removes all services from the zone.
[no] template dnssec template-name
    Binds a DNSSEC template to the zone. (See DNSSEC Support on page 133.)
[no] ttl seconds
    Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy, for this zone. You can specify from 0 to 1000000000 (one billion) seconds. This TTL setting overrides the TTL setting in the GSLB policy. The default is 10.
    The TTL of the DNS reply can be overridden in two different places in the GSLB configuration:
    (1) If a GSLB policy is assigned to the individual service, then the TTL from that policy is used.
    (2) If no policy is assigned to the individual service, but the TTL is set in the zone, then the zone's TTL setting is used. (This is the level set by the ttl command shown earlier in this section.)

Default
  Default settings are described above, where applicable.

Mode
  Global configuration mode

Example
  The following example creates a zone named ax-gslb-zone:

  AX(config)#gslb zone ax-gslb-zone
  AX(config gslb-zone)#

Example
  The following example uses the wildcard character at the end of the gslb zone command. This identifies all GSLB zones, so that the next line of the configuration matches all DNS domains that have the prefix www.

  AX#configure
  AX(config)#gslb zone *
  AX(config-gslb zone)#service http www

Example
  The following commands create a default GSLB policy and then specify that a backup server at IP 192.168.123.1 will be returned to the client if the primary servers fail.

  AX(config)#gslb policy default
  AX(config-gslb policy)#dns backup-server
  AX(config-gslb policy)#exit
  AX(config)#gslb zone z1
  AX(config-gslb zone)#service 80 http
  AX(config-gslb zone-gslb service)#dns-a-record 192.168.123.1 as-backup
  AX(config-gslb zone-gslb service)#exit
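The MX rules stated above for zones and services (the lowest priority value is tried first, zone-level MX records are used only for services without MX records of their own, and an IP address can be returned for a mail host only when an A record exists for it) are easier to see in a small resolver model. The following Python code is an added example, not A10 code and not the AX device's resolution logic: it builds a constructed zone with services and records and answers MX queries against it, reporting which mail hosts could not be given an address. The zone name, record data, and all class and function names are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def norm(name: str) -> str:
    """Domain names are case-insensitive; like the AX device, lower-case zone and service names."""
    return name.lower().rstrip(".")


@dataclass
class MxRecord:
    name: str        # fully-qualified domain name of the mail server
    priority: int    # 0-65535; the lowest value has the highest priority

    def __post_init__(self) -> None:
        if not 0 <= self.priority <= 65535:
            raise ValueError("MX priority must be 0-65535")


@dataclass
class Service:
    name: str
    mx: List[MxRecord] = field(default_factory=list)       # dns-mx-record at service level
    a_records: List[str] = field(default_factory=list)     # dns-a-record ip ... at service level


@dataclass
class Zone:
    name: str
    mx: List[MxRecord] = field(default_factory=list)       # dns-mx-record at zone level
    services: Dict[str, Service] = field(default_factory=dict)

    def add_service(self, svc: Service) -> None:
        self.services[norm(svc.name)] = svc


def mx_for_service(zone: Zone, service: str) -> List[MxRecord]:
    """Zone MX records apply only to services that have no MX records of their own."""
    svc = zone.services.get(norm(service))
    records = svc.mx if (svc and svc.mx) else zone.mx
    return sorted(records, key=lambda r: r.priority)


def answer_mx(zone: Zone, qname: str) -> Tuple[List[Tuple[int, str]], Dict[str, List[str]], List[str]]:
    """Answer an MX query for <service>.<zone>.
    Returns (ordered MX answers, A records for mail hosts inside the zone, and the mail
    hosts for which no A record is configured, so no address can be returned for them)."""
    q, z = norm(qname), norm(zone.name)
    if not q.endswith("." + z):
        return [], {}, []
    service = q[: -len(z) - 1]
    answers = [(r.priority, norm(r.name)) for r in mx_for_service(zone, service)]
    additional: Dict[str, List[str]] = {}
    missing: List[str] = []
    for _, host in answers:
        host_svc = zone.services.get(host[: -len(z) - 1]) if host.endswith("." + z) else None
        if host_svc and host_svc.a_records:
            additional[host] = list(host_svc.a_records)
        else:
            missing.append(host)
    return answers, additional, missing


def build_sample_zone() -> Zone:
    """Constructed data (not from the guide): zone MX records listed out of priority order,
    one service with its own MX record, and one mail host without an A record."""
    zone = Zone("example.com", mx=[MxRecord("mx2.example.com", 20), MxRecord("mx1.example.com", 10)])
    zone.add_service(Service("www"))                                          # inherits the zone MX records
    zone.add_service(Service("mx1", a_records=["192.0.2.10"]))                 # A record present
    zone.add_service(Service("mx2"))                                           # no A record configured
    zone.add_service(Service("mail", a_records=["192.0.2.25"]))
    zone.add_service(Service("shop", mx=[MxRecord("mail.example.com", 5)]))    # service-level MX record
    return zone
```

For www the zone-level records come back sorted by priority with mx2 flagged as lacking an address; for shop the service-level record takes precedence over the zone's records, as the zone-level dns-mx-record description states.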

no gslb all

Description
  Delete all GSLB configuration commands.

Syntax
  no gslb all

Default
  N/A

Mode
  Global configuration mode

Usage
  If you only want to reset GSLB instead of removing the GSLB configuration, see gslb system reset on page 175.
  The all option is also supported with the no forms of the GSLB configuration commands described in the other sections in this chapter. For syntax information, see the sections for the individual commands.

Policy Configuration Commands


The commands in this section configure GSLB policies. The CLI changes to
this level when you enter the gslb policy policy-name command from the
global Config level.

active-rdt

Description
  Configure the active-Round Delay Time (aRDT) metric.
  aRDT measures the round-delay-time for a DNS query and reply between a site AX device and the GSLB local DNS.

Syntax
  [no] active-rdt
    [difference num]
    [fail-break]
    [ignore-id group-id]
    [keep-tracking]
    [limit ms]
    [samples num-samples]
    [single-shot]
    [skip count]
    [timeout seconds]
    [tolerance num-percentage]

Parameter
difference num
    Number from 0 to 16383 specifying the round-delay-time difference.
fail-break
    Enables GSLB to stop if the configured aRDT limit in a policy is reached. The fail-break action depends on whether the GSLB controller is running in server mode or proxy mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.
    Note: To configure the aRDT limit, use the limit option (described below).
    To configure GSLB to return a CNAME record as a backup, enable the backup-alias option using the dns backup-alias command at the configuration level for the policy. To configure the backup alias for a service within a zone, use the following command at the configuration level for the service: dns-cname-record alias-name as-backup
ignore-id group-id
    Excludes the IP addresses in the specified IP list from aRDT data collection. Specify an ID from 0-31. (To configure an IP list, see gslb ip-list on page 161.)
keep-tracking
    Continues tracking of aRDT for clients after the track time expires. By default, GSLB stops collecting aRDT samples for a client (stops tracking the client) after the time has exceeded the number of seconds specified by the global aRDT track setting.
limit ms
    Specifies the aRDT limit for the policy. This option is useful for applying site selection based on aRDT limits and geo-location. This option is required if you plan to use the DNS geoloc-policy option. You can specify 1-16383 ms.
    To configure the aRDT limit by geo-location:
    1. Enable the active-rdt bind-geoloc option on each GSLB site.
    2. Enable the dns geoloc-policy option in the default GSLB policy, and enable the active-rdt option in the policies for geo-locations. If applicable, configure the aRDT limit.
    3. On the service within the zone, enable the geo-location option and specify the GSLB policy to use for that location.
samples num-samples
    Number from 1 to 8 specifying the number of samples to collect.
single-shot
    Collects a single sample only.
skip count
    When single-shot is configured, this option determines the number of site AX devices that can exceed their single-shot timeouts, without the aRDT metric itself being skipped by the GSLB AX device during site selection. You can skip from 1-31 sites.
timeout seconds
    When single-shot is configured, this option determines the number of seconds each site AX device should wait for the DNS reply. If the reply does not arrive within the specified timeout, the site becomes ineligible for selection, in cases where selection is based on the aRDT metric. You can specify 1-255 seconds.
tolerance num-percentage
    Specifies how much the aRDT values must differ in order for GSLB to prefer one geo-location or site over another based on aRDT.

Default
  Disabled. When you enable the aRDT metric, it has the following default settings:
    difference     0
    fail-break     disabled
    ignore-id      not set
    keep-tracking  disabled
    limit          16383 ms
    samples        5
    single-shot    disabled (multiple samples are taken at regular intervals)
    skip           3
    timeout        3 seconds
    tolerance      10 percent

Mode

GSLB Policy

Usage

This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.

Example

The following command enables the aRDT metric:

AX(config gslb-policy)#active-rdt

active-servers
Description

Configure the Active-Servers metric, which prefers the VIP with the highest
number of active servers.
Active-servers is a measure of the number of active real servers bound to a
virtual port residing on a GSLB site.

Syntax
  [no] active-servers [fail-break]

Parameter
fail-break
    Enables GSLB to stop if the number of active servers for all services is 0. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default

Disabled

Mode

GSLB Policy

Usage

Use this command to eliminate inactive real servers from being eligible for
selection.

Example

The following command enables the Active-Servers metric:

AX(config gslb-policy)#active-servers

admin-ip

Description
  Allows you to assign administrative weights to IP addresses.

Syntax
  [no] admin-ip [top-only]

Parameter
top-only
    Returns only the first (top) IP address in the IP list. This option overrides the default behavior, in which GSLB sends all IP addresses to the requesting client after those addresses have been vetted according to the metrics in the policy.

Default

Disabled

Mode

GSLB Policy

Usage

The prioritized list is sent to the next metric for further evaluation. If
admin-ip is the last metric, the prioritized list is sent to the client. To configure the ordered list of IP addresses for a service, use the ip-order command
at the service configuration level for the GSLB zone. See gslb zone on
page 180.

admin-preference

Description
  Enable or disable the Admin-Preference metric, which prefers the site whose SLB device has the highest administratively set weight.

Syntax
  [no] admin-preference

Default

Disabled

Mode

GSLB Policy

Usage

To set the GSLB Admin-Preference value for a site, use the admin-preference command at the configuration level for the SLB device within the site.
(See gslb site on page 168.)

Example

The following command enables the Admin-Preference metric:

AX(config gslb-policy)#admin-preference

alias-admin-preference

Description
  Enable or disable the Alias Admin Preference metric, which selects the DNS CNAME record with the highest administratively set preference. This metric is similar to the Admin Preference metric, but applies only to DNS CNAME records.

Syntax
  [no] alias-admin-preference

Default
  Disabled

Mode
  GSLB Policy

Usage
  Metric order does not apply to this metric. When enabled, this metric always has high priority.
  To configure the Alias Admin Preference metric:
  1. At the configuration level for the GSLB service, use the admin-preference preference command to assign an administrative preference to the DNS CNAME record for the service. (See gslb service-ip on page 166.)
  2. At the configuration level for the GSLB policy:
     - Use the alias-admin-preference command to enable the Alias Admin Preference metric.
     - Enable one or both of the following DNS options, as applicable to your deployment: DNS backup-alias, DNS geoloc-alias. (See dns on page 197.)
  3. If using the backup-alias option, use the dns-cname-record as-backup option on the service. (See gslb service-ip on page 166.)

bw-cost

Description
  Configure the BW-Cost metric. This mechanism queries the bandwidth utilization of each site, and selects the site(s) whose bandwidth utilization has not exceeded a configured threshold during the most recent query interval.

Syntax
  [no] bw-cost [fail-break]

Parameter
fail-break
    Enables GSLB to stop if the current BW-Cost value is over the limit. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default

Disabled

Mode

GSLB Policy

Example

The following command enables the BW-Cost metric:

AX(config gslb-policy)#bw-cost

capacity

Description
  Configure the TCP/UDP Session-Capacity metric. This mechanism provides a way to shift load away from a site before the site becomes congested.
  Example: Site A's maximum session capacity is 800,000 and Site B's maximum session capacity is 500,000. If the Session-Capacity threshold is set to 90, then for Site A the capacity threshold is 90% of 800,000, which is 720,000. Likewise, the capacity threshold for Site B is 90% of 500,000, which is 450,000.

Syntax
  [no] capacity [threshold num-percentage] [fail-break]

Parameter
threshold num-percentage
    Number from 0 to 100 specifying the maximum percentage of a site AX Series session table that can be used. If the session table utilization is greater than the specified percentage, the GSLB AX Series prefers other sites over this site.
fail-break
    Enables GSLB to stop if the session utilization on all site SLB devices is over the threshold. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default

Disabled. When you enable the capacity metric, the default threshold is 90
percent.

Mode

GSLB Policy

Usage

This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.

Example

The following command enables the capacity metric at the default value of
90% utilization of TCP/UDP session capacity:

AX(config gslb-policy)#capacity

connection-load

Description
  Configure the Connection-Load metric, which prefers sites that have not exceeded their thresholds for new connections.

Syntax
  [no] connection-load
    [limit number-of-connections] |
    [samples number-of-samples interval seconds]
    [fail-break]

Parameter
limit number-of-connections
    Number that specifies the maximum average number of new connections per second the site AX Series can have. You can specify from 1 to 999999999 (999,999,999).
samples number-of-samples interval seconds
    Number of samples for the SLB device (the site AX Series) to collect, and the number of seconds between each sample. You can specify 1-8 samples and an interval of 1-60 seconds.
fail-break
    Enables GSLB to stop if the connection load for all sites is over the limit. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default

Disabled. When you enable the Connection-Load metric, the default limit is
not set (unlimited). The default number of samples is 5, and the default
interval is 5 seconds.

Mode

GSLB Policy

Usage

This command applies only to GSLB selection of a site. The command does
not affect the number of connections the site AX Series itself allows.
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.

Example

The following command sets the connection load limit to 1000 new connections:

AX(config gslb-policy)#connection-load limit 1000


dns

Description

Configure DNS parameters for the policy.

Syntax

[no] dns
{
action |
active-only [fail-safe] |
addition-mx |
auto-map |
backup-alias |
backup-server |
cache [aging-time {seconds | ttl}] |
cname-detect |
delegation |
external-ip |
external-soa |
geoloc-action |
geoloc-alias |
geoloc-policy |
hint {addition | answer | none} |
ip-replace |
ipv6 options |
logging {both | query | response | none} |
proxy block options |
selected-only [num] |
server
  [addition-mx]
  [any]
  [authoritative options]
  [mx]
  [ns [auto-ns]]
  [ptr [auto-ptr]]
  [srv]
  [txt] |
sticky [network-mask | /prefix-length]
  [aging-time minutes] [ipv6-mask mask-length] |
ttl num
}

Parameter  Description

action
  Enable GSLB to perform the DNS actions specified in the service configurations.
  Note: To configure the DNS action for a service, use the action action-type command at the configuration level for the service. See gslb zone on page 180.

active-only [fail-safe]
  Removes IP addresses from DNS replies when those addresses fail health checks.
  Note: If none of the IP addresses in the DNS reply pass the health check, the GSLB AX Series does not use this metric, since it would result in an empty IP address list.
  The fail-safe option returns a list of server IP addresses for failed servers to the client. Without this option, IP addresses of failed servers are omitted from the reply.

addition-mx
  Appends MX records in the Additional section in replies for A records, when the device is configured for DNS proxy or cache mode.

auto-map
  Enables creation of A and AAAA records for IP resources configured on the AX device. For example, this option is useful for auto-mapping VIP addresses to service-IP addresses. (See Auto-mapping on page 73.)

backup-alias
  Returns the alias CNAME record configured for the service, if GSLB does not receive an answer to a query for the service and no active DNS server exists. This option is valid in server mode or proxy mode.
  To configure the backup alias for a service within a zone, use the following command at the configuration level for the service: dns-cname-record alias-name as-backup

backup-server
  Designates one or more backup servers that can be returned to the client if the primaries should fail.

cache [aging-time {seconds | ttl}]
  Enables the GSLB AX device to cache DNS replies. The AX device uses information in the cached DNS entries to reply to subsequent client requests, as opposed to sending a new DNS request for every client query.
  By default, the AX device caches a DNS reply for the duration of the TTL in the reply. You can override the entry TTL by setting the cache aging time. You can specify 1-1,000,000,000 seconds (nearly 32 years). Do not type commas when you enter the number.
  If you change the aging time but later decide to restore it to its default value, use the ttl option instead of seconds.

cname-detect
  Disabling this option skips the CNAME response. If enabled, the GSLB AX applies the zone and service policy to the CNAME record instead of applying it to the address record.

delegation
  Enables sub-zone delegation. The feature allows you to delegate authority or responsibility for a portion of the DNS namespace from the parent domain to a separate sub-domain, which may reside on one or more remote servers and may be managed by someone other than the network administrator who is responsible for the parent zone. (For more information, see DNS Subzone Delegation on page 85.)

external-ip
  Returns the external IP address configured for a service IP. If this option is disabled, the internal address is returned instead.
  The external IP address must be configured on the service IP. (Use the external-ip command at the configuration level for the service IP.)

external-soa
  Replaces the internal SOA record with an external SOA record to prevent external clients from gaining information that should only be available to internal clients. If this option is disabled, the internal SOA record is returned instead.
  The external SOA record must be configured in the GSLB zone. (Use the external-soa record command at the gslb zone configuration level.)

geoloc-action
  Performs the DNS traffic handling action specified for the client's geo-location. The action is specified as part of service configuration in a zone.
  Note: To configure the DNS action for a service, use the geo-location location-name action-type command at the configuration level for the service. See gslb zone on page 180.

geoloc-alias
  Returns the alias name configured for the client's geo-location. (This option does the same thing as the alias-geoloc option, which is deprecated in AX Release 2.0.)

geoloc-policy
  Uses the GSLB policy assigned to the client's geo-location.

hint {addition | answer | none}
  Enables hints, which appear in the Additional Section of the DNS response. Hints are A or AAAA records that are sent in the response to a client's DNS request. These records provide a mapping between the host names and IP addresses.
  addition: Appends hints in the Additional Section (default).
  answer: Appends hints in the Answer Section.
  none: Does not append hints in the DNS response.
  The hint option applies to the following record types: NS, MX, and SRV.

ip-replace
  Replaces the IP addresses in the DNS reply with the service IP addresses configured for the service. (To configure the service IP addresses, use the service-ip command at the configuration level for the service. See gslb zone on page 180.)

ipv6 options
  Enables support for IPv6 AAAA records. The following options are supported:
  mapping {addition | answer | exclusive | replace}: Specifies the actions in response to an IPv6 DNS query. You can enable one or more of these options.
    addition: Append AAAA records in the DNS Addition section of replies.
    answer: Append AAAA records in the DNS Answer section of replies.
    exclusive: Replace A records (IPv4 address records) with AAAA records.
    replace: Reply with AAAA records only.
  Note: The current release has the following limitations:
    Health checks and the GSLB protocol use IPv4 only.
    IP address-related metrics such as aRDT are always based on IPv4.
    Virtual servers for GSLB service IPs are required to have both an IPv4 and an IPv6 address.
  mix: Enables GSLB to return both AAAA and A records in the same answer.
  smart: Enables IPv6 return by query type. For the ipv4-ipv6 mapping records, an A query (IPv4) will return an A record and an AAAA query (IPv6) will return an AAAA record.

logging options
  Configures DNS logging. The both | none | query | response option specifies the types of messages to log.
  To restrict logging to a specific geo-location or IP address, use one of the following options:

proxy block options
  Blocks DNS queries from being sent to an internal DNS server. The AX device must be in GSLB proxy mode for the feature to work. The options can be one or more of the following:
    a
    aaaa
    ns
    mx
    srv
    cname
    ptr
    soa
    txt
    num query-type
    range {start-query-type end-query-type}
    action [drop | reject]
  (For more information, see DNS Proxy Block on page 91.)
selected-only [num]
  Enables return of only the selected IP addresses. You can specify that 1-128 records can be returned after selection occurs. If the number is greater than the selected number, then GSLB ignores this configuration.

server [options]
  Enables the GSLB AX device to act as a DNS server, for specific service IPs in the GSLB zone. When you enable the server option, the GSLB AX directly responds to Address queries for specific service IP addresses in the GSLB zone. The AX device still forwards other types of queries to the DNS server.
  If you use the server option, you do not need to use the cname-detect option. When a client requests a configured alias name, GSLB applies the policy to the CNAME records.
  To place the server option into effect, you also must enable the static option on the individual service IP. (To configure the service IP addresses, use the service-ip command at the configuration level for the service. See gslb zone on page 180.)
  addition-mx: Enables the GSLB AX device to provide the A record containing the mail server's IP address in the Additional section, when the device is configured for DNS server mode.
  any: Enables the GSLB AX device to provide all resource records that are available, when the AX device is configured for DNS server mode. When a client issues a type ANY request (which is actually a pseudo resource record that is expressed by the wildcard code *), then the AX device includes all RR information it has available.
  authoritative [options]: Makes the AX device the authoritative DNS server for the GSLB zone, for the service IPs in which you enable the static option. (See below.) If you omit the authoritative option, the AX device is a non-authoritative DNS server for the zone domain.
    addition-mx: This option appends the MX record in the Addition section, when the device is configured for DNS server mode.
    any: Provides all records.
    full-list: The full-list option appends all A records in the Authoritative section of DNS replies.
    ns-list: This option appends all Name Server (NS) Resource Records (RR) in the Authority section of DNS replies.
  mx: Provides the MX record in the Answer section, and the A record for the mail server in the Additional section, when the device is configured for DNS server mode.
  ns [auto-ns]: Provides the name server record. The auto-ns option causes the policy to provide A records for NS records automatically.
  ptr [auto-ptr]: Provides the pointer record. The auto-ptr option causes the policy to provide pointer records automatically.
  srv: Provides the service record.
  txt: Provides the TXT record. TXT resource records can be used to carry multiple pieces of DNS TXT data within a single record.
  Note: The server option is not valid with the ip-replace option. They are mutually exclusive.

sticky [network-mask | /prefix-length] [aging-time minutes] [ipv6-mask mask-length]
  Sends the same service IP address to a client for all requests from that client for the service address. Sticky DNS ensures that, during the aging-time, a client is always directed to the same site.
  /prefix-length: Adjusts the granularity of the feature. The default prefix length is 32, which causes the AX device to maintain separate stickiness information for each local DNS server. For example, if two clients use DNS 10.10.10.25 as their local DNS server, and two other clients use DNS 10.20.20.99 as their local DNS server, the AX maintains separate stickiness information for each set of clients, by maintaining separate stickiness information for each of the local DNS servers.
  aging-time minutes: Specifies how many minutes a DNS reply remains sticky. You can specify 1-65535 minutes.
  ipv6-mask mask-length: Adjusts the granularity of the feature for IPv6. The default mask length is 128.
  Note: If you enable the sticky option, the sticky time must be as long or longer than the zone TTL. (Use the ttl command at the configuration level for the zone. See gslb zone on page 180.)

ttl num
  Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy. You can specify 0-1000000 (1,000,000) seconds.

Default

This command has the following defaults:

action: disabled
active-only: disabled; when you enable this option, fail-safe is disabled by default
addition-mx: disabled
auto-map: disabled
backup-alias: disabled
backup-server: disabled
cache: disabled; when you enable this option, the default aging time for a cached DNS reply is the TTL set by the DNS server in the reply
cname-detect: enabled
delegation: disabled
external-ip: enabled
geoloc-action: disabled
geoloc-alias: disabled
geoloc-policy: disabled
hint: enabled for addition option
ip-replace: disabled
ipv6: all options disabled
logging: disabled
proxy: disabled
selected-only: disabled
server: disabled
sticky: disabled; when you enable this option, the default prefix is /32, the default aging time is 5 minutes, and the default IPv6 mask length is 128.
ttl: 10 seconds

Mode

GSLB Policy

Usage

If more than one of the following options are enabled, GSLB uses them in the order listed, beginning with sticky:
1. sticky
2. server
3. cache
4. proxy (The command does not have a separately configurable proxy option. The proxy option is automatically enabled when you configure the DNS proxy.)

The site address selected by the first option that is applicable to the client and requested service is used.

Example

The following command enables CNAME detection:

AX(config gslb-policy)#dns cname-detect

Example

The following configuration excerpt uses the ipv6 mix option to enable mixing of IPv4 and IPv6 service-ip addresses in DNS answers. Both A and AAAA records will be included in replies to either A or AAAA requests from clients.

gslb service-ip ip1 20.20.20.100
  port 80 tcp
gslb service-ip ip2 20.20.20.102
  port 80 tcp
gslb service-ip ipv61 fe80::1
  port 80 tcp
gslb service-ip ipv62 fe80::2
  port 80 tcp
gslb service-ip ipv63 fe80::3
  port 80 tcp
gslb policy p8
  dns ipv6 mix
  dns server
gslb zone a8.com
  policy p8
  service http www
    dns-a-record ip2 static
    dns-a-record ip1 static
    dns-a-record ipv61 static
    dns-a-record ipv62 static
    dns-a-record ipv63 static

Example

The following configuration excerpt uses the ipv6 smart option. For IPv4-IPv6 mapping records, an A query will be answered by an A record and an AAAA query will be answered by an AAAA record. More specifically, if a client sends an A query, GSLB returns A records in the answer section, and AAAA records in the additional section. If a client sends an AAAA query, GSLB returns AAAA records in the answer section, and A records in the additional section.

gslb service-ip ip1 20.20.20.100
  ipv6 ffff::1
  port 80 tcp
gslb service-ip ip2 20.20.20.102
  ipv6 ffff::2
  port 80 tcp
gslb policy p8
  dns ipv6 mapping addition
  dns ipv6 smart
  dns server
gslb zone a8.com
  policy p8
  service http www
    dns-a-record ip2 static
    dns-a-record ip1 static
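The sticky option of the dns command above, as an added Python example that is not part of this guide or A10's code: stickiness keyed on the local DNS server address masked to the prefix length (ipv6-mask for IPv6), aged out after aging-time, plus the sticky-time-versus-zone-TTL check from the note. Resolver addresses, service IPs and the round-robin selector are constructed stand-ins.

```python
"""Added example, not A10 code: models the dns sticky option of the gslb
policy: one remembered answer per local DNS server, keyed by the resolver
address masked to /prefix-length (ipv6-mask for IPv6) and kept for
aging-time minutes. Resolver and service IP addresses are constructed."""

import ipaddress
import itertools
from typing import Callable, Dict, List, Optional, Sequence, Tuple


class StickyTable:
    """Stickiness state for one policy. CLI defaults: /32, 5 minutes, IPv6 mask 128."""

    def __init__(self, prefix_length: int = 32, aging_minutes: int = 5,
                 ipv6_mask: int = 128) -> None:
        if not 1 <= aging_minutes <= 65535:           # CLI range for aging-time
            raise ValueError("aging-time must be 1-65535 minutes")
        self.prefix_length = prefix_length
        self.ipv6_mask = ipv6_mask
        self.aging_seconds = aging_minutes * 60
        # key -> (service IP last returned, time at which the entry ages out)
        self._entries: Dict[str, Tuple[str, float]] = {}

    def key_for(self, resolver_ip: str) -> str:
        """Stickiness key: the resolver address masked to the configured length.
        At /32 every local DNS server gets its own entry; a shorter prefix
        makes all resolvers in that block share one answer."""
        addr = ipaddress.ip_address(resolver_ip)
        length = self.ipv6_mask if addr.version == 6 else self.prefix_length
        return str(ipaddress.ip_network((str(addr), length), strict=False))

    def lookup(self, resolver_ip: str, now: float) -> Optional[str]:
        """Return the remembered service IP, or None if absent or aged out."""
        key = self.key_for(resolver_ip)
        entry = self._entries.get(key)
        if entry is None:
            return None
        service_ip, expires_at = entry
        if now >= expires_at:
            del self._entries[key]        # aged out: next query gets a fresh selection
            return None
        return service_ip

    def record(self, resolver_ip: str, service_ip: str, now: float) -> str:
        self._entries[self.key_for(resolver_ip)] = (service_ip, now + self.aging_seconds)
        return service_ip


def sticky_time_ok(aging_minutes: int, zone_ttl_seconds: int) -> bool:
    """Reference note: the sticky time must be as long as or longer than the zone TTL."""
    return aging_minutes * 60 >= zone_ttl_seconds


def answer(table: StickyTable, resolver_ip: str, select: Callable[[], str], now: float) -> str:
    """Reply with the sticky IP while it is live; otherwise select a site and remember it."""
    remembered = table.lookup(resolver_ip, now)
    if remembered is not None:
        return remembered
    return table.record(resolver_ip, select(), now)


def round_robin(service_ips: Sequence[str]) -> Callable[[], str]:
    """Constructed stand-in for the real site selection: cycle through the list."""
    cycle = itertools.cycle(service_ips)
    return lambda: next(cycle)


def replay(table: StickyTable, select: Callable[[], str],
           queries: Sequence[Tuple[str, float]]) -> List[str]:
    """Answer a constructed sequence of (resolver_ip, time_in_seconds) queries in order."""
    return [answer(table, resolver, select, now) for resolver, now in queries]


if __name__ == "__main__":
    # Constructed: the two resolvers from the reference text, two sites, /32, aging-time 5
    queries = [("10.10.10.25", 0), ("10.10.10.25", 120), ("10.20.20.99", 120), ("10.10.10.25", 300)]
    print(replay(StickyTable(), round_robin(["192.0.2.10", "198.51.100.10"]), queries))
    # ['192.0.2.10', '192.0.2.10', '198.51.100.10', '192.0.2.10']
    # second query is sticky, third resolver gets its own entry, fourth has aged out
    print(sticky_time_ok(5, 300), sticky_time_ok(5, 600))   # True False
```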

dnssec key-generate

Description

Generate the DNSSEC keyset.

Syntax

[no] dnssec key-generate name algorithm [RSASHA1 | RSASHA256 | RSASHA512 | NSEC3RSASHA1] keysize num

Parameter  Description

name
  Name of the DNSSEC keyset.

algorithm
  Specify which RSA SHA algorithm is used to generate the DNSSEC key pair (ZSK and KSK):
    RSASHA1
    RSASHA256
    RSASHA512
    NSEC3RSASHA1
  Note: Selecting one of the first three algorithms (RSASHA1, RSASHA256, or RSASHA512) will cause the standard NSEC resource record to be generated for the zone. However, selecting the fourth algorithm option (NSEC3RSASHA1) causes the NSEC3/NSEC3PARAM record to be generated for the zone, which is helpful in mitigating the threat posed by zone walking.

keysize num
  Number of bits in the DNSSEC key. You can specify 512-4096 bits, in multiples of 64 bits. The default value is 1024 bits.

Default

N/A

Mode

Global config

export dnssec-dnskey

Description

Export the DS keyset from the child zone to the parent zone.

Syntax

[no] export dnssec-dnskey authoritative-zone-name [use-mgmt-port] url

Parameter  Description

authoritative-zone-name
  Authoritative zone name of the dnskey.

use-mgmt-port
  Uses the management interface as the source interface for the connection to the remote device.

url
  File transfer protocol, username (if required), and directory path.
  You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. The password can be up to 255 characters long.
  To enter the entire URL:
    tftp://host/file
    ftp://[user@]host[:port]/file
    scp://[user@]host/file
    rcp://[user@]host/file
    http://[user@]host/file
    https://[user@]host/file
    sftp://[user@]host/file

Default

N/A

Mode

Global config

Usage

When using the CLI commands to import/export a DS/DNSKEY record to/from a parent/child zone, it is not necessary to list the AX device's internal file name for the resource record. Instead, you can simply include the name of the DNS zone from which you will be importing or exporting the file.

geo-location

Description

Configure a geographic location. GSLB forwards client requests from IP addresses within the location's range to the GSLB site that serves the location.

Syntax

[no] geo-location location-name start-ip-addr [mask ip-mask | end-ip-addr]

Parameter  Description

location-name
  Name of the location, up to 127 alphanumeric characters.

start-ip-addr
  Beginning IP address for the range.

mask ip-mask
  Network mask.

end-ip-addr
  Ending IP address for the range.

Default

None.

Mode

GSLB Policy

Usage

To prefer the location configured with this command over a globally configured location, use the gslb policy geo-location match-first policy command. (See geo-location match-first on page 209.)

Example

The following example configures geographic location CN.BeiJing for IP address range 200.1.1.1 through 200.1.1.253:

AX(config gslb-policy)#geo-location CN.BeiJing 200.1.1.1 200.1.1.253

geo-location match-first

Description

Configure the policy to prefer either the globally configured geo-location or the one configured in this policy. If a client IP address matches the IP ranges in a globally configured location and in a location configured in this policy, the geo-location match-first command specifies which matching geo-location to use.

Syntax

[no] geo-location match-first {global | policy}

Parameter  Description

global
  GSLB prefers globally configured locations over locations configured in this policy.

policy
  GSLB prefers locations configured in this policy over globally configured locations.

Default

global

Mode

GSLB Policy

Example

The following command configures the GSLB AX Series to prefer locations configured in this policy:

AX(config gslb-policy)#geo-location match-first policy

geo-location overlap

Description

Enable overlap matching mode. If there are overlapping addresses in the geo-location database, use this option to enable the AX device to find the most precise match.

Syntax

[no] geo-location overlap [global | policy]

Parameter  Description

global
  GSLB prefers globally configured locations over locations configured in this policy.

policy
  GSLB prefers locations configured in this policy over globally configured locations.

Default

Disabled

Mode

GSLB Policy

Usage

If you suspect a public IP address in your domain is not unique and the same IP address may be associated with different hosts, you can enable the geo-location overlap option. This causes the AX device to search the geo-location database for the best match (the longest matching IP address). Otherwise, the AX device will use its default behavior, which is to scan the specified geo-location database using the match-first algorithm, which uses the first IP address-region mapping discovered. (See Geo-location Overlap on page 57.)
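How the three geo-location commands above combine, as an added Python example that is not part of this guide or A10's code: a location database in both CLI forms (start mask, or start end), the match-first scope preference, and overlap mode picking the most precise containing range. The global CN range is constructed; the policy range is the CN.BeiJing example from this section.

```python
"""Added example, not A10 code: models how a client address is mapped to a
geo-location under the geo-location, geo-location match-first and
geo-location overlap policy commands. Location names and ranges are constructed."""

import ipaddress
from typing import List, NamedTuple, Optional


class GeoLocation(NamedTuple):
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    scope: str      # "global" (gslb geo-location) or "policy" (geo-location in a policy)


def geo_location(name: str, start_ip: str, scope: str,
                 mask: Optional[str] = None, end_ip: Optional[str] = None) -> GeoLocation:
    """Build one entry from either CLI form: start-ip-addr mask ip-mask, or
    start-ip-addr end-ip-addr. A bare start address covers that single host."""
    if scope not in ("global", "policy"):
        raise ValueError("scope must be 'global' or 'policy'")
    if mask is not None:
        net = ipaddress.ip_network((start_ip, mask), strict=False)
        start, end = net.network_address, net.broadcast_address
    else:
        start = ipaddress.ip_address(start_ip)
        end = ipaddress.ip_address(end_ip) if end_ip is not None else start
    if end < start:
        raise ValueError("end-ip-addr precedes start-ip-addr")
    return GeoLocation(name, start, end, scope)


def lookup(client_ip: str, locations: List[GeoLocation],
           match_first: str = "global", overlap: bool = False) -> Optional[str]:
    """Resolve a client address to a location name.

    match-first decides which scope is consulted first (CLI default: global).
    Without overlap, the first configured range containing the client wins.
    With overlap, the most precise (smallest) containing range wins; ties keep
    the match-first order."""
    addr = ipaddress.ip_address(client_ip)
    scopes = ("global", "policy") if match_first == "global" else ("policy", "global")
    ranked = [loc for scope in scopes for loc in locations if loc.scope == scope]
    hits = [loc for loc in ranked if loc.start <= addr <= loc.end]
    if not hits:
        return None
    if not overlap:
        return hits[0].name
    return min(hits, key=lambda loc: int(loc.end) - int(loc.start)).name


# Constructed database: a global country range plus the policy-level city range
# from the reference example (CN.BeiJing 200.1.1.1 through 200.1.1.253).
SAMPLE_LOCATIONS = [
    geo_location("CN", "200.1.0.0", "global", mask="255.255.0.0"),
    geo_location("CN.BeiJing", "200.1.1.1", "policy", end_ip="200.1.1.253"),
]


if __name__ == "__main__":
    client = "200.1.1.50"                                          # inside both ranges
    print(lookup(client, SAMPLE_LOCATIONS))                        # CN (global consulted first)
    print(lookup(client, SAMPLE_LOCATIONS, match_first="policy"))  # CN.BeiJing
    print(lookup(client, SAMPLE_LOCATIONS, overlap=True))          # CN.BeiJing (most precise)
    print(lookup("200.1.2.5", SAMPLE_LOCATIONS, overlap=True))     # CN (only the wide range)
    print(lookup("198.51.100.1", SAMPLE_LOCATIONS))                # None
```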


geographic

Description

Enable or disable the Geographic metric. The Geographic metric prefers sites that are within the geographic location of the client.

Syntax

[no] geographic

Default

Enabled

Mode

GSLB Policy

Usage

You must configure the geographic location, by configuring a geo-location name, then assigning the geo-location to a GSLB site. To configure a geo-location, assign a client IP address range to a location name. (See gslb geo-location on page 156 and geo-location on page 209.) To assign the geo-location to a site, use the geo-location command at the site configuration level. (See gslb site on page 168.)

Example

The following command disables the Geographic metric:

AX(config gslb-policy)#no geographic

health-check

Description

Enable or disable the Health-Check metric. The Health-Check metric prefers sites that pass their health checks.

Syntax

[no] health-check

Default

Enabled

Mode

GSLB Policy

Usage

This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices, if the default health checks are used on the service IPs.
If you use a custom health monitor, or you explicitly apply the default Layer 3 health monitor to the service, the GSLB protocol is not used for any of the health checks. In this case, the GSLB protocol is not required to be enabled on the site AX devices, although use of the protocol is still recommended.

Example

The following command disables the Health-Check metric:

AX(config gslb-policy)#no health-check


import dnssec-dnskey

Description

Import the DNSKEY keyset from the child zone to the parent zone.

Syntax

[no] import dnssec-dnskey authoritative-zone-name [use-mgmt-port] url

Parameter  Description

authoritative-zone-name
  Authoritative zone name of the dnskey.

use-mgmt-port
  Uses the management interface as the source interface for the connection to the remote device.

url
  File transfer protocol, username (if required), and directory path.
  You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. The password can be up to 255 characters long.
  To enter the entire URL:
    tftp://host/file
    ftp://[user@]host[:port]/file
    scp://[user@]host/file
    rcp://[user@]host/file
    http://[user@]host/file
    https://[user@]host/file
    sftp://[user@]host/file

Default

N/A

Mode

Global config

Usage

When using the CLI commands to import/export a DS/DNSKEY record to/from a parent/child zone, it is not necessary to list the AX device's internal file name for the resource record. Instead, you can simply include the name of the DNS zone from which you will be importing or exporting the file.


import dnssec-ds

Description

Import the DS keyset from the child zone to the parent zone.

Syntax

[no] import dnssec-ds child-zone-name [use-mgmt-port] url

Parameter  Description

child-zone-name
  Child zone name of the ds keyset.

use-mgmt-port
  Uses the management interface as the source interface for the connection to the remote device.

url
  File transfer protocol, username (if required), and directory path.
  You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. The password can be up to 255 characters long.
  To enter the entire URL:
    tftp://host/file
    ftp://[user@]host[:port]/file
    scp://[user@]host/file
    rcp://[user@]host/file
    http://[user@]host/file
    https://[user@]host/file
    sftp://[user@]host/file

Default

N/A

Mode

Global config

Usage

When using the CLI commands to import/export a DS/DNSKEY record to/from a parent/child zone, it is not necessary to list the AX device's internal file name for the resource record. Instead, you can simply include the name of the DNS zone from which you will be importing or exporting the file.


ip-list

Description

Use an IP list to exclude a set of IP addresses from aRDT polling.

Syntax

[no] ip-list list-name

Default

None

Usage

To configure an IP list, see gslb ip-list on page 161.

Example

The following commands configure a GSLB IP list and use the list to exclude IP addresses from aRDT data collection:

AX(config)#gslb ip-list iplist1
AX(config-gslb ip-list)#ip 192.168.1.0 /24 id 3
AX(config-gslb ip-list)#ip 10.10.10.10 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.20 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.30 /32 id 3
AX(config-gslb ip-list)#exit
AX(config)#gslb policy pol1
AX(config-gslb policy)#ip-list iplist1
AX(config-gslb policy)#active-rdt ignore-id 3

least-response

Description

Enable or disable the Least-Response metric, which prefers VIPs that have the fewest hits.

Syntax

[no] least-response

Default

Disabled

Mode

GSLB Policy

Example

The following command enables the Least-Response metric:

AX(config gslb-policy)#least-response


metric-fail-break

Description

Enable GSLB to stop if there are no valid service IPs.

Syntax

[no] metric-fail-break

Default

Disabled

Mode

GSLB Policy

metric-force-check

Description

Force the GSLB controller to always check all metrics in the policy.

Syntax

[no] metric-force-check

Default

By default, the GSLB controller stops evaluating metrics for a site once a metric comparison definitively selects or rejects a site.

Mode

GSLB Policy

metric-order

Description

Configure the order in which the GSLB metrics in this policy are used.

Syntax

[no] metric-order metric [metric ...]

Parameter  Description

metric [metric ...]
  One or more of the following metrics:
    active-rdt
    active-servers
    admin-preference
    bw-cost
    capacity
    connection-load
    geographic
    health-check
    least-response
    num-session
    weighted-ip
    weighted-site

Default

By default, metrics are used in the following order:
1. Health-Check
2. Weighted-IP
3. Weighted-Site
4. Session-Capacity
5. Active-Servers
6. aRDT
7. Geographic
8. Connection-Load
9. Num-Session
10. Admin-Preference
11. BW-Cost
12. Least-Response
The Health-Check, Geographic and Round-Robin metrics are enabled by default. The Round-Robin metric does not appear in the list above because this is the metric of last resort.

Mode

GSLB Policy

Usage

The first metric you specify with this command becomes the primary metric. If you specify additional parameters, they are used in the priority you specify. All remaining metrics are prioritized to follow the metrics you specify.
The GSLB AX Series uses each metric, in the order specified, to compare the IP addresses returned in DNS replies to clients. If a metric is disabled, the metric order does not change. The GSLB AX Series skips the metric and continues to the next enabled metric.
The Round-Robin metric cannot be re-ordered.
To display the metric order used in a policy, see show gslb policy on page 234.
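The ordering rules above, together with metric-force-check and metric-fail-break from the preceding entries, as an added Python example that is not part of this guide or A10's code. The sites and the per-metric evaluators are constructed stand-ins for real measurements, and the treatment of an inconclusive metric (one that prefers no site) is an assumption of the model, not something this guide states.

```python
"""Added example, not A10 code: builds the effective order produced by
metric-order and walks candidates through it the way metric-force-check
and metric-fail-break describe. Sites, health states and the per-metric
evaluators below are constructed stand-ins for the real measurements."""

from typing import Callable, Dict, List, Optional, Sequence, Set, Tuple

# Default order from the reference, in CLI metric names
# (Session-Capacity = capacity, aRDT = active-rdt).
DEFAULT_ORDER = ["health-check", "weighted-ip", "weighted-site", "capacity",
                 "active-servers", "active-rdt", "geographic", "connection-load",
                 "num-session", "admin-preference", "bw-cost", "least-response"]
LAST_RESORT = "round-robin"     # not in the list above and cannot be re-ordered
DEFAULT_ENABLED = {"health-check", "geographic", LAST_RESORT}

Evaluator = Callable[[List[str]], List[str]]   # candidates in -> preferred subset out
Trace = List[Tuple[str, List[str]]]


def metric_order(specified: Sequence[str]) -> List[str]:
    """The first specified metric becomes the primary metric, the rest follow in the
    priority given; all remaining metrics keep their default relative order."""
    ordered: List[str] = []
    for m in specified:
        if m not in DEFAULT_ORDER:
            raise ValueError(f"not a re-orderable metric: {m}")
        if m not in ordered:
            ordered.append(m)
    ordered += [m for m in DEFAULT_ORDER if m not in ordered]
    return ordered + [LAST_RESORT]


def select(candidates: Sequence[str], order: Sequence[str], enabled: Set[str],
           evaluators: Dict[str, Evaluator], force_check: bool = False,
           fail_break: bool = False, rr_index: int = 0) -> Tuple[Optional[str], Trace]:
    """Apply each enabled metric in order; disabled metrics are skipped without
    changing the order. Model assumptions: an evaluator returning one site is a
    definitive selection, which ends the walk unless metric-force-check is set;
    an evaluator returning no site is inconclusive (candidates unchanged) unless
    metric-fail-break is set, in which case GSLB stops with no answer."""
    remaining = list(candidates)
    trace: Trace = []
    for metric in order:
        if metric == LAST_RESORT or metric not in enabled:
            continue
        preferred = evaluators[metric](remaining)
        trace.append((metric, preferred))
        if not preferred:
            if fail_break:
                return None, trace
            continue
        remaining = preferred
        if len(remaining) == 1 and not force_check:
            return remaining[0], trace
    if not remaining:
        return None, trace
    # Metric of last resort: round-robin over whatever is still in the running.
    return remaining[rr_index % len(remaining)], trace


# --- constructed scenario -------------------------------------------------
SITES = ["SiteA", "SiteB", "SiteC"]
HEALTHY = {"SiteA", "SiteB"}              # SiteC fails its health check
CLIENT_REGION_SITES = {"SiteB", "SiteC"}  # geographic metric prefers these
UNDER_CAPACITY = {"SiteA", "SiteC"}       # SiteB is over its capacity threshold

EVALUATORS: Dict[str, Evaluator] = {
    "health-check": lambda c: [s for s in c if s in HEALTHY],
    "geographic": lambda c: [s for s in c if s in CLIENT_REGION_SITES],
    "capacity": lambda c: [s for s in c if s in UNDER_CAPACITY],
    "least-response": lambda c: c[:1],    # stand-in: treat the first as "fewest hits"
}


def default_policy_choice() -> Tuple[Optional[str], Trace]:
    """Default order with capacity enabled: health-check stays primary."""
    return select(SITES, metric_order([]), DEFAULT_ENABLED | {"capacity"}, EVALUATORS)


def reordered_policy_choice() -> Tuple[Optional[str], Trace]:
    """metric-order geographic capacity: a site can be chosen before its health is checked."""
    order = metric_order(["geographic", "capacity"])
    return select(SITES, order, DEFAULT_ENABLED | {"capacity"}, EVALUATORS)


if __name__ == "__main__":
    print(metric_order(["geographic", "capacity"]))
    print(default_policy_choice())    # ('SiteA', ...): healthy and under capacity
    print(reordered_policy_choice())  # ('SiteC', ...): selected before health-check ran
```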


num-session
Description

Configure the Num-Session metric, which evaluates a site based on available session capacity and tolerance threshold compared to another site. Sites that are at or below their thresholds of current available sessions are preferred over sites that are above their thresholds.
Example:
Site A has 800,000 sessions available and Site B has 600,000 sessions available. If Num-Session is enabled, then Site A is preferred because it has a larger number of available sessions than site B.
If the tolerance option is enabled (with a default value of 10 percent), and if Site A has 800,000 sessions available and Site B has 600,000 sessions available, then Site A will continue to be preferred until Site B's available sessions exceed Site A's available sessions by more than 10 percent. In this case, Site A will remain the preferred site until Site B's available sessions exceed 800,000 by more than ten percent (or 80,000 sessions). If Site A's available sessions remain constant, and Site B's available sessions increase to the point that they exceed 880,000 sessions, then Site B would become the preferred site.
Note:

When dealing with smaller base numbers, a small fluctuation in the number of available sessions can cause flapping from one site to another. Thus, when configuring sites with smaller capacities, it is recommended to use a larger tolerance number to prevent frequent flapping between preferred sites.

Syntax

[no] num-session [tolerance num]

Parameter       Description
num-percentage  Number from 0 to 100 specifying the percentage by which the number of available sessions on site SLB devices can differ without causing the Num-Session metric to select one site device over another. (See the Usage description.)

Default

Disabled. When you enable the Num-Session metric, the default tolerance is
10 percent.

Mode

GSLB Policy

Usage

The GSLB AX Series considers site SLB devices to be equal if the difference in the number of available sessions on each device does not exceed the tolerance percentage. The tolerance percentage ensures that minor differences in available sessions do not cause frequent, unnecessary, changes in site preference.
This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices.
Example

The following command changes the available-session tolerance threshold to 70 percent:

AX(config gslb-policy)#num-session tolerance 70
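A Python model of the tolerance rule described above, added here as an example and not part of the A10 documentation or product code; the site names, session counts and the jittering readings are constructed sample data, and the incumbent-keeps-preference rule is the one the usage text describes:

```python
"""Num-Session tolerance, modelled in Python.

Added example (not A10 code): the currently preferred site keeps the
preference until another site's available-session count exceeds it by
more than the tolerance percentage. The small-site readings at the
bottom show why a small tolerance flaps on small session counts.
"""
from dataclasses import dataclass


@dataclass
class SiteSessions:
    name: str
    available: int  # available sessions reported by the site SLB device


def exceeds_tolerance(incumbent: int, challenger: int, tolerance_pct: int) -> bool:
    """True when challenger exceeds incumbent by more than tolerance_pct of incumbent."""
    if not 0 <= tolerance_pct <= 100:
        raise ValueError("tolerance must be between 0 and 100 percent")
    # Integer arithmetic: 800,000 at 10 percent gives a margin of 80,000.
    margin = incumbent * tolerance_pct // 100
    return challenger > incumbent + margin


def select_preferred(sites, current, tolerance_pct):
    """Return the name of the site Num-Session prefers.

    On the first evaluation (current is None) the site with the most
    available sessions wins outright. Afterwards the incumbent keeps the
    preference unless a challenger beats it by more than the tolerance
    margin; if several do, the one with the most available sessions wins.
    """
    if current is None:
        return max(sites, key=lambda s: s.available).name
    incumbent = next(s for s in sites if s.name == current)
    challengers = [
        s for s in sites
        if s.name != current
        and exceeds_tolerance(incumbent.available, s.available, tolerance_pct)
    ]
    if not challengers:
        return current
    return max(challengers, key=lambda s: s.available).name


def count_flaps(readings, tolerance_pct):
    """Count preference changes over successive (site_a, site_b) readings."""
    current = None
    flaps = 0
    for avail_a, avail_b in readings:
        sites = [SiteSessions("A", avail_a), SiteSessions("B", avail_b)]
        chosen = select_preferred(sites, current, tolerance_pct)
        if current is not None and chosen != current:
            flaps += 1
        current = chosen
    return flaps


# Constructed sample: two small sites whose counts jitter by a few sessions.
SMALL_SITE_READINGS = [(100, 90), (85, 100), (100, 90), (85, 100), (100, 90)]

if __name__ == "__main__":
    big = [SiteSessions("A", 800_000), SiteSessions("B", 880_000)]
    print(select_preferred(big, "A", 10))        # A: 880,000 is not more than 10% above
    big[1].available = 880_001
    print(select_preferred(big, "A", 10))        # B
    print(count_flaps(SMALL_SITE_READINGS, 10))  # 4 flaps at the default tolerance
    print(count_flaps(SMALL_SITE_READINGS, 20))  # 0 flaps with a larger tolerance
```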

round-robin
Description

Configure the Round-Robin metric, which selects sites in sequential order.

Syntax

[no] round-robin

Default

Enabled

Mode

GSLB Policy

Usage

The AX device uses Round-Robin to select a site at the end of the policy
parameters evaluation. This is true even if the Round-Robin metric is disabled in the GSLB policy.

Example

The following command disables the Round-Robin metric:

AX(config gslb-policy)#no round-robin

weighted-alias
Description

Enable the Weighted Alias metric, which prefers CNAME records with higher weight values over CNAME records with lower weight values. This metric is similar to Weighted-IP, but applies only to DNS CNAME records.

Syntax

[no] weighted-alias

Default

Disabled

Mode

GSLB Policy

Usage

Metric order does not apply to this metric.


To configure the Weighted Alias metric:
1. At the configuration level for the GSLB service, use the weight command to assign a weight to the DNS CNAME record for the service. (See gslb service-ip on page 166.)
2. At the configuration level for the GSLB policy:
   Enable the Weighted Alias metric.
   Enable one or both of the following DNS options, as applicable to your deployment:
   DNS backup-alias
   DNS geoloc-alias
   (See dns on page 197.)
3. If using the backup-alias option, use the dns-cname-record as-backup option on the service. (See gslb service-ip on page 166.)

weighted-ip
Description

Configure the Weighted-IP metric, which uses service IP addresses with higher weight values more often than addresses with lower weight values.

Syntax

[no] weighted-ip [total-hits]

Parameter   Description
total-hits  First sends requests to the service IP addresses that have fewer hits. After all service IP addresses have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.

Default

Disabled

Mode

GSLB Policy

Usage

As a simple example, assume that the Weighted-IP metric is the only enabled metric, or at least always ends up being used as the tie breaker. The
total-hits option is disabled. IP address 10.10.10.1 has weight 4 and IP
address 10.10.10.2 has weight 2. During a given session aging period, the
first 4 requests go to 10.10.10.1, the next 2 requests go to 10.10.10.2, and so
on, (4 to 10.10.10.1, then 2 to 10.10.10.2).

Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

219 of 260

AX Series - GSLB Configuration Guide


CLI Command Reference - Policy Configuration Commands
Here is an example using the same two servers and weights, with the total-hits option enabled. IP address 10.10.10.1 has weight 4 and total hits 8, and IP address 10.10.10.2 has weight 2 and total hits 0. In this case, the first 4 requests go to 10.10.10.2, then the requests are distributed according to weight. Four requests go to 10.10.10.1, then two requests go to 10.10.10.2, and so on. To display the total hits for a service IP address, use the show gslb service-ip command. (See gslb service-ip on page 166.)
To assign a weight to a service IP address, use the following command at the configuration level for the zone service:
dns-a-record name weight num
Example

The following command disables the Weighted-IP metric:

AX(config gslb-policy)#no weighted-ip

weighted-site
Description

Configure the Weighted-Site metric, which uses sites with higher weight values more often than sites with lower weight values.

Syntax

[no] weighted-site [total-hits]

Parameter   Description
total-hits  First sends requests to the sites that have fewer hits. After all service sites have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.

Default

Disabled. When you enable the Weighted-Site metric, the default weight of
each site is 1.

Mode

GSLB Policy

Usage

As a simple example, assume that the Weighted-Site metric is the only enabled metric, or at least always ends up being the tie breaker. Site A has
weight 4 and site B has weight 2. During a given session aging period, the
first 4 requests go to site A, the next 2 requests go to site B, and so on, (4 to
A, then 2 to B).
Here is an example using the same two sites and weights, with the total-hits
option enabled. Site A has weight 4 with total hits 8, and site B has weight 2
with total hits 0. In this case, the first 4 requests go to site B, then requests
are sent as described above. Four requests go to site A, then 2 requests go to
site B, and so on.

220 of 260

Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide


CLI Command Reference - Policy Configuration Commands
To assign a weight to a site, use the following command at the configuration level for the site:
weight num
Example

The following command disables the Weighted-Site metric:

AX(config gslb-policy)#no weighted-site
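A Python model of the request sequences described in the weighted-ip and weighted-site usage text above, added here as an example and not A10 code. It assumes the total-hits catch-up phase sends each request to the target with the lowest hits-per-weight ratio until the ratios match (this reproduces the four catch-up requests in both examples; the exact rule the AX device uses is not documented here); the addresses, weights and hit counts are the page's sample values.

```python
"""Weighted-IP / Weighted-Site selection with and without total-hits.

Added example (not A10 code). Targets are either service IP addresses
(Weighted-IP) or sites (Weighted-Site); the selection logic is the same.
Assumption: the total-hits catch-up phase levels hits-per-weight, not raw
hit counts, which matches the page's "first 4 requests" examples.
"""
from dataclasses import dataclass


@dataclass
class WeightedTarget:
    name: str       # service IP (Weighted-IP) or site name (Weighted-Site)
    weight: int     # configured weight; must be at least 1
    hits: int = 0   # total hits already recorded for this target


class WeightedScheduler:
    def __init__(self, targets, total_hits=False):
        if any(t.weight < 1 for t in targets):
            raise ValueError("weights must be at least 1")
        self.targets = list(targets)
        # Weighted phase: weight-sized blocks in configuration order,
        # e.g. weights 4 and 2 give [t1, t1, t1, t1, t2, t2] repeated.
        self._cycle = [t for t in self.targets for _ in range(t.weight)]
        self._pos = 0
        # With total-hits enabled, start by levelling the hit counts
        # (assumed hits-per-weight rule); skip it if already level.
        self._catching_up = total_hits and not self._balanced()

    def _balanced(self):
        return len({t.hits / t.weight for t in self.targets}) == 1

    def next_target(self):
        """Pick the target for the next request and record the hit."""
        if self._catching_up:
            target = min(self.targets, key=lambda t: t.hits / t.weight)
        else:
            target = self._cycle[self._pos % len(self._cycle)]
            self._pos += 1
        target.hits += 1
        if self._catching_up and self._balanced():
            self._catching_up = False  # levelled: switch to weighted blocks
        return target.name


def simulate(specs, requests, total_hits=False):
    """Return the target chosen for each of `requests` consecutive requests.

    specs: iterable of (name, weight, hits) tuples.
    """
    targets = [WeightedTarget(n, w, h) for n, w, h in specs]
    sched = WeightedScheduler(targets, total_hits)
    return [sched.next_target() for _ in range(requests)]


# The page's Weighted-IP example: weight 4 with 8 hits, weight 2 with 0 hits.
PAGE_EXAMPLE = [("10.10.10.1", 4, 8), ("10.10.10.2", 2, 0)]

if __name__ == "__main__":
    print(simulate(PAGE_EXAMPLE, 6))               # 4 x .1, then 2 x .2
    print(simulate(PAGE_EXAMPLE, 10, total_hits=True))  # 4 x .2 catch-up, then 4 x .1, 2 x .2
```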

Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

221 of 260

AX Series - GSLB Configuration Guide


CLI Command Reference - Show Commands

Show Commands
This section describes the GSLB show commands.

show gslb cache

Description

Show the DNS messages cached on the GSLB AX device. The GSLB AX device caches DNS replies if either of the following GSLB policy options are enabled:
DNS caching
aRDT metric (if the single-shot option is used)

Syntax

show gslb cache
[service-name ...]
[zone zone-name]

Option        Description
zone-name     Displays cached DNS messages for the specified zone.
service-name  Displays cached DNS messages for the specified service.

Mode

All

Example

The following command displays cached DNS messages for service www.testme.com:http:

AX#show gslb cache www.testme.com:http
QD = Question Records, AN = Answer Records
NS = Authority Records, AR = Additional Records
Flag = DNS Flag, Len = Cache Length
A = Authoritative Answer, D = Recursion Desired
R = Recursion Available
Zone: testme.com
Service              Alias  Len  TTL   Flag  QD  AN  NS  AR
--------------------------------------------------------------------------
www.testme.com:http         96   3055  DR    1   4   0   0

Table 6 describes the fields in the command output.

TABLE 6 show gslb cache fields
Field    Description
Zone     GSLB zone name.
Service  GSLB service.
Alias    Alias, if configured, that maps to the DNS Canonical Name (CNAME) for the service.
Len      Length of the DNS message, in bytes.
TTL      Number of seconds for which the cached message is still valid.

show gslb config

Description

Show the GSLB configuration commands that are in the running-config.

Syntax

show gslb config
[
active-rdt |
dns |
geo-location |
group |
ip-list |
policy |
protocol |
service-ip |
site |
system |
template |
view |
zone |
common-filters (| include string)
]

Mode

All

Usage

The show gslb config command can be used in shared partitions, private
partitions, and gslb-view.
When used in shared partitions
When used within a shared partition, the show gslb config command can
include the following:
active-rdt: Show GSLB aRDT configuration
dns: Show GSLB global DNS configuration
geo-location: Show GSLB global geo-location configuration

Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

223 of 260

AX Series - GSLB Configuration Guide


CLI Command Reference - Show Commands
group: Show GSLB group configuration
ip-list: Show GSLB IP list configuration
policy: Show GSLB policy configuration
protocol: Show GSLB protocol configuration
service-ip: Show GSLB service-ip configuration
site: Show GSLB site configuration
system: Show GSLB system options
template: Show GSLB template configuration
view: Show GSLB view
zone: Show GSLB zone configuration

When used in private partitions


When used within a private partition, the show gslb config command can
include the following:
group: Show GSLB Group configuration
ip-list: Show GSLB IP list configuration
policy: Show GSLB policy configuration
service-ip: Show GSLB service-IP configuration
site: Show GSLB site configuration
template: Show GSLB template configuration
zone: Show GSLB zone configuration

Note:

When the show gslb config command is used within a private partition,
the following command completions are not supported: active-rdt, dns,
geo-location, protocol, system, and view.
When used in gslb-view
When used in gslb-view, the show gslb config command can include the
following:
group: Show GSLB Group configuration
ip-list: Show GSLB IP list configuration
policy: Show GSLB policy configuration
site: Show GSLB site configuration

224 of 260

Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide


CLI Command Reference - Show Commands
template: Show GSLB template configuration
zone: Show GSLB zone configuration

Note:

When the show gslb config command is used in gslb-view, the following
command completions are not supported: active-rdt, dns, geo-location,
protocol, service-ip, system, and view.
Details about L3V Deployments
When using the new show gslb config command filters in L3V partitions,
only the following command completions are supported: group, ip-list,
policy, service-ip, site, template, and zone.
The following show gslb config command options are not supported in
L3V deployments, and by extension, not supported by the new gslb show
command enhancements: active-rdt, dns, geo-location, protocol, system and
view.

Show gslb config XXX for shared partitions

The command syntax when used within a shared partition is as follows:
show gslb config
[
active-rdt |
dns |
geo-location |
group |
ip-list |
policy |
protocol |
service-ip |
site |
system |
template |
view |
zone |
common-filters (| include string)
]
CLI Example
show gslb config zone
show gslb config site zone
show gslb config service-ip zone | include aaa

Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

225 of 260

AX Series - GSLB Configuration Guide


CLI Command Reference - Show Commands
Show gslb config for gslb-view
The command syntax when used within gslb-view is as follows:
show gslb config
[
group |
ip-list |
policy |
service-ip |
site |
template |
zone |
common filters(| include xxx)
]
CLI Example:
Show gslb config zone
Show gslb config site template
Show gslb config zone | include aaa

Show gslb config for private partition


The command syntax when used within a private partition is as follows:
show gslb config
[
group |
ip-list |
policy |
service-ip |
site |
template |
zone |
common filters(| include xxx)
]
CLI Example:
Show gslb config zone
Show gslb config site template
Show gslb config service-ip zone | include aaa

226 of 260

Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide


CLI Command Reference - Show Commands

show gslb fqdn

Description

Show GSLB statistics using a Fully Qualified Domain Name (FQDN).

Syntax

show gslb fqdn domain-name [domain-name ... ]
[
dns-a-record |
dns-cname-record |
dns-mx-record |
dns-ns-record |
dns-ptr-record |
dns-srv-record |
dns-txt-record |
session |
cache
]

Mode

All

Introduced in Release

2.7.0

Usage

This command allows you to show various parameters for an FQDN, such
as:
DNS cache information
DNS A Record Service-IP statistics
Statistics for MX, PTR, SRV, CNAME and other record types
DNS session information


show gslb geo-location

Description

Show the status of GSLB geo-location mappings.

Syntax

show gslb geo-location
{
[db [geo-location-name]
[[statistics] ip-range range-start range-end]
[[statistics] depth num]
[[statistics] directory num]
[[statistics] top num [percent [global]]]
[statistics]]
[file [file-name]]
[ip ipaddr]
[rdt
[active [geo-location-name ...]
[site site-name] [depth num]]
}
Option            Description
db [options]      Displays the geo-location database. If you specify a geo-location name, only the entries for that geo-location are shown. Otherwise, entries for all geo-locations are shown.
                  ip-range: Displays entries for the specified IP address range.
                  depth num: Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.
                  directory num: Please contact A10 Networks for information.
                  top num [percent [global]]: Please contact A10 Networks for information.
                  statistics: Displays client statistics for the specified geo-location.
file [file-name]  Displays the geo-location database files on the AX device, and their load status. (Data from a geo-location database file does not enter the geo-location database until you load the file. See gslb geo-location load on page 158.)
ip ipaddr         Displays geo-location database entries for the specified IP address.
rdt [options]     Displays aRDT data for geo-locations. You can use the following options:
                  active: Displays data for aRDT.
                  geo-location-name: Displays aRDT data only for the specified GSLB geo-location.
                  site site-name: Displays aRDT data only for the specified GSLB site.
                  depth num: Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.

Mode

All

Usage

The matched client IP address and the hits counter indicate the working status of the geo-location configuration.

Example

The following command shows the status of a geo-location named pc:

AX#show gslb geo-location pc
Last = Last Matched Client, Hits = Count of Client matched
Sub = Count of Sub Geo-location
T = Type, G(global)/P(policy), P-Name = Policy name
Geo-location: pc
From      To         Last     Hits  Sub  T  P-Name
-----------------------------------------------------------------------------
1.2.2.0   1.2.2.255  (empty)  0     0    P  default

Table 7 describes the fields in the command output.

TABLE 7 show gslb geo-location fields
Field         Description
Geo-location  Name of the geo-location.
From          Beginning address in the address range assigned to the geo-location.
To            Ending address in the address range assigned to the geo-location.
Last          Client IP address that most recently matched the geo-location. If the value is empty, no client addresses have matched.
Hits          Total number of client IP addresses that have matched the geo-location.
Sub           Number of sublocations within the geo-location. For example, if you configure the following geo-locations, geo-location pc has two sublocations, pc.office and pc.lab.
              geo-location pc 10.1.0.0 mask /16
              geo-location pc.office 10.1.1.0 mask /24
              geo-location pc.lab 10.1.2.0 mask /24
T             Type of geo-location:
              G: The geo-location is configured at the global level in the AX Series configuration.
              P: The geo-location is configured within a GSLB policy.
P-Name        Name of the GSLB policy where the geo-location is configured.

Example

The following command shows the load status information for a geo-location database file:

AX(config)#show gslb geo-location file test1
T = T(Template)/B(Built-in), Per = Percentage of loading
Filename  T  Template  Per  Lines  Success  Error
------------------------------------------------------------------------------
test1     T  t1        98%  11     10       0

Example

The following command displays entries in the geo-location database:

AX(config)#show gslb geo-location db
Last = Last Matched Client, Hits = Count of Client matched
T = Type, Sub = Count of Sub Geo-location
G(global)/P(policy), S(sub)/R(sub range)
M(manually config)
Global
Name  From     To       Last     Hits  Sub  T
------------------------------------------------------------------------------
NA    (empty)  (empty)  (empty)  0     1    G
Geo-location: NA, Global
Name  From     To       Last     Hits  Sub  T
------------------------------------------------------------------------------
US    (empty)  (empty)  (empty)  0     10   GS
Geo-location: NA.US, Global
Name  From         To             Last     Hits  Sub  T
------------------------------------------------------------------------------
      69.26.125.0  69.26.125.255  (empty)  0     0    GR
      69.26.126.0  69.26.126.255  (empty)  0     0    GR
      69.26.127.0  69.26.127.255  (empty)  0     0    GR
...

show gslb group

Description

Show information for GSLB controller groups.

Syntax

show gslb group
[
brief |
group-name [...] [statistics] |
statistics
]

Mode

All

Example

The following commands add a GSLB controller to the default GSLB group, enable the device's membership in the group, and display group information:

AX(config)#gslb group default
AX(config-gslb group)#enable
AX(config-gslb group)#show gslb group brief
Pri = Priority, Attrs = Attributes
D = Disabled, L = Learn
P = Passive, * = Master
Name     Pri  Attrs  Master  Member
------------------------------------------------------------------------------
default  255  L*     local

Table 8 describes the fields in the command output.

TABLE 8 show gslb group brief fields
Field   Description
Name    Name of the GSLB controller group.
Pri     Priority of the master controller.
Attrs   GSLB group attributes of this member:
        D: Member is disabled.
        L: Group learning is enabled on this member.
        P: Member's connection with this member (the member on which you enter the show gslb group command) is passive.
        The group connection between any two controller group members is a client-server connection. The group member that initiates the connection is the client, and has the passive side of the connection. The other member is the server.
        *: Member is the current master for the group.
        Note: Attributes are displayed only when at least two group members are connected.
Master  IP address of the current master for the group.
Member  Number of GSLB controllers in the group. This number includes all configured group members and all learned group members.

AX(config-gslb group)#show gslb group
Pri = Priority, Attrs = Attributes
D = Disabled, L = Learn
P = Passive, * = Master
Group: default, Master: 192.168.101.72
Member         ID        Pri  Attrs  Status
-----------------------------------------------------------------------------
local          22e40d29  255  L*     OK
192.168.1.131  941a1229  100         Synced
192.168.1.132  ab301229  100  P      Synced

Table 9 describes the fields in the command output.

TABLE 9 show gslb group fields
Field   Description
Member  GSLB controllers currently in the group. The local member is the GSLB controller on which you entered this show command.
ID      Group member ID assigned by the controller group feature.
Pri     Priority of the GSLB controller.
Attrs   GSLB group attributes of the member:
        D: Member is disabled.
        L: Group learning is enabled on this member.
        P: Member's connection with this member (the member on which you enter the show gslb group command) is passive.
        The group connection between any two controller group members is a client-server connection. The group member that initiates the connection is the client, and has the passive side of the connection. The other member is the server.
        *: Member is the current master for the group.
        Note: Attributes are displayed only when at least two group members are connected.
Status  When the GSLB group is starting up, this column shows the protocol status. After the group is established, this column shows the group status.
        Protocol status: Idle, Active, OpenSent, OpenConfirm, Established
        Group status of the member: Ready, FullSync/MasterSync, Synced
        Note: If the group status of the member is OK, this AX device (the one on which you entered the command) knows of the member, but no connection between this AX device and the member is required.

Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

233 of 260

AX Series - GSLB Configuration Guide


CLI Command Reference - Show Commands

show gslb ip-list

Description

Display information for GSLB IP lists.

Syntax

show gslb ip-list
[
brief |
list-name |
id num |
ip ipaddr |
statistics
]

Mode

All

show gslb memory

Description

Display memory allocation information for GSLB.

Syntax

show gslb memory
[mem-loc-id [...]]
[interval seconds]

Mode

All

show gslb policy

Description

Show GSLB metric settings for GSLB policies.

Syntax

show gslb policy [policy-name]

Mode

All

Example

The following command shows the configuration of GSLB policy www:

AX#show gslb policy www
Policy name: www
MO = Metric Order, En-Value = Enabled or Value
Type            | MO| Option       | En-Value | Description
================================================================================
DNS             |   | action       | no       | Action
                |   | active-only  | no       | Only return active service-IP(s)
                |   | selected-only| no       | Only return selected service-IP(s)
                |   | cname-detect | yes      | Apply policy on CNAME records
                |   | external-ip  | yes      | Return external IP
                |   | external-soa | no       | Return external SOA
                |   | IPv6 Mapping | no       | A/AAAA Mapping
                |   | IPv6 Mix     | no       | Both IPv4 and IPv6 Server
                |   | IPv6 Smart   | no       | Return IPv6 Server by Query Type
                |   | ip-replace   | no       | Replace DNS server's service-IPs
                |   | GL-alias     | no       | Return CNAME Records by Geo-loc
                |   | GL-action    | no       | Action by Geo-location
                |   | GL-policy    | no       | Policy by Geo-location
                |   | Bak-alias    | no       | Return Alias when fail
                |   | Bak-server   | no       | Return fallback server when fail
                |   | cache        | no       | Cache DNS proxy response
                |   | addition-mx  | no       | Addition MX Records
                |   | delegation   | no       | Sub Zone Delegation
                |   | pxy-block    | no       | Block DNS Queries in proxy mode
                |   | server       | no       | Run GSLB in DNS server mode
                |   | sticky       | no       | Stick to DNS Record
                |   | ttl          | 10       | TTL value, unit: sec
                |   | Log          | global   | DNS Logging
                |   | IP List      | no       | Filter by IP List
                |   | AutoMap      | no       | Auto build DNS Infrastructure
                |   | Hint         | addition | Append Hint Records
--------------------------------------------------------------------------------
Metric          |   | Force-Check  | no       | Check Service-IP for all metrics
                |   | Fail-Break   | no       | Break if no valid service-IP
--------------------------------------------------------------------------------
health-check    | 1 |              | yes      | Service-IP's health
                |   | Preference   | no       | Check Health Preference
geographic      | 7 |              | yes      | Geographic
round-robin     | 15|              | yes      | Round robin selection
--------------------------------------------------------------------------------
weighted-ip     | 2 |              | no       | Service-IP's weight
                |   | total-hits   | no       | Weighed IP by total hits
weighted-site   | 3 |              | no       | Site's weight
                |   | total-hits   | no       | Weighed Site by total hits
capacity        | 4 |              | no       | Session capacity of SLB device
                |   | threshold    | 90       | Threshold of session capacity
                |   | fail-break   | no       | Break when exceed threshold
active-servers  | 5 |              | no       | Active servers of SLB device
                |   | fail-break   | no       | Break when no active server
active-rdt      | 6 |              | no       | Active Round delay time
                |   | tolerance    | 10       | RDT tolerance
                |   | difference   | 0        | RDT Difference
                |   | samples      | 5        | Count of RDT samples
                |   | limit        | 16383    | Limit of usable RDT
                |   | fail-break   | no       | Break when no valid RDT
                |   | single-shot  | no       | Wait for A-RDT Samples
                |   | timeout      | 3        | Timeout of single-shot
                |   | skip         | 3        | Skip query if no samples
                |   | keep-track   | no       | Keep tracking clients
                |   | ignore-id    | no       | Ignore IP Address by group ID
connection-load | 8 |              | no       | Service-IP's connection load
                |   | limit        | unlimited| Limit of connection load
                |   | fail-break   | no       | Break when exceed limit
                |   | number       | 5        | Number of conn-load samples
                |   | interval     | 5        | Interval between two samples
num-session     | 9 |              | no       | Session number of SLB device
                |   | tolerance    | 10       | Tolerance of session number
active-weight   | 10|              | no       | Weight based on active servers
admin-preference| 11|              | no       | Admin preference of SLB device
bw-cost         | 12|              | no       | Cost of Bandwidth
                |   | fail-break   | no       | Break when exceed limit
least-response  | 13|              | no       | Least response service-IP
admin-ip        | 14|              | no       | Admin preference of Service-IP
                |   | top-only     | no       | Highest priority server only
--------------------------------------------------------------------------------
alias-admin-pf  |   |              | no       | Admin preference of alias name
weighted-alias  |   |              | no       | Weight of alias name
--------------------------------------------------------------------------------
auto-map        |   | module       | all      | DNS Auto Mapping Modules
                |   | ttl          | 300      | DNS Auto Mapping TTL
--------------------------------------------------------------------------------
geo-location    |   | match-first  | global   | Geo-location table to use first
                |   | overlap      | no       | Geo-location overlap matching
Table 10 describes the fields in the command output.

TABLE 10 show gslb policy fields
Field        Description
Policy name  Name of the GSLB policy.
Type         Name of the GSLB metric.
MO           For GSLB metrics, indicates the order in which the metrics are used.
Option       Metric or option name.
En-Value     For metrics, indicates whether they are enabled (yes or no). For options, indicates the value.
Description  Description of the metric or option.

show gslb protocol

Description

Show the status of the GSLB protocol on the GSLB AX Series and the SLB devices (site AX Series).

Syntax

show gslb protocol
[[geo-location-name] port portnum]

Mode

All

Example

The following command shows GSLB protocol status information on an AX device acting as a GSLB controller:

AX#show gslb protocol
GSLB site: aapg
slb-dev: ax (127.0.0.1) Established
Session ID:               26702
Connection succeeded:     1     |Connection failed:          0
Open packet sent:         1     |Open packet received:       1
Open session succeeded:   1     |Open session failed:        0
Sessions Dropped:         0     |Update packet received:     34411
Keepalive packet sent:    1408  |Keepalive packet received:  1407
Notify packet sent:       0     |Notify packet received:     0
Message Header Error:     0

GSLB site: abc
slb-dev: ax1 (127.0.0.2) Established
Session ID:               65410
Connection succeeded:     1     |Connection failed:          0
Open packet sent:         1     |Open packet received:       1
Open session succeeded:   1     |Open session failed:        0
Sessions Dropped:         0     |Update packet received:     34411
Keepalive packet sent:    1408  |Keepalive packet received:  1407
...

show gslb rdt

Description

Show aRDT data.

Syntax

show gslb rdt
[geo-location
[active [geo-location-name ...]
[site site-name] [depth num]] |
[slb-device
[active [geo-location-name ...]
[ip ipaddr [...]]] |
[local-info]

Option           Description
geo-location     Displays aRDT data based on geo-location.
slb-device       Displays aRDT data based on SLB device.
local-info       Displays local aRDT data on a site AX device.
active           Displays data for aRDT.
site site-name   Displays aRDT data only for the specified GSLB site.
depth num        Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.
ip ipaddr [...]  Displays aRDT data only for the specified clients.
Mode

All

Usage

All of the options except local-info are applicable when you enter the command on a GSLB AX device. To display local aRDT data on a site AX
device, enter the command on the site AX device and use the local-info
option.

Example

Here is an example of the output for this command when entered on the GSLB AX device:

AX#show gslb rdt
TTL = Time to live(Unit: min), T = Type, A(active)
Device: site1/remote
IP              TTL  T|
-----------------------------------------------------------------------------
10.10.10.2      10   A|
20.20.20.21     10   A| 41  40  29  46  38  42  34  30
192.168.217.1   10   A| 38  54  46  50  43  38
192.168.217.11  10   A| 41  40  29  46  38  42  34  30
Device: site2/local
IP              TTL  T|
-----------------------------------------------------------------------------
10.10.10.2      10   A| 35  52  35  40  54  56  44  48
20.20.20.21     10   A| 20  20  16  16  20  16  20  18
192.168.217.1   10   A| 16  44  20  16  20  18
192.168.217.11  10   A| 20  20  16  16  20  16  20  18
T = Type: A(active), TS = Time Stamp(unit: min)
Geo-location  Site   T  RDT  TS
-----------------------------------------------------------------------------
cn.sh         site1  A  38   10
              site2  A  18   10
cn.bj         site1  A  30   10
              site2  A  18   10
jp            site1  A  30   10
              site2  A  18   10
us            site1  A  0    10
              site2  A  48   10
This example shows the default display (with no additional options). The
TTL results are organized by site AX device, then by geo-location.
Table 11 describes the fields in the command output.
TABLE 11 show gslb rdt fields
Field          Description
Device         Site AX device.
IP             IP address at the other end of the aRDT exchange.
TTL            Time-to-live for the Active-TT entry.
T              RDT type, which can be A (aRDT).
1-8            Individual aRDT measurements (in units of seconds).
Geo-location   Geo-location name for which aRDT measurements have been taken.
Site           GSLB site name within the geo-location.
T              RDT type. (See descriptions above.)
RDT            Individual aRDT measurements (in units of seconds).
TS             System time stamp of the aRDT measurement.

show gslb samples conn

Description
Show the number of connections that are currently on a virtual port.

Syntax
show gslb samples conn {service-name | vipaddr} port-num
    [range-start]
    [range range-start range-end]

Option                        Description
service-name | vipaddr        Specifies the service name or service IP.
port-num                      Specifies the virtual port.
range-start                   Specifies the range start.
range range-start range-end   Collects samples only for the specified range of
                              service port numbers.
Mode

All

Usage

The number of connections on the site is sampled based on the GSLB status
interval. (This is configurable using the gslb protocol command. See gslb
protocol on page 163.) Samples are listed row by row. The first 7 samples
appear on row 1, the second 7 samples appear on row 2, and so on.
If you disable the GSLB protocol, the data is cleared.

Example

The following example shows connection activity for virtual port 80 on virtual server china.

AX#show gslb samples conn china 80
0 | 1       2       3       4       5       6       7
---------------------------------------------------------------------------
1 | 15000   25000   35000   45000   55000   65000   75000
2 | 85000   95000   105000

show gslb samples conn-load

Description
Show the number of connections on each virtual server.

Syntax
show gslb samples conn-load num-samples interval
    [service-name | vipaddr]
    [port-num]
Option                   Description
num-samples              Number of connection-load samples to collect and
                         display.
interval                 Number of seconds to wait between collection of each
                         sample.
service-name | vipaddr   Collects samples only for the specified service IP.
port-num                 Collects samples only for the specified service port
                         number.

Mode

All

Example

The following command shows 5 connection-load samples, collected at 5-second intervals:

AX#show gslb samples conn-load 5 5
ip1:80, average is: 36
  | 1      2      3      4      5      6      7
---------------------------------------------------------------------------
1 | 0      0      11     1      168
ip2:80, average is: 38
  | 1      2      3      4      5      6      7
---------------------------------------------------------------------------
1 | 0      0      22     2      168
ip3:80, average is: 60
  | 1      2      3      4      5      6      7
---------------------------------------------------------------------------
1 | 120    0      0      0      180
ip4:80, average is: 86
  | 1      2      3      4      5      6      7
---------------------------------------------------------------------------
1 | 240    0      0      0      192

In this example, five samples, taken at 5-second intervals, are shown for
each of four services (ip1:80 to ip4:80). The services are listed by service IP
and service port.
In each section, the numbers across the top are column numbers. The numbers along the leftmost column are row numbers. The other numbers are the
actual connection load data. For example, for ip1:80 (service port 80 on service IP ip1), there were no connections during the first or second data
samples, and 11 connections during the third sample.

show gslb samples rdt

Description
Show the aRDT between the GSLB AX Series and a client.

Syntax
show gslb samples rdt
    [geo-location-name
      [active [geo-location-name ...]
      [site site-name] [depth num]]
    [slb-device
      [active [geo-location-name ...]
      [site site-name] [depth num]]
    [local-info]
Option              Description
geo-location-name   Displays aRDT data only for the specified GSLB geo-location.
slb-device          Displays aRDT data only for the specified SLB device.
local-info          Displays local aRDT data on a site AX device.
active              Displays data for aRDT.
site site-name      Displays aRDT data only for the specified GSLB site.
depth num           Specifies how many nodes within the geo-location data tree
                    to display. For example, to display only continent and
                    country entries and hide individual state and city entries,
                    specify depth 2. By default, the full tree (all nodes) is
                    displayed.

Mode

All

Usage

Eight aRDT samples are displayed for each device. Times are shown in
10-millisecond (ms) increments. In the example below, the first aRDT time for
Device1 is 50 ms.
If you disable the GSLB protocol, the data is cleared.

show gslb service

Description
Show the configuration information for services.

Syntax
show gslb service
    {cache | dns-a-record | dns-cname-record |
     dns-mx-record | dns-ns-record | dns-ptr-record |
     dns-srv-record | session}
    [service-name ...] [zone zone-name]
    [ip ipaddr {subnet-mask | /mask-length}]
Option                                   Description
cache                                    Displays service information in the GSLB DNS
                                         cache.
dns-a-record                             Displays Address records for GSLB services.
dns-cname-record                         Displays CNAME records for GSLB services.
dns-mx-record                            Displays MX records for GSLB services.
dns-ns-record                            Displays name server records for GSLB services.
dns-ptr-record                           Displays pointer records for GSLB services.
dns-srv-record                           Displays service records for GSLB services.
dns-txt-record                           Displays DNS TXT records for GSLB services.
session                                  Displays current GSLB sessions for services.
service-name                             Specifies a service name.
zone zone-name                           Specifies a zone name.
ip ipaddr {subnet-mask | /mask-length}   Specifies a client host or subnet address.
                                         (This option applies only to the session
                                         option.)

Mode

All

Example

The following example shows CNAME information for zone a10.com:

AX#show gslb service dns-cname-record a10.com
Zone: a10.com
Alias = Alias Name, Geoloc = Geo-location
G-Geoloc = Matched Global Geo-location
P-Geoloc = Matched Policy Geo-location
Service    Alias          Geoloc   G-Geoloc   P-Geoloc
-----------------------------------------------------------------------------
http:www   http.a10.com   pc1      (empty)    (empty)
ftp:ftp    ftpp.a10.com   pc1      (empty)    pc1

show gslb service-ip

Description
Shows information for a GSLB service.

Syntax
show gslb service-ip {service-name | vipaddr | local-info}

Option                   Description
service-name | vipaddr   Specifies the service name or VIP address.
local-info               Shows local SLB virtual-server information.

Example

The following command shows information for the beijing service:

AX#show gslb service-ip beijing
V = Is Virtual server, E = Enabled
P-Cnt = Count of Service Ports
Service-IP         IP         V E State  P-Cnt  Hits
-----------------------------------------------------------------------------
:Device1:beijing   2.1.1.10   Y Y UP     3      0

Table 12 describes the fields in the command output.


TABLE 12 show gslb service-ip fields
Field        Description
Service-IP   Device name and service IP name.
IP           IP address of the service.
V            Indicates whether the service IP is a virtual server IP address
             (Y) or a real server IP address (N).
E            Indicates whether the service IP is enabled.
State        Indicates the service IP state: UP or DOWN.
P-Cnt        Number of service ports on the service IP.
Hits         Number of times the service IP has been selected.

show gslb service-port

Description
Show information about the GSLB service ports configured on the sites.

Syntax
show gslb service-port [local-info]

Option       Description
local-info   Shows local SLB virtual-port information.

Mode

All

Example

The following command shows information about all the configured GSLB
service ports.

AX#show gslb service-port
Attrs = Attributes, Act-Svrs = Active Real Servers
Curr-Conn = Current Connections
D = Disabled, P = GSLB Protocol, L = Local Protocol
Service-Port        Attrs  State  Act-Svrs  Curr-Conn
-----------------------------------------------------------------------------
10.77.27.222:80     L      DOWN   0         0
10.10.10.1:80              DOWN   0         0
67.67.6.84:80              UP     1         0
67.67.6.82:21              UP     1         0
192.168.100.6:80           DOWN   0         0

Table 13 describes the fields in the command output.


TABLE 13 show gslb service-port fields
Field          Description
Service-Port   Service IP address and service port number.
Attrs          Indicates whether the service port is reached using the GSLB
               protocol or the local (SLB) protocol.
State          Indicates the service state: UP or DOWN.
Act-Svrs       Number of active real servers for the service.
Curr-Conn      Current number of connections to the service.

show gslb session


Description

Show cached GSLB policy selections.


Selections are cached on a zone:service basis. While a cached GSLB policy
selection is valid (that is, before it ages out), the cached selection is used for
subsequent requests from the same client for the same zone and service.

Syntax

show gslb session
    [service-name ...] [zone zone-name]
    [ip ipaddr {subnet-mask | /mask-length}]

Option                                   Description
service-name                             Specifies a service name.
zone zone-name                           Specifies a zone name.
ip ipaddr {subnet-mask | /mask-length}   Specifies a client host or subnet address.

Mode

All

show gslb site

Description
Show GSLB site information.

Syntax
show gslb site [site-name ...]
    [bw-cost] [statistics]

Option       Description
site-name    Displays information only for the specified site.
bw-cost      Displays BW-Cost information.
statistics   Displays statistics.

Mode

All

Example

The following command shows information for GSLB site Site1:

AX#show gslb site Site1
Site    Device/server       VIP        Vport  State  Hits
------------------------------------------------------------------
Site1   Device1 (device)    2.1.1.10          Up     0
        1.2.2.2                        21     Up
                                       23     Up
                                       80     Up
                            2.1.1.11          Up     0
                                       21     Up
                                       80     Up
                            2.1.1.12          Up     0
                                       21     Up
                                       23     Up
                                       80     Up
        serverB (server)    3.1.1.10          Up     0
                                       80     Up

Table 14 describes the fields in the command output.

TABLE 14 show gslb site fields
Field           Description
Site            GSLB site name.
Device/server   Device name and device IP address or real server name and real
                server IP address.
VIP             Virtual IP address for the service.
Vport           Virtual port number.
State           Virtual port state.
Hits            Number of times the service IP was selected.

Table 15 describes the fields in the command output when the bw-cost
option is used.

TABLE 15 show gslb site bw-cost fields
Field      Description
Site       GSLB site name.
Template   SNMP template name.
Current    Current value of the SNMP object used for measurement.
Highest    Highest value of the SNMP object used for measurement.
Limit      Limit configured for the BW-Cost metric.
U          Indicates whether the site is usable, based on the BW-Cost
           measurement.
Type       Data type of the SNMP object.
Len        Data length of the SNMP object.
Value      Value of the SNMP object.
TI         Time interval between measurements.

Example

The following command shows GSLB site statistics:

AX#show gslb site statistics
Site    Hits   Last
----------------------------------------------------------------------------
site1   14     2.1.1.10
site2   0      (empty)
site3   0      (empty)
site4   0      (empty)

Table 16 describes the fields in the command output when the statistics
option is used.

TABLE 16 show gslb site statistics fields
Field   Description
Site    GSLB site name.
Hits    Number of times the site was selected.
Last    Site that was most recently selected.

show gslb slb-device

Description
Show information about an SLB device used by GSLB.

Syntax
show gslb slb-device
    [device-name | local-info | rdt active [device-name ... | ip ipaddr ...]]
Option        Description
device-name   Displays information only for the specified SLB device.
local-info    Displays local SLB device information on a site SLB device.
rdt options   Displays aRDT data. You can use the following options:
                active        Displays data for aRDT.
                device-name   Displays aRDT data only for the specified SLB
                              device.
                ip ipaddr     Displays aRDT data only for the specified client
                              IP address(es).

Mode

All

Example

The following command shows information about SLB device Device1:

AX#show gslb slb-device Device1
APF = Administrative Preference, Sub-Cnt = Count of Service-IPs
Sesn-Uzn = Session Utilization
Sesn-Num = Number of Available Sessions
Device          IP        APF  Sesn-Uzn  Sesn-Num  Sub-Cnt
-----------------------------------------------------------------------------
site1:Device1   1.2.2.2   200  0%        0         3

Table 17 describes the fields in the command output.


TABLE 17 show gslb slb-device fields
Field      Description
Device     Site name and device name.
IP         SLB device's IP address.
APF        Administrative preference for the device.
Sesn-Uzn   Current session utilization on the device.
Sesn-Num   Number of sessions available on the device.
Sub-Cnt    Number of service IPs on the device.

show gslb state

Description
Show GSLB state information collected by GSLB debugging.

Syntax
show gslb state

Mode

All

Usage

To collect state information, enable GSLB debugging and use the state
option. (See the example below.)

Example

The following commands enable GSLB debugging with retention of state
information, and initiate display of the state information:

site-ax-1(config)#debug gslb state
site-ax-1(config)#show gslb state

show gslb statistics

Description
Show statistics for the GSLB protocol, for sites, or for zones.

Syntax
show gslb statistics {message | site | zone}

Mode

All

Usage

The show gslb statistics message command shows the same output as the
show gslb protocol command. Similarly, the show gslb statistics site command shows the same output as the show gslb site statistics command, and
the show gslb statistics zone command shows the same output as the show
gslb zone statistics command.

Example

The following command shows statistics for the GSLB protocol:

AX#show gslb statistics message
GSLB site: site1
slb-dev: remote (20.20.20.2) Established
Session ID:                40576
Connection success:        4     |Connection failure:         0
Open packet sent:          4     |Open packet received:       1
Open session success:      1     |Open session failure:       3
Dropped sessions:          0     |Update packet received:     5101
Keepalive packet sent:     1219  |Keepalive packet received:  1218
Notify packet sent:        0     |Notify packet received:     0
Message Header Error:      0     |                            0

GSLB site: site2
slb-dev: local (192.168.217.2) Established
Session ID:                104
Connection success:        1     |Connection failure:         1
Open packet sent:          1     |Open packet received:       1
Open session success:      1     |Open session failure:       0
Dropped sessions:          0     |Update packet received:     22
Keepalive packet sent:     2     |Keepalive packet received:  1
Notify packet sent:        0     |Notify packet received:     0
Message Header Error:      0     |                            0

GSLB controller: 192.168.217.2 Established
Session ID:                104
Connection success:        0     |Connection failure:         0
Open packet sent:          1     |Open packet received:       1
Open Sent                  1     |Open session failure:       0
Dropped sessions:          0     |Update packet sent:         22
Keepalive packet sent:     2     |Keepalive packet received:  1
Notify packet sent:        0     |Notify packet received:     0
Message Header Error:      0     |                            0

show gslb zone

Description
Show GSLB zone information.

Syntax
show gslb zone [zone-name]
    [dns-mx-record] [dns-ns-record] [dns-soa-record]
    [statistics]

Option           Description
zone-name        Displays information only for the specified zone.
dns-mx-record    Displays the MX records for the zone(s).
dns-ns-record    Displays the name server records for the zone(s).
dns-soa-record   Displays the start-of-authority records for the zone(s).
statistics       Displays statistics for the zone(s).

Mode

All

Example

The following example shows information for zone a10.com:

AX#show gslb zone a10.com
Zone      Service    Policy   TTL
-----------------------------------------------------------------------------
a10.com              www      20
          http:www   www      20
          ftp:ftp    ftp      30

Table 18 describes the fields in the command output.

TABLE 18 show gslb zone fields
Field     Description
Zone      Zone name.
Service   Service type and service name.
Policy    GSLB policy name.
TTL       DNS TTL value set by GSLB in DNS replies to queries for the zone
          address.

Example

The following command shows MX records for zones:

AX#show gslb zone dns-mx-record
Pri = Priority, Last = Last Server
Owner               MX-Record       Pri  Hits  Last
-----------------------------------------------------------------------------
mail.abc.com:smtp   mail1.abc.com   0    0
                    mail2.xyz.com   10

Table 19 describes the fields in the command output.

TABLE 19 show gslb zone dns-mx-record fields
Field       Description
Owner       Zone and service name to which the MX record belongs.
MX-Record   Name of the MX record.
Pri         Priority (preference) set for the MX record.
Hits        Number of times the record has been used.
Last        Most recent time the record was used.

Example

The following command shows GSLB zone statistics:

AX(config-gslb zone-gslb service)#show gslb zone example.com statistics
GSLB Zone example.com:
Total Number of Services configured: 1
Rcv-query = Received Query, Sent-resp = Sent Response
M-Proxy = Proxy Mode, M-Cache = Cache Mode
M-Svr = Server Mode, M-Sticky = Sticky Mode
Service     Rcv-query  Sent-resp  M-Proxy  M-Cache  M-Svr  M-Sticky
----------------------------------------------------------------------------
http:www    16         15         3        0        0      12
Total       16         15         3        0        0      12

Table 20 describes the fields in the command output.

TABLE 20 show gslb zone statistics fields
Field                 Description
GSLB Zone             Zone name.
Total Number of       Number of GSLB services configured for the zone.
Services configured
Service               Service type and service name.
Rcv-query             Number of DNS queries received for the service.
Sent-resp             Number of DNS replies sent to clients for the service.
M-Proxy               Number of DNS replies sent to clients by the AX device as a
                      DNS proxy for the service.
M-Cache               Number of cached DNS replies sent to clients by the AX
                      device for the service. (This statistic applies only if the
                      DNS cache option is enabled in the policy.)
M-Svr                 Number of DNS replies sent to clients by the AX device as a
                      DNS server for the service. (This statistic applies only if
                      the DNS server option is enabled in the policy.)
M-Sticky              Number of DNS replies sent to clients by the AX device to
                      keep the clients on the same site. (This statistic applies
                      only if the DNS sticky option is enabled in the policy.)

Clear Command

clear

Description
Clear statistics or reset functions. Sub-command parameters are required for
specific sub-commands.

Syntax
clear gslb {options}

Sub-Command          Description
all                  Clears all GSLB statistics.
cache                Clears the GSLB DNS cache.
debug                Clears debug statistics.
fqdn                 Clears FQDN statistics.
geo-location         Clears geo-location statistics.
group                Clears GSLB group statistics.
ip-list              Clears IP-list statistics.
memory               Clears memory statistics.
protocol             Clears GSLB protocol statistics.
rdt                  Clears RDT samples.
samples              Clears aRDT samples.
server               Clears server statistics.
service              Clears service statistics.
session              Clears GSLB sessions.
site                 Clears site statistics.
slb-device           Clears SLB device samples.
statistics options   Clears message, site, or zone statistics.
zone                 Clears zone statistics.


DNSSEC Commands
This section describes the commands for DNSSEC.
(For more on this feature, see DNSSEC Support on page 133.)

dnssec key-generate

Description
Generate a key for DNSSEC.

Syntax
dnssec key-generate name algorithm
    [RSASHA1 | RSASHA256 | RSASHA512 | NSEC3RSASHA1]
    keysize num

Parameter          Description
name               Key filename.
algorithm          RSA SHA algorithm to use to generate the DNSSEC key pair (ZSK
[RSASHA1 |         and KSK). You can specify any of the following algorithms:
RSASHA256 |          RSASHA1 (default)
RSASHA512 |          RSASHA256
NSEC3RSASHA1]        RSASHA512
                     NSEC3RSASHA1
                   Selecting one of the first three algorithms (RSASHA1,
                   RSASHA256, or RSASHA512) will cause the standard NSEC
                   resource record to be generated for the zone. However,
                   selecting the fourth algorithm option (NSEC3RSASHA1) causes
                   the NSEC3/NSEC3PARAM record to be generated for the zone,
                   which is helpful in mitigating the threat posed by zone
                   walking.
                   Different zones can use different DNSSEC templates and thus
                   have different algorithms.
keysize num        Number of bits in the DNSSEC key, which can range from
                   512-4096 bits. Values must be specified in multiples of 64
                   bits, and the default value is 1024 bits.

Default

See above.

Mode

Global configuration mode

dnssec template

Description
Configure a DNSSEC template.

Syntax
[no] dnssec template template-name

This command changes the CLI to the configuration level for the specified
DNSSEC template, where the following commands are available.

Command                        Description
[no] combinations-limit num    Maximum number of combinations per Resource
                               Record Set (RRset), where RRset is defined as all
                               the records of a particular type for a particular
                               domain, such as all the quad-A (IPv6) records for
                               www.example.com. You can specify 1-65535.
[no] dnskey-ttl seconds        Lifetime for DNSSEC key resource records. The TTL
                               can range from 1-864,000 seconds.
[no] ksk name                  Key signing key (KSK) for establishing the chain of
                               trust; it is the private counterpart to the public
                               zone signing key used to sign authentication keys
                               for the zone. At least one KSK is needed to sign
                               successfully, but no more than two KSKs can be
                               configured.
[no] return-nsec-on-failure    Returns an NSEC or NSEC3 record in response to a
                               client request for an invalid domain. As originally
                               designed, DNSSEC would expose the list of device
                               names within a zone, allowing an attacker to gain a
                               list of network devices that could be used to
                               create a map of the network.
[no] signature-validity-period days
                               Period for which a signature will remain valid. The
                               time can range from 5 to 30 days.
[no] zsk name                  Zone signing key (ZSK) for signing the domain
  [active | published |        name's zone. At least one ZSK is needed to sign
   deprecated]                 successfully, but no more than two ZSKs can be
                               configured.
                                 active       Sets key status to active.
                                 published    Sets key status to published.
                                 deprecated   Sets key status to deprecated.

Default

The default DNSSEC template has the following defaults:
  combinations-limit 31
  dnskey-ttl 14,400 seconds (4 hours)
  ksk Not set
  return-nsec-on-failure enabled
  signature-validity-period 10
  zsk Not set

Mode

Global configuration mode
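The guide's point about NSEC versus NSEC3 (the algorithm choice in dnssec key-generate above, and the return-nsec-on-failure command in this template) is easier to see with the records in hand. The following Python is an added example, not code from this guide or from A10: it implements the RFC 5155 hashed owner name (iterated SHA-1 over the wire-format name plus salt, base32hex-encoded) and builds both an NSEC chain and an NSEC3 chain over a constructed set of zone names so the two can be compared. The zone names, salt and iteration count are constructed for the example; the NSEC3PARAM values the AX device uses are not documented on this page.

```python
import hashlib
from typing import List, Tuple

# Alphabet of base32hex (RFC 4648 section 7), which NSEC3 uses for owner names.
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, ending in the zero-length root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet and no padding characters."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5 hashed owner name with SHA-1:
    IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt) for k = 1..iterations."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def canonical_key(name: str) -> Tuple[str, ...]:
    """Sort key for DNS canonical order (RFC 4034 section 6.1): compare labels
    from the root leftwards, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def nsec_chain(names: List[str]) -> List[Tuple[str, str]]:
    """NSEC chain, as the RSASHA* algorithms produce: each record carries its
    owner and the next owner in canonical order, so the zone's names appear
    in the clear."""
    ordered = sorted({n.lower().rstrip(".") for n in names}, key=canonical_key)
    return [(owner, ordered[(i + 1) % len(ordered)])
            for i, owner in enumerate(ordered)]


def nsec3_chain(names: List[str], salt: bytes,
                iterations: int) -> List[Tuple[str, str]]:
    """NSEC3 chain, as NSEC3RSASHA1 produces: the same gap proofs, but owners
    are hashed, so the chain exposes only hashes plus the NSEC3PARAM values."""
    hashed = sorted({nsec3_hash(n, salt, iterations) for n in names})
    return [(h, hashed[(i + 1) % len(hashed)]) for i, h in enumerate(hashed)]


def names_exposed(chain: List[Tuple[str, str]], names: List[str]) -> List[str]:
    """Which of the zone's real names occur as owners in a chain."""
    owners = {owner for owner, _ in chain}
    return [n for n in names if n.lower().rstrip(".") in owners]


# Constructed zone contents and NSEC3PARAM values (not from the guide).
SAMPLE_NAMES = ["example.com", "www.example.com",
                "mail.example.com", "intranet.example.com"]
SAMPLE_SALT = bytes.fromhex("aabbccdd")   # constructed; use your own
SAMPLE_ITERATIONS = 12                     # constructed; use your own


if __name__ == "__main__":
    for owner, nxt in nsec_chain(SAMPLE_NAMES):
        print(f"NSEC  {owner} -> {nxt}")
    for owner, nxt in nsec3_chain(SAMPLE_NAMES, SAMPLE_SALT, SAMPLE_ITERATIONS):
        print(f"NSEC3 {owner} -> {nxt}")
```

Run stand-alone, the NSEC chain prints the four constructed names in canonical order, while the NSEC3 chain prints only 32-character base32hex hashes; names_exposed returns every name for the first chain and none for the second, which is the difference the guide's NSEC3RSASHA1 option is meant to buy.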

dnssec sign-zone-now

Description
Immediately trigger zone-signing.

Syntax
dnssec sign-zone-now name

Parameter   Description
name        Name of the DNS zone.

Default

Signing begins 30 seconds after the zone or DNSSEC template configuration is
changed.

Mode

Global configuration mode

show dnssec template

Description
Display information for a DNSSEC template.

Syntax
show dnssec template name

Mode

All

Corporate Headquarters
A10 Networks, Inc.
3 West Plumeria Dr
San Jose, CA 95134 USA
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support toll-free in USA)
Tel: +1-408-325-8676 (support direct dial)
Fax: +1-408-325-8666
www.a10networks.com

2012 A10 Networks Corporation. All rights reserved.
